Network Policy Abstractions in Neutron (Mohammad Banikazemi, Sumit Naiksatam, Stephen Wong) - PowerPoint PPT Presentation



SLIDE 1

May 2014

Network Policy

Abstractions in Neutron

Mohammad Banikazemi, Sumit Naiksatam, Stephen Wong

SLIDE 2

Outline

❖ Introduction
❖ Neutron Abstractions
❖ Group Policy Extension
❖ PoC Implementation and Demo
❖ Future Directions
❖ Q&A

SLIDE 3

Networking in the Cloud

❖ Current API: network centric
❖ Need a more application centric set of abstractions as well
❖ More easily understood/utilized by higher layers
❖ Declarative model
❖ Separation of concerns

SLIDE 4

Desired Features

❖ Provide policy-based connectivity between application tiers
❖ Support dynamic application of policies
❖ Redirection to network services and chains
❖ Policies defined by administrators and users

SLIDE 5

Current Neutron API

❖ Network centric, close to physical devices
❖ Network: isolated layer-2 broadcast domain; private/shared
❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers
❖ Port: virtual switch port on a network; has MAC and IP address properties
❖ Router: connects networks, supports SNAT

SLIDE 6

Example: Multi Tier Apps

[Figure: Web, Application and DB tiers; Firewall, Load Balancer and QoS in front of them; External Network (Internet)]

SLIDE 7

Neutron Representation

[Figure: each tier is a Network/subnet, joined by a Router to the External Network; VMs attach through Ports]

Creating the web tier with the current API (the subnet is given a name so that router-add-interface can refer to it):

  neutron net-create web_tier
  neutron subnet-create --name web_subnet web_tier 10.0.0.0/24
  neutron router-create router1
  neutron router-add-interface router1 web_subnet
  . . .

SLIDE 8

Group Policy extension

SLIDE 9

The Basic Idea

❖ Endpoint (EP): lowest unit of abstraction where policy is applied
❖ Endpoint Group (EPG): logical grouping of endpoints
❖ Policy Rule: network policies to access EPGs
❖ Contract: collection of policy rules

SLIDE 10

EPG-Contract Relationship

❖ An EPG may provide one or more contracts
❖ An EPG may consume one or more contracts
❖ Application deployer focused

[Figure: Endpoint Group provides/consumes Contract]

SLIDE 11

Policy Rules

❖ Action is applied to traffic specified by Classifier

Policy Rule = Classifier + Action
  Classifier: Protocol, Ports, Direction
  Action: Type, Value

  Action Type | Value
  ------------+---------------
  Allow       | None
  Redirect    | Service/Chain
  QoS         | QoS args
  Log         | Log args
  Copy        | Copy args
  Mark        | Mark args

SLIDE 12

Group Policy - Workflow

❖ Create classifier, policy rule and contract

  neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN
  neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW
  neutron contract-create Web-Server-Contract --policy-rule insecure-web

❖ Create EPGs and provide/consume contracts

  neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract
  neutron ep-create --endpoint-group Web-Server-EPG
  neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract

SLIDE 13

Putting It All Together – 3 Tier App

[Figure: Web, Application and DB tiers behind a Firewall and Load Balancer, reached from the External Network (Internet)]

SLIDE 14

Group Policy Realization

[Figure: four EPGs (External Network (Internet), Web, Application, DB); each tier provides a contract that the tier in front of it consumes; a Firewall sits on the path into Web]

  External -> Web:         Contract Protocol:TCP Port:80   Action:Redirect to FW_LB_CHAIN
  Web -> Application:      Contract Protocol:TCP Port:9080 Action:ALLOW
  Application -> DB:       Contract Protocol:TCP Port:3306 Action:ALLOW
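The EP/EPG/Policy Rule/Contract model of slides 9 to 14, as an added worked example written for this page (it is not code from the PoC or from Neutron). It models the 3-tier application of slide 14 and expands the provide/consume relationships into the flows the policy actually permits. The contract, EPG and endpoint names other than Web-Server-Contract, Insecure-Web-Access and FW_LB_CHAIN are assumptions; only the ports and actions come from the slides. The point worth seeing in code is that the model is a whitelist: a consumer reaches a provider only through a contract both sides share, so External has no path to DB even though every tier is on the same routed fabric.

```python
"""Toy model of the Group Policy abstractions: Endpoints belong to Endpoint
Groups, EPGs provide and consume Contracts, a Contract is a list of Policy
Rules, and each rule applies an Action to the traffic its Classifier matches.
Constructed illustration for this page; not the Neutron PoC's code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Classifier:
    name: str
    protocol: str
    port: int
    direction: str = "IN"        # relative to the EPG that provides the contract


@dataclass(frozen=True)
class PolicyRule:
    name: str
    classifier: Classifier
    action: str                  # "ALLOW" or "REDIRECT" (QoS/Log/Copy/Mark omitted)
    value: Optional[str] = None  # service chain name for REDIRECT, else None


@dataclass
class Contract:
    name: str
    rules: List[PolicyRule]


@dataclass
class EPG:
    name: str
    members: List[str] = field(default_factory=list)     # endpoint names
    provides: List[Contract] = field(default_factory=list)
    consumes: List[Contract] = field(default_factory=list)


# A realized flow: (consumer EPG, provider EPG, protocol, port, action, value)
Flow = Tuple[str, str, str, int, str, Optional[str]]


def realize(epgs: List[EPG]) -> List[Flow]:
    """Expand provide/consume relationships into the flows the policy permits.
    Only traffic covered by a contract both sides share is listed; everything
    else is implicitly denied, so the result is a whitelist rather than a
    rule base with a default accept."""
    flows: List[Flow] = []
    for provider in epgs:
        for contract in provider.provides:
            for consumer in epgs:
                if contract not in consumer.consumes:
                    continue
                for rule in contract.rules:
                    c = rule.classifier
                    flows.append((consumer.name, provider.name, c.protocol,
                                  c.port, rule.action, rule.value))
    return flows


def lookup(flows: List[Flow], consumer: str, provider: str,
           protocol: str, port: int) -> Optional[Tuple[str, Optional[str]]]:
    """Return (action, value) for a consumer->provider flow, or None if denied."""
    for f in flows:
        if f[:4] == (consumer, provider, protocol, port):
            return f[4], f[5]
    return None


def endpoint_policy(epgs: List[EPG], flows: List[Flow], endpoint: str) -> List[Flow]:
    """Policy is applied at the endpoint: return the flows that involve the
    EPG the endpoint belongs to, i.e. what its port would be programmed with."""
    groups = [g.name for g in epgs if endpoint in g.members]
    return [f for f in flows if f[0] in groups or f[1] in groups]


def build_three_tier() -> List[EPG]:
    """The 3-tier application of slides 13/14. EPG, endpoint and most contract
    names are hypothetical; the ports and actions are the ones on the slide."""
    http = Classifier("Insecure-Web-Access", "TCP", 80)
    app = Classifier("App-Access", "TCP", 9080)
    db = Classifier("DB-Access", "TCP", 3306)
    web_contract = Contract("Web-Server-Contract",
                            [PolicyRule("web-in", http, "REDIRECT", "FW_LB_CHAIN")])
    app_contract = Contract("App-Contract", [PolicyRule("app-in", app, "ALLOW")])
    db_contract = Contract("DB-Contract", [PolicyRule("db-in", db, "ALLOW")])
    external = EPG("External", consumes=[web_contract])
    web = EPG("Web", ["web-vm-1"], provides=[web_contract], consumes=[app_contract])
    application = EPG("Application", ["app-vm-1"], provides=[app_contract],
                      consumes=[db_contract])
    database = EPG("DB", ["db-vm-1"], provides=[db_contract])
    return [external, web, application, database]


if __name__ == "__main__":
    epgs = build_three_tier()
    flows = realize(epgs)
    for f in flows:
        print("%-11s -> %-11s %s/%-5d %s %s" % f)
    # Nothing connects External to DB, so the lookup comes back None (denied).
    print("External->DB:3306:", lookup(flows, "External", "DB", "TCP", 3306))
    print("policy for db-vm-1:", endpoint_policy(epgs, flows, "db-vm-1"))
```

Running the block lists the three permitted flows and shows that a direct External to DB query on 3306 resolves to nothing, which is the property a reviewer should check in any realized policy: the contracts a tier provides are the only way in, and the Redirect action on the web contract means even the permitted port 80 traffic is steered through FW_LB_CHAIN before it reaches the Web EPG.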

SLIDE 15

Optional Constructs in Model

❖ Scopes: put constraints around how provider and consumer EPGs are matched
❖ Policy Rule Filters: allow for tagging Policy Rules with Labels such that subsets can be created in a Contract
❖ Contract hierarchy: infra admin constraints can be achieved by Contract hierarchical composition
❖ Endpoint labels: policies get triggered automatically when labels are added or removed

SLIDE 16

Proof of Concept implementation

SLIDE 17

PoC Implementation

❖ Team has worked on a PoC implementation
❖ Considering various model and implementation alternatives
❖ Using legacy driver
❖ CLI, Horizon, and Heat

[Figure: PoC architecture]
  • Clients: CLI, Heat, Horizon
  • Neutron with a Policy Manager
  • Policy drivers below the Policy Manager: Legacy Policy Driver, ODL Policy Driver, others
SLIDE 18

The Group Policy PoC Team

❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco)
❖ Mohammad Banikazemi (IBM)
❖ Stephen Wong (Midokura)
❖ Ronak Shah (Nuage Networks)
❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence)
❖ Rudra Rugge (Juniper)

SLIDE 19

State of Implementation

❖ The blueprint for Group Policy has been reviewed/approved
❖ Working PoC available (install from: https://github.com/noironetworks/devstack/tree/group-policy-poc)
❖ Neutron reference implementation for Group Policy is in progress
❖ Complementary work on network services framework is in progress

SLIDE 20

More Information

❖ Neutron Group-based Policy design session

  • May 16
  • 10:50am - 11:30am
  • B304

❖ Wiki page:

  • https://wiki.openstack.org/wiki/Neutron/GroupPolicy

❖ Neutron Group Policy Sub-Team Meeting IRC weekly meetings:

  • https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy