pith. sign in

arxiv: 2605.22092 · v2 · pith:YGZD4MHJ · submitted 2026-05-21 · cs.NI · cs.SE

Astragalus: Automatic Configuration Repair for Production Networks

pith:YGZD4MHJreviewed 2026-06-30 16:33 UTCmodel grok-4.3open to challenge →

classification cs.NI cs.SE
keywords network configuration repairautomatic configuration repairsyntax-driven repairproduction networksconfiguration errorslocalize-fix-validate
0
0 comments X

The pith

A syntax-driven localize-fix-validate loop repairs network configuration errors by generating and checking candidates drawn from the existing repository.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that automatic configuration repair can succeed by iterating a localize-fix-validate pipeline on syntactically valid updates without ever building a full semantic model of network behavior. This matters because current semantics-driven tools become prohibitively slow once network size and complexity increase. If the claim holds, operators gain a practical way to restore correct behavior in large production networks after common configuration mistakes.

Core claim

Astragalus applies multiple rounds of localization, candidate generation from the repository, and validation to produce repairs. It repairs every injected incident across synthesized networks of varying sizes and 97.5 percent of incidents on a real network when 15 error types are introduced, all within an average of 6.93 seconds. The same method supplied valid repairs for seven recent production incidents or undesired changes on a network of thousands of devices, each completed in under six minutes.

What carries the argument

The localize-fix-validate pipeline that repeatedly generates syntactically valid candidate updates from the configuration repository and checks them for correctness.

If this is right

  • Repair time remains low even as network size grows from hundreds to thousands of devices.
  • The same error-injection suite of 15 types can be repaired at high success rates on both synthetic and real configurations.
  • Production incidents can be addressed in minutes rather than requiring manual diagnosis.
  • No construction or solution of full SMT-based semantic constraints is required for the repairs shown.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach may extend to other configuration domains that maintain large repositories of prior valid settings.
  • Validation could be strengthened by lightweight checks that still avoid full semantic modeling.
  • Repository coverage becomes the practical limit on repair success once the pipeline runs efficiently.

Load-bearing premise

Syntactically valid updates taken from the existing repository are sufficient to include a correct repair for the encountered error.

What would settle it

A network incident for which no syntactically valid candidate update from the repository restores the intended behavior.

Figures

Figures reproduced from arXiv: 2605.22092 by Peng Zhang, Xing Feng, Xu Liu, Zhenrong Gu.

Figure 1
Figure 1. Figure 1: The workflow of Astragalus. validator. With no extra information attached, it does the lo￾calization by best effort: the identified configurations by the localizer are usually suspicious configurations rather than the root causes. After the localization, the fix generator receives the suspiciousness of each part of the configuration. Step 2: Fix generation (§4.3). Based on the suspiciousness provided by th… view at source ↗
Figure 2
Figure 2. Figure 2: A sample configuration snippet (a), the correspond￾ing AST (b). Most routing software and network simulators model the configuration as an abstract syntax tree [12]. Similarly, As￾tragalus also internally represents the configuration files as an AST [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: An example for localization and fix generation of ACR. The leftmost graph is an illustration of the topology. (a) The coverage report and suspiciousness calculation of each configuration unit in 𝑆1, 𝑆2 and 𝑆3, using Tarantula; the repair options of each suspicious configuration unit. (b) The candidate repair options, and whether the repair option would fix the network. “Improved” means although the network… view at source ↗
Figure 4
Figure 4. Figure 4: shows the repair time of Astragalus over different sizes of fat-trees in the synthetic dataset, alongside AED and CEL. The 𝑥-axis denotes the fat-tree size 𝑘 (ranging from 4 to 12), while the y-axis reports repair/location time in sec￾onds on a logarithmic scale. As evidenced in the figure, AED (orange bars) and CEL (yellow bars) exhibit severe scalabil￾ity limitations. For 𝑘 = 4, both tools require approx… view at source ↗
Figure 5
Figure 5. Figure 5: shows the cumulative distribution function (CDF) of the relative root cause location 𝐿𝑟 for 4 SBFL techniques: Ochiai, tarantula, jaccard, and D-Star (with parameter 2). In both path change and reachability test cases, Ochiai, Jaccard and D-Star2 do not have observable difference in the CDF; 0.0 0.2 0.4 0.6 0.8 1.0 (a) Lr of Path Change 0.0 0.2 0.4 0.6 0.8 1.0 FLr (x) 0.0 0.2 0.4 0.6 0.8 1.0 (b) Lr of Reac… view at source ↗
Figure 6
Figure 6. Figure 6: The average time of localization, fix generation, and validation of Astragalus, in the synthesized dataset. Solid bars is for reachability incidents, and stripped bars is for path change incidents [PITH_FULL_IMAGE:figures/full_fig_p010_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: Two real-world network incidents studied. The arrows indicate the propagation of the routes. from two data centers; and the peering switches only estab￾lish IBGP peer with the corresponding RR (𝑆3, 𝑆4 ↔ 𝑅𝑅1, 𝑆7, 𝑆8 ↔ 𝑅𝑅2). Many data centers in the network reuses ASN in some layer of the network. As a result, the AS-path of a BGP route sent from from one data center to another may contain two identical ASNs… view at source ↗
Figure 7
Figure 7. Figure 7: The proportion of three change operators applied in fixing fat-tree 8’s path change incidents [PITH_FULL_IMAGE:figures/full_fig_p011_7.png] view at source ↗
read the original abstract

Network configurations are prone to errors, which can lead to catastrophic service outages. A tool that can achieve automatic configuration repair (ACR) is highly desired by operators. Existing tools for ACR follow a \textit{semantics-driven approach}: they model network semantics as a set of SMT constraints, and solve them for a location or fix of the error. Due to the complex semantics of networks, constructing and solving these constraints can be prohibitively expensive, making these tools neither general nor scalable. Inspired by automatic program repair (APR), we explore another direction, i.e., a \textit{syntax-driven approach}, which generates and validates syntactically-valid candidate updates without modeling program semantics, often drawing on existing code in the same repository. Following this direction, we propose Astragalus, a syntax-driven method for ACR. It uses multiple iterations of a "localize-fix-validate" pipeline to search for repairs, and proves quite effective on configurations of our production network. Specifically, we show that Astragalus can repair every incident in multiple sizes of a synthesized network, and 97.5% of the incidents on a real network, both with 15 types of errors injected, within an average time of 6.93 seconds. It has also provided valid repairs in under 6 minutes for 7 recent network incidents or undesired changes, in a real production network with O(1,000)~O(10,000) devices.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. Astragalus presents a syntax-driven approach to automatic configuration repair (ACR) for production networks, using an iterative localize-fix-validate pipeline that generates candidate updates from syntactic patterns and the existing configuration repository without constructing SMT-based semantic models. The paper claims this repairs every incident across multiple sizes of a synthesized network and 97.5% of incidents on a real network (both with 15 injected error types) in an average of 6.93 seconds, plus valid repairs for 7 recent production incidents in under 6 minutes on a network with O(1,000)–O(10,000) devices.

Significance. If the validation step reliably ensures behavioral correctness, the work would be significant as a scalable alternative to semantics-driven ACR tools, which the paper argues are too expensive for large networks. The empirical results on both synthetic and real production configurations, plus the explicit avoidance of full semantic modeling, would represent a practical advance if the evaluation methodology supports the claims.

major comments (2)
  1. [Abstract and Evaluation] Abstract and Evaluation: The reported success rates (100% on synthetic, 97.5% on real) and average repair time of 6.93s are presented without any description of how the 15 error types were injected, how candidate repairs were validated as correct (beyond syntactic validity), or what failure cases occurred; this directly affects whether the localize-fix-validate loop can be assessed as producing behaviorally safe repairs.
  2. [Validation procedure (likely §4 or §5)] Validation procedure (likely §4 or §5): The central claim depends on the validate step detecting behavioral equivalence or safety using only syntactic patterns and limited tests from the repository; without a semantic model, it is unclear what concrete checks (e.g., reachability, ACL, convergence) are performed, leaving open the possibility that syntactically valid edits alter forwarding behavior undetected.
minor comments (1)
  1. [Abstract] The abstract and introduction would benefit from a brief forward reference to the exact validation criteria used in the localize-fix-validate loop.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on the abstract, evaluation methodology, and validation procedure. We address each point below and will revise the manuscript to improve clarity and transparency without altering the core syntax-driven design.

read point-by-point responses
  1. Referee: [Abstract and Evaluation] Abstract and Evaluation: The reported success rates (100% on synthetic, 97.5% on real) and average repair time of 6.93s are presented without any description of how the 15 error types were injected, how candidate repairs were validated as correct (beyond syntactic validity), or what failure cases occurred; this directly affects whether the localize-fix-validate loop can be assessed as producing behaviorally safe repairs.

    Authors: We agree that additional details are required. The 15 error types were derived from common production incidents (e.g., ACL misconfigurations, route advertisement errors, interface mismatches) and injected by mutating existing configuration files according to syntactic templates observed in the repository. Validation of repairs combines syntactic pattern matching against the repository with execution of a curated set of test configurations drawn from the same repository. The 2.5% unrepaired cases on the real network involved interdependent errors spanning multiple devices that exceeded the single-iteration localization scope. In the revised manuscript we will expand §4 and §5 with a dedicated subsection describing the injection process, the exact validation checks, and the failure cases with examples. revision: yes

  2. Referee: [Validation procedure (likely §4 or §5)] Validation procedure (likely §4 or §5): The central claim depends on the validate step detecting behavioral equivalence or safety using only syntactic patterns and limited tests from the repository; without a semantic model, it is unclear what concrete checks (e.g., reachability, ACL, convergence) are performed, leaving open the possibility that syntactically valid edits alter forwarding behavior undetected.

    Authors: The validate step is deliberately limited to syntactic pattern matching (ensuring the candidate matches valid repository examples) plus execution of a small set of repository-derived test cases that exercise basic forwarding and ACL consistency. No reachability, convergence, or full semantic checks are performed, as these would require the SMT modeling the paper seeks to avoid for scalability. We acknowledge this creates a genuine risk of undetected behavioral changes. The revision will (1) explicitly enumerate the concrete syntactic and test-based checks in §4, (2) add a limitations paragraph discussing the absence of semantic guarantees, and (3) note that empirical success on seven recent production incidents provides practical evidence despite the limitation. revision: yes

Circularity Check

0 steps flagged

No circularity; empirical success rates are direct measurements on injected errors and real incidents.

full rationale

The paper reports measured repair success (100% on synthesized networks, 97.5% on real network with 15 error types, plus 7 production incidents) as outcomes of running the localize-fix-validate pipeline. No equations, fitted parameters, or self-citations are used to derive these rates; they are presented as experimental results. The central claim does not reduce to any input by construction, and the approach is self-contained against external benchmarks (injected errors and operator-validated production cases).

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract-only review; no explicit free parameters, axioms, or invented entities are identifiable beyond the core domain assumption that syntax-level edits suffice for repair.

axioms (1)
  • domain assumption Syntactically valid candidate updates drawn from the existing configuration repository can be validated as correct without full network semantics
    The localize-fix-validate pipeline rests on this premise to avoid SMT solving.

pith-pipeline@v0.9.1-grok · 5788 in / 1340 out tokens · 57931 ms · 2026-06-30T16:33:47.307073+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

34 extracted references · 2 canonical work pages · 1 internal anchor

  1. [1]

    Tiramisu: Fast and General Network Verification

    Anubhavnidhi Abhashkumar, Aaron Gember-Jacobson, and Aditya Akella. Tiramisu: Fast and general network verification.arXiv preprint arXiv:1906.02043, 2019

  2. [2]

    Aed: Incrementally synthesizing policy-compliant and manage- able configurations

    Anubhavnidhi Abhashkumar, Aaron Gember-Jacobson, and Aditya Akella. Aed: Incrementally synthesizing policy-compliant and manage- able configurations. InProceedings of the 16th International Conference on emerging Networking EXperiments and Technologies, pages 482–495, 2020

  3. [3]

    On the ac- curacy of spectrum-based fault localization

    Rui Abreu, Peter Zoeteweij, and Arjan JC Van Gemund. On the ac- curacy of spectrum-based fault localization. InTesting: Academic and industrial conference practice and research techniques-MUTATION (TAICPART-MUTATION 2007), pages 89–98. IEEE, 2007

  4. [4]

    Fault-localization tech- niques for software systems: A literature review.ACM SIGSOFT Soft- ware Engineering Notes, 39(5):1–8, 2014

    Pragya Agarwal and Arun Prakash Agrawal. Fault-localization tech- niques for software systems: A literature review.ACM SIGSOFT Soft- ware Engineering Notes, 39(5):1–8, 2014

  5. [5]

    A scalable, commodity data center network architecture.ACM SIGCOMM computer communication review, 38(4):63–74, 2008

    Mohammad Al-Fares, Alexander Loukissas, and Amin Vahdat. A scalable, commodity data center network architecture.ACM SIGCOMM computer communication review, 38(4):63–74, 2008

  6. [6]

    The plastic surgery hypothesis

    Earl T Barr, Yuriy Brun, Premkumar Devanbu, Mark Harman, and Federica Sarro. The plastic surgery hypothesis. InProceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 306–317, 2014

  7. [7]

    Clone detection using abstract syntax trees

    Ira D Baxter, Andrew Yahin, Leonardo Moura, Marcelo Sant’Anna, and Lorraine Bier. Clone detection using abstract syntax trees. In Proceedings. International Conference on Software Maintenance (Cat. No. 98CB36272), pages 368–377. IEEE, 1998

  8. [8]

    A gen- eral approach to network configuration verification

    Ryan Beckett, Aarti Gupta, Ratul Mahajan, and David Walker. A gen- eral approach to network configuration verification. InProceedings of the Conference of the ACM Special Interest Group on Data Communica- tion, pages 155–168, 2017

  9. [9]

    Pinpoint: Problem determination in large, dynamic internet services

    Mike Y Chen, Emre Kiciman, Eugene Fratkin, Armando Fox, and Eric Brewer. Pinpoint: Problem determination in large, dynamic internet services. InProceedings International Conference on Dependable Systems and Networks, pages 595–604. IEEE, 2002

  10. [10]

    Facebook Engineering. Introducing data center fabric: The next- generation facebook data center network.https://engineering.fb.com/ 2014/11/14/production-engineering/introducing-data-center-fabric- the-next-generation-facebook-data-center-network/, 2014. [Online; accessed 06-December-2026]

  11. [11]

    Efficient network reachability analysis using a succinct control plane representation

    Seyed K Fayaz, Tushar Sharma, Ari Fogel, Ratul Mahajan, Todd Mill- stein, Vyas Sekar, and George Varghese. Efficient network reachability analysis using a succinct control plane representation. In12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 217–232, 2016

  12. [12]

    A general approach to network configuration analysis

    Ari Fogel, Stanley Fung, Luis Pedrosa, Meg Walraed-Sullivan, Ramesh Govindan, Ratul Mahajan, and Todd Millstein. A general approach to network configuration analysis. In12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15), pages 469– 483, 2015

  13. [13]

    Automatic software repair: A survey

    Luca Gazzola, Daniela Micucci, and Leonardo Mariani. Automatic software repair: A survey. InProceedings of the 40th International Conference on Software Engineering, pages 1219–1219, 2018

  14. [14]

    Automatically repairing network control planes using an abstract representation

    Aaron Gember-Jacobson, Aditya Akella, Ratul Mahajan, and Hongqiang Harry Liu. Automatically repairing network control planes using an abstract representation. InProceedings of the 26th Symposium on Operating Systems Principles, pages 359–373, 2017

  15. [15]

    Localiz- ing router configuration errors using minimal correction sets.arXiv preprint arXiv:2204.10785, 2022

    Aaron Gember-Jacobson, Ruchit Shrestha, and Xiaolin Sun. Localiz- ing router configuration errors using minimal correction sets.arXiv preprint arXiv:2204.10785, 2022

  16. [16]

    Fast control plane analysis using an abstract represen- tation

    Aaron Gember-Jacobson, Raajay Viswanathan, Aditya Akella, and Ratul Mahajan. Fast control plane analysis using an abstract represen- tation. InProceedings of the 2016 ACM SIGCOMM Conference, pages 300–313, 2016

  17. [17]

    Empirical evaluation of the tarantula automatic fault-localization technique

    James A Jones and Mary Jean Harrold. Empirical evaluation of the tarantula automatic fault-localization technique. InProceedings of the 20th IEEE/ACM international Conference on Automated software engineering, pages 273–282, 2005

  18. [18]

    Genprog: A generic method for automatic software repair

    Claire Le Goues, ThanhVu Nguyen, Stephanie Forrest, and Westley Weimer. Genprog: A generic method for automatic software repair. Ieee transactions on software engineering, 38(1):54–72, 2011

  19. [19]

    R2fix: Auto- matically generating bug fixes from bug reports

    Chen Liu, Jinqiu Yang, Lin Tan, and Munawar Hafiz. R2fix: Auto- matically generating bug fixes from bug reports. In2013 IEEE Sixth international conference on software testing, verification and validation, pages 282–291. IEEE, 2013

  20. [20]

    Automatic life cycle management of network configurations

    Hongqiang Harry Liu, Xin Wu, Wei Zhou, Weiguo Chen, Tao Wang, Hui Xu, Lei Zhou, Qing Ma, and Ming Zhang. Automatic life cycle management of network configurations. InProceedings of the Afternoon Workshop on Self-Driving Networks, pages 29–35, 2018

  21. [21]

    Directfix: Looking for simple program repairs

    Sergey Mechtaev, Jooyong Yi, and Abhik Roychoudhury. Directfix: Looking for simple program repairs. In2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, volume 1, pages 448–458. IEEE, 2015

  22. [22]

    Automatic software repair: A bibliography.ACM Computing Surveys (CSUR), 51(1):1–24, 2018

    Martin Monperrus. Automatic software repair: A bibliography.ACM Computing Surveys (CSUR), 51(1):1–24, 2018

  23. [23]

    Semfix: Program repair via semantic analysis

    Hoang Duong Thien Nguyen, Dawei Qi, Abhik Roychoudhury, and Satish Chandra. Semfix: Program repair via semantic analysis. In2013 35th International Conference on Software Engineering (ICSE), pages 772–781. IEEE, 2013

  24. [24]

    Acorn network control plane abstraction using route nondeterminism

    Divya Raghunathan, Ryan Beckett, Aarti Gupta, and David Walker. Acorn network control plane abstraction using route nondeterminism. In# PLACEHOLDER_PARENT_METADATA_V ALUE#, pages 261–272. TU Wien Academic Press, 2022

  25. [25]

    Jupiter rising: A decade of clos topologies and central- ized control in google’s datacenter network.ACM SIGCOMM computer communication review, 45(4):183–197, 2015

    Arjun Singh, Joon Ong, Amit Agarwal, Glen Anderson, Ashby Armis- tead, Roy Bannon, Seb Boving, Gaurav Desai, Bob Felderman, Paulie Germano, et al. Jupiter rising: A decade of clos topologies and central- ized control in google’s datacenter network.ACM SIGCOMM computer communication review, 45(4):183–197, 2015

  26. [26]

    Automated fixing of programs with con- tracts

    Yi Wei, Yu Pei, Carlo A Furia, Lucas S Silva, Stefan Buchholz, Bertrand Meyer, and Andreas Zeller. Automated fixing of programs with con- tracts. InProceedings of the 19th international symposium on Software testing and analysis, pages 61–72, 2010

  27. [27]

    Leveraging program equivalence for adaptive program repair: Models and first Conference acronym ’XX, June 03–05, 2018, Woodstock, NY Z

    Westley Weimer, Zachary P Fry, and Stephanie Forrest. Leveraging program equivalence for adaptive program repair: Models and first Conference acronym ’XX, June 03–05, 2018, Woodstock, NY Z. Gu, et al. results. In2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 356–366. IEEE, 2013

  28. [28]

    2021 facebook outage — Wikipedia, the free encyclopedia.https://en.wikipedia.org/w/index.php?title=2021_ Facebook_outage&oldid=1221077563, 2024

    Wikipedia contributors. 2021 facebook outage — Wikipedia, the free encyclopedia.https://en.wikipedia.org/w/index.php?title=2021_ Facebook_outage&oldid=1221077563, 2024. [Online; accessed 18-June- 2024]

  29. [29]

    Software fault localization using dstar (d*)

    W Eric Wong, Vidroha Debroy, Yihao Li, and Ruizhi Gao. Software fault localization using dstar (d*). In2012 IEEE Sixth International Conference on Software Security and Reliability, pages 21–30. IEEE, 2012

  30. [30]

    The plastic surgery hypothesis in the era of large language models

    Chunqiu Steven Xia, Yifeng Ding, and Lingming Zhang. The plastic surgery hypothesis in the era of large language models. InIEEE/ACM International Conference on Automated Software Engineering (ASE), pages 522–534, 2023

  31. [31]

    Accuracy, scalability, coverage: A practical configuration verifier on a global wan

    Fangdan Ye, Da Yu, Ennan Zhai, Hongqiang Harry Liu, Bingchuan Tian, Qiaobo Ye, Chunsheng Wang, Xin Wu, Tianchen Guo, Cheng Jin, et al. Accuracy, scalability, coverage: A practical configuration verifier on a global wan. InProceedings of the Annual conference of the ACM Special Interest Group on Data Communication on the applications, technologies, archite...

  32. [32]

    Automatic test packet generation

    Hongyi Zeng, Peyman Kazemian, George Varghese, and Nick McK- eown. Automatic test packet generation. InProceedings of the 8th international conference on Emerging networking experiments and tech- nologies, pages 241–252, 2012

  33. [33]

    Differential network analysis

    Peng Zhang, Aaron Gember-Jacobson, Yueshang Zuo, Yuhao Huang, Xu Liu, and Hao Li. Differential network analysis. In19th USENIX Symposium on Networked Systems Design and Implementation (NSDI 22), pages 601–615, 2022

  34. [34]

    {APKeep}: Realtime verification for real networks

    Peng Zhang, Xu Liu, Hongkun Yang, Ning Kang, Zhengchang Gu, and Hao Li. {APKeep}: Realtime verification for real networks. In17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), pages 241–255, 2020