Re: [openstack-dev] [neutron][policy] Using network services with network policies

2014-02-18 Thread Mohammad Banikazemi

Thanks Sumit and Stephen for the information provided.

It appears to me that we can (and should) use the notion of
services/service chains within the group policy extension (and that has
been always one of our options). If this is a reasonable approach, then we
need to see how we can bring in these services to our group policy and if
there are changes we may require.

The first thing that comes to mind is to have a new service insertion
context, namely policy (or should it be policy_rule?). If that is in place,
then a service chain (we can start with a chain of one single service) gets
created with its context set to a particular policy. While the service
plugin is responsible for standing up the service, the connectivity is
established through the implementation of the group policy extension, in
particular the redirect action. Is this a reasonable approach? This
approach requires some kind of coordination wrt how these operations are
done by the service plugin and the group policy extension. Maybe a policy
simply provides the insertion context for creation of the service chain (in
isolation and by the appropriate service plugin) and policy rules are then
used to make the service operational. This is different from how services
are expected to be instantiated right now. Right? Thinking aloud here.
Please comment.

A lot of interesting things to work on. Maybe Juno is where all these
efforts come to fruition together :)

Mohammad



From: Sumit Naiksatam sumitnaiksa...@gmail.com
To: Mohammad Banikazemi/Watson/IBM@IBMUS
Cc: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org
Date: 02/17/2014 02:12 AM
Subject: Re: [openstack-dev] [neutron][policy] Using network services with network policies



Thanks Mohammad for bringing this up. I responded in another thread:
http://lists.openstack.org/pipermail/openstack-dev/2014-February/027306.html


~Sumit.

On Sun, Feb 16, 2014 at 7:27 AM, Mohammad Banikazemi m...@us.ibm.com wrote:
> During the last IRC call we started talking about network services and how
> they can be integrated into the group Policy framework.
>
> In particular, with the redirect action we need to think how we can
> specify the network services we want to redirect the traffic to/from. There
> has been substantial work in the area of service chaining and service
> insertion and in the last summit advanced services in VMs were discussed.
> I think the first step for us is to find out the status of those efforts and
> then see how we can use them. Here are a few questions that come to mind.
> 1- What is the status of service chaining, service insertion and advanced
> services work?
> 2- How could we use a service chain? Would simply referring to it in the
> action be enough? Are there considerations wrt creating a service chain
> and/or a service VM for use with the Group Policy framework that need to be
> taken into account?
>
> Let's start the discussion on the ML before taking it to the next call.
>
> Thanks,
>
> Mohammad

OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [neutron][policy] Using network services with network policies

2014-02-18 Thread Sumit Naiksatam
Inline...


On Tue, Feb 18, 2014 at 10:33 AM, Mohammad Banikazemi m...@us.ibm.com wrote:

> Thanks Sumit and Stephen for the information provided.
>
> It appears to me that we can (and should) use the notion of
> services/service chains within the group policy extension (and that has
> been always one of our options). If this is a reasonable approach, then we
> need to see how we can bring in these services to our group policy and if
> there are changes we may require.

Agreed. Our thinking was that the service instance, insertion context, and
the service chain are elemental abstractions on which the policy could be
layered.

> The first thing that comes to mind is to have a new service insertion
> context, namely policy (or should it be policy_rule?). If that is in place,
> then a service chain (we can start with a chain of one single service) gets
> created with its context set to a particular policy.

The notion of a service insertion context is being introduced in this
patch:
https://review.openstack.org/#/c/62599/16/neutron/db/service_context.py

Although the service insertion context need not necessarily be aware of the
policy, I think the mapping is probably the other way around. The rendering
of the policy would lead to a particular service insertion context for that
service/chain.

> While the service plugin is responsible for standing up the service, the
> connectivity is established through the implementation of the group policy
> extension, in particular the redirect action. Is this a reasonable
> approach?

Agreed.

> This approach requires some kind of coordination wrt how these operations
> are done by the service plugin and the group policy extension. Maybe a
> policy simply provides the insertion context for creation of the service
> chain (in isolation and by the appropriate service plugin) and policy rules
> are then used to make the service operational. This is different from how
> services are expected to be instantiated right now. Right? Thinking aloud
> here. Please comment.

Agreed. That said, the two models/workflows can very nicely coexist. The
first one is using the elemental abstractions (service instances, chains,
etc) where the user needs to manage each of them individually to realize
the entire logical topology. The second option is where a group policy
plugin interprets the policy, and proceeds to render that policy using the
elemental abstractions (but might also perform the same directly on a
backend that supports the policy model).

> A lot of interesting things to work on. Maybe Juno is where all these
> efforts come to fruition together :)

Totally. We have been incubating some of these ideas for a while now, and
hopefully it's becoming more apparent as to why these constructs are
required in Neutron.

> Mohammad


> From: Sumit Naiksatam sumitnaiksa...@gmail.com
> To: Mohammad Banikazemi/Watson/IBM@IBMUS
> Cc: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org
> Date: 02/17/2014 02:12 AM
> Subject: Re: [openstack-dev] [neutron][policy] Using network services with network policies
>
> Thanks Mohammad for bringing this up. I responded in another thread:
> http://lists.openstack.org/pipermail/openstack-dev/2014-February/027306.html
>
> ~Sumit.
>
> On Sun, Feb 16, 2014 at 7:27 AM, Mohammad Banikazemi m...@us.ibm.com wrote:
>> During the last IRC call we started talking about network services and how
>> they can be integrated into the group Policy framework.
>>
>> In particular, with the redirect action we need to think how we can
>> specify the network services we want to redirect the traffic to/from. There
>> has been substantial work in the area of service chaining and service
>> insertion and in the last summit advanced services in VMs were discussed.
>> I think the first step for us is to find out the status of those efforts and
>> then see how we can use them. Here are a few questions that come to mind.
>> 1- What is the status of service chaining, service insertion and advanced
>> services work?
>> 2- How could we use a service chain? Would simply referring to it in the
>> action be enough? Are there considerations wrt creating a service chain
>> and/or a service VM for use with the Group Policy framework that need to be
>> taken into account?
>>
>> Let's start the discussion on the ML before taking it to the next call.
>>
>> Thanks,
>>
>> Mohammad





[openstack-dev] [neutron][policy] Using network services with network policies

2014-02-16 Thread Mohammad Banikazemi

During the last IRC call we started talking about network services and how
they can be integrated into the group Policy framework.

In particular, with the redirect action we need to think how we can
specify the network services we want to redirect the traffic to/from. There
has been substantial work in the area of service chaining and service
insertion and in the last summit advanced services in VMs were discussed.
I think the first step for us is to find out the status of those efforts
and then see how we can use them. Here are a few questions that come to
mind.
1- What is the status of service chaining, service insertion and advanced
services work?
2- How could we use a service chain? Would simply referring to it in the
action be enough? Are there considerations wrt creating a service chain
and/or a service VM for use with the Group Policy framework that need to be
taken into account?

Let's start the discussion on the ML before taking it to the next call.

Thanks,

Mohammad


Re: [openstack-dev] [neutron][policy] Using network services with network policies

2014-02-16 Thread Sumit Naiksatam
Thanks Mohammad for bringing this up. I responded in another thread:
http://lists.openstack.org/pipermail/openstack-dev/2014-February/027306.html

~Sumit.

On Sun, Feb 16, 2014 at 7:27 AM, Mohammad Banikazemi m...@us.ibm.com wrote:
> During the last IRC call we started talking about network services and how
> they can be integrated into the group Policy framework.
>
> In particular, with the redirect action we need to think how we can
> specify the network services we want to redirect the traffic to/from. There
> has been substantial work in the area of service chaining and service
> insertion and in the last summit advanced services in VMs were discussed.
> I think the first step for us is to find out the status of those efforts and
> then see how we can use them. Here are a few questions that come to mind.
> 1- What is the status of service chaining, service insertion and advanced
> services work?
> 2- How could we use a service chain? Would simply referring to it in the
> action be enough? Are there considerations wrt creating a service chain
> and/or a service VM for use with the Group Policy framework that need to be
> taken into account?
>
> Let's start the discussion on the ML before taking it to the next call.
>
> Thanks,
>
> Mohammad
