Reviews for Hinrichs2009FML


Rodrigo Fonseca

Mar 6, 2013, 10:02:41 PM
to csci2950u-...@googlegroups.com
Hi,

Please post your reviews as a group reply to this message.

Rodrigo

Zhiyuan "Eric" Zhang

Mar 6, 2013, 11:30:23 PM
to csci2950u-...@googlegroups.com

Paper Title

Thoughts on Practical Declarative Network Management

 

Authors

Timothy Hinrichs, Natasha Gude, Martin Casado, John Mitchell, Scott Shenker

 

Date

Workshop on Research in Enterprise Networks (WREN) 2009

 

Novel Idea

This paper presents Flow Management Language (FML), a declarative language for network policy and management. Basically this language specifies policies based on flows in the network. Another idea is that the order of the policies is irrelevant. The authors argue that order irrelevance makes it easier to combine and interpret policies. FML is implemented on top of NOX, although the authors mention that the principles of their design generalize to any flow-based architecture.

 

Evidence

The authors discuss four network management tasks: access control, quality of service, NAT administration and admission control. They first demonstrate how FML can be used in these tasks, and then they describe their implementation of FML and their experience of deploying it on operational networks.

 

Prior Work

FML is based on a subset of DataLog[15]. It also relates to prior research in PL about policy conflicts, conflict detection and conflict resolution[3][15][18].

 

Reproducibility

The language itself doesn't seem to be tricky, although the algorithms in Appendix B could take some work to implement. The authors mention that the implementation is roughly 10,000 lines of Python and C++ code.

 

Question & Criticism

I don't quite buy the idea that order irrelevance is better than the other way. The authors argue that order irrelevance is simpler in language design and implementation. However, the order is still relevant in FML cascades, and priority is another form of order. I doubt that order irrelevance with all these schemes can be better than an order-based design. After all, these two are in some sense theoretically identical to me.

Tan "Charles" Zhang

Mar 6, 2013, 11:51:21 PM
to csci2950u-...@googlegroups.com
Paper Title: Practical declarative network management

Authors: Timothy L. Hinrichs, Natasha S. Gude, Martin Casado, John C. Mitchell, Scott Shenker

Date: August 21st, 2009 WREN

Novel Idea:
This paper presented a high-level declarative policy language for managing the configuration of enterprise networks called flow-based management language (FML).

Main Results and evidence: They gave a description of the formal definition of the FML rules and policies as well as conflict resolution, and applied FML to several common network management tasks including access control, quality of service, NAT administration, and admission control, and discussed conflict resolution in these scenarios. They deployed FML to manage two operational networks. In benchmarks using generated traffic, their implementation running with their internal policy file supports permission checks on over 30,000 flows/s.

Impact:
FML is a high-level network management language which provides much simplicity and flexibility compared with old ways of doing it.

Prior work: The security and artificial intelligence communities have contributed some of the features of declarative languages to the design of FML, like DATALOG.

Criticism:
Limited real world testing and deployment.

Christopher Picardo

Mar 7, 2013, 12:00:06 AM
to csci2950u-...@googlegroups.com

 

Paper Review - Christopher B. Picardo

Paper Title:

Practical Declarative Network Management

Author(s):

Timothy L. Hinrichs, Natasha S. Gude, Martin Casado, John C. Mitchell, Scott Shenker.

Date:

August 21, 2009, Barcelona, Spain.

Novel Idea:

FML (Flow-based Management Language), is a declarative policy language for managing the configuration of enterprise networks. It allows succinct, structured, high-level specification of various management tasks, freeing network administrators from the dull work of configuring a large number of router ACLs, firewalls, NATs, and VLANs to achieve comprehensive and conceptually simple network usage policies. 

Main Results:


Enables administrators to focus on policy decisions instead of implementation details.

Supports prioritized policy combination, a way to express many policies and enables incremental policy updates.

FML can scale to very large networks while supporting policy files of tens of thousands of rules.

 

 

Impact:

FML is a simple language that can be used to express many common configurations used in networks today.

FML was designed to admit efficient implementation, suitable for large enterprise networks.

Evidence:

Authors apply FML to several common network management tasks: access control, quality of service, conflict resolution, NAT administration, and admission control.

 

Prior work:

NOX, a network-wide control plane that enforces policies on every flow in the network, is implemented as the successor of Ethane, and checks the first package of every flow against the network policy before admitting the flow onto the network.

[7] M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown, and S. Shenker. Ethane: Taking control of the enterprise. In Proc. ACM SIGCOMM Conference, Kyoto, Japan, Aug. 2007.  


Question:

Maintainability and scalability of policy statements for very large networks seems to be a problem. Also, how can network administrators modify policy statements to provide context like xml, to suit their needs?

 

Criticism:

It is not clear to me what is the meaning of the average matches found in Tables 5 and 6. Please clarify.

DTrejo

Mar 7, 2013, 12:51:52 AM
to csci2950u-...@googlegroups.com
Paper: Practical Declarative Network Management by Timothy L. Hinrichs, Natasha S. Gude, Martin Casado, John C. Mitchell, Scott Shenker
Novel Idea: A high-level declarative language to replace acls, vlans, nats, policy-routing, proprietary admission control systems.
Results: FML proved to be effective in example applications and multiple operational networks. A linear-time FML implementation approach is presented which allows network-speed decision making.
Impact: A battle-tested language model for flow-management that can serve as a great inspiration for future evolution of flow-management languages.
Evidence: Sample applications and operational network deployments.
Prior work: XACML, P3P, NOX.
Reproducibility: High, implementation details are well-fleshed out.
Criticism: None. Implementation was tested in real-world scenarios and bore out its performance goals.

On Wednesday, March 6, 2013 10:02:41 PM UTC-5, Rodrigo Fonseca wrote:

Shao, Tuo

Mar 6, 2013, 11:18:02 PM
to csci2950u-...@googlegroups.com
Paper Title
Practical Declarative Network Management

Authors
Timothy L. Hinrichs, Natasha S. Gude, Martin Casado, John C. Mitchell, Scott Shenker

Date
WREN’09, August 21, 2009

Novel Idea
This paper presents a lightweight declarative language called FML to provide abstraction for static SDN configuration.

Main Results
The paper gives the definition of FML RULE and FML POLICY as the syntax of this language. In order to resolve conflicts, it assigns keywords and policies with different priorities. It also provides the internal policy evaluation mechanism.

Impact
The FML Language helps reduce the labor for network configuration by declaring policies.

Evidence
The paper discusses examples like access control, quality of service, NAT and admission control to which this language can apply. By using this language in the deployment of a small business network and a large medical university network, it shows this language could be used to enforce admission and access control. In its benchmark test, the performance also satisfies the requirements of large enterprises.

Prior Work and Competitive Work
The FML language is a restricted form of Datalog and its highest-level design decision is based on Datalog. Unlike entity relationship modeling and high-level language design, the FML language broadens the scope of network configuration.

Reproducibility
Given the syntax of this language and internal evaluation mechanism, we can rewrite the compiler of the language and apply it to an SDN network like NOX.

Criticism and Question
This language is lightweight and static and lacks many useful features. For example, we can group variables together like users in the same department or IP addresses in the same subnet. This could save a lot of labor configuring for each of these variables.
It also couldn't react to dynamic change of the network. For example, the QoS like delay and jitter of previous flows could be affected by later flows.



Rodrigo


Place, Jordan

Mar 6, 2013, 10:55:48 PM
to csci2950u-...@googlegroups.com
Practical Declarative Network Management
Timothy L Hinrichs, Natasha S. Gude, Martin Casado, John C. Mitchell,
Scott Shenker
WREN '09
This paper presents Flow-based Management Language (FML) as an
easy and correct means of expressing network flow policies. FML,
similar to Ethane, allows network administrators to express policies
in terms of high-level network entities and have these policies
automatically installed in routers. The rules these policies consist
of are composed of predicates and a set of eight flow properties used
to match flows. These policies are compiled into a decision tree which
is then traversed to determine what should happen to new flows
entering the network.
The authors focus on the semantics and expressibility of the
language. FML is designed to prevent network administrator error.
Conflicts in policies are not order-based, but instead are resolved by
either priority or restrictiveness. This not only prevents network
administrators from ordering rules incorrectly, but also allows for
collaborative or distributed policy construction.
This paper is well written. The authors justify their language
design decisions clearly: FML is simple to read, write and understand
and allows policy authors total control over how flows enter and move
through a network.
FML is already deployed so all functionality and performance
claims are highly reproducible. The authors mention FML's limitations
in terms of scalability and policy debugging.
I wonder if FML might be expanded to incorporate user-made policies
on top of network administration policies. Suppose FML manages Brown's
network but the CS department (or some research group within it)
wants to make some policies to better secure computing clusters or
guarantee bandwidth for high priority flows. Might they be able to
write some policies for hosts and routers under their control?

On Wed, Mar 6, 2013 at 10:02 PM, Rodrigo Fonseca
<rodrigo...@gmail.com> wrote:

Papagiannopoulou, Dimitra

Mar 7, 2013, 6:44:33 AM
to Rodrigo Fonseca, csci2950u-...@googlegroups.com

Paper Title: Practical Declarative Network Management

 

Authors: Timothy L. Hinrichs, Natasha S. Gude, Martin Casado, John C. Mitchell, Scott Shenker

 

 

Novel Idea: In this paper, the authors present Flow-based Management Language (FML), a high-level declarative policy language for managing the configuration of enterprise networks, that is built to replace existing network configuration practices. FML can be used to express network-wide policies about a variety of different management tasks within a single framework.

 

Main Results: The main result is the design, implementation and testing of FML, a simple language that can be used to express many common configurations used in networks today. The authors show how FML can allow high-level specification of various management tasks and free network administrators from configuring router ACLs, firewalls, NATs and VLANs.

 

 

Impact: The contribution of this paper is significant, since it proposes a language that can replace existing configuration mechanisms that are traditionally used in enterprise networks and often result in networks whose connectivity is determined by low-level configuration code that doesn't evolve as the network does.

 

Evidence: In this paper, the authors provide a detailed description and analysis of FML. They demonstrate its features through a series of example applications and provide an analysis of its implementation environment. They share their experiences from testing the language in two operational networks and present performance numbers that show its scaling properties. Specifically, they report performance and overhead numbers of their FML implementation over policies with increasing rule count. During the presentation of FML, the authors use formal definitions and proved theorems. They include examples in which they apply FML to various common network management tasks such as access control, quality of service, NAT administration and admission control.

 

Prior Work: FML was built as the underlying policy language for NOX [10] - a successor of Ethane [7] - that is a network-wide control plane that enforces policies on every flow in the network. Also, FML is based on a restricted form of DATALOG. The formal semantics of FML can be defined using usual semantics [17] of logic programming or database theory.

 

Reproducibility: The results of this work are reproducible.

 

Competitive Work: A number of approaches have been proposed for making firewall configuration more manageable (for example, using entity relationship modeling [2] and high level language design [11]). This work has similar objectives but it has a broader scope compared to the aforementioned works (for example it includes other common network configurations such as QoS, route control, NAT and broadcast isolation).

 

Criticism: Overall, this is a very good work that proposes a complete solution that could replace existing traditional configuration mechanisms. FML enforces policies efficiently and allows structured, high-level specification of various management tasks. Apart from demonstrating its efficiency through a series of examples and describing its design in theory, the authors also tested FML in various operational networks under demanding loads, to show that it has modest memory requirements and can scale to very large networks. Finally, they include concrete future plans and discuss how they plan to improve FML further.

 

 


On Wed, Mar 6, 2013 at 10:02 PM, Rodrigo Fonseca <rodrigo...@gmail.com> wrote:

Rodrigo

Rodrigo Fonseca

Mar 7, 2013, 9:49:32 AM
to csci2950u-...@googlegroups.com

On Behalf of Jeff Rasley (just to be on the same thread):

Authors: U. Chicago (T. Hinrichs), Stanford, and S. Shenker

Context: WREN '09, SIGCOMM workshop

This paper presents the declarative policy language called Flow-based Management Language (FML) which is used to manage enterprise networks. This work builds off of the previous work by NOX and Ethane and is directly implemented within NOX. The group created FML to provide a high level mechanism to create network policies; throughout the paper they use the following example applications: ACLs, NAT, QoS, & Admission Controls.

The primary contribution of this work is the FML language itself and its resulting implementation. The authors also state that its expressiveness to work with various applications and its efficient implementation are also contributions.

The only real previously related work to this is DATALOG and XACML, which are both declarative languages. Additionally, an interesting aspect of FML is how it deals with conflicts. Policies that conflict have static rules about how the conflict is resolved, for example allow/deny flows will always defer to the deny rule, this seems potentially restricting and/or cumbersome for certain rules. The authors discuss ways around it with the use of what they call FML Cascades, which are policies with ordering priorities.

Comment: The authors mention that they implemented all of the applications they list except for QoS, however this seems to be the most difficult/interesting of the applications listed. I am curious about how specifically one could enforce jitter, latency and bandwidth policies in the same concrete way as an ACL. I know there exists a decent amount of recent work in trying to enforce bandwidth guarantees. I guess the authors are just saying that if we had efficient mechanisms to enforce these features then FML would be a good way for network operators to set them without having to deal with the low-level details.


On Wed, Mar 6, 2013 at 10:02 PM, Rodrigo Fonseca <rodrigo...@gmail.com> wrote:

Rodrigo
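
The conflict handling discussed in the reviews above (rule order being irrelevant, deny winning over allow, and cascades bringing priority back) can be checked against ordinary first-match ACL evaluation. This is an added example, not code from the paper, from NOX or from any reviewer; the rule representation, the field names `src_user`, `dst_host` and `protocol`, the default-deny fallback and the cascade model (the first policy with a matching rule decides) are assumptions made here, not FML syntax.

```python
from itertools import permutations

# Simplified model, not FML syntax: a rule is (action, match); match maps
# hypothetical flow-field names to the values the flow must carry.
RESTRICTIVENESS = {"allow": 0, "deny": 1}  # on conflict the more restrictive action wins

def matches(match, flow):
    return all(flow.get(field) == value for field, value in match.items())

def decide(policy, flow, default="deny"):
    """Order-independent: gather every matching rule, keep the most restrictive action.
    The default for unmatched flows is an assumption of this example."""
    actions = {action for action, match in policy if matches(match, flow)}
    return max(actions, key=RESTRICTIVENESS.get) if actions else default

def decide_cascade(cascade, flow, default="deny"):
    """Cascade modelled as policies listed highest priority first: the first
    policy containing any matching rule decides; order matters only between policies."""
    for policy in cascade:
        if any(matches(match, flow) for _, match in policy):
            return decide(policy, flow, default)
    return default

def first_match(rules, flow, default="deny"):
    """Ordered ACL semantics, for contrast: the first matching rule decides."""
    for action, match in rules:
        if matches(match, flow):
            return action
    return default

def outcomes_over_orderings(evaluator, rules, flow):
    """Set of decisions the evaluator produces across every ordering of the rules."""
    return {evaluator(list(order), flow) for order in permutations(rules)}

# Constructed sample policy and flow (not taken from the paper).
POLICY = [
    ("allow", {"dst_host": "cluster"}),
    ("deny", {"src_user": "guest"}),
    ("allow", {"protocol": "ssh"}),
]
EXCEPTION = [("allow", {"src_user": "guest", "dst_host": "cluster", "protocol": "ssh"})]
GUEST_SSH = {"src_user": "guest", "dst_host": "cluster", "protocol": "ssh"}

if __name__ == "__main__":
    print("unordered:", outcomes_over_orderings(decide, POLICY, GUEST_SSH))
    print("first-match:", outcomes_over_orderings(first_match, POLICY, GUEST_SSH))
    print("exception above base:", decide_cascade([EXCEPTION, POLICY], GUEST_SSH))
    print("base above exception:", decide_cascade([POLICY, EXCEPTION], GUEST_SSH))
```

Under first-match evaluation a misplaced rule silently admits the guest flow, while the unordered policy gives the same answer for every ordering; the cascade makes the one place where order matters explicit and auditable.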
