
September 3rd, 2014, Warehouse Theater 6:30-9:30pm


Presentation Transcript


  1. September 3rd, 2014, Warehouse Theater 6:30-9:30pm

  2. What is Policy?
     • As defined by the Oxford English Dictionary:
       • A course or principle of action adopted or proposed by a government, party, business, or individual
     • As defined by Wikipedia:
       • A policy is a statement of intent, and is implemented as a procedure or protocol.

  3. We’ve heard about policy before…
     • Forwarding policy
       • All Ethernet multicast packets received on port 1 should be sent to VLAN 11
     • Routing Table policy
       • Ignore all routes advertised by peer 63.24.13.5
     • Firewall policy
       • Drop all packets from infected host 10.11.12.13

  4. Why Policy?
     • Configuration and Management gets challenging at scale
     • How many devices do you need to touch in order to configure access across the network for a given tenant?

  5. Why Policy?
     • Policy provides a way of expressing intent:
       • “I’d like to prevent Thomas from rattling off a bunch of gibberish at public speaking events”
     • That intent can be mapped into configuration or dynamic management, through a process called “rendering”
     (slide graphic: “Blah Blah Blah” speech bubbles, labelled “Rendered Policy Enforcement”)

  6. Policy in Research: Frenetic/Pyretic
     • Research from Jennifer Rexford’s team at Princeton and Nate Foster at Cornell
     • Domain-specific policy language for programming OpenFlow networks
     • Addresses interactions between concurrent modules:
       • Program A wants to install a packet-in action on traffic from 10.0.0.5
       • Program B wants to install a redirect flow on traffic from 10.0.0.5
       • How do we implement the behavior we want?
     • Provides two sub-languages:
       • Limited but high-level and declarative network query language
       • General-purpose, functional and reactive network policy management library

  7. Frenetic (cont.)
     • The following example is the Frenetic Python code to perform Deep Packet Inspection:

         # Select, Where, srcport_fp and packets are Frenetic library names;
         # analyze_packet is the user-supplied analysis callback the slide assumes.
         def web_packets_query():
             # Query: every packet whose TCP source port is 80 (HTTP replies)
             return (Select(packets) * Where(srcport_fp(80)))

         def dpi():
             # Pipe the matching packets into the analyzer
             web_packets_query() >> analyze_packet()

  8. Policy in Research: Resonance/Pyresonance
     • Research from Nick Feamster’s team at Georgia Tech
     • Express network policies as event-based programs
     • Specify a Finite State Machine (FSM) for each device in the network
     • FSMs define states the host can occupy and events that trigger changes in state
     • A forwarding behavior is specified for each state
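A small per-host state machine in the style slide 8 describes, added here as an example; it is not code from the Resonance or Pyresonance projects. The state names, event names and the forwarding behaviour bound to each state are constructed for this illustration, as is the event stream in demo().

```python
# Added example (not Resonance/Pyresonance code): one finite state machine per
# host, events that move the host between states, and a forwarding behaviour
# bound to each state. State, event and behaviour names are constructed here.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Forwarding behaviour the network applies while a host sits in each state.
FORWARDING: Dict[str, str] = {
    "registration": "redirect_to_portal",        # can only reach the sign-on portal
    "authenticated": "forward_normally",         # full access
    "quarantined": "redirect_to_remediation",    # can only reach the remediation server
}

# (current state, event) -> next state. Pairs not listed here are ignored,
# so an unexpected event can never push a host into an undefined state.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("registration", "auth_success"): "authenticated",
    ("authenticated", "infection_alert"): "quarantined",
    ("authenticated", "auth_expired"): "registration",
    ("quarantined", "remediation_done"): "authenticated",
    ("quarantined", "auth_expired"): "registration",
}


@dataclass
class HostFSM:
    mac: str
    state: str = "registration"                  # every new host starts unauthenticated
    history: List[Tuple[str, str, str]] = field(default_factory=list)

    def on_event(self, event: str) -> str:
        """Apply an event; returns the (possibly unchanged) current state."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is not None:
            self.history.append((self.state, event, nxt))
            self.state = nxt
        return self.state

    def forwarding(self) -> str:
        """Forwarding behaviour the switch should apply to this host right now."""
        return FORWARDING[self.state]


class PolicyController:
    """Keeps one FSM per host, keyed by MAC, and dispatches events to it."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HostFSM] = {}

    def handle(self, mac: str, event: str) -> str:
        fsm = self.hosts.setdefault(mac, HostFSM(mac))
        fsm.on_event(event)
        return fsm.forwarding()


def demo() -> List[str]:
    """Constructed event stream: host A authenticates, is flagged, then remediates."""
    ctl = PolicyController()
    events = [
        ("00:11:22:33:44:55", "auth_success"),
        ("00:11:22:33:44:55", "infection_alert"),
        ("66:77:88:99:aa:bb", "infection_alert"),   # unseen host: no valid transition
        ("00:11:22:33:44:55", "remediation_done"),
    ]
    return [ctl.handle(mac, ev) for mac, ev in events]


if __name__ == "__main__":
    print(demo())
```

The transition table is the whole policy: because unlisted (state, event) pairs are dropped rather than defaulted, an alert about a host that has never authenticated leaves it in the restricted registration state instead of inventing a new one, and the per-host history gives an audit trail of why each host is being forwarded the way it is.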

  9. Resonance FSM Example

  10. OpenStack Congress
     • Policy framework that allows you to declare, monitor, enforce, and audit policy in a heterogeneous cloud environment
     • Feeds data from services into its policy engine and verifies that the cloud's actual state abides by the cloud operator's policies
     • Policy language resembles Datalog
     • Designed to work with any policy and any cloud service

  11. Group Based Policy
     • Open source child of Cisco’s ACI, using concepts rooted in Promise Theory
     • Leverages the idea that things are typically managed in groups, not necessarily individual devices
     • Provides a high level policy model for describing “Intent”
     • Uses function-specific rendering to map intent to infrastructure

  12. Group Based Policy: Fundamental Constructs
     • Endpoints
     • Endpoint Groups
     • Contracts
     (diagram: two Endpoints, EP “A” and EP “B”, belonging to Endpoint Groups “Database Managers” and “Database Servers”, which are linked through the “DB Mgr” Contract by “Consumes” and “Provides” relationships)

  13. Group Based Policy: Contracts
     • Contracts have Clauses
     • Clauses have Subject References which select Subjects
     • Contracts also have Subjects
     • Subjects have Rules
     • Rules have Classifiers/Actions:
       • TCP dest port 80/allow traffic
     (diagram: Contract → Clause “HTTP” → Subject Ref “HTTP”, Subject Ref “ICMP”; Subject “HTTP” → Rule “Allow HTTP”; Subject “ICMP” → Rule “Allow ICMP”)
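The constructs of slides 12 and 13, and the “rendering” step of slide 5, as one added example that is not code from the OpenDaylight or OpenStack Group Based Policy projects. It models Endpoints, Endpoint Groups and a Contract (with Clause, Subject References, Subjects, Rules and Classifier/Action pairs) and renders that intent into concrete per-flow rules. The contract and group names come from the slides; the endpoint IP addresses, the assignment of “Database Managers” as consumer and “Database Servers” as provider, and the whitelist (default-deny) semantics of the renderer are assumptions made for this illustration.

```python
# Added example (not GBP project code): a minimal Group Based Policy model and
# a renderer that turns the "intent" into concrete flow rules. IPs, the
# consumer/provider direction and default-deny semantics are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Classifier:
    """Traffic selector: protocol plus optional destination port."""
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None: any port / not applicable (icmp)

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        return self.proto == proto and (self.dst_port is None or self.dst_port == dst_port)


@dataclass(frozen=True)
class Rule:
    classifier: Classifier
    action: str                     # "allow" or "deny"


@dataclass
class Subject:
    name: str
    rules: List[Rule]


@dataclass
class Clause:
    name: str
    subject_refs: List[str]         # names of the Subjects this Clause selects


@dataclass
class Contract:
    name: str
    subjects: Dict[str, Subject]
    clauses: List[Clause]

    def selected_rules(self) -> List[Rule]:
        """Walk Clause -> Subject Reference -> Subject -> Rules."""
        rules: List[Rule] = []
        for clause in self.clauses:
            for ref in clause.subject_refs:
                if ref not in self.subjects:   # dangling reference is a policy error
                    raise KeyError(f"clause {clause.name!r} references unknown subject {ref!r}")
                rules.extend(self.subjects[ref].rules)
        return rules


@dataclass
class EndpointGroup:
    name: str
    endpoints: List[str]                                   # endpoint addresses
    provides: List[str] = field(default_factory=list)      # contract names
    consumes: List[str] = field(default_factory=list)


# Rendered rule: (src, dst, proto, dst_port, action)
Flow = Tuple[str, str, str, Optional[int], str]


def render(groups: List[EndpointGroup], contracts: List[Contract]) -> List[Flow]:
    """Rendering: expand group-level intent into per-endpoint flow rules,
    consumer endpoints -> provider endpoints, for every selected rule."""
    rendered: List[Flow] = []
    for contract in contracts:
        providers = [g for g in groups if contract.name in g.provides]
        consumers = [g for g in groups if contract.name in g.consumes]
        rules = contract.selected_rules()
        for consumer in consumers:
            for provider in providers:
                for src in consumer.endpoints:
                    for dst in provider.endpoints:
                        for rule in rules:
                            rendered.append((src, dst, rule.classifier.proto,
                                             rule.classifier.dst_port, rule.action))
    return rendered


def is_allowed(flows: List[Flow], src: str, dst: str, proto: str,
               dst_port: Optional[int] = None) -> bool:
    """Whitelist semantics (assumed): traffic no contract covers is dropped."""
    for f_src, f_dst, f_proto, f_port, action in flows:
        if f_src == src and f_dst == dst and Classifier(f_proto, f_port).matches(proto, dst_port):
            return action == "allow"
    return False


def build_example() -> List[Flow]:
    """The 'DB Mgr' contract of slides 12-13 with constructed endpoint addresses."""
    db_mgr = Contract(
        name="DB Mgr",
        subjects={
            "HTTP": Subject("HTTP", [Rule(Classifier("tcp", 80), "allow")]),
            "ICMP": Subject("ICMP", [Rule(Classifier("icmp"), "allow")]),
        },
        clauses=[Clause("HTTP", ["HTTP", "ICMP"])],
    )
    managers = EndpointGroup("Database Managers", ["10.0.1.10"], consumes=["DB Mgr"])
    servers = EndpointGroup("Database Servers", ["10.0.2.20"], provides=["DB Mgr"])
    return render([managers, servers], [db_mgr])


if __name__ == "__main__":
    for flow in build_example():
        print(flow)
```

The point of the model is that adding a tenth database server means adding one endpoint to “Database Servers”, and rendering regenerates every per-flow rule; nobody edits rules on individual devices, which is the scaling problem slide 4 raises. Note that the renderer here only emits the consumer-to-provider direction and knows nothing about connection state, so a real renderer targeting stateless match/action hardware would also have to handle return traffic.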

  14. OpenDaylight Group Based Policy
     • Implementation of Group Based Policy for the OpenDaylight SDN Controller
     • “Proof of Concept” Network Virtualization solution using OpenFlow renderer for Helium
     • Coordinating with related projects within OpenDaylight (e.g. Service Function Chaining)
     • OpFlex renderer targeted for Lithium release

  15. OpenStack Group Based Policy
     • Implementation of Group Based Policy for Neutron
     • Provides APIs, database, plugin, and drivers
     • Reference driver implementation that renders the policy in terms of traditional Neutron resources (port, subnet, etc.)
     • Code ready for Juno release (pending acceptance/approval by Neutron cores)

  16. Questions?
