Research On Fast Network Verification Method Based On Lightweight Multilayer Model

Posted on: 2022-11-05
Degree: Master
Type: Thesis
Country: China
Candidate: B T Zhou
GTID: 2518306764977809
Subject: Automation Technology

Abstract/Summary:
With the rapid development of network technology, the distributed network control plane is becoming more and more complex. To meet the routing and forwarding requirements of different service traffic, the control plane runs a variety of routing protocols, whose configuration parameters are numerous and very flexible, and the device configuration languages differ from one manufacturer to another. Incorrect configuration may cause network interruption and other security incidents, which makes configuring and maintaining the network a challenging and error-prone process. Ensuring the security and availability of the network therefore requires verifying the network configuration on the control plane, and this verification faces severe challenges: existing tools for verifying network configuration suffer from problems such as slow verification speed and excessive system resource consumption. To solve these problems, the research goal of this thesis is to build a lightweight network verification model for real network configuration scenarios such as campus networks, and to implement corresponding verification methods for network security policies and availability policies that achieve fast verification while reducing the consumption of system resources during verification. The research content and contributions of this thesis mainly comprise the following three parts.

Firstly, a lightweight multilayer network verification model based on the abstract control plane representation is designed. The verification model of the abstract control plane representation is a set of single-layer directed graphs, which consumes fewer resources but lacks modeling of some key routing protocol attributes and has limited application scenarios. Therefore, to reduce resource consumption during verification, this thesis builds on the abstract control plane representation, extends its single-layer graph model to a multilayer graph model, and decouples the functions of the graph model. The multilayer network verification model can address some of the key routing protocol attributes that are missing from the abstract control plane representation. In the experimental results, compared with other commonly used verification models, as the number of network devices increases, the network verification model in this thesis reduces the model construction time by 1-20 times, reduces the CPU usage time by about half, and reduces the physical memory usage by 10%-30% under different network scales.

Secondly, a network security policy verification method based on improved breadth-first search is studied and proposed. Verifying a security policy requires checking whether the configuration of specific protocol labels in the network is performed in a certain order. Therefore, to speed up verification, this thesis draws on the relevant graph traversal algorithm and proposes a network security policy verification method based on breadth-first search. In the experimental results, as the number of network devices increases, the verification speed of this method is 20 times that of the Minesweeper verification method and 2 times faster than that of the Tiramisu verification method, and the peak CPU ratio is reduced by about 16%.

Finally, a network availability policy verification method based on integer linear programming is studied. To speed up verification, this thesis uses integer linear programming to set the relevant constraints for the different availability policy verification methods, which reduces the modeling of network attributes unrelated to the target policy and can add the key protocol attributes that the abstract control plane representation does not consider. In the experimental results, at small network scale, this method reduces the number of virtual machine memory recycling operations compared with other availability policy verification methods. Compared with Minesweeper's method, the verification speedup gradually increases to 18 times as the network scale increases.
Keywords/Search Tags: Network Verification, Multilayer Network, Breadth-First Search, Integer Linear Programming