Paper Title
Thoughts on Practical Declarative Network Management
Authors
Timothy Hinrichs, Natasha Gude, Martin Casado, John Mitchell, Scott Shenker
Date
Workshop on Research in Enterprise Networks (WREN) 2009
Novel Idea
This paper presents Flow Management Language (FML), a declarative language for network policy and management. Basically, this language specifies policies based on flows in the network. Another idea is that the order of the policies is irrelevant. The authors argue that order irrelevance makes it easier to combine and interpret policies. FML is implemented on top of NOX, although the authors mention that the principles of their design generalize to any flow-based architecture.
Evidence
The authors discuss four network management tasks: access control, quality of service, NAT administration and admission control. They first demonstrate how FML can be used in these tasks, and then they describe their implementation of FML and their experience of deploying it on operational networks.
Prior Work
FML is based on a subset of DataLog[15]. It also relates to prior research in PL about policy conflicts, conflict detection and conflict resolution[3][15][18].
Reproducibility
The language itself doesn't seem to be tricky, although the algorithms in Appendix B could take some work to implement. The authors mention that the implementation is roughly 10,000 lines of Python and C++ code.
Question & Criticism
I don't quite buy the idea that order irrelevance is better than the other way. The authors argue that order irrelevance is simpler in language design and implementation. However, the order is still relevant in FML cascades, and priority is another form of order. I doubt that order irrelevance with all these schemes can be better than an order-based design. After all, these two are in some sense theoretically identical to me.
Paper Review - Christopher B. Picardo
Paper Title:
Practical Declarative Network Management
Author(s):
Timothy L. Hinrichs, Natasha S. Gude, Martin Casado, John C. Mitchell, Scott Shenker.
Date:
August 21, 2009, Barcelona, Spain.
Novel Idea:
FML (Flow-based Management Language), is a declarative policy language for managing the configuration of enterprise networks. It allows succinct, structured, high-level specification of various management tasks, freeing network administrators from the dull work of configuring a large number of router ACLs, firewalls, NATs, and VLANs to achieve comprehensive and conceptually simple network usage policies.
Main Results:
Enables administrators to focus on policy decisions instead of implementation details.
Supports prioritized policy combination, a way to express many policies and enables incremental policy updates.
FML can scale to very large networks while supporting policy files of tens of thousands of rules.
Impact:
FML is a simple language that can be used to express many common configurations used in networks today.
FML was designed to admit efficient implementation, suitable for large enterprise networks.
Evidence:
Authors apply FML to several common network management tasks: access control, quality of service, conflict resolution, NAT administration, and admission control.
Prior work:
NOX, a network-wide control plane that enforces policies on every flow in the network, is implemented as the successor of Ethane, and checks the first packet of every flow against the network policy before admitting the flow onto the network.
[7] M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown, and S. Shenker. Ethane: Taking control of the enterprise. In Proc. ACM SIGCOMM Conference, Kyoto, Japan, Aug. 2007.
Question:
Maintainability and scalability of policy statements for very large networks seem to be a problem. Also, how can network administrators modify policy statements to provide context, like XML, to suit their needs?
Criticism:
It is not clear to me what is the meaning of the average matches found in Tables 5 and 6. Please clarify.
Rodrigo--
Paper Title: Practical Declarative Network Management
Authors: Timothy L. Hinrichs, Natasha S. Gude, Martin Casado, John C. Mitchell, Scott Shenker
Novel Idea: In this paper, the authors present Flow-based Management Language (FML), a high-level declarative policy language for managing the configuration of enterprise networks, that is built to replace existing network configuration practices. FML can be used to express network-wide policies about a variety of different management tasks within a single framework.
Main Results: The main result is the design, implementation and testing of FML, a simple language that can be used to express many common configurations used in networks today. The authors show how FML can allow high-level specification of various management tasks and free network administrators from configuring router ACLs, firewalls, NATs and VLANs.
Impact: The contribution of this paper is significant, since it proposes a language that can replace existing configuration mechanisms that are traditionally used in enterprise networks and often result in networks whose connectivity is determined by low-level configuration code that doesn't evolve as the network does.
Evidence: In this paper, the authors provide a detailed description and analysis of FML. They demonstrate its features through a series of example applications and provide an analysis of its implementation environment. They share their experiences from testing the language in two operational networks and present performance numbers that show its scaling properties. Specifically, they report performance and overhead numbers of their FML implementation over policies with increasing rule count. During the presentation of FML, the authors use formal definitions and proved theorems. They include examples in which they apply FML to various common network management tasks such as access control, quality of service, NAT administration and admission control.
Prior Work: FML was built as the underlying policy language for NOX [10] - a successor of Ethane [7] - that is a network-wide control plane that enforces policies on every flow in the network. Also, FML is based on a restricted form of DATALOG. The formal semantics of FML can be defined using usual semantics [17] of logic programming or database theory.
Reproducibility: The results of this work are reproducible.
Competitive Work: A number of approaches have been proposed for making firewall configuration more manageable (for example, using entity relationship modeling [2] and high-level language design [11]). This work has similar objectives but has a broader scope compared to the aforementioned works (for example, it includes other common network configurations such as QoS, route control, NAT and broadcast isolation).
Criticism: Overall, this is very good work that proposes a complete solution that could replace existing traditional configuration mechanisms. FML enforces policies efficiently and allows structured, high-level specification of various management tasks. Apart from demonstrating its efficiency through a series of examples and describing its design in theory, the authors also tested FML in various operational networks under demanding loads, to show that it has modest memory requirements and can scale to very large networks. Finally, they include concrete future plans and discuss how they plan to improve FML further.
Rodrigo
On Behalf of Jeff Rasley (just to be on the same thread):
Authors: U. Chicago (T. Hinrichs), Stanford, and S. Shenker
Context: WREN '09, SIGCOMM workshop
This paper presents the declarative policy language called Flow-based Management Language (FML), which is used to manage enterprise networks. This work builds off of the previous work on NOX and Ethane and is directly implemented within NOX. The group created FML to provide a high-level mechanism to create network policies; throughout the paper they use the following example applications: ACLs, NAT, QoS, and admission control.
The primary contribution of this work is the FML language itself and its resulting implementation. The authors also state that its expressiveness to work with various applications and its efficient implementation are also contributions.
The only real previously related work to this is DATALOG and XACML, which are both declarative languages. Additionally, an interesting aspect of FML is how it deals with conflicts. Policies that conflict have static rules about how the conflict is resolved; for example, allow/deny flows will always defer to the deny rule. This seems potentially restricting and/or cumbersome for certain rules. The authors discuss ways around it with the use of what they call FML Cascades, which are policies with ordering priorities.
Comment: The authors mention that they implemented all of the applications they list except for QoS, however this seems to be the most difficult/interesting of the applications listed. I am curious about how specifically one could enforce jitter, latency and bandwidth policies in the same concrete way as an ACL. I know there exists a decent amount of recent work in trying to enforce bandwidth guarantees. I guess the authors are just saying that if we had efficient mechanisms to enforce these features then FML would be a good way for network operators to set them without having to deal with the low-level details.
Rodrigo
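To make the order-irrelevance and cascade discussion in these reviews concrete, here is a small toy evaluator, added as an example and not code from the paper, NOX or the FML implementation. It assumes a simplified model: a policy is an unordered set of allow/deny rules where deny wins on conflict, and a cascade is a priority-ordered list of policies in which the first policy that says anything about a flow decides; the flows, users and hosts are constructed sample data.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """Constructed flow tuple; real FML keys on more fields (users, hosts, access points, protocol)."""
    src_user: str
    src_host: str
    dst_host: str
    proto: str

# A rule is (decision, condition); decisions are "allow" or "deny".
Rule = Tuple[str, Callable[[Flow], bool]]

def evaluate_policy(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Set semantics: collect every matching decision; deny overrides allow.
    Returns None when no rule in the policy says anything about the flow."""
    decisions = {decision for decision, cond in rules if cond(flow)}
    if "deny" in decisions:
        return "deny"
    if "allow" in decisions:
        return "allow"
    return None

def evaluate_cascade(policies: List[List[Rule]], flow: Flow, default: str = "deny") -> str:
    """Cascade: policies listed highest priority first; first non-None answer wins."""
    for rules in policies:
        decision = evaluate_policy(rules, flow)
        if decision is not None:
            return decision
    return default

def order_irrelevant(rules: List[Rule], flows: List[Flow]) -> bool:
    """Check that every permutation of a policy's rules yields the same decisions."""
    baseline = [evaluate_policy(rules, f) for f in flows]
    return all([evaluate_policy(list(p), f) for f in flows] == baseline
               for p in permutations(rules))

# Constructed sample policies (hypothetical names, not from the paper).
GENERAL_POLICY: List[Rule] = [
    ("allow", lambda f: f.proto == "http"),            # web traffic is allowed
    ("deny",  lambda f: f.dst_host == "finance-db"),   # nobody reaches finance-db
]
ADMIN_OVERRIDE: List[Rule] = [
    ("allow", lambda f: f.src_user == "alice" and f.dst_host == "finance-db"),
]
CASCADE = [ADMIN_OVERRIDE, GENERAL_POLICY]  # override outranks the general policy

SAMPLE_FLOWS = [
    Flow("alice", "laptop-1", "finance-db", "http"),  # allowed by the override
    Flow("bob",   "laptop-2", "finance-db", "http"),  # allow and deny both match: deny wins
    Flow("bob",   "laptop-2", "web-1",      "http"),  # only allow matches
    Flow("bob",   "laptop-2", "web-1",      "ssh"),   # no rule matches: cascade default
]
```

Within a single policy the rule order never changes the outcome, which is the order-irrelevance claim; the cascade reintroduces ordering only between whole policies, which is the point the first reviewer raises.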