Acl - CCNA CISCO PACKET TRACER
Abstract—Network configuration remains time-consuming and error-prone with the current configuration command system. Creating access control lists (ACLs) with commands containing many options is still considered a difficult task. In light of this, we aim to develop a comprehensible way to construct ACLs. Based on Eliza, an early artificial intelligence prototype, we propose a new design called EASYACL that synthesizes ACL rules automatically from natural language descriptions. EASYACL demonstrates the effectiveness of domain-specific program synthesis. Through the use of natural language, ACL rules can be constructed without an excessive number of options or rigid syntax. By introducing batch processing, we make it possible for users to apply configurations to a range of IP addresses rather than tediously repeating commands. EASYACL supports multiple platforms through an intermediate representation which may be ported to the commands for both Cisco and Juniper devices. The comprehensible commands are friendly for encapsulation as well as reuse. EASYACL enables end-users with no prior programming experience to construct ACLs in a natural way, which lowers the bar for security management training and also reduces errors in network administration.

1. Introduction

An Access Control List (ACL), with respect to the network system, is a list of permissions attached to a certain network [1]. Configuration mistakes can cause network outages, degradation in performance, and security vulnerabilities. For example, installing the wrong packet filter, filtering valid routes, advertising an incorrect block of IP addresses, or assigning the same IP address to multiple pieces of equipment can all lead to reachability problems [2].

With an empirical analysis of the configuration process plus a thorough survey of network administrators in our department, we found a few complications to be the main troublemakers. The misuse of configuration options is one of the issues brought up most often. For ACL configuration commands, options are critical: they enlarge the semantic sets with a succinct syntax. However, the large number of abbreviated options is confusing for network administrators, especially those who are not apprenticed. Take the IP permit command as an example: there are in total six options that it accepts. Permitting network flows of a specific type needs a few options filled out by the administrator, who is required to read the specification carefully to avoid possible mistakes. Listing 1 demonstrates the IP permit command syntax [3] and the details of each option are described in Table 1. Writing a correct permit command is difficult with these complex options to consider. Additionally, the command is case-sensitive. Therefore, it is very likely for a careless administrator to misuse an option or two.

Listing 1: IP permit command syntax
    permit {gre | icmp | tcp | udp | ip | proto-num} {source-ip [wildcard] | host source-ip | any} {dest-ip [wildcard] | host dest-ip | any}

TABLE 1: Details for IP permit command syntax
    Keyword      Details
    host         Matches the following IP address.
    any          Matches any IP address.
    gre          Matches packets using the Generic Routing Encapsulation protocol.
    ip           Matches all IP packets.
    tcp          Matches packets using the TCP protocol.
    udp          Matches packets using the UDP protocol.
    dest-ip      Destination IP address.
    icmp         Matches ICMP packets.
    proto-num    (Optional) IP protocol number.
    icmp-type    (Optional) Matches by ICMP message type (0-255).
    code         (Optional) Used with icmp-type to further match by ICMP code type (0-255).
    operator     (Optional) Operator to use with specified ports.
    port         (Optional) Port, using a number (0-65535) or a keyword.
    established  (Optional) Matches TCP packets with the acknowledgment or reset bits set.
    icmp-msg     (Optional) Matches by a combination of ICMP message type and code types.

On the other hand, the platform dependency of syntax makes the case more complicated. Network companies maintain their own operating systems, and with platform-specific syntaxes the ACL configurations are entirely different. Cisco and Juniper are two main network device manufacturers and each has its own configuration syntax. If one wants to permit HTTP traffic from IP 172.21.1.1 to IP 172.21.1.15, the Cisco configuration and Juniper configuration are as follows:

    # Cisco command
    permit tcp host 172.21.1.1 host 172.21.1.15 eq 443

    # Juniper command
    filter 1 {
        term T1 {
            from {
                source-address {
                    172.21.1.1/32;
                }
                destination-address {
                    172.21.1.15/32;
                }
                protocol tcp;
                destination-port 443;
            }
            then {
                accept;
            }
        }
    }

As demonstrated in this example, the syntax of Cisco ACL configuration commands is distinct from what the Juniper system adopts. While Cisco commands are designed to be imperative, Juniper's are object-oriented [4]. Because of these distinctions, people have to learn different syntaxes when they change platforms, which adds more hurdles to the network engineering training process.

Formal language synthesis has been discussed for a few applications, including spreadsheet commands [5], SQL queries [6], and even input grammars [7]. In this study, to lower the bar of entry for network administration training and reduce configuration complexity, we propose EASYACL, a tool that synthesizes ACL configuration commands for different platforms directly from natural language descriptions. To overcome the challenge of option specifications, we introduce a natural language interpretation system which accepts descriptions with considerable flexibility and synthesizes the target commands directly by extracting the semantics with a rule-based natural language processing method. To avoid a redundant training process, EASYACL can port the synthesized commands to different platforms, namely Cisco and Juniper at the current stage. We also demonstrate the practical use of troubleshooting existing ACL configuration errors through a common mistake among network engineers. Our tool is the first that synthesizes ACL rules from natural language descriptions and proposes a unified interpretation system that connects different platforms. We also provide a rangelist function that allows users to perform batch updates for the network configuration. This function remarkably reduces the workload when the same configuration is applied to a range of IP addresses.

The rest of this paper is organized as follows. We describe the overview with a clear problem statement and our basic idea in Section 2. We also provide a running example for demonstrating the basic idea in Section 3. We detail the design of each module in our method and explain the rationale together with how we implement it in practice in Section 4. Then, we discuss the usefulness and usability of the proposed tool with real-world use cases in Section 5. We discuss the current implementation in Section 6 and draw the conclusion in Section 7.

2. Overview

We are proposing a tool that synthesizes commands P in the ACL configuration syntaxes from natural language descriptions N. Essentially, our goal is to 1) extract the semantics of commands described in natural language and interpret them into an abstracted intermediate language; 2) port the intermediate representation to a specific platform with a target syntax. By design, there are two main challenges: natural language processing and semantic abstraction.

To be more specific, the first step of the proposed tool is to understand natural language descriptions. Natural Language Processing is widely discussed by researchers with various kinds of solutions, either statistics-based [8] or rule-based [9], [10]. Recently, researchers have tended to adopt statistics-based methods when there are adequate data to train and test. However, the rule-based method is more efficient in specific domains since it does not require many computational resources, and error analysis is more natural to perform. In our scenario, the system is required to understand human descriptions over a specific domain. Therefore, the variations of the descriptions are limited. Due to the lack of training data and aiming for a fast solution, we initialize our idea with a rule-based natural language processing system. The extracted semantics will be marked with an IR (intermediate representation) and then ported to commands in the target syntax specified by the user. We will use a running example to show the entire working flow.

3. A Running Example

We have proposed a tool that synthesizes ACL configuration commands from natural language descriptions. Additionally, the synthesized commands should be actively ported to different platforms with the corresponding syntax. For example, suppose we want to create a list of ACL rules:

    Permit the RDP traffic for port 80 from IP address 192.168.0.11 to all the others.

In the first step, our tool should understand that this is a permit rule and the kind of traffic it wants to permit is RDP traffic. The permission is performed over port 80 and the source IP address is 192.168.0.11. All the other IP addresses are specified as the destination. Therefore, our tool will generate the commands, such that:

    type: permit
    traffic: RDP
    port: 80
    source: 192.168.0.11
    destination: Others

We need a sound and complete interpretation of the natural language description which can later be precisely ported to a specific platform, either Cisco or Juniper in our current design. Thus, we have

    # Cisco
    permit tcp 192.168.0.11 any eq 80
    # Juniper
    filter 1 {
        term T1 {
            from {
                protocol rdp;
                destination-port 80;
            }
            then {
                permit;
            }
        }
    }
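The flow of the running example, decomposition into Predicate, Option, Number and Redundant tokens, reassembly into the IR, and porting to the Cisco and Juniper syntaxes, as an added Python illustration; this is not EASYACL's code. The word lists, the single clause-matching rule and the Junos `accept`/`discard` actions are assumptions standing in for the 73 rules the paper mentions, and for a single address it emits the `host` form of Listing 1 rather than the bare address shown in the Cisco line above.

```python
import ipaddress
import re

# Constructed vocabulary for the four token kinds of Section 4.1; EASYACL's own
# 73 rules are not on the page, so these word lists are assumptions.
PREDICATES = {"permit": "permit", "allow": "permit", "deny": "deny", "block": "deny", "from": "from", "to": "to"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "gre", "rdp", "http", "https", "ssh", "telnet"}
OPTIONS = PROTOCOLS | {"port", "address"}
ANY_WORDS = {"any", "others", "everyone", "everything", "anywhere"}
NUMBER_RE = re.compile(r"^(\d+|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$")
TCP_APPS = {"RDP", "HTTP", "HTTPS", "SSH", "TELNET"}  # application names ported as tcp

def decompose(sentence):
    """Decomposition rule: tag every word, dropping Redundant tokens."""
    words = re.findall(r"\d[\d./]*\d|\w+", sentence.lower())
    tokens = []
    for i, word in enumerate(words):
        if word == "ip" and i + 1 < len(words) and words[i + 1] == "address":
            continue  # "IP address" is filler, not the IP protocol
        if word in PREDICATES:
            tokens.append(("Predicate", PREDICATES[word]))
        elif word in OPTIONS:
            tokens.append(("Option", word))
        elif word in ANY_WORDS:
            tokens.append(("Number", "any"))
        elif NUMBER_RE.match(word):
            tokens.append(("Number", word))
        # any other word is a Redundant token and carries no semantics
    return tokens

def number_after(tokens, i):
    """The Number token of the clause opened at token i, or None."""
    for kind, value in tokens[i + 1:]:
        if kind == "Number":
            return value
        if kind == "Predicate":  # the next clause started, nothing found
            return None
    return None

def interpret(sentence):
    """Reassemble the tokens into the IR of Section 3."""
    tokens = decompose(sentence)
    ir = {"type": None, "traffic": "ANY", "port": "ANY", "source": None, "destination": None}
    for i, (kind, value) in enumerate(tokens):
        if kind == "Predicate" and value in ("permit", "deny"):
            ir["type"] = value
        elif kind == "Option" and value in PROTOCOLS:
            ir["traffic"] = value.upper()
        elif kind == "Option" and value == "port":
            ir["port"] = number_after(tokens, i) or ir["port"]
        elif kind == "Predicate" and value in ("from", "to"):
            ir["source" if value == "from" else "destination"] = number_after(tokens, i)
    missing = [k for k, v in ir.items() if v is None]
    if missing:  # Section 3: ambiguity is sent back for confirmation, never guessed
        raise ValueError("please confirm: " + ", ".join(missing))
    return ir

def proto(ir):
    return "ip" if ir["traffic"] == "ANY" else "tcp" if ir["traffic"] in TCP_APPS else ir["traffic"].lower()

def to_cisco(ir):
    """Port the IR to one IOS extended ACL entry in the syntax of Listing 1."""
    def addr(a):
        if a == "any":
            return "any"
        if "/" in a:
            net = ipaddress.ip_network(a, strict=False)
            return f"{net.network_address} {net.hostmask}"  # wildcard = inverse mask
        return f"host {a}"
    line = f"{ir['type']} {proto(ir)} {addr(ir['source'])} {addr(ir['destination'])}"
    return line if ir["port"] == "ANY" else f"{line} eq {ir['port']}"

def to_juniper(ir, term="T1"):
    """Port the same IR to a Junos firewall filter term (object style)."""
    cidr = lambda a: a if "/" in a else f"{a}/32"
    clauses = [c for keep, c in (
        (ir["source"] != "any", f"source-address {{ {cidr(ir['source'])}; }}"),
        (ir["destination"] != "any", f"destination-address {{ {cidr(ir['destination'])}; }}"),
        (ir["traffic"] != "ANY", f"protocol {proto(ir)};"),
        (ir["port"] != "ANY", f"destination-port {ir['port']};")) if keep]
    action = "accept" if ir["type"] == "permit" else "discard"
    inner = "".join(f"            {c}\n" for c in clauses)
    return (f"filter 1 {{\n    term {term} {{\n        from {{\n{inner}        }}\n"
            f"        then {{\n            {action};\n        }}\n    }}\n}}")
```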
If there is an ambiguity in the natural language description, our tool will actively inquire for confirmation before generating the target commands. By providing a simple way for network engineers to configure access control lists, we lower the entry bar for the training process and create a method for cross-platform configurations. It will potentially reduce the error rate in network security engineering.

4. Design

EASYACL is simply a system for creating network access control lists. It operates by receiving natural language inputs, interpreting them, and responding with two sequential and distinct outputs: a natural language response which indicates understanding and initiation of the end-user's desired action, and the synthesis of the correctly formatted command for that action. In this section, we detail the techniques leveraged in building EASYACL. As demonstrated in the running example, EASYACL extracts the semantics from commands in natural language and interprets them into system commands for different platforms. To better support different platforms, we incorporated an IR (Intermediate Representation) into the system. In addition, we also leverage a rangelist for batch updates, which makes the system more user-friendly.

4.1. Natural Language Processing

To extract the semantics from natural language descriptions, EASYACL utilizes a rule-based method originating from Eliza [11], a primitive AI prototype. The system is built upon the assumption that the structures of natural language descriptions in a specific domain are limited. We leverage this heuristic for constructing rules that can extract the intrinsic semantics of sentences. There are two types of rules in Eliza, the decomposition rules and the reassemble rules. As shown in the following example, the decomposition rules are used to decompose complete sentences into tokens. We defined four kinds of tokens, Number Token, Predicate Token, Option Token, and Redundant Token, to match the different parts of a sentence. In total we construct 73 decomposition rules for EASYACL, which accept most descriptions that a network engineer may say when configuring an access control list. In addition to the decomposition rules, we also adopt the reassemble rules for interaction purposes. Eliza leverages the reassemble rules in its system for composing interactive responses. Essentially, the reassemble rules are built-in templates from which the natural language feedback is synthesized. There are some dynamically changing parts in the templates which can be replaced by tokens extracted from the input sentences. For instance, if Eliza heard "I love dogs" from a user, it would apply the reassemble rule "What are (Token)" together with the extracted token "dog" and synthesize the response "What are dogs". To generate interactive feedback for command confirmation, we incorporate 73 reassemble rules in the system. To make things simpler, we build such rules in one-to-one correspondence with the decomposition rules, which differs from the original Eliza framework.

Decomposition Rules
    Permit the RDP traffic for port 80
    (Predicate)(Redundant)(Option)(Redundant)(Option)+(Number)
    from IP address 192.168.0.11 to all the others.
    (Predicate)(Option)(Number)(Predicate)(Number)

4.2. Intermediate Representation

As described, we adopt a rule-based method to extract the semantics from the natural language descriptions. An important feature which distinguishes EASYACL is the generation of cross-platform output, currently both the Cisco IOS and Juniper Junos syntaxes. This serves users who operate a very wide range of networking devices, and helps users who may need to convert from one syntax to another, including a user who wants to apply preexisting knowledge of one syntax to learn another or to adapt existing ACL rules. We incorporate an IR (Intermediate Representation) in EASYACL, which is a context-free language as shown in Table 2. It is a superset of the complete sets of Cisco and Juniper commands, which include in total two predicate types (permit, deny). We first extract the semantics from the natural language descriptions and then synthesize the IR commands. The IR commands are then ported to the specific platforms requested by the user.

TABLE 2: Context-free Grammar for ACL language
    command     := command | command command
    command     := type option source destination
    type        := permit | deny
    option      := port | protocol
    source      := ip | range | any
    destination := ip | range | any
    port        := number
    protocol    := TCP | IP | ICMP | ...
    ip          := [0-255].[0-255].[0-255].[0-255] [wildcard]
    range       := ip-ip
    any         := [0.0.0.0-255.255.255.255]

4.3. Rangelist

In practice, engineers commonly complain that router interfaces do not support network ranges. A crucial feature of EASYACL is its ability to handle ranges of IP addresses and network summarizations, and to use them in ACL configuration generation. Depending on the size of the network range and its specific summarization, this often results in the output of several lines of rules. The capability of EASYACL to handle ranges of IP addresses in its interpretation of natural language is hugely beneficial to the user. This feature empowers end-users who have limited computer networking knowledge and would otherwise be thwarted by the need to create summaries.

A concise representation of an IP address range refers to the number of groups used to list the addresses. For example, while the program could simply produce one line, or rather one ACL configuration rule, for each address listed in the range, this is inefficient for the program and tedious for the end-user if he or she needs to add the rules to an access control list. Furthermore, it is important for ACLs to be as concise as possible in order to remain efficient and not exceed the maximum allowed length.

The range handling of EASYACL is contained within the rangelist function. This component takes a range of end-user inputted IP addresses and converts them into appropriately grouped and formatted networks for the synthesis of access control lists. Ranges of IP addresses are most appropriately represented by being both precise and concise. It is important that IP address ranges are precise so that only the specified addresses are included in the synthesized output. In simple terms, this means that if a user enters the address range "192.168.1.0 - 192.168.1.10", the output must only include those addresses, not, for instance, another address in that network's subnet such as "192.168.1.15".

The rangelist function accomplishes the necessary precision and conciseness using Variable Length Subnet Masking (VLSM). The result in the above example would be the summarization of "192.168.1.0 - 192.168.1.10" as "192.168.1.0/29, 192.168.1.8/31, 192.168.1.10/32". In addition to calculating the VLSM summarization of the end-user inputted IP address range, it also calculates the inverse of the subnet mask, and converts the CIDR notation to an ordinary four-byte mask, as required by IOS syntax for access control lists. The result of the rangelist function is an IP address range in a usable format for ACL synthesis. This component can be used to implement many abstract actions in a batch across the desired range of IP addresses.

5. Case Study

Normally, Access Control Lists allow or deny packets according to the source address, destination address, type of packet, or any combination of these requirements. In this section, we perform a case study over practical ACL configurations. To demonstrate the ability to synthesize standard ACL rules and conduct rangelist summaries, we have collected two practical Access Control Lists from the CCNA Lab materials [12]. In addition, we also demonstrate the ability to troubleshoot ACL errors with a practical implementation error.

5.1. Commands Synthesis

We propose EASYACL, a tool that synthesizes ACL rules from natural language descriptions, to lower the entrance bar for the network engineering training process. In this section, we perform the case studies over two examples from CCNA practice. The first example is a standard network permit and the second one has a rangelist.

Example 1. The networks 172.16.0.0/16 and 172.17.0.0/16 should be permitted access, with all others denied.

This example is a standard Access Control List with two permit commands. By providing EASYACL with this natural language description, our tool will understand that only packets from two sources are permitted. Therefore, it will synthesize the IR:

    type: permit
    traffic: ANY
    port: ANY
    source: 172.16.0.0/16 172.17.0.0/16
    destination: ANY

By specifying the Cisco syntax as the target, EASYACL will first interpret the subnet mask as 0.0.255.255 and then generate the commands in Juniper syntax:

    filter 1 {
        term T1 {
            from {
                destination 172.16.0.0 0.0.255.255;
            }
            then {
                permit;
            }
            from {
                destination 172.17.0.0 0.0.255.255;
            }
            then {
                permit;
            }
        }
    }

Example 2. All hosts within the network 192.168.50.0/23 should be denied access, except for hosts 192.168.50.128–255. All other hosts should be permitted access.

This example shows the case of interpreting a rangelist. EASYACL will first extract the semantics from the natural language description, including (1) permit the hosts 192.168.50.128-192.168.50.255; (2) deny the hosts 192.168.50.0/23; (3) permit all others. Therefore, three commands are synthesized:

    # command 1
    type: permit
    traffic: ANY
    port: ANY
    source: 192.168.50.128-192.168.50.255
    destination: ANY
    # command 2
    type: permit
    traffic: ANY
    port: ANY
    source: 192.168.50.0/23
    destination: ANY
    # command 3
    type: permit
    traffic: ANY
    port: ANY
    source: ANY
    destination: ANY

Since there is a rangelist specified by the user in the first command, our system will perform the summary calculation over it. After the calculation, it outputs the following commands in the Cisco syntax:

    access-list 2 permit 192.168.50.128 0.0.1.127
    access-list 2 deny 192.168.50.0 0.0.1.255
    access-list 2 permit any

5.2. Troubleshooting

Troubleshooting is another main motivation for proposing EASYACL. This tool will handle natural language descriptions with no ambiguity and then make interpretations.
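The rangelist summarization of Section 4.3 (greedy VLSM blocks and inverse masks) applied to Example 2, together with a top-down first-match evaluator that verifies the synthesized standard ACL against the description; an added Python example, not the paper's implementation. The IR records (type and source fields only) and the test addresses are constructed for the illustration.

```python
import ipaddress
from ipaddress import IPv4Address, IPv4Network

def rangelist(start, end):
    """Greedy VLSM summary of an inclusive IPv4 range into the fewest CIDR blocks."""
    lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
    if lo > hi:
        raise ValueError(f"range start {start} lies above end {end}")
    blocks = []
    while lo <= hi:
        prefix = 32
        # widen the block while it stays aligned at lo and does not overshoot hi
        while prefix > 0:
            size = 1 << (33 - prefix)
            if lo % size or lo + size - 1 > hi:
                break
            prefix -= 1
        blocks.append(IPv4Network(f"{IPv4Address(lo)}/{prefix}"))
        lo += 1 << (32 - prefix)
    return blocks

def agrees_with_stdlib(start, end):
    """Cross-check against ipaddress.summarize_address_range."""
    return rangelist(start, end) == list(
        ipaddress.summarize_address_range(IPv4Address(start), IPv4Address(end)))

def parse_source(spec):
    """IR source: 'a.b.c.d-e.f.g.h' (a rangelist), 'a.b.c.d/nn', a bare host, or 'any'."""
    if spec == "any":
        return [IPv4Network("0.0.0.0/0")]
    if "-" in spec:
        start, end = (s.strip() for s in spec.split("-", 1))
        return rangelist(start, end)
    return [IPv4Network(spec, strict=False)]

def cisco_standard(ir_commands, acl_number=2):
    """Port IR commands to IOS standard ACL entries; one range may yield several."""
    lines = []
    for cmd in ir_commands:
        for net in parse_source(cmd["source"]):
            if net.prefixlen == 0:
                match = "any"
            elif net.prefixlen == 32:
                match = f"host {net.network_address}"
            else:
                match = f"{net.network_address} {net.hostmask}"  # wildcard = inverse mask
            lines.append(f"access-list {acl_number} {cmd['type']} {match}")
    return lines

def evaluate(lines, address):
    """IOS semantics: entries are tried top-down, first match wins, implicit deny at the end."""
    addr = int(IPv4Address(address))
    for line in lines:
        _, _, action, *match = line.split()
        if match[0] == "any":
            hit = True
        elif match[0] == "host":
            hit = addr == int(IPv4Address(match[1]))
        else:
            base, wildcard = int(IPv4Address(match[0])), int(IPv4Address(match[1]))
            hit = (addr | wildcard) == (base | wildcard)  # wildcard bits are don't-care
        if hit:
            return action
    return "deny"

def check_intent(lines, network, permitted):
    """Every address in network must be permitted iff it lies inside permitted."""
    allowed = IPv4Network(permitted)
    return all((evaluate(lines, str(a)) == "permit") == (a in allowed)
               for a in IPv4Network(network))

# IR of Example 2 (type and source fields), constructed from the description above
EXAMPLE_2 = [
    {"type": "permit", "source": "192.168.50.128-192.168.50.255"},
    {"type": "deny", "source": "192.168.50.0/23"},
    {"type": "permit", "source": "any"},
]

if __name__ == "__main__":
    for entry in cisco_standard(EXAMPLE_2):
        print(entry)
    print("intent enforced:", check_intent(cisco_standard(EXAMPLE_2), "192.168.50.0/23", "192.168.50.128/25"))
```

The exact summary of 192.168.50.128-255 is the single block 192.168.50.128/25, i.e. wildcard 0.0.0.127; the wildcard 0.0.1.127 in the listing above also matches 192.168.51.128-255, which the description wants denied. Reversing the first two entries makes `check_intent` fail, which is the same top-down ordering mistake analysed in Example 3 of Section 5.2.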
Figure 1: Troubleshooting network errors. (Figure placeholder: routers R1, R2 and R3; host 192.168.1.4 on 192.168.1.0/24 and host 192.168.3.6 on 192.168.3.0/24. In response to "Can you show the configured access lists?", R3's access control list reads:)
    Extended IP access list
    1 deny tcp 192.168.1.0 0.0.0.255 any
    2 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
    3 permit ip any any

Therefore, we can leverage this feature for troubleshooting. To be more specific, when we find any error in the network, such as no connectivity, we can describe the requirements in natural language and re-implement the access control list quickly. The problem should be resolved if it is simply an implementation error; otherwise, it is a design problem. In this section, we present an analysis of a practical implementation error [13].

Example 3. The configuration requires: any tcp traffic from hosts 192.168.1.0/8 should be permitted through the telnet port; all ip traffic is permitted.

As shown in Figure 1, there is an error in the access control list implementation: host 192.168.1.4 has no telnet connectivity with 192.168.3.6. It is a common mistake that many network engineers may encounter: because the router processes ACLs from the top down, statement 1 denies host 192.168.1.4, so statement 20 does not get processed. To troubleshoot this problem, we asked a network administrator to try our proposed method.

He tried feeding our system the natural language descriptions one sentence after the other, and EASYACL synthesized the commands:

    1 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
    2 deny tcp 192.168.1.0 0.0.0.255 any
    3 permit ip any any

Comparing the synthesized commands with the original implementation, statements 1 and 2 are reversed. The last line allows all other non-TCP traffic that falls under IP (ICMP, UDP, and so on). The network administrator corrected the implementation right away and called it a helpful tool for network troubleshooting.

6. Discussion

Although tutorial-style training software for network configuration, such as Cisco Packet Tracer [14] and Graphical Network Simulator-3 (GNS3) [15], and the natural language programming of EASYACL are similar, EASYACL has some key advantages. The use of a natural language system is advantageous over training software because it conveys the meaning of concepts in plain language. Tutorials, alternatively, lead the end-user to mimic patterns which provide the desired results, which can be an important intermediate step for learning. However, the end-user cannot learn a programming language if they cannot assign semantics to commands. Without such an understanding, end-users are less able to remember syntax or make adaptations.

In addition to ensuring that the end-user understands the meaning of tasks in a programming language, the use of natural language translation also reduces the time it takes to learn. The casual and conversational dialogue included in EASYACL allows the end-user to transition from English to programming syntax at his or her own pace. Furthermore, because EASYACL responds in both natural language and program syntax, the end-user is always able to refer easily between the two, should they become confused.

Synthesizing programming language from natural language descriptions has been discussed widely. Applications are constructed by researchers for different purposes. PiE [16] is a framework that automatically generates programs from natural language descriptions using a rule-based method. Similar approaches are also presented in Natural Shell [17]; both target tutoring purposes. While natural language translation is largely advantageous over tutorial or training software as a method of programming education, there are some drawbacks of natural translation, as well as some instances where a tutorial model is more effective. If an end-user is not sufficiently attentive, a natural language translation and program synthesis system, such as EASYACL, has the potential to be overly flexible, such that it prohibits learning. For example, if an end-user can use a wide range of natural language commands to synthesize a target program, and he or she is not attentive enough to recognize the associated program syntax, this may inhibit their learning by not directly forcing them to learn the syntax. Because tutorial software most often attempts to mimic real programming scenarios, it does not typically have this issue.

7. Conclusion

In this paper, we developed a system called EASYACL in order to synthesize access control lists from natural language inputs. EASYACL has a simple system architecture in which the user provides a natural language description to Eliza, which replies with an accurate ACL rule and a natural language response to maintain a conversation. EASYACL operates on a rule-based intelligent system, which is capable of receiving ranges of IP addresses, and supports multi-platform outputs, i.e., Cisco and Juniper. We demonstrated the functionalities of EASYACL through three case studies. It was shown that the code can be conveniently modified by even novice programmers to expand functionality, increase the flexibility of users' natural language inputs, or troubleshoot a problematic configuration.
References
[1] R. Shirey, “Internet Security Glossary, Version 2,” Internet Requests
for Comments, RFC Editor, RFC 4949, 2007. [Online]. Available:
https://www.rfc-editor.org/info/rfc4949
[2] D. Caldwell, A. Gilbert, J. Gottlieb, A. Greenberg, G. Hjalmtysson,
and J. Rexford, “The cutting EDGE of IP router configuration,” ACM
SIGCOMM Computer Communication Review, vol. 34, no. 1, pp. 21–
26, 2004.
[3] Y. Bhaiji, Network Security Technologies and Solutions (CCIE Pro-
fessional Development Series). Pearson Education, 2008.
[4] J. Davies, P. Comerford, V. Grout, N. Rvachova, and O. Korkh,
“An investigation into the effect of rule complexity in access
control list,” 2012. [Online]. Available: https://www.khai.edu/csp/
nauchportal/Arhiv/REKS/2012/REKS512/Davies.pdf
[5] S. Gulwani, “Automating string processing in spreadsheets using
input-output examples,” in Proceedings of the 38th Annual ACM
SIGPLAN-SIGACT Symposium on Principles of Programming Lan-
guages, ser. POPL ’11. New York, NY, USA: ACM, 2011, pp.
317–330.
[6] C. Wang, A. Cheung, and R. Bodik, “Synthesizing highly expressive
SQL queries from input-output examples,” in Proceedings of the 38th
ACM SIGPLAN Conference on Programming Language Design and
Implementation. ACM, 2017, pp. 452–466.
[7] O. Bastani, R. Sharma, A. Aiken, and P. Liang, “Synthesizing pro-
gram input grammars,” in Proceedings of the 38th ACM SIGPLAN
Conference on Programming Language Design and Implementation.
ACM, 2017, pp. 95–110.
[8] C. D. Manning and H. Schütze, Foundations of Statistical Natural
Language Processing. MIT Press, 1999.
[9] R. Vlas and W. N. Robinson, “A rule-based natural language tech-
nique for requirements discovery and classification in open-source
software development projects,” in Proceedings of the 44th Hawaii
Int’l Conf. on System Sciences (HICSS), 2011.
[10] A. Ranta, “A multilingual natural-language interface to regular ex-
pressions,” in Proceedings of the International Workshop on Finite
State Methods in Natural Language Processing. Association for
Computational Linguistics, 1998, pp. 79–90.
[11] J. Weizenbaum, “ELIZA—a computer program for the study of
natural language communication between man and machine,” Com-
munications of the ACM, vol. 9, no. 1, pp. 36–45, Jan. 1966.
[12] C. Practice, “Standard ACLs Access Control Lists,” 2014. [Online].
Available: http://www.ccnapractice.com/acls/standard-acls
[13] Orbitco, “What is ACLs Error ? Solutions to ACLs errors Examples,”
2015. [Online]. Available: http://www.orbit-computer-solutions.com/
network-troubleshooting-access-control-lists-errors/
[14] J. Janitor, F. Jakab, and K. Kniewald, “Visual learning tools for
teaching/learning computer networks: Cisco networking academy and
packet tracer,” in Proceedings of the Sixth International Conference
on Networking and Services (ICNS). IEEE, 2010, pp. 351–355.
[15] C. Welsh, GNS3 Network Simulation Guide. Packt Publishing, 2013.
[16] X. Liu and D. Wu, “PiE: Programming in Eliza,” in Proceedings of
the 29th ACM/IEEE International Conference on Automated Software
Engineering. ACM, 2014, pp. 695–700.
[17] X. Liu, Y. Jiang, L. Wu, and D. Wu, “Natural Shell: An assistant
for end-user scripting,” International Journal of People-Oriented
Programming (IJPOP), vol. 5, no. 1, pp. 1–18, 2016.