These are the slides for the talk "Network Policy Abstractions in Neutron" given at the OpenStack Summit, Atlanta, May 2014.

Slide 1. Network Policy Abstractions in Neutron
May 2014
Mohammad Banikazemi, Sumit Naiksatam, Stephen Wong

Slide 2. Outline
❖ Introduction
❖ Neutron Abstractions
❖ Group Policy Extension
❖ PoC Implementation and Demo
❖ Future Directions
❖ Q&A

Slide 3. Networking in the Cloud
❖ Current API: network centric
❖ Need a more application centric set of abstractions as well
❖ More easily understood/utilized by higher layers
❖ Declarative model
❖ Separation of concerns

Slide 4. Desired Features
❖ Provide policy-based connectivity between application tiers
❖ Support dynamic application of policies
❖ Redirection to network services and chains
❖ Policies defined by administrators and users

Slide 5. Current Neutron API
❖ Network centric, close to physical devices
❖ Network: isolated layer-2 broadcast domain; private/shared
❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers
❖ Port: virtual switch port on a network; has MAC and IP address properties
❖ Router: connects networks, supports SNAT

Slide 6. Example: Multi Tier Apps
[Figure: Web, Application and DB tiers, with a Firewall, Load Balancer and QoS in front of them, connected to the External Network (Internet)]

Slide 7. Neutron Representation
[Figure: one Network/subnet per tier, connected by a Router to the External Network; each VM attached through a Port]
    neutron net-create web_tier
    neutron subnet-create web_tier ...
    neutron router-create router1
    neutron router-add-interface router1 web_subnet
    ...
Slide 8. Group Policy Extension

Slide 9. The Basic Idea
❖ Endpoint (EP): lowest unit of abstraction where policy is applied
❖ Endpoint Group (EPG): logical grouping of endpoints
❖ Policy Rule: network policies to access EPGs
❖ Contract: collection of policy rules

Slide 10. EPG-Contract Relationship
❖ An EPG may provide one or more contracts
❖ An EPG may consume one or more contracts
❖ Application deployer focused
[Figure: Endpoint Group ↔ Contract, linked by provides/consumes relationships]

Slide 11. Policy Rules
❖ Action is applied to traffic specified by Classifier

    Policy Rule
      Classifier: Protocol | Ports | Direction
      Action:     Type | Value

    Action Type   Value
    Allow         None
    Redirect      Service/Chain
    QoS           QoS args
    Log           Log args
    Copy          Copy args
    Mark          Mark args

Slide 12. Group Policy - Workflow
❖ Create contract
    neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN
    neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW
    neutron contract-create Web-Server-Contract --policy-rule insecure-web
❖ Create EPGs and provide/consume contracts
    neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract
    neutron ep-create --endpoint-group Web-Server-EPG
    neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract

Slide 13. Putting It All Together - 3 Tier App
[Figure: Web, Application and DB tiers behind a Firewall and Load Balancer, connected to the External Network (Internet)]

Slide 14. Group Policy Realization
[Figure: EPGs for the Web, Application and DB tiers plus an EPG for the External Network (Internet), with a Firewall between the External EPG and the Web EPG. Contracts are drawn as provides/consumes arrows between EPGs:
  External → Web:        Protocol: TCP, Port: 80,   Action: Redirect to FW_LB_CHAIN
  Web → Application:     Protocol: TCP, Port: 9080, Action: ALLOW
  Application → DB:      Protocol: TCP, Port: 3306, Action: ALLOW]
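The following is an added illustration of the abstractions on slides 9 to 14, written for this page; it is not the Group Policy PoC's code and does not use the Neutron API. It models Classifier, Policy Rule, Contract and EPG as plain Python objects, builds the 3-tier application of slide 14 from them, and evaluates whether traffic between two EPGs is allowed, redirected or dropped. Everything the slides do not spell out is an assumption made here: a classifier with direction IN matches traffic that a consumer sends into the provider, OUT matches provider-initiated traffic, BI matches both; the first matching rule wins; traffic with no provided/consumed contract between the two EPGs is dropped; the contract names App-Contract and DB-Contract and the placement of ports 9080 and 3306 on the Application and DB tiers are chosen for the example.

```python
# Toy evaluator for the Group Policy model (EPG, Contract, Policy Rule, Classifier).
# Added example for this page; not the Neutron Group Policy PoC code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Classifier:
    protocol: str           # e.g. "TCP"
    port: int
    direction: str = "IN"   # IN, OUT or BI, relative to the providing EPG (assumption)

    def matches(self, protocol: str, port: int, direction: str) -> bool:
        return (self.protocol == protocol and self.port == port
                and self.direction in (direction, "BI"))


@dataclass(frozen=True)
class Action:
    type: str                      # ALLOW, REDIRECT, QOS, LOG, COPY, MARK (slide 11)
    value: Optional[str] = None    # e.g. a service chain name for REDIRECT


@dataclass
class PolicyRule:
    name: str
    classifier: Classifier
    actions: List[Action]


@dataclass
class Contract:
    name: str
    rules: List[PolicyRule] = field(default_factory=list)


@dataclass
class EndpointGroup:
    name: str
    provides: List[Contract] = field(default_factory=list)
    consumes: List[Contract] = field(default_factory=list)


def evaluate(src: EndpointGroup, dst: EndpointGroup,
             protocol: str, port: int) -> Optional[List[Action]]:
    """Return the actions applied to src->dst traffic, or None when it is dropped.

    A contract is in scope only when one EPG provides it and the other consumes it.
    Consumer->provider traffic is direction IN on the provider, provider->consumer
    is OUT (assumed semantics). First matching rule wins; no match means drop.
    """
    candidates = [(c, "IN") for c in dst.provides if c in src.consumes]
    candidates += [(c, "OUT") for c in src.provides if c in dst.consumes]
    for contract, direction in candidates:
        for rule in contract.rules:
            if rule.classifier.matches(protocol, port, direction):
                return rule.actions
    return None


def build_three_tier() -> Dict[str, EndpointGroup]:
    """The 3-tier application of slide 14 expressed in the model above."""
    web_contract = Contract("Web-Server-Contract", [
        PolicyRule("insecure-web", Classifier("TCP", 80),
                   [Action("REDIRECT", "FW_LB_CHAIN")]),
    ])
    # Contract names below are assumptions; the slide shows only ports and actions.
    app_contract = Contract("App-Contract", [
        PolicyRule("app-access", Classifier("TCP", 9080), [Action("ALLOW")]),
    ])
    db_contract = Contract("DB-Contract", [
        PolicyRule("db-access", Classifier("TCP", 3306), [Action("ALLOW")]),
    ])
    return {
        "outside": EndpointGroup("Outside-EPG", consumes=[web_contract]),
        "web": EndpointGroup("Web-EPG", provides=[web_contract], consumes=[app_contract]),
        "app": EndpointGroup("App-EPG", provides=[app_contract], consumes=[db_contract]),
        "db": EndpointGroup("DB-EPG", provides=[db_contract]),
    }


if __name__ == "__main__":
    epgs = build_three_tier()
    checks = [("outside", "web", 80), ("web", "app", 9080), ("app", "db", 3306),
              ("outside", "db", 3306), ("web", "outside", 80), ("outside", "web", 443)]
    for s, d, p in checks:
        result = evaluate(epgs[s], epgs[d], "TCP", p)
        print(f"{s} -> {d} TCP/{p}: {result if result else 'DROP'}")
```

The last three checks show the property that matters for security: the DB tier is not reachable from the outside because no contract links those two EPGs, the Web EPG cannot initiate TCP/80 back towards the outside because the classifier direction is IN, and TCP/443 is dropped because no rule classifies it. Adding reachability means adding a contract relationship, not opening a network.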
Slide 15. Optional Constructs in Model
❖ Scopes: put constraints around how provider and consumer EPGs are matched
❖ Policy Rule Filters: allow for tagging Policy Rules with labels such that subsets can be created in a Contract
❖ Contract hierarchy: infra admin constraints can be achieved by hierarchical composition of Contracts
❖ Endpoint labels: policies get triggered automatically when labels are added or removed
Slide 16. Proof of Concept Implementation

Slide 17. PoC Implementation
❖ Team has worked on a PoC implementation
❖ Considering various model and implementation alternatives
❖ Using legacy driver
❖ CLI, Horizon, and Heat
[Figure: CLI, Heat and Horizon on top of Neutron; a Policy Manager inside Neutron dispatches to policy drivers: Legacy Policy Driver, ODL Policy Driver, others]

Slide 18. The Group Policy PoC Team
❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco)
❖ Mohammad Banikazemi (IBM)
❖ Stephen Wong (Midokura)
❖ Ronak Shah (Nuage Networks)
❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence)
❖ Rudra Rugge (Juniper)

Slide 19. State of Implementation
❖ The blueprint for Group Policy has been reviewed/approved
❖ Working PoC available (install from: policy-poc)
❖ Neutron reference implementation for Group Policy is in progress
❖ Complementary work on network services framework is in progress

Slide 20. More Information
❖ Neutron Group-based Policy design session: May 16, 10:50am - 11:30am, B304
❖ Wiki page:
❖ Neutron Group Policy Sub-Team Meeting, IRC weekly meetings: