Troubleshooting for
Intent-based Networking
Joon-Myung Kang and Mario A. Sánchez
Hewlett Packard Labs
Open Networking Summit 2017
Intent-based Networking
Policy Graph Abstraction and Demo
Troubleshooting and Demo
QnA
Software-Defined Networking
Application Plane
(SDN Apps)
Control Plane
(OpenDaylight, ONOS, etc.)
Infrastructure (Data) Plane
(Cloud/IT/SDN/NFV)
Open APIs
Program Languages
Abstraction
SDN Northbound Interfaces
Infrastructure Control Interfaces
Vendor specific
Low-level specifics
Manual operations
…
Intent-based Networking
Application Plane
(SDN Apps)
Control Plane
(OpenDaylight, ONOS, etc.)
Infrastructure (Data) Plane
(Cloud/IT/SDN/NFV)
INTENT North Bound Interface
Infrastructure Control Interfaces
− Application Plane says “What” (doesn’t care how)
− Control Plane reasons “How” (doesn’t care why)
Intent
− “what”, not “how” (non-prescriptive)
− Is portable
− Is universal
− Is compose-able
− Is invariant
− Is scale-able
Source: Dave Lenrow, “Intent As The Common Interface to Network Resources,” Intent Based Network Summit 2015 ONF Boulder: Intent NBI
Intent: “I want my headache to stop”
Prescription: “Give me two aspirins”
Intent-based Networking
Examples
WEB/Gold/Working Hour
No connect/Wireless
Configure new guest WiFi
Intent-based Networking
Open Source Efforts
– ONF Open Source SDN Boulder
  – Define Intent North Bound Interface (NBI)
  – http://opensourcesdn.org/projects/project-boulder-intent-northbound-interface-nbi/
  – https://community.opensourcesdn.org/wg/IntentNBI/dashboard
– OpenDaylight NIC
  – Network Intent Composition
  – Manage and direct network services and network resources based on the given “Intent”
  – https://wiki.opendaylight.org/view/Network_Intent_Composition:Main
– ONOS Intent Framework
  – Allows applications to specify their network control desires in the form of policy rather than mechanism (Intent)
  – https://wiki.onosproject.org/display/ONOS/Intent+Framework
ONF Intent NBI – Definition and Principles, Draft Version 6, Sep. 2016
https://wiki.opendaylight.org/view/Network_Intent_Composition:Graph
Policy Graph Abstraction (PGA)
PGA overview
PGA is Real
Public resources
ACM SIGCOMM 2015, London, UK
Research Paper and Demo; Running System and Open Source Contributions
OpenStack Summit 2015, 2016
OpenDaylight Summit 2015, 2016
Policy Management in Practice
Policy Graph Abstraction (PGA)
[Figure: policy sources; graph abstraction; graph composition; unified, conflict-free policy graph; deploy. Node labels: Mktg&Cmp-B&Normal, Engg&Cmp-A&Normal, Web&Cloud, DB&Cloud, DNS, Remedy Service, Engg&Cmp-A&Qn, Mktg&Cmp-B&Qn, Quarantined. Edge labels: Ping, SSH, HTTP, SQL, DNS, sync, monitor, *. Service chain labels: BC, LB, FW, DPI.]
PGA Example
− 4 individual input policies
− Label namespace across cloud services and network, capturing overlap vs. disjoint relations between labels
− Proactive, automatic composition
− Scalable algorithm: 13 mins to compose 20K ACL + service chain policies
[Figure: input policy graphs with panel titles “(a) Departments admin”, “(b) Application admin”, “(c) SDN app: HPE Net Protector”, “(d) Cloud operator” and “(a) Enterprise IT admin”, joined by “compose” into the composed policy graph shown on the previous slide. Edge labels: Ping, SSH, HTTP, SQL, DNS, sync, monitor, *. Service chain labels: DPI, FW, LB, BC.]
[Figure: Label Namespace diagram with labels Tenant, Location, Status, Net Protector, Engg, Mktg, Empl, App, Web, DB, Campus, Cmp-A, Cmp-B, Cloud, Normal, Qn and CPU Utilization (> 90%, <= 90%), with “disjoint” relations marked.]
Label Mappings
Engg: Campus-A
Mktg: Campus-B
Application: Cloud
Empl: Net protector
PGA
Current status
PGA implementation and impact
− PGA model, composition, deployment, and tool to convert ACL policy configuration to PGA intent specification
− PGA prototype for OpenStack (Juno ~ Newton)
− PGA Intent APIs and graph compiler contributed to ODL/NIC Beryllium release
− Troubleshooting for intent based policy management
− Conflict detection
− Composition correctness verification
− Intent addition/modification/deletion
Live Demo
PGA Basic Operations
PGA Demo
Troubleshooting
With Intent-based Networking
Network debugging/troubleshooting a difficult task
[Figure labels: WEB NO CONNECT; Policy; Network; ping, traceroute, tcpdump, SNMP, sflow]
Picture sources:
http://simplearchitectures.blogspot.com/2013/08/addressing-data-center-complexity.html
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2-1/ServSecDC/8_NIDS.html
http://www.ntstn.com/category/troubleshooting/network-troubleshooting
Systematic troubleshooting
– Know intent of the operator
– Check network behavior against operator intent
Intent-based networking
– Policy is a first-class citizen
– Intent explicitly expressed at policy layer
– Forwarding semantics explicitly defined
– Code compiles policy description into lower-level configuration
Difficult to achieve in legacy networks
Opportunity to rethink network debugging
Intent-based Networking
Application Plane
(SDN Apps)
Controller Plane
(OpenDaylight, ONOS, etc.)
Infrastructure (Data) Plane
(Cloud/IT/SDN/NFV)
INTENT North Bound Interface
Infrastructure Control Interfaces
– Control Apps
  – Specify routing/access control policies
– Logical view
  – Simplified/abstract representation of network
– Physical view
  – One-to-one correspondence with the physical network
  – Controller’s job to configure the network devices (OpenFlow)
• Each layer performs one piece of the translation process
• Every layer should correctly map to every other layer
• Most errors in SDN are mistranslations between layers
Checking network behavior against intent
– Early debugging tools for OpenFlow-enabled networks
  – Ndb, OFRewind, NetSight, netwatch, netshark, nprof…
– Easier to discover the source of network problems [Faulty device firmware, inconsistent flow rules, faulty routing…]
– Testing and verification complement network troubleshooting and debugging [Loop freedom, black holes, performance of OpenFlow switches…]
Too low level!
Knowing the operator’s intent
Does the Actual Network Behavior Match the Policy?
– If NO…
  Match the symptoms to the responsible system component
– If YES…
  The policy itself is the problem; a human must resolve the discrepancy
– If unwanted behavior persists & all state layers are equivalent:
  – The configured policy must not match the operator’s intent
Troubleshooting System
[Figure labels: User/App1, User/App2, User/Appn; User Intents; Input graphs; PGA; Composed graph; Infrastructure Controllers; Troubleshooting System; Query; Results; Metadata; GUI]
Query Examples
– Reachability/Connectivity checking
  – Can A talk to B?
– Security vulnerability or Risk assessment
– Addition/removal/editing correctness
Troubleshooting Examples
Reachability
–Can A talk to B?
–What EPG do nodes belong to?
–Is there an edge connecting both EPGs?
–What security groups should be checked?
–What middleboxes should be checked?
Troubleshooting example
Troubleshooting network connectivity (reachability)
[Figure: the input policy graphs, composed policy graph, Label Namespace and Label Mappings from the PGA example, annotated with “Engg client”, “HR site” and “web”]
Troubleshooting example
Intent addition/modification/removal
[Figure: the input policy graphs, composed policy graph, Label Namespace and Label Mappings from the PGA example, annotated with “compare”]
Troubleshooting example
Risk Assessment
Indicator may be composed using different data points: e.g. # of compromised hops; # of network functions traversed, etc.
What if a host from “Web&Cloud” is compromised?
What EPGs might be able to reach host ‘x’ (through intermediate host compromise)?
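The reachability questions and the risk-assessment questions from the troubleshooting slides above can both be answered by walking the composed policy graph. The following is an added example, not code from the deck or from PGA; the edges, service chains, endpoint names and function names are constructed assumptions loosely modelled on the labels in the slides.

```python
from collections import deque

# Constructed composed policy graph (assumption, not the deck's exact figure):
# (source EPG, destination EPG) -> (allowed protocols, service chain)
EDGES = {
    ("Engg&Cmp-A&Normal", "Web&Cloud"): ({"HTTP"}, ["FW", "LB"]),
    ("Mktg&Cmp-B&Normal", "Web&Cloud"): ({"HTTP"}, ["FW", "LB"]),
    ("Web&Cloud", "DB&Cloud"): ({"SQL"}, ["BC"]),
    ("Engg&Cmp-A&Normal", "DNS"): ({"DNS"}, []),
    ("Mktg&Cmp-B&Normal", "DNS"): ({"DNS"}, []),
    ("Engg&Cmp-A&Qn", "Remedy Service"): ({"*"}, ["DPI"]),
    ("Mktg&Cmp-B&Qn", "Remedy Service"): ({"*"}, ["DPI"]),
}

# Constructed endpoints and the labels currently attached to them.
ENDPOINTS = {
    "engg-client": {"Engg", "Cmp-A", "Normal"},
    "mktg-laptop": {"Mktg", "Cmp-B", "Qn"},  # quarantined host
    "hr-site": {"Web", "Cloud"},
    "hr-db": {"DB", "Cloud"},
}


def all_epgs():
    return {epg for pair in EDGES for epg in pair}


def epg_of(endpoint):
    """'What EPG do nodes belong to?' An EPG name is a conjunction of labels;
    the endpoint belongs to it when it carries all of them."""
    labels = ENDPOINTS[endpoint]
    matches = [e for e in all_epgs() if set(e.split("&")) <= labels]
    return matches[0] if len(matches) == 1 else None


def can_talk(src, dst, proto):
    """'Can A talk to B?' answered at the intent level."""
    s, d = epg_of(src), epg_of(dst)
    result = {"src_epg": s, "dst_epg": d, "allowed": False, "check": []}
    if s is None or d is None:
        result["reason"] = "endpoint does not map to exactly one EPG"
        return result
    edge = EDGES.get((s, d))  # 'Is there an edge connecting both EPGs?'
    if edge is None:
        result["reason"] = "no edge between the EPGs: the policy denies this"
        return result
    protos, chain = edge
    if "*" not in protos and proto not in protos:
        result["reason"] = f"edge exists but allows only {sorted(protos)}"
        return result
    # Policy allows it. If traffic still fails, the fault is below the policy
    # layer, and these are the middleboxes to inspect first.
    result.update(allowed=True, check=chain,
                  reason="policy allows; inspect the listed middleboxes")
    return result


def reach(epg, reverse=False):
    """Risk indicator. Forward: which EPGs a compromised host in `epg` can get
    to. Reverse: which EPGs can get to `epg`. Each value is
    (intermediate EPGs that must be compromised, network functions traversed
    on the first shortest path found)."""
    adj = {}
    for (src, dst), (_protos, chain) in EDGES.items():
        a, b = (dst, src) if reverse else (src, dst)
        adj.setdefault(a, []).append((b, len(chain)))
    found = {epg: (-1, 0)}
    queue = deque([epg])
    while queue:
        node = queue.popleft()
        hops, nfs = found[node]
        for nxt, n in adj.get(node, []):
            if nxt not in found:
                found[nxt] = (hops + 1, nfs + n)
                queue.append(nxt)
    del found[epg]
    return found


if __name__ == "__main__":
    print(can_talk("engg-client", "hr-site", "HTTP"))
    print(can_talk("mktg-laptop", "hr-site", "HTTP"))
    print(reach("Web&Cloud"))               # blast radius of Web&Cloud
    print(reach("DB&Cloud", reverse=True))  # who can reach the database
```

A denied result points at the policy (a missing or too-narrow intent), while an allowed result with a persisting symptom points at the service chain and the layers below it.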
Troubleshooting Demo
[Figure labels: Marketing; Employee; Campus Admin; 10.10.20.1; Connectivity Problem; Intent editing; Remote desktop connection]
PGA and Troubleshooting Demo
Summary
– Intent-based Networking helps simplify network control & management
– Policy Graph Abstraction (PGA) is one well-defined intent-based management framework, and we presented possible troubleshooting examples
– Intent-level troubleshooting can help to easily identify network problems
– What’s next
  – More More More practical experiences from network operators/administrators/developers…
Thank you
joon-myung.kang@hpe.com
mario.ant.sanchez@hpe.com