Test tool for equivalence of access control list

Hirokazu Sayama, N. Yoshiura
2012 14th Asia-Pacific Network Operations and Management Symposium (APNOMS). Publication date: 2012-11-26. DOI: 10.1109/APNOMS.2012.6356103 (https://doi.org/10.1109/APNOMS.2012.6356103)
Citations: 1

Abstract

Computer network security is one of the important issues in the Internet age. Network administrators of organizations such as companies or universities filter IP packets at network equipment, such as a Layer 3 switch or firewall, between their organizations and the Internet to keep their computer networks secure. One way of expressing IP packet filtering rules is the access control list. Access control lists are lists of rules that describe whether packets are permitted or denied passage based on source IP address, destination IP address, port numbers and so on. Access control lists are not always fixed; network administrators change them as the network topology or network security policy changes. After several changes, an access control list may include redundancies, and network administrators have to modify it to remove them. This modification must preserve the semantics of the access control list. After modification, the network administrators must confirm that the semantics of the access control list have not changed. One method of confirming the equivalence of two access control lists is to send test IP packets to the network equipment that filters IP packets and to check whether the packets pass through. This paper proposes a method of generating test packets to confirm the equivalence of two access control lists.