Presentation on theme: "Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley."— Presentation transcript:
Network Configuration Today
  Distributed state
    VLANs, subnets, ACLs, NAT, routing policies…
  Problems
    Low-level, indirect mechanisms [Maltz04]
    Topology-dependent [Bellovin99]
    Connectivity is difficult to reason about [Xie04]
Our Goal
  Design a policy language to simplify network configuration without loss of today's expressiveness.
Language Goals
  Maintain Today's Expressiveness
  Support High-level Naming
    Guests must send all HTTP traffic via a proxy
  Single Point of Declaration
    Clear how traffic will be treated
  Support Composition and Exception Policy Models
  Performance
    Amenable to efficient implementation
  Extensibility
    Multiple Authorship
FML Overview
  Form of nonrecursive Datalog
  Flow-based
    An FML policy is a set of rules declared over a flow and its high-level attributes
    Attributes include src/dst access points, hosts, and users
    Rules that match a flow dictate its policy
Rule Definition
  action :- condition
  h :- [ ] b_1 … [ ] b_n
  Guest users must send all HTTP traffic via a proxy
  allow(Flow) :- guest(U_src) http = Prot proxy(H_dst)
NAC
  Actions
    allow waypoint rate-limit deny
  Variables
    access points hosts users protocol flow header tuple
  allow(Flow) :- guest(U_src) http = Prot proxy(H_dst)
  An FML policy is an unordered set of rules
Deployment Experience
  Medical University Network in Japan
  200 hosts
  In-use for 10 months
  40 line policy
  NAC-focused
  http_redirect(Flow) :- unauthenticated = U_src (workstation(H_src) | laptop(H_src)) http = Prot
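Added example (not from the presentation or the FML project): a small Python evaluator for the two rules shown on the slides, treating a policy as an unordered set of rules over a flow's attributes. The fact tables, the flow field names (u_src, h_src, h_dst, prot) and the helper functions are hypothetical, and it assumes the literals in a rule body are conjoined.

```python
# Added illustration; not FML's implementation. All names and data are constructed.
from itertools import product

# Constructed fact tables: unary predicates over users and hosts.
FACTS = {"guest": {"alice"}, "proxy": {"proxy1"},
         "workstation": {"ws7"}, "laptop": {"lt3"}}

def pred(name, attr):      # predicate `name` holds for flow attribute `attr`
    return ("pred", name, attr)

def eq(attr, const):       # flow attribute `attr` equals constant `const`
    return ("eq", attr, const)

def either(*literals):     # the "|" used in the http_redirect rule
    return ("or",) + literals

# The two rules from the slides. Assumption: body literals are conjoined.
POLICY = [
    ("allow", [pred("guest", "u_src"), eq("prot", "http"), pred("proxy", "h_dst")]),
    ("http_redirect", [eq("u_src", "unauthenticated"),
                       either(pred("workstation", "h_src"), pred("laptop", "h_src")),
                       eq("prot", "http")]),
]

def expand(rules):
    """Rewrite each "|" group into separate conjunctive rules with the same head."""
    out = []
    for head, body in rules:
        choices = [lit[1:] if lit[0] == "or" else (lit,) for lit in body]
        out.extend((head, list(combo)) for combo in product(*choices))
    return out

def holds(literal, flow):
    kind, a, b = literal
    return flow.get(b) in FACTS[a] if kind == "pred" else flow.get(a) == b

def actions_for(flow, rules):
    """Every action whose rule body the flow satisfies; rule order is irrelevant."""
    return {head for head, body in rules if all(holds(l, flow) for l in body)}

RULES = expand(POLICY)

# Constructed sample flows.
GUEST_VIA_PROXY = {"u_src": "alice", "h_src": "lt3", "h_dst": "proxy1", "prot": "http"}
GUEST_DIRECT = {"u_src": "alice", "h_src": "lt3", "h_dst": "web9", "prot": "http"}
UNAUTH_LAPTOP = {"u_src": "unauthenticated", "h_src": "lt3", "h_dst": "web9", "prot": "http"}

if __name__ == "__main__":
    for name, flow in [("guest via proxy", GUEST_VIA_PROXY),
                       ("guest direct", GUEST_DIRECT), ("unauth laptop", UNAUTH_LAPTOP)]:
        print(name, "->", sorted(actions_for(flow, RULES)))
```

A flow that matches no rule, such as the guest going directly to a web server, yields an empty action set here; the slides do not state what the default treatment is.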
Ongoing Work
  Distribute Policy Enforcement
  Virtualized Datacenter Support in Progress
  Expand FML to Define Actions
  Conflict Resolution Scheme
  Administrator Debugging Tools