Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutron
1. Group Based Policy
Open Source Policy in OpenDaylight and OpenStack Neutron
Kyle Mestery
OpenStack Neutron PTL
2. Abstract
As computing has continued to evolve to a more utility or cloud-like
environment, one area which has not evolved as much is networking. Concepts
relevant 20 years ago such as switches, ports, networks, subnets and routers
are today still very much the basic building blocks for operators and application
deployers. Group Based Policy looks to extend this landscape by introducing
the concepts of groups of endpoints and policy abstractions governing the
communication between the groups. With Group Based Policy, application
deployers can think in terms relevant to their applications when deploying
networking for their applications. This talk will cover an introduction to Group
Based Policy and explore its implementation in OpenStack Neutron and
OpenDaylight. An overview of how the two work together to achieve harmony
for application deployers will also be discussed.
3. Our hero … the application developer
(Slide graphic: the Application Developer)
5. What is a computer network?
A computer network is a collection of computers and other hardware components interconnected by communication channels that allow sharing of resources and information.
10. Our hero wants to deploy this
(Diagram: three tiers. Client Tier: Internet; Web/App Tier: Web/App Server; DB Tier: DB)
11. Currently she does this ...
(Diagram: an External Network, a Router, and three separate Network/subnet pairs, one per tier)
12. What if she could do this!
(Diagram: four Policy Groups (PG): Web, Application, DB and External Network (Internet), linked by three contracts)
● C1: Protocol: TCP, Port: 80, Action: Redirect to FW_LB_CHAIN
● C2: Protocol: TCP, Port: 9080, Action: ALLOW
● C3: Protocol: TCP, Port: 3306, Action: ALLOW
13. Introducing Group Based Policy
● APIs to allow the user to express intent
○ Separates intent from the actual underlying networking infrastructure
● Application policy abstracted from network specifics
● Open Standards, Open Source, Community Driven
○ OpenDaylight
○ OpenStack Neutron
14. Group Based Policy Terminology
● Existing constructs
○ Switches
○ Networks
○ Subnets
○ Ports
○ Routers
○ Load balancers
○ Firewalls
● GBP Constructs
○ Policy Point
○ Policy Group
15. Group Based Policy Elements
● Policy Repository
● Endpoint Repository
● Observer
● Policy Enforcer
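To make the elements above concrete, here is a small model that ties them to the three-tier example from slide 12: a Policy Repository holding groups and contracts (intent only, no addresses), an Endpoint Repository recording which group each endpoint belongs to, and a Policy Enforcer that combines the two to decide on a flow and to expand the intent into flat per-endpoint rules the way a renderer would. This is an added example written for this page, not code from the OpenDaylight or OpenStack Neutron GBP projects. The IP addresses are constructed, and the pairing of contracts to group pairs (C1 External→Web on port 80, C2 Web→Application on 9080, C3 Application→DB on 3306) is an assumption read off the slide's ports; the model also simplifies GBP's provider/consumer relationship to a directed (consumer, provider, contract) triple.

```python
"""Toy Group Based Policy model: policy repository, endpoint repository
and a policy enforcer. Added example, not OpenDaylight/Neutron GBP code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Classifier:
    """Traffic a contract applies to. port=None matches any destination port."""
    protocol: str
    port: Optional[int] = None

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if self.protocol != protocol.lower():
            return False
        return self.port is None or self.port == port


@dataclass(frozen=True)
class Contract:
    name: str
    classifier: Classifier
    action: str  # "ALLOW" or "REDIRECT:<service chain>"


@dataclass
class PolicyRepository:
    """Intent only: groups, contracts and who consumes what from whom.
    No IPs, networks or subnets appear here."""
    groups: List[str] = field(default_factory=list)
    contracts: Dict[str, Contract] = field(default_factory=dict)
    # (consumer group, provider group, contract): traffic the consumer
    # initiates towards the provider is governed by that contract.
    relations: List[Tuple[str, str, str]] = field(default_factory=list)

    def contracts_between(self, consumer: str, provider: str) -> List[Contract]:
        return [self.contracts[c] for cons, prov, c in self.relations
                if cons == consumer and prov == provider]


@dataclass
class EndpointRepository:
    """Group membership is all the enforcer needs from the infrastructure side."""
    membership: Dict[str, str] = field(default_factory=dict)  # ip -> group

    def group_of(self, ip: str) -> Optional[str]:
        return self.membership.get(ip)

    def members(self, group: str) -> List[str]:
        return sorted(ip for ip, g in self.membership.items() if g == group)


class PolicyEnforcer:
    """Anything not covered by a contract is denied: adding a group or an
    endpoint never opens a path unless a contract says so."""

    def __init__(self, policy: PolicyRepository, endpoints: EndpointRepository):
        self.policy = policy
        self.endpoints = endpoints

    def decide(self, src_ip: str, dst_ip: str, protocol: str,
               port: Optional[int] = None) -> str:
        src_group = self.endpoints.group_of(src_ip)
        dst_group = self.endpoints.group_of(dst_ip)
        if src_group is None or dst_group is None:
            return "DENY"  # unknown endpoint: no group, hence no policy
        for contract in self.policy.contracts_between(src_group, dst_group):
            if contract.classifier.matches(protocol, port):
                return contract.action
        return "DENY"

    def render_rules(self) -> List[Tuple[str, str, str, Optional[int], str]]:
        """Expand intent into flat (src, dst, proto, port, action) rules,
        the shape a renderer pushes to a switch or security-group backend."""
        rules = []
        for consumer, provider, cname in self.policy.relations:
            cl = self.policy.contracts[cname].classifier
            action = self.policy.contracts[cname].action
            for src in self.endpoints.members(consumer):
                for dst in self.endpoints.members(provider):
                    rules.append((src, dst, cl.protocol, cl.port, action))
        return rules


def build_demo() -> PolicyEnforcer:
    """The three-tier example from the slides, with constructed sample IPs."""
    policy = PolicyRepository(
        groups=["External", "Web", "Application", "DB"],
        contracts={
            "C1": Contract("C1", Classifier("tcp", 80), "REDIRECT:FW_LB_CHAIN"),
            "C2": Contract("C2", Classifier("tcp", 9080), "ALLOW"),
            "C3": Contract("C3", Classifier("tcp", 3306), "ALLOW"),
        },
        relations=[("External", "Web", "C1"),          # assumed pairing
                   ("Web", "Application", "C2"),
                   ("Application", "DB", "C3")],
    )
    endpoints = EndpointRepository({
        "203.0.113.10": "External",                    # constructed addresses
        "10.0.1.11": "Web", "10.0.1.12": "Web",
        "10.0.2.21": "Application",
        "10.0.3.31": "DB",
    })
    return PolicyEnforcer(policy, endpoints)


if __name__ == "__main__":
    enforcer = build_demo()
    print(enforcer.decide("203.0.113.10", "10.0.1.11", "tcp", 80))
    print(enforcer.decide("10.0.1.11", "10.0.3.31", "tcp", 3306))  # Web may not reach DB
    for rule in enforcer.render_rules():
        print(rule)
```

Note the two properties the slides argue for: the application deployer edits only the PolicyRepository (intent), while scaling a tier is an EndpointRepository change that the renderer turns into new rules automatically, and the absence of a Web→DB contract means that path is denied without anyone writing a deny rule.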
16. The Benefits of Group Based Policy
● Easier application focused networking
● Improved automation
● Consistency
● Extensible policy model
● User defined policy is not dependent on specific networking technologies
17. Open Source Implementations
By utilizing OpenStack Neutron with OpenDaylight and GBP APIs, application developers and deployers get a fully open source networking policy system.
18. But first, back to our hero
I need some background information on OpenDaylight and OpenStack.
(Slide graphic: the Application Developer)
19. What is OpenDaylight?
OpenDaylight is an Open Source Software project under the Linux Foundation with the goal of furthering the adoption and innovation of Software Defined Networking (SDN) through the creation of a common industry supported platform.
● Code: to create a robust, extensible, open source code base that covers the major common components required to build an SDN solution
● Acceptance: to get broad industry acceptance amongst vendors and users
○ Using OpenDaylight code directly or through vendor products
○ Vendors using OpenDaylight code as part of commercial products
● Community: to have a thriving and growing technical community contributing to the code base, using the code in commercial products, and adding value above, below and around.
20. What is OpenDaylight Building?
OpenDaylight is an open community that is building:
● An evolvable SDN platform capable of handling diverse use cases and implementation approaches
● Common abstractions of capabilities NorthBound for people to program
● Intermediation of those capabilities to multiple Southbound implementations
● Programmable Network services
● Network Applications
● Whatever else we need to make it work
○ Including engineering systems
21. What Is OpenStack?
(Diagram: Your Application sitting on top of three services)
● Self-service provisioning of virtual machines through a software API
● Tenant created, virtual isolated networks and subnets, and services
● Massively scalable, distributed object store
22. OpenStack continues to build services which abstract infrastructure and provide highly scalable utilities through REST APIs, command tools and user portals
● Compute (VM provisioning)
● Networking (Virtual, Physical)
● Networking Services (LB, FW, VPN, IDS..)
● Orchestration (HEAT)
● Identity/Authentication
● Storage (Object)
● Storage (Block)
● VM Image Catalog
● User/Admin Portal
● Metering (Ceilometer)
23. How Does Group Based Policy Fit Into OpenDaylight and OpenStack?
(Slide graphic: the Application Developer)
24. GBP In OpenDaylight
● Active project targeting the Helium Release of OpenDaylight
● Initial code available:
○ https://git.opendaylight.org/gerrit/groupbasedpolicy
● More info on the wiki
○ https://wiki.opendaylight.org/view/Group_Policy:Main
26. Group Based Policy Renderers
● GBP supports a variety of underlying technologies
○ Possible because the policy model is based on high level user intent
○ Complexity lies in the renderers
● Renderers being worked on include:
○ OVS Overlay
○ OpenFlow Renderer
○ OpFlex Renderer
27. Group Based Policy In OpenStack Neutron
● GBP sub-team focused on proof of concept during the Icehouse cycle
● Code patches out for review during Juno
○ https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
○ Patches encompass neutron, CLI, Horizon and Heat
29. The Open Source Policy “Stack”
(Diagram, top to bottom:)
● Group Policy as defined by OpenStack
● OpenDaylight provides a northbound API for Group Policy and a southbound interface for the OpFlex protocol.
● OpFlex protocol defined through IETF (OpFlex Control Protocol draft-smith-opflex-00)
● OpFlex Policy Agent with a northbound OpFlex protocol interface and a southbound interface for the device (OVS is the reference implementation).
● Linux: libvirt, OpenFlow, OVSDB
● OVS
31. In Summary
● Group Based Policy goals:
○ Separate application intent from the underlying implementation
○ Provide application oriented APIs for application developers and deployers
○ Use and extend existing open standards and protocols
○ Simplify complex networking for application deployers!
32. Allows anyone to accomplish this!
(Diagram, repeated from slide 12: the Web, Application, DB and External Network (Internet) Policy Groups linked by contracts C1, C2 and C3)
33. More Information
● For more information on OpFlex and how it integrates with GBP, attend Scott Mann’s talk:
○ Open Source Policy: OpenDaylight and OpFlex
○ Thursday, 2:30-3:20PM
○ Room SB 3