Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker...
Page 1: Flow-based Management Language
Tim Hinrichs, Natasha Gude*, Martín Casado, John Mitchell, Scott Shenker
University of Chicago, Stanford University, ICSI/UC Berkeley
Network Configuration Today
• Distributed state
  • VLANs, subnets, ACLs, NAT, routing policies…
• Problems
  • Low-level, indirect mechanisms [Maltz04]
  • Topology-dependent [Bellovin99]
  • Connectivity is difficult to reason about [Xie04]
Our Goal
Design a policy language to simplify network configuration without loss of
today’s expressiveness.
Language Goals
• Maintain Today’s Expressiveness
• Support High-level Naming
  • “Guests must send all HTTP traffic via a proxy”
• Single Point of Declaration
  • Clear how traffic will be treated
• Support Composition and Exception Policy Models
• Performance
  • Amenable to efficient implementation
• Extensibility
• Multiple Authorship
FML Overview
• Form of nonrecursive Datalog
• Flow-based
An FML policy is a set of rules declared over a flow and its high-level attributes.
• Attributes include src/dst access points, hosts, and users
• Rules that match a flow dictate its policy
Rule Definition
action :- condition
h :- []b1 ∧ … ∧ []bn
“Guest users must send all HTTP traffic via a proxy”
allow(Flow) :- guest(Usrc) ∧ http = Prot ∧ proxy(Hdst)
An FML policy is an unordered set of rules
allow(Flow) :- guest(Usrc) ∧ http = Prot ∧ proxy(Hdst)
Example Rules
Policy Model Goals
• Exception Model
  waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  deny(Flow) :- guest(Usrc)
• Composition Model
  waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  rate-limit(Flow, 1Mbps) :- http = Prot
Conflict Resolution
• Action Reconciliation
  deny > [ waypoint, rate-limit ] > allow
• Ordering of Rule Sets: Policy 1 > Policy 2
  waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  cascade()
  deny(Flow) :- guest(Usrc)
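The rule model from the last three slides (rules as head :- body, the exception and composition models, action reconciliation and cascade() ordering) as a small Python evaluator. This is an added example, not code from the FML paper or from NOX; the Flow attributes, the guest/http predicates, the name bindings and the default for flows that match no rule are assumptions of the example.

```python
# Toy evaluator for the FML rule model on these slides (example code, not the
# paper's or NOX's). Flow attributes, predicates and the default are assumptions.
from dataclasses import dataclass
from collections.abc import Callable

# Action reconciliation from the slide: deny > [waypoint, rate-limit] > allow.
# Lower rank wins; actions of equal rank compose (all are kept).
RANK = {"deny": 0, "waypoint": 1, "rate-limit": 1, "allow": 2}

@dataclass(frozen=True)
class Flow:
    usrc: str  # source user
    hsrc: str  # source host
    hdst: str  # destination host
    prot: str  # protocol

# A rule is head :- body: head is an action tuple, body a predicate on the flow.
Action = tuple[str, ...]
Rule = tuple[Action, Callable[[Flow], bool]]

GUESTS = {"alice"}  # constructed name binding; NOX would supply these from auth
def guest(f: Flow) -> bool: return f.usrc in GUESTS
def http(f: Flow) -> bool: return f.prot == "http"

def reconcile(actions: set[Action]) -> set[Action]:
    """Keep only the highest-priority action class among those that fired."""
    best = min(RANK[a[0]] for a in actions)
    return {a for a in actions if RANK[a[0]] == best}

def evaluate(policy: list[list[Rule]], flow: Flow, default: Action = ("deny",)) -> set[Action]:
    """policy is a list of unordered rule sets separated by cascade(): the first
    set with a matching rule decides, and conflicts inside it go to reconcile()."""
    for rule_set in policy:
        fired = {head for head, body in rule_set if body(flow)}
        if fired:
            return reconcile(fired)
    return {default}  # assumption of this example: no rule matched the flow

# Exception model, one set: both rules match a guest's HTTP flow, so deny wins.
exception_flat = [[(("waypoint", "proxy"), lambda f: guest(f) and http(f)),
                   (("deny",), guest)]]
# Same rules with cascade(): the waypoint set is tried first, deny catches the rest.
exception_cascade = [[(("waypoint", "proxy"), lambda f: guest(f) and http(f))],
                     [(("deny",), guest)]]
# Composition model: waypoint and rate-limit share a rank, so both are applied.
composition = [[(("waypoint", "proxy"), lambda f: guest(f) and http(f)),
                (("rate-limit", "1Mbps"), http)]]
GUEST_HTTP = Flow("alice", "laptop1", "web1", "http")   # constructed sample flows
GUEST_SSH = Flow("alice", "laptop1", "web1", "ssh")
```

Without cascade() the exception rule set is decided by reconciliation alone and deny wins even for the HTTP flow; with cascade() the waypoint set is consulted first and deny only applies to the guest traffic it leaves over.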
Implementation Requirements
• At least per-flow interposition
• Name-to-address bindings
Any system providing these capabilities can support FML.
NOX
• OpenFlow Controller
• Maintains Global View of Topology
• Dictates Switch Behavior
• Provides Authentication Framework
Policy Engine
(Architecture diagram; components shown: Policy, Compiler, Namespace, Auth Bindings, Rule Lookup, an incoming Flow and the resulting Flow Actions.)
Performance
(Plot: flows/second versus number of FML rules.)
Deployment Experience
• Medical University Network in Japan
  • 200 hosts
  • In use for 10 months
  • 40-line policy
  • NAC-focused
  http_redirect(Flow) :- unauthenticated = Usrc ∧ (workstation(Hsrc) | laptop(Hsrc)) ∧ http = Prot
Ongoing Work
• Distribute Policy Enforcement
  • Virtualized Datacenter Support in Progress
• Expand FML to Define Actions
  • Conflict Resolution Scheme
• Administrator Debugging Tools
Questions?