Unearthing ClassBench

I’m working on writing an ACL toolkit as part of an exploration into network-infrastructure-as-code. For the amount of pain that ACL and policy management causes the average network admin, I’m surprised that there aren’t more mature, open solutions out there. Maybe I’m just missing them, but there definitely does not appear to be any de facto tool for this space.

While digging for tools, I came across a master’s thesis and accompanying open-source application called acl-check by Tomas Hozza. This led me to a string of research papers outlining strategies for ACL rule conflict detection. The acl-check tool isn’t actively maintained, but has a working implementation of the necessary algorithms. I went to work porting them to Go.

Not too far into this process, I needed a way to test my logic. Ideally, I would have a 10,000-line Cisco ACL from a real device to use. Not having one handy, the next best thing (I figure) is to generate one. acl-check uses ClassBench, another research tool that’s a little dusty but functional. The documentation dives right into tuning parameters, but assumes familiarity with the theory. I tried reading the accompanying research paper and technical report; it didn’t really help. Let’s just see if we can figure it out.

Installation

Pull the Filter Set Generator tarball down from the website and crack it open.

$ curl -O http://www.arl.wustl.edu/classbench/db_generator.tar.gz
$ tar -zxvf db_generator.tar.gz
$ cd db_generator

Read the README. Scratch forehead. Continue.

$ make all
g++ -O2 -c db_generator.cc
db_generator.cc:18:1: error: C++ requires a type specifier for all declarations
main(int argc, char *argv[])
^
db_generator.cc:57:14: warning: using the result of an assignment as a condition without parentheses [-Wparentheses]
    while (c = *++argv[0]){
           ~~^~~~~~~~~~~~
db_generator.cc:57:14: note: place parentheses around the assignment to silence this warning
    while (c = *++argv[0]){
             ^
           (             )
db_generator.cc:57:14: note: use '==' to turn this assignment into an equality comparison
    while (c = *++argv[0]){
             ^
             ==
1 warning and 1 error generated.
make: *** [db_generator.o] Error 1

Appease the compiler.

diff --git a/db_generator.cc b/db_generator.cc
index 3344759..94f1496 100644
--- a/db_generator.cc
+++ b/db_generator.cc
@@ -15,7 +15,7 @@
 #include "custom_db.h"
 #include "sys/time.h"

-main(int argc, char *argv[])
+int main(int argc, char *argv[])
 {
   char filename[1024];
   char in_filename[1024];
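Review bot: declaring `int main` is the right fix, but consider adding an explicit `return 0;` at the end of the function rather than relying on C++'s implicit return from `main`, so the exit status is obvious to the next reader. While touching this function, it is also worth verifying that the fixed-size `char filename[1024]` and `char in_filename[1024]` buffers shown in the context are only ever filled with a bounded copy (`snprintf` or `strncpy` with the buffer size) of the command-line arguments, since this change does not look at how they are populated.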
@@ -54,7 +54,7 @@ main(int argc, char *argv[])
   int c = 0;
   // Check for switches
   while (--argc > 0 && (*++argv)[0] == '-'){
-    while (c = *++argv[0]){
+    while ((c = *++argv[0])){
       switch (c) {
       case 'r':
        random = 1;
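Review bot: the doubled parentheses in `while ((c = *++argv[0]))` are the conventional way to tell the compiler the assignment is intentional, and the loop behaviour is unchanged since it still stops at the NUL that terminates every `argv` string; a short comment such as `// intentional assignment: step through the switch characters` above the line would spare the next reader the same double-take the warning caused here.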

And try again.

$ make all
$ ./db_generator -h
db_generator is a synthetic filter database generator.
Usage: db_generator -hrb (-c <input parameter file>) <number of filters> <smoothness> <address scope> <port scope> <output filename>
         -h displays help menu
         -r generates a random database
         -b turns on address prefix scaling with database size; note that this alters the skew distribution in the parameter file
         -c generates a custom database using an input parameter file
         <smoothness> is a parameter [0:64] that injects structured randomness
         <address scope> is a parameter [-1.0:1.0] that adjusts the average scope of the address prefixe pairs
         <port scope> is a parameter [-1.0:1.0] that adjusts the average scope of the port range pairs
                 positive values increase scope (favor shorter, less specific address prefixes)
                 negative values decrease scope (favor longer, more specific address prefixes)

Example: db_generator -bc MyParameters 10000 2 -0.5 0.1 MyFilters10k

ACL Generation

Now we’re cooking. Generate 1000 random lines:

$ ./db_generator -r 1000 random1000.acl

This is what you get:

$ head random1000.acl
@79.72.51.225/13        19.119.189.34/21        6232 : 29072    28781 : 52978   0x3b/0xFF       0x7f06/0xc495
@208.145.51.32/24       94.3.172.9/25   12185 : 36603   18098 : 24975   0x36/0xFF       0x8823/0x6247
@26.60.146.112/19       216.161.80.90/10        41912 : 47000   19092 : 58296   0xca/0xFF       0xb648/0x2804
@131.25.35.226/3        104.117.127.82/23       49351 : 65128   5784 : 35832    0x03/0xFF       0x133d/0xe707
@60.104.235.26/8        176.223.106.7/12        27347 : 44550   560 : 2630      0x5f/0xFF       0x55c8/0xe48b
@41.147.177.157/25      204.22.34.186/19        27020 : 33397   23213 : 55621   0x12/0xFF       0xa6b3/0x4845
@186.132.57.164/13      234.141.138.42/18       35292 : 54650   8307 : 54311    0x0e/0xFF       0x2ab8/0xab91
@237.24.120.83/3        36.20.126.53/27 6407 : 46852    40912 : 64843   0x6d/0xFF       0x26a5/0x93bd
@108.90.2.176/9 76.171.115.159/24       32502 : 59989   5001 : 42780    0x71/0xFF       0x04a1/0x0864
@64.111.177.81/27       245.106.101.36/20       32334 : 36150   33106 : 35704   0x5e/0xFF       0x862a/0xa07c

Columns, in order:

We have ACLs, but they don’t look quite normal. Fortunately, the website provides some seed parameter files that should get us closer to a real filter set. Let’s try that.

$ curl -O http://www.arl.wustl.edu/classbench/parameter_files.tar.gz
$ tar -zxvf parameter_files.tar.gz
$ ./db_generator -bc parameter_files/acl1_seed 1000 2 -0.5 0.1 1000acl1.acl
$ head 1000acl1.acl
@113.27.93.169/32 152.217.82.139/32 0 : 65535 1526 : 1526 0x06/0xFF 0x0000/0x0200
@113.27.93.178/32 100.128.165.211/32  0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.112.39.157/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.113.96.220/32 0 : 65535 32201 : 32201 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.113.96.221/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.113.96.221/32 0 : 65535 1433 : 1433 0x06/0xFF 0x1000/0x1000
@113.27.93.216/32 169.113.96.221/32 0 : 65535 1489 : 1489 0x06/0xFF 0x0000/0x0200
@113.27.93.216/32 196.85.136.63/32  0 : 65535 1521 : 1521 0x06/0xFF 0x1000/0x1000
@113.27.93.195/32 202.123.4.63/32 0 : 65535 1704 : 1704 0x06/0xFF 0x1000/0x1000
@113.27.93.201/32 213.195.248.41/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
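
Since the point of generating these files is to feed a conflict detector, here is a small Go parser for db_generator's output lines together with a pairwise overlap check, the first question any rule-conflict algorithm has to answer. This is an added example, not code from the post, from acl-check or from ClassBench. The column mapping it assumes (source prefix, destination prefix, source port range, destination port range, protocol/mask, flags/mask) is my reading of the ClassBench filter-set format; the post itself does not list the columns. Two of the sample rules are taken from the seeded run above and the third, a /24 rule, is constructed to show an overlap.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Filter is one ClassBench rule: source prefix, destination prefix, source and
// destination port ranges, protocol/mask, flags/mask (column order as I read the format).
type Filter struct {
	Src, Dst         *net.IPNet
	SrcPort, DstPort [2]uint16 // inclusive [low, high]
	Proto, ProtoMask uint8
	Flags, FlagsMask uint16
}

// num parses one numeric token (base 0 accepts the 0x.. columns); the first failure is kept in *err.
func num(s string, base, bits int, err *error) uint64 {
	v, e := strconv.ParseUint(s, base, bits)
	if e != nil && *err == nil {
		*err = fmt.Errorf("bad number %q: %w", s, e)
	}
	return v
}

// ParseFilter parses one output line of db_generator.
func ParseFilter(line string) (f Filter, err error) {
	t := strings.Fields(line)
	// Expected tokens: @src dst lo : hi lo : hi proto/mask flags/mask
	if len(t) != 10 || !strings.HasPrefix(t[0], "@") || t[3] != ":" || t[6] != ":" {
		return f, fmt.Errorf("unexpected layout: %q", line)
	}
	if _, f.Src, err = net.ParseCIDR(t[0][1:]); err != nil {
		return f, err
	}
	if _, f.Dst, err = net.ParseCIDR(t[1]); err != nil {
		return f, err
	}
	f.SrcPort = [2]uint16{uint16(num(t[2], 10, 16, &err)), uint16(num(t[4], 10, 16, &err))}
	f.DstPort = [2]uint16{uint16(num(t[5], 10, 16, &err)), uint16(num(t[7], 10, 16, &err))}
	pr, fl := strings.SplitN(t[8], "/", 2), strings.SplitN(t[9], "/", 2)
	if len(pr) != 2 || len(fl) != 2 {
		return f, fmt.Errorf("bad value/mask column in %q", line)
	}
	f.Proto, f.ProtoMask = uint8(num(pr[0], 0, 8, &err)), uint8(num(pr[1], 0, 8, &err))
	f.Flags, f.FlagsMask = uint16(num(fl[0], 0, 16, &err)), uint16(num(fl[1], 0, 16, &err))
	if err != nil {
		return f, err
	}
	if f.SrcPort[0] > f.SrcPort[1] || f.DstPort[0] > f.DstPort[1] {
		return f, fmt.Errorf("inverted port range in %q", line)
	}
	return f, nil
}

// Overlaps reports whether some packet could match both filters, the core test
// in rule-conflict detection: prefixes nest, port ranges intersect, and the
// protocol/flag bits agree wherever both masks care.
func (f Filter) Overlaps(g Filter) bool {
	nest := func(a, b *net.IPNet) bool { return a.Contains(b.IP) || b.Contains(a.IP) }
	meet := func(a, b [2]uint16) bool { return a[0] <= b[1] && b[0] <= a[1] }
	return nest(f.Src, g.Src) && nest(f.Dst, g.Dst) &&
		meet(f.SrcPort, g.SrcPort) && meet(f.DstPort, g.DstPort) &&
		(f.Proto^g.Proto)&f.ProtoMask&g.ProtoMask == 0 &&
		(f.Flags^g.Flags)&f.FlagsMask&g.FlagsMask == 0
}

// sample: two lines from the seeded run above plus one constructed /24 rule (not generator output).
const sample = `@113.27.93.252/32 169.113.96.221/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.113.96.220/32 0 : 65535 32201 : 32201 0x06/0xFF 0x0000/0x0200
@113.27.93.0/24 169.113.96.0/24 0 : 65535 1024 : 2048 0x06/0xFF 0x0000/0x0000`

// ParseLines parses a block of generator output, skipping blank lines.
func ParseLines(text string) ([]Filter, error) {
	var fs []Filter
	for i, l := range strings.Split(text, "\n") {
		if strings.TrimSpace(l) == "" {
			continue
		}
		f, err := ParseFilter(l)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		fs = append(fs, f)
	}
	return fs, nil
}

func main() {
	fs, err := ParseLines(sample)
	if err != nil {
		panic(err)
	}
	// Only the constructed /24 rule overlaps the host-specific rule on port 1521.
	fmt.Println("0 vs 1:", fs[0].Overlaps(fs[1]), " 0 vs 2:", fs[0].Overlaps(fs[2]), " 1 vs 2:", fs[1].Overlaps(fs[2]))
}
```

Running the parser over both outputs above makes the difference between the two runs concrete: the `-r` lines carry things like a /3 source prefix, protocol 0x3b and random port ranges, which no device ACL contains, so a conflict detector exercised only on random output never sees the nested-prefix, exact-port overlaps that real rule sets produce. The seeded output (TCP, /32 hosts, single destination ports) is the kind of input worth testing against.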

Much better. I’ll expand the post once I figure out more of what’s going on. In the meantime, Happy access controlling!
