Network Working Group M. Klyus
Internet Draft NetCracker
Intended status: Standard Track J. Strassner
Expires: September 21, 2016 W. Liu
G. Karagiannis
Huawei Technologies
J. Bi
Tsinghua University
Mar 21, 2016
SUPA Value Proposition
draft-klyus-supa-value-proposition-00
Abstract
Simplified Use of Policy Abstractions (SUPA) defines a set of rules
that define how services are designed, delivered, and operated
within an operator's environment independent of any one particular
service or networking device. SUPA expresses policy rules using a
generic policy information model, which serves as a unifying
influence to enable different data model implementations to be
simultaneously developed.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet
Engineering Task Force (IETF), its areas, and its working
groups. Note that other groups may also distribute working
documents as Internet-Drafts.
Internet-Drafts are working documents of the Internet
Engineering Task Force (IETF). Note that other groups may also
distribute working documents as Internet-Drafts. The list of
current Internet-Drafts is at
http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as
"work in progress."
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
Klyus, et al. Expires September 21, 2016 [Page 1]
Internet-Draft SUPA - Proposition March 2016
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described
in Section 4.e of the Trust Legal Provisions and are provided
without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction...................................................3
1.1. Problem Statement.........................................4
1.2. Proposed Solution.........................................4
1.3. Value of the SUPA Approach ...............................5
2. Framework for Generic Policy-based Management..................6
2.1. Overview..................................................6
2.2. Operation.................................................8
2.3. The GPIM and the EPRIM ...................................9
2.4. Creation of Generic YANG Modules .........................9
3. Application of Generic Policy-based Management................10
3.1. ECA Examples.............................................10
4. Related Work..................................................11
4.1. Related Work within the IETF.............................11
4.1.1. I2RS Working Group..................................11
4.1.2. L3SM Working Group..................................11
4.1.3. ALTO Working Group..................................12
4.1.4. TEAS Working Group..................................12
4.1.5. BESS Working Group..................................12
4.1.6. SFC Working Group...................................13
4.1.7. NVO3 Working Group..................................13
4.1.8. ACTN BoF (IETF-90)..................................13
4.1.9. Previous IETF Policy Models.........................14
4.2. Related Work outside the IETF............................14
4.2.1. TM Forum............................................14
4.2.2. MEF.................................................15
4.2.3. Open Daylight.......................................15
4.2.4. Open Networking Foundation..........................16
4.2.5. OpenStack...........................................16
4.2.6. The NEMO Project (Not a BoF Yet)....................17
4.2.7. The Floodlight Project..............................17
4.2.8. The ONOS Project....................................17
5. Conclusions - Value of SUPA...................................17
6. Security Considerations.......................................18
7. IANA Considerations...........................................18
8. Contributors..................................................18
9. Acknowledgments...............................................18
Klyus, et al. Expires September 21, 2016 [Page 2]
Internet-Draft SUPA - Proposition March 2016
10. References...................................................19
10.1. Informative References..................................19
Authors' Addresses ..............................................20
1. Introduction
The rapid growth in the variety and importance of traffic flowing
over increasingly complex enterprise and service provider network
architectures makes the task of network operations and management
applications and deploying new services much more difficult. In
addition, network operators want to deploy new services quickly
and efficiently. Two possible mechanisms for dealing with this
growing difficulty are the use of software abstractions to
simplify the design and configuration of monitoring and control
operations and the use of programmatic control over the
configuration and operation of such networks. Policy-based
management can be used to combine these two mechanisms into an
extensible framework.
Policy rules can be used to express high-level network operator
requirements directly, or from a set of management applications,
to a network management or element system. The network management
or element system can then control the configuration and/or
monitoring of network elements and services.
Simplified Use of Policy Abstractions (SUPA) will define a generic
policy information model (GPIM) [SUPA-info-model] for use in network
operations and management applications. The GPIM defines concepts
and terminology needed by policy management indepednent of the form
and content of the policy rule. The ECA Policy Rule Information
Model (EPRIM) [SUPA-info-model] extends the GPIM to define how to
build policy rules according to the event-condition-action paradigm.
Both the GPIM and the EPRIM are targeted at controlling the
configuration and monitoring of network elements throughout the
service development and deployment lifecycle. The GPIM and the EPRIM
will both be translated into corresponding YANG [RFC6020] modules
that define policy concepts, terminology, and rules in a generic and
interoperable manner; additional YANG modules may also be defined
from the GPIM and/or EPRIM to manage specific functions.
The key benefit of policy management is that it enables different
network elements and services to be instructed to behave the same
way, even if they are programmed differently. Management
applications will benefit from using policy rules that enable
scalable and consistent programmatic control over the
configuration and monitoring of network elements and services.
Klyus, et al. Expires September 21, 2016 [Page 3]
Internet-Draft SUPA - Proposition March 2016
1.1. Problem Statement
Network operators must construct networks of increasing size
and complexity in order to improve their availability and
quality, as more and more business services depend on them.
Currently, different technologies and network elements require
different forms of the same policy that governs the production of
network configuration snippets. The power of policy management is
its applicability to many different types of systems, services,
and networking devices. This provides significant improvements in
configuration agility, error detection, and uptime for operators.
Many different types of actors can be identified that can use a
policy management system, including applications, end-users,
developers, network administrators, and operators. Each of these
actors typically has different skills and uses different concepts
and terminologies. For example, an operator may want to express
that only Platinum and Gold users can use streaming and interactive
multimedia applications. As a second example, an operator may want
to define a more concrete policy rule that looks at the number of
dropped packets. If, for example, this number exceeds a certain
threshold value, then the applied queuing, dropping and
scheduling algorithms could be changed in order to reduce the
number of dropped packets. The power of SUPA is that both of these
examples may be abstracted. For example, in the latter example,
different thresholds and algorithms could be defined for different
classes of service.
1.2. Proposed Solution
SUPA enables network operators to express policies to control
network configuration and monitoring data models in a generic
manner. The configuration and monitoring processes are independent
of device, as well as domain or type of application, and result in
configuration according to YANG data models.
Both of the examples in section 1.1 can be referred to as "policy
rules", but they take very different forms, since they are defined
at different levels of abstraction and likely authored by different
actors. The first example described a very abstract policy rule, and
did not contain any technology-specific terms, while the second
example included more concrete policy rules and likely used
technical terms of a general (e.g., IP address range and port
numbers) as well as vendor-specific nature (e.g., specific
algorithms implemented in a particular device). Furthermore,
these two policy rules could affect each other. For example,
Gold and Platinum users might need different device
configurations to give the proper QoS markings to their
streaming multimedia traffic. This is very difficult to do if a
common policy framework does not exist.
Klyus, et al. Expires September 21, 2016 [Page 4]
Internet-Draft SUPA - Proposition March 2016
Note that SUPA is not limited to any one type of technology.
While the above two policies could be considered "QoS"
policies, other examples include:
- network elements must not accept passwords for logins
- all SNMP agents in this network must drop all SNMP traffic
unless it is originating from, or targeting, the
management network
- Periodically perform workload consolidation if average CPU
utilization falls below X%
The above three examples are not QoS related; this emphasizes the
utility of the SUPA approach in being able to provide policies
to control different types of network element configuration and/or
monitoring snippets.
There are many types of policies. SUPA differentiates between
"management policies" and "embedded policies". Management
policies are used to control the configuration of network
elements. Management policies can be interpreted externally to
network elements, and the interpretation typically results in
configuration changes of collections of network elements. In
contrast, "embedded policies" are policies that are embedded
in the configuration of network elements, and are usually
interpreted on network elements in isolation. Since embedded
policies are interpreted in the network device, they are
typically composed in a very specific fashion to run at
near-realtime timescales.
1.3. Value of the SUPA Approach
SUPA will achieve an optimization and reduction in the amount of
work required to define and implement policy-based data models in
the IETF. This is due to the generic and extensible framework
provided by SUPA.
SUPA defines policy independent of where it is located. Other
WGs are working on embedding policy in the configuration of a
network element; SUPA is working on defining policies that
can be interpreted external to network elements (i.e., management
policies). Hence, SUPA policies can be used to define the behavior
of and interaction between embedded policies.
Since the GPIM defines common policy terminology and concepts, it
can be used to both define more specific policies as part of a
data model as well as derive a (more abstract) information model
from a (more specific) data model.
Klyus, et al. Expires September 21, 2016 [Page 5]
Internet-Draft SUPA - Proposition March 2016
This latter approach may be of use in discovering common structures
that occur in data models that have been designed in isolation of
each other.
The SUPA policy framework defines a set of consistent, flexible,
and scalable mechanisms for monitoring and controlling resources
and services. It may be used to create a management and operations
interface that can enable existing IETF data models, such as those
from I2RS and L3SM, to be managed in a unified way that is
independent of application domain, technology and vendor. Resource
and service management become more effective, because policy
defines the context that different operations, such as configuration
and monitoring, are applied to.
2. Framework for Generic Policy-based Management
This section briefly describes the design and operation of the
SUPA policy-based management framework.
2.1. Overview
Figure 1 shows a simplified functional architecture of how SUPA is
used to define policies for creating network element configuration
and monitoring snippets. SUPA uses the GPIM to define a consensual
vocabulary that different actors can use to interact with network
elements and services. The EPRIM defines a generic structure for
imperative policies. The GPIM, as well as the combination of the
GPIM and EPRIM, are converted to generic YANG data modules. The
IETF produces the modules, and IANA is used to register the module
and changes to it.
In the preferred approach, SUPA generic policy data modules are
then used to create vendor- and technology-specific data models.
These define the specific elements that will be controlled by
policies. The Policy Interface uses this information to create
appropriate input mechanisms for the operator to define policies
(e.g., a web form or a script) for creating and managing the
network configuration. The operator interacts with the interface,
which is then translated to configuration snippets. Note that the
policy interface is NOT being designed in SUPA.
In one of possibly several alternate approaches (shown with
asterisks in Figure 1), the SUPA generic policy YANG data modules
contain enough information for the Policy Interface to create
appropriate input mechanisms for the operator to define policies.
This transfers the work of building vendor- and technology-specific
data models to the SUPA Data Model-Specific Translation Function.
In either case, the output may then either be used as is, or goals
through a subsequent set of transformations before it is ready to
be consumed by the target device or management system.
Klyus, et al. Expires September 21, 2016 [Page 6]
Internet-Draft SUPA - Proposition March 2016
+---------------------+
+----------+ \| SUPA Generic Policy |
| IETF |---+----| Information Model |
+----------+ | /| |
| +---------+-----------+
| |
Assignments | | Defines Policy Concepts
and Manage | |
Content | \|/
| +---------+-----------+ Preferred
| \| SUPA GPIM and EPRIM | Approach
+----| Generic YANG |------------+
/| Data Modules | |
+---------+-----------+ |
* |
* Possible |
* Approach |
* |
+--------------------------------+------------------------+---------+
| Management System * | |
| * | |
| \*/ \|/ |
| Fills +----------+----------+ +--------|------+ |
| +--------+ Forms \| Policy Interface |/ |Technology and | |
| |Operator|----------| (locally defined +----|Vendor-specific| |
| +--------+ Runs /| forms, scripts,...) |\ | Data Models | |
| Scripts +----------+----------+ +-------+-------+ |
| /| \ |
| | |
| | Produces Policy Rules |
| | |
| \|/ |
| +----------+--------+ |
| | Policy Management | |
| | Functions | |
| +----------+--------+ |
| | |
| | |
| +---------------------+ |
| Optional Additional | | |
| Transformation \|/ \|/ |
| +---------------+-------+ +-------+--------+ |
| Local SUPA | YANG-to-device and/or | \| Local Devices | |
| Execution | Technology-Specific +-----+ and Management | |
| Environment | Translation Functions | /| Systems | |
| +-----------------------+ +----------------+ |
| |
+-------------------------------------------------------------------+
Figure 1. SUPA Framework
Klyus, et al. Expires September 21, 2016 [Page 7]
Internet-Draft SUPA - Proposition March 2016
Figure 1 is exemplary. The Operator actor shown in Figure 1 can
interact with SUPA in other ways not shown in Figure 1. In addition,
other actors (e.g., an application developer) that can interact with
SUPA are not shown for simplicity.
The EPRIM defines an Event-Condition-Action (ECA) policy as an
example of imperative policies. An ECA policy rule is activated
when its event clause is true; the condition clause is then
evaluated and, if true, signals the execution of one or more
actions in the action clause. Imperative policy rules require
additional management functions, which is explained in section
2.2 below.
2.2. Operation
SUPA can be used to define various types of policies, including
policies that affect services and/or the configuration of
individual or groups of network elements. SUPA can be used by a
centralized and/or distributed set of entities for creating,
managing, interacting with, and retiring policy rules.
The duties of the Policy Management Function (PMF) depend on the
type and nature of policies being used. For example, imperative
(e.g., ECA) policies require conflict detection and resolution,
while declarative policies do not. A short exemplary list of
functions that are common to many types of policies include:
o policy creation, update, delete, and view functions
(typically in conjunction with policy repositories)
o policy storage, search, and retrieval (typically uses
distributed repositories that the PMF communicates with)
o policy distribution (typically uses a message bus; note that
this involves requesting and responding to requests for
policy decisions as well as distributing policies and
informing interested entities of policy results)
o making policy decisions (this SHOULD include more than the
simple Policy Decision Point function defined in [RFC3198])
o executing policy decisions (this SHOULD include more than the
simple Policy Enforcement Point functions defined in [RFC3198])
o validating that the execution of the policy produced what
was expected (this is NOT defined in [RFC3198]).
An exemplary architecture that illustrates these concepts is shown
in [TR235].
The SUPA scope is limited to policy information and data models.
SUPA will not define network resource data models or network
service data models; both are out of scope. Instead, SUPA will make
use of network resource data models defined by other WGs or SDOs.
Klyus, et al. Expires September 21, 2016 [Page 8]
Internet-Draft SUPA - Proposition March 2016
Declarative policies that specify the goals to achieve but not
how to achieve those goals (also called "intent-based" policies)
are out of scope for the initial phase of SUPA.
2.3. The GPIM and the EPRIM
The GPIM provides a common vocabulary for representing concepts
that are common to expressing different types of policy, but
which are independent of language, protocol, repository, and
level of abstraction.
This enables different policies at different levels of abstraction
to form a continuum, where more abstract policies can be translated
into more concrete policies, and vice-versa. For example, the
information model can be extended by generalizing concepts from an
existing data model into the GPIM; the GPIM extensions can then be
used by other data models.
The SUPA working group develops models for expressing policy at
different levels of abstraction. Specifically, two models are
envisioned (both of which are contained in the Generic Policy
Information Model block in Figure 1:
(i) a generic model (the GPIM) that defines concepts and vocabulary
needed by policy management systems independent of the form and
content of the policy
(ii) a more specific model (the EPRIM) that refines the GPIM to
specify policy rules in an event-condition-action form
2.4. Creation of Generic YANG Modules
An information model is abstract. As such, it cannot be directly
instantiated (i.e., objects cannot be created directly from it).
Therefore, both the GPIM, as well as the combination of the GPIM
and the EPRIM, are translated to generic YANG modules.
SUPA will provide guidelines for translating the GPIM (or the
combination of the GPIM and the EPRIM) into concrete YANG data models
that define how to manage and communicate policies between systems.
Multiple imperative policy YANG data models may be instantiated
from the GPIM (or the combination of the GPIM and the EPRIM). In
particular, SUPA will specify a set of YANG data models that will
consist of a base policy model for representing policy management
concepts independent of the type or structure of a policy, and as
well, an extension for defining policy rules according to the ECA
paradigm.
The process of developing the GPIM, EPRIM and the derived/translated
YANG data models is realized following the sequence shown below.
After completing this process and if the implementation of the YANG
data models requires it, the GPIM and EPRIM and the
derived/translated YANG data models are updated and synchronized.
(1)=>(2)=>(3)=>(4)=>(3')=>(2')=>(1')
Where, (1)=GPIM; (2)=EPRIM; (3)YANG data models;
(4) Implementation; (3')= update of YANG data models;
(2')=update of EPRIM; (1') = update of GPIM
The YANG module derived from the GPIM contains concepts and
terminology for the common operation and administration of
policy-based systems, as well as an extensible structure for
policy rules of different paradigms. The YANG module derived from
the EPRIM extends the generic nature of the GPIM to represent
policies using an event-condition-action structure.
Klyus, et al. Expires September 21, 2016 [Page 9]
Internet-Draft SUPA - Proposition March 2016
3. Application of Generic Policy-based Management
This section provides examples of how SUPA can be used to define
different types of policies. Examples applied to various domains,
including system management, operations management, access control,
routing, and service function chaining, are also included.
3.1. ECA Examples
ECA policies are rules that consist of an event clause, a condition
clause, and an action clause.
Network Service Management Example
Event: too many interface alarms received from an
L3VPN service
Condition: alarms resolve to the same interface within a
specified time period
Action: if error rate exceeds x% then put L3VPN service
to Error State and migrate users to one or more
new L3VPNs
Security Management Example
Event: anomalous traffic detected in network
Condition: determine the severity of the traffic
Action: apply one or more actions to affected NEs based
on the type of the traffic detected (along with
other factors, such as the type of resource
being attacked if the traffic is determined to
be an attack)
Traffic Management Examples
Event: edge link close to being overloaded by
incoming traffic
Condition: if link utilization exceeds Y% or if link
utilization average is increasing over a
specified time period
Action: change routing configuration to other peers
that have better metrics
Event: edge link close to be overloaded by
outgoing traffic
Condition: if link utilization exceeds Z% or if link
utilization average is increasing over a
specified time period
Action: reconfigure affected nodes to use source-based
routing to balance traffic across multiple links
Klyus, et al. Expires September 21, 2016 [Page 10]
Internet-Draft SUPA - Proposition March 2016
Service Management Examples
Event: alarm received or periodic time period check
Condition: CPU utilization level comparison
Action: no violation: no action
violation:
1) determine workload profile in time interval
2) determine complementary workloads (e.g.,
whose peaks are at different times in day)
3) combine workloads (e.g., using integer
programming)
Event: alarm received or periodic time check
Condition: if DSCP == AFxy and
throughput < T% or packet loss > P%
Action: no: no action
yes: remark to AFx'y'; reconfigure queuing;
configure shaping to S pps; ...
Note: it is possible to construct an ECA policy rule that is
directly tied to configuration parameters.
4. Related Work
4.1. Related Work within the IETF
4.1.1. I2RS Working Group
I2RS defines an interface that interacts with the routing
system using a collection of protocol-based control or
management interfaces. Users of I2RS interfaces are typically
management applications and controllers. SUPA does not directly
interface to the routing system. Rather, SUPA uses data
produced by I2RS (e.g., topological information) to construct
its policies.
4.1.2. L3SM Working Group
L3SM defines an L3 VPN service model that can be used for
communication between customers and network operators. This
model enables an orchestration application or customers to
request network services provided by L3 VPN technologies. The
implementation of network services is often guided by specific
policies, and SUPA provides a tool that can help with the
mapping of L3 VPN service requests to L3 VPN configurations of
network elements.
Klyus, et al. Expires September 21, 2016 [Page 11]
Internet-Draft SUPA - Proposition March 2016
4.1.3. ALTO Working Group
The ALTO working group defined an architecture for exposing
topology information, more specifically the cost of paths
through an infrastructure, as defined in [RFC7285]. ALTO
services are able to provide network maps defined as groups of
endpoints, and can therefore represent any granularity of network,
from the physical to groups of networks following similar paths or
restraints. Although this model can represent different levels of
granularities, it is not clear if it could be adapted easily for
other purposes than providing cost maps in the context of ALTO.
The ALTO model is meant to be used outside of the trust domain of
an ISP by external clients.
SUPA does not generate data that is similar to ALTO. Rather,
SUPA could use ALTO data as part of its policies to configure
services and/or resources.
4.1.4. TEAS Working Group
The Traffic Engineering Architecture and Signaling (TEAS)
working group is responsible for defining MPLS- and GMPLS-based
Traffic Engineering architectures that enable operators to
control how specific traffic flows are treated within their
networks. It covers YANG models for a traffic engineering
database. In coordination with other working groups (I2RS)
providing YANG models for network topologies.
Both TEAS and SUPA use YANG data models. SUPA does not generate
traffic engineering (TE) data. However, SUPA could use TE data
as part of its policies for configuring resources and/or
services. SUPA could also define policies that define which
service, path, and link properties to use for a given customer,
and consequently, which protocol extensions to use. TEAS data
could also be used to enable operators to define how particular
traffic flows are treated in a more abstract (but still
consistent) manner.
4.1.5. BESS Working Group
The BGP Enabled Services (BESS) working group defines and
extends network services that are based on BGP. This includes
BGP/MPLS IP provider-provisioned L3VPNs, L2VPNs, BGP-enabled
VPN solutions for use in data center networking, and extensions
to BGP-enabled solutions to construct virtual topologies in
support of services such as Service Function Chaining. The
working group is also chartered to work on BGP extensions to
YANG models and data models for BGP-enabled services.
Klyus, et al. Expires September 21, 2016 [Page 12]
Internet-Draft SUPA - Proposition March 2016
Both BESS and SUPA use YANG data models. SUPA could generate
BGP configurations by using data defined by BESS as part of
its policies for configuring resources and/or services.
SUPA could also define policies that govern different aspects
of services defined by BESS.
4.1.6. SFC Working Group
The Service Function Chaining (SFC) working group defines a
mechanism where traffic is classified; that classification is
then use to select an ordered set of services to pass the
traffic through.
Both SFC and SUPA use YANG data models. SUPA could define
policies that augment the functionality of SFC in several
different ways, including: (1) path selection based on context,
(2) which set of mechanisms to use to steer traffic through
which set of service functions, (3) simplify the definition of
dynamic service function chains (e.g., service paths that
change based upon a set of data that is discovered at runtime),
and (4) scalable mechanisms to monitor and control the
configuration of SFC components.
4.1.7. NVO3 Working Group
The NVO3 group proposes a way to virtualize the network edge
for data centers in order to be able to move virtual instances
without impacting their network configuration. This is realized
through a centrally controlled overlay layer-3 network. The
NVO3 work is not about defining policy information; rather, it
uses policy information to perform some functions. Both NVO3 and
SUPA use YANG data models. SUPA could define policies that define
how the logically centralized network virtualization management
entity (or entities) of NVO3 behave (e.g., the functions in the
network virtualization control plane).
4.1.8. ACTN BoF (IETF-90)
The ACTN proposed work, as described in [actn] framework, has
two main goals, the abstraction of multiple optical transport
domains into a single controller offering a common abstract
topology, and the splitting of that topology into abstract
client views that are usually a fraction of the complete
network. The ACTN work is therefore about unification of
several physical controllers into a virtual one, and also about
the segmentation, isolation and sharing of network resources.
The ACTN work is not about defining policy information. Both ACTN
and SUPA use YANG data models. SUPA could define policies that
define the behavior of the controller.
Klyus, et al. Expires September 21, 2016 [Page 13]
Internet-Draft SUPA - Proposition March 2016
4.1.9. Previous IETF Policy Models
SUPA is technology-neutral, previous RFCs weren't. SUPA defines a
common structure from which ECA policies can be defined; this was
not possible in previous RFCs. Previous RFCs do NOT define metadata,
and do NOT enable policies to formally define obligation,
permission, and related concepts. Finally, SUPA uses software
patterns, which previous RFCs didn't.
A more complete analysis is in Appendix A of [SUPA-info-model].
4.2. Related Work outside the IETF
4.2.1. TM Forum
The TM Forum (a.k.a., the TeleManagement Forum) develops standards
and best practices, research, and collaborative programs focused on
digital business transformation. It consists of three major
programs:
1) Agile Business and IT
2) Customer Centricity (experience)
3) Open Digital Ecosystem
Of these, the ZOOM (Zero-touch Orchestration, Operations, and
Management) project, located in the Agile Business and IT project,
is the main sub-project in this area that is of interest to SUPA.
Within ZOOM, the Foundational Studies project contains work on
an information model and management architecture that are
directly relevant to SUPA. The TMF Information Model, Policy,
and Security working groups are involved in this work.
The ZOOM information model updates the existing Shared
Information and Data (SID) information model to add support for
the management of physical and virtual infrastructure, event-
and data-driven systems, policy management (architecture and
model), metadata for describing and prescribing behavior that can
support changes at runtime, and access control. The policy
information model defines imperative (ECA), declarative (intent-
based), utility function, and promise policies. The work in
[SUPA-info-model] is based on, but extends and enhances, the
ZOOM ECA model and provides additional detail not currently
present in ZOOM.
There is currently no plan to use the utility function and
promise policies of ZOOM in SUPA. Finally, it should be noted
that the data model work planned for SUPA is not currently
planned for the ZOOM project.
Klyus, et al. Expires September 21, 2016 [Page 14]
Internet-Draft SUPA - Proposition March 2016
4.2.2. MEF
The MEF (originally named the Metro Ethernet Forum) develops
architecture, service and management specifications related to
Carrier Ethernet (CE). The CE architecture includes the definition
of several interfaces specific to CE like the User Network Interface
(UNI) and External Network Network Interface (ENNI). Specifications
developed in this space include the definitions of CE services, CE
service attributes, Ethernet Access Services, Class of Service, OAM
and Management interfaces, Service Activation and Test. The more
recent vision of the MEF is described as The Third Network, and
includes plans to develop Lifecycle Service Orchestration with APIs
for existing network, NFV, and SDN implementations enabling Agile,
Assured, and Orchestrated Services. This stage of the MEF activity
is now in early phases with focus on architectural work.
The MEF has developed a number of Information and Data Models, and
has recently started a project that uses YANG to model and manage
the services defined by the MEF. While the MEF has created rigorous
definitions of these services, they are specific to transport
technology, and they do not currently include and rely on policies.
4.2.3. Open Daylight
Open Daylight network controller implements a number of models
through its service abstraction Layer (MD-SAL) based on draft
IETF Yang models. Open Daylight is an open source project. Two of
these could be relevant to SUPA in the future (since they both are
focused on declarative policies, which are currently out of scope
for SUPA) and are described below.
4.2.3.1. Network Intent Composition (NIC)
The Network Intent Composition project aims at providing better
flexibility by using declarative policies. It does not cover
other types of policies, such as ECA policy rules. The intent-
based interface aims to provide a high level of abstraction,
primarily for use by an application developer. Its progress
has recently stalled.
4.2.3.2. Group Based Policy
The Group Based Policy project defines an application-centric
policy model for Open Daylight that separates information about
application connectivity requirements from information about
the underlying details of the network infrastructure. The model
is positioned as declarative, but uses a relational approach to
specifying policy. It does not cover other types of policies,
such as ECA policy rules.
Klyus, et al. Expires September 21, 2016 [Page 15]
Internet-Draft SUPA - Proposition March 2016
4.2.4. Open Networking Foundation
The ONF created a group responsible of defining northbound
interfaces, but this hasn't lead to the publication of
standards in this area so far. A blog entry on the ONF web site
showed an interest in using the principle of intents at ONF,
but no details were provided on the status of this project. A
members-only whitepaper was recently published.
4.2.5. OpenStack
OpenStack software controls large pools of compute, storage,
and networking resources throughout a datacenter, managed
through a dashboard or via the OpenStack API. OpenStack works
with popular enterprise and open source technologies making it
ideal for heterogeneous infrastructure. Few of the below
mentioned OpenStack projects provides policy abstraction and
better flexibility to the user.
4.2.5.1. Group-Based Policy
The Group-Based Policy project for OpenStack Neutron is built
around entities assembled in Endpoints Groups (EPG) that
provide or consume Contracts. Such Contracts are hierarchical
entities containing policy rules. A first version was released
in January 2015, based on the Juno release. This type of
approach is more relational than declarative, but could be used
to describe a large amount of possible scenarios. It has the
advantage of providing a relatively simple policy model that
covers a large applicability. From an OpenStack point of view,
the scope of Group-Based Policies is limited to networking
within the Neutron module. Note that other types of policies, such
as ECA policies, are not covered in Group-Based Policy.
4.2.5.2. Congress
The Congress project within OpenStack provides a way to define
complex policies using extensions to the Datalog language.
Datalog is entirely declarative, and its evaluation is based on
first-order logic with restrictions. This gives it interesting
properties, such as providing the same result no matter the order
in which the statements are made. The language allows for the
definition of types and for active enforcement or verification
of the policies. However, it does not cover ECA policies.
There is a significant body of knowledge and experience relating
to declarative languages and their implementation. Congress
policies aim at manipulating objects exposed by multiple
OpenStack modules, and is therefore larger in scope than network
element policies.
Klyus, et al. Expires September 21, 2016 [Page 16]
Internet-Draft SUPA - Proposition March 2016
4.2.6. The NEMO Project (not a BoF yet)
The NEMO project is a research activity aimed at defining a
simple framework for "intent-based" networking. This project
concentrates on creating a domain-specific language and associated
API, not a model or even a rigorous definition of what a policy
rule is. NEMO does not define ECA policies.
The NEMO syntax defines a very simple information model that has
three basic elements for network manipulation: nodes, links, and
flows. A policy rule is NOT defined in this model. Rather, policy
is defined as a command. The NEMO project has been successfully
demonstrated at IETF-91, along with a companion graphical user
interface.
NEMO declarative policies use a flatter, simpler object model with
fewer objects to represent targets of policy. NEMO uses a condition-
action paradigm to execute its declarative policies. In contrast,
SUPA uses a richer class model to represent ECA policies. However,
SUPA has not proposed a language.
4.2.7. The Floodlight Project
The Floodlight is an OpenFlow-enabled SDN controller. It uses
another open source project called Indigo to support OpenFlow
and manage southbound devices. The Indigo agent also supports
an abstraction layer to make it easy to integrate with physical
and virtual switches. It supports configuration of an abstraction
layer so that it can configure OpenFlow in hybrid mode.
4.2.8. The ONOS Project
The ONOS is an SDN controller design for Service Provider networks.
It uses a distributed architecture, and supports abstraction for
both southbound and northbound interfaces. Its modules are managed
as OSGi bundles. It is an open source project. ONOS announced an
"application-intent framework". However, no object model or
language has been defined yet.
5. Conclusions: the Value of SUPA
SUPA can be used to define high-level, possibly network-wide
policies to create interoperable network element configuration
snippets. SUPA expresses policies and associated concepts using a
generic policy information model, and produces generic policy YANG
data modules. SUPA focuses on management policies that control the
configuration of network elements. Management policies can be
interpreted outside of network elements, and the interpretation
typically results in configuration changes to collections of
network elements.
Klyus, et al. Expires September 21, 2016 [Page 17]
Internet-Draft SUPA - Proposition March 2016
Policies embedded in the configuration of network elements are not
in the scope of SUPA. In contrast to policies targeted by SUPA,
embedded policies are usually interpreted on network elements in
isolation, and often at timescales that require the representation
of embedded policies to be optimized for a specific purpose.
The SUPA information model generalizes common concepts from multiple
technology-specific data models, and makes it reusable.
Conceptually, SUPA can be used to interface and manage existing and
future data models produced by other IETF working groups. In
addition, by defining an object-oriented information model with
metdata, the characteristics and behavior of data models can be
better defined.
6. Security Considerations
TBD.
7. IANA Considerations
This document has no actions for IANA.
8. Contributors
The following people all contributed to creating this document,
listed in alphabetical order:
Vikram Choudhary, Huawei Technologies
Luis M. Contreras, Telefonica I+D
Dan Romascanu, Avaya
J. Schoenwaelder, Jacobs University, Germany
Qiong Sun, China Telecom
Parviz Yegani, Juniper Networks
9. Acknowledgments
This document has benefited from reviews, suggestions, comments
and proposed text provided by the following members, listed in
alphabetical order: H. Rafiee, J. Saperia and C. Zhou.
The initial draft of this document merged one document, and this
section lists the acknowledgements from it.
From Problem Statement for Simplified Use of Policy Abstractions
(SUPA)" [Karagiannis2015]
Klyus, et al. Expires September 21, 2016 [Page 18]
Internet-Draft SUPA - Proposition March 2016
The authors of this draft would like to thank the following
persons for the provided valuable feedback and contributions:
Diego Lopez, Spencer Dawkins, Jun Bi, Xing Li, Chongfeng Xie, Benoit
Claise, Ian Farrer, Marc Blancet, Zhen Cao, Hosnieh Rafiee, Mehmet
Ersue, Simon Perreault, Fernando Gont, Jose Saldana, Tom Taylor,
Kostas Pentikousis, Juergen Schoenwaelder, John Strassner, Eric Voit,
Scott O. Bradner, Marco Liebsch, Scott Cadzow, Marie-Jose Montpetit.
Tina Tsou, Will Liu and Jean-Francois Tremblay contributed to an
early version of this draft.
The authors of "Problem Statement for Simplified Use of Policy
Abstractions (SUPA)" [Karagiannis2015] were:
Georgios Karagiannis
Qiong Sun
Luis M. Contreras
Parviz Yegani
John Strassner
Jun Bi
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
10.2. Informative References
[RFC3198] Westerinen, A., Schnizlein, J., Strassner, J.,
Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M.,
Perry, J., Waldbusser, S., "Terminology for Policy-Based
Management", RFC 3198, November, 2001
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
Network Configuration Protocol (NETCONF)", RFC 6020, October 2010.
[RFC7285] R. Alimi, R. Penno, Y. Yang, S. Kiesel, S. Previdi, W.
Roome, S. Shalunov, R. Woundy "Application-Layer Traffic
Optimization (ALTO) Protocol", September 2014
[SUPA-info-model] J. Strassner, J. Halpern, J. Coleman, "Generic
Policy Information Model for Simplified Use of Policy Abstractions
(SUPA)", IETF Internet draft, draft-strassner-supa-generic-policy-
info-model-04, February 2016
[TR235] J. Strassner, ed., "ZOOM Policy Architecture and
Information Model Snapshot", TR245, part of the TM Forum ZOOM
project, October 26, 2014
[Karagiannis2015] G. Karagiannis, ed., "Problem Statement for
Simplified Use of Policy Abstractions (SUPA)", IETF Internet draft,
draft-karagiannis-supa-problem-statement-07, June 5, 2015
Klyus, et al. Expires September 21, 2016 [Page 19]
Internet-Draft SUPA - Proposition March 2016
Authors' Addresses
Maxim Klyus, Ed.
NetCracker
Kozhevnicheskaya str.,7 Bldg. #1
Moscow, Russia
E-mail: klyus@netcracker.com
John Strassner, Ed.
Huawei Technologies
2330 Central Expressway
Santa Clara, CA 95138 USA
Email: john.sc.strassner@huawei.com
Will(Shucheng) Liu
Huawei Technologies
Bantian, Longgang District, Shenzhen 518129
P.R. China
Email: liushucheng@huawei.com
Georgios Karagiannis
Huawei Technologies
Hansaallee 205, 40549 Dusseldorf
Germany
Email: Georgios.Karagiannis@huawei.com
Jun Bi
Tsinghua University
Network Research Center, Tsinghua University
Beijing 100084
P.R. China
Email: junbi@tsinghua.edu.cn
Klyus, et al. Expires September 21, 2016 [Page 20]