Re: [Ibnemo] Policies and Intent-Based Networking

["Susan Hares" <shares@ndzh.com>]

Laurent: 

Thank you for letting me know the use case of a network administrator is
valid.  Could you send me a direct pointer to the policy continuum paper.  I
am having trouble finding it on the site.  The research at
www.univerself-project.eu is very interesting, but I just cannot find the
specific paper you mention. 

Sue Hares 

 

From: Laurent Ciavaglia [mailto:Laurent.Ciavaglia@alcatel-lucent.com] 
Sent: Tuesday, October 06, 2015 11:43 AM
To: Susan Hares; 'PEDRO ANDRES ARANDA GUTIERREZ'; ibnemo@ietf.org
Subject: Re: [Ibnemo] Policies and Intent-Based Networking

 

Dear Sue, all,

Please see inline...



On 05/10/2015 20:57, Susan Hares wrote:

Laurent: 

I agree that the important part of this discussion is: 

a)      At which level of abstraction we start (end-user level,
administrator for network), 

b)      At which level the “end-systems)  operate – “user end-systems” or
“routers that provide entry to network”, 

c)       What mechanisms exist to translate from a) starting abstraction to
b) ending abstraction. 

 

In earlier discussions, we simply looked at the end user as (a) and the
router in a large network as (b).    Do you think this is the right place to
start? 

It is surely good enough to start with network operator/administrator and
routers in a large network as policy "end points".
My initial comment was more to stress the levels of abstraction considered:
if the policy entry point is quite abstract (cf previous policy example) and
the policy exit point understands "only" low level commands, then the
mechanism(s) in between will have to cope with such "distance" between the
policy end points, ensuring the continuum of the policy from the top to the
bottom levels.
The main challenge is thus to identify in the defined policy what are the
informational elements (here the modeling is key), these elements shall then
be interpreted (semantics/ontology come to mind), and finally translated in
a format understandable by the next element in the policy chain.
We have defined such mechanisms for policy continuum in a recent research
project (www.univerself-project.eu), applied to autonomic networking.

Best regards, Laurent.






Thanks for the insight, 

Sue 

From: Ibnemo [mailto:ibnemo-bounces@ietf.org] On Behalf Of Laurent Ciavaglia
Sent: Monday, October 05, 2015 11:36 AM
To: PEDRO ANDRES ARANDA GUTIERREZ; Susan Hares; ibnemo@ietf.org
Subject: Re: [Ibnemo] Policies and Intent-Based Networking

 

Hello,

My naive opinion on the topic would be as follows:
    -Can all policies be expressed as an Intent? 
     Yes, in the sense that Intent is the "mother" of all policies; this is
what the user initially wants the system to achieve. 

    -Should all policies be expressed as Intent? 
     Not necessarily. Systems limitations and complexity make it more
simple/direct to write a low-level policy/command (i.e. what the majority of
policy-based systems does).

A key, hidden point is the policy continuum: 
    1)-at which level of abstraction the policy starts, 
    2)-which level of abstraction the end systems (those receiving the
policy) "understand" (the level of support may be non-uniform),
    3)-what mechanisms exist to translate from 1) to 2), taking into account
possible intermediate levels/layers (e.g. user or service level, network
level, function level, protocol level, resource level..)

Wrt. Sue's example, I would see an intent-policy defined as: "Steer customer
traffic to relevant customer gateway, and all other traffic to default
(Internet) gateway." (i.e. the "system" will have to figure out how to
understand and translate different customers, what are the right gateways,
etc.)

HTH, best regards, Laurent.




On 05/10/2015 16:49, PEDRO ANDRES ARANDA GUTIERREZ wrote:

Hi Sue,

 

Thanks for clarifying… this is a good food for thought. Answers inline…

 

/PA

 

De: Sue Hares
Fecha: lunes, 5 de octubre de 2015, 14:49
Para: "ibnemo@ietf.org"
CC: 'Zhoutianran', "'Bert Wijnen (IETF)'", paag
Asunto: Policies and Intent-Based Networking 

 

Hi all: 

 

Can all policies be expressed an Intent?

 

OK, then we end up with something we didn’t quite like/agree upon in Prague:
there are different players with different interests and background.
Therefore, there will be different intents (scoped by the actor’s view of
the world) and maybe different ways of expressing intent, depending on the
user’s background.

 

I’m trying to determine what policies can or cannot be expressed.  Any
example would be helpful.

 

Here’s three policies I’d like to discuss: 

 

1)      Traffic flow policies   

2)      BGP policies for route flow 

3)      Policy filters controlling routes, 

 

I’m working on the I2RS extensions for Filter-Based RIB and BGP (normal and
flow filters).    The I2RS Filter-based RIB allow for policies for routing
(forwarding a layer 3) to be associated with a set of interfaces.   For
example, 

 

Forwarding filter 1:  128.2/16 nexthop 128.2.1.1     

Forwarding filters 2:   128.5.1/24 nexthop 128.2.1.2  

 

And the rest get forwarded to the default RIB which 

                  128/8  nexthop 128.2.1.3 

 

The intent  is that customer 1 has 128.2/16, and customer 2 has 128.5.1/24.
This node links to these VPNs via 128.2.1.1 (customer1), and 128.2.1.2
(customer 3).  All other traffic goes to the Internet.

How do I link this to the normal example of Intent?   Can we render intent
down to this level or should I be using a higher level?

 

 

Let me try a hands-on in NEMO ;-) 

 

So we have two LinkModels:

 

LinkModel VPN Property IPPrefix:nextHop, IPPrefix:destinationPrefix;

LinkModel Internet Property IPPrefix:nextHop;

 

And three Links

 

Link VPN1 Type VPN Property nextHop:”128.2.1.1/32”,
destinationPrefix:”128.2/16” ;

Link VPN2 Type VPN Property nextHop:”128.2.1.2/32”,
destinationPrefix:”128.5.1/24” ;

Link Default Type Internet Property nextHop:”128.2.1.3/32” ;

 

Then we would need 2 NodeModels:

 

NodeModel VPNTermination Property IPPrefix:ID, list(IPPrefix): subnets ;

NodeModel InternetNode Property IPPrefix:ID;

 

And then the nodes:

 

Node VPNTermination1 Type VPNTermination Property ID:”128.2.1.1/32”,
subnets:”128.2/16” ;

Node VPNTermination2 Type VPNTermination Property ID:”128.2.1.2/32”,
subnets:”128.5.1/24” ;

Node InternetAccess Type InternetNode Property ID:”128.2.1.3/32” ;

 

And finally the connections between the nodes:

 

Link VPN1 Type VPN EndNodes thisNode,VPNTermination1 ;

Link VPN2 Type VPN EndNodes thisNode,VPNTermination2 ;

Link Default Type Internet EndNodes thisNode,InternetAccess ;

 

So 

 

Conclusion no. 1: Yes we can… 

Conclusion no.2: Maybe a bit redundant, right? But this can also be
positive, because it would allow for a lot of consistency checking …

 

Dunno what others think…

 

My .02 cents,

 

---

Dr. Pedro A. Aranda Gutiérrez

 

Technology Exploration -

Network Innovation & Virtualisation

email: pedroa d0t aranda At telefonica d0t com

Telefónica, Investigación y Desarrollo

C/ Zurbarán,12

28010 Madrid, Spain

 

Fragen sind nicht da, um beantwortet zu werden.

Fragen sind da, um gestellt zu werden.

Georg Kreisler

 

 


  _____  



Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario,
puede contener información privilegiada o confidencial y es para uso
exclusivo de la persona o entidad de destino. Si no es usted. el
destinatario indicado, queda notificado de que la lectura, utilización,
divulgación y/o copia sin autorización puede estar prohibida en virtud de la
legislación vigente. Si ha recibido este mensaje por error, le rogamos que
nos lo comunique inmediatamente por esta misma vía y proceda a su
destrucción.

The information contained in this transmission is privileged and
confidential information intended only for the use of the individual or
entity named above. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution or
copying of this communication is strictly prohibited. If you have received
this transmission in error, do not read it. Please immediately reply to the
sender that you have received this communication in error and then delete
it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário,
pode conter informação privilegiada ou confidencial e é para uso exclusivo
da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário
indicado, fica notificado de que a leitura, utilização, divulgação e/ou
cópia sem autorização pode estar proibida em virtude da legislação vigente.
Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique
imediatamente por esta mesma via e proceda a sua destruição






_______________________________________________
Ibnemo mailing list
Ibnemo@ietf.org
https://www.ietf.org/mailman/listinfo/ibnemo

 

-- 




Bien cordialement, Best regards,

 

Laurent Ciavaglia

Secure Cloud Networking

Bell Labs | Alcatel Lucent

 

phone: +33 160 402 636 

email: laurent.ciavaglia@alcatel-lucent.com

linkedin:  <http://fr.linkedin.com/in/laurentciavaglia/> laurentciavaglia

address: Route de Villejust | 91620 Nozay | France

 

-- 



Bien cordialement, Best regards,

 

Laurent Ciavaglia

Secure Cloud Networking

Bell Labs | Alcatel Lucent

 

phone: +33 160 402 636 

email: laurent.ciavaglia@alcatel-lucent.com

linkedin:  <http://fr.linkedin.com/in/laurentciavaglia/> laurentciavaglia

address: Route de Villejust | 91620 Nozay | France