September 3rd, 2014, Warehouse Theater 6:30-9:30pm



What is Policy?

• As defined by the Oxford English Dictionary:
  • A course or principle of action adopted or proposed by a government, party, business, or individual
• As defined by Wikipedia:
  • A policy is a statement of intent, and is implemented as a procedure or protocol.

We’ve heard about policy before…

• Forwarding policy
  • All Ethernet multicast packets received on port 1 should be sent to VLAN 11
• Routing table policy
  • Ignore all routes advertised by peer 63.24.13.5
• Firewall policy
  • Drop all packets from infected host 10.11.12.13

Why Policy?

• Configuration and management get challenging at scale

• How many devices do you need to touch in order to configure access across the network for a given tenant?

Why Policy?

• Policy provides a way of expressing intent:
  • “I’d like to prevent Thomas from rattling off a bunch of gibberish at public speaking events”
• That intent can be mapped into configuration or dynamic management, through a process called “rendering”

Rendered Policy Enforcement

(Diagram: placeholder policy statements, shown as “Blah Blah Blah”, being rendered into policy enforcement)

Policy in Research: Frenetic/Pyretic

• Research from Jennifer Rexford’s team at Princeton and Nate Foster at Cornell
• Domain-specific policy language for programming OpenFlow networks
• Addresses interactions between concurrent modules:
  • Program A wants to install a packet-in action on traffic from 10.0.0.5
  • Program B wants to install a redirect flow on traffic from 10.0.0.5
  • How do we implement the behavior we want?
• Provides two sub-languages:
  • Limited but high-level and declarative network query language
  • General-purpose, functional and reactive network policy management library

Frenetic (cont.)

• The following example is the Frenetic Python code to perform Deep Packet Inspection:

    # Select, Where, srcport_fp and packets are Frenetic query-language
    # constructs; analyze_packet is the user-supplied packet handler.

    # Query: every packet whose source port is 80
    def web_packets_query():
        return (Select(packets) *
                Where(srcport_fp(80)))

    # Pipe the matching packets into the analysis function
    def dpi():
        web_packets_query() >> analyze_packet()

Policy in Research: Resonance/Pyresonance

• Research from Nick Feamster’s team at Georgia Tech
• Express network policies as event-based programs
• Specify a Finite State Machine (FSM) for each device in the network
• FSMs define states the host can occupy and events that trigger changes in state
• A forwarding behavior is specified for each state

Resonance FSM Example

OpenStack Congress

• Policy framework that allows you to declare, monitor, enforce, and audit policy in a heterogeneous cloud environment
• Feeds data from services into its policy engine and verifies that the cloud's actual state abides by the cloud operator's policies
• Policy language resembles Datalog
• Designed to work with any policy and any cloud service

Group Based Policy

• Open source child of Cisco’s ACI, using concepts rooted in Promise Theory
• Leverages the idea that things are typically managed in groups, not necessarily individual devices
• Provides a high level policy model for describing “Intent”
• Uses function-specific rendering to map intent to infrastructure

Group Based Policy: Fundamental Constructs

• Endpoints
• Endpoint Groups
• Contracts

(Diagram: Endpoint Group “Database Servers”, containing Endpoint EP “A”, provides the “DB Mgr” Contract; Endpoint Group “Database Managers”, containing Endpoint EP “B”, consumes it)

Group Based Policy: Contracts

• Contracts have Clauses
• Clauses have Subject References which select Subjects
• Contracts also have Subjects
• Subjects have Rules
• Rules have Classifiers/Actions:
  • TCP dest port 80 / allow traffic

(Diagram: a Contract holding Clause “HTTP” with Subject Refs “HTTP” and “ICMP”; Subject “ICMP” with Rule “Allow ICMP”; Subject “HTTP” with Rule “Allow HTTP”)
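As an added example (not from the slides or from either GBP project), the Contract / Clause / Subject Ref / Subject / Rule hierarchy above modelled in Python and rendered into concrete match/action entries for the “DB Mgr” scenario. Endpoint addresses are constructed, and rendering consumer-to-provider traffic only with default deny between groups are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                  # a Classifier paired with its Action
    proto: str               # "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None = any port (ICMP carries none)
    action: str              # "allow" or "drop"

@dataclass
class Contract:
    clauses: dict            # clause name -> list of Subject Refs (subject names)
    subjects: dict           # subject name -> list of Rule

def render(contract, provider_eps, consumer_eps):
    """Walk Contract -> Clause -> Subject Ref -> Subject -> Rule and emit one
    concrete (src, dst, proto, dst_port, action) entry per consumer->provider pair.
    Direction is a simplification assumed here; GBP classifiers also carry in/out/bi."""
    flows = []
    for refs in contract.clauses.values():
        for ref in refs:
            for r in contract.subjects[ref]:
                for src in sorted(consumer_eps):
                    for dst in sorted(provider_eps):
                        flows.append((src, dst, r.proto, r.dst_port, r.action))
    return flows

def decide(flows, src, dst, proto, dst_port=None):
    """Decision for one packet; traffic no rendered entry matches is dropped
    (default deny between groups, assumed here)."""
    for f_src, f_dst, f_proto, f_port, action in flows:
        if (f_src, f_dst, f_proto) == (src, dst, proto) and f_port in (None, dst_port):
            return action
    return "drop"

# Constructed sample mirroring the slides: EPG "Database Servers" (EP "A") provides
# the "DB Mgr" contract, EPG "Database Managers" (EP "B") consumes it.
DB_MGR = Contract(clauses={"HTTP": ["HTTP", "ICMP"]},
                  subjects={"HTTP": [Rule("tcp", 80, "allow")],
                            "ICMP": [Rule("icmp", None, "allow")]})
EPG = {"Database Servers": {"10.0.1.10"},     # EP "A", constructed address
       "Database Managers": {"10.0.2.20"}}    # EP "B", constructed address
FLOWS = render(DB_MGR, EPG["Database Servers"], EPG["Database Managers"])
```

Running `decide(FLOWS, "10.0.2.20", "10.0.1.10", "tcp", 22)` returns "drop" because the only TCP classifier in the contract is destination port 80, which is the whitelist behaviour the slide’s “TCP dest port 80 / allow traffic” rule implies.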

OpenDaylight Group Based Policy

• Implementation of Group Based Policy for the OpenDaylight SDN Controller
• “Proof of Concept” Network Virtualization solution using OpenFlow renderer for Helium
• Coordinating with related projects within OpenDaylight (e.g. Service Function Chaining)
• OpFlex renderer targeted for Lithium release

OpenStack Group Based Policy

• Implementation of Group Based Policy for Neutron
• Provides APIs, database, plugin, and drivers
• Reference driver implementation that renders the policy in terms of traditional Neutron resources (port, subnet, etc.)
• Code ready for Juno release (pending acceptance/approval by Neutron cores)

Questions?