Flow-based Management Language - PowerPoint PPT Presentation

Slides: 18
Provided by: Nata326

Transcript and Presenter's Notes

Title: Flow-based Management Language


1
Flow-based Management Language
  • Tim Hinrichs, University of Chicago
  • Natasha Gude, Stanford University
  • Martín Casado, Stanford University
  • John Mitchell, Stanford University
  • Scott Shenker, ICSI/UC Berkeley

2
Network Configuration Today
  • Distributed state
      • VLANs, subnets, ACLs, NAT, routing policies
  • Problems
      • Low-level, indirect mechanisms [Maltz04]
      • Topology-dependent [Bellovin99]
      • Connectivity is difficult to reason about [Xie04]

3
Our Goal
  • Design a policy language to simplify network
    configuration without loss of today's
    expressiveness.

4
Language Goals
  • Maintain Today's Expressiveness
  • Support High-level Naming
      • Guests must send all HTTP traffic via a proxy
  • Single Point of Declaration
      • Clear how traffic will be treated
  • Support Composition and Exception Policy Models
  • Performance
      • Amenable to efficient implementation
  • Extensibility
  • Multiple Authorship

5
FML Overview
  • Form of nonrecursive Datalog
  • Flow-based
  • An FML policy is a set of rules declared over a
    flow and its high-level attributes
  • Attributes include src/dst access points, hosts,
    and users
  • Rules that match a flow dictate its policy

6
Rule Definition
  • action ← condition
  • h - ?b1 ? ? ?bn
  • Guest users must send all HTTP traffic via a proxy
  • allow(Flow) ← guest(Usrc) ∧ http Prot ∧ proxy(Hdst)

7
  • allow(Flow) ← guest(Usrc) ∧ http Prot ∧ proxy(Hdst)
  • NAC Actions: allow, waypoint, rate-limit, deny
  • Variables: access points, hosts, users, protocol, flow header tuple
  • An FML policy is an unordered set of rules

8
Example Rules
  • Require authentication
      • http_redirect(Flow) ← unauthenticated Usrc ∧ http Prot
  • Define group behavior
      • allow(Flow) ← (registered(Hsrc) registered(Hdst)) ∧ http Prot
      • waypoint(Flow, proxy) ← guest(Usrc) ∧ http Prot
      • rate-limit(Flow, 1Mbps) ← students(Usrc) students(Udst)
  • Quarantine hosts
      • deny(Flow) ← blacklist(Hsrc) blacklist(Hdst)
  • Isolate hosts
      • deny(Flow) ← classified(Hsrc) ∧ unclassified(Hdst)

9
Policy Model Goals
  • Exception Model
      • waypoint(Flow, proxy) ← guest(Usrc) ∧ http Prot
      • deny(Flow) ← guest(Usrc)
  • Composition Model
      • waypoint(Flow, proxy) ← guest(Usrc) ∧ http Prot
      • rate-limit(Flow, 1Mbps) ← http Prot

10
Conflict Resolution
  • Action Reconciliation
      • deny > waypoint, rate-limit > allow
  • Ordering of Rule Sets
      • Policy 1 > Policy 2
      • waypoint(Flow, proxy) ← guest(Usrc) ∧ http Prot
      • cascade()
      • deny(Flow) ← guest(Usrc)
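
The two conflict-resolution mechanisms on this slide, as an added Python sketch that is not FML or NOX code and not from the presentation. It assumes that "http Prot" tests the flow's protocol, that waypoint and rate-limit rank equally (so they compose) below deny and above allow, and that cascade() means the first rule set with a matching rule decides; the names RANK, GUESTS, reconcile and decide are hypothetical.

```python
# Added illustration, not FML or NOX code. A flow is a dict of high-level
# attributes: usrc (source user) and prot (protocol).

# Assumed reading of "deny > waypoint, rate-limit > allow": deny beats both,
# waypoint and rate-limit tie (and so compose), and each beats allow.
RANK = {"deny": 2, "waypoint": 1, "rate-limit": 1, "allow": 0}

GUESTS = {"visitor1"}  # constructed group membership

def guest(user):
    return user in GUESTS

# Rules are (action, argument, condition); order inside a rule set is irrelevant.
POLICY_1 = [
    ("waypoint", "proxy", lambda f: guest(f["usrc"]) and f["prot"] == "http"),
    ("rate-limit", "1Mbps", lambda f: f["prot"] == "http"),
]
POLICY_2 = [
    ("deny", None, lambda f: guest(f["usrc"])),
]

def reconcile(rules, flow):
    """Apply one unordered rule set; keep only the highest-ranked actions."""
    matched = {(action, arg) for action, arg, cond in rules if cond(flow)}
    top = max((RANK[action] for action, _ in matched), default=None)
    return {(action, arg) for action, arg in matched if RANK[action] == top}

def decide(rule_sets, flow):
    """Cascade: the first rule set with a matching rule decides the flow."""
    for rules in rule_sets:
        actions = reconcile(rules, flow)
        if actions:
            return actions
    return set()  # no rule matched; the slides do not state a default

if __name__ == "__main__":
    web = {"usrc": "visitor1", "prot": "http"}  # constructed sample flows
    ssh = {"usrc": "visitor1", "prot": "ssh"}
    print(decide([POLICY_1, POLICY_2], web))   # waypoint and rate-limit compose
    print(decide([POLICY_1, POLICY_2], ssh))   # falls through to deny
    print(decide([POLICY_1 + POLICY_2], web))  # one flat rule set: deny wins
```

Merging both policies into one rule set makes deny override the guest HTTP exception, which is why the exception model needs an ordering between rule sets.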

11
Implementation Requirements
  • At least per flow interposition
  • Name-to-address bindings
  • Any system providing these capabilities can
    support FML.

12
NOX
  • Openflow Controller
  • Maintains Global View of Topology
  • Dictates Switch Behavior
  • Provides Authentication Framework

13
Policy Engine
[Figure: policy engine diagram; labels: Flow, Flow Actions]

14
Performance
[Figure: performance plot; axis labels: Flows/second, FML Rules]

15
Deployment Experience
  • Medical University Network in Japan
  • 200 hosts
  • In use for 10 months
  • 40-line policy
  • NAC-focused
  • http_redirect(Flow) ← unauthenticated Usrc ∧
    (workstation(Hsrc) laptop(Hsrc))
    ∧ http Prot

16
Ongoing Work
  • Distribute Policy Enforcement
  • Virtualized Datacenter Support in Progress
  • Expand FML to Define Actions
  • Conflict Resolution Scheme
  • Administrator Debugging Tools

17
Questions?