OpenStack® Summit Austin 2016

Policy CanvasDraw your policies for OpenStack services

Joon-Myung Kang, Mario Ant Sánchez, Sujata Banerjee,

Hewlett Packard Labs{firstname.lastname}@hpe.com

Apr 28, 2016

2

Jeongkeun “JK” LeeBarefoot Networks

jklee@barefootnetworks.com

Talk Outline

3

Policy management in OpenStack

Policy Canvas DemoPolicy Canvas for OpenStack

How to define policies

Nova

Neutron

Keystone

Heat

Glance

Swift

CinderIronic

Murano

Policy Management in OpenStack

4

Tacker

Nova

Neutron

Keystone

Heat

Glance

Swift

CinderIronic

Murano

Policy Management in OpenStack

5

Tacker

Cloud operator

NetworkAdministrator

TenantAdministrator

ApplicationDeveloper

User

Application

Multiple Users

Nova

Neutron

Keystone

Heat

Glance

Swift

CinderIronic

Murano

Policy Management in OpenStack

6

Tacker

Cloud operator

NetworkAdministrator

TenantAdministrator

ApplicationDeveloper

User

Application

ACL

QoS

Performance

Firewall

LoadBalancer

DPI

IDS

Multiple Users

Multiple Policies

Network Policy Management in OpenStack

– Security groups and rules– Allow/Deny protocols and ports– Associate to VMs or ports

– Automation (Heat, Murano, etc.)– Pre-define templates and application-specific policies

7

Low-level commandsFragmented interfacesStatic configurations

Network Policy Management in OpenStack

– Security groups and rules– Allow/Deny protocols and ports– Associate to VMs or ports

– Automation (Heat, Murano, etc.)– Pre-define templates and application-specific policies

– Group-based Policy (GBP)– High-level Intent based management for OpenStack– Policies between Endpoint Groups (EPG)

8

Additional API SupportMultiple-writer problem

Policy Management in OpenStack

– Security groups and rules– Allow/Deny protocols and ports– Associate to VMs or ports

– Automation (Heat, Murano, etc.)– Pre-define templates and application-specific policies

– Group-based Policy (GBP)– High-level Intent based management for OpenStack– Policies between Endpoint Groups (EPG)

– Congress– Global policy framework for OpenStack– SQL-like language (Datalog) defining policies

across services

9

Steep learning curveMultiple-writer problem

Policy Management in OpenStackChallenges

– Decouple high-level intent (the “what”) from the underlying implementation (the “how”)

– Easy to use, intuitive, high-level interfaces

– Automated deployment mechanisms

– Scalable

10

Policy CanvasDraw network policies for OpenStack

11

Policy Management for OpenStackIdea from Real World

12

Policy CanvasDraw your policies for OpenStack services

13

Policy Canvas

Policy Canvas: Graph Abstraction & Composition

14

Mktg&Cmp-B&Normal

Engg&Cmp-A&Normal

HTTP Web&Cloud

DNS

DB&Cloud

RemedyService

Engg&Cmp-A&Qn

Mktg&Cam-B&Qn

Ping,SSH

HTTP

monitor

SQL, monitorsync,

monitor

monitor

DNS DNS

*

*

BC

BC

BCLBFW

BCLBFW

DPIDPI

BC

BC

graph composition

QuarantinedRemedyService

Policy sources Graph Abstraction Unified, conflict-free policy graph Deploy

Proactive policy composition1) Resolve policy conflicts prior to runtime deployment2) Simplify policy enforcement & runtime trouble-shooting

Intuitive to human, readable to system

PGA: Policy Graph Abstraction

15

& Composition

P1 & ~P2

P1 & P2(conflict?)

~P1 & P2

vP1 & ~P2

P1 & P2(conflict-free)

~P1 & P2

PGA: Graph Model & Composition

Graph model Graph compositionLogical labels

WebMktg.

CloudCampus

LB

BChttps, ssh

httpsP1:

P2:

Exclusive to Mktg

Venn-diagrammerging

Web & Cloud

Mktg & Campus

~Web &Cloud

~Mktg & Campus

BC

BChttps, ssh

https LB

BC

https, ssh

Label relationsMktg ⊂ CampusWeb ⊂ Cloud

Node: End-Point Group (EPG)Edge: communication intent

Decouple policy from target specificsDefined from existing data sources

Compute the union of input policies Resolve conflicts in the intersectionNormalize into disjoint sets

App admin

Cloud operator

Current solutions: manual composition

Composition Algorithm

Group-based policy (GBP)

App admin P1:Allow Marketing employees exclusive https access to Web servers through Load Balancer (LB)Cloud operator P2:Allow https and ssh traffic from Campus to Cloud through Byte Counter (BC)

Placements: Marketing in CampusWeb in Cloud

Overlap and

conflict

Subject1: Web-Accesstcp, dstport=https : Permit, LB-BC chain

Subject2: Web-Block* : Deny

Subject3: Cloud-Accesstcp, dstport=https|ssh : Permit, BC chain

Clauses (prioritized) :1. Mktg Web: Web-Access2. * Web: Web-Block3. Campus Cloud: Cloud-Access

Mktg ⊂ CampusWeb ⊂ Cloud

WebMktg.

CloudCampus

LB

BChttps, ssh

httpsP1:

P2:

Exclusive to MktgApp admin

Cloud operator

Web & Cloud

Mktg & Campus

~Web &Cloud

~Mktg & Campus

BC

BChttps, ssh

https LB

BC

https, ssh

PGA continued• Formal graph model, data structure, algorithm• Label relations in Label Trees

• Scalable: 13 mins to compose 20K ACL + service policies• Intuitive reasoning & troubleshooting by graph walk

(a) Departmentsadmin

Engg.

MktgPing,SSH

Cloud

monitor

QuarantinedRemedyService

*

(b) Application admin

(d) Cloud operator(c) SDN app: Net Protector

Campus Cloud*

*

HTTPEmpl Web

SQLsync

DBLB

Normal DNSDNS

(a) Enterprise IT admin

DPI FW BC

BC

Label NamespaceLabel Trees

Label Mappings

Cmp-A

Status

Tenant

Empl App

Mktg

Web DBCampus Cloud Net

protector

Normal Qn

Location

Engg: Campus-A Mktg: Campus-BApp : CloudEmpl: Net protector

Cmp-BEngg

compose

Mktg&Cmp-B&Normal

Engg&Cmp-A&Normal

HTTP Web&Cloud

DNS

DB&Cloud

RemedyService

Engg&Cmp-A&Qn

Mktg&Cam-B&Qn

Ping,SSH

HTTP

monitor

SQL, monitorsync,

monitor

monitor

DNS DNS

*

*

BC

BC

BCLBFW

BCLBFW

DPIDPI

BC

BC

18

overlap

mutually exclusive

Intent APIs to Express Hidden Intents

Whitelisting WL = {HTTPS} MUST allows d

s d CAN communicate

s d Block

s d Conditional

src dstWL

Default edge: MUST

No edge: Conditional

BlacklistingBL = {SSH, ICMP}

src dstBL

{*} – WL : deny or don’t care?

Default edge: Block

No edge: CAN communicate

{*} – BL : allow or don’t care?

Intent ACL edges

Reduce %conflict: 50% 12.5%Enable systematic composition

PGA Adoption and Publicity

Adoption– ODL Network Intent Composition (NIC) project adopted graph compiler and intent ACL

https://wiki.opendaylight.org/view/Network_Intent_Composition:Graph

Paper, Demo– “PGA: Using graphs to express and automatically reconcile network policies”, ACM Sigcomm

2015, London. – “Network Policy Whiteboarding and Composition”, ACM Sigcomm 2015 Demo, London.

Talks– OpenStack Summit Vancouver #vBrownBag session, https://www.youtube.com/watch?v=jDCxUQ5D4Y4– OpenDaylight Summit 2015, Santa Clara, CA, https://www.youtube.com/watch?v=EHMSuWz3LHw

Policy Canvas System

21

Policy CanvasSystem overview

22

Policy Canvas (Horizon module)

Python-pgaclient(python bindings to PGA API)

PGA servicePGA extension- Input policy graph- Composed policy graph- Deployed policy graph- Label tree- Function box

REST APIs

Labeldrivers

Compilationdrivers

Enforcementdrivers

Policy CanvasPolicy graph creation/composition

23

Policy Canvas (Horizon module)

PGA service

Label drivers

Draw policy graphs

Input policy graphs

Label tree(s)

Input policy graphs

Composed policy graph

…User/App1 User/App2 User/Appn

Composed policy graph

Label tree(s) Compilation drivers

PGA graph composer

OpenDaylight NIC graph compiler

Data sources(nova, keystone, ...)

Policy CanvasPolicy graph deployment

24

Congress

Composed policy graph

Deploy

Neutron

Admin

Policy Canvas (Horizon module)

PGA service

enforcement driversCongress driver Neutron driver

Endpoint monitoring rules security groups, SFC, LB/FW …

Nodes and edges

Data sources(nova, keystone, ...)

actionclassifier

classifier + action

clients webLBHTTP

Policy CanvasAutomatic policy mapping

25

CongressNeutron

Admin

Policy Canvas (Horizon module)

PGA service

enforcement driversCongress driver Neutron driver

Data sources(nova, keystone, ...)VM

notify membership change Associate security group

clients webLBHTTP

Policy Canvas1. Demo Scenario2. Demo

26

Demo Scenario

27

VM VM

VM VM

Availability Zone 1 (AZ1)

Availability Zone 2 (AZ2)

cnc4cnc3

cnc32 cnc27

HTTPSSHPING

Zone Manager

Host Manager

Global Policy

Policy Canvas Demo

28

Future Directions

29

Extending Policy Canvas

–Importing already-expressed policies directly from neutron or other services for composition and analysis

–Modeling and composing newlly-added neutron features QoS–Port-level connectivity

30

Policy Enforcement and Verification

Policy is eventually enforced at various network dataplanes

Need abstraction to capture capabilities and limitations Can this network implement my policy?

Need programmable dataplane to implement complex policiesTailor the network, rather than retrofit your policy into it

Need complete network visibility to verify policyDoes my policy get correctly enforced?

Industry-wide open-source effortsOpenFlow Data Plane Abstraction (OF-DPA)OpenCompute Switch Abstraction Interface (SAI)P4: Programming Protocol-independent Packet Processor

31

Composed policy graph

Neutron

Security Group, SFC, LB, FW …

Data planes (hw, sw, edge, core)

Network controllers(overlay, underlay)

P4: Programming Protocol-independent Packet Processor

High-level language to define and modify dataplane

Protocol/target independent

Open source, Apache 2.0 CLA

Adopted by OpenSwitch, OpenCompute SAI

Benefits in policy enforcementPick the best protocol for your policy, remove the othersCustom protocol carrying SFC metadataEmbed service functions (e.g., L4 LB) in the switchPolicy verification by In-Network Telemetry

/*********************************************//* Router MAC lookup *//*********************************************/action rmac_hit() {

modify_field(l3_metadata.rmac_hit, TRUE);}

action rmac_miss() {modify_field(l3_metadata.rmac_hit, FALSE);

}

table rmac {reads {

l3_metadata.rmac_group : exact;l2_metadata.lkp_mac_da : exact;

}actions {

rmac_hit;rmac_miss;

}size : ROUTER_MAC_TABLE_SIZE;

}

Copyright © 2016 P4 Language Consortium.

Fixed Data Plane

Driver

SBI Agent

Network controller

Southbound API (SBI)

Northbound APIProgram

Compile

Target Binary

Auto-Generated runtime API

Copyright © 2016 P4 Language Consortium.

Composed Policy

Policy down to Dataplane

Neutron

Programmable Data Plane (hw, sw)

Conclusions

– Policy Canvas– Simple and intuitive abstraction (Graph model)– Portable policies, decoupled from infrastructure specifics– Automatic and proactive composition of independently

specified policies

– Status– Horizon GUI– PGA service and API– Neutron/Congress drivers– Graph compiler in OpenDaylight NIC

– Collaboration with OpenStack community– More use cases and feedback– Code contribution to OpenStack

34

Policy Canvas (Horizon module)

PGA service

Policies

Input policy graphs

…User/App1 User/App2 User/Appn

Infrastructure

composed policy graph

33

Thank you

35