May 2014
Network Policy
Abstractions in Neutron
Mohammad Banikazemi
Sumit Naiksatam
Stephen Wong
These are the slides for the talk "Network Policy Abstractions in Neutron" given at the OpenStack Summit, Atlanta, May 2014.
Outline
❖ Introduction
❖ Neutron Abstractions
❖ Group Policy Extension
❖ PoC Implementation and Demo
❖ Future Directions
❖ Q&A

Networking in the Cloud
❖ Current API: network centric
❖ Need a more application centric set of abstractions as well
❖ More easily understood/utilized by higher layers
❖ Declarative model
❖ Separation of concerns

Desired Features
❖ Provide policy-based connectivity between application tiers
❖ Support dynamic application of policies
❖ Redirection to network services and chains
❖ Policies defined by administrators and users

Current Neutron API
❖ Network centric, close to physical devices
❖ Network: isolated layer-2 broadcast domain; private/shared
❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers
❖ Port: virtual switch port on a network; has MAC and IP address properties
❖ Router: connects networks, supports SNAT

Example: Multi Tier Apps
(Diagram: Web, Application and DB tiers with Firewall, Load Balancer and QoS services, attached to the External Network (Internet))

Neutron Representation
(Diagram: one Network/subnet per tier, joined by a Router to the External Network through a Port)
neutron net-create web_tier
neutron subnet-create --name web_subnet web_tier 10.0.0.0/24
neutron router-create router1
neutron router-add-interface router1 web_subnet
. . .

Group Policy Extension

The Basic Idea
❖ Endpoint (EP): lowest unit of abstraction where policy is applied
❖ Endpoint Group (EPG): logical grouping of endpoints
❖ Policy Rule: network policies to access EPGs
❖ Contract: collection of policy rules

EPG-Contract Relationship
❖ An EPG may provide one or more contracts
❖ An EPG may consume one or more contracts
❖ Application deployer focused
(Diagram: Endpoint Group related to Contract by provides/consumes)

Policy Rules
❖ Action is applied to traffic specified by Classifier
Policy Rule = Classifier (Protocol, Ports, Direction) + Action (Type, Value)
Action Type   Value
Allow         None
Redirect      Service/Chain
QoS           QoS args
Log           Log args
Copy          Copy args
Mark          Mark args

Group Policy - Workflow
❖ Create contract
neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN
neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW
neutron contract-create Web-Server-Contract --policy-rule insecure-web
❖ Create EPGs and provide/consume contracts
neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract
neutron ep-create --endpoint-group Web-Server-EPG
neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract

Putting It All Together – 3 Tier App
(Diagram: Web, Application and DB tiers with Firewall and Load Balancer, attached to the External Network (Internet))

Group Policy Realization
(Diagram: EPGs for Web, Application, DB and External Network (Internet), plus a Firewall, linked by provides/consumes relationships to the contracts below)
Contracts:
❖ Protocol: TCP, Port: 80, Action: Redirect to FW_LB_CHAIN
❖ Protocol: TCP, Port: 9080, Action: ALLOW
❖ Protocol: TCP, Port: 3306, Action: ALLOW
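The EP/EPG/contract/rule model from the slides above, worked as a small evaluator over the 3-tier contracts (an added illustration, not the PoC's code). The contract names App-Contract and DB-Contract, the assignment of port 9080 to the Application tier and 3306 to the DB tier, and the provides/consumes wiring between tiers are assumptions; Web-Server-Contract and FW_LB_CHAIN come from the slides.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Classifier:
    protocol: str
    port: int
    direction: str = "IN"        # relative to the EPG that provides the contract


@dataclass(frozen=True)
class PolicyRule:
    classifier: Classifier
    action: str                  # ALLOW or REDIRECT (two of the slide's action types)
    value: Optional[str] = None  # REDIRECT target (service chain); None for ALLOW


@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)
    consumes: set = field(default_factory=set)


# Contracts from the "Group Policy Realization" slide. Web-Server-Contract is
# named on the workflow slide; App-Contract and DB-Contract are assumed names.
CONTRACTS = {
    "Web-Server-Contract": [PolicyRule(Classifier("TCP", 80), "REDIRECT", "FW_LB_CHAIN")],
    "App-Contract": [PolicyRule(Classifier("TCP", 9080), "ALLOW")],
    "DB-Contract": [PolicyRule(Classifier("TCP", 3306), "ALLOW")],
}
# Assumed wiring: each tier consumes only the contract of the tier behind it.
EPGS = {
    "Outside": EPG("Outside", consumes={"Web-Server-Contract"}),
    "Web": EPG("Web", provides={"Web-Server-Contract"}, consumes={"App-Contract"}),
    "Application": EPG("Application", provides={"App-Contract"}, consumes={"DB-Contract"}),
    "DB": EPG("DB", provides={"DB-Contract"}),
}


def evaluate(src: str, dst: str, protocol: str, port: int) -> tuple:
    """Decide the fate of a flow from EPG src to EPG dst on protocol/port.

    Only contracts that src consumes AND dst provides are consulted, and the
    first rule whose classifier matches wins. With no match the flow is dropped,
    so any pairing the contracts do not name (e.g. Outside -> DB) is denied.
    """
    for name in sorted(EPGS[src].consumes & EPGS[dst].provides):
        for rule in CONTRACTS[name]:
            c = rule.classifier
            if c.protocol == protocol and c.port == port and c.direction == "IN":
                return rule.action, rule.value
    return "DROP", None
```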
Optional Constructs in Model
❖ Scopes: put constraints around how provider and consumer EPGs are matched
❖ Policy Rule Filters: allow tagging Policy Rules with labels so that subsets can be created in a Contract
❖ Contract hierarchy: infra admin constraints can be achieved by hierarchical composition of Contracts
❖ Endpoint labels: policies get triggered automatically when labels are added or removed

Proof of Concept Implementation

PoC Implementation
❖ Team has worked on a PoC implementation
❖ Considering various model and implementation alternatives
❖ Using legacy driver
❖ CLI, Horizon, and Heat
(Diagram: CLI, Heat and Horizon front the Policy Manager in Neutron, which dispatches to the Legacy Policy Driver, the ODL Policy Driver, or others)

The Group Policy PoC Team
❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco)
❖ Mohammad Banikazemi (IBM)
❖ Stephen Wong (Midokura)
❖ Ronak Shah (Nuage Networks)
❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence)
❖ Rudra Rugge (Juniper)

State of Implementation
❖ The blueprint for Group Policy has been reviewed/approved
❖ Working PoC available (install from: https://github.com/noironetworks/devstack/tree/group-policy-poc)
❖ Neutron reference implementation for Group Policy is in progress
❖ Complementary work on network services framework is in progress

More Information
❖ Neutron Group-based Policy design session: May 16 • 10:50am - 11:30am • B304
❖ Wiki page: https://wiki.openstack.org/wiki/Neutron/GroupPolicy
❖ Neutron Group Policy Sub-Team Meeting, weekly IRC meetings: https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy