Flow-based Management Language

Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley.

Mar 27, 2015


Transcript
Page 1: Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley.

Flow-based Management Language

Page 2: Network Configuration Today

• Distributed state
  • VLANs, subnets, ACLs, NAT, routing policies…
• Problems
  • Low-level, indirect mechanisms [Maltz04]
  • Topology-dependent [Bellovin99]
  • Connectivity is difficult to reason about [Xie04]

Page 3: Our Goal

Design a policy language to simplify network configuration without loss of today’s expressiveness.

Page 4: Language Goals

• Maintain Today’s Expressiveness
• Support High-level Naming
  • “Guests must send all HTTP traffic via a proxy”
• Single Point of Declaration
  • Clear how traffic will be treated
• Support Composition and Exception Policy Models
• Performance
  • Amenable to efficient implementation
• Extensibility
  • Multiple Authorship

Page 5: FML Overview

• Form of nonrecursive Datalog
• Flow-based

An FML policy is a set of rules declared over a flow and its high-level attributes.

• Attributes include src/dst access points, hosts, and users
• Rules that match a flow dictate its policy

Page 6: Rule Definition

action :- condition

h :- []b1 ∧ … ∧ []bn

“Guest users must send all HTTP traffic via a proxy”

allow(Flow) :- guest(Usrc) ∧ http = Prot ∧ proxy(Hdst)

Page 7:

An FML policy is an unordered set of rules

allow(Flow) :- guest(Usrc) ∧ http = Prot ∧ proxy(Hdst)

Page 8: Example Rules

Page 9: Policy Model Goals

• Exception Model

  waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  deny(Flow) :- guest(Usrc)

• Composition Model

  waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  rate-limit(Flow, 1Mbps) :- http = Prot

Page 10: Conflict Resolution

• Action Reconciliation

  deny > [ waypoint, rate-limit ] > allow

• Ordering of Rule Sets: Policy 1 > Policy 2

  waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  cascade()
  deny(Flow) :- guest(Usrc)
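The rule semantics from the Rule Definition, Policy Model Goals and Conflict Resolution slides, worked through as an added example in Python. This is not the authors' NOX code. It assumes only two body-literal forms (group membership such as guest(Usrc) and attribute equality such as http = Prot), reads the cascade() separator as "the first rule set with a matching rule decides, lower-ranked sets are consulted only when higher ones are silent", and applies the slides' reconciliation order deny > [waypoint, rate-limit] > allow. The binding tables, group memberships, addresses and flows are constructed sample data, and the function names (to_flow, fired_actions, reconcile, evaluate, demo) are mine.

```python
"""Toy FML-style policy evaluator: nonrecursive Datalog rules over flow attributes,
with the slides' action reconciliation and rule-set cascade.  Added example for this
page, not the authors' NOX implementation; all tables and flows are constructed."""
from dataclasses import dataclass

# --- name-to-address bindings (constructed; in NOX the auth framework supplies them) ---
HOST_OF = {"10.0.0.5": "laptop1", "10.0.0.7": "desk1",
           "10.0.0.9": "proxy1", "10.0.0.20": "server1"}
USER_OF = {"laptop1": "alice", "desk1": "carol"}      # hosts with an authenticated user
PROT_OF_PORT = {80: "http", 22: "ssh"}

# Unary predicates of the Datalog program (guest/1, proxy/1): group membership.
GROUPS = {"guest": {"alice", "bob"}, "proxy": {"proxy1"}}


def to_flow(packet):
    """Raise a packet's addresses to the high-level attributes FML rules are written over.
    Hosts with no bound user get Usrc = 'unauthenticated' (the name used on slide 15)."""
    hsrc, hdst = HOST_OF.get(packet["src_ip"]), HOST_OF.get(packet["dst_ip"])
    return {"Hsrc": hsrc, "Hdst": hdst,
            "Usrc": USER_OF.get(hsrc, "unauthenticated"),
            "Udst": USER_OF.get(hdst, "unauthenticated"),
            "Prot": PROT_OF_PORT.get(packet["dst_port"])}


@dataclass(frozen=True)
class Rule:
    """head(Flow, *args) :- b1 ∧ ... ∧ bn.  Each body literal is either a group
    membership ('guest', 'Usrc') or an attribute equality ('=', 'Prot', 'http')."""
    head: str
    args: tuple = ()
    body: tuple = ()


def holds(literal, flow):
    if literal[0] == "=":
        _, attr, value = literal
        return flow.get(attr) == value
    group, attr = literal
    return flow.get(attr) in GROUPS.get(group, set())


def fired_actions(rules, flow):
    """All heads whose bodies the flow satisfies.  A rule set is unordered, so the
    result does not depend on how the rules are listed."""
    return {(r.head, r.args) for r in rules if all(holds(lit, flow) for lit in r.body)}


# Action reconciliation from the slides: deny > [waypoint, rate-limit] > allow.
RANK = {"deny": 2, "waypoint": 1, "rate-limit": 1, "allow": 0}


def reconcile(actions):
    """Keep only the highest-ranked actions that fired.  waypoint and rate-limit share
    a rank, so both survive and compose; a deny overrides everything else."""
    if not actions:
        return set()
    top = max(RANK[head] for head, _ in actions)
    return {a for a in actions if RANK[a[0]] == top}


def evaluate(cascade, flow):
    """cascade is a list of rule sets ordered Policy 1 > Policy 2 > ...  The first
    rule set in which any rule matches decides (after reconciliation); lower-ranked
    sets are consulted only when the higher ones say nothing about the flow."""
    for rules in cascade:
        actions = fired_actions(rules, flow)
        if actions:
            return reconcile(actions)
    return set()   # no rule mentioned the flow


# The slides' rules.
WAYPOINT_GUEST_HTTP = Rule("waypoint", ("proxy",), (("guest", "Usrc"), ("=", "Prot", "http")))
DENY_GUEST = Rule("deny", (), (("guest", "Usrc"),))
RATE_LIMIT_HTTP = Rule("rate-limit", ("1Mbps",), (("=", "Prot", "http"),))
ALLOW_GUEST_PROXY = Rule("allow", (), (("guest", "Usrc"), ("=", "Prot", "http"), ("proxy", "Hdst")))

# Constructed flows: guest alice browsing via the proxy, alice's ssh, staff carol's http.
GUEST_HTTP = to_flow({"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 80})
GUEST_SSH = to_flow({"src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22})
STAFF_HTTP = to_flow({"src_ip": "10.0.0.7", "dst_ip": "10.0.0.20", "dst_port": 80})


def demo():
    """Decisions for the scenarios the slides discuss, keyed by scenario."""
    one_set = [[WAYPOINT_GUEST_HTTP, DENY_GUEST]]          # exception rules in ONE set
    cascade = [[WAYPOINT_GUEST_HTTP], [DENY_GUEST]]        # same rules, Policy 1 > Policy 2
    composed = [[WAYPOINT_GUEST_HTTP, RATE_LIMIT_HTTP]]    # composition model
    return {
        "one_set/guest_http": evaluate(one_set, GUEST_HTTP),    # deny wins the conflict
        "cascade/guest_http": evaluate(cascade, GUEST_HTTP),    # waypoint: the exception holds
        "cascade/guest_ssh": evaluate(cascade, GUEST_SSH),      # falls through to deny
        "cascade/staff_http": evaluate(cascade, STAFF_HTTP),    # silent: no rule fired
        "composed/guest_http": evaluate(composed, GUEST_HTTP),  # both constraints apply
        "allow+deny/guest_http": evaluate([[ALLOW_GUEST_PROXY, DENY_GUEST]], GUEST_HTTP),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:24} -> {sorted(decision) or 'no rule fired'}")
```

Running the file prints one decision per scenario. The one_set and cascade rows are the point of slide 10: with the waypoint and deny rules in a single unordered set, reconciliation makes deny win for every guest flow, so the "guests may browse only via the proxy" exception is lost; putting the waypoint rule in a higher-ranked set restores it, and guest non-HTTP flows still fall through to the deny.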

Page 11: Implementation Requirements

• At least per-flow interposition
• Name-to-address bindings

Any system providing these capabilities can support FML.

Page 12: NOX

• OpenFlow controller
• Maintains global view of topology
• Dictates switch behavior
• Provides authentication framework

Page 13: Policy Engine

[Block diagram of the policy engine; labelled components: Flow, Rule Lookup, Flow Actions, Policy, Compiler, Namespace, Auth Bindings]

Page 14: Performance

[Plot: flows/second vs. # FML rules]

Page 15: Deployment Experience

• Medical University Network in Japan
  • 200 hosts
  • In use for 10 months
  • 40-line policy
  • NAC-focused

http_redirect(Flow) :- unauthenticated = Usrc ∧ (workstation(Hsrc) | laptop(Hsrc)) ∧ http = Prot

Page 16: Ongoing Work

• Distribute Policy Enforcement
  • Virtualized Datacenter Support in Progress
• Expand FML to Define Actions
  • Conflict Resolution Scheme
• Administrator Debugging Tools

Page 17: Questions?