Network Policy Abstractions in OpenStack Neutron
- 1. May 2014 Network Policy Abstractions in Neutron Mohammad Banikazemi Sumit Naiksatam Stephen Wong
- 2. Outline ❖ Introduction ❖ Neutron Abstractions ❖ Group Policy Extension ❖ PoC Implementation and Demo ❖ Future Directions ❖ Q&A
- 3. Networking in the Cloud ❖ Current API: network centric ❖ Need a more application centric set of abstractions as well ❖ More easily understood/utilized by higher layers ❖ Declarative model ❖ Separation of concerns
- 4. Desired Features ❖ Provide policy-based connectivity between application tiers ❖ Support dynamic application of policies ❖ Redirection to Network services and chains ❖ Policies defined by administrators and users
- 5. Current Neutron API ❖ Network centric, close to physical devices ❖ Network: isolated layer-2 broadcast domain; private/shared ❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers ❖ Port: virtual switch port on a network; has MAC and IP address properties ❖ Router: connects networks, supports SNAT
- 6. Example: Multi Tier Apps Q Web Application DB Firewall Load Balancer QoS External Network (Internet)
- 7. Neutron Representation Q Network/ subnet Network/ subnet Network/ subnet Router External Network Port Q neutron net-create web_tier neutron subnet-create web_tier 10.0.0.0/24 neutron router-create router1 neutron router-add-interface router1 web_subnet . . .
- 8. Group Policy e x t e n s i o n
- 9. The Basic Idea ❖ Endpoint (EP): Lowest unit of abstraction where policy is applied ❖ Endpoint Group (EPG): Logical grouping of endpoints ❖ Policy Rule: Network policies to access EPGs ❖ Contract: Collection of policy rules
- 10. EPG-Contract Relationship ❖ An EPG may provide one or more contracts ❖ An EPG may consume one or more contracts Endpoint Group Contract ❖ Application deployer focused
- 11. Policy Rules ❖ Action is applied to traffic specified by Classifier Policy Rule Classifier Protocol Ports Direction Action Type Value Action Type Allow Redirect QoS Log Copy Mark Value None Service/Chain QoS args Log args Copy args Mark args
- 12. Group Policy - Workflow neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW neutron contract-create Web-Server-Contract --policy-rule insecure-web ❖ Create contract ❖ Create EPGs and provide/consume contracts neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract neutron ep-create --endpoint-group Web-Server-EPG neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract
- 13. Putting It All Together – 3 Tier App Web Application DB Firewall Load Balancer External Network (Internet)
- 14. Group Policy Realization EPG Web EPG Application EPG DB Firewall EPG External Network (Internet) Contract Protocol:TCP Port:80 Action:Redirect To FW_LB_CHAIN ProvidesConsumes Protocol:TCP Port:3306 Action:ALLOW Protocol:TCP Port:9080 Action:ALLOW EPG EPG
- 15. Optional Constructs in Model ❖ Scopes: put constraints around how provider and consumer EPGs are matched ❖ Policy Rule Filters: allow for tagging Policy Rules with Labels such that subsets can be created in a Contract ❖ Contract hierarchy: infra admin constraints can be achieved by Contract hierarchical composition ❖ Endpoint labels: policies get triggered automatically when labels are added or removed
- 16. Proof of Concept i m p l e m e n t a t i o n
- 17. PoC Implementation ❖ Team has worked on a PoC implementation ❖ Considering various model and implementation alternatives ❖ Using legacy driver ❖ CLI, Horizon, and Heat CLI Neutron Heat Horizon Policy Manager Legacy Policy Driver ODL Policy Driver others
- 18. The Group Policy PoC Team ❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco) ❖ Mohammad Banikazemi (IBM) ❖ Stephen Wong (Midokura) ❖ Ronak Shah (Nuage Networks) ❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence) ❖ Rudra Rugge (Juniper)
- 19. State of Implementation ❖ The blueprint for Group Policy has been reviewed/approved ❖ Working PoC available (install from: https://github.com/noironetworks/devstack/tree/group- policy-poc) ❖ Neutron reference implementation for Group Policy is in progress ❖ Complementary work on network services framework is in progress
- 20. More Information ❖ Neutron Group-based Policy design session May 16 • 10:50am - 11:30am • B304 ❖ Wiki page: https://wiki.openstack.org/wiki/Neutron/GroupPolicy ❖ Neutron Group Policy Sub-Team Meeting IRC weekly meetings: https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy
- 21. Backup
- 22. PoC
- 23. Separation of Concerns ❖ Different aspect of operations performed by different agents ❖ Administrators specify the more network specific requirements ❖ Other tenants specify app specific
- 25. Dynamic / Automatic Updates ❖ Slide 12
- 26. Multiple Policy Frameworks Network Policy Manager AdministratorMark hosts as infected All infected machines should be quarantined Create access policy quarantine (to end points labeled "infected") SystemWide PolicyManager
- 27. Outline of Policies ❖ Contract C1: ❖ Policy rule: redirect my_service_chain_fw_lb ❖ Contract C2: ❖ Policy rule: allow all ❖ Contract C3: ❖ Policy rule: allow all ❖ Policy rule: QoS my_qos_spec
- 28. Group Policy a c l o s e r l o o k
- 29. EPG-Contract Relationship Provide / Consume ❖ Let’s look at more details Endpoint Group Contract
- 30. Contract Scopes ❖ Contracts are provided and consumed through contract scopes Contract Scope Selector Provider- Capability/Consumer- Role Selector Scope Global Tenant EPG Value None Tenant ID EPG ID ❖ Selectors specify the scope: Global/Tenant/EPG ❖ Provider-Capabilities/Consumer-Roles: Policy labels, which allow defining granular constraints within the contract
- 31. Policy Rules Policy Rule Classifier Protocol Ports Direction Action Type Value
- 32. Policy Rules ❖ Filters/Labels used to limit policy rules provided/consumed Policy Rule Filter Provider Capability Consumer Role Classifier Protocol Ports Direction Action Type Value
- 33. Contract Hierarchy of Contracts ❖ Contracts can refer to other contracts ❖ Specifying base contracts by administrators Provide / Consume Endpoint Group
- 34. Using Neutron Advanced Services To fully take advantage of Group Policy: ❖ Defining a policy container for services Leveraging advanced services: ❖ Unified, generic and flexible service definition ❖ Support for various service insertion modes ❖ Support for various service manifestations ❖ Service chaining and traffic steering
- 35. Group Policy r i c h c o n s t r u c t
- 36. Dynamic Updates Q Web Application DB Firewall Load Balancer QoS External Network (Internet) Web
- 37. Separation of Concerns Group Policy Manager Administrator Users Allocate Network Resources Sets up network contracts Sets up access contracts Create application contracts Provide/consume contracts
- 38. Multiple Providers with Failover Group Policy Manager ProviderA Provide contract Set scope to Global ProviderB Users Consume contract Provide contract Set scope to Global Administrator Create contracts
- 39. Other Policy Frameworks Group Policy Manager Administrator Congress Label hosts as infected All infected machines should be quarantined Create access contract quarantine (to end points labeled "infected")
- 40. Heat Implementation ❖ Native Neutron heat resources ❖ WIP patch available on Gerrit ❖ Provides richer and simpler abstraction ❖ Allows for complex topology declaration ❖ Demo HOT template ❖ Publishes secure web service