Astragalus: Automatic Configuration Repair for Production Networks
pith:YGZD4MHJreviewed 2026-06-30 16:33 UTCmodel grok-4.3open to challenge →
The pith
A syntax-driven localize-fix-validate loop repairs network configuration errors by generating and checking candidates drawn from the existing repository.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Astragalus applies multiple rounds of localization, candidate generation from the repository, and validation to produce repairs. It repairs every injected incident across synthesized networks of varying sizes and 97.5 percent of incidents on a real network when 15 error types are introduced, all within an average of 6.93 seconds. The same method supplied valid repairs for seven recent production incidents or undesired changes on a network of thousands of devices, each completed in under six minutes.
What carries the argument
The localize-fix-validate pipeline that repeatedly generates syntactically valid candidate updates from the configuration repository and checks them for correctness.
If this is right
- Repair time remains low even as network size grows from hundreds to thousands of devices.
- The same error-injection suite of 15 types can be repaired at high success rates on both synthetic and real configurations.
- Production incidents can be addressed in minutes rather than requiring manual diagnosis.
- No construction or solution of full SMT-based semantic constraints is required for the repairs shown.
Where Pith is reading between the lines
- The approach may extend to other configuration domains that maintain large repositories of prior valid settings.
- Validation could be strengthened by lightweight checks that still avoid full semantic modeling.
- Repository coverage becomes the practical limit on repair success once the pipeline runs efficiently.
Load-bearing premise
Syntactically valid updates taken from the existing repository are sufficient to include a correct repair for the encountered error.
What would settle it
A network incident for which no syntactically valid candidate update from the repository restores the intended behavior.
Figures
read the original abstract
Network configurations are prone to errors, which can lead to catastrophic service outages. A tool that can achieve automatic configuration repair (ACR) is highly desired by operators. Existing tools for ACR follow a \textit{semantics-driven approach}: they model network semantics as a set of SMT constraints, and solve them for a location or fix of the error. Due to the complex semantics of networks, constructing and solving these constraints can be prohibitively expensive, making these tools neither general nor scalable. Inspired by automatic program repair (APR), we explore another direction, i.e., a \textit{syntax-driven approach}, which generates and validates syntactically-valid candidate updates without modeling program semantics, often drawing on existing code in the same repository. Following this direction, we propose Astragalus, a syntax-driven method for ACR. It uses multiple iterations of a "localize-fix-validate" pipeline to search for repairs, and proves quite effective on configurations of our production network. Specifically, we show that Astragalus can repair every incident in multiple sizes of a synthesized network, and 97.5% of the incidents on a real network, both with 15 types of errors injected, within an average time of 6.93 seconds. It has also provided valid repairs in under 6 minutes for 7 recent network incidents or undesired changes, in a real production network with O(1,000)~O(10,000) devices.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. Astragalus presents a syntax-driven approach to automatic configuration repair (ACR) for production networks, using an iterative localize-fix-validate pipeline that generates candidate updates from syntactic patterns and the existing configuration repository without constructing SMT-based semantic models. The paper claims this repairs every incident across multiple sizes of a synthesized network and 97.5% of incidents on a real network (both with 15 injected error types) in an average of 6.93 seconds, plus valid repairs for 7 recent production incidents in under 6 minutes on a network with O(1,000)–O(10,000) devices.
Significance. If the validation step reliably ensures behavioral correctness, the work would be significant as a scalable alternative to semantics-driven ACR tools, which the paper argues are too expensive for large networks. The empirical results on both synthetic and real production configurations, plus the explicit avoidance of full semantic modeling, would represent a practical advance if the evaluation methodology supports the claims.
major comments (2)
- [Abstract and Evaluation] Abstract and Evaluation: The reported success rates (100% on synthetic, 97.5% on real) and average repair time of 6.93s are presented without any description of how the 15 error types were injected, how candidate repairs were validated as correct (beyond syntactic validity), or what failure cases occurred; this directly affects whether the localize-fix-validate loop can be assessed as producing behaviorally safe repairs.
- [Validation procedure (likely §4 or §5)] Validation procedure (likely §4 or §5): The central claim depends on the validate step detecting behavioral equivalence or safety using only syntactic patterns and limited tests from the repository; without a semantic model, it is unclear what concrete checks (e.g., reachability, ACL, convergence) are performed, leaving open the possibility that syntactically valid edits alter forwarding behavior undetected.
minor comments (1)
- [Abstract] The abstract and introduction would benefit from a brief forward reference to the exact validation criteria used in the localize-fix-validate loop.
Simulated Author's Rebuttal
We thank the referee for the constructive comments on the abstract, evaluation methodology, and validation procedure. We address each point below and will revise the manuscript to improve clarity and transparency without altering the core syntax-driven design.
read point-by-point responses
-
Referee: [Abstract and Evaluation] Abstract and Evaluation: The reported success rates (100% on synthetic, 97.5% on real) and average repair time of 6.93s are presented without any description of how the 15 error types were injected, how candidate repairs were validated as correct (beyond syntactic validity), or what failure cases occurred; this directly affects whether the localize-fix-validate loop can be assessed as producing behaviorally safe repairs.
Authors: We agree that additional details are required. The 15 error types were derived from common production incidents (e.g., ACL misconfigurations, route advertisement errors, interface mismatches) and injected by mutating existing configuration files according to syntactic templates observed in the repository. Validation of repairs combines syntactic pattern matching against the repository with execution of a curated set of test configurations drawn from the same repository. The 2.5% unrepaired cases on the real network involved interdependent errors spanning multiple devices that exceeded the single-iteration localization scope. In the revised manuscript we will expand §4 and §5 with a dedicated subsection describing the injection process, the exact validation checks, and the failure cases with examples. revision: yes
-
Referee: [Validation procedure (likely §4 or §5)] Validation procedure (likely §4 or §5): The central claim depends on the validate step detecting behavioral equivalence or safety using only syntactic patterns and limited tests from the repository; without a semantic model, it is unclear what concrete checks (e.g., reachability, ACL, convergence) are performed, leaving open the possibility that syntactically valid edits alter forwarding behavior undetected.
Authors: The validate step is deliberately limited to syntactic pattern matching (ensuring the candidate matches valid repository examples) plus execution of a small set of repository-derived test cases that exercise basic forwarding and ACL consistency. No reachability, convergence, or full semantic checks are performed, as these would require the SMT modeling the paper seeks to avoid for scalability. We acknowledge this creates a genuine risk of undetected behavioral changes. The revision will (1) explicitly enumerate the concrete syntactic and test-based checks in §4, (2) add a limitations paragraph discussing the absence of semantic guarantees, and (3) note that empirical success on seven recent production incidents provides practical evidence despite the limitation. revision: yes
Circularity Check
No circularity; empirical success rates are direct measurements on injected errors and real incidents.
full rationale
The paper reports measured repair success (100% on synthesized networks, 97.5% on real network with 15 error types, plus 7 production incidents) as outcomes of running the localize-fix-validate pipeline. No equations, fitted parameters, or self-citations are used to derive these rates; they are presented as experimental results. The central claim does not reduce to any input by construction, and the approach is self-contained against external benchmarks (injected errors and operator-validated production cases).
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption Syntactically valid candidate updates drawn from the existing configuration repository can be validated as correct without full network semantics
Reference graph
Works this paper leans on
-
[1]
Tiramisu: Fast and General Network Verification
Anubhavnidhi Abhashkumar, Aaron Gember-Jacobson, and Aditya Akella. Tiramisu: Fast and general network verification.arXiv preprint arXiv:1906.02043, 2019
work page internal anchor Pith review Pith/arXiv arXiv 1906
-
[2]
Aed: Incrementally synthesizing policy-compliant and manage- able configurations
Anubhavnidhi Abhashkumar, Aaron Gember-Jacobson, and Aditya Akella. Aed: Incrementally synthesizing policy-compliant and manage- able configurations. InProceedings of the 16th International Conference on emerging Networking EXperiments and Technologies, pages 482–495, 2020
2020
-
[3]
On the ac- curacy of spectrum-based fault localization
Rui Abreu, Peter Zoeteweij, and Arjan JC Van Gemund. On the ac- curacy of spectrum-based fault localization. InTesting: Academic and industrial conference practice and research techniques-MUTATION (TAICPART-MUTATION 2007), pages 89–98. IEEE, 2007
2007
-
[4]
Fault-localization tech- niques for software systems: A literature review.ACM SIGSOFT Soft- ware Engineering Notes, 39(5):1–8, 2014
Pragya Agarwal and Arun Prakash Agrawal. Fault-localization tech- niques for software systems: A literature review.ACM SIGSOFT Soft- ware Engineering Notes, 39(5):1–8, 2014
2014
-
[5]
A scalable, commodity data center network architecture.ACM SIGCOMM computer communication review, 38(4):63–74, 2008
Mohammad Al-Fares, Alexander Loukissas, and Amin Vahdat. A scalable, commodity data center network architecture.ACM SIGCOMM computer communication review, 38(4):63–74, 2008
2008
-
[6]
The plastic surgery hypothesis
Earl T Barr, Yuriy Brun, Premkumar Devanbu, Mark Harman, and Federica Sarro. The plastic surgery hypothesis. InProceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 306–317, 2014
2014
-
[7]
Clone detection using abstract syntax trees
Ira D Baxter, Andrew Yahin, Leonardo Moura, Marcelo Sant’Anna, and Lorraine Bier. Clone detection using abstract syntax trees. In Proceedings. International Conference on Software Maintenance (Cat. No. 98CB36272), pages 368–377. IEEE, 1998
1998
-
[8]
A gen- eral approach to network configuration verification
Ryan Beckett, Aarti Gupta, Ratul Mahajan, and David Walker. A gen- eral approach to network configuration verification. InProceedings of the Conference of the ACM Special Interest Group on Data Communica- tion, pages 155–168, 2017
2017
-
[9]
Pinpoint: Problem determination in large, dynamic internet services
Mike Y Chen, Emre Kiciman, Eugene Fratkin, Armando Fox, and Eric Brewer. Pinpoint: Problem determination in large, dynamic internet services. InProceedings International Conference on Dependable Systems and Networks, pages 595–604. IEEE, 2002
2002
-
[10]
Facebook Engineering. Introducing data center fabric: The next- generation facebook data center network.https://engineering.fb.com/ 2014/11/14/production-engineering/introducing-data-center-fabric- the-next-generation-facebook-data-center-network/, 2014. [Online; accessed 06-December-2026]
2014
-
[11]
Efficient network reachability analysis using a succinct control plane representation
Seyed K Fayaz, Tushar Sharma, Ari Fogel, Ratul Mahajan, Todd Mill- stein, Vyas Sekar, and George Varghese. Efficient network reachability analysis using a succinct control plane representation. In12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 217–232, 2016
2016
-
[12]
A general approach to network configuration analysis
Ari Fogel, Stanley Fung, Luis Pedrosa, Meg Walraed-Sullivan, Ramesh Govindan, Ratul Mahajan, and Todd Millstein. A general approach to network configuration analysis. In12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15), pages 469– 483, 2015
2015
-
[13]
Automatic software repair: A survey
Luca Gazzola, Daniela Micucci, and Leonardo Mariani. Automatic software repair: A survey. InProceedings of the 40th International Conference on Software Engineering, pages 1219–1219, 2018
2018
-
[14]
Automatically repairing network control planes using an abstract representation
Aaron Gember-Jacobson, Aditya Akella, Ratul Mahajan, and Hongqiang Harry Liu. Automatically repairing network control planes using an abstract representation. InProceedings of the 26th Symposium on Operating Systems Principles, pages 359–373, 2017
2017
-
[15]
Aaron Gember-Jacobson, Ruchit Shrestha, and Xiaolin Sun. Localiz- ing router configuration errors using minimal correction sets.arXiv preprint arXiv:2204.10785, 2022
-
[16]
Fast control plane analysis using an abstract represen- tation
Aaron Gember-Jacobson, Raajay Viswanathan, Aditya Akella, and Ratul Mahajan. Fast control plane analysis using an abstract represen- tation. InProceedings of the 2016 ACM SIGCOMM Conference, pages 300–313, 2016
2016
-
[17]
Empirical evaluation of the tarantula automatic fault-localization technique
James A Jones and Mary Jean Harrold. Empirical evaluation of the tarantula automatic fault-localization technique. InProceedings of the 20th IEEE/ACM international Conference on Automated software engineering, pages 273–282, 2005
2005
-
[18]
Genprog: A generic method for automatic software repair
Claire Le Goues, ThanhVu Nguyen, Stephanie Forrest, and Westley Weimer. Genprog: A generic method for automatic software repair. Ieee transactions on software engineering, 38(1):54–72, 2011
2011
-
[19]
R2fix: Auto- matically generating bug fixes from bug reports
Chen Liu, Jinqiu Yang, Lin Tan, and Munawar Hafiz. R2fix: Auto- matically generating bug fixes from bug reports. In2013 IEEE Sixth international conference on software testing, verification and validation, pages 282–291. IEEE, 2013
2013
-
[20]
Automatic life cycle management of network configurations
Hongqiang Harry Liu, Xin Wu, Wei Zhou, Weiguo Chen, Tao Wang, Hui Xu, Lei Zhou, Qing Ma, and Ming Zhang. Automatic life cycle management of network configurations. InProceedings of the Afternoon Workshop on Self-Driving Networks, pages 29–35, 2018
2018
-
[21]
Directfix: Looking for simple program repairs
Sergey Mechtaev, Jooyong Yi, and Abhik Roychoudhury. Directfix: Looking for simple program repairs. In2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, volume 1, pages 448–458. IEEE, 2015
2015
-
[22]
Automatic software repair: A bibliography.ACM Computing Surveys (CSUR), 51(1):1–24, 2018
Martin Monperrus. Automatic software repair: A bibliography.ACM Computing Surveys (CSUR), 51(1):1–24, 2018
2018
-
[23]
Semfix: Program repair via semantic analysis
Hoang Duong Thien Nguyen, Dawei Qi, Abhik Roychoudhury, and Satish Chandra. Semfix: Program repair via semantic analysis. In2013 35th International Conference on Software Engineering (ICSE), pages 772–781. IEEE, 2013
2013
-
[24]
Acorn network control plane abstraction using route nondeterminism
Divya Raghunathan, Ryan Beckett, Aarti Gupta, and David Walker. Acorn network control plane abstraction using route nondeterminism. In# PLACEHOLDER_PARENT_METADATA_V ALUE#, pages 261–272. TU Wien Academic Press, 2022
2022
-
[25]
Jupiter rising: A decade of clos topologies and central- ized control in google’s datacenter network.ACM SIGCOMM computer communication review, 45(4):183–197, 2015
Arjun Singh, Joon Ong, Amit Agarwal, Glen Anderson, Ashby Armis- tead, Roy Bannon, Seb Boving, Gaurav Desai, Bob Felderman, Paulie Germano, et al. Jupiter rising: A decade of clos topologies and central- ized control in google’s datacenter network.ACM SIGCOMM computer communication review, 45(4):183–197, 2015
2015
-
[26]
Automated fixing of programs with con- tracts
Yi Wei, Yu Pei, Carlo A Furia, Lucas S Silva, Stefan Buchholz, Bertrand Meyer, and Andreas Zeller. Automated fixing of programs with con- tracts. InProceedings of the 19th international symposium on Software testing and analysis, pages 61–72, 2010
2010
-
[27]
Leveraging program equivalence for adaptive program repair: Models and first Conference acronym ’XX, June 03–05, 2018, Woodstock, NY Z
Westley Weimer, Zachary P Fry, and Stephanie Forrest. Leveraging program equivalence for adaptive program repair: Models and first Conference acronym ’XX, June 03–05, 2018, Woodstock, NY Z. Gu, et al. results. In2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 356–366. IEEE, 2013
2018
-
[28]
2021 facebook outage — Wikipedia, the free encyclopedia.https://en.wikipedia.org/w/index.php?title=2021_ Facebook_outage&oldid=1221077563, 2024
Wikipedia contributors. 2021 facebook outage — Wikipedia, the free encyclopedia.https://en.wikipedia.org/w/index.php?title=2021_ Facebook_outage&oldid=1221077563, 2024. [Online; accessed 18-June- 2024]
2021
-
[29]
Software fault localization using dstar (d*)
W Eric Wong, Vidroha Debroy, Yihao Li, and Ruizhi Gao. Software fault localization using dstar (d*). In2012 IEEE Sixth International Conference on Software Security and Reliability, pages 21–30. IEEE, 2012
2012
-
[30]
The plastic surgery hypothesis in the era of large language models
Chunqiu Steven Xia, Yifeng Ding, and Lingming Zhang. The plastic surgery hypothesis in the era of large language models. InIEEE/ACM International Conference on Automated Software Engineering (ASE), pages 522–534, 2023
2023
-
[31]
Accuracy, scalability, coverage: A practical configuration verifier on a global wan
Fangdan Ye, Da Yu, Ennan Zhai, Hongqiang Harry Liu, Bingchuan Tian, Qiaobo Ye, Chunsheng Wang, Xin Wu, Tianchen Guo, Cheng Jin, et al. Accuracy, scalability, coverage: A practical configuration verifier on a global wan. InProceedings of the Annual conference of the ACM Special Interest Group on Data Communication on the applications, technologies, archite...
2020
-
[32]
Automatic test packet generation
Hongyi Zeng, Peyman Kazemian, George Varghese, and Nick McK- eown. Automatic test packet generation. InProceedings of the 8th international conference on Emerging networking experiments and tech- nologies, pages 241–252, 2012
2012
-
[33]
Differential network analysis
Peng Zhang, Aaron Gember-Jacobson, Yueshang Zuo, Yuhao Huang, Xu Liu, and Hao Li. Differential network analysis. In19th USENIX Symposium on Networked Systems Design and Implementation (NSDI 22), pages 601–615, 2022
2022
-
[34]
{APKeep}: Realtime verification for real networks
Peng Zhang, Xu Liu, Hongkun Yang, Ning Kang, Zhengchang Gu, and Hao Li. {APKeep}: Realtime verification for real networks. In17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), pages 241–255, 2020
2020
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.