Mining Policies From Enterprise Network Configuration

Few studies so far have examined the nature of reachability policies in enterprise networks. A better understanding of reachability policies could both inform future approaches to network design as well as current network configuration mechanisms. In this paper, the authors introduce the notion of a policy unit, which is an abstract representation of how the policies implemented in a network apply to different network hosts. They develop an approach for reverse-engineering a network's policy units from its router configuration. They apply this approach to the configurations of five productions networks, including three university and two private enterprises.