network policy
play

Network Policy Mohammad Banikazemi Sumit Naiksatam Abstractions in - PowerPoint PPT Presentation

Feb 21, 2024 •217 likes •422 views

May 2014 Network Policy Mohammad Banikazemi Sumit Naiksatam Abstractions in Neutron Stephen Wong Outline Introduction Neutron Abstractions Group Policy Extension PoC Implementation and Demo

  1. May 2014 � Network Policy Mohammad Banikazemi � Sumit Naiksatam � Abstractions in Neutron Stephen Wong �

  2. Outline ❖ Introduction � ❖ Neutron Abstractions � ❖ Group Policy Extension � ❖ PoC Implementation and Demo � ❖ Future Directions � ❖ Q&A �

  3. Networking in the Cloud ❖ Current API: network centric � ❖ Need a more application centric set of abstractions as well � ❖ More easily understood/utilized by higher layers � ❖ Declarative model � ❖ Separation of concerns �

  4. Desired Features ❖ Provide policy-based connectivity between application tiers � ❖ Support dynamic application of policies � ❖ Redirection to Network services and chains � ❖ Policies defined by administrators and users �

  5. Current Neutron API ❖ Network centric, close to physical devices � ❖ Network: isolated layer-2 broadcast domain; private/shared ❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers ❖ Port: virtual switch port on a network; has MAC and IP address properties ❖ Router: connects networks, supports SNAT

  6. Example: Multi Tier Apps Application Web External Network DB (Internet) Q Load Firewall QoS Balancer

  7. Neutron Representation neutron net-create web_tier External Network neutron subnet-create web_tier 10.0.0.0/24 neutron router-create router1 neutron router-add-interface router1 web_subnet Router . . . Network/ Network/ subnet subnet Network/ subnet Port � Q Q

  8. Group Policy e x t e n s i o n �

  9. The Basic Idea ❖ Endpoint (EP): Lowest unit of abstraction where policy is applied � ❖ Endpoint Group (EPG): Logical grouping of endpoints � ❖ Policy Rule: Network policies to access EPGs � ❖ Contract: Collection of policy rules �

  10. EPG-Contract Relationship ❖ Application deployer focused � ❖ An EPG may provide one or more contracts � ❖ An EPG may consume one or more contracts � Endpoint Contract Group

  11. Policy Rules Action Policy Rule Value Type Classifier Action Allow None Service/ Redirect Chain Protocol Ports Direction Type Value QoS QoS args Log Log args ❖ Action is applied to traffic specified by Classifier � Copy Copy args Mark Mark args

  12. Group Policy - Workflow ❖ Create contract � neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW neutron contract-create Web-Server-Contract --policy-rule insecure-web ❖ Create EPGs and provide/consume contracts � neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract neutron ep-create --endpoint-group Web-Server-EPG neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract

  13. Putting It All Together – 3 Tier App Application Web External Network DB (Internet) Load Firewall Balancer

  14. Group Policy Realization EPG Application EPG Web EPG EPG External Network DB (Internet) Protocol:TCP Protocol:TCP Protocol:TCP Port:80 Port:9080 Port:3306 Action:Redirect Action:ALLOW Action:ALLOW To FW_LB_CHAIN Contract � EPG � EPG � Consumes � Provides � Firewall � Firewall

  15. Optional Constructs in Model ❖ Scopes: put constraints around how provider and consumer EPGs are matched � ❖ Policy Rule Filters: allow for tagging Policy Rules with Labels such that subsets can be created in a Contract � ❖ Contract hierarchy: infra admin constraints can be achieved by Contract hierarchical composition � ❖ Endpoint labels: policies get triggered automatically when labels are added or removed �

  16. Proof of Concept i m p l e m e n t a t i o n �

  17. PoC Implementation ❖ Team has worked on a PoC CLI � Heat � Horizon � implementation � Neutron � ❖ Considering various model and implementation alternatives � ❖ Using legacy driver � Policy Manager � ❖ CLI, Horizon, and Heat � ODL � Legacy � others � Policy Driver � Policy Driver �

  18. The Group Policy PoC Team ❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco) � ❖ Mohammad Banikazemi (IBM) � ❖ Stephen Wong (Midokura) � ❖ Ronak Shah (Nuage Networks) � ❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence) � ❖ Rudra Rugge (Juniper) �

  19. State of Implementation ❖ The blueprint for Group Policy has been reviewed/ approved � ❖ Working PoC available (install from: https://github.com/ noironetworks/devstack/tree/group-policy-poc) � ❖ Neutron reference implementation for Group Policy is in progress � ❖ Complementary work on network services framework is in progress �

  20. More Information ❖ Neutron Group-based Policy design session � � � � � � � � � � May 16 • 10:50am - 11:30am • B304 � ❖ Wiki page: � � � � � � � � � � � � � � � � � � � https://wiki.openstack.org/wiki/Neutron/GroupPolicy � ❖ Neutron Group Policy Sub-Team Meeting IRC weekly meetings: � � � https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy �

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Competition policy as a tool for the macroprudential regulation of the banking sector Massimo

Competition policy as a tool for the macroprudential regulation of the banking sector Massimo

Motivations and Theory Background Banking Network Default dynamics Network structures and Competition Policy Conditional Capital Requirements Network-Varying Capital Requirements Final Remarks Additional Plots Competition policy as a tool

267 views • 24 slides
A Testbed For Policy Closed Loop Network Management 1 Outline of the presentation In this

A Testbed For Policy Closed Loop Network Management 1 Outline of the presentation In this

A Testbed For Policy Closed Loop Network Management 1 Outline of the presentation In this presentation we will cover the following points: Paper Contribution System Architecture Network Configuration and Scenario The Policy and

178 views • 13 slides
Policy Input Tool 2.0 The Network: The Network: What is What is In 2015, several groups came

Policy Input Tool 2.0 The Network: The Network: What is What is In 2015, several groups came

Policy Input Tool 2.0 The Network: The Network: What is What is In 2015, several groups came together to come up with solutions that would Vision 2020? Vision 2020? permanently change debates on taxes and budgets in Colorado and reshape

457 views • 24 slides
Anti-Displacement Policy Network Update Image here Denver City Council, Housing and Homelessness

Anti-Displacement Policy Network Update Image here Denver City Council, Housing and Homelessness

Anti-Displacement Policy Network Update Image here Denver City Council, Housing and Homelessness Working Group Melissa Thate, Housing Policy Officer August 23, 2018 Anti-Displacement Policy Network Cities Austin, Boston, Buffalo, Denver,

672 views • 25 slides
Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan Boreham @bboreham Who knows... Kubernetes Docker Linux iptables Ancient wisdom For survival, your group needs: Leadership

675 views • 21 slides
Learning Output T anzania Webinar for PSAM Learning 5 th April 2018 Policy Forum is network of

Learning Output T anzania Webinar for PSAM Learning 5 th April 2018 Policy Forum is network of

Policy Forum Learning Output T anzania Webinar for PSAM Learning 5 th April 2018 Policy Forum is network of 79 Tanzanian CSOs drawn to influence policy processes that help in poverty reduction, equity & democratization About Policy

166 views • 15 slides
AFRICAN CULTURAL POLICY NETWORK SECRETARIAT: Racines, Morocco Address: 30, Rue Banafsaj,

AFRICAN CULTURAL POLICY NETWORK SECRETARIAT: Racines, Morocco Address: 30, Rue Banafsaj,

AFRICAN CULTURAL POLICY NETWORK AFRICAN CULTURAL POLICY NETWORK SECRETARIAT: Racines, Morocco Address: 30, Rue Banafsaj, Rsidence Berth II, 2me tage, n8, 20140, Mers Sultan, Casablanca, Morocco Phone number: +212 522 476 335 C/O Quitterie

923 views • 4 slides
Taxonomy and Description of Policy Combination Methods Yasusi Kanada Hitachi Ltd., IP Network

Taxonomy and Description of Policy Combination Methods Yasusi Kanada Hitachi Ltd., IP Network

Taxonomy and Description of Policy Combination Methods Yasusi Kanada Hitachi Ltd., IP Network Research Center What is a policy combination? Policies may be mutually dependent. Negative dependence is called conflicts , and widely studied.

224 views • 8 slides
ACE Practitioners Network by S ara S taino ACE Facilitator/ Policy S pecialist

ACE Practitioners Network by S ara S taino ACE Facilitator/ Policy S pecialist

ACE Practitioners Network by S ara S taino ACE Facilitator/ Policy S pecialist International IDEA Introduction In this presentation I will talk about how we will continue to develop ACE and how we envision it to grow, and explaining how

203 views • 5 slides
Preacher: Network Policy Checker for Adversarial Environments Kashyap Thimmaraju, Liron Schiff

Preacher: Network Policy Checker for Adversarial Environments Kashyap Thimmaraju, Liron Schiff

Preacher: Network Policy Checker for Adversarial Environments Kashyap Thimmaraju, Liron Schiff and Stefan Schmid 1 Backdoors and exploits Network devices are very effective attack vectors Provide access to internal networks

469 views • 18 slides
POLICY INFLUENCE ON DIGITALIZATION AND ECONOMIC DEVELOPMENT THE CASE OF GHANA DIODE NETWORK

POLICY INFLUENCE ON DIGITALIZATION AND ECONOMIC DEVELOPMENT THE CASE OF GHANA DIODE NETWORK

POLICY INFLUENCE ON DIGITALIZATION AND ECONOMIC DEVELOPMENT THE CASE OF GHANA DIODE NETWORK WORKSHOP OXFORD, UK EMMANUEL J. A. FIAGBENU - GMIC, NITA 9 TH 10 TH OCT. 2017 Overview Introduction Digitalization in Ghana Policy

601 views • 27 slides
A Transatlantic Partnership for Sustainable Development TPN Transatlantic Policy Network

A Transatlantic Partnership for Sustainable Development TPN Transatlantic Policy Network

A Transatlantic Partnership for Sustainable Development TPN Transatlantic Policy Network JANEZ POTONIK Co-chair UNEP International Resource Panel (IRP) Partner SYSTEMIQ 21 nd November 2019 Lets start the story in my home country

863 views • 55 slides
See the NYCDOE Academic Policy intranet page maintained by the Office of Academic Policy and

See the NYCDOE Academic Policy intranet page maintained by the Office of Academic Policy and

See the NYCDOE Academic Policy intranet page maintained by the Office of Academic Policy and Systems and consult the HS, MS, and ES academic policy guides for the most current information. Contact your network academic policy point with

761 views • 61 slides
Anti-Displacement Policy Network Report to City of Minneapolis Housing Policy and Development

Anti-Displacement Policy Network Report to City of Minneapolis Housing Policy and Development

CITY OF MINNEAPOLIS Anti-Displacement Policy Network Report to City of Minneapolis Housing Policy and Development Committee October 2, 2019 1 Strategic & Racial Equity Action Plan: Housing 2 HOUSING Strategic Need: The City of

476 views • 13 slides
Using Hierarchical Change Mining to Manage Network Security Policy Evolution Gabriel A. Weaver,

Using Hierarchical Change Mining to Manage Network Security Policy Evolution Gabriel A. Weaver,

Using Hierarchical Change Mining to Manage Network Security Policy Evolution Gabriel A. Weaver, Nick Foti, Sergey Bratus, Dan Rockmore, and Sean W. Smith Presented by Gabriel A. Weaver Dartmouth College Network services change and evolve.

463 views • 43 slides
their benefits and some local experience from the MedPAN network The network of MPA managers in

their benefits and some local experience from the MedPAN network The network of MPA managers in

FARNET TRANSNATIONAL SEMINAR FOR FLAGS VIGO (GALICIA), SPAIN 13 - 15 MARCH 2018 FLAGs and local resource management Policy context of Marine Protected Areas (MPAs), their benefits and some local experience from the MedPAN network The network

158 views • 12 slides
Peer to Peer Networks on Android Paul O'Neil and Steven Presser Agenda Motivation

Peer to Peer Networks on Android Paul O'Neil and Steven Presser Agenda Motivation

Peer to Peer Networks on Android Paul O'Neil and Steven Presser Agenda Motivation Constraints Tools and Barriers Architecture Demonstration Agenda Motivation Constraints Tools and Barriers Architecture

463 views • 27 slides
Network Operation Center NOC NOC Eng. Ali Munir Al-Mudhafar I.C.T Center Network Systems

Network Operation Center NOC NOC Eng. Ali Munir Al-Mudhafar I.C.T Center Network Systems

Network Operation Center NOC NOC Eng. Ali Munir Al-Mudhafar I.C.T Center Network Systems Division Introduction A fter Continuous and widespread use of Network system in many organizations, companies, government agencies, educational

343 views • 31 slides
WiFi Networks on Drones Ramon Sanchez-Iborra Universidad Politcnica de Cartagena (Spain)

WiFi Networks on Drones Ramon Sanchez-Iborra Universidad Politcnica de Cartagena (Spain)

ITU Kaleidoscope 2016 ICTs for a Sustainable World WiFi Networks on Drones Ramon Sanchez-Iborra Universidad Politcnica de Cartagena (Spain) Universidad Tcnica Federico Santa Mara (Santiago, Chile) Bangkok, Thailand ramon.sanchez@upct.es

250 views • 22 slides
FUTURE BUSINESS LEADERS OF AMERICA WHAT IS FBLA? The nations largest student run

FUTURE BUSINESS LEADERS OF AMERICA WHAT IS FBLA? The nations largest student run

FUTURE BUSINESS LEADERS OF AMERICA WHAT IS FBLA? The nations largest student run organization. CAREER PREPARATION LEADERSHIP DEVELOPMENT COMPETITIONS MEMBER OPPORTUNITIES Value for the members. COMPETITIONS - PROJECTS - SCHOLARSHIPS -

483 views • 15 slides
Maher Duessel Not-for-Profit Training July 2018 Agenda Review of ITGCs Review of IT

Maher Duessel Not-for-Profit Training July 2018 Agenda Review of ITGCs Review of IT

Maher Duessel Not-for-Profit Training July 2018 Agenda Review of ITGCs Review of IT Checklist Other Security Issues Questions 2 Review of General Computer Controls 3 ITGC What is that? Information Technology General

589 views • 38 slides
Technology Department Update November 2019 Jim Yox, Network Manager Matt Purificato, Network

Technology Department Update November 2019 Jim Yox, Network Manager Matt Purificato, Network

Technology Department Update November 2019 Jim Yox, Network Manager Matt Purificato, Network Administrator Technology Department Staffjng 2.o FTE 4 Computer Specialists w/stipend Summer Student Helpers Recent Changes

266 views • 10 slides
FRIENDS OF NIGHTHAWKS Congratulations! The SACSCOC Board of Trustees Approved two Associate of

FRIENDS OF NIGHTHAWKS Congratulations! The SACSCOC Board of Trustees Approved two Associate of

February 20, 2019 FRIENDS OF NIGHTHAWKS Congratulations! The SACSCOC Board of Trustees Approved two Associate of Applied Science Programs AAS Information Technology with specializations in Cybersecurity Network Administrator AAS

285 views • 17 slides
Employer Administrators Queensland 2019 Version 1.0 Agenda Introductions System

Employer Administrators Queensland 2019 Version 1.0 Agenda Introductions System

Employer Administrators Queensland 2019 Version 1.0 Agenda Introductions System differences Permissions Demonstration and training Soft launch checklist Questions and Answers Introduction Overview of RIW

713 views • 45 slides

More recommend