This invention relates to the field of network analysis, and in particular to a method and system for aggregating traffic flow policy parameters into a set of ranges that facilitate efficient network analysis.
Network analysis has become an important aspect of information technology, whether for evaluating the current state of network health or for predicting future network behavior. The behavior of a network is largely determined by the configuration of each of its network elements. The configuration defines the behavior of the network element for the different types of data traffic that pass through it, and includes, for example, a firewall access control policy, a traffic routing policy, a QoS (Quality of Service) policy, and so on. These policies generally define a distinct behavioral characteristic for each group of related data traffic, such as traffic between particular nodes. The selection criteria include, for example, IP addresses, ports, or particular bits of the data packet.
A comprehensive network analysis requires analysis and verification of the behavior of the network for each combination of the individual traffic flow characteristics. The verification of all combinations of traffic flow characteristics is generally infeasible; for example, IPv4 uses a 32-bit addressing scheme, and the verification of a data flow policy between source and destination IP addresses presents as many as 2^32 × 2^32 unique address pairs for verification. TCP and UDP allow as many as 65,536 ports, further compounding the complexity of evaluating all combinations of traffic flow.
It would be advantageous to segregate the input space of data flow policies into sets of discrete ranges such that the network behavior is the same for all data points within each range. It would be advantageous to minimize the number of discrete ranges in each set to reduce the number of combinations that need to be verified for a given data flow policy.
These advantages, and others, can be realized by a method and system that processes the network configuration to identify each policy and the criteria associated with each policy. Each criterion of the policies is processed to identify a non-overlapping set of ranges, each range being associated with a particular policy or set of policies. In a preferred embodiment, the criteria include the protocol, the source and destination IP addresses, and the source and destination ports, and a minimal set of ranges is defined for each criterion.
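The following is an added illustration of the range aggregation described above; it is not code from the patent itself. It assumes a hypothetical, constructed rule set in which each rule's criterion is an inclusive integer interval (destination ports, and source IPv4 addresses converted from CIDR notation to integer bounds). All rule starts and ends become cut points, the elementary ranges between cut points are labelled with the set of rules covering them, adjacent ranges with identical labels are merged so the set is minimal, and the number of verification cases across several criteria is the product of the range counts. The names `partition`, `representatives`, `verification_cases` and the rule identifiers are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from functools import reduce
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Range:
    lo: int
    hi: int
    policies: FrozenSet[str]  # rule ids whose criterion covers every value in [lo, hi]


def partition(rules: Dict[str, Tuple[int, int]],
              domain: Tuple[int, int] = (0, 65535)) -> List[Range]:
    """Split `domain` into the minimal set of non-overlapping ranges such that
    the set of matching rules is identical for every value inside a range."""
    d_lo, d_hi = domain
    # Clamp rules to the domain; a rule entirely outside it contributes nothing.
    clamped = {rid: (max(lo, d_lo), min(hi, d_hi))
               for rid, (lo, hi) in rules.items() if lo <= d_hi and hi >= d_lo}
    # Every rule start, and the position just past every rule end, is a cut point.
    cuts = {d_lo, d_hi + 1}
    for lo, hi in clamped.values():
        cuts.add(lo)
        cuts.add(hi + 1)
    ordered = sorted(cuts)
    elementary: List[Range] = []
    for start, nxt in zip(ordered, ordered[1:]):
        lo, hi = start, nxt - 1
        matching = frozenset(rid for rid, (rlo, rhi) in clamped.items()
                             if rlo <= lo and hi <= rhi)
        elementary.append(Range(lo, hi, matching))
    # Merge neighbours with identical policy sets so the result is minimal.
    merged: List[Range] = []
    for r in elementary:
        if merged and merged[-1].policies == r.policies:
            merged[-1] = Range(merged[-1].lo, r.hi, r.policies)
        else:
            merged.append(r)
    return merged


def representatives(ranges: List[Range]) -> List[int]:
    """One sample value per range: verifying these covers the whole domain."""
    return [r.lo for r in ranges]


def verification_cases(*range_sets: List[Range]) -> int:
    """Number of combinations to verify across several independent criteria."""
    return reduce(lambda acc, rs: acc * len(rs), range_sets, 1)


def cidr_to_range(cidr: str) -> Tuple[int, int]:
    """Integer bounds of an IPv4 network, so addresses use the same machinery as ports."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


# Constructed sample rules (hypothetical), one criterion each.
PORT_RULES: Dict[str, Tuple[int, int]] = {
    "allow-web": (80, 80),
    "allow-tls": (443, 443),
    "deny-legacy": (1, 1023),
    "allow-ephemeral": (1024, 65535),
}
SRC_IP_RULES: Dict[str, Tuple[int, int]] = {
    "trust-corp": cidr_to_range("10.0.0.0/8"),
    "trust-dmz": cidr_to_range("10.1.0.0/16"),
}
IPV4_DOMAIN = (0, 2 ** 32 - 1)


if __name__ == "__main__":
    port_ranges = partition(PORT_RULES)
    ip_ranges = partition(SRC_IP_RULES, IPV4_DOMAIN)
    for r in port_ranges:
        print(f"ports {r.lo}-{r.hi}: {sorted(r.policies)}")
    for r in ip_ranges:
        print(f"src {ipaddress.ip_address(r.lo)}-{ipaddress.ip_address(r.hi)}: {sorted(r.policies)}")
    print("cases to verify:", verification_cases(ip_ranges, port_ranges))
```

With these sample rules the port criterion collapses from 65,536 values to 7 ranges and the source address criterion from 2^32 values to 5, so the two-criterion verification needs 35 cases; the representative of each range stands in for every value inside it because, by construction, the same rules apply throughout the range.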
Throughout the drawings, the same reference numerals indicate similar or corresponding features or functions. The drawings are included for illustrative purposes and are not intended to limit the scope of the invention.