Mining Policies From Enterprise Network Configuration

Theophilus Benson, Aditya Akella, and David A. Maltz


Few studies so far have examined the nature of reachability policies in enterprise networks. A better understanding of reachability policies could inform both future approaches to network design and current network configuration mechanisms. In this paper, we introduce the notion of a policy unit, which is an abstract representation of how the policies implemented in a network apply to different network hosts. We develop an approach for reverse-engineering a network's policy units from its router configuration. We apply this approach to the configurations of five production networks, including three university and two private enterprises. Through our empirical study, we validate that policy units capture useful characteristics of a network's policy. We also obtain insights into the nature of the policies implemented in modern enterprises. For example, we find most hosts in these networks are subject to nearly identical reachability policies at Layer 3.


Publication type: Inproceedings
Published in: Internet Measurement Conference
Publisher: Association for Computing Machinery, Inc.