Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutron

Kyle Mestery, OpenStack Neutron PTL

Upload: mestery

Post on 15-Jan-2015


DESCRIPTION

This is the talk I gave at LinuxCon/CloudOpen 2014 in Chicago around Group Based Policy, a new networking abstraction around policy groups.

TRANSCRIPT

Page 1: Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutron

Group Based Policy

Open Source Policy in OpenDaylight and OpenStack Neutron

Kyle Mestery, OpenStack Neutron PTL

Abstract

As computing has continued to evolve to a more utility or cloud-like environment, one area which has not evolved as much is networking. Concepts relevant 20 years ago such as switches, ports, networks, subnets and routers are today still very much the basic building blocks for operators and application deployers. Group Based Policy looks to extend this landscape by introducing the concepts of groups of endpoints and policy abstractions governing the communication between the groups. With Group Based Policy, application deployers can think in terms relevant to their applications when deploying networking for their applications. This talk will cover an introduction to Group Based Policy and explore its implementation in OpenStack Neutron and OpenDaylight. An overview of how the two work together to achieve harmony for application deployers will also be discussed.

Our hero … the application developer

Application Developer

But first, some history

What is a computer network?

A computer network is a collection of computers and other hardware components interconnected by communication channels that allow sharing of resources and information.

A typical computer network ...

Protocol Soup ...

What if this could be simplified?

Now, back to our hero

Application Developer

Our hero wants to deploy this

Internet (Client Tier), Web/App Server (Web/App Tier), DB (DB Tier)

Currently she does this ...

[Diagram: three Network/subnet blocks, a Router and an External Network]

What if she could do this!

● Policy groups (PG): Web, Application, DB, External Network (Internet)
● Labels between the groups: C1, C2, C3
● Rules shown on the slide:
○ Protocol: TCP, Port: 80, Action: Redirect to FW_LB_CHAIN
○ Protocol: TCP, Port: 9080, Action: ALLOW
○ Protocol: TCP, Port: 3306, Action: ALLOW
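
The three rules on this slide can be written down as data keyed on group membership and evaluated without any reference to subnets or routers. This is an added example, not code from the talk or from the OpenDaylight or Neutron GBP projects. It assumes that C1, C2 and C3 label the three rules in order along External Network, Web, Application and DB, and that unmatched traffic is denied; the endpoint addresses are constructed and the names `GroupRule`, `decide` and `reachable_groups` are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupRule:            # hypothetical name, not a GBP API type
    label: str
    src_group: str
    dst_group: str
    protocol: str
    port: int
    action: str

# Assumption: C1..C3 attach, in order, to the three rules on the slide.
RULES = [
    GroupRule("C1", "External", "Web", "tcp", 80, "REDIRECT:FW_LB_CHAIN"),
    GroupRule("C2", "Web", "Application", "tcp", 9080, "ALLOW"),
    GroupRule("C3", "Application", "DB", "tcp", 3306, "ALLOW"),
]

# Constructed endpoint repository: address -> policy group membership.
ENDPOINTS = {
    "203.0.113.7": "External",
    "10.0.1.10": "Web",
    "10.0.2.10": "Application",
    "10.0.3.10": "DB",
}

def decide(src, dst, protocol, port, endpoints=ENDPOINTS, rules=RULES):
    """Return (action, rule_label); unmatched traffic is denied (assumed default)."""
    src_group, dst_group = endpoints.get(src), endpoints.get(dst)
    if src_group is None or dst_group is None:
        return ("DENY", None)          # unknown endpoint: no group, no policy
    for r in rules:
        if (r.src_group, r.dst_group, r.protocol, r.port) == (
                src_group, dst_group, protocol, port):
            return (r.action, r.label)
    return ("DENY", None)

def reachable_groups(group, rules=RULES):
    """Groups that `group` may initiate traffic to: a quick exposure audit."""
    return sorted({r.dst_group for r in rules if r.src_group == group})

if __name__ == "__main__":
    print(decide("203.0.113.7", "10.0.1.10", "tcp", 80))    # C1 redirect
    print(decide("203.0.113.7", "10.0.3.10", "tcp", 3306))  # no rule: denied
    # Re-addressing the DB server changes the repository, not the rules.
    moved = {**ENDPOINTS, "10.9.9.9": "DB"}
    print(decide("10.0.2.10", "10.9.9.9", "tcp", 3306, endpoints=moved))
```
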

Introducing Group Based Policy

● APIs to allow the user to express intent
○ Separates intent from the actual underlying networking infrastructure
● Application policy abstracted from network specifics
● Open Standards, Open Source, Community Driven
○ OpenDaylight
○ OpenStack Neutron

Group Based Policy Terminology

● Existing constructs
○ Switches
○ Networks
○ Subnets
○ Ports
○ Routers
○ Load balancers
○ Firewalls
● GBP Constructs
○ Policy Point
○ Policy Group

Group Based Policy Elements

● Policy Repository
● Endpoint Repository
● Observer
● Policy Enforcer

The Benefits of Group Based Policy

● Easier application focused networking
● Improved automation
● Consistency
● Extensible policy model
● User defined policy is not dependent on specific networking technologies

Open Source Implementations

By utilizing OpenStack Neutron with OpenDaylight and GBP APIs, application developers and deployers get a fully open source networking policy system.

But first, back to our hero

Application Developer

I need some background information on OpenDaylight and OpenStack.

What is OpenDaylight?

OpenDaylight is an Open Source Software project under the Linux Foundation with the goal of furthering the adoption and innovation of Software Defined Networking (SDN) through the creation of a common industry supported platform.

Code: To create a robust, extensible, open source code base that covers the major common components required to build an SDN solution

Acceptance: To get broad industry acceptance amongst vendors and users

• Using OpenDaylight code directly or through vendor products

• Vendors using OpenDaylight code as part of commercial products

Community: To have a thriving and growing technical community contributing to the code base, using the code in commercial products, and adding value above, below and around.

What is OpenDaylight Building?

OpenDaylight is an open community that is building:

● An evolvable SDN platform capable of handling diverse use cases and implementation approaches
● Common abstractions of capabilities NorthBound for people to program
● Intermediation of those capabilities to multiple Southbound implementations
● Programmable Network services
● Network Applications
● Whatever else we need to make it work
○ Including engineering systems

What Is OpenStack?

Self-service provisioning of virtual machines through a software API

Massively scalable, distributed object store

For tenant created, virtual isolated networks and subnets, and services

Your Application

OpenStack continues to build services which abstract infrastructure and provide highly scalable utilities through REST APIs, command tools and user portals

● Compute (VM provisioning)
● Networking (Virtual, Physical)
● Storage (Object)
● Identity/Authentication
● VM Image Catalog
● User/Admin Portal
● Metering (Ceilometer)
● Storage (Block)
● Orchestration (HEAT)
● Networking Services (LB, FW, VPN, IDS..)

How Does Group Based Policy Fit Into OpenDaylight and OpenStack?

Application Developer

GBP In OpenDaylight

● Active project targeting the Helium Release of OpenDaylight
● Initial code available:
○ https://git.opendaylight.org/gerrit/groupbasedpolicy
● More info on the wiki
○ https://wiki.opendaylight.org/view/Group_Policy:Main

OpenDaylight GBP Architecture

Group Based Policy In OpenStack Neutron

● GBP sub-team focused on proof of concept during Icehouse cycle
● Code patches out for review during Juno
○ https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
○ Patches encompass neutron, CLI, Horizon and Heat

OpenStack GBP Architecture

[Diagram components: CLI, Heat, Horizon, Neutron, Policy Manager, Legacy Policy Driver, ODL Policy Driver, others]

The Open Source Policy “Stack”

● Group Policy as defined by OpenStack
● OpenDaylight provides northbound API for Group Policy and southbound interface for OpFlex protocol.
● OpFlex protocol defined through IETF (OpFlex Control Protocol draft-smith-opflex-00)
● OpFlex Policy Agent with northbound OpFlex protocol interface and southbound interface for device (OVS is the reference implementation).

[Diagram labels: Linux, OVS, libvirt, OpenFlow, OVSDB]

Back to our hero

Application Developer

In Summary

● Group Based Policy goals:
○ Separate application intent from underlying implementation
○ Provide application oriented APIs for application developers and deployers
○ Uses and extends existing open standards and protocols
○ Simplify complex networking for application deployers!

Allows anyone to accomplish this!

● Policy groups (PG): Web, Application, DB, External Network (Internet)
● Labels between the groups: C1, C2, C3

More Information

● For more information on OpFlex and how it integrates with GBP, attend Scott Mann’s talk:
○ Open Source Policy: OpenDaylight and OpFlex
○ Thursday, 2:30-3:20PM
○ Room SB 3

Thank you!

Application Developer