Network Policy Abstractions in OpenStack Neutron


A new set of application-centric network abstractions is being developed in the form of the Neutron Group Policy extension. In this model, the networking requirements of applications are expressed as network policies. In parallel, there has been significant work in the Neutron community on defining network services (*aaS), service insertion and service chaining. More recently, work on Network Function Virtualization and on a framework for advanced services in virtual machines has been getting attention.

In this talk, we first discuss the state of the work in implementing the Neutron Group Policy extension and show how a more application-centric view of networking resources can be used to specify and deploy applications. In particular, we demonstrate the use of network policies as defined in a Heat template to specify and deploy an application. We then explore how the Neutron Group Policy extension can take advantage of advances in defining network services and functions and bring about a truly application centric view of networking resources. We show how this view impacts different layers of the stack from end to end and discuss the future directions of the Neutron Group Policy extension.

  1. May 2014: Network Policy Abstractions in Neutron. Mohammad Banikazemi, Sumit Naiksatam, Stephen Wong
  2. Outline
     ❖ Introduction
     ❖ Neutron Abstractions
     ❖ Group Policy Extension
     ❖ PoC Implementation and Demo
     ❖ Future Directions
     ❖ Q&A
  3. Networking in the Cloud
     ❖ Current API: network centric
     ❖ Need a more application-centric set of abstractions as well
     ❖ More easily understood/utilized by higher layers
     ❖ Declarative model
     ❖ Separation of concerns
  4. Desired Features
     ❖ Provide policy-based connectivity between application tiers
     ❖ Support dynamic application of policies
     ❖ Redirection to network services and chains
     ❖ Policies defined by administrators and users
  5. Current Neutron API
     ❖ Network centric, close to physical devices
     ❖ Network: isolated layer-2 broadcast domain; private/shared
     ❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers
     ❖ Port: virtual switch port on a network; has MAC and IP address properties
     ❖ Router: connects networks, supports SNAT
  6. Example: Multi-Tier Apps
     [Diagram: Web, Application and DB tiers with Firewall, Load Balancer and QoS, connected to the External Network (Internet)]
  7. Neutron Representation
     [Diagram: each tier as a Network/subnet with Ports, joined by a Router to the External Network]
     neutron net-create web_tier
     neutron subnet-create web_tier
     neutron router-create router1
     neutron router-add-interface router1 web_subnet
     . . .
  8. Group Policy Extension
  9. The Basic Idea
     ❖ Endpoint (EP): lowest unit of abstraction where policy is applied
     ❖ Endpoint Group (EPG): logical grouping of endpoints
     ❖ Policy Rule: network policies to access EPGs
     ❖ Contract: collection of policy rules
  10. EPG-Contract Relationship
     ❖ An EPG may provide one or more contracts
     ❖ An EPG may consume one or more contracts
     ❖ Application deployer focused
     [Diagram: Endpoint Group provides/consumes Contract]
  11. Policy Rules
     ❖ Action is applied to traffic specified by Classifier
     Policy Rule = Classifier (Protocol, Ports, Direction) + Action (Type, Value)
     Action Type   Value
     Allow         None
     Redirect      Service/Chain
     QoS           QoS args
     Log           Log args
     Copy          Copy args
     Mark          Mark args
  12. Group Policy - Workflow
     ❖ Create contract
       neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN
       neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW
       neutron contract-create Web-Server-Contract --policy-rule insecure-web
     ❖ Create EPGs and provide/consume contracts
       neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract
       neutron ep-create --endpoint-group Web-Server-EPG
       neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract
  13. Putting It All Together – 3-Tier App
     [Diagram: Web, Application and DB tiers with Firewall and Load Balancer, connected to the External Network (Internet)]
  14. Group Policy Realization
     [Diagram: EPG External Network (Internet), EPG Web, EPG Application, EPG DB and Firewall, linked by provided/consumed contracts:
      Protocol: TCP, Port: 80, Action: Redirect to FW_LB_CHAIN;
      Protocol: TCP, Port: 9080, Action: ALLOW;
      Protocol: TCP, Port: 3306, Action: ALLOW]
  15. Optional Constructs in Model
     ❖ Scopes: put constraints around how provider and consumer EPGs are matched
     ❖ Policy Rule Filters: allow for tagging Policy Rules with Labels such that subsets can be created in a Contract
     ❖ Contract hierarchy: infra admin constraints can be achieved by Contract hierarchical composition
     ❖ Endpoint labels: policies get triggered automatically when labels are added or removed
  16. Proof of Concept Implementation
  17. PoC Implementation
     ❖ Team has worked on a PoC implementation
     ❖ Considering various model and implementation alternatives
     ❖ Using legacy driver
     ❖ CLI, Horizon, and Heat
     [Diagram: CLI, Heat and Horizon on top of Neutron; the Policy Manager dispatches to a Legacy Policy Driver, an ODL Policy Driver, and others]
  18. The Group Policy PoC Team
     ❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco)
     ❖ Mohammad Banikazemi (IBM)
     ❖ Stephen Wong (Midokura)
     ❖ Ronak Shah (Nuage Networks)
     ❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence)
     ❖ Rudra Rugge (Juniper)
  19. State of Implementation
     ❖ The blueprint for Group Policy has been reviewed/approved
     ❖ Working PoC available (install from: policy-poc)
     ❖ Neutron reference implementation for Group Policy is in progress
     ❖ Complementary work on network services framework is in progress
  20. More Information
     ❖ Neutron Group-based Policy design session: May 16, 10:50am - 11:30am, B304
     ❖ Wiki page:
     ❖ Neutron Group Policy Sub-Team Meeting, IRC weekly meetings:
  21. Backup
  22. PoC
  23. Separation of Concerns
     ❖ Different aspects of operations performed by different agents
     ❖ Administrators specify the more network-specific requirements
     ❖ Other tenants specify app-specific
  24. Dynamic/Automatic Updates
     ❖ Slide 12
  25. Dynamic/Automatic Updates
     ❖ Slide 12
  26. Multiple Policy Frameworks
     [Diagram: a System-Wide Policy Manager alongside the Network Policy Manager. Administrator: "Mark hosts as infected"; "All infected machines should be quarantined"; "Create access policy quarantine (to end points labeled "infected")"]
  27. Outline of Policies
     ❖ Contract C1:
       ❖ Policy rule: redirect my_service_chain_fw_lb
     ❖ Contract C2:
       ❖ Policy rule: allow all
     ❖ Contract C3:
       ❖ Policy rule: allow all
       ❖ Policy rule: QoS my_qos_spec
  28. Group Policy: A Closer Look
  29. EPG-Contract Relationship
     ❖ Let's look at more details
     [Diagram: Endpoint Group provides/consumes Contract]
  30. Contract Scopes
     ❖ Contracts are provided and consumed through contract scopes
     Contract Scope = Selector + Provider-Capability/Consumer-Role
     Selector Scope   Value
     Global           None
     Tenant           Tenant ID
     EPG              EPG ID
     ❖ Selectors specify the scope: Global/Tenant/EPG
     ❖ Provider-Capabilities/Consumer-Roles: policy labels, which allow defining granular constraints within the contract
  31. Policy Rules
     Policy Rule = Classifier (Protocol, Ports, Direction) + Action (Type, Value)
  32. Policy Rules
     ❖ Filters/Labels used to limit policy rules provided/consumed
     Policy Rule = Filter (Provider Capability, Consumer Role) + Classifier (Protocol, Ports, Direction) + Action (Type, Value)
  33. Contract Hierarchy
     ❖ Contracts can refer to other contracts
     ❖ Specifying base contracts by administrators
     [Diagram: hierarchy of contracts, provided/consumed by an Endpoint Group]
  34. Using Neutron Advanced Services
     To fully take advantage of Group Policy:
     ❖ Defining a policy container for services
     Leveraging advanced services:
     ❖ Unified, generic and flexible service definition
     ❖ Support for various service insertion modes
     ❖ Support for various service manifestations
     ❖ Service chaining and traffic steering
  35. Group Policy: Rich Constructs
  36. Dynamic Updates
     [Diagram: the multi-tier app of slide 6 (Web, Application, DB, Firewall, Load Balancer, QoS, External Network) with an additional Web element]
  37. Separation of Concerns
     [Diagram: Group Policy Manager. Administrator: allocate network resources, set up network contracts, set up access contracts. Users: create application contracts, provide/consume contracts]
  38. Multiple Providers with Failover
     [Diagram: Group Policy Manager. Administrator: create contracts. Provider A: provide contract, set scope to Global. Provider B: provide contract, set scope to Global. Users: consume contract]
  39. Other Policy Frameworks
     [Diagram: Group Policy Manager with Congress. Administrator: label hosts as infected; all infected machines should be quarantined; create access contract quarantine (to end points labeled "infected")]
  40. Heat Implementation
     ❖ Native Neutron Heat resources
     ❖ WIP patch available on Gerrit
     ❖ Provides richer and simpler abstraction
     ❖ Allows for complex topology declaration
     ❖ Demo HOT template
     ❖ Publishes secure web service
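The provide/consume model of slides 9 to 14, as an added example that is not code from the talk or from the PoC: a small Python model of EPGs, contracts and policy rules that evaluates a flow the way the slides describe, considering only contracts the destination EPG provides and the source EPG consumes, and dropping everything else (default deny). Web-Server-Contract, Web-Server-EPG and Outside-EPG come from slide 12; the App/DB contract and EPG names and the assignment of each contract to a providing and a consuming tier are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed, hypothetical model of the talk's Group Policy abstractions (EPG,
# Policy Rule = Classifier + Action, Contract); not the Neutron PoC's own code.

@dataclass(frozen=True)
class Classifier:
    protocol: str          # e.g. "TCP"
    port: int              # port on the provider side
    direction: str = "IN"  # relative to the provider EPG, as on slide 12
@dataclass(frozen=True)
class PolicyRule:
    classifier: Classifier
    action: str                  # ALLOW, REDIRECT, QOS, LOG, COPY, MARK
    value: Optional[str] = None  # e.g. service chain name for REDIRECT
@dataclass
class Contract:
    name: str
    rules: List[PolicyRule]
@dataclass
class EPG:
    name: str
    provides: List[Contract] = field(default_factory=list)
    consumes: List[Contract] = field(default_factory=list)

def evaluate(src: EPG, dst: EPG, protocol: str, port: int) -> Tuple[str, Optional[str]]:
    """Action for traffic from src to dst. Only contracts that dst provides
    and src consumes are considered; the first matching classifier wins.
    Unmatched traffic is dropped, i.e. the model is default-deny."""
    consumed = {c.name for c in src.consumes}
    for contract in dst.provides:
        if contract.name in consumed:
            for rule in contract.rules:
                cl = rule.classifier
                if cl.direction == "IN" and cl.protocol == protocol and cl.port == port:
                    return rule.action, rule.value
    return "DENY", None

def build_three_tier() -> Dict[str, EPG]:
    """Slide 14's 3-tier app; assumed mapping: each tier provides the contract for its own port."""
    web_c = Contract("Web-Server-Contract", [PolicyRule(Classifier("TCP", 80), "REDIRECT", "FW_LB_CHAIN")])
    app_c = Contract("App-Contract", [PolicyRule(Classifier("TCP", 9080), "ALLOW")])  # assumed name
    db_c = Contract("DB-Contract", [PolicyRule(Classifier("TCP", 3306), "ALLOW")])    # assumed name
    return {
        "external": EPG("Outside-EPG", consumes=[web_c]),
        "web": EPG("Web-Server-EPG", provides=[web_c], consumes=[app_c]),
        "app": EPG("App-EPG", provides=[app_c], consumes=[db_c]),
        "db": EPG("DB-EPG", provides=[db_c]),
    }
```

Note that a consumer-only EPG such as Outside-EPG cannot reach the DB tier on 3306 even though that port is allowed elsewhere: the allow lives in a contract Outside-EPG does not consume.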