Network property verification
First Claim
1. A method, comprising:
obtaining a plurality of packet handling rules from at least one firewall in a network and at least one routing table in the network;
translating the packet handling rules to one or more canonical data structures based on priority of rules at a given routing table or a given firewall, each canonical data structure representing a subset of packets affected by one or more corresponding packet handling rules such that each packet handling rule is covered by at least one canonical data structure;
generating a graph representation of the at least one firewall and at least one node corresponding to the at least one routing table in the network;
labeling a vertex in the graph representation with a first canonical data structure based on the first canonical data structure being associated with a first packet handling rule of the given firewall, the vertex in the graph representation corresponding to the given firewall;
labeling an edge in the graph representation with a second canonical data structure based on the second canonical data structure being associated with a second packet handling rule of the given routing table, the edge in the graph representation corresponding to the given routing table; and
using the graph representation, verifying one or more network properties to identify any network issues.
1 Assignment
0 Petitions
Abstract
A method may include obtaining packet handling rules from at least one firewall in a network and at least one routing table in the network, and translating the packet handling rules to canonical data structures based on priority of rules at a given routing table or a given firewall. Each canonical data structure may represent a subset of packets affected by one or more corresponding packet handling rules such that each packet handling rule is covered by at least one canonical data structure. The method may also include generating a graph representation of the firewalls and the nodes corresponding to the routing tables in the network. The method may additionally include labeling vertices and edges in the graph representation based on the packet handling rules. The method may also include, using the graph representation, verifying one or more network properties to identify any network issues.
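The abstract describes a pipeline (prioritized rules to disjoint canonical packet sets, then a labelled graph, then property checks) without showing how the pieces fit. The following Python is an added worked example written for this page; it is not the patent's own code or any product implementation. Its assumptions: a packet class is reduced to a (destination host, TCP port) pair over a constructed 10.0.0.0/24 universe, the node names R1, FW1 and SRV and all rules are constructed, and "priority" is resolved by giving each rule only the packets that no higher-priority rule already claimed, which is what makes the canonical sets disjoint and lets a fully shadowed rule show up as an empty set.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

# Constructed packet universe: (last octet of a 10.0.0.0/24 destination, TCP port).
Packet = Tuple[int, int]
PORTS = (22, 80, 443)
UNIVERSE: FrozenSet[Packet] = frozenset(product(range(256), PORTS))  # 768 classes
ANY: FrozenSet[int] = frozenset()                                      # "any port"


@dataclass(frozen=True)
class Rule:
    priority: int          # lower number = evaluated first
    dst_lo: int            # inclusive destination range (last octet)
    dst_hi: int
    ports: FrozenSet[int]  # empty = any port
    action: str            # firewall: "permit"/"deny"; routing table: next hop or "drop"

    def matches(self) -> FrozenSet[Packet]:
        return frozenset(p for p in UNIVERSE if self.dst_lo <= p[0] <= self.dst_hi
                         and (not self.ports or p[1] in self.ports))


def canonicalize(rules: List[Rule]) -> List[Tuple[Rule, FrozenSet[Packet]]]:
    """Canonical packet sets by priority: each rule keeps only the packets that no
    higher-priority rule claimed, so the sets are pairwise disjoint."""
    claimed: FrozenSet[Packet] = frozenset()
    canon = []
    for rule in sorted(rules, key=lambda r: r.priority):
        own = rule.matches() - claimed
        canon.append((rule, own))
        claimed |= own
    return canon


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules whose canonical set is empty can never fire: a classic misconfiguration."""
    return [rule for rule, own in canonicalize(rules) if not own]


class NetworkGraph:
    def __init__(self) -> None:
        self.vertex_label: Dict[str, FrozenSet[Packet]] = {}   # node -> packets it passes
        self.edges: Dict[str, List[Tuple[str, FrozenSet[Packet]]]] = {}  # node -> [(hop, set)]

    def add_firewall(self, name: str, rules: List[Rule]) -> None:
        # Vertex label: union of the canonical sets of the permit rules.
        permitted = [own for rule, own in canonicalize(rules) if rule.action == "permit"]
        self.vertex_label[name] = frozenset().union(*permitted)

    def add_routing_table(self, node: str, rules: List[Rule]) -> None:
        # One labelled edge per next hop; "drop" entries produce no edge.
        self.vertex_label.setdefault(node, UNIVERSE)  # a plain router filters nothing
        for rule, own in canonicalize(rules):
            if rule.action != "drop" and own:
                self.edges.setdefault(node, []).append((rule.action, own))

    def reachable(self, src: str, dst: str, packets: FrozenSet[Packet] = UNIVERSE) -> FrozenSet[Packet]:
        """Packet classes injected at src that arrive at dst: propagate the set along edges,
        intersecting with each edge's forward label and each vertex's permit label."""
        result: FrozenSet[Packet] = frozenset()
        stack = [(src, packets & self.vertex_label.get(src, UNIVERSE), frozenset([src]))]
        while stack:
            node, pk, seen = stack.pop()
            if not pk:
                continue
            if node == dst:
                result |= pk
                continue
            for nxt, fwd in self.edges.get(node, []):
                if nxt not in seen:  # do not follow a forwarding loop forever
                    stack.append((nxt, pk & fwd & self.vertex_label.get(nxt, UNIVERSE), seen | {nxt}))
        return result


def build_example() -> Tuple[NetworkGraph, List[Rule]]:
    """Constructed topology: edge router R1 -> firewall FW1 -> server segment SRV."""
    fw1_filter = [
        Rule(10, 0, 127, frozenset({22}), "deny"),        # no SSH into the segment
        Rule(20, 0, 63, frozenset({80, 443}), "permit"),  # web to the first 64 hosts
        Rule(30, 0, 127, frozenset({22}), "permit"),      # fully shadowed by rule 10
        Rule(40, 0, 255, ANY, "deny"),                    # default deny
    ]
    g = NetworkGraph()
    g.add_routing_table("R1", [Rule(1, 0, 127, ANY, "FW1"), Rule(2, 0, 255, ANY, "drop")])
    g.add_firewall("FW1", fw1_filter)
    g.add_routing_table("FW1", [Rule(1, 0, 127, ANY, "SRV"), Rule(2, 0, 255, ANY, "drop")])
    return g, fw1_filter


def verify_example() -> dict:
    g, fw1_filter = build_example()
    reach = g.reachable("R1", "SRV")
    return {
        "reachable_count": len(reach),
        "ssh_reaches_srv": any(port == 22 for _, port in reach),  # property: must be False
        "web_reaches_host5": (5, 80) in reach,                    # property: must be True
        "shadowed_priorities": [r.priority for r in shadowed_rules(fw1_filter)],
    }


if __name__ == "__main__":
    print(verify_example())
```

Two checks fall out of the same graph walk: the reachability property (which packet classes from R1 arrive at SRV, and whether port 22 is among them) and the configuration issue that the canonical translation exposes for free, the shadowed rule at priority 30. A real implementation would replace the enumerated universe with header-space or BDD representations and handle loops as a verified property rather than a traversal guard, but the structure of the labels and the intersection along a path is the same.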
20 Claims
1. A method, comprising: (set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A non-transitory computer readable medium including instructions that, when executed by one or more processors, are configured to perform or control performance of operations, the operations comprising:
obtaining a plurality of packet handling rules from at least one firewall in a network and at least one routing table in the network;
translating the packet handling rules to one or more canonical data structures based on priority of rules at a given routing table or a given firewall, each canonical data structure representing a subset of packets affected by one or more corresponding packet handling rules such that each packet handling rule is covered by at least one canonical data structure;
generating a graph representation of the at least one firewall and at least one node corresponding to the at least one routing table in the network;
labeling a vertex in the graph representation with a first canonical data structure based on the first canonical data structure being associated with a first packet handling rule of the given firewall, the vertex in the graph representation corresponding to the given firewall;
labeling an edge in the graph representation with a second canonical data structure based on the second canonical data structure being associated with a second packet handling rule of the given routing table, the edge in the graph representation corresponding to the given routing table; and
using the graph representation, verifying one or more network properties to identify any network issues.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A system comprising:
one or more processors; and
one or more non-transitory computer readable media including instructions that, when executed by the one or more processors, are configured to perform or control performance of operations, the operations comprising:
obtaining a plurality of packet handling rules from at least one firewall in a network and at least one routing table in the network;
translating the packet handling rules to one or more canonical data structures based on priority of rules at a given routing table or a given firewall, each canonical data structure representing a subset of packets affected by one or more corresponding packet handling rules such that each packet handling rule is covered by at least one canonical data structure;
generating a graph representation of the at least one firewall and at least one node corresponding to the at least one routing table in the network;
labeling a vertex in the graph representation with a first canonical data structure based on the first canonical data structure being associated with a first packet handling rule of the given firewall, the vertex in the graph representation corresponding to the given firewall;
labeling an edge in the graph representation with a second canonical data structure based on the second canonical data structure being associated with a second packet handling rule of the given routing table, the edge in the graph representation corresponding to the given routing table; and
using the graph representation, verifying one or more network properties to identify any network issues.
Dependent claims: 18, 19, 20.
Specification