Towards a Semantic Virtualization of Configurations

4 downloads 220 Views 238KB Size Report
Abstract—Configuration information in network devices is ... Virtual Private Networks (VPNs), which alter the configuration .... as a service provider's network.
Towards a Semantic Virtualization of Configurations Sylvain Hallé

Omar Cherkaoui

Petko Valtchev

Université du Québec à Chicoutimi E-mail: [email protected]

Université du Québec à Montréal E-mail: [email protected]

Université du Québec à Montréal E-mail: [email protected]

Abstract—Configuration information in network devices is stored in an internal data structure that can be accessed through various means. However, the exact organization of the parameters, and therefore the actual way of reaching them, does not necessarily reflect a semantically sound view of the configuration operations in all situations. In this paper, we propose the use of configuration dependency rules to provide a semantic virtualization of the parameters. We show how this virtualization can be superimposed with minimal interference over current configuration protocols, taking Netconf as an example.

I. I NTRODUCTION It is a well known fact that the management of network services is hindered by the plethora of configuration parameters to control and their often erratic organization. Historically, the devices’ data structures started as a small and well-organized set of commands and parameters. However, the addition of new functionalities and services over time led to a progressive complexification of these structures. Most often, backward compatibility with earlier product lines was necessary, and a complete reorganization was out of question. The end result is that most of the configuration structures for current devices have outgrown many times their initial shell and lost their original cohesion. Parameters managing a single service are now dispersed at multiple locations and are frequently mixed inside configuration operations with other parameters from other services. One can cite the example of Virtual Private Networks (VPNs), which alter the configuration of routing tables, IP addressing schemes and other parameters at the same time, most of the time subject to semantic dependencies. The current trend towards virtualization of the network and its decoupling from physical devices makes the problem even worse. It is not even clear, though, that building a new configuration view from scratch would lead to better results in all use cases. The search for a universal configuration data model has started long ago with initiatives like Management Information Bases (MIBs) [11], Directory Enabled Networking (DEN) [14] and Common Information Model [1]. The fact that such unification and standardization endeavours have proliferated over the years gives food for thought. This paper describes work in progress, where we take an opposite approach to the question of restoring semantical soundness in configuration views. Instead of hoping for a good-for-all organization of parameters, we suggest the use of multiple “locally optimal” structures that each provide c 2012 IEEE 978-1-4673-0269-2/12/$31.00

an efficient fragmentary representation of the configuration well suited for a single service or management task. These structures, called virtual subtrees, are logically superimposed subsets of an original configuration structure. To this end, in Section II, we present formal configuration rules and structures and show their combined effect on the performance of configuration management tasks. In Section III, we present a method of analysis of configuration rules that allows the grouping, or clustering, of configuration parameters into semantically-related units. We show how this clustering mechanism can be superimposed with minimal interference over current configuration protocols and study in greater detail the case of Netconf, detailing the benefits of using such an approach. Finally, Section IV concludes and indicates forthcoming work. II. S EMANTIC R ELATIONS IN C ONFIGURATION V IEWS In this section, we present a general form of tree called configuration tree that can be used to model hierarchical (command-line and XML) structures, and model service dependencies between parameters in these structures. A. Tree-like Configuration Views A configuration view is the structural organization of configuration information inside a device, and the set of operations offered to access and modify that structure. Traditionally, network devices offer a limited number of views. The first and easiest of such views is the direct manipulation of configuration files, a tedious and error-prone operation that requires from the network engineer an intricate knowledge of the file’s organization, syntax, and implicit requirements. Although these files can group related parameters into sections, the organization of the information is mostly linear and generally offers little structure. The use of a command-line interface (CLI) provides a second, enhanced view of the configuration. Access to configuration parameters is made through the use of commands that can display and modify more than one parameter at once. The syntax and hierarchical organization of these commands into modes and submodes provides a greater structuring of the information. A higher level of functionality is offered by performing basic syntax and parameter validation. Fortuitous modification of parameters is lessened by dividing the configuration space into modes and submodes with each a limited number of accessible values. More recent efforts led to protocols like Netconf [9] that provide configuration management capabilities over SOAP via

called LocationPath, or the XML Linking Language XLink [8], and the XML Configuration Access Protocol (XCAP) [13]. It has been feared, however, that XPath (or any of its proper subsets for that matter) is too rich a language for integrating it into network devices whose priority should not be to serve control and management data.

Figure 1.

A part of a configuration tree

XML messages. In a typical Netconf session, XML-encoded remote procedure calls (RPC) are sent by an application to a device, which in turn sends an RPC-reply giving or acknowledging reception of a full or partial XML configuration data set. In order to achieve such standardized communication, the current Netconf draft defines a set of basic operations that must be supported by devices. Among these operations, get-config retrieves all or part of a specified configuration from a source in a given format, and edit-config loads all or part of a specified configuration to the specified target configuration. The configuration is organized into an explicit hierarchy of parameters that takes the form of a (mostly vendor-specific) XML document. As explained in [10], the configuration of network devices such as routers and switches can be represented as a tree where each node is a pair composed of a name and a value. This tree represents the hierarchy of parameters inherent to the configuration of the devices. This structure provides a general model for both modern incarnations of CLI and XML structures supported by Netconf. Figure 1 shows part of such a configuration tree. Without further specification, a get-config request retrieves the whole configuration. However, the current Netconf draft defines a method for further filtering the parts of the configuration the user actually wants that is called subtree filtering. This method is mandatory in all Netconf devices; it requires a section that represents a subdocument against which the configuration is to be filtered, and possibly a namespace for that element. There are, however, alternate ways of filtering a configuration. The main one is by employing the XML Path Language XPath [5]. XPath is a full-fledged tree language that allows one to point to arbitrary locations in a structure. In this respect, XPath is much more flexible than subtree filtering for getting and setting parts of a configuration, as in the Netconf-based network management platform prototype EnSuite [7]. Other suggestions have been to use a tailor-made subset of XPath

B. Semantic Dependencies No matter what selection language is used, the parameters and components of the configuration affected by a service exhibit precise dependencies. All those dependencies must be studied and captured by the management models, in order to provide effective solutions. Configuration Logic [15] was developed specifically in order to express properties on configuration trees. CL formulæ use the traditional Boolean connectives of predicate logic: ∧ (“and”), ∨ (“or”), ¬ (“not”), → (“implies”), to which two special quantifiers are added. The universal quantifier, identified by [ ], indicates a semicolon-delimited path in the tree and imposes that a formula be true for all nodes at the end of that path (the existential quantifier h i behaves in a similar fashion). Other formal approaches, such as the use of ontologies [2], [6], have been used to model configuration dependencies. Therefore the aim of this paper is not to promote CL or any other tree language as a requisite formalism for configuration management, but rather to show how configuration dependencies can be formally expressed and analyzed. To illustrate semantic dependencies, we take the case of the Virtual Private Network (VPN). A VPN service [12] is a private network constructed within a public network such as a service provider’s network. Most of the configuration of a VPN is realized in routers placed at the border between the client’s and the provider’s networks. On the client side, these routers are called customer edge (CE) routers, and on the provider side, they are called provider edges (PE). Figure 1 shows the portion of a router configuration for a VPN. In the configuration of a VPN, the Virtual Routing and Forwarding Table (VRF) name specified for the PE-CE connectivity and the VRF name configured on the PE interface for the CE link must be consistent. This places a first dependency on two parameters in the configuration: the value of the ip-vrf node and the value of the ip-vrf-forwarding under a specific interface. The following CL formula states exactly this: [ip-vrf = x1 ] [interface = x2 ] [interface = x2 ; ip-vrf-forwarding = x3 ] x1 = x3 This is only one example of network property that must be validated on configurations of routers. Actually, each network service imposes dozens of such constraints, and in turn dozens of different services can coexist on a single device. In [10], additional service constraints have been formalized. C. Effects of Semantically Dependent Values A configuration management task should minimize the risk of errors and unwarranted side effects. To achieve this goal, the

configuration view used to perform this task must minimize the number of distinct operations required, and provide the user with as few extraneous parameters as possible. The logic behind these requirements is that the more superfluous operations and configuration information is made available to a user, the higher the chances that unnecessary operations be invoked and unrelated parameters be modified, effectively disrupting the consistency of the global configuration. Therefore, in an ideal use case, a configuration task should consist of retrieving a portion of the configuration, making the proper modifications and committing the portion back into the configuration. If the configuration view is efficient and the portion retrieved is logically and semantically selfcontainted, no need is required to check the integrity of the whole configuration —it suffices to make sure that the block is internally sound. The global consistency of the configuration is maintained by performing sequences of small, atomic operations that each preserve local consistency. However, network configuration seldom works in this way. Instead, parameters to modify when adding a new functionality to a network or just repairing it are often dispersed across multiple hierarchies. From a CLI standpoint, this is exemplified by the need to jump from one mode to another to setup a network service. The consequences of using a suboptimal configuration view for a given configuration task are numerous: a) Increased processing and communication overhead: This becomes particularly true in remotely managed environments using protocols such as Netconf. Each additional request to a part of a configuration entails at least one pair of RPC response/reply for each device, which increases the load on a network caused by control and management traffic. Moreover, additional requests lead in turn to additional processing in the device, since every RPC requires gathering the configuration, building the XML tree based on it, and then filter (multiple times) this tree to produce the desired result set. b) Increased risk of inconsistency: The example in Section II-B has shown that multiple parameters placed at different locations in a configuration structure can be dependent of each other —that is, modifying one might entail modifying some others to retain consistency. If the access to these semantically related parameters can only be made by more than one request and editing operation, the systems runs the risk of a user performing only one of the two modifications and leaving the system into an inconsistent state. It also impairs possible CLI capabilities of validating configuration integrity when leaving a configuration submode. At present this is impossible as configuration parameters in a single mode rarely form a selfcontained set that can be independently checked for validity. c) Loss of atomicity in configuration operations: Because of this previous factor, it is well possible that rolling back one atomic get/set operation does not revert the system to its latest consistent state. This has for effect of rendering commit and rollback operations clumsy by involving a nonsystematic mechanism of configuration checkpoints. Note furthermore that [15] showed that dependencies relat-

ing parameters on different sub-trees cannot be expressed in XPath 1.0. They require the use of quantifiers that can only be found in the XML Query Language (XQuery) [3], an even richer language. Therefore, restoring consistency and atomicity on the client side by allowing complex queries to get and set the configuration parameters in a bulk operation would require at minimum XQuery capability inside a device, a functionality that is very unlikely to be implemented. III. V IRTUALIZING C ONFIGURATION I NFORMATION By construction, the arborescent structure found in CLI and XML hierarchies is already a grouping of information by families of semantically related parameters. However, it is not sufficient for all possible configuration tasks. We suggest to superimpose on a given tree multiple virtual arborescences. We hence take an orthogonal approach to [7], whence instead of allowing calls to request multiple disjoint parts of a tree at once, we instead call for a mapping to a virtual tree. A. Virtual Subtrees To this aim, we suggest the use of virtual subtrees. A virtual subtree is simply a tree structure that overlays an original (larger) tree, and whose contents reflects the semantic relationships between parameters. Each node of the virtual subtree corresponds to a node of the source tree. We assume that virtual subtrees preserve the original parenthood relation. In this particular case, building a virtual subtree simply amounts to picking up nodes of the original tree and linking them in respect to the original hierarchy. To build a virtual subtree for a specific network service, a simple algorithm can be devised. This algorithm first gathers all CL formulæ expressing constraints related to this service, and then simply picks all nodes that appear along the quantifiers in each CL formula. Consider the VPN service depicted in Section II-B. In the case of the formula shown there, three quantifiers, and therefore three paths, are present. The algorithm selects all nodes (no matter their values) whose name is ip-vrf or interface right under the top node, and all nodes whose name is ip-vrf-forwarding right under one of the previously selected interface nodes. Adding further constraints to the VPN service, as has been done in [10], would lead to more CL formulæ and hence to a broader selection of nodes for the VPN virtual subtree. It is important to note that the selection algorithm only includes nodes that are explicitly mentioned in the path of one of the quantifiers; in particular, it does not automatically include the subtree under a selected node, unless each node of this subtree is also mentioned in one of the quantifiers. There can be many virtual subtrees defined over a single original tree structure. In an XML context, virtual subtrees can be simply added over an original structure by marking, for each node, to which virtual subtree it is part of. This can be achieved by assigning a special namespace to the concerned nodes. For example, one could easily add the namespace “service:vpn” (or any significant string for that matter) to the XML

nodes of the original tree to mark them individually as part of the VPN service virtual subtree. As stated in the XML naming specification [4], multiple namespace prefixes can be declared as attributes of a single element; it is therefore possible to superimpose any number of virtual subtrees transparently over an already defined structure. Querying a virtual subtree then proceeds in the same way as querying the original tree. B. Benefits of the method The advantages of using virtual clustering of configuration information are manifold. First, one can query a device configuration by following the original get-config syntax using subtree filtering. It suffices to formulate the request by asking for the whole configuration and filtering only by the special namespace. Although the service dependencies are expressed in a formal tree logic, no XPath, Configuration Logic or XQuery is required, neither on the client or server side at the moment the request is processed. Therefore, the suggested method gracefully degrades on systems that do not support virtual trees: in this case, namespaces could simply be ignored, and one is reverted back to the standard mechanism for configuration retrieval. Another advantage is that it provides a finer granularity over security and access control; based on the identity of the querying user, only a certain number of virtual subtrees can be made available, and any parameter that falls outside of these selected clusters is automatically excluded from any request/response this user makes without any explicit control on the device. For example, user johndoe could only be allowed access to namespaces “service:acl” and “service:vlan” and would not be able to see any node elsewhere. The method provides a decoupling between the internal representation of information and the access method. Instead for a device of gathering the whole configuration and then filter (multiple times) the XML tree to produce the result set, the device can run pre-scripted operations that only gather and build the required XML tree. If the virtual tree is intelligently built, it will at the same time reduce the number of times such calls are made by giving all the required information in one call. The method can also warn about potential side-effects in other services; by building one virtual tree per set of service dependencies, it suffices to look at what other virtual subtrees a particular node is also attached. Finally, one should remark that the proposed method does not impose too much load on the device: the analysis of each services’ dependencies can be computed a priori and each virtual tree can be statically defined and remains valid until dependencies are modified. In a Netconf context, at the limit, only a minimal support of XPath in needed on the device side (if at all), as all the complex statements required to obtain specific parts of a configuration can all be predefined. IV. C ONCLUSION AND F UTURE W ORK In this paper, we have shown how dependencies between multiple parameters in network services configuration constrains the way in which this configuration information must

be accessed and modified. We used these rules to provide a systematic algorithm that creates a semantic clustering of the parameters called a virtual subtree, and showed how such subtrees can improve configuration consistency, security, and be superimposed with minimal interference over current configuration protocols, in particular the Netconf protocol. This approach opens the way to numerous avenues for future work. Even more efficient configuration views could be computed by relaxing the hierarchical relationship between nodes of a virtual subtree. The parenthood relationship of the original configuration needs not be preserved when building a virtual subtree; in such a case some formal notation is needed to precise the final structure of the subtree with respect to the original. In other words, building a virtual subtree could amount to gathering a subset of nodes from an original tree structure, and possibly reorganizing them before presenting them to the user. Moreover, if one considers the integrity of an entire network instead of a single device, one can try extending the approach to multi-device contexts where a same virtual subtree collects parameters dispersed in more than one device. The virtual subtree idea could be a key concept helping consistently manage federated virtual configurations. R EFERENCES [1] DSP0111 Common information model (CIM) core model, version 2.4, August 2000. [2] First International Conference on Innovative Computing, Information and Control (ICICIC 2006), 30 August - 1 September 2006, Beijing, China. IEEE Computer Society, 2006. [3] S. Boag, D. Chamberlin, M. F. Fernández, D. Florescu, J. Robie, and J. Siméon. XQuery 1.0: An XML query language, W3C working draft, 2005. [4] T. Bray, D. Hollander, A. Layman, and R. Tobin. Namespaces in XML 1.0, W3C recommendation, August 2001. [5] J. Clark and S. DeRose. XML path language (XPath) version 1.0, W3C recommendation, 1999. [6] D. Cleary, B. Danev, and D. O’Donoghue. Using ontologies to simplify wireless network configuration. In FOMI, 2005. [7] V. Cridlig, H. Abdelnur, J. Bourdellon, and R. State. A NetConf network management suite: ENSUITE. In T. Magedanz, E. R. M. Madeira, and P. Dini, editors, IPOM, volume 3751 of Lecture Notes in Computer Science, pages 152–161. Springer, 2005. [8] S. DeRose, E. Maler, and D. Orchard. XML linking language (XLink) version 1.0, W3C recommendation, June 2001. [9] R. Enns, M. Bjorklund, J. Schœnwælder, and A. Bierman. Netconf configuration protocol, IETF RFC 6241, June 2011. [10] S. Hallé, R. Deca, O. Cherkaoui, and R. Villemaire. Automated validation of service configuration on network devices. In J. B. Vicente and D. Hutchison, editors, MMNS, volume 3271 of Lecture Notes in Computer Science, pages 176–188. Springer, 2004. [11] M. R. MacFaden, D. Partain, J. Saperia, and W. F. Tackabury. Configuring networks and devices with simple network management protocol (snmp). (RFC 3512), April 2003. [12] E. C. Rosen and Y. Rekhter. BGP/MPLS VPNs (RFC 2547), March 1999. [13] J. Rosenberg. The extensible markup language (XML) configuration access protocol (XCAP), RFC 4825, May 2007. [14] J. Strassner. Directory Enabled Networks. New Riders Publishing, 1999. [15] R. Villemaire, S. Hallé, and O. Cherkaoui. Configuration logic: A multisite modal logic. In TIME, pages 131–137. IEEE Computer Society, 2005.