Fast and Scalable ACL Policy Solving Under Complex Constraints With Graph Neural Networks

Abstract

Network operators often need to modify Access Control List (ACL) policies to align with to network upgrades. An essential part of the ACL update task is reachability satisfaction. Previous studies formalize reachability requirements as a set of constraints and then use Boolean Satisfiability (SAT) or Satisfiability Modulo Theories (SMT) solvers to search for solutions. However, as today’s networks grow in size and complexity, the constraints derived from the requirements become increasingly complex, leading to an unacceptable time cost to obtain a correct policy. The sluggish updating of ACL policies can affect the properties of a network, such as connectivity and security. This paper presents a novel approach for fast and scalable ACL policy synthesis under complex constraints. We utilize Graph Neural Networks (GNNs) to learn the relations between nodes and reason the solution that satisfies the update requirements. We further integrate global position encoding into the GNN architecture, which allows for better differentiation of nodes in ACL update tasks. Additionally, an enhanced stochastic local search solver is introduced to address incorrect predictions made by the GNN. Experiments on real-world topologies show that GNN saves up $278\times $ time costs compared to advanced SAT/SMT solvers on a 125-node network, and this advantage expands with the network size. Furthermore, our model extrapolates well when faced with different requirements and topologies, demonstrating its ability to handle frequent network upgrades.