Path analysis

Definition of a Path

A network engineer determines whether a particular host can connect to another by logging into the first host, initiating a connection to the second host, and observing success or failure. To determine all possible connections one might emulate the engineer by testing every possible pair of source and destination IP addresses, but this would be inefficient. Many pairs, however, are treated in exactly the same way: they follow the same routes, have the same NAT rules applied, and are admitted by the same firewall rules. NP-View takes advantage of this common treatment.

NP-View works with a data structure called a path, which has the same attributes as an IP packet. The source of a path is a set of contiguous IP addresses (often a CIDR block, but possibly an arbitrary range) and a contiguous range of port numbers (possibly the whole range). Likewise, the path destination is a set of contiguous IP addresses and a contiguous range of port numbers. Finally, a path carries a set of protocol identifiers.

The fundamental component of NP-View path analysis is to create a path that represents all flows originating in one network and terminating in another, inject it into the network at the source network, and push it through, finding all related paths that derive from it. As a path is pushed along, it may fragment into multiple related paths as a result of routing (because different destination addresses may be routed through different interfaces), NAT, and access control filtering. Paths that reach the destination describe permitted connections.
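The following is an added illustration of the push-and-fragment idea, not NP-View's own code or data model. It models a path with the attributes listed above, injects one path into a single hypothetical gateway, fragments it by longest-prefix routing, and then fragments each piece again against a first-match access list on the egress interface. Two simplifications are assumed: address ranges are CIDR blocks only (NP-View also allows arbitrary ranges), and NAT is not modelled. The routing table, interface names and rules are constructed sample data.

```python
"""Toy path analysis: inject a path, fragment it through routing and ACL filtering."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

Ports = Tuple[int, int]  # inclusive port range


@dataclass(frozen=True)
class Path:
    """Same attributes as an IP packet, but each field is a range/set rather than a value."""
    src: IPv4Network
    src_ports: Ports
    dst: IPv4Network
    dst_ports: Ports
    protocols: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """One access-list entry (hypothetical format): matches on destination, port and protocol."""
    action: str  # "permit" or "deny"
    dst: IPv4Network
    dst_ports: Ports
    protocols: FrozenSet[str]


def net_intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None


def net_exclude(a: IPv4Network, b: IPv4Network) -> List[IPv4Network]:
    """a minus b, as a list of CIDR blocks (possibly empty)."""
    if a.subnet_of(b):
        return []
    return list(a.address_exclude(b)) if b.subnet_of(a) else [a]


def port_intersect(a: Ports, b: Ports) -> Optional[Ports]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def port_exclude(a: Ports, b: Ports) -> List[Ports]:
    """a minus b: at most two ranges (below and above the overlap)."""
    inter = port_intersect(a, b)
    if inter is None:
        return [a]
    out = []
    if a[0] < inter[0]:
        out.append((a[0], inter[0] - 1))
    if inter[1] < a[1]:
        out.append((inter[1] + 1, a[1]))
    return out


def apply_rule(path: Path, rule: Rule) -> Tuple[Optional[Path], List[Path]]:
    """Split a path into the fragment the rule matches and the fragments it does not."""
    dst = net_intersect(path.dst, rule.dst)
    ports = port_intersect(path.dst_ports, rule.dst_ports)
    protos = path.protocols & rule.protocols
    if dst is None or ports is None or not protos:
        return None, [path]
    matched = replace(path, dst=dst, dst_ports=ports, protocols=protos)
    # Remainder of a box minus a box: slice off one dimension at a time.
    rest = [replace(path, dst=d) for d in net_exclude(path.dst, rule.dst)]
    rest += [replace(path, dst=dst, dst_ports=p) for p in port_exclude(path.dst_ports, rule.dst_ports)]
    if path.protocols - rule.protocols:
        rest.append(replace(path, dst=dst, dst_ports=ports, protocols=path.protocols - rule.protocols))
    return matched, rest


def filter_paths(path: Path, acl: List[Rule]) -> List[Path]:
    """First-match ACL with implicit deny; returns only the permitted fragments."""
    permitted, pending = [], [path]
    for rule in acl:
        next_pending = []
        for p in pending:
            matched, rest = apply_rule(p, rule)
            if matched is not None and rule.action == "permit":
                permitted.append(matched)
            next_pending.extend(rest)  # unmatched fragments fall through to the next rule
        pending = next_pending
    return permitted


def route_paths(path: Path, routes: List[Tuple[IPv4Network, str]]) -> List[Tuple[str, Path]]:
    """Longest-prefix routing: returns (egress interface, fragment). Unroutable pieces are dropped."""
    out, pending = [], [path.dst]
    for prefix, iface in sorted(routes, key=lambda r: r[0].prefixlen, reverse=True):
        next_pending = []
        for piece in pending:
            hit = net_intersect(piece, prefix)
            if hit is None:
                next_pending.append(piece)
                continue
            out.append((iface, replace(path, dst=hit)))
            next_pending.extend(net_exclude(piece, prefix))
        pending = next_pending
    return out


def analyze(path: Path, routes, acls: Dict[str, List[Rule]]) -> List[Tuple[str, Path]]:
    """Push one injected path through a gateway: route first, then filter on the egress interface."""
    return [(iface, p) for iface, frag in route_paths(path, routes)
            for p in filter_paths(frag, acls.get(iface, []))]


# Constructed sample gateway: three interfaces, one ACL each.
ROUTES = [(ip_network("0.0.0.0/0"), "outside"),
          (ip_network("10.1.0.0/16"), "dmz"),
          (ip_network("10.1.5.0/24"), "mgmt")]
ANY = frozenset({"tcp", "udp", "icmp"})
ACLS = {
    "dmz": [Rule("permit", ip_network("10.1.0.0/16"), (443, 443), frozenset({"tcp"})),
            Rule("deny", ip_network("0.0.0.0/0"), (0, 65535), ANY)],
    "mgmt": [Rule("permit", ip_network("10.1.5.0/24"), (22, 22), frozenset({"tcp"}))],
    "outside": [Rule("permit", ip_network("0.0.0.0/0"), (0, 65535), frozenset({"tcp", "udp"}))],
}


def demo() -> List[Tuple[str, Path]]:
    """All flows from 192.168.0.0/24 to 10.1.0.0/16, any port, TCP or UDP."""
    injected = Path(ip_network("192.168.0.0/24"), (0, 65535),
                    ip_network("10.1.0.0/16"), (0, 65535), frozenset({"tcp", "udp"}))
    return analyze(injected, ROUTES, ACLS)


if __name__ == "__main__":
    for iface, p in demo():
        print(iface, p.dst, p.dst_ports, sorted(p.protocols))
```

The single injected path fragments into nine permitted paths: the /24 carved out by the more specific route exits on `mgmt` and survives only as TCP/22, while the remaining 65280 addresses exit on `dmz` as eight CIDR pieces, each narrowed to TCP/443 by the first rule; everything else is caught by the explicit deny or the implicit deny at the end of the list.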

Path Analysis

Each path analysis starts by identifying all possible source networks of interest, and all possible destination networks of interest. Different analysis options affect the selection of these sets. The networks are identified from references to them in the configuration files, for example in interface definitions, group definitions, and access control rules.

Networks and hosts that are referenced within the configuration are the most important. These are found within the model either at the visual level (when primary) or attached as peers to gateways. A full analysis identifies all flows between these known networks and hosts. It is also possible to include analysis in which the source and/or destination of flows lies in IP address space that is not explicitly referenced in the model: an extended analysis includes such external sources and destinations.

Networks and hosts that are referenced in the configuration but have no identifiable home in the network are associated as peers with the Unmapped gateway. Access to these and to all external hosts and networks is assumed to go through gateways which have been identified as border gateways. Paths involving a network or host attached to Unmapped have their endpoints in the border gateway, with a peer designation of Unmapped or Internet depending on whether the address is known to the configuration or not.