Network Working Group M. Klyus Internet Draft NetCracker Intended status: Standard Track J. Strassner Expires: September 21, 2016 W. Liu G. Karagiannis Huawei Technologies J. Bi Tsinghua University Mar 21, 2016 SUPA Value Proposition draft-klyus-supa-value-proposition-00 Abstract Simplified Use of Policy Abstractions (SUPA) defines a set of rules that define how services are designed, delivered, and operated within an operator's environment independent of any one particular service or networking device. SUPA expresses policy rules using a generic policy information model, which serves as a unifying influence to enable different data model implementations to be simultaneously developed. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. Klyus, et al. Expires September 21, 2016 [Page 1] Internet-Draft SUPA - Proposition March 2016 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction...................................................3 1.1. Problem Statement.........................................4 1.2. Proposed Solution.........................................4 1.3. Value of the SUPA Approach ...............................5 2. Framework for Generic Policy-based Management..................6 2.1. Overview..................................................6 2.2. Operation.................................................8 2.3. The GPIM and the EPRIM ...................................9 2.4. Creation of Generic YANG Modules .........................9 3. Application of Generic Policy-based Management................10 3.1. ECA Examples.............................................10 4. Related Work..................................................11 4.1. Related Work within the IETF.............................11 4.1.1. I2RS Working Group..................................11 4.1.2. L3SM Working Group..................................11 4.1.3. ALTO Working Group..................................12 4.1.4. TEAS Working Group..................................12 4.1.5. BESS Working Group..................................12 4.1.6. SFC Working Group...................................13 4.1.7. NVO3 Working Group..................................13 4.1.8. ACTN BoF (IETF-90)..................................13 4.1.9. Previous IETF Policy Models.........................14 4.2. Related Work outside the IETF............................14 4.2.1. TM Forum............................................14 4.2.2. MEF.................................................15 4.2.3. Open Daylight.......................................15 4.2.4. Open Networking Foundation..........................16 4.2.5. OpenStack...........................................16 4.2.6. The NEMO Project (Not a BoF Yet)....................17 4.2.7. The Floodlight Project..............................17 4.2.8. The ONOS Project....................................17 5. Conclusions - Value of SUPA...................................17 6. Security Considerations.......................................18 7. IANA Considerations...........................................18 8. Contributors..................................................18 9. Acknowledgments...............................................18 Klyus, et al. Expires September 21, 2016 [Page 2] Internet-Draft SUPA - Proposition March 2016 10. References...................................................19 10.1. Informative References..................................19 Authors' Addresses ..............................................20 1. Introduction The rapid growth in the variety and importance of traffic flowing over increasingly complex enterprise and service provider network architectures makes the task of network operations and management applications and deploying new services much more difficult. In addition, network operators want to deploy new services quickly and efficiently. Two possible mechanisms for dealing with this growing difficulty are the use of software abstractions to simplify the design and configuration of monitoring and control operations and the use of programmatic control over the configuration and operation of such networks. Policy-based management can be used to combine these two mechanisms into an extensible framework. Policy rules can be used to express high-level network operator requirements directly, or from a set of management applications, to a network management or element system. The network management or element system can then control the configuration and/or monitoring of network elements and services. Simplified Use of Policy Abstractions (SUPA) will define a generic policy information model (GPIM) [SUPA-info-model] for use in network operations and management applications. The GPIM defines concepts and terminology needed by policy management indepednent of the form and content of the policy rule. The ECA Policy Rule Information Model (EPRIM) [SUPA-info-model] extends the GPIM to define how to build policy rules according to the event-condition-action paradigm. Both the GPIM and the EPRIM are targeted at controlling the configuration and monitoring of network elements throughout the service development and deployment lifecycle. The GPIM and the EPRIM will both be translated into corresponding YANG [RFC6020] modules that define policy concepts, terminology, and rules in a generic and interoperable manner; additional YANG modules may also be defined from the GPIM and/or EPRIM to manage specific functions. The key benefit of policy management is that it enables different network elements and services to be instructed to behave the same way, even if they are programmed differently. Management applications will benefit from using policy rules that enable scalable and consistent programmatic control over the configuration and monitoring of network elements and services. Klyus, et al. Expires September 21, 2016 [Page 3] Internet-Draft SUPA - Proposition March 2016 1.1. Problem Statement Network operators must construct networks of increasing size and complexity in order to improve their availability and quality, as more and more business services depend on them. Currently, different technologies and network elements require different forms of the same policy that governs the production of network configuration snippets. The power of policy management is its applicability to many different types of systems, services, and networking devices. This provides significant improvements in configuration agility, error detection, and uptime for operators. Many different types of actors can be identified that can use a policy management system, including applications, end-users, developers, network administrators, and operators. Each of these actors typically has different skills and uses different concepts and terminologies. For example, an operator may want to express that only Platinum and Gold users can use streaming and interactive multimedia applications. As a second example, an operator may want to define a more concrete policy rule that looks at the number of dropped packets. If, for example, this number exceeds a certain threshold value, then the applied queuing, dropping and scheduling algorithms could be changed in order to reduce the number of dropped packets. The power of SUPA is that both of these examples may be abstracted. For example, in the latter example, different thresholds and algorithms could be defined for different classes of service. 1.2. Proposed Solution SUPA enables network operators to express policies to control network configuration and monitoring data models in a generic manner. The configuration and monitoring processes are independent of device, as well as domain or type of application, and result in configuration according to YANG data models. Both of the examples in section 1.1 can be referred to as "policy rules", but they take very different forms, since they are defined at different levels of abstraction and likely authored by different actors. The first example described a very abstract policy rule, and did not contain any technology-specific terms, while the second example included more concrete policy rules and likely used technical terms of a general (e.g., IP address range and port numbers) as well as vendor-specific nature (e.g., specific algorithms implemented in a particular device). Furthermore, these two policy rules could affect each other. For example, Gold and Platinum users might need different device configurations to give the proper QoS markings to their streaming multimedia traffic. This is very difficult to do if a common policy framework does not exist. Klyus, et al. Expires September 21, 2016 [Page 4] Internet-Draft SUPA - Proposition March 2016 Note that SUPA is not limited to any one type of technology. While the above two policies could be considered "QoS" policies, other examples include: - network elements must not accept passwords for logins - all SNMP agents in this network must drop all SNMP traffic unless it is originating from, or targeting, the management network - Periodically perform workload consolidation if average CPU utilization falls below X% The above three examples are not QoS related; this emphasizes the utility of the SUPA approach in being able to provide policies to control different types of network element configuration and/or monitoring snippets. There are many types of policies. SUPA differentiates between "management policies" and "embedded policies". Management policies are used to control the configuration of network elements. Management policies can be interpreted externally to network elements, and the interpretation typically results in configuration changes of collections of network elements. In contrast, "embedded policies" are policies that are embedded in the configuration of network elements, and are usually interpreted on network elements in isolation. Since embedded policies are interpreted in the network device, they are typically composed in a very specific fashion to run at near-realtime timescales. 1.3. Value of the SUPA Approach SUPA will achieve an optimization and reduction in the amount of work required to define and implement policy-based data models in the IETF. This is due to the generic and extensible framework provided by SUPA. SUPA defines policy independent of where it is located. Other WGs are working on embedding policy in the configuration of a network element; SUPA is working on defining policies that can be interpreted external to network elements (i.e., management policies). Hence, SUPA policies can be used to define the behavior of and interaction between embedded policies. Since the GPIM defines common policy terminology and concepts, it can be used to both define more specific policies as part of a data model as well as derive a (more abstract) information model from a (more specific) data model. Klyus, et al. Expires September 21, 2016 [Page 5] Internet-Draft SUPA - Proposition March 2016 This latter approach may be of use in discovering common structures that occur in data models that have been designed in isolation of each other. The SUPA policy framework defines a set of consistent, flexible, and scalable mechanisms for monitoring and controlling resources and services. It may be used to create a management and operations interface that can enable existing IETF data models, such as those from I2RS and L3SM, to be managed in a unified way that is independent of application domain, technology and vendor. Resource and service management become more effective, because policy defines the context that different operations, such as configuration and monitoring, are applied to. 2. Framework for Generic Policy-based Management This section briefly describes the design and operation of the SUPA policy-based management framework. 2.1. Overview Figure 1 shows a simplified functional architecture of how SUPA is used to define policies for creating network element configuration and monitoring snippets. SUPA uses the GPIM to define a consensual vocabulary that different actors can use to interact with network elements and services. The EPRIM defines a generic structure for imperative policies. The GPIM, as well as the combination of the GPIM and EPRIM, are converted to generic YANG data modules. The IETF produces the modules, and IANA is used to register the module and changes to it. In the preferred approach, SUPA generic policy data modules are then used to create vendor- and technology-specific data models. These define the specific elements that will be controlled by policies. The Policy Interface uses this information to create appropriate input mechanisms for the operator to define policies (e.g., a web form or a script) for creating and managing the network configuration. The operator interacts with the interface, which is then translated to configuration snippets. Note that the policy interface is NOT being designed in SUPA. In one of possibly several alternate approaches (shown with asterisks in Figure 1), the SUPA generic policy YANG data modules contain enough information for the Policy Interface to create appropriate input mechanisms for the operator to define policies. This transfers the work of building vendor- and technology-specific data models to the SUPA Data Model-Specific Translation Function. In either case, the output may then either be used as is, or goals through a subsequent set of transformations before it is ready to be consumed by the target device or management system. Klyus, et al. Expires September 21, 2016 [Page 6] Internet-Draft SUPA - Proposition March 2016 +---------------------+ +----------+ \| SUPA Generic Policy | | IETF |---+----| Information Model | +----------+ | /| | | +---------+-----------+ | | Assignments | | Defines Policy Concepts and Manage | | Content | \|/ | +---------+-----------+ Preferred | \| SUPA GPIM and EPRIM | Approach +----| Generic YANG |------------+ /| Data Modules | | +---------+-----------+ | * | * Possible | * Approach | * | +--------------------------------+------------------------+---------+ | Management System * | | | * | | | \*/ \|/ | | Fills +----------+----------+ +--------|------+ | | +--------+ Forms \| Policy Interface |/ |Technology and | | | |Operator|----------| (locally defined +----|Vendor-specific| | | +--------+ Runs /| forms, scripts,...) |\ | Data Models | | | Scripts +----------+----------+ +-------+-------+ | | /| \ | | | | | | Produces Policy Rules | | | | | \|/ | | +----------+--------+ | | | Policy Management | | | | Functions | | | +----------+--------+ | | | | | | | | +---------------------+ | | Optional Additional | | | | Transformation \|/ \|/ | | +---------------+-------+ +-------+--------+ | | Local SUPA | YANG-to-device and/or | \| Local Devices | | | Execution | Technology-Specific +-----+ and Management | | | Environment | Translation Functions | /| Systems | | | +-----------------------+ +----------------+ | | | +-------------------------------------------------------------------+ Figure 1. SUPA Framework Klyus, et al. Expires September 21, 2016 [Page 7] Internet-Draft SUPA - Proposition March 2016 Figure 1 is exemplary. The Operator actor shown in Figure 1 can interact with SUPA in other ways not shown in Figure 1. In addition, other actors (e.g., an application developer) that can interact with SUPA are not shown for simplicity. The EPRIM defines an Event-Condition-Action (ECA) policy as an example of imperative policies. An ECA policy rule is activated when its event clause is true; the condition clause is then evaluated and, if true, signals the execution of one or more actions in the action clause. Imperative policy rules require additional management functions, which is explained in section 2.2 below. 2.2. Operation SUPA can be used to define various types of policies, including policies that affect services and/or the configuration of individual or groups of network elements. SUPA can be used by a centralized and/or distributed set of entities for creating, managing, interacting with, and retiring policy rules. The duties of the Policy Management Function (PMF) depend on the type and nature of policies being used. For example, imperative (e.g., ECA) policies require conflict detection and resolution, while declarative policies do not. A short exemplary list of functions that are common to many types of policies include: o policy creation, update, delete, and view functions (typically in conjunction with policy repositories) o policy storage, search, and retrieval (typically uses distributed repositories that the PMF communicates with) o policy distribution (typically uses a message bus; note that this involves requesting and responding to requests for policy decisions as well as distributing policies and informing interested entities of policy results) o making policy decisions (this SHOULD include more than the simple Policy Decision Point function defined in [RFC3198]) o executing policy decisions (this SHOULD include more than the simple Policy Enforcement Point functions defined in [RFC3198]) o validating that the execution of the policy produced what was expected (this is NOT defined in [RFC3198]). An exemplary architecture that illustrates these concepts is shown in [TR235]. The SUPA scope is limited to policy information and data models. SUPA will not define network resource data models or network service data models; both are out of scope. Instead, SUPA will make use of network resource data models defined by other WGs or SDOs. Klyus, et al. Expires September 21, 2016 [Page 8] Internet-Draft SUPA - Proposition March 2016 Declarative policies that specify the goals to achieve but not how to achieve those goals (also called "intent-based" policies) are out of scope for the initial phase of SUPA. 2.3. The GPIM and the EPRIM The GPIM provides a common vocabulary for representing concepts that are common to expressing different types of policy, but which are independent of language, protocol, repository, and level of abstraction. This enables different policies at different levels of abstraction to form a continuum, where more abstract policies can be translated into more concrete policies, and vice-versa. For example, the information model can be extended by generalizing concepts from an existing data model into the GPIM; the GPIM extensions can then be used by other data models. The SUPA working group develops models for expressing policy at different levels of abstraction. Specifically, two models are envisioned (both of which are contained in the Generic Policy Information Model block in Figure 1: (i) a generic model (the GPIM) that defines concepts and vocabulary needed by policy management systems independent of the form and content of the policy (ii) a more specific model (the EPRIM) that refines the GPIM to specify policy rules in an event-condition-action form 2.4. Creation of Generic YANG Modules An information model is abstract. As such, it cannot be directly instantiated (i.e., objects cannot be created directly from it). Therefore, both the GPIM, as well as the combination of the GPIM and the EPRIM, are translated to generic YANG modules. SUPA will provide guidelines for translating the GPIM (or the combination of the GPIM and the EPRIM) into concrete YANG data models that define how to manage and communicate policies between systems. Multiple imperative policy YANG data models may be instantiated from the GPIM (or the combination of the GPIM and the EPRIM). In particular, SUPA will specify a set of YANG data models that will consist of a base policy model for representing policy management concepts independent of the type or structure of a policy, and as well, an extension for defining policy rules according to the ECA paradigm. The process of developing the GPIM, EPRIM and the derived/translated YANG data models is realized following the sequence shown below. After completing this process and if the implementation of the YANG data models requires it, the GPIM and EPRIM and the derived/translated YANG data models are updated and synchronized. (1)=>(2)=>(3)=>(4)=>(3')=>(2')=>(1') Where, (1)=GPIM; (2)=EPRIM; (3)YANG data models; (4) Implementation; (3')= update of YANG data models; (2')=update of EPRIM; (1') = update of GPIM The YANG module derived from the GPIM contains concepts and terminology for the common operation and administration of policy-based systems, as well as an extensible structure for policy rules of different paradigms. The YANG module derived from the EPRIM extends the generic nature of the GPIM to represent policies using an event-condition-action structure. Klyus, et al. Expires September 21, 2016 [Page 9] Internet-Draft SUPA - Proposition March 2016 3. Application of Generic Policy-based Management This section provides examples of how SUPA can be used to define different types of policies. Examples applied to various domains, including system management, operations management, access control, routing, and service function chaining, are also included. 3.1. ECA Examples ECA policies are rules that consist of an event clause, a condition clause, and an action clause. Network Service Management Example Event: too many interface alarms received from an L3VPN service Condition: alarms resolve to the same interface within a specified time period Action: if error rate exceeds x% then put L3VPN service to Error State and migrate users to one or more new L3VPNs Security Management Example Event: anomalous traffic detected in network Condition: determine the severity of the traffic Action: apply one or more actions to affected NEs based on the type of the traffic detected (along with other factors, such as the type of resource being attacked if the traffic is determined to be an attack) Traffic Management Examples Event: edge link close to being overloaded by incoming traffic Condition: if link utilization exceeds Y% or if link utilization average is increasing over a specified time period Action: change routing configuration to other peers that have better metrics Event: edge link close to be overloaded by outgoing traffic Condition: if link utilization exceeds Z% or if link utilization average is increasing over a specified time period Action: reconfigure affected nodes to use source-based routing to balance traffic across multiple links Klyus, et al. Expires September 21, 2016 [Page 10] Internet-Draft SUPA - Proposition March 2016 Service Management Examples Event: alarm received or periodic time period check Condition: CPU utilization level comparison Action: no violation: no action violation: 1) determine workload profile in time interval 2) determine complementary workloads (e.g., whose peaks are at different times in day) 3) combine workloads (e.g., using integer programming) Event: alarm received or periodic time check Condition: if DSCP == AFxy and throughput < T% or packet loss > P% Action: no: no action yes: remark to AFx'y'; reconfigure queuing; configure shaping to S pps; ... Note: it is possible to construct an ECA policy rule that is directly tied to configuration parameters. 4. Related Work 4.1. Related Work within the IETF 4.1.1. I2RS Working Group I2RS defines an interface that interacts with the routing system using a collection of protocol-based control or management interfaces. Users of I2RS interfaces are typically management applications and controllers. SUPA does not directly interface to the routing system. Rather, SUPA uses data produced by I2RS (e.g., topological information) to construct its policies. 4.1.2. L3SM Working Group L3SM defines an L3 VPN service model that can be used for communication between customers and network operators. This model enables an orchestration application or customers to request network services provided by L3 VPN technologies. The implementation of network services is often guided by specific policies, and SUPA provides a tool that can help with the mapping of L3 VPN service requests to L3 VPN configurations of network elements. Klyus, et al. Expires September 21, 2016 [Page 11] Internet-Draft SUPA - Proposition March 2016 4.1.3. ALTO Working Group The ALTO working group defined an architecture for exposing topology information, more specifically the cost of paths through an infrastructure, as defined in [RFC7285]. ALTO services are able to provide network maps defined as groups of endpoints, and can therefore represent any granularity of network, from the physical to groups of networks following similar paths or restraints. Although this model can represent different levels of granularities, it is not clear if it could be adapted easily for other purposes than providing cost maps in the context of ALTO. The ALTO model is meant to be used outside of the trust domain of an ISP by external clients. SUPA does not generate data that is similar to ALTO. Rather, SUPA could use ALTO data as part of its policies to configure services and/or resources. 4.1.4. TEAS Working Group The Traffic Engineering Architecture and Signaling (TEAS) working group is responsible for defining MPLS- and GMPLS-based Traffic Engineering architectures that enable operators to control how specific traffic flows are treated within their networks. It covers YANG models for a traffic engineering database. In coordination with other working groups (I2RS) providing YANG models for network topologies. Both TEAS and SUPA use YANG data models. SUPA does not generate traffic engineering (TE) data. However, SUPA could use TE data as part of its policies for configuring resources and/or services. SUPA could also define policies that define which service, path, and link properties to use for a given customer, and consequently, which protocol extensions to use. TEAS data could also be used to enable operators to define how particular traffic flows are treated in a more abstract (but still consistent) manner. 4.1.5. BESS Working Group The BGP Enabled Services (BESS) working group defines and extends network services that are based on BGP. This includes BGP/MPLS IP provider-provisioned L3VPNs, L2VPNs, BGP-enabled VPN solutions for use in data center networking, and extensions to BGP-enabled solutions to construct virtual topologies in support of services such as Service Function Chaining. The working group is also chartered to work on BGP extensions to YANG models and data models for BGP-enabled services. Klyus, et al. Expires September 21, 2016 [Page 12] Internet-Draft SUPA - Proposition March 2016 Both BESS and SUPA use YANG data models. SUPA could generate BGP configurations by using data defined by BESS as part of its policies for configuring resources and/or services. SUPA could also define policies that govern different aspects of services defined by BESS. 4.1.6. SFC Working Group The Service Function Chaining (SFC) working group defines a mechanism where traffic is classified; that classification is then use to select an ordered set of services to pass the traffic through. Both SFC and SUPA use YANG data models. SUPA could define policies that augment the functionality of SFC in several different ways, including: (1) path selection based on context, (2) which set of mechanisms to use to steer traffic through which set of service functions, (3) simplify the definition of dynamic service function chains (e.g., service paths that change based upon a set of data that is discovered at runtime), and (4) scalable mechanisms to monitor and control the configuration of SFC components. 4.1.7. NVO3 Working Group The NVO3 group proposes a way to virtualize the network edge for data centers in order to be able to move virtual instances without impacting their network configuration. This is realized through a centrally controlled overlay layer-3 network. The NVO3 work is not about defining policy information; rather, it uses policy information to perform some functions. Both NVO3 and SUPA use YANG data models. SUPA could define policies that define how the logically centralized network virtualization management entity (or entities) of NVO3 behave (e.g., the functions in the network virtualization control plane). 4.1.8. ACTN BoF (IETF-90) The ACTN proposed work, as described in [actn] framework, has two main goals, the abstraction of multiple optical transport domains into a single controller offering a common abstract topology, and the splitting of that topology into abstract client views that are usually a fraction of the complete network. The ACTN work is therefore about unification of several physical controllers into a virtual one, and also about the segmentation, isolation and sharing of network resources. The ACTN work is not about defining policy information. Both ACTN and SUPA use YANG data models. SUPA could define policies that define the behavior of the controller. Klyus, et al. Expires September 21, 2016 [Page 13] Internet-Draft SUPA - Proposition March 2016 4.1.9. Previous IETF Policy Models SUPA is technology-neutral, previous RFCs weren't. SUPA defines a common structure from which ECA policies can be defined; this was not possible in previous RFCs. Previous RFCs do NOT define metadata, and do NOT enable policies to formally define obligation, permission, and related concepts. Finally, SUPA uses software patterns, which previous RFCs didn't. A more complete analysis is in Appendix A of [SUPA-info-model]. 4.2. Related Work outside the IETF 4.2.1. TM Forum The TM Forum (a.k.a., the TeleManagement Forum) develops standards and best practices, research, and collaborative programs focused on digital business transformation. It consists of three major programs: 1) Agile Business and IT 2) Customer Centricity (experience) 3) Open Digital Ecosystem Of these, the ZOOM (Zero-touch Orchestration, Operations, and Management) project, located in the Agile Business and IT project, is the main sub-project in this area that is of interest to SUPA. Within ZOOM, the Foundational Studies project contains work on an information model and management architecture that are directly relevant to SUPA. The TMF Information Model, Policy, and Security working groups are involved in this work. The ZOOM information model updates the existing Shared Information and Data (SID) information model to add support for the management of physical and virtual infrastructure, event- and data-driven systems, policy management (architecture and model), metadata for describing and prescribing behavior that can support changes at runtime, and access control. The policy information model defines imperative (ECA), declarative (intent- based), utility function, and promise policies. The work in [SUPA-info-model] is based on, but extends and enhances, the ZOOM ECA model and provides additional detail not currently present in ZOOM. There is currently no plan to use the utility function and promise policies of ZOOM in SUPA. Finally, it should be noted that the data model work planned for SUPA is not currently planned for the ZOOM project. Klyus, et al. Expires September 21, 2016 [Page 14] Internet-Draft SUPA - Proposition March 2016 4.2.2. MEF The MEF (originally named the Metro Ethernet Forum) develops architecture, service and management specifications related to Carrier Ethernet (CE). The CE architecture includes the definition of several interfaces specific to CE like the User Network Interface (UNI) and External Network Network Interface (ENNI). Specifications developed in this space include the definitions of CE services, CE service attributes, Ethernet Access Services, Class of Service, OAM and Management interfaces, Service Activation and Test. The more recent vision of the MEF is described as The Third Network, and includes plans to develop Lifecycle Service Orchestration with APIs for existing network, NFV, and SDN implementations enabling Agile, Assured, and Orchestrated Services. This stage of the MEF activity is now in early phases with focus on architectural work. The MEF has developed a number of Information and Data Models, and has recently started a project that uses YANG to model and manage the services defined by the MEF. While the MEF has created rigorous definitions of these services, they are specific to transport technology, and they do not currently include and rely on policies. 4.2.3. Open Daylight Open Daylight network controller implements a number of models through its service abstraction Layer (MD-SAL) based on draft IETF Yang models. Open Daylight is an open source project. Two of these could be relevant to SUPA in the future (since they both are focused on declarative policies, which are currently out of scope for SUPA) and are described below. 4.2.3.1. Network Intent Composition (NIC) The Network Intent Composition project aims at providing better flexibility by using declarative policies. It does not cover other types of policies, such as ECA policy rules. The intent- based interface aims to provide a high level of abstraction, primarily for use by an application developer. Its progress has recently stalled. 4.2.3.2. Group Based Policy The Group Based Policy project defines an application-centric policy model for Open Daylight that separates information about application connectivity requirements from information about the underlying details of the network infrastructure. The model is positioned as declarative, but uses a relational approach to specifying policy. It does not cover other types of policies, such as ECA policy rules. Klyus, et al. Expires September 21, 2016 [Page 15] Internet-Draft SUPA - Proposition March 2016 4.2.4. Open Networking Foundation The ONF created a group responsible of defining northbound interfaces, but this hasn't lead to the publication of standards in this area so far. A blog entry on the ONF web site showed an interest in using the principle of intents at ONF, but no details were provided on the status of this project. A members-only whitepaper was recently published. 4.2.5. OpenStack OpenStack software controls large pools of compute, storage, and networking resources throughout a datacenter, managed through a dashboard or via the OpenStack API. OpenStack works with popular enterprise and open source technologies making it ideal for heterogeneous infrastructure. Few of the below mentioned OpenStack projects provides policy abstraction and better flexibility to the user. 4.2.5.1. Group-Based Policy The Group-Based Policy project for OpenStack Neutron is built around entities assembled in Endpoints Groups (EPG) that provide or consume Contracts. Such Contracts are hierarchical entities containing policy rules. A first version was released in January 2015, based on the Juno release. This type of approach is more relational than declarative, but could be used to describe a large amount of possible scenarios. It has the advantage of providing a relatively simple policy model that covers a large applicability. From an OpenStack point of view, the scope of Group-Based Policies is limited to networking within the Neutron module. Note that other types of policies, such as ECA policies, are not covered in Group-Based Policy. 4.2.5.2. Congress The Congress project within OpenStack provides a way to define complex policies using extensions to the Datalog language. Datalog is entirely declarative, and its evaluation is based on first-order logic with restrictions. This gives it interesting properties, such as providing the same result no matter the order in which the statements are made. The language allows for the definition of types and for active enforcement or verification of the policies. However, it does not cover ECA policies. There is a significant body of knowledge and experience relating to declarative languages and their implementation. Congress policies aim at manipulating objects exposed by multiple OpenStack modules, and is therefore larger in scope than network element policies. Klyus, et al. Expires September 21, 2016 [Page 16] Internet-Draft SUPA - Proposition March 2016 4.2.6. The NEMO Project (not a BoF yet) The NEMO project is a research activity aimed at defining a simple framework for "intent-based" networking. This project concentrates on creating a domain-specific language and associated API, not a model or even a rigorous definition of what a policy rule is. NEMO does not define ECA policies. The NEMO syntax defines a very simple information model that has three basic elements for network manipulation: nodes, links, and flows. A policy rule is NOT defined in this model. Rather, policy is defined as a command. The NEMO project has been successfully demonstrated at IETF-91, along with a companion graphical user interface. NEMO declarative policies use a flatter, simpler object model with fewer objects to represent targets of policy. NEMO uses a condition- action paradigm to execute its declarative policies. In contrast, SUPA uses a richer class model to represent ECA policies. However, SUPA has not proposed a language. 4.2.7. The Floodlight Project The Floodlight is an OpenFlow-enabled SDN controller. It uses another open source project called Indigo to support OpenFlow and manage southbound devices. The Indigo agent also supports an abstraction layer to make it easy to integrate with physical and virtual switches. It supports configuration of an abstraction layer so that it can configure OpenFlow in hybrid mode. 4.2.8. The ONOS Project The ONOS is an SDN controller design for Service Provider networks. It uses a distributed architecture, and supports abstraction for both southbound and northbound interfaces. Its modules are managed as OSGi bundles. It is an open source project. ONOS announced an "application-intent framework". However, no object model or language has been defined yet. 5. Conclusions: the Value of SUPA SUPA can be used to define high-level, possibly network-wide policies to create interoperable network element configuration snippets. SUPA expresses policies and associated concepts using a generic policy information model, and produces generic policy YANG data modules. SUPA focuses on management policies that control the configuration of network elements. Management policies can be interpreted outside of network elements, and the interpretation typically results in configuration changes to collections of network elements. Klyus, et al. Expires September 21, 2016 [Page 17] Internet-Draft SUPA - Proposition March 2016 Policies embedded in the configuration of network elements are not in the scope of SUPA. In contrast to policies targeted by SUPA, embedded policies are usually interpreted on network elements in isolation, and often at timescales that require the representation of embedded policies to be optimized for a specific purpose. The SUPA information model generalizes common concepts from multiple technology-specific data models, and makes it reusable. Conceptually, SUPA can be used to interface and manage existing and future data models produced by other IETF working groups. In addition, by defining an object-oriented information model with metdata, the characteristics and behavior of data models can be better defined. 6. Security Considerations TBD. 7. IANA Considerations This document has no actions for IANA. 8. Contributors The following people all contributed to creating this document, listed in alphabetical order: Vikram Choudhary, Huawei Technologies Luis M. Contreras, Telefonica I+D Dan Romascanu, Avaya J. Schoenwaelder, Jacobs University, Germany Qiong Sun, China Telecom Parviz Yegani, Juniper Networks 9. Acknowledgments This document has benefited from reviews, suggestions, comments and proposed text provided by the following members, listed in alphabetical order: H. Rafiee, J. Saperia and C. Zhou. The initial draft of this document merged one document, and this section lists the acknowledgements from it. From Problem Statement for Simplified Use of Policy Abstractions (SUPA)" [Karagiannis2015] Klyus, et al. Expires September 21, 2016 [Page 18] Internet-Draft SUPA - Proposition March 2016 The authors of this draft would like to thank the following persons for the provided valuable feedback and contributions: Diego Lopez, Spencer Dawkins, Jun Bi, Xing Li, Chongfeng Xie, Benoit Claise, Ian Farrer, Marc Blancet, Zhen Cao, Hosnieh Rafiee, Mehmet Ersue, Simon Perreault, Fernando Gont, Jose Saldana, Tom Taylor, Kostas Pentikousis, Juergen Schoenwaelder, John Strassner, Eric Voit, Scott O. Bradner, Marco Liebsch, Scott Cadzow, Marie-Jose Montpetit. Tina Tsou, Will Liu and Jean-Francois Tremblay contributed to an early version of this draft. The authors of "Problem Statement for Simplified Use of Policy Abstractions (SUPA)" [Karagiannis2015] were: Georgios Karagiannis Qiong Sun Luis M. Contreras Parviz Yegani John Strassner Jun Bi 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 10.2. Informative References [RFC3198] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J., Waldbusser, S., "Terminology for Policy-Based Management", RFC 3198, November, 2001 [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. [RFC7285] R. Alimi, R. Penno, Y. Yang, S. Kiesel, S. Previdi, W. Roome, S. Shalunov, R. Woundy "Application-Layer Traffic Optimization (ALTO) Protocol", September 2014 [SUPA-info-model] J. Strassner, J. Halpern, J. Coleman, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", IETF Internet draft, draft-strassner-supa-generic-policy- info-model-04, February 2016 [TR235] J. Strassner, ed., "ZOOM Policy Architecture and Information Model Snapshot", TR245, part of the TM Forum ZOOM project, October 26, 2014 [Karagiannis2015] G. Karagiannis, ed., "Problem Statement for Simplified Use of Policy Abstractions (SUPA)", IETF Internet draft, draft-karagiannis-supa-problem-statement-07, June 5, 2015 Klyus, et al. Expires September 21, 2016 [Page 19] Internet-Draft SUPA - Proposition March 2016 Authors' Addresses Maxim Klyus, Ed. NetCracker Kozhevnicheskaya str.,7 Bldg. #1 Moscow, Russia E-mail: klyus@netcracker.com John Strassner, Ed. Huawei Technologies 2330 Central Expressway Santa Clara, CA 95138 USA Email: john.sc.strassner@huawei.com Will(Shucheng) Liu Huawei Technologies Bantian, Longgang District, Shenzhen 518129 P.R. China Email: liushucheng@huawei.com Georgios Karagiannis Huawei Technologies Hansaallee 205, 40549 Dusseldorf Germany Email: Georgios.Karagiannis@huawei.com Jun Bi Tsinghua University Network Research Center, Tsinghua University Beijing 100084 P.R. China Email: junbi@tsinghua.edu.cn Klyus, et al. Expires September 21, 2016 [Page 20]