

Title: A Behavior-Driven Approach to Intent Specification for Software-Defined Infrastructure Management
One goal of Software-Defined Networking (SDN) is to let users specify high-level policies that are then translated into lower-level network rules. Managing a network and deciding which set of policies is appropriate, however, requires expertise and low-level know-how. An emerging SDN paradigm is to let users express higher-level network decisions as "intents". Despite its importance in simplifying network management, intent specification is not yet standardized. In this work, we propose a northbound interface (NBI) for intent declaration based on Behavior-Driven Development. In our approach, intents are specified in plain English and translated by our system into pre-compiled network policies, which are in turn converted into low-level rules by the software-defined infrastructure, e.g. an SDN controller. We demonstrate our behavior-driven approach with two practical use cases: service function chaining deployed on OpenStack, supported by both the ONOS and Ryu controllers, and dynamic firewall programming. We also measure the overhead and response time of our NBI. We believe that our approach is far more general and paves the way for a more expressive and simpler northbound interface for intent-driven networking.
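The abstract describes a two-stage pipeline: a plain-English, Gherkin-style intent is matched against pre-compiled policy templates, and the resulting policy is rendered into the low-level rules a controller installs. The sketch below is an added example written for this page, not the paper's NBI or its grammar: the Given/When/Then phrasing, the two policy templates (firewall and service chain), the single-switch service-function port registry and the OpenFlow-like rule format are all assumptions, and the two sample intents are constructed. It shows the one point a practitioner would want to check in such a translator: an intent that does not match a known template, or that names an unknown service function, is rejected outright rather than silently installing a partial rule set.

```python
"""Behavior-driven intent translation, illustrated.

Added example, not the paper's code. Maps a Gherkin-style intent onto
pre-compiled policy templates, then renders the policy as OpenFlow-like rules.
Phrasing, template names, port numbers and rule format are assumptions.
"""
import ipaddress
import re
from typing import Dict, List

# Hypothetical service-function registry: name -> (ingress port, egress port)
# on a single switch. Constructed for this example.
SERVICE_FUNCTIONS = {"firewall": (3, 4), "ids": (5, 6)}
PROTO_NUMBERS = {"tcp": 6, "udp": 17}

# Pre-compiled step patterns (assumed grammar, one regex per Gherkin step).
STEP_PATTERNS = {
    "given": re.compile(r"^Given hosts in (?P<src>\S+)$"),
    "when": re.compile(r"^When they send (?P<proto>TCP|UDP) traffic to port (?P<dport>\d+)$", re.I),
    "then_block": re.compile(r"^Then block the traffic$"),
    "then_chain": re.compile(r"^Then steer the traffic through (?P<chain>.+)$"),
}

# Constructed sample intents in the assumed phrasing.
SAMPLE_INTENTS = [
    "Feature: dynamic firewall\nScenario: block SSH from guests\n"
    "Given hosts in 10.0.2.0/24\nWhen they send TCP traffic to port 22\nThen block the traffic",
    "Feature: service function chaining\nScenario: inspect web traffic\n"
    "Given hosts in 10.0.1.0/24\nWhen they send TCP traffic to port 80\n"
    "Then steer the traffic through firewall then ids",
]


class IntentError(ValueError):
    """Raised when an intent cannot be mapped onto a known policy template."""


def parse_intent(text: str) -> Dict:
    """Stage 1: plain-English steps -> policy dict, failing closed on anything unrecognised."""
    policy: Dict = {}
    for step in (line.strip() for line in text.splitlines() if line.strip()):
        if step.startswith(("Feature:", "Scenario:")):
            continue
        if m := STEP_PATTERNS["given"].match(step):
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.2.7/24
            policy["src"] = str(ipaddress.ip_network(m["src"], strict=True))
        elif m := STEP_PATTERNS["when"].match(step):
            policy["proto"] = m["proto"].lower()
            policy["dport"] = int(m["dport"])
        elif STEP_PATTERNS["then_block"].match(step):
            policy["type"] = "firewall"
        elif m := STEP_PATTERNS["then_chain"].match(step):
            chain = [s.strip() for s in re.split(r"\bthen\b|,", m["chain"]) if s.strip()]
            unknown = [s for s in chain if s not in SERVICE_FUNCTIONS]
            if unknown:
                raise IntentError(f"unknown service function(s): {unknown}")
            policy["type"], policy["chain"] = "chain", chain
        else:
            raise IntentError(f"unrecognised step: {step!r}")
    missing = {"src", "proto", "dport", "type"} - policy.keys()
    if missing:
        raise IntentError(f"incomplete intent, missing {sorted(missing)}")
    return policy


def compile_rules(policy: Dict) -> List[Dict]:
    """Stage 2: policy dict -> OpenFlow-like rules (assumed shape: priority, match, actions)."""
    base_match = {
        "eth_type": 0x0800,
        "ipv4_src": policy["src"],
        "ip_proto": PROTO_NUMBERS[policy["proto"]],
        f"{policy['proto']}_dst": policy["dport"],
    }
    if policy["type"] == "firewall":
        # An empty action list drops the packet; outranks ordinary forwarding rules.
        return [{"priority": 200, "match": dict(base_match), "actions": []}]
    rules, in_port = [], None
    for sf in policy["chain"]:
        ingress, egress = SERVICE_FUNCTIONS[sf]
        match = dict(base_match)
        if in_port is not None:
            match["in_port"] = in_port  # pin each hop to the previous function's egress
        # Pinned hops must outrank the entry rule, or traffic leaving a function
        # would match the entry rule again and re-enter the chain.
        rules.append({"priority": 100 if in_port is None else 110,
                      "match": match, "actions": [f"output:{ingress}"]})
        in_port = egress
    rules.append({"priority": 110, "match": {**base_match, "in_port": in_port}, "actions": ["NORMAL"]})
    return rules


def translate(text: str) -> List[Dict]:
    return compile_rules(parse_intent(text))


def is_rejected(text: str) -> bool:
    """True if the intent is refused (nothing would be installed)."""
    try:
        translate(text)
    except (IntentError, ValueError):
        return True
    return False


if __name__ == "__main__":
    for intent in SAMPLE_INTENTS:
        for rule in translate(intent):
            print(rule)
```

The service chain renders as one rule per hop on a single switch, each pinned to the previous function's egress port so a hop cannot be skipped; a real deployment spans several switches and the controller would emit the equivalent rules on each, but the fail-closed parsing and the priority ordering between the entry rule and the pinned hops carry over unchanged.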
Award ID(s):
1647084
NSF-PAR ID:
10082121
Journal Name:
2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Intent-based networking (IBN) promises to simplify the network management and automated orchestration of high-level policies in future networking architectures such as software-defined networking (SDN). However, such abstraction and automation creates new network visibility challenges. Existing SDN network forensics and diagnostics tools operate at a lower level of network abstraction, which makes intent-level reasoning difficult. We present PROVINTENT, a framework extension for SDN control plane tools that accounts for intent semantics. PROVINTENT records the provenance and evolution of intents as the network’s state and apps’ requests change over time and enables reasoning at multiple abstractions. We define an intent provenance model, we implement a proof-of-concept tool, and we evaluate the efficacy of PROVINTENT’s explanatory capabilities by using a representative intent-driven network application. 
  2. Poster Abstract: To interconnect research facilities across wide geographic areas, network operators deploy science networks, also referred to as Research and Education (R&E) networks. These networks allow experimenters to establish dedicated network connections between research facilities for transferring large amounts of data. Recently, R&E networks have started using Software-Defined Networking (SDN) and Software Defined Exchanges (SDX) for deploying these connections. AtlanticWave/SDX is a response to the growing demand to support end-to-end network services spanning multiple SDN domains. However, requesting these services is a challenging task for domain-expert scientists, because the interfaces of the R&E networks have been developed by network operators for network operators. In this paper, we propose interfaces that allow domain expert scientists to reserve resources of the scientific network using abstractions that focus on their data transfer needs for scientific workflow management. Recent trends in the networking field pursue better interfaces for requesting network services (e.g., intent-based networking). Although intents are sufficient for the needs of network operations, they are not abstract enough in most cases to be used by domain-expert scientists. This is an issue we are addressing in the AtlanticWave/SDX design: network operators and domain expert scientists will have their own interfaces focusing on their specific needs. 
  3. In the Software Defined Networking (SDN) and Network Function Virtualization (NFV) era, it is critical to enable dynamic network access control. Traditionally, network access control policies are statically predefined as router entries or firewall rules. SDN enables more flexibility by reactively installing flow rules into the switches to achieve dynamic network access control. However, SDN is limited in capturing network anomalies, which are usually important signs of security threats. In this paper, we propose to employ an anomaly-based Intrusion Detection System (IDS) to capture network anomalies and generate SDN flow rules to enable dynamic network access control. We gain knowledge of network anomalies from the anomaly-based IDS by training an interpretable model to explain its outcome. Based on the explanation, we derive access control policies. We demonstrate the feasibility of our approach by explaining the outcome of an anomaly-based IDS built upon a Recurrent Neural Network (RNN) and generating SDN flow rules based on our explanation.
  4. Policy information in computer networking today, such as the reachability objectives of a controller program running on a Software Defined Network (henceforth referred to as SDN) or Border Gateway Protocol (henceforth referred to as BGP) configurations independently set by autonomous networks, is hard to manage. This is in sharp contrast to the relational data structured in a database, which allows easy access. This paper asks why we cannot (or how we can) turn network policies into relational data. One difficulty with such an approach is that a policy does not always translate to a definite network snapshot, but rather is fully described only when we include all the possible network states it admits. We propose relational policies that, while capable of representing and manipulating sets of network states in exactly the same way as a single one, form a strong representation system and accurately capture the information in a policy through the usual Structured Query Language (henceforth referred to as SQL) interface. We demonstrate how, just as relational databases improve application productivity and enable rapid innovation, relational policies allow us to extend the elegant solutions that the database community developed to mediate multiple data sources, in order to address long-standing challenges and new opportunities for autonomous policy making in the distributed networking environment. We also show the feasibility of relational policies by evaluation on synthetic policies and realistic network topologies.