This document discusses network policy abstractions in Neutron called Group Policy. It outlines the current network-centric Neutron API and proposes new abstractions including endpoint groups, contracts between groups, and policy rules defining network access. A proof-of-concept implementation separates concerns by allowing administrators to define contracts while users work with application-oriented groups and contracts. Future directions include integrating with network services and advanced policy frameworks.

1. May 2014
Network Policy
Abstractions in Neutron
Mohammad Banikazemi
Sumit Naiksatam
Stephen Wong

2. Outline
❖ Introduction
❖ Neutron Abstractions
❖ Group Policy Extension
❖ PoC Implementation and Demo
❖ Future Directions
❖ Q&A

3. Networking in the Cloud
❖ Current API: network centric
❖ Need a more application centric set of abstractions
as well
❖ More easily understood/utilized by higher layers
❖ Declarative model
❖ Separation of concerns

4. Desired Features
❖ Provide policy-based connectivity between
application tiers
❖ Support dynamic application of policies
❖ Redirection to Network services and chains
❖ Policies defined by administrators and users

5. Current Neutron API
❖ Network centric, close to physical devices
❖ Network: isolated layer-2 broadcast domain; private/shared
❖ Subnet: CIDR IP address block associated with a network;
optionally associated with gateway, DNS/DHCP servers
❖ Port: virtual switch port on a network; has MAC and IP
address properties
❖ Router: connects networks, supports SNAT

6. Example: Multi Tier Apps
Q
Web
Application
DB
Firewall Load
Balancer
QoS
External Network
(Internet)

7. Neutron Representation
Q
Network/
subnet
Network/
subnet
Network/
subnet
Router
External Network
Port
Q
neutron net-create web_tier
neutron subnet-create web_tier 10.0.0.0/24
neutron router-create router1
neutron router-add-interface router1 web_subnet
. . .

8. Group Policy e x t e n s i o n

9. The Basic Idea
❖ Endpoint (EP): Lowest unit of
abstraction where policy is applied
❖ Endpoint Group (EPG): Logical
grouping of endpoints
❖ Policy Rule: Network policies to
access EPGs
❖ Contract: Collection of policy rules

10. EPG-Contract Relationship
❖ An EPG may provide one or more contracts
❖ An EPG may consume one or more contracts
Endpoint
Group
Contract
❖ Application deployer focused

11. Policy Rules
❖ Action is applied to traffic specified by Classifier
Policy Rule
Classifier
Protocol Ports Direction
Action
Type Value
Action
Type
Allow
Redirect
QoS
Log
Copy
Mark
Value
None
Service/Chain
QoS args
Log args
Copy args
Mark args

12. Group Policy - Workflow
neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN
neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW
neutron contract-create Web-Server-Contract --policy-rule insecure-web
❖ Create contract
❖ Create EPGs and provide/consume contracts
neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract
neutron ep-create --endpoint-group Web-Server-EPG
neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract

13. Putting It All Together – 3 Tier App
Web
Application
DB
Firewall Load
Balancer
External Network
(Internet)

14. Group Policy Realization
EPG
Web
EPG
Application
EPG
DB
Firewall
EPG
External Network
(Internet)
Contract
Protocol:TCP
Port:80
Action:Redirect
To FW_LB_CHAIN
ProvidesConsumes
Protocol:TCP
Port:3306
Action:ALLOW
Protocol:TCP
Port:9080
Action:ALLOW
EPG EPG

15. Optional Constructs in Model
❖ Scopes: put constraints around how provider and consumer
EPGs are matched
❖ Policy Rule Filters: allow for tagging Policy Rules with Labels
such that subsets can be created in a Contract
❖ Contract hierarchy: infra admin constraints can be achieved
by Contract hierarchical composition
❖ Endpoint labels: policies get triggered automatically when
labels are added or removed

16. Proof of Concept i m p l e m e n t a t i o n

17. PoC Implementation
❖ Team has worked on a PoC
implementation
❖ Considering various model and
implementation alternatives
❖ Using legacy driver
❖ CLI, Horizon, and Heat
CLI
Neutron
Heat Horizon
Policy Manager
Legacy
Policy Driver
ODL
Policy Driver
others

18. The Group Policy PoC Team
❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco)
❖ Mohammad Banikazemi (IBM)
❖ Stephen Wong (Midokura)
❖ Ronak Shah (Nuage Networks)
❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One
Convergence)
❖ Rudra Rugge (Juniper)

19. State of Implementation
❖ The blueprint for Group Policy has been
reviewed/approved
❖ Working PoC available (install from:
https://github.com/noironetworks/devstack/tree/group-
policy-poc)
❖ Neutron reference implementation for Group Policy is in
progress
❖ Complementary work on network services framework is in
progress

20. More Information
❖ Neutron Group-based Policy design session
May 16 • 10:50am - 11:30am • B304
❖ Wiki page:
https://wiki.openstack.org/wiki/Neutron/GroupPolicy
❖ Neutron Group Policy Sub-Team Meeting IRC weekly meetings:
https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy

21. Backup

22. PoC

23. Separation of Concerns
❖ Different aspect of operations
performed by different agents
❖ Administrators specify the more
network specific requirements
❖ Other tenants specify app
specific

24. Dynamic/Automatic Updates
❖ Slide 12

25. Dynamic / Automatic Updates
❖ Slide 12

26. Multiple Policy Frameworks
Network
Policy
Manager
AdministratorMark hosts
as infected
All infected machines
should be quarantined Create access policy quarantine
(to end points labeled "infected")
SystemWide
PolicyManager

27. Outline of Policies
❖ Contract C1:
❖ Policy rule: redirect my_service_chain_fw_lb
❖ Contract C2:
❖ Policy rule: allow all
❖ Contract C3:
❖ Policy rule: allow all
❖ Policy rule: QoS my_qos_spec

28. Group Policy
a
c l o s e r
l o o k

29. EPG-Contract Relationship
Provide /
Consume
❖ Let’s look at more details
Endpoint
Group
Contract

30. Contract Scopes
❖ Contracts are provided and consumed through contract scopes
Contract Scope
Selector
Provider-
Capability/Consumer-
Role
Selector
Scope
Global
Tenant
EPG
Value
None
Tenant ID
EPG ID
❖ Selectors specify the scope: Global/Tenant/EPG
❖ Provider-Capabilities/Consumer-Roles: Policy labels, which allow
defining granular constraints within the contract

31. Policy Rules
Policy Rule
Classifier
Protocol Ports Direction
Action
Type Value

32. Policy Rules
❖ Filters/Labels used to limit policy rules provided/consumed
Policy Rule
Filter
Provider
Capability
Consumer
Role
Classifier
Protocol Ports Direction
Action
Type Value

33. Contract
Hierarchy of Contracts
❖ Contracts can refer to other contracts
❖ Specifying base contracts by administrators
Provide /
Consume
Endpoint
Group

34. Using Neutron Advanced Services
To fully take advantage of Group Policy:
❖ Defining a policy container for services
Leveraging advanced services:
❖ Unified, generic and flexible service definition
❖ Support for various service insertion modes
❖ Support for various service manifestations
❖ Service chaining and traffic steering

35. Group Policy r i c h
c o n s t r u c t

36. Dynamic Updates
Q
Web
Application
DB
Firewall Load
Balancer
QoS
External Network
(Internet)
Web

37. Separation of Concerns
Group
Policy
Manager
Administrator
Users
Allocate Network Resources
Sets up network contracts
Sets up access contracts
Create application contracts
Provide/consume contracts

38. Multiple Providers with Failover
Group
Policy
Manager
ProviderA
Provide contract
Set scope to Global
ProviderB
Users
Consume contract
Provide contract
Set scope to Global
Administrator
Create contracts

39. Other Policy Frameworks
Group
Policy
Manager
Administrator
Congress
Label hosts
as infected
All infected machines
should be quarantined Create access contract quarantine
(to end points labeled "infected")

40. Heat Implementation
❖ Native Neutron heat resources
❖ WIP patch available on Gerrit
❖ Provides richer and simpler abstraction
❖ Allows for complex topology declaration
❖ Demo HOT template
❖ Publishes secure web service