Authors: H. B. Acharya
Venue: 39th Annual IEEE Conference on Local Computer Networks
Published: 2014-10-16
DOI: 10.1109/LCN.2014.6925786 (https://doi.org/10.1109/LCN.2014.6925786)
On rule width and the unreasonable effectiveness of policy verification
Policies, such as routing tables and firewalls, are fundamental components of networking infrastructure. Unfortunately, existing policy verification and optimization algorithms require O(n^d) time, where n is the number of rules (thousands), and d the number of fields (usually < 10). However, these algorithms perform very well in practice. In this paper, we provide the explanation for this result: n and d are not the only parameters of interest! Through experimental study of our Parallel Next-step Lookup system PaNeL, as well as the FDD and Probe algorithms for policy verification, we clearly demonstrate the importance of our proposed new metric - the “width index”. Some established algorithms (such as FDD, used for structured firewall design) indeed become intractable for policies with poor width index values. We therefore suggest that the “unreasonable effectiveness” of such algorithms for practical policies is possible because such policies have a reasonable width index.