Troubleshooting for Intent-based Networking: Joon-Myung Kang and Mario A. Sánchez


  1. Open Networking Summit 2017 Troubleshooting for Intent-based Networking Joon-Myung Kang and Mario A. Sánchez Hewlett Packard Labs

  2. Intent-based Networking; Policy Graph Abstraction and Demo; Troubleshooting and Demo; QnA

  3. Software-Defined Networking
     Layers: Application Plane (SDN Apps); SDN Northbound Interfaces; Control Plane (OpenDaylight, ONOS, etc.); Infrastructure Control Interfaces; Infrastructure (Data) Plane (Cloud/IT/SDN/NFV)
     Annotations: Open APIs; Program Languages; Abstraction; Vendor specific; Low-level specifics; Manual operations; …

  5. Intent-based Networking
     – Application Plane says “What” (doesn’t care how)
     – Control Plane reasons “How” (doesn’t care why)
     Intent
     – “what”, not “how” (non-prescriptive)
     – Is portable
     – Is universal
     – Is compose-able
     – Is invariant
     – Is scale-able
     Layers: Application Plane (SDN Apps); INTENT North Bound Interface; Control Plane (OpenDaylight, ONOS, etc.); Infrastructure Control Interfaces; Infrastructure (Data) Plane (Cloud/IT/SDN/NFV)
     Intent: “I want my headache to stop”. Prescription: “Give me two aspirins”.
     Source: Dave Lenrow, “Intent As The Common Interface to Network Resources,” Intent Based Network Summit 2015 ONF Boulder: Intent NBI

  6. Intent-based Networking Examples: WEB/Gold/Working Hour; No connect/Wireless; Configure new guest WiFi

  7. Intent-based Networking Examples: WEB/Gold/Working Hour; INVISIBLE; No connect/Wireless; Configure new guest WiFi

  8. Intent-based Networking Open Source Efforts
     – ONF Open Source SDN Boulder
       – Define Intent North Bound Interface (NBI)
       – http://opensourcesdn.org/projects/project-boulder-intent-northbound-interface-nbi/
       – https://community.opensourcesdn.org/wg/IntentNBI/dashboard
       – ONF Intent NBI – Definition and Principles, Draft Version 6, Sep. 2016
     – OpenDaylight NIC – Network Intent Composition
       – Manage and direct network services and network resources based on the given “Intent”
       – https://wiki.opendaylight.org/view/Network_Intent_Composition:Main
       – https://wiki.opendaylight.org/view/Network_Intent_Composition:Graph
     – ONOS Intent Framework
       – Allows applications to specify their network control desires in form of policy rather than mechanism (Intent)
       – https://wiki.onosproject.org/display/ONOS/Intent+Framework

  9. Policy Graph Abstraction (PGA): PGA overview

  10. PGA is Real: Public resources
      – Research Paper and Demo: ACM SIGCOMM 2015, London, UK
      – Running System and Open Source Contributions: OpenStack Summit 2015, 2016; OpenDaylight Summit 2015, 2016

  11. Policy Management in Practice

  12. Policy Graph Abstraction (PGA)
      Diagram stages: Policy sources; Graph abstraction; graph composition; Unified, conflict-free policy graph; Deploy
      [Figure: composed policy graph]

  13. PGA Example
      – Label namespace across cloud services and network, capturing overlap vs. disjoint relations between labels
      [Figure: label example, CPU Utilization: > 90%, <= 90%]

  14. PGA Example
      – Label namespace across cloud services and network, capturing overlap vs. disjoint relations between labels
      – 4 individual input policies
      Policy sources: (a) Enterprise IT admin; (b) Application admin; (a) Departments admin; (c) SDN app: HPE Net Protector; (d) Cloud operator
      [Figure: the four input policy graphs and the label namespace tree (Tenant, Location, Status), with label mappings Engg: Campus-A; Mktg: Campus-B; Application: Cloud; Empl: Net protector]

  15. PGA Example
      – 4 individual input policies
      – Label namespace across cloud services and network, capturing overlap vs. disjoint relations between labels
      – Proactive, automatic composition
      – Scalable algorithm: 13 mins to compose 20K ACL + service chain policies
      Policy sources: (a) Enterprise IT admin; (b) Application admin; (a) Departments admin; (c) SDN app: HPE Net Protector; (d) Cloud operator
      [Figure: the four input policy graphs, the label namespace tree (Tenant, Location, Status) with label mappings Engg: Campus-A; Mktg: Campus-B; Application: Cloud; Empl: Net protector, and the composed policy graph]

  16. PGA Current status: PGA implementation and impact
      – PGA model, composition, deployment, and tool to convert ACL policy configuration to PGA intent specification
      – PGA prototype for OpenStack (Juno ~ Newton)
      – PGA Intent APIs and graph compiler contributed to ODL/NIC Beryllium release
      – Troubleshooting for intent based policy management
      – Conflict detection
      – Composition correctness verification
      – Intent addition/modification/deletion

  17. Live Demo: PGA Basic Operations

  18. PGA Demo

  19. Troubleshooting With Intent-based Networking

  20. Network debugging/troubleshooting a difficult task
      [Figure: Policy (WEB, NO CONNECT) and Network; tools shown: tcpdump, ping, traceroute, SNMP, sflow]
      Picture sources:
      – http://simplearchitectures.blogspot.com/2013/08/addressing-data-center-complexity.html
      – http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2-1/ServSecDC/8_NIDS.html
      – http://www.ntstn.com/category/troubleshooting/network-troubleshooting

  21. Systematic troubleshooting
      – Know intent of the operator
      – Check network behavior against operator intent
      Callout: Difficult to achieve in legacy networks
      Intent-based networking
      – Policy is a first-class citizen
      – Intent explicitly expressed at policy layer
      – Forwarding semantics explicitly defined
      – Code compiles policy description into lower-level configuration
      Callout: Opportunity to rethink network debugging

  22. Intent-based Networking
      – Control Apps – Specify routing/access control policies
      – Logical view – Simplified/abstract representation of network
      – Physical view – One-to-one correspondence with the physical network
      – Controller’s job to configure the network devices (OpenFlow)
      Layers: Application Plane (SDN Apps); INTENT North Bound Interface; Controller Plane (OpenDaylight, ONOS, etc.); Infrastructure Control Interfaces; Infrastructure (Data) Plane (Cloud/IT/SDN/NFV)

  23. Intent-based Networking
      – Control Apps – Specify routing/access control policies
      – Logical view – Simplified/abstract representation of network
      – Physical view – One-to-one correspondence with the physical network
      – Controller’s job to configure the network devices (OpenFlow)
      • Each layer performs one piece of translation process
      • Every layer should correctly map to every other layer
      • Most errors in SDN are mistranslations between layers
      Layers: Application Plane (SDN Apps); INTENT North Bound Interface; Controller Plane (OpenDaylight, ONOS, etc.); Infrastructure Control Interfaces; Infrastructure (Data) Plane (Cloud/IT/SDN/NFV)

  24. Checking network behavior against intent
      – Early debugging tools for OpenFlow-enabled networks
      – Ndb, OFRewind, NetSight, netwatch, netshark, nprof…
      – Easier to discover the source of network problems [Faulty device firmware, inconsistent flow rules, faulty routing…]
      – Testing and verification complement network troubleshooting and debugging [Loop freedom, black holes, performance of OpenFlow switches…]
      Callout: Too low level!

  25. Knowing the operator’s intent
      Does the Actual Network Behavior Match the Policy?
      – If NO… Match the symptoms to responsible system component
      – If YES… The policy itself is the problem, a human must resolve the discrepancy
      – If unwanted behavior persists & all state layers are equivalent:
      – The configured policy must not match the operator’s intent

  26. Troubleshooting System
      Query Examples
      – Reachability/Connectivity checking
      – Can A talk to B?
      – Security vulnerability or Risk assessment
      – Addition/removal/edition correctness
      [Figure: User/App 1, User/App 2, … User/App n; GUI; User Intents; Query; Results; Input graphs; Composed graph; Metadata; Troubleshooting; PGA System; Infrastructure Controllers]

  27. Troubleshooting Examples
      Reachability – Can A talk to B?
      – What EPG do nodes belong to?
      – Is there an edge connecting both EPGs?
      – What security groups should be checked?
      – What middleboxes should be checked?
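
The reachability query from slides 25 to 27, as an added example (not code from the presentation or the PGA project): it resolves each endpoint to its EPG, looks for an edge between the two EPGs in the composed graph, and reports which security groups and middleboxes to inspect. The endpoint names, the graph contents and the `sg-<EPG>` security-group naming are constructed assumptions.

```python
# Constructed sample data modelled on the slide labels (assumption, not PGA output).
ENDPOINT_LABELS = {            # hypothetical endpoint -> labels attached to it
    "mktg-laptop": {"Mktg", "Cmp-B", "Normal"},
    "engg-laptop": {"Engg", "Cmp-A", "Qn"},
    "web-vm": {"Web", "Cloud"},
    "db-vm": {"DB", "Cloud"},
}
EPGS = {                       # composed-graph EPG -> conjunction of labels
    "Mktg&Cmp-B&Normal": {"Mktg", "Cmp-B", "Normal"},
    "Engg&Cmp-A&Qn": {"Engg", "Cmp-A", "Qn"},
    "Web&Cloud": {"Web", "Cloud"},
    "DB&Cloud": {"DB", "Cloud"},
}
EDGES = [                      # (src EPG, dst EPG, allowed protocols, service chain)
    ("Mktg&Cmp-B&Normal", "Web&Cloud", {"HTTP"}, ["FW", "LB"]),
    ("Web&Cloud", "DB&Cloud", {"SQL"}, ["BC"]),
]

def epg_of(endpoint):
    """What EPG does the node belong to? Composed EPGs are disjoint, so expect one."""
    labels = ENDPOINT_LABELS[endpoint]
    hits = [name for name, need in EPGS.items() if need <= labels]
    if len(hits) != 1:
        raise ValueError(f"{endpoint}: expected exactly one EPG, got {hits}")
    return hits[0]

def can_talk(src, dst, proto):
    """Is there an edge connecting both EPGs, and what sits on that path?"""
    s, d = epg_of(src), epg_of(dst)
    result = {"allowed": False, "src_epg": s, "dst_epg": d,
              "security_groups": [f"sg-{s}", f"sg-{d}"],   # assumed naming
              "middleboxes": []}
    for es, ed, protos, chain in EDGES:
        if (es, ed) == (s, d) and proto in protos:
            result.update(allowed=True, middleboxes=list(chain))
    return result

def diagnose(src, dst, proto, observed_ok):
    """Compare the policy answer with observed behaviour (e.g. from a probe)."""
    r = can_talk(src, dst, proto)
    if r["allowed"] == observed_ok:
        return "behaviour matches policy; if unwanted, review the policy itself", r
    return "behaviour deviates from policy; inspect the listed components", r
```

Traffic observed where the graph has no edge is the case of most interest for security review: the query still returns the two EPGs' security groups so the over-permissive rule can be located.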
