SAT Applications Tutorialplus a pinch of Margrave

Tim NelsonShriram Krishnamurthi

Brown University1

hostname simple

interface outsideip address 10.1.1.1 255.255.255.0

interface insideip access-group 102 inip address 192.168.1.1 255.255.0.0

access-list 102 permit tcp any any eq 80access-list 102 deny ip 192.168.4.0 0.0.0.255 any anyaccess-list 102 permit tcp any host 10.1.1.3access-list 102 deny any

ip route 0.0.0.0 0.0.0.0 10.1.1.2

2

simple outsideinside192.168.1.1/24 10.1.1.1/24

access-list 102 permit tcp any any eq 80access-list 102 deny ip 192.168.4.0 0.0.0.255 any anyaccess-list 102 permit tcp any host 10.1.1.3access-list 102 deny any

3

simple outsideinside192.168.1.1/24 10.1.1.1/24

allow(p) ↔(p.proto = tcp and p.tcpDst = 80) or(p.proto = tcp and p.ipDst = 10.1.1.3

and not (p.ipSrc in 192.168.4.0/24))

interface outsideip address 10.1.1.1 255.255.255.0

interface insideip access-group 102 inip address 192.168.1.1 255.255.0.0

4

simple outsideinside192.168.1.1/24 10.1.1.1/24

output(nexthop,o) ↔(nexthop in 10.1.1.0/24 and o = outside)

or(nexthop in 192.168.0.0/16 and o =

inside)

ip route 0.0.0.0 0.0.0.0 10.1.1.2

5

simple outsideinside192.168.1.1/24 10.1.1.1/24

route(p,nexthop) ↔ (nexthop = p.ipDst and (p.dlDst IN 10.1.1.0/24 or p.dlDst IN 192.168.0.0/16)) or (nexthop = 10.1.1.2 and not (p.dlDst IN 10.1.1.0/24 or p.dlDst IN 192.168.0.0/16))

6

output(nexthop,o)

route(p,nexthop)allow(p)

…

7

output(nexthop,o)

route(p,nexthop)allow(p)nat(p, p’)

router-pass(p, p’)

8

“Reasonable facts” as variables

p.ipSrc in 10.1.1.0/24

p.tcpsrc in 10.1.1.0/24

Constraints

(p.ipSrc in 10.1.1.0/24→

p.ipSrc in 10.1.0.0/16)

9

x(not x) or y

y or (not x) or z(not q)

andandand

Clause ::= (±x1 or … or ±xn)

(not y)

10

What about state?

access-list 102 permit tcp any any eq 80access-list 102 deny ip 192.168.4.0 0.0.0.255 any anyaccess-list 102 permit tcp any host 10.1.1.3 access-list 102 deny any

11

simple outsideinside192.168.1.1/24 10.1.1.1/24

allow(p) ↔(p.proto = tcp and p.tcpDst = 80) or(p.proto = tcp and p.ipDst = 10.1.1.3

and not (p.ipSrc in 192.168.4.0/24))or reflexiveReturn(p.ipSrc, p.ipDst, “web”)

reflect web

Stateful Firewall

access-list 102 permit tcp any any eq 80access-list 102 deny ip 192.168.4.0 0.0.0.255 any anyaccess-list 102 permit tcp any host 10.1.1.3 access-list 102 deny any

12

simple outsideinside192.168.1.1/24 10.1.1.1/24

plus_reflexiveReturn(p.ipSrc, p.ipDst) ↔ (p.proto = tcp and p.tcpDst = 80)

reflect web

13

plus_nat(p.ipSrc, p.tcpSrc, next) ↔p.proto = tcp and not nat(p.ipsrc, p.tcpSrc, ANY)

Is the translation reversed at outside gateway?

all p | p.locPt = outside and p.ipdst =

gateway_addrand nat(oldip, oldpt, p.tcpDst) and

forward(p, p’) → (p’.tcpDst = oldpt and p’.ipdst = oldip)