OpenDaylight and OpFlex
Scott Mann
The Open Source Policy Stack
- Group Policy as defined by OpenDaylight/OpenStack
  - OpenDaylight and OpenStack provide a northbound API for Group Policy and a southbound interface for the OpFlex protocol.
- OpFlex protocol, defined through the IETF (OpFlex Control Protocol, draft-smith-opflex-00)
- OpFlex Policy Agent, with a northbound OpFlex protocol interface and a southbound interface for the device (OVS is the reference implementation).
  - Linux (Netlink), OVS (OpenFlow, OVSDB), libvirt API
ODL Group-Based Policy Project
The group-based policy project defines an application-centric policy model for OpenDaylight that separates information about application connectivity requirements from information about the underlying details of the network infrastructure.
Group Policy Elements
- Policy Repository
  - A database of policies
  - A policy consists of:
    - Endpoint Groups (EPGs), described below
    - Contracts, which describe how/if EPGs communicate with each other
- Endpoint Repository
  - Database of endpoints and their metadata
  - Endpoints are things that can communicate, like virtual/physical ports
  - Includes the mapping of endpoints into Endpoint Groups (EPGs)
  - EPGs are the smallest entity that can be specified in a policy
- Observer
  - A repository that maintains a database of status updates and exceptions
The Policy Agent's Role
The policy agent's function is to exchange and enforce policy, acting as a participant in a larger policy management system.
The Policy Agent in the Policy System
[Diagram: the Policy Agent exchanges Policy Resolution and Policy Update messages with the Policy Repository, End Point Declaration and End Point Policy Update messages with the End Point Registry, Status with the Observer, and Policy Peering via Triggers with a Policy Agent on another device.]
Policy Agent in the Policy System Explained
- The policy agent (PA):
  - Requests policy resolution from a Policy Repository (PR)
  - Receives policy updates from a PR
  - Indicates end points to an End Point Registry (EPR)
  - Receives policy resolutions
  - Receives updates for the end points
  - Triggers behaviors in peering Policy Elements (PEs), using the Policy Trigger OpFlex messaging
- Status information is sent to an Observer
  - Collects and archives status
  - The Observer may communicate status to other PEs
- PRs, EPRs, PAs, and Observers may be referred to as PEs
Policy Resolution within the Agent
[Diagram: inside the Policy Agent, the Policy Manager handles inbound/outbound TCP/IP, the Managed Object Database sits between it and the Policy Enforcer, and the Policy Enforcer handles in/out to the device (e.g., OVS, vswitches, HW switches, etc.).]
Agent Policy Resolution Explained
- Policy Manager
  - Speaks OpFlex
  - Converts OpFlex into a format useful to the Managed Object Database
  - Manages TCP connections with the PR, EPR, and Observer
- Managed Object Database (MODB)
  - Maintains a hierarchical tree model of the physical/virtual devices under management
  - Updates are propagated appropriately via the northbound and southbound APIs
- Policy Enforcer
  - Conceptually similar to a device driver
  - Translates data from the MODB into sets of appropriate commands/communications to physical and/or virtual devices
  - Monitors devices for updates, which are propagated to the MODB via its API
Reference/OVS Implementation
[Diagram: the OpFlex Agent is composed of OpFlex (Policy Manager), the Managed Objects Store (MODB), and the OVS Render Plugin (Policy Enforcement); below it sits Open vSwitch with OVSDB, the OpenFlow Flow Table, and the SW/HW Datapath.]
Reference/OVS Implementation
- Written in C using standard libraries
- Developed with the OpenDaylight project
- Eclipse and Apache licensing
- Runs on common Linux distributions
- Policy Manager
  - Supports the OpFlex protocol with JSON at L-6
  - Supports at least 3 PRs
- Managed Object Database
  - Queries by class, object ID, or URI
  - Updates generate notifications to the Policy Manager and/or Policy Enforcer as appropriate
  - DB persistence with crash recovery
- Policy Enforcer
  - Policy enforcement between containers and/or virtual machines
  - Interface to the libvirt API (supporting many hypervisors) and OVSDB
  - OVS management via ovs-vsctl, ovs-ofctl, etc.
  - Network management via ip commands
Policy Agent Southbound Path (OVS Implementation)
[Diagram: the Policy/End Point Repository sends JSON to the Policy Manager (receive update, convert JSON to internal form); the MODB updates the database and informs the policy enforcer; the Policy Enforcer translates the managed object and issues the appropriate commands: ovs-vsctl..., ovs-ofctl..., ip addr..., ip link..., etc.]
OVS Policy Agent Southbound Path Explained
- A policy or policy update arrives at the port of the Policy Manager
  - JSON is translated into internal form
  - Internal data is passed to the Managed Object module
- Data is inserted into the database
  - Notification of the database change goes out to subscribers
- The Policy Enforcer receives the update
  - New or modified data is passed to the translator
  - The translator produces a list of commands suitable for the underlying virtual/physical device
  - Dependencies are identified
  - Commands are executed asynchronously
  - Pass/fail of command execution is recorded
  - Failure may cause roll back of successful commands
- Since all commands are issued asynchronously, determination of successful implementation follows the northbound path described next
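One way to realise the enforcer's "commands in dependency order, record pass/fail, roll back on failure" step, as an added C example that is not code from the OpFlex reference agent: each translated command is kept as an argv vector with a compensating undo command, executed directly without a shell so values copied out of policy objects cannot be reinterpreted as shell syntax. Commands run synchronously here for clarity; the bridge/port names are constructed, and the recording runner exists only so the sequence can be checked without OVS installed.

```c
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;
#define MAX_ARGS 8

/* One translated command plus its compensating command (undo[0] == NULL if none). */
struct pe_cmd { const char *argv[MAX_ARGS]; const char *undo[MAX_ARGS]; };
typedef int (*pe_runner)(const char *const argv[]);   /* 0 = success */

/* Real runner: spawn the argv vector directly (no shell) and return its exit status. */
int pe_spawn_run(const char *const argv[])
{
    pid_t pid; int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, (char *const *)argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Test double: log "prog subcommand" and fail for the program named in pe_fail_prog. */
char pe_log[16][32]; size_t pe_log_n; const char *pe_fail_prog;
int pe_fake_run(const char *const argv[])
{
    if (pe_log_n < 16)
        snprintf(pe_log[pe_log_n++], 32, "%s %s", argv[0], argv[1] ? argv[1] : "");
    return (pe_fail_prog && strcmp(argv[0], pe_fail_prog) == 0) ? 1 : 0;
}

/* Apply cmds[0..n) in dependency order. On the first failure, run the undo of
 * every command that already succeeded, newest first, and return the index of
 * the failing command; return -1 when everything succeeded. */
int pe_apply(const struct pe_cmd *cmds, size_t n, pe_runner run)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (run(cmds[i].argv) != 0) break;
    if (i == n) return -1;
    for (size_t j = i; j-- > 0;)                   /* roll back i-1 .. 0 */
        if (cmds[j].undo[0] && run(cmds[j].undo) != 0)
            fprintf(stderr, "rollback of command %zu failed\n", j);
    return (int)i;
}

/* Constructed sample (hypothetical names): attach endpoint port tap0 to bridge br-epg. */
const struct pe_cmd pe_sample[] = {
    { { "ovs-vsctl", "add-br", "br-epg", NULL },           { "ovs-vsctl", "del-br", "br-epg", NULL } },
    { { "ovs-vsctl", "add-port", "br-epg", "tap0", NULL }, { "ovs-vsctl", "del-port", "br-epg", "tap0", NULL } },
    { { "ip", "link", "set", "tap0", "up", NULL },         { "ip", "link", "set", "tap0", "down", NULL } },
};
const size_t pe_sample_n = sizeof pe_sample / sizeof pe_sample[0];
```

Pass `pe_spawn_run` to `pe_apply` on a host with OVS to execute the list for real; the index it returns (or -1) is what the enforcer would record as the pass/fail result.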
Policy Agent Northbound Path (OVS Implementation)
[Diagram: the Policy Enforcer's monitor runs continuously, taking an initial scan from OVSDB plus asynchronous OVS and libvirt updates, and translates the received data into the MODB; the MODB updates the database and informs the Policy Manager; the Policy Manager receives the update, converts MODB data to JSON, and sends it to the Policy/End Point Repository and the Observer.]
OVS Policy Agent Northbound Path Explained
- The Policy Enforcer receives updates and/or asynchronous responses
  - Translates responses into managed objects as appropriate
  - Notifies the Managed Object module of changes
- Managed Object module
  - Notifies the Policy Manager of changes
- Policy Manager
  - Converts MO data into JSON
  - Sends data to the appropriate elements (Policy Repository, Endpoint Repository, Observer)
Start Up
- PE initializes communication with OVS and libvirt
  - Essentially collects the current state
- MO module
  - Reads in the crash recovery file, if it exists
  - Populates the MODB with recovery data and/or PE scan data
- Policy Manager
  - Initializes connections with known PEs
  - Sends current policy (or state) to the appropriate PEs
Summary
- Currently working on the reference policy agent
- Implementation: C, Linux, JSON, OVS, libvirt
- More detail about the reference architecture may be found at https://wiki.opendaylight.org/view/opflex_architecture
- The OpFlex IETF draft specification may be found at http://tools.ietf.org/html/draft-smith-opflex-00
- More detail about ODL group policy may be found at https://wiki.opendaylight.org/view/group_policy:main
- ODL group policy architecture: https://wiki.opendaylight.org/view/group_policy:architecture