Abstract: A first controller in a distributed network obtains, concurrently with a second controller in the distributed network, a system requirement and a message from a logical bus. The first controller and the second controller are communicatively coupled to the logical bus, and the first controller is communicatively coupled to a first portion of the network components and the second controller is communicatively coupled to a second portion. A processor associated with the first controller solves, concurrently with the second controller, the system requirement and the solving includes applying a solver to generate new configurations of the network components. The new configurations generated by the first controller are identical to the new configurations generated by the second controller. The first controller extracts configurations relevant to the first portion of the network components and applies the configurations to the first portion of the network components.

Abstract: A method, computer system, and computer program product include identifying, by one or more processors, a node in a network, where the node includes an incorrect configuration, where the incorrect configuration is a configuration utilized by a first communications protocol for communication with the node, and where the node includes another configuration utilized by a second communications protocol, for communication with the node. The one or more processors utilize the second communications protocol and the other configuration to access the node over the network and reconfigure the node to update the incorrect configuration to a new configuration.

Abstract: A method, system, and computer program product configure elements of a hybrid network. The method may include a processor obtaining at a first controller communicatively coupled to components of a hybrid network, a requirement for the hybrid network; the components include a first component type and a second component type. After obtaining the requirement, the processor generates a plan to configure a component of the first component type and a component of the second component type. The processor configures the component of the first component type according to a first portion of the plan by utilizing a security protocol over an unsecured connection. The processor configures the component of the second component type according to a second portion of the plan by transmitting this portion to a controller of components of the second component type in the hybrid network. The controller configures the component upon receipt of the portion.

Abstract: In a method, computer system, and computer program product include for re-configuring a network, program code identifies relationships between nodes on a network, where each relationship of the relationships includes a first node running a routing protocol and a second node running the routing protocol, where the first node and the second node are physically connected, and where the nodes include at least one controller and a plurality of routers. The program code performs, starting at the at least one controller a reverse breadth search of the relationships to determine for each router, a number of relationships comprising a path from the controller to the router. The program code, for example, program code that is executed on the at least one controller, reconfigures the routers in descending order of magnitude of the number of relationships comprising the path from each router of the plurality of routers to the controller.

Abstract: A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving.

Abstract: A method, computer system, and computer program product include identifying, by one or more processors, a node in a network, where the node includes an incorrect configuration, where the incorrect configuration is a configuration utilized by a first communications protocol for communication with the node, and where the node includes another configuration utilized by a second communications protocol, for communication with the node. The one or more processors utilize the second communications protocol and the other configuration to access the node over the network and reconfigure the node to update the incorrect configuration to a new configuration.

Abstract: In a method, computer system, and computer program product include for re-configuring a network, program code identifies relationships between nodes on a network, where each relationship of the relationships includes a first node running a routing protocol and a second node running the routing protocol, where the first node and the second node are physically connected, and where the nodes include at least one controller and a plurality of routers. The program code performs, starting at the at least one controller a reverse breadth search of the relationships to determine for each router, a number of relationships comprising a path from the controller to the router. The program code, for example, program code that is executed on the at least one controller, reconfigures the routers in descending order of magnitude of the number of relationships comprising the path from each router of the plurality of routers to the controller.

Abstract: A method, system, and computer program product configure elements of a hybrid network. The method may include a processor obtaining at a first controller communicatively coupled to components of a hybrid network, a requirement for the hybrid network; the components include a first component type and a second component type. After obtaining the requirement, the processor generates a plan to configure a component of the first component type and a component of the second component type. The processor configures the component of the first component type according to a first portion of the plan by utilizing a security protocol over an unsecured connection. The processor configures the component of the second component type according to a second portion of the plan by transmitting this portion to a controller of components of the second component type in the hybrid network. The controller configures the component upon receipt of the portion.

Abstract: A first controller in a distributed network obtains, concurrently with a second controller in the distributed network, a system requirement and a message from a logical bus. The first controller and the second controller are communicatively coupled to the logical bus, and the first controller is communicatively coupled to a first portion of the network components and the second controller is communicatively coupled to a second portion. A processor associated with the first controller solves, concurrently with the second controller, the system requirement and the solving includes applying a solver to generate new configurations of the network components. The new configurations generated by the first controller are identical to the new configurations generated by the second controller. The first controller extracts configurations relevant to the first portion of the network components and applies the configurations to the first portion of the network components.

Abstract: There is set forth herein in on embodiment a method wherein configurations are changed. In one embodiment, configurations are changed in such a way that end-to-end requirements continue to be satisfied, the change is at minimum cost, and that at least one variable from a critical set of variables is changed.

Abstract: A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving.

Abstract: A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving.

Abstract: A method for solving the reconfiguration planning problem transforms the requirement that an invariant is always preserved into a constraint on the times at which the configuration parameters change. The method then solves this constraint to obtain the required reconfiguration plan. When this constraint is strengthened with a synthesis constraint, it is ensured that any final configuration that is computed is also reachable. An extension of the method allows parameters to take on multiple intermediate values.

Abstract: Changing a network configuration to restore compliance to one requirement may invalidate the network compliance with another requirement. A method changes a configuration to restore compliance to all requirements at minimum cost. The requirements are a hybrid of symbolic, arithmetic and bit-vector constraints, so traditional optimization techniques such as linear programming, that work only for purely arithmetic constraints, do not apply. The requirements are represented as SMT (satisfiability-modulo-theory) constraints on configuration variables, and then a weighted Max-SAT solver is used to compute the optimal configuration changes in order to minimize the cost.

Abstract: A method is provided for analyzing the semantic content of network configuration files, comprising the steps of accessing configuration files associated with corresponding network components, the files containing commands that define the configuration of those components; transforming the commands into a structural database based, at least in part, on a non-grammatical analysis of the commands, wherein the structure of the commands is represented as the structural database; and constructing a semantic database of the configuration files by querying the structural database.

Abstract: Changing a network configuration to restore compliance to one requirement may invalidate the network compliance with another requirement. A method changes a configuration to restore compliance to all requirements at minimum cost. The requirements are a hybrid of symbolic, arithmetic and bit-vector constraints, so traditional optimization techniques such as linear programming, that work only for purely arithmetic constraints, do not apply. The requirements are represented as SMT (satisfiability-modulo-theory) constraints on configuration variables, and then a weighted Max-SAT solver is used to compute the optimal configuration changes in order to minimize the cost.

Abstract: A system and method provides a solution to the problem of applying end-to-end requirements of connectivity, security, reliability and performance to configure a network and ultimately assign network components to the network. All requirements are modeled as constraints and a constraint solver does the resolution. Not every constraint to be solved is solved by the model-finder. Instead, we “factor away” subsets of a constraint that can be efficiently solved via a special-purpose constraint solver, such as an SQL/Prolog engine, linear programming system, or even an algorithm, leaving behind a constraint that truly requires the power of model-finding, and that is often efficiently solvable by existing model-finders. Such constraints are compiled into quantifier-free constraints that are Boolean combinations of constraints of two forms x=y and x=c where x, y are variables and c is a constant. Such constraints can be efficiently solved by modern SAT-based model-finders.

Abstract: A method for solving the reconfiguration planning problem transforms the requirement that an invariant is always preserved into a constraint on the times at which the configuration parameters change. The method then solves this constraint to obtain the required reconfiguration plan. When this constraint is strengthened with a synthesis constraint, it is ensured that any final configuration that is computed is also reachable. An extension of the method allows parameters to take on multiple intermediate values.

Abstract: A method is provided for analyzing the semantic content of network configuration files, comprising the steps of accessing configuration files associated with corresponding network components, the files containing commands that define the configuration of those components; transforming the commands into a structural database based, at least in part, on a non-grammatical analysis of the commands, wherein the structure of the commands is represented as the structural database; and constructing a semantic database of the configuration files by querying the structural database.

Abstract: A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving.