Presentation is loading. Please wait.

Presentation is loading. Please wait.

Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley.

Published byCharles Clark Modified over 11 years ago

Similar presentations

Presentation on theme: "Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley."— Presentation transcript:

1 Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley

2 Network Configuration Today Distributed state VLANs, subnets, ACLs, NAT, routing policies… Problems Low-level, indirect mechanisms [Maltz04] Topology-dependent [Bellovin99] Connectivity is difficult to reason about [Xie04]

3 Our Goal Design a policy language to simplify network configuration without loss of todays expressiveness.

4 Language Goals Maintain Todays Expressiveness Support High-level Naming Guests must send all HTTP traffic via a proxy Single Point of Declaration Clear how traffic will be treated Support Composition and Exception Policy Models Performance Amenable to efficient implementation Extensibility Multiple Authorship

5 FML Overview Form of nonrecursive Datalog Flow-based An FML policy is a set of rules declared over a flow and its high-level attributes Attributes include src/dst access points, hosts, and users Rules that match a flow dictate its policy

6 Rule Definition action :- condition h :- [ ] b 1 … [ ] b n Guest users must send all HTTP traffic via a proxy allow(Flow) :- guest(U src ) http = Prot proxy(H dst )

7 NAC Actions allow waypoint rate-limit deny Variables access points hosts users protocol flow header tuple allow(Flow) :- guest(U src ) http = Prot proxy(H dst ) An FML policy is an unordered set of rules allow(Flow) :- guest(U src ) http = Prot proxy(H dst )

8 Example Rules # Require authentication http_redirect(Flow) :- unauthenticated = U src http = Prot # Define group behavior allow(Flow) :- (registered(H src ) | registered(H dst )) http = Prot waypoint(Flow, proxy) :- guest(U src ) http = Prot rate-limit(Flow, 1Mbps) :- students(U src ) | students(U dst ) # Quarantine hosts deny(Flow) :- blacklist(H src ) | blacklist(H dst ) # Isolate hosts deny(Flow) :- classified(H src ) unclassified(H dst )

9 Policy Model Goals Exception Model waypoint(Flow, proxy) :- guest(U src ) http = Prot deny(Flow) :- guest(U src ) Composition Model waypoint(Flow, proxy) :- guest(U src ) http = Prot rate-limit(Flow, 1Mbps) :- http = Prot

10 Conflict Resolution Action Reconciliation deny > [ waypoint, rate-limit ] > allow Ordering of Rule Sets Policy 1 > Policy 2 waypoint(Flow, proxy) :- guest(U src ) http = Prot cascade() deny(Flow) :- guest(U src )

11 Implementation Requirements At least per flow interposition Name-to-address bindings Any system providing these capabilities can support FML.

12 NOX Openflow Controller Maintains Global View of Topology Dictates Switch Behavior Provides Authentication Framework

13 Policy Engine + Flow Flow Actions Rule Lookup Policy Compiler Namespace Auth Bindings

14 Performance # FML Rules Flows/second

15 Deployment Experience Medical University Network in Japan 200 hosts In-use for 10 months 40 line policy NAC-focused http_redirect(Flow) :- unauthenticated = U src (workstation(H src ) | laptop(H src )) http = Prot

16 Ongoing Work Distribute Policy Enforcement Virtualized Datacenter Support in Progress Expand FML to Define Actions Conflict Resolution Scheme Administrator Debugging Tools

17 Questions?

Download ppt "Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley."

Similar presentations

June 2007NSF Find Forensics and Attribution in Ethane Martin Casado Stanford University With: Michael Freedman, Justin Pettit, Jianying Luo, Natasha Gude,

June 2007NSF Find Forensics and Attribution in Ethane Martin Casado Stanford University With: Michael Freedman, Justin Pettit, Jianying Luo, Natasha Gude,
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 Data-Oriented Network Architecture (DONA) Scott Shenker (M. Chowla, T. Koponen, K. Lakshminarayanan, A. Ramachandran, A. Tavakoli, I. Stoica)

1 Data-Oriented Network Architecture (DONA) Scott Shenker (M. Chowla, T. Koponen, K. Lakshminarayanan, A. Ramachandran, A. Tavakoli, I. Stoica)
An OpenFlow Extension for the OMNeT++ INET Framework

An OpenFlow Extension for the OMNeT++ INET Framework
Toward Practical Integration of SDN and Middleboxes

Toward Practical Integration of SDN and Middleboxes
Implementing Inter-VLAN Routing

Implementing Inter-VLAN Routing
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Applying NOX to the Datacenter Arsalan Tavakoli, Martin Casado, Teemu Koponen, and Scott Shenker 10/22/2009Hot Topics in Networks Workshop 2009.

Applying NOX to the Datacenter Arsalan Tavakoli, Martin Casado, Teemu Koponen, and Scott Shenker 10/22/2009Hot Topics in Networks Workshop 2009.
An Overview of Software-Defined Network Presenter: Xitao Wen.

An Overview of Software-Defined Network Presenter: Xitao Wen.
OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.

OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.
Leveraging SDN Layering to Systematically Troubleshoot Networks Brandon Heller ★ Colin Scott  Nick McKeown ⌘ Scott Shenker  Andreas Wundsam § Hongyi.

Leveraging SDN Layering to Systematically Troubleshoot Networks Brandon Heller ★ Colin Scott  Nick McKeown ⌘ Scott Shenker  Andreas Wundsam § Hongyi.
An OpenFlow based virtual network environment for Pragma Cloud virtual clusters Kohei Ichikawa, Taiki Tada, Susumu Date, Shinji Shimojo (Osaka U.), Yoshio.

An OpenFlow based virtual network environment for Pragma Cloud virtual clusters Kohei Ichikawa, Taiki Tada, Susumu Date, Shinji Shimojo (Osaka U.), Yoshio.
Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.

Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.
OpenFlow : Enabling Innovation in Campus Networks SIGCOMM 2008 Nick McKeown, Tom Anderson, et el. Stanford University California, USA 2011. 04. 11 Presented.

OpenFlow : Enabling Innovation in Campus Networks SIGCOMM 2008 Nick McKeown, Tom Anderson, et el. Stanford University California, USA Presented.
May, 2006 EdgeNet 2006 The Protection Problem in Enterprise Networks Martin Casado PhD Student in Computer Science, Stanford University

May, 2006 EdgeNet 2006 The Protection Problem in Enterprise Networks Martin Casado PhD Student in Computer Science, Stanford University
Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.

Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.
June, 2006 Stanford 2006 Ethane: Addressing the Protection Problem in Enterprise Networks Martin Casado Michael Freedman Glen Gibb Lew Glendenning Dan.

June, 2006 Stanford 2006 Ethane: Addressing the Protection Problem in Enterprise Networks Martin Casado Michael Freedman Glen Gibb Lew Glendenning Dan.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Gap Analysis of Simplified Use of Policy Abstractions (SUPA) Presenter: Jun Bi draft-bi-supa-gap-analysis-02 IETF 92 SUPA BoF Dallas, TX March 23, 2015.

Gap Analysis of Simplified Use of Policy Abstractions (SUPA) Presenter: Jun Bi draft-bi-supa-gap-analysis-02 IETF 92 SUPA BoF Dallas, TX March 23, 2015.
Policy Based Routing using ACL & Route Map By Group 7 Nischal (304360958) Pranali (304378534)

Policy Based Routing using ACL & Route Map By Group 7 Nischal ( ) Pranali ( )

Similar presentations

Ads by Google