-defined networking
twitter: @dvorkinista
email: dvorkin@noironetworks.com
Mike Dvorkin
project Noir0
“The traveler who crosses a mountain in the direction of a star runs the risk of forgetting which is his guiding star if he concentrates too exclusively on the climbing problems. If he only acts for action's sake, he will get nowhere.”
Antoine de Saint-Exupéry
Micromanagement
Automation has been an attempt at industrialization of micromanagement practices.
do do do do do do do do do do do do do do
Do this sequence of things
App intent
This is my application component:
- This is how I expose myself to other apps/components/services (some other app, some other app)
- This is how I need to consume infra: storage requirements, compute requirements, placement requirements, scaling rules, booting/init rules, image rules (vm vm … vm)
- What apps/components/services do I depend on? (some app/component/service)
A real application consists of many of these.
Network and netsec are implicit
- Abstraction
- Portability
- Self-containment
- No leakage of unnecessary knowledge across apps
What is Network Control?
- End point A can talk to end point B (A, B: YES. You can talk about this: { subject*, L4 Ports, … })
- End point C can’t talk to end point D (C, D: NO. You can’t)
- the rest is path optimization
  SDN, HDN, … / Traditional Networking, … / Overlays, … / Quantum Entanglement, …
[Figure: PROVIDER and CONSUMER exchanging speech bubbles]
“I like to talk about bees… In French”
“Vous me rappelez des abeilles!” (let’s talk about bees… in French…)
“Blah blah blah…”
Policy is like control of the subjects that people can talk about. The provider specifies the subjects and rules, and the consumer can only communicate on the specified subjects, subject to the rules associated with those subjects.
[Figure: endpoints talking to each other; a contract made of subjects sits between PROVIDER and CONSUMER]
Such rules and policies can be thought of as contract(s) specified by the target of the conversation, the provider.
[Figure: the contract between PROVIDER and CONSUMER now holds subjects and taboos; speech bubble: “Can I spray bees with pesticides?”]
Some (sub-)subjects are never allowed – they are taboos.
[Figure: contract surface; a protective membrane consisting of multiple contracts, each made of subjects and taboos, with a subject labelled as a receptor]
A set of contracts constitutes a protective “membrane” around the providing service, with subjects acting like receptors, allowing traffic in and subjecting it to the rules.
[Figure: the same protective membrane of contracts; the service inside says “I am a protected service that is ready to consume.”]
Expressed from the vantage point of the service or application component that is protected by the membrane.
[Figure: protective membrane; one receptor subject expands into a list of filter/action pairs, labelled “what” (filter) and “what do I do” (action)]
Defined bi-directionally in the “provider” centric way.
[Figure: protective membrane; a receptor subject is shown as a filter paired with an action]
filter: identifies subject to which actions will be applied
- L4 port ranges
- TCP option
- …
action: identifies actions applied to the subject
- QoS
- Log
- Redirect into SVC graph
- …
[Figure: protective membrane; a receptor subject holds several filter/action pairs, with actions such as prio, svc graph…]
filter: what I can talk about
action: what do I do when someone talked to me about this
Service Graph Definition
[Figure: term (out/in), logical function FW, logical function SLB, term (in/out)]
Implicit treatment: how do I treat the subject of this conversation. Consumers of the service protected by the membrane are unaware of this detail.
Not only insertion/redirection: automated configuration of L4-7 functions by deriving parameters from policy-level information.
contract surface: a logical projection of an “API” onto a “wire” from the vantage point of the provider
[Figure: protective membrane consisting of multiple contracts, each with subjects and taboos, one subject labelled receptor; the service inside says “Ooo la la… I feel very safe. Consume me!”]
contract surface: a self-contained service definition with any number of symmetrically behaving “end-points”
[Figure: Protective Membrane made of Contract A, Contract B, Contract C and Contract D, each with subjects and taboos]
Contracts express how this service can be talked to, what about, and what happens to the conversations.
[Figure: groups M, N and O, each wrapped in contracts made of subjects and taboos; the contracts shown are Contract A, B, C, D and Contract W, X, Y, Z]
group O consumes a contract A that is symmetrically provided by groups M and N
What would a three-tier app look like?
[Figure: EPG WEB, EPG APP and EPG DB, three bd in an L3 context, subnets NW Public and NW Private, Outside, and infra shared services, connected by provide/consume relations over webcontract, javacontract, sqlcontract and mgmt contract]
The same diagram is then annotated with: access control, isolation, self-documenting expression of intent.
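An added example (not from the original deck): a minimal Python model of the contract, subject, filter, action and taboo terms from the slides, evaluated over the three-tier EPGs. The port numbers, subject names, the taboo-first ordering and which EPG provides or consumes which contract are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:                      # identifies the subject: protocol + L4 port range
    proto: str
    ports: range
    def matches(self, proto, port):
        return proto == self.proto and port in self.ports

@dataclass
class Subject:                     # filter(s) plus the actions applied on a match
    name: str
    filters: list
    actions: tuple = ()

@dataclass
class Contract:
    name: str
    subjects: list
    taboos: list = field(default_factory=list)   # filters that are never allowed

@dataclass
class EPG:
    name: str
    provides: list = field(default_factory=list)
    consumes: list = field(default_factory=list)

def evaluate(consumer, provider, proto, port):
    """Verdict for consumer -> provider traffic: (verdict, contract, subject, actions)."""
    for c in provider.provides:
        if not any(c is x for x in consumer.consumes):
            continue                               # contract not consumed: no relation
        if any(t.matches(proto, port) for t in c.taboos):
            return ("deny", c.name, "taboo", ())   # taboo wins over any subject
        for s in c.subjects:
            if any(f.matches(proto, port) for f in s.filters):
                return ("allow", c.name, s.name, s.actions)
    return ("deny", None, None, ())                # nothing in scope: cannot talk

# Constructed sample policy; ports, subject names and wiring are assumptions.
web_c = Contract("webcontract", [Subject("https", [Filter("tcp", range(443, 444))], ("log",))])
java_c = Contract("javacontract", [Subject("rpc", [Filter("tcp", range(8000, 8100))])],
                  taboos=[Filter("tcp", range(8009, 8010))])
sql_c = Contract("sqlcontract", [Subject("sql", [Filter("tcp", range(3306, 3307))], ("log",))])
outside = EPG("Outside", consumes=[web_c])
web = EPG("WEB", provides=[web_c], consumes=[java_c])
app = EPG("APP", provides=[java_c], consumes=[sql_c])
db = EPG("DB", provides=[sql_c])

if __name__ == "__main__":
    for src, dst, port in [(outside, web, 443), (outside, db, 3306), (web, app, 8009)]:
        print(src.name, "->", dst.name, port, evaluate(src, dst, "tcp", port))
```

The model only evaluates the consumer-to-provider direction; Outside reaching DB is denied simply because no contract relates the two groups, which is the isolation property the diagram is annotated with.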
Division of Labor: separation of responsibilities
infrastructure policies
- How infrastructure is used
- How fabric is used
Tenant intent
[Figure: the three-tier app diagram (EPG WEB, EPG APP, EPG DB, NW Public, NW Private, subnets, bd, L3 context, infra shared services, Outside, webcontract, javacontract, sqlcontract, mgmt contract, provide/consume), annotated with isolation and access control]
Operational Policies
- Exceptions
- Faults
- Stats
- Health
- Logs
- …
Roles: tenant/app owner, networking guy, ops guy
Access Model
[Figure, built up over several slides; edges are labelled with cardinalities n and 1]
- tenant, ep-group, contract: ep-groups provide and consume contracts
- subject, classifier, action set: a subject is identified-by classifiers and has default actions (an action set)
- characteristic (identifier, property, attribute): additional logical sub-classification within the group to achieve micro-segmentation
- clause, with its actions: when this sort of consuming ep groups talk to this sort of providing ep groups, these subjects are in scope with the following action
- the last build adds provider characteristic and consumer characteristic
Forwarding Model
[Figure, built in two steps; edges are labelled with cardinalities n and 1]
- tenant, ep-group, network container: ep-group is contained-in a network container
- network context, subnet set, L2 flood context, L2 bridge context, L3 context, linked by contained-in relations
interconnected components, with dependencies and requirements
[Figure: web (cont, cont, …), app (VM, VM, …), db (phys, phys, …), internet, External, Private Network]
Intent-defined networking
Define Intent: What app is. What app Needs.
How do apps talk to each other
Automate instrumentation of intent
enforcement: multi-surface policy problem
[Figure: intent, capabilities and state, ops constraints, governance]
Or simply….
[Figure: desire/intent, reality, disappointment]
disappointment := desire - reality
objective: disappointment → 0

INTENT-BASED-NETWORKING-UNFOLD.pptx