Year
2004
Type
Report
Title
Understanding the true effect of IP access control lists
Abstract
Packet-level access to IP networks is typically restricted by access control lists (ACLs) configured on components such as routers, firewalls, or switches. However, real-world ACLs are often poorly structured, and their true overall effect is hard to grasp, even for the expert. In this paper, we present a method for the analysis of ACLs based on the computation of the whiteset and blackset implied by an ACL specification. We illustrate our approach in the context of Cisco IOS. We discuss different applications of our analysis technique, such as finding redundancies and contradictions hidden in an ACL, verifying its global accept/reject properties, or selectively presenting its effects only for focused subsets of IP packets. We analyze the theoretical and practical complexity of the proposed technique and conclude that it is tractable in practice. Our method has been implemented as a part of CROCODILE, a security checker tool for IOS router configurations. This application demonstrates the viability as well as the practical usefulness of our approach.
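The whiteset/blackset idea from the abstract, as an added illustration that is not code from the paper or from CROCODILE: the whiteset is every packet the ACL permits, the blackset every packet it denies, and a rule that adds nothing to either set is dead (redundant if earlier rules already decide the same way, a contradiction if an earlier rule decides the opposite). The example is restricted to Cisco IOS standard ACLs (source address only, first match wins, implicit deny at the end) with contiguous wildcard masks, so each rule is one address range; the sample ACL is constructed.

```python
import ipaddress
# Constructed sample Cisco IOS standard ACL (first match wins, implicit deny at the end)
SAMPLE_ACL = """
access-list 10 deny   10.1.2.0    0.0.0.255
access-list 10 permit 10.1.0.0    0.0.255.255
access-list 10 permit 10.1.3.0    0.0.0.255
access-list 10 deny   192.168.0.0 0.0.255.255
access-list 10 permit 192.168.5.0 0.0.0.255
"""
def parse_acl(text):
    # each rule becomes (action, (lo, hi)); a set wildcard bit means "don't care"
    rules = []
    for line in text.strip().splitlines():
        _, _, action, addr, wild = line.split()
        w = int(ipaddress.IPv4Address(wild))
        if (w + 1) & w:                      # only a contiguous mask maps to one range
            raise ValueError(f"non-contiguous wildcard mask: {wild}")
        base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
        rules.append((action, (base, base | w)))
    return rules

def subtract(ranges, cut):
    # remove the inclusive range `cut` from a list of disjoint inclusive ranges
    clo, chi, out = cut[0], cut[1], []
    for lo, hi in ranges:
        if hi < clo or lo > chi:
            out.append((lo, hi))
            continue
        if lo < clo:
            out.append((lo, clo - 1))
        if hi > chi:
            out.append((chi + 1, hi))
    return out

def analyze(rules):
    # whiteset/blackset as disjoint ranges, plus rules that decide no packet at all
    white, black, covered, shadowed = [], [], [], []
    for idx, (action, rng) in enumerate(rules):
        contrib = [rng]                      # packets this rule is the first to match
        for c in covered:
            contrib = subtract(contrib, c)
        if not contrib:
            earlier = {a for a, r in rules[:idx] if r[0] <= rng[1] and rng[0] <= r[1]}
            shadowed.append((idx, "redundant" if earlier == {action} else "contradiction"))
        (white if action == "permit" else black).extend(contrib)
        covered.append(rng)
    rest = [(0, 0xFFFFFFFF)]                 # implicit 'deny any' closing every IOS ACL
    for c in covered:
        rest = subtract(rest, c)
    return white, black + rest, shadowed
```

For the sample, `analyze(parse_acl(SAMPLE_ACL))` reports rule 3 as redundant (already permitted by rule 2) and rule 5 as a contradiction (already denied by rule 4), and the two sets partition the whole IPv4 space.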
Publishing Place
Kaiserslautern