Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutron 
Kyle Mestery, OpenStack Neutron PTL
Abstract 
As computing has continued to evolve to a more utility or cloud-like 
environment, one area which has not evolved as much is networking. Concepts 
relevant 20 years ago such as switches, ports, networks, subnets and routers 
are today still very much the basic building blocks for operators and application 
deployers. Group Based Policy looks to extend this landscape by introducing 
the concepts of groups of endpoints and policy abstractions governing the 
communication between the groups. With Group Based Policy, application 
deployers can think in terms relevant to their applications when deploying 
networking for their applications. This talk will cover an introduction to Group 
Based Policy and explore its implementation in OpenStack Neutron and 
OpenDaylight. An overview of how the two work together to achieve harmony 
for application deployers will also be discussed.
Our hero … the application developer
But first, some history
What is a computer network? 
A computer network is a collection of 
computers and other hardware components 
interconnected by communication channels 
that allow sharing of resources and 
information.
A typical computer network ...
Protocol Soup ...
What if this could be simplified?
Now, back to our hero
Our hero wants to deploy this 
(Diagram: a three-tier application. Client Tier: Internet; Web/App Tier: Web/App Server; DB Tier: DB.)
Currently she does this ... 
(Diagram: an External Network, three separate Network/subnet pairs, one per tier, and a Router joining them.)
What if she could do this! 
(Diagram: policy groups (PG) Web, Application and DB, plus an External Network (Internet), connected by three contracts C1, C2, C3. The contracts carry the following rules, in diagram order:) 
● Protocol: TCP, Port: 80, Action: Redirect to FW_LB_CHAIN 
● Protocol: TCP, Port: 9080, Action: ALLOW 
● Protocol: TCP, Port: 3306, Action: ALLOW
Introducing Group Based Policy 
● APIs to allow the user to express intent 
○ Separates intent from the actual underlying networking 
infrastructure 
● Application policy abstracted from network 
specifics 
● Open Standards, Open Source, Community 
Driven 
○ OpenDaylight 
○ OpenStack Neutron
Group Based Policy Terminology 
● Existing constructs 
○ Switches 
○ Networks 
○ Subnets 
○ Ports 
○ Routers 
○ Load balancers 
○ Firewalls 
● GBP Constructs 
○ Policy Point 
○ Policy Group
Group Based Policy Elements 
● Policy Repository 
● Endpoint Repository 
● Observer 
● Policy Enforcer
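As an added example (not code from the talk, OpenDaylight or Neutron), the following Python models the elements on this slide with the three-tier scenario from the earlier slide: a policy repository of contracts between policy groups, an endpoint repository mapping endpoints to groups, an enforcer that decides a flow's action with default deny, and a renderer that expands group-level intent into concrete endpoint-pair rules. The contract-to-rule mapping (C1 = port 80, C2 = 9080, C3 = 3306), the endpoint addresses and the consumer/provider direction are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    action: str          # "ALLOW" or "REDIRECT:<service chain>"


@dataclass(frozen=True)
class Contract:
    name: str
    consumer: str        # policy group that initiates the connection
    provider: str        # policy group that offers the service
    rules: tuple


# Policy repository: the three-tier example from the slides (constructed mapping).
POLICY = (
    Contract("C1", "External", "Web", (Rule("TCP", 80, "REDIRECT:FW_LB_CHAIN"),)),
    Contract("C2", "Web", "Application", (Rule("TCP", 9080, "ALLOW"),)),
    Contract("C3", "Application", "DB", (Rule("TCP", 3306, "ALLOW"),)),
)

# Endpoint repository: endpoint address -> policy group (constructed sample data).
ENDPOINTS = {
    "203.0.113.5": "External",
    "10.0.1.10": "Web", "10.0.1.11": "Web",
    "10.0.2.10": "Application",
    "10.0.3.10": "DB",
}


def enforce(src, dst, proto, port):
    """Policy enforcer: action for one flow; anything without a contract is denied."""
    sg, dg = ENDPOINTS.get(src), ENDPOINTS.get(dst)
    if sg is None or dg is None:
        return "DENY"                      # unknown endpoint: no group, so no contract
    for c in POLICY:
        if c.consumer == sg and c.provider == dg:   # contracts are directional
            for r in c.rules:
                if r.proto == proto and r.port == port:
                    return r.action
    return "DENY"                          # no contract between groups, or no matching rule


def render(policy=POLICY, endpoints=ENDPOINTS):
    """Renderer: expand group intent into per-endpoint-pair rules (the table a
    switch-level renderer such as an OVS/OpenFlow one would have to program)."""
    rows = []
    for c in policy:
        for s, sg in endpoints.items():
            for d, dg in endpoints.items():
                if sg == c.consumer and dg == c.provider:
                    rows.extend((s, d, r.proto, r.port, r.action) for r in c.rules)
    return rows
```

Note that Web to DB on 3306 is denied even though DB accepts 3306 from Application: the groups, not the ports, decide who may talk, which is the least-privilege property the policy model gives the deployer for free.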
The Benefits of Group Based Policy 
● Easier application focused networking 
● Improved automation 
● Consistency 
● Extensible policy model 
● User defined policy is not dependent on 
specific networking technologies
Open Source Implementations 
By utilizing OpenStack Neutron with 
OpenDaylight and GBP APIs, 
application developers and deployers 
get a fully open source networking policy 
system.
But first, back to our hero 
“I need some background information on OpenDaylight and OpenStack.”
What is OpenDaylight? 
OpenDaylight is an Open Source Software project under the Linux Foundation with the goal of 
furthering the adoption and innovation of Software Defined Networking (SDN) through the 
creation of a common industry supported platform. 
● Code: to create a robust, extensible, open source code base that covers the major common 
components required to build an SDN solution 
● Acceptance: to get broad industry acceptance amongst vendors and users 
○ Using OpenDaylight code directly or through vendor products 
○ Vendors using OpenDaylight code as part of commercial products 
● Community: to have a thriving and growing technical community contributing to the code 
base, using the code in commercial products, and adding value above, below and around.
What is OpenDaylight Building? 
OpenDaylight is an open community that is building: 
● An evolvable SDN platform capable of handling diverse use cases and 
implementation approaches 
● Common abstractions of capabilities NorthBound for people to program 
● Intermediation of those capabilities to multiple Southbound 
implementations 
● Programmable Network services 
● Network Applications 
● Whatever else we need to make it work 
○ Including engineering systems
What Is OpenStack? 
(Diagram: “Your Application” on top of three services.) 
● Self-service provisioning of virtual machines through a software API 
● Tenant created, virtual isolated networks and subnets, and services 
● Massively scalable, distributed object store
OpenStack continues to build services which abstract 
infrastructure and provide highly scalable utilities through 
REST APIs, command tools and user portals 
● Compute (VM provisioning) 
● Networking (Virtual, Physical) 
● Networking Services (LB, FW, VPN, IDS..) 
● Orchestration (HEAT) 
● Identity/Authentication 
● Storage (Object) 
● Storage (Block) 
● VM Image Catalog 
● User/Admin Portal 
● Metering (Ceilometer)
How Does Group Based Policy Fit Into 
OpenDaylight and OpenStack?
GBP In OpenDaylight 
● Active project targeting the Helium Release 
of OpenDaylight 
● Initial code available: 
○ https://git.opendaylight.org/gerrit/groupbasedpolicy 
● More info on the wiki 
○ https://wiki.opendaylight.org/view/Group_Policy:Main
OpenDaylight GBP Architecture 
(Architecture diagram; no text recoverable.)
Group Based Policy Renderers 
● GBP supports a variety of underlying 
technologies 
○ Possible because the policy model is based on high 
level user intent 
○ Complexity lies in the renderers 
● Renderers being worked on include: 
○ OVS Overlay 
○ OpenFlow Renderer 
○ OpFlex Renderer
Group Based Policy In OpenStack Neutron 
● GBP sub-team focused on proof of concept 
during Icehouse cycle 
● Code patches out for review during Juno 
○ https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction 
○ Patches encompass neutron, CLI, Horizon and Heat
OpenStack GBP Architecture 
(Diagram: CLI, Heat and Horizon on top of Neutron; inside Neutron a Policy Manager that dispatches to policy drivers: Legacy Policy Driver, ODL Policy Driver, and others.)
The Open Source Policy “Stack” 
● Group Policy as defined by OpenStack 
● OpenDaylight provides a northbound API for Group Policy and 
a southbound interface for the OpFlex protocol. 
● OpFlex protocol defined through the IETF 
(OpFlex Control Protocol draft-smith-opflex-00) 
● OpFlex Policy Agent with a northbound OpFlex protocol 
interface and a southbound interface for the device (OVS is the 
reference implementation). 
● Device layer: Linux with libvirt, OpenFlow and OVSDB driving OVS
Back to our hero
In Summary 
● Group Based Policy goals: 
○ Separate application intent from underlying 
implementation 
○ Provide application oriented APIs for application 
developers and deployers 
○ Use and extend existing open standards and 
protocols 
○ Simplify complex networking for application 
deployers!
Allows anyone to accomplish this! 
(Diagram, repeated from earlier: policy groups Web, Application and DB plus an External Network (Internet), connected by contracts C1, C2, C3.)
More Information 
● For more information on OpFlex and how it 
integrates with GBP, attend Scott Mann’s 
talk: 
○ Open Source Policy: OpenDaylight and OpFlex 
○ Thursday, 2:30-3:20PM 
○ Room SB 3
Thank you!