#opendaylight-group-policy: ODL usecases

Meeting started by alagalah at 20:07:16 UTC (full logs).

Meeting summary

  1. Enterprise Access Use Cases (alagalah, 20:07:48)
    1. Sanjay says that he hasn’t received any comments/questions on his presentations (tbachman, 20:08:22)
    2. Sanjay asks if we can spend 20-30 minutes to provide this now (tbachman, 20:08:36)
    3. https://wiki.opendaylight.org/view/File:Policy_Usecases.pptx (lenrow, 20:09:47)
    4. Enterprise access control, multi-tier access control are some of the use cases (tbachman, 20:11:15)
    5. alagalah asks if reputation should be in the operational state repository (tbachman, 20:13:36)
    6. Sanjay says that how you handle that should be in the policy repository, but what you do with it could be in an operational repo (tbachman, 20:13:59)
    7. Sanjay notes that the endpoint mapping could change (tbachman, 20:14:26)
    8. readams says that in the contract there are targets, which can be used for quality matching (tbachman, 20:17:47)
    9. the producer and consumer EPGs can have consumer/producer target selectors, which can match on the target qualities (tbachman, 20:18:22)
    10. a condition is something that applies to an endpoint, not to the entire endpoint group (tbachman, 20:19:50)
    11. lenrow asks if a condition is just a boolean (either/or) (tbachman, 20:22:48)
    12. readams says that right now it’s just a flag, but they could be parameterized, but doing so would affect flow rules (tbachman, 20:23:15)
    13. (i.e. increase flow rules exponentially) (tbachman, 20:23:35)
    14. Sanjay thinks that the outside/inside could be treated as a condition, because it changes (tbachman, 20:24:44)
    15. readams says that you can in general avoid using conditions, as you can change EP groups as easily as you change conditions (tbachman, 20:26:02)
    16. Sanjay thinks reputation could also be treated as a condition (tbachman, 20:26:48)
    17. Sanjay asks what a capability is in this example (tbachman, 20:27:33)
    18. readams says you often don’t need requirements and capabilities (tbachman, 20:27:45)
    19. and that those are needed for more advanced policy (tbachman, 20:27:54)
    20. which might be for things like shared services, where you have lots of EPGs mapping to shared services (tbachman, 20:28:12)
    21. readams says that in the common case, that’s easily done as a named contract selection (tbachman, 20:28:29)
    22. lenrow asks if the assumption is that the state of any given condition is maintained by the EP registry (tbachman, 20:31:33)
    23. Sanjay says yes (tbachman, 20:32:24)
    24. mickey_spiegel says there's a question of how dynamic a reputation is (tbachman, 20:32:56)
    25. lenrow wonders whether the change is infrequent enough to be handled by the renderer — does it change at such a rate so that the control plane can be “pre-configured” to handle this (tbachman, 20:34:05)
    26. readams says that you have to update the switches on ingress whether changing EP’s EPG membership vs. changing the EP’s condition (tbachman, 20:34:46)
    27. readams says that in general, the condition is a bit of a workaround to the fact that an EP can only belong to one EPG (tbachman, 20:35:23)
    28. mickey_spiegel says that the point is you have to touch the EP Registry either way (tbachman, 20:36:10)
    29. readams says that complexity will be quadratic for the number of EPGs, and exponential with the number of conditions (tbachman, 20:37:11)
    30. readams points out you can’t withdraw a subject, but you can create another subject who has classifiers with higher priority (tbachman, 20:41:59)
    31. Sanjay wants the ability to take away the access, without introducing a condition — just introduce a higher priority rule (tbachman, 20:42:47)
    32. readams says you can introduce a higher priority rule, as long as it uses the same classifiers (tbachman, 20:43:07)
    33. lenrow asks what the action associated with “withdraw” looks like — is it a drop? (tbachman, 20:44:27)
    34. Sanjay says yes. (tbachman, 20:44:34)
    35. readams says that classifiers in general should be applying to layer 4 and up (tbachman, 20:45:46)
    36. mickey_spiegel asks if subjects have priorities (tbachman, 20:46:43)
    37. readams says yes - the reason that if you just put them on the rules, then it’s much harder (tbachman, 20:47:01)
    38. mickey_spiegel asks if he has QoS permit, deny, and redirect — they would be in different subjects? (tbachman, 20:47:44)
    39. readams says that you get one action-set, and then you’re done (tbachman, 20:48:10)
    40. Sanjay says that in order to create deny rules — effectively do away with deny, that they came up with the idea of withdrawing subjects… overriding subjects with other subjects (tbachman, 20:49:00)
    41. readams says that’s not the way the current GBP model works (tbachman, 20:49:14)
    42. readams says you can have two classifiers that apply to different sets of traffic (tbachman, 20:49:32)
    43. readams says that in the case where the only action is permit-only, then it’s easy (tbachman, 20:50:03)
    44. but multiple actions based on different classifiers, then it becomes a multi-stage process (tbachman, 20:50:22)
    45. readams says that trying to map the semantics of this onto actual systems, then you end up with a large number of rules to be generated (tbachman, 20:50:57)
    46. Sanjay would like to have follow-on discussions with the “withdraw” concept (tbachman, 20:52:46)
    47. Sanjay recommends moving this to the arch/model meeting (Friday), and continuing for now (tbachman, 20:53:20)
    48. mickey_spiegel thinks there are two overlapping things here (tbachman, 20:54:14)
    49. one is wanting to do different actions in logically different tables (tbachman, 20:54:23)
    50. the other is whether this construct allows for conflicts, where it looks like two things apply but one has to win (tbachman, 20:54:40)
    51. readams says that the model documentation does a good job of describing the semantics (tbachman, 20:55:02)
    52. this only becomes an issue when you want to do things like apply QoS and do allow/deny (tbachman, 20:55:30)
    53. lenrow asks what if you want to do QoS and NAT? (tbachman, 20:55:41)
    54. readams says that NAT can be provided by the infrastructure (tbachman, 20:56:01)
    55. readams says that every EPG has an L3 context associated with it, which affects addressability (tbachman, 20:57:10)
    56. If they are in different L3 contexts, you could allow them to communicate with a sort of double-NAT (tbachman, 20:57:31)
    57. readams says this is a forwarding context property (tbachman, 20:58:08)
    58. readams says that anything L3 or below shouldn’t be in your policy (tbachman, 20:58:22)
    59. this would be an infrastructure-level configuration item (tbachman, 20:58:50)
    60. readams says that any kind of labeling action (QoS, add a timestamp, etc.) then it makes sense (tbachman, 20:59:39)
    61. readams says that multi-table can grow complexity, and needs to be thought through (tbachman, 21:03:09)
    62. mickey_spiegel says that 2 or 3 lookups based on separate keys is a useful thing to have (tbachman, 21:05:18)
    63. readams says that this gets complicated when you start looking at different HW vendors (tbachman, 21:05:32)
    64. lenrow asks about HW that does TTP, where multiple tables are used to do multi-table OF? (tbachman, 21:06:00)
    65. readams says we can probably define specific sets of things, that might be doable (tbachman, 21:06:59)
    66. lenrow asks if we want to talk about any more of these use cases today? (tbachman, 21:09:26)
    67. mickey_spiegel asks if any of these use cases bring out new issues (tbachman, 21:10:11)
    68. Sanjay says he’s already covered these: service inclusion in the clauses, and priority between static and dynamic rules (tbachman, 21:10:37)
    69. lenrow asks what language we’re using to express this (e.g. the language that dvorkin introduced in a recent meeting) (tbachman, 21:12:24)
    70. Sanjay says that the first step would be to make sure that the use case maps to all the constructs (tbachman, 21:12:49)
    71. and the second step is to write it out in that language (tbachman, 21:13:01)
    72. uchau1 asks if dvorkinista’s language is reconciled with the current model (tbachman, 21:13:22)
    73. ACTION: tbachman to provide the latest UML model (tbachman, 21:14:38)
    74. uchau1 asks if the yang has been updated with all the latest policy constructs (tbachman, 21:16:31)
    75. uchau1 asks what the right language is to create this (tbachman, 21:16:45)
    76. readams says that the language that exists right now is the RESTCONF XML or JSON (tbachman, 21:17:52)
    77. readams says you can check out the GBP project, run it, and look at the auto-generated API documentation (tbachman, 21:18:21)
    78. readams says that you get the REST APIs exposed on port 8080 (tbachman, 21:18:43)
    79. uchau1 says that the documentation doesn’t really describe how it’s structured. (tbachman, 21:19:22)
    80. readams says that the yang model and policy arch documentation should provide a good basis for this (tbachman, 21:19:40)
    81. http://localhost:8080/apidoc/explorer (readams, 21:20:43)
    82. http://localhost:8080/apidoc/explorer is the link to use for looking at the documentation (tbachman, 21:21:18)
    83. Sanjay asks if anyone wants to help him with the conversion? (tbachman, 21:21:58)
    84. readams points out that the JSON is an internal API, and not what would be presented to an end-user (tbachman, 21:22:29)

  2. Service Function Chaining IETF Use Cases (tbachman, 21:27:28)
    1. lenrow says that he’s been having 1-on-1 conversations w/Paul Quinn (tbachman, 21:27:45)
    2. ACTION: lenrow will post the SFC use case slides to the wiki (tbachman, 21:28:39)
    3. A tenant identifier has to be carried along with the traffic to be serviced (tbachman, 21:29:25)
    4. It has to be noted that the SNs themselves may be deployed in different domains to suit the deployment needs of the SP and hence using the domain in which the SN is deployed is not an option. Although such a model is feasible it removes the deployment flexibility for the service providers to the WAN edge. (tbachman, 21:30:42)
    5. To support multi-tenant aware service functions or SNs, traffic being serviced by a service function chain has to be identified by a tenant identifier. (tbachman, 21:31:15)
    6. lenrow thinks the right thing to do is to match SFC behaviors onto EPGs (tbachman, 21:32:31)
    7. Firewall engines are an EPG, etc. (tbachman, 21:32:44)
    8. and the question becomes how you pick an EPG (e.g. proximity) (tbachman, 21:32:56)
    9. mickey_spiegel asks what lenrow means by allocating pools of firewalls (tbachman, 21:33:34)
    10. lenrow says that the policy shouldn’t be bogged down by “which device implements the FW” (tbachman, 21:34:28)
    11. mickey_spiegel then asks why you’d want that implied by the intent? (tbachman, 21:34:46)
    12. lenrow says that the physical and virtual middle-boxes are an EPG and it makes sense to model them that way b/c that’s how you think about them. (tbachman, 21:35:15)
    13. Sanjay says this feels like an intent kind of thing (tbachman, 21:35:30)
    14. lenrow says that the intent is for the two EPGs to go through a third EPG (tbachman, 21:35:44)
    15. lenrow says that we’re not turning the renderer into an L4 services platform — it only knows how to steer things. (tbachman, 21:36:04)
    16. Sanjay says he thought things were specified at a higher level. (tbachman, 21:36:35)
    17. mickey_spiegel understands that the details of L4-7 don’t need to be in the renderer, but that the renderer doesn’t need to care about which device it is. (tbachman, 21:37:09)
    18. mickey_spiegel says we can use an indirection to avoid putting this into the intent (tbachman, 21:37:41)
    19. the indirection allows an expert to define all of this (tbachman, 21:38:04)
    20. Sanjay says that at the intent level we’d need to define a few more primitives (tbachman, 21:46:02)
    21. lenrow would like to spend time on Friday’s call on things like “what does a redirect look like” (tbachman, 21:46:48)
    22. lenrow is also trying to coordinate with the AAA folks (tbachman, 21:48:11)
    23. lenrow asks if someone would be up for proposing a straw-man for what to talk about on Friday’s meeting (tbachman, 21:51:56)


Meeting ended at 21:53:09 UTC (full logs).

Action items

  1. tbachman to provide the latest UML model
  2. lenrow will post the SFC use case slides to the wiki


Action items, by person

  1. lenrow
    1. lenrow will post the SFC use case slides to the wiki
  2. tbachman
    1. tbachman to provide the latest UML model


People present (lines said)

  1. tbachman (110)
  2. odl_meetbot (5)
  3. alagalah (5)
  4. lenrow (1)
  5. readams (1)


Generated by MeetBot 0.1.4.