Distributed Network Service Policy Enforcement
Transcript of Distributed Network Service Policy Enforcement
June 17, 2016
Distributed Network Service Policy Enforcement
Jun Li
Contributions from my students, Xiang Wang and Xiaohe Hu
Outline
• Background
• Related Work
• Policy Space Analysis
• Policy Enforcement with PSA
2016/6/17 NSLab, RIIT, Tsinghua Univ. 2
Orthogonal Perspective
• Forwarding vs. Service
2016/6/17 NSLab, RIIT, Tsinghua Univ. 3
Forwarding Service
Task Delivery Security, Measurement, Optimization
Logical Object Packet Flow
Physical Object L2 ~ L3, Header L3 ~ L7, Header + Payload
Basis Topology Resource/Policy
State Stateless Stateful
Manner Local autonomy Global governance
Device Switch/Router Middlebox
Algorithm Routing origination,
Routing lookup Packet classification, Pattern matching,
AppID, Traffic management
Outline
• Background
• Related Work
• Policy Space Analysis
• Policy Enforcement with PSA
2016/6/17 NSLab, RIIT, Tsinghua Univ. 4
Data Center Network (DCN)
• Virtualization & Multi-tenancy
2016/6/17 NSLab, RIIT, Tsinghua Univ. 5
Aggregation
Core
Access
Storage Storage Compute Compute Compute Compute
Security
Fabric
Access
Storage Storage Compute Compute Compute Security
Traditional DCN architecture Cloud DCN architecture
Cloud DCN
• Logical View vs. Tenant View
2016/6/17 NSLab, RIIT, Tsinghua Univ. 6
[X. Wang et al., CouldCom 2012]
LiveCloud
Operator view for orchestration Tenant view for provision
Service in Cloud DCN
• Network Service Mechanism
– Share vs. Aggregation
– Software vs. Hardware
2016/6/17 NSLab, RIIT, Tsinghua Univ. 7
Router
Internet
Subnet 1
Subnet 2
AB
Security Policy
CD
E
Edge vSwitch
Security Controller
Network Controller
Security Workload Scheduler
Tenant Subnet1
Tenant Subnet2
Security Network
Host Host Host Host
Fabric Switch
Tenant view Operator view
[X. Wang et al., ICCCN 2014]
Tualatin
Policy in Cloud DCN
• Network Service Policy
– Global vs. Local
– Distributed and Dynamic Interaction
2016/6/17 NSLab, RIIT, Tsinghua Univ. 8
Rule1 Rule3
Rule2 Rule4
Policy Management
Tenant / Operator
NetworkState
Policy Management (I)
2016/6/17 NSLab, RIIT, Tsinghua Univ. 9
Centralized Control Plane
Service Policy Configuration
Topology
Forwarding Policy
* -> 10.2.1.*, ssh DROP
10.1.*.* -> * FWIDS
10.1.1.*->10.2.1.*
𝑝𝑎𝑡ℎ{𝑠𝑤3. 𝑠𝑤2. 𝑠𝑤1}
𝑠𝑤1: Forwarding Rules
Forwarding Device
𝑚𝑏−𝑐𝑙𝑢𝑠𝑡𝑒𝑟1: Service Rules
id=1,in_port=1,ip_dst=10.2.1.*,ssh DROP
id=3,in_port=1,ip_dst=* Signtr
Middlebox
Distributed Data Plane
Measurement Security Application Policy
Admin
Optimization Users and
Applications
Network Controller
Service Controller
id=1,in_port=3,ip_dst=* port2
id=3,in_port=2,ip_dst=10.2.1.* port1
1
2
3 4
5 6
7 1
2
Policy Management (II)
2016/6/17 NSLab, RIIT, Tsinghua Univ. 10
Policy Enforcement
Policy Definition
Policy Composition
Policy Assignment
Policy Dispatch
Policy Lookup
Policy Verification
User/App1
* -> 10.2.1.*, ssh DROP
10.1.*.*-> * FWIDS Service Policy
User/App3 User/App2
Forwarding Policy 10.1.1.*->10.2.1.*
𝑝𝑎𝑡ℎ{𝑠𝑤3. 𝑠𝑤2. 𝑠𝑤1}
Application Plane
Centralized Control Plane
Distributed Data Plane
Policy Language
Outline
• Background
• Related Work
• Policy Space Analysis
• Policy Enforcement with PSA
2016/6/17 NSLab, RIIT, Tsinghua Univ. 11
Policy Language
• Policy Definition
– DATALOG-based query
• FML [T. L. Hinrichs et al., WREN’09]
– Logical labels
• PGA [C. Prakash et al., SIGCOMM’15]
• Policy Composition
– High-level language for writing and composing modules
• Frenetic [N. Foster et al., SIGPLAN’11]
• Pyretic [C. Monsanto et al., NSDI’13]
2016/6/17 NSLab, RIIT, Tsinghua Univ. 12
Policy Enforcement (I)
• Policy Assignment
– Distributed policies on switches w/ forwarding change
• DIFANE [M. Yu et al., SIGCOMM’11]
• vCRIB [M. Moshref et al., NSDI’13]
– Distributed policies on switches w/o forwarding change
• Palette [Y. Kanizo et al., INFOCOM’13]
• One-Big-Switch [N. Kang et al., CoNEXT’13]
– Distributed policies on middleboxes w/ forwarding change
• SIMPLE [Z. A. Qazi et al., SIGCOMM’13]
– Distributed policies on middleboxes w/o forwarding change
• MBPE [X. Wang et al., TON’16]
2016/6/17 NSLab, RIIT, Tsinghua Univ. 13
Policy Enforcement (II)
• Policy Dispatch
– Incremental updates
• Update Abstractions [M. Reitblatt et al., SIGCOMM’12]
• CCG [W. Zhou et al., NSDI’15]
– Minimal flow-table
• DevoFlow [A. R. Curtis et al., SIGCOMM’11]
• Policy Verification
– Firewall policy analysis
• FDD [M. G. Gouda et al., ICDCS’04]
– Header space analysis
• HSA [P. Kazemian et al., NSDI’12 & 13]
– Real-time verification
• Veriflow [A. Khurshid et al., NSDI’13]
2016/6/17 NSLab, RIIT, Tsinghua Univ. 14
Outline
• Background
• Related Work
• Policy Space Analysis
– Motivation
– Design
– Evaluation
• Policy Enforcement with PSA
2016/6/17 NSLab, RIIT, Tsinghua Univ. 15
Motivation
• What is the model and theoretical foundation of
service policy?
• What is the common policy enforcement
functionalities for assignment, dispatch, and
verification?
• What is the performance requirements for
practical policy enforcement?
2016/6/17 NSLab, RIIT, Tsinghua Univ. 16
Header Space Analysis (HSA)
• A simple abstraction to model all kinds of forwarding
functionalities
– Mathematical modeling
– Header space + Transfer function
– Forwarding policy distribution,
optimization, and conflict detection
2016/6/17 NSLab, RIIT, Tsinghua Univ. 17
01110011…1
L
Header
0xxxx0101xxx
T1(h, p)
R1 R2 R3
T2(h, p)
T3(h, p)
[P. Kazemian et al., NSDI 2012 & 2013]
Problems with HSA
• HSA is inefficient for service policy management
– Space representation in indiscriminate bits
• The number of HSA computing dimensions is 104 for the classic
5-tuple policy.
• Service policies usually contain arbitrary range values.
– Set operations in an overlapping manner
• Header space (xxxx) minus point (1010) is (xxx1) union (xx0x)
union (x1xx) union (0xxx), resulting in more computing tasks and
duplicated sub-spaces while doing set operations.
– Lack of efficient indexing data structures
• Set operations are conducted in a linear manner.
2016/6/17 NSLab, RIIT, Tsinghua Univ. 18
Outline
• Background
• Related Work
• Policy Space Analysis
– Motivation
– Design
– Evaluation
• Policy Enforcement with PSA
2016/6/17 NSLab, RIIT, Tsinghua Univ. 19
Policy Space Analysis
• Computational geometry view
– Multi-dimensional space
• Expression
– HyperRect: a D-field rule is viewed as a range-based D-
dimension hyper-rectangle
– PolicySpace: a set of multiple non-overlapping HyperRects
• Boolean and Set Operations
– Supported by both HyperRect and PolicySpace
– Boolean Operations
• is_equal, is_subset, and is_intersected
– Set Operations
• intersect, subtract, and union
2016/6/17 NSLab, RIIT, Tsinghua Univ. 20
[X. Wang et al., TON 2016]
PSA
PSA Implementation • HyperRect Operation
– Different dimension inspecting sequences produce diverse operation results
• PolicySpace Operation
– Most operations implemented as the iteration of the same operations of the
HyperRect
– is_equal implemented as bidirectional is_subset operations
– is_subset implemented as volume comparison of the minuend policy space
and the intersected policy space based on the non-overlapping property
2016/6/17 NSLab, RIIT, Tsinghua Univ. 21
Subtract Union
Outline
• Background
• Related Work
• Policy Space Analysis
– Motivation
– Design
– Evaluation
• Policy Enforcement with PSA
2016/6/17 NSLab, RIIT, Tsinghua Univ. 22
PSA Evaluation (I)
• Spatial performance
– Iterated subtraction of
high-priority rules from
low-priority rules to
construct a non-
overlapping ruleset
2016/6/17 NSLab, RIIT, Tsinghua Univ. 23
0.0E+00
1.0E+03
2.0E+03
3.0E+03
4.0E+03
5.0E+03
6.0E+03
7.0E+03
1 11 21 31 41 51 61 71 81 91
基础数据类型实例(个)
规则数目
HSA_ACL1_100 HSA_FW1_100
HSA_IPC1_100 PSA_ACL1_100
PSA_FW1_100 PSA_IPC1_100
Num
ber
of
Wild
card
or
HyperR
ect
Number of Operated Rules
PSA vs. HSA
• Temporal performance
PSA Evaluation (II)
2016/6/17 NSLab, RIIT, Tsinghua Univ. 24
Linear Array R Tree
1.0E+01
1.0E+03
1.0E+05
1.0E+07
处理时间(ms)
规则集
R树索引 线性存储
Pro
cess
ing t
ime (
ms)
Ruleset
1.0E+04
1.0E+06
1.0E+08
1.0E+10处理时间(us)
规则集
体积计算 空间剪切
Pro
cess
ing t
ime (
ms)
Ruleset
Space Clipping Volume Comparison
— Iterated subtraction of high-priority rules from low-priority rules to construct a non-overlapping ruleset
— is_equal operation between the union of non-overlapping rules and the union of overlapping rules
Outline
• Background
• Related Work
• Policy Space Analysis
• Policy Enforcement with PSA
– Topological Analysis of Service Policy
– Policy Assignment
– Policy Verification
2016/6/17 NSLab, RIIT, Tsinghua Univ. 25
Topological Analysis of Service Policy (I)
• Analysis of three classical policies
– Policy topology: Hierarchical addresses
– Topological statistics: Rule distribution
2016/6/17 NSLab, RIIT, Tsinghua Univ. 26
Access Control
0.0
.0.0
/58
.0.0
.0/6
12
.0.0
.0/7
14
.0.0
.0/8
15
.0.0
.0/8
16
.0.0
.0/4
32
.0.0
.0/3
64
.0.0
.0/2
12
8.0
.0.0
/1
0100200300400500600
0.0
.0.0
/58
.0.0
.0/6
12
.0.0
.0/7
14
.0.0
.0/8
15
.0.0
.0/8
16
.0.0
.0/4
32
.0.0
.0/3
64
.0.0
.0/2
12
8.0
.0.0
/1
源地址段
规则数目
目的地址段Destination Source
Num
ber
of
Rule
s
(exact rules)
Topological Analysis of Service Policy (II)
2016/6/17 NSLab, RIIT, Tsinghua Univ. 27
Firewall
IP Chain
10
.0.0
.0/8
16
.1.0
.4/3
21
31
.10
7.3
.43/
32
13
1.1
07.
39.
10/3
21
31
.10
7.3
9.11
/32
17
2.1
6.0
.0/1
21
92
.5.4
.0/2
31
92
.16
8.0
.0/1
61
92
.24
6.1
08.4
/32
19
8.3
2.1
76.
6/3
22
04
.12
3.2
.5/3
22
04
.15
2.1
84.0
/21
20
6.1
59.
213
.125
/32
20
7.1
59.
9.1
18/3
2
0
40
80
120
160
10
.0.0
.0/8
16
.1.0
.4/3
21
31
.10
7.3
.43/
32
13
1.1
07.
39.
10/3
21
31
.10
7.3
9.11
/32
17
2.1
6.0
.0/1
21
92
.5.4
.0/2
31
92
.16
8.0
.0/1
61
92
.24
6.1
08.4
/32
19
8.3
2.1
76.
6/3
22
04
.12
3.2
.5/3
22
04
.15
2.1
84.0
/21
20
6.1
59.
213
.125
/32
20
7.1
59.
9.1
18/3
2
源地址段
规则数目
目的地址段
Num
ber
of
Rule
s
Source Destination
(exact rules)
1.0
.0.0
/81
0.0
.0.0
/81
04
.0.0
.0/8
11
1.0
.0.0
/81
21
.0.0
.0/8
15
0.0
.0.0
/81
72
.0.0
.0/8
19
2.0
.0.0
/82
02
.0.0
.0/8
20
4.0
.0.0
/82
06
.0.0
.0/8
20
8.0
.0.0
/82
09
.0.0
.0/8
21
2.0
.0.0
/82
16
.0.0
.0/8
22
2.0
.0.0
/82
55
.0.0
.0/8
0
20
40
60
80
100
120
140
1.0
.0.0
/81
0.0
.0.0
/81
04
.0.0
.0/8
11
1.0
.0.0
/81
21
.0.0
.0/8
15
0.0
.0.0
/81
72
.0.0
.0/8
19
2.0
.0.0
/82
02
.0.0
.0/8
20
4.0
.0.0
/82
06
.0.0
.0/8
20
8.0
.0.0
/82
09
.0.0
.0/8
21
2.0
.0.0
/82
16
.0.0
.0/8
22
2.0
.0.0
/82
55
.0.0
.0/8
源地址段
规则数目
目的地址段
Num
ber
of
Rule
s
Destination Source
(exact rules)
10
.0.0
.0/8
16
.1.0
.4/3
21
31
.10
7.3
.43/
32
13
1.1
07.
39.
10/3
21
31
.10
7.3
9.11
/32
17
2.1
6.0
.0/1
21
92
.5.4
.0/2
31
92
.16
8.0
.0/1
61
92
.24
6.1
08.4
/32
19
8.3
2.1
76.
6/3
22
04
.12
3.2
.5/3
22
04
.15
2.1
84.0
/21
20
6.1
59.
213
.125
/32
20
7.1
59.
9.1
18/3
2
0
40
80
120
160
10
.0.0
.0/8
16
.1.0
.4/3
21
31
.10
7.3
.43/
32
13
1.1
07.
39.
10/3
21
31
.10
7.3
9.11
/32
17
2.1
6.0
.0/1
21
92
.5.4
.0/2
31
92
.16
8.0
.0/1
61
92
.24
6.1
08.4
/32
19
8.3
2.1
76.
6/3
22
04
.12
3.2
.5/3
22
04
.15
2.1
84.0
/21
20
6.1
59.
213
.125
/32
20
7.1
59.
9.1
18/3
2
源地址段
规则数目
目的地址段
Destination Source
Num
ber
of
Rule
s
(partially specified rules)
1.0
.0.0
/81
0.0
.0.0
/81
04
.0.0
.0/8
11
1.0
.0.0
/81
21
.0.0
.0/8
15
0.0
.0.0
/81
72
.0.0
.0/8
19
2.0
.0.0
/82
02
.0.0
.0/8
20
4.0
.0.0
/82
06
.0.0
.0/8
20
8.0
.0.0
/82
09
.0.0
.0/8
21
2.0
.0.0
/82
16
.0.0
.0/8
22
2.0
.0.0
/82
55
.0.0
.0/8
0
20
40
60
80
100
120
140
1.0
.0.0
/81
0.0
.0.0
/81
04
.0.0
.0/8
11
1.0
.0.0
/81
21
.0.0
.0/8
15
0.0
.0.0
/81
72
.0.0
.0/8
19
2.0
.0.0
/82
02
.0.0
.0/8
20
4.0
.0.0
/82
06
.0.0
.0/8
20
8.0
.0.0
/82
09
.0.0
.0/8
21
2.0
.0.0
/82
16
.0.0
.0/8
22
2.0
.0.0
/82
55
.0.0
.0/8
源地址段
规则数目
目的地址段Destination Source
Num
ber
of
Rule
s
(partially specified rules)
Topological Analysis of Service Policy (III)
• Forwarding policy vs. Service Policy
– Forwarding Policy
• Entire network view, fine-grained address objects, less rule
overlapping
– Service Policy
• Choke points of subnets, relationship of organization,
wildcard and more rule overlapping
• Implication for packet classification
– Rule distribution is asymmetrical
– Firewall and IP Chain type scenarios have more overlapping
– Either source IP or destination IP is highly separable
2016/6/17 NSLab, RIIT, Tsinghua Univ. 28
Outline
• Background
• Related Work
• Policy Space Analysis
• Policy Enforcement with PSA
– Topological Analysis of Service Policy
– Policy Assignment
– Policy Verification
2016/6/17 NSLab, RIIT, Tsinghua Univ. 29
MBPE
• Principles
– Preserve Forwarding Rules
• On-datapath processing to reduce bandwidth cost introduced by traffic
steering
– Dispatch onto middleboxes
• From path-wise to network-wise to reduce wildcard rules replication
• Requirements
– Correctness
• Each policy or policy partition is processed once and only once
– Efficiency
• As less enforced nodes as possible
2016/6/17 NSLab, RIIT, Tsinghua Univ. 30
MiddleBox Policy Enforcement
Set Cover Problem (SCP)
• Given a set U of n elements and a collection S of subsets of U, find
the smallest collection C of S whose union is U
• 𝑺𝑷 is mapped to U and 𝑺𝒇 is mapped to S
MBPE modeled as SCP
2016/6/17 NSLab, RIIT, Tsinghua Univ. 31
𝑚𝑖𝑛 𝑥𝑗
𝑁
𝑗=1
subject to
∀𝑖 ∈ 1,… ,𝑀 : 𝑆𝑟𝑖𝑗
𝑁
𝑗=1
= 𝑆𝑟𝑖 , 𝑆𝑟𝑖𝑗⊆ 𝑆𝑟𝑖 ∩ 𝑆𝑓
𝑗
∀𝑗1, 𝑗2 ∈ 1,… , 𝑁 , 𝑗1 ≠ 𝑗2, ∀𝑖 ∈ 1,… ,𝑀 : 𝑆𝑟𝑖𝑗1 ∩ 𝑆𝑟𝑖
𝑗2 = ∅
𝑥𝑗 = 1, ∃𝑖 ∈ 1,… ,𝑀 , 𝑠. 𝑡. 𝑆𝑟𝑖
𝑗≠ ∅
0, 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒
𝑆𝑓 The flow space of all network nodes
𝑆𝑓𝑗 The flow space that the traffic
covers at enforced node 𝑗
𝑆𝑟𝑖 The rule space that 𝑖𝑡ℎ rule
covers
𝑆𝑟𝑖𝑗 The rule space that 𝑖𝑡ℎ rule
covers at enforced node 𝑗
Greedy Algorithm
• Iteratively select the network node whose flow space can
cover most of the remaining policy space
• Enforce two types of rules in each iteration
– Bypass rule with high priority: subtraction of the remaining flow
space from the flow space of the selected node
– Enforced rule with low priority: intersection of the remaining
flow space of the selected node and the complete policy space
• Two heuristics to select network nodes
– Policy-oriented: node intersects with the maximum number of
policy rules
– Flow-oriented: the node has the maximum number of hyper-
rectangles
2016/6/17 NSLab, RIIT, Tsinghua Univ. 32
Evaluation
• Enforced nodes and rules
2016/6/17 NSLab, RIIT, Tsinghua Univ. 33
1
1.5
2
2.5
3
膨胀倍数
网络拓扑
基于相交规则数目 基于子空间数目 面向源端
1.0E+00
1.0E+01
1.0E+02
膨胀倍数
网络拓扑
基于相交规则数目 基于子空间数目 面向源端
1.0E+00
1.0E+01
1.0E+02
1.0E+03
部署节点(个)
网络拓扑
基于相交规则数目 基于子空间数目 面向源端
1.0E+00
1.0E+01
1.0E+02
1.0E+03
部署节点(个)
网络拓扑
基于相交规则数目 基于子空间数目 面向源端flow-oriented policy-oriented source-oriented
Network Topology
Num
ber
of
Nodes
Overh
ead o
f R
ule
s
flow-oriented policy-oriented source-oriented
Num
ber
of
Nodes
Network Topology
Network Topology Network Topology
Overh
ead o
f Rule
s
flow-oriented policy-oriented source-oriented flow-oriented policy-oriented source-oriented
# of all enforced rules / # of the original policy rules
exact policies wildcard policies
# of enforced nodes
Extended MBPE
• Practical constraints to Set Cover Problem
– Rule size of forwarding devices
– Processing capability of middleboxes
2016/6/17 NSLab, RIIT, Tsinghua Univ. 34
𝑚𝑖𝑛 𝑥𝑗
𝑁
𝑗=1
subject to
∀𝑖 ∈ 1,… ,𝑀 : 𝑆𝑟𝑖𝑗
𝑁
𝑗=1
= 𝑆𝑟𝑖 , 𝑆𝑟𝑖𝑗⊆ 𝑆𝑟𝑖 ∩ 𝑆𝑓
𝑗
∀𝑗1, 𝑗2 ∈ 1,… ,𝑁 , 𝑗1 ≠ 𝑗2, ∀𝑖 ∈ 1,… ,𝑀 : 𝑆𝑟𝑖𝑗1 ∩ 𝑆𝑟𝑖
𝑗2 = ∅
∀𝑗 ∈ 1,… , 𝑁 : 𝐹(𝑆𝑟𝑖𝑗)
𝑀
𝑖=1
≤ 𝐶𝑗
𝑥𝑗 = 1, ∃𝑖 ∈ 1, … ,𝑀 , 𝑠. 𝑡. 𝑆𝑟𝑖
𝑗≠ ∅
0, 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒
𝑆𝑓 The flow space of all network nodes
𝑆𝑓𝑗 The flow space that the traffic
covers at enforced node 𝑗
𝑆𝑟𝑖 The rule space that 𝑖𝑡ℎ rule
covers
𝑆𝑟𝑖𝑗 The rule space that 𝑖𝑡ℎ rule
covers at enforced node 𝑗
𝐹() Cost mapping function
𝐶𝑗 Constraints of node 𝑗
Outline
• Background
• Related Work
• Policy Space Analysis
• Policy Enforcement with PSA
– Topological Analysis of Service Policy
– Policy Assignment
– Policy Verification
2016/6/17 NSLab, RIIT, Tsinghua Univ. 35
Policy Verification
• Distributed data plane policies verification
– Decompose network scope problem into path scope
problems according to forwarding policy
– Operate policies along the specified flow path
– Leverage the set operations of PSA
2016/6/17 NSLab, RIIT, Tsinghua Univ. 36
Policy Verification
• Distributed data plane policies verification
– Consistency
• 𝑆𝑓′ = 𝑆𝑓′ ∩ 𝑆𝑃
– Redundancy
• ∃ 𝑗1 ≠ 𝑗2: 𝑆𝑓′𝑗1 ⊆ 𝑆
𝑓′𝑗2 , 𝑆
𝑓′𝑗1 . 𝑎𝑐𝑡𝑖𝑜𝑛 = 𝑆
𝑓′𝑗2 . 𝑎𝑐𝑡𝑖𝑜𝑛
– Confliction
• ∃ 𝑗1 ≠ 𝑗2: 𝑆𝑓′𝑗1 ∩ 𝑆
𝑓′𝑗2 ≠ ∅, 𝑆
𝑓′𝑗1 . 𝑎𝑐𝑡𝑖𝑜𝑛 ≠ 𝑆
𝑓′𝑗2 . 𝑎𝑐𝑡𝑖𝑜𝑛
2016/6/17 NSLab, RIIT, Tsinghua Univ. 37
𝑓′ flow of one network policy
𝑆𝑓′ flow space
𝑆𝑃 The policy space of all rule space
𝑆𝑓′𝑗= 𝑆𝑟𝑖
𝑗∩ 𝑆𝑓′
𝑀
𝑖=1 rule space on node 𝑗
𝑆𝑓′ = 𝑆𝑓′𝑗𝑡
𝐾
𝑡=1
combined rule space on 𝑝𝑎𝑡ℎ of flow 𝑓′
Summary
• An orthogonal perspective of network
forwarding and network service
• A framework of policy space analysis
definitions and operations
• A few policy enforcement algorithms as
research in progress
2016/6/17 NSLab, RIIT, Tsinghua Univ. 38