Abstract
Software Defined Networking (SDN) and cloud automation enable a large number of diverse parties (network operators, application admins, tenants/end-users) and control programs (SDN Apps, network services) to generate network policies independently and dynamically. Yet existing policy abstractions and frameworks do not support natural expression and automatic composition of high-level policies from diverse sources. We tackle the open problem of automatic, correct and fast composition of multiple independently specified network policies. We first develop a high-level Policy Graph Abstraction (PGA) that allows network policies to be expressed simply and independently, and leverage the graph structure to detect and resolve policy conflicts efficiently. Besides supporting ACL policies, PGA also models and composes service chaining policies, i.e., the sequence of middleboxes to be traversed, by merging multiple service chain requirements into conflict-free composed chains. Our system validation using a large enterprise network policy dataset demonstrates practical composition times even for very large inputs, with only sub-millisecond runtime latencies.
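The composition the abstract describes, as an added illustration written for this page (it is not the PGA authors' code): endpoint groups are label sets, edges whitelist ports and carry a middlebox chain, a flow is allowed only when every graph that groups both endpoints allows it, and the required chains are merged as ordering constraints with an ordering cycle reported as a conflict. The whitelist-conjunction rule, the cycle-as-conflict rule, and all names and sample graphs are assumptions made here, not details taken from the paper.

```python
from dataclasses import dataclass, field
from graphlib import TopologicalSorter, CycleError

@dataclass(frozen=True)
class Edge:
    src: frozenset     # labels an endpoint needs to be in the source EPG
    dst: frozenset     # same for the destination EPG
    ports: frozenset   # allowed (proto, port) pairs: whitelist semantics
    chain: tuple = ()  # middleboxes the flow must traverse, in this order

@dataclass
class PolicyGraph:
    name: str
    epgs: list                          # endpoint groups, each a label set
    edges: list = field(default_factory=list)
    def covers(self, src, dst):         # graph has a say iff it groups both ends
        return any(g <= src for g in self.epgs) and any(g <= dst for g in self.epgs)
    def matching(self, src, dst, port):
        return [e for e in self.edges if e.src <= src and e.dst <= dst and port in e.ports]

def merge_chains(chains):
    """Merge per-graph chains into one order honouring each; a cycle = conflict (assumed rule)."""
    ts = TopologicalSorter()
    for chain in chains:
        for i, box in enumerate(chain):
            ts.add(box, *chain[:i])     # box must follow everything before it
    try:
        return tuple(ts.static_order()), None
    except CycleError as err:
        return None, "chain ordering conflict: " + " -> ".join(err.args[1])

def compose(graphs, src, dst, port):
    """Decide one flow against all graphs: (allowed, merged chain, reason)."""
    chains = []
    for g in graphs:
        if not g.covers(src, dst):
            continue                    # graph is silent on this endpoint pair
        hits = g.matching(src, dst, port)
        if not hits:
            return False, (), f"denied by {g.name}"  # whitelist: no edge = drop
        chains.extend(e.chain for e in hits)
    chain, conflict = merge_chains(chains)
    return (False, (), conflict) if conflict else (True, chain, "allowed")
# Constructed sample: tenant, operator and audit graphs written independently.
WEB, DB, PROD = frozenset({"web"}), frozenset({"db"}), frozenset({"zone:prod"})
TENANT = PolicyGraph("tenant", [WEB, DB],
                     [Edge(WEB, DB, frozenset({("tcp", 3306)}), ("FW", "LB"))])
OPS = PolicyGraph("ops", [PROD],
                  [Edge(PROD, PROD, frozenset({("tcp", 3306), ("tcp", 443)}), ("IDS", "FW"))])
AUDIT = PolicyGraph("audit", [PROD],
                    [Edge(PROD, PROD, frozenset({("tcp", 3306)}), ("LB", "FW"))])
```

With TENANT and OPS a production web-to-db MySQL flow is allowed through the merged chain IDS, FW, LB; adding AUDIT, which wants LB before FW, is reported as an ordering conflict rather than silently picking one chain.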
PGA: Using Graphs to Express and Automatically Reconcile Network Policies
SIGCOMM '15: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication