Proposal of an Automatic Verification Method for Network Configuration Model by Static Analysis

TL;DR

This paper introduces an automatic static analysis-based verification method for network configuration models, enabling detection of policy violations and aiding designers without costly device testing.

Contribution

It presents a novel static analysis approach to verify network configuration models and convert them into familiar device-like formats for easier review.

Findings

Successfully detected configuration errors in a large-scale campus network.

Generated device state outputs matching actual device configurations.

Validated the method's effectiveness through a real-world case study.

Abstract

In the network design phase, designers typically assess the validity of the network configuration on paper. However, the interactions between devices based on network protocols can be complex, making this assessment challenging. Meanwhile, testing with actual devices incurs significant costs and effort for procurement and preparation. Traditional methods, however, have limitations in identifying configuration values that cause policy violations and verifying syntactically incomplete device configuration files. In this paper, we propose a method to automatically verify the consistency of a model representing the network configuration (Network Configuration Model) by static analysis. The proposed method performs verification based on the network configuration model to detect policy violations and points out configuration values that cause these violations. Additionally, to facilitate the designers' review of each network device's configuration, the model is converted into a format that mimics the output of actual devices, which designers are likely familiar with. As a case study, we applied the proposed method to the network configuration of Shinshu University, a large-scale campus network, by intentionally introducing configuration errors and applying the method. We further evaluated whether it could output device states equivalent to those of actual devices.