Automating Conflict-Aware ACL Configurations with Natural Language Intents

TL;DR

This paper introduces Xumi, a system that automates conflict-aware ACL configuration using large language models, significantly reducing manual effort and errors in network policy management.

Contribution

Xumi is the first system to automatically translate natural language intents into ACL rules, detect conflicts, and optimize deployment plans in network configurations.

Findings

Accelerates ACL configuration by over 10x.

Addresses hundreds of conflicting ACLs effectively.

Reduces rule additions by approximately 40%.

Abstract

ACL configuration is essential for managing network flow reachability, yet its complexity grows significantly with topologies and pre-existing rules. To carry out ACL configuration, the operator needs to (1) understand the new configuration policies or intents and translate them into concrete ACL rules, (2) check and resolve any conflicts between the new and existing rules, and (3) deploy them across the network. Existing systems rely heavily on manual efforts for these tasks, especially for the first two, which are tedious, error-prone, and impractical to scale. We propose Xumi to tackle this problem. Leveraging LLMs with domain knowledge of the target network, Xumi automatically and accurately translates the natural language intents into complete ACL rules to reduce operators' manual efforts. Xumi then detects all potential conflicts between new and existing rules and generates resolved intents for deployment with operators' guidance, and finally identifies the best deployment plan that minimizes the rule additions while satisfying all intents. Evaluation shows that Xumi accelerates the entire configuration pipeline by over 10x compared to current practices, addresses O(100) conflicting ACLs and reduces rule additions by ~40% in modern cloud network.