Unearthing ClassBench
I’m working on writing an ACL toolkit as part of an exploration into network-infrastructure-as-code. For the amount of pain that ACL and policy management causes the average network admin, I’m surprised that there aren’t more mature, open solutions out there. Maybe I’m just missing them, but there definitely does not appear to be any de facto tool for this space.
While digging for tools, I came across a master’s thesis and accompanying open-source application called acl-check by Tomas Hozza. This led me to a string of research papers outlining strategies for ACL rule conflict detection. The acl-check tool isn’t actively maintained, but it has a working implementation of the necessary algorithms. I went to work porting them to Go.
Not too far into this process, I needed a way to test my logic. Ideally, I would have a 10,000-line Cisco ACL from a real device to use. Not having one handy, the next best thing (I figure) is to generate one. acl-check uses ClassBench, another research tool that’s a little dusty but functional. The documentation dives right into tuning parameters, but assumes familiarity with the theory. I tried reading the accompanying research paper and technical report; it didn’t really help. Let’s just see if we can figure it out.
Installation
Pull the Filter Set Generator tarball down from the website and crack it open.
$ curl -O http://www.arl.wustl.edu/classbench/db_generator.tar.gz
$ tar -zxvf db_generator.tar.gz
$ cd db_generator
Read the README. Scratch forehead. Continue.
$ make all
g++ -O2 -c db_generator.cc
db_generator.cc:18:1: error: C++ requires a type specifier for all declarations
main(int argc, char *argv[])
^
db_generator.cc:57:14: warning: using the result of an assignment as a condition without parentheses [-Wparentheses]
while (c = *++argv[0]){
~~^~~~~~~~~~~~
db_generator.cc:57:14: note: place parentheses around the assignment to silence this warning
while (c = *++argv[0]){
^
( )
db_generator.cc:57:14: note: use '==' to turn this assignment into an equality comparison
while (c = *++argv[0]){
^
==
1 warning and 1 error generated.
make: *** [db_generator.o] Error 1
Appease the compiler.
diff --git a/db_generator.cc b/db_generator.cc
index 3344759..94f1496 100644
--- a/db_generator.cc
+++ b/db_generator.cc
@@ -15,7 +15,7 @@
#include "custom_db.h"
#include "sys/time.h"
-main(int argc, char *argv[])
+int main(int argc, char *argv[])
{
char filename[1024];
char in_filename[1024];
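Review bot: Adding the explicit `int` return type is the right fix; C++ has never allowed implicit-int declarations, so the old `main(int argc, char *argv[])` only built on lenient older compilers. Since this hunk touches only main(), it is worth checking the other translation units in the tarball for the same pattern before declaring the build portable; a `return 0;` is not needed for main() in C++.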
@@ -54,7 +54,7 @@ main(int argc, char *argv[])
int c = 0;
// Check for switches
while (--argc > 0 && (*++argv)[0] == '-'){
- while (c = *++argv[0]){
+ while ((c = *++argv[0])){
switch (c) {
case 'r':
random = 1;
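Review bot: The doubled parentheses change nothing at runtime; they only tell the compiler that assignment-as-condition is intentional, which it is here since the loop walks the characters of the current switch argument until the NUL terminator. Making that intent explicit, e.g. `while ((c = *++argv[0]) != '\0'){`, silences -Wparentheses just as well and reads more clearly than `(( ))` to the next person who hits this line.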
And try again.
$ make all
$ ./db_generator -h
db_generator is a synthetic filter database generator.
Usage: db_generator -hrb (-c <input parameter file>) <number of filters> <smoothness> <address scope> <port scope> <output filename>
-h displays help menu
-r generates a random database
-b turns on address prefix scaling with database size; note that this alters the skew distribution in the parameter file
-c generates a custom database using an input parameter file
<smoothness> is a parameter [0:64] that injects structured randomness
<address scope> is a parameter [-1.0:1.0] that adjusts the average scope of the address prefixe pairs
<port scope> is a parameter [-1.0:1.0] that adjusts the average scope of the port range pairs
positive values increase scope (favor shorter, less specific address prefixes)
negative values decrease scope (favor longer, more specific address prefixes)
Example: db_generator -bc MyParameters 10000 2 -0.5 0.1 MyFilters10k
ACL Generation
Now we’re cooking. Generate 1000 random lines:
$ ./db_generator -r 1000 random1000.acl
This is what you get:
$ head random1000.acl
@79.72.51.225/13 19.119.189.34/21 6232 : 29072 28781 : 52978 0x3b/0xFF 0x7f06/0xc495
@208.145.51.32/24 94.3.172.9/25 12185 : 36603 18098 : 24975 0x36/0xFF 0x8823/0x6247
@26.60.146.112/19 216.161.80.90/10 41912 : 47000 19092 : 58296 0xca/0xFF 0xb648/0x2804
@131.25.35.226/3 104.117.127.82/23 49351 : 65128 5784 : 35832 0x03/0xFF 0x133d/0xe707
@60.104.235.26/8 176.223.106.7/12 27347 : 44550 560 : 2630 0x5f/0xFF 0x55c8/0xe48b
@41.147.177.157/25 204.22.34.186/19 27020 : 33397 23213 : 55621 0x12/0xFF 0xa6b3/0x4845
@186.132.57.164/13 234.141.138.42/18 35292 : 54650 8307 : 54311 0x0e/0xFF 0x2ab8/0xab91
@237.24.120.83/3 36.20.126.53/27 6407 : 46852 40912 : 64843 0x6d/0xFF 0x26a5/0x93bd
@108.90.2.176/9 76.171.115.159/24 32502 : 59989 5001 : 42780 0x71/0xFF 0x04a1/0x0864
@64.111.177.81/27 245.106.101.36/20 32334 : 36150 33106 : 35704 0x5e/0xFF 0x862a/0xa07c
Columns, in order:
- Source Prefix (with @, reason unknown)
- Destination Prefix
- Source Port Range (start : stop)
- Destination Port Range (start : stop)
- Protocol (in hex with Mask)
- I have no idea. I should probably go back and read the paper again.
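As an added example (not code from the post, acl-check or ClassBench), here is a Go parser for the db_generator line format in the column order just listed, plus the pairwise overlap check that ACL conflict detection starts from. It assumes that layout, treats the unidentified last column as a generic 16-bit value/mask field in the same style as the protocol column, and feeds itself two lines from the acl1_seed output further down plus one broader /24 rule constructed here so that an overlap exists. Names such as Rule, ParseRule and Overlaps are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Rule is one ClassBench filter line; the last value/mask column is kept opaque.
type Rule struct {
	Src, Dst         netip.Prefix
	SrcLo, SrcHi     uint16
	DstLo, DstHi     uint16
	Proto, ProtoMask uint8
	Last, LastMask   uint16
}

// parseMasked splits "0x3b/0xFF" into value and mask, each at most bits wide.
func parseMasked(s string, bits int) (uint64, uint64, error) {
	vm := strings.Split(s, "/")
	if len(vm) != 2 {
		return 0, 0, fmt.Errorf("bad value/mask field %q", s)
	}
	v, err1 := strconv.ParseUint(strings.TrimPrefix(vm[0], "0x"), 16, bits)
	m, err2 := strconv.ParseUint(strings.TrimPrefix(vm[1], "0x"), 16, bits)
	return v, m, errors.Join(err1, err2)
}

// parseRange parses the ends of "lo : hi"; an inverted range would silently match nothing, so reject it.
func parseRange(lo, hi string) (uint16, uint16, error) {
	l, err1 := strconv.ParseUint(lo, 10, 16)
	h, err2 := strconv.ParseUint(hi, 10, 16)
	if err := errors.Join(err1, err2); err != nil || l > h {
		return 0, 0, fmt.Errorf("bad port range %s : %s", lo, hi)
	}
	return uint16(l), uint16(h), nil
}

// ParseRule parses one db_generator output line in the column order listed above.
func ParseRule(line string) (Rule, error) {
	f := strings.Fields(line)
	if len(f) != 10 || !strings.HasPrefix(f[0], "@") || f[3] != ":" || f[6] != ":" {
		return Rule{}, fmt.Errorf("malformed rule %q", line)
	}
	src, e1 := netip.ParsePrefix(strings.TrimPrefix(f[0], "@"))
	dst, e2 := netip.ParsePrefix(f[1])
	slo, shi, e3 := parseRange(f[2], f[4])
	dlo, dhi, e4 := parseRange(f[5], f[7])
	p, pm, e5 := parseMasked(f[8], 8)
	l, lm, e6 := parseMasked(f[9], 16)
	if err := errors.Join(e1, e2, e3, e4, e5, e6); err != nil {
		return Rule{}, fmt.Errorf("rule %q: %w", line, err)
	}
	return Rule{Src: src, Dst: dst, SrcLo: slo, SrcHi: shi, DstLo: dlo, DstHi: dhi,
		Proto: uint8(p), ProtoMask: uint8(pm), Last: uint16(l), LastMask: uint16(lm)}, nil
}

// Overlaps reports whether some packet could match both rules. Prefixes intersect iff the
// shorter one contains the other's address; port ranges iff neither ends before the other
// starts; masked fields iff the values agree on every bit that both masks care about.
func Overlaps(a, b Rule) bool {
	return (a.Src.Contains(b.Src.Addr()) || b.Src.Contains(a.Src.Addr())) &&
		(a.Dst.Contains(b.Dst.Addr()) || b.Dst.Contains(a.Dst.Addr())) &&
		a.SrcLo <= b.SrcHi && b.SrcLo <= a.SrcHi &&
		a.DstLo <= b.DstHi && b.DstLo <= a.DstHi &&
		a.Proto&a.ProtoMask&b.ProtoMask == b.Proto&a.ProtoMask&b.ProtoMask &&
		a.Last&a.LastMask&b.LastMask == b.Last&a.LastMask&b.LastMask
}

// OverlappingPairs parses the lines and returns every 0-based index pair whose rules
// can match a common packet.
func OverlappingPairs(lines []string) ([][2]int, error) {
	rules := make([]Rule, len(lines))
	for i, ln := range lines {
		var err error
		if rules[i], err = ParseRule(ln); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
	}
	var pairs [][2]int
	for i := range rules {
		for j := i + 1; j < len(rules); j++ {
			if Overlaps(rules[i], rules[j]) {
				pairs = append(pairs, [2]int{i, j})
			}
		}
	}
	return pairs, nil
}

// sample: two lines from the acl1_seed output plus one broader /24 rule constructed
// for this example so that overlaps exist.
var sample = []string{
	"@113.27.93.252/32 169.113.96.221/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200",
	"@113.27.93.252/32 169.113.96.221/32 0 : 65535 1433 : 1433 0x06/0xFF 0x1000/0x1000",
	"@113.27.93.0/24 169.113.96.0/24 0 : 65535 1024 : 2048 0x06/0xFF 0x0000/0x0000",
}

func main() { fmt.Println(OverlappingPairs(sample)) } // [[0 2] [1 2]] <nil>
```

Overlap is the necessary condition for any rule conflict, but not the classification: deciding whether a pair is shadowing, redundancy or a correlation also needs the rules' order and their permit/deny action, and the db_generator lines carry neither, so a test harness built on them has to assign actions itself.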
We have ACLs, but they don’t look quite normal. Fortunately, the website provides some seed parameter files that should get us closer to a real filter set. Let’s try that.
$ curl -O http://www.arl.wustl.edu/classbench/parameter_files.tar.gz
$ tar -zxvf parameter_files.tar.gz
$ ./db_generator -bc parameter_files/acl1_seed 1000 2 -0.5 0.1 1000acl1.acl
$ head 1000acl1.acl
@113.27.93.169/32 152.217.82.139/32 0 : 65535 1526 : 1526 0x06/0xFF 0x0000/0x0200
@113.27.93.178/32 100.128.165.211/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.112.39.157/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.113.96.220/32 0 : 65535 32201 : 32201 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.113.96.221/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
@113.27.93.252/32 169.113.96.221/32 0 : 65535 1433 : 1433 0x06/0xFF 0x1000/0x1000
@113.27.93.216/32 169.113.96.221/32 0 : 65535 1489 : 1489 0x06/0xFF 0x0000/0x0200
@113.27.93.216/32 196.85.136.63/32 0 : 65535 1521 : 1521 0x06/0xFF 0x1000/0x1000
@113.27.93.195/32 202.123.4.63/32 0 : 65535 1704 : 1704 0x06/0xFF 0x1000/0x1000
@113.27.93.201/32 213.195.248.41/32 0 : 65535 1521 : 1521 0x06/0xFF 0x0000/0x0200
Much better. I’ll expand the post once I figure out more of what’s going on. In the meantime, Happy access controlling!