Flow-based Management Language - PowerPoint PPT Presentation
1 / 17
Title:
Flow-based Management Language
Description:
Design a policy language to simplify network configuration without loss of ... Amenable to efficient implementation. Extensibility. Multiple Authorship. FML Overview ... – PowerPoint PPT presentation
Number of Views:222
Avg rating:3.0/5.0
Title: Flow-based Management Language
1
Flow-based Management Language
- Tim Hinrichs
- Natasha Gude
- MartÃn Casado
- John Mitchell
- Scott Shenker
- University of Chicago
- Stanford University
- Stanford University
- Stanford University
- ICSI/UC Berkeley
2
Network Configuration Today
- Distributed state
- VLANs, subnets, ACLs, NAT, routing policies
- Problems
- Low-level, indirect mechanismsMaltz04
- Topology-dependentBellovin99
- Connectivity is difficult to reason aboutXie04
3
Our Goal
- Design a policy language to simplify network
configuration without loss of todays
expressiveness.
4
Language Goals
- Maintain Todays Expressiveness
- Support High-level Naming
- Guests must send all HTTP traffic via a proxy
- Single Point of Declaration
- Clear how traffic will be treated
- Support Composition and Exception Policy Models
- Performance
- Amenable to efficient implementation
- Extensibility
- Multiple Authorship
5
FML Overview
- Form of nonrecursive Datalog
- Flow-based
- An FML policy is a set of rules declared over a
flow and its high-level attributes - Attributes include src/dst access points, hosts,
and users - Rules that match a flow dictate its policy
6
Rule Definition
- action - condition
- h - ?b1 ? ? ?bn
- Guest users must send all HTTP traffic
- via a proxy
- allow(Flow) - guest(Usrc) ? http Prot ?
proxy(Hdst)
7
- allow(Flow) - guest(Usrc) ? http Prot ?
proxy(Hdst)
allow(Flow) - guest(Usrc) ? http Prot ?
proxy(Hdst)
allow(Flow) - guest(Usrc) ? http Prot ?
proxy(Hdst)
allow(Flow) - guest(Usrc) ? http Prot ?
proxy(Hdst)
allow(Flow) - guest(Usrc) ? http Prot ?
proxy(Hdst)
NAC Actions allow waypoint rate-limit deny Varia
bles access points hosts users protocol flow
header tuple
An FML policy is an unordered set of rules
8
Example Rules
- Require authentication
- http_redirect(Flow) - unauthenticated Usrc ?
http Prot - Define group behavior
- allow(Flow) - (registered(Hsrc)
registered(Hdst)) ? http Prot - waypoint(Flow, proxy) - guest(Usrc) ? http
Prot - rate-limit(Flow, 1Mbps) - students(Usrc)
students(Udst) - Quarantine hosts
- deny(Flow) - blacklist(Hsrc) blacklist(Hdst)
- Isolate hosts
- deny(Flow) - classified(Hsrc) ?
unclassified(Hdst)
9
Policy Model Goals
- Exception Model
- waypoint(Flow, proxy) - guest(Usrc) ? http
Prot - deny(Flow) - guest(Usrc)
- Composition Model
- waypoint(Flow, proxy) - guest(Usrc) ? http
Prot - rate-limit(Flow, 1Mbps) - http Prot
10
Conflict Resolution
- Action Reconciliation
- deny gt waypoint, rate-limit gt allow
- Ordering of Rule Sets
- Policy 1 gt Policy 2
- waypoint(Flow, proxy) - guest(Usrc) ? http
Prot - cascade()
- deny(Flow) - guest(Usrc)
11
Implementation Requirements
- At least per flow interposition
- Name-to-address bindings
- Any system providing these capabilities can
support FML.
12
NOX
- Openflow Controller
- Maintains Global View of Topology
- Dictates Switch Behavior
- Provides Authentication Framework
13
Policy Engine
Flow Actions
Flow
14
Performance
Flows/second
FML Rules
15
Deployment Experience
- Medical University Network in Japan
- 200 hosts
- In-use for 10 months
- 40 line policy
- NAC-focused
- http_redirect(Flow) - unauthenticated Usrc ?
(workstation(Hsrc) laptop(Hsrc))
? http Prot
16
Ongoing Work
- Distribute Policy Enforcement
- Virtualized Datacenter Support in Progress
- Expand FML to Define Actions
- Conflict Resolution Scheme
- Administrator Debugging Tools
17
Questions?
