path: root/docs/design/architecture/architecture.rst
blob: aca32d2eb82a60b7b4eade0eb225adc3e1785bce (plain)
..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.

 http://creativecommons.org/licenses/by/3.0/legalcode

===================
Policy Architecture
===================

.. NOTE::
   This is a working document through which general aspects of a policy 
   architecture are analyzed.

This document records the development of policy architecture design goals for 
the OPNFV Copper project. 

Document Version 20150514.1

Definitions
===========

+-------+--------------------------------------------------------------+
| Term  | Meaning                                                      |
+=======+==============================================================+
| State | Information that can be used to convey or imply the state of |
|       | something, e.g. an application, resource, entity, etc. This  |
|       | can include data held inside OPNFV components, "events" that |
|       | have occurred (e.g. "policy violation"), etc.                |
+-------+--------------------------------------------------------------+
| Event | An item of significance to the policy engine, for which the  |
|       | engine has become aware through some method of discovery e.g.|
|       | polling or notification.                                     |
+-------+--------------------------------------------------------------+

=====================
Architectural Concept
=====================

The following example diagram illustrates a "relationship diagram" type view of an NFVI platform, showing the roles of components focused on policy management, services, and infrastructure. The view illustrates that a large-scale NFVI deployment may use multiple components of the same "type" (e.g. SDN controller), each fulfilling a specific purpose for which it is optimized. For example, a global SDN controller and cloud orchestrator can act as directed by a service orchestrator in provisioning VNFs per the expressed intent, while various components at the local and global level handle policy-related events directly and/or feed them back through a closed-loop policy design that responds as needed, directly or through the service orchestrator.
 
.. image:: images/policy_architecture.png
   :width: 700 px
   :alt: policy_architecture.png
   :align: center

(source of the diagram above: https://wiki.opnfv.org/_media/copper/copper_work_items/policy_architecture.pptx)

=====================
Architectural Aspects
=====================

  * Policies are reflected in two high-level goals

    * Ensure resource requirements of VNFs are applied per VNF designer, service, and tenant intent
    * Ensure that generic policies are not violated, e.g. *networks connected to VMs must either be public or owned by the VM owner*

  * Policies are distributed through two main means

    * As part of VNF packages, customized if needed by Service Design tools, expressing the intent of the VNF designer and service provider, and possibly customized or supplemented by service orchestrators per the intent of specific tenants
    * As generic policies provisioned into VIMs (SDN controllers and cloud orchestrators), expressing the intent of the service provider regarding which states/events need to be policy-governed independently of specific VNFs

  * Policies are applied locally and in closed-loop systems, per the capabilities of the local policy enforcer and the impact of the related state/event conditions

    * VIMs should be able to execute most policies locally
    * VIMs may need to pass policy-related state/events to a closed-loop system where those events are relevant to other components in the architecture (e.g. the service orchestrator), or where additional data/arbitration is needed to resolve the state/event condition

  * Policies are localized as they are distributed/delegated

    * High-level policies (e.g. expressing "intent") can be translated into VNF package elements or generic policies, perhaps using distinct syntaxes
    * Delegated policy syntaxes are likely VIM-specific, e.g. Datalog (Congress), YANG (ODL-based SDNC), or other schemas specific to other SDNCs (Contrail, ONOS)

  * Closed-loop policy and VNF-lifecycle event handling are *somewhat* distinct

    * Closed-loop policy is mostly about resolving conditions that can't be handled locally, but as above in some cases the conditions may be of relevance to the service orchestrator and are either delivered to it directly or forwarded
    * VNF-lifecycle events that can't be handled by the VIM locally are delivered directly to the service orchestrator

  * Some events/analytics need to be collected into a more "open-loop" system which can enable other actions, e.g.

    * audits and manual interventions
    * machine-learning focused optimizations of policies (largely a future objective)

Issues to be investigated as part of establishing an overall cohesive/adaptive policy architecture:

  * For the various components which may fulfill a specific purpose, what capabilities (e.g. APIs) do they have/need to

    * handle events locally
    * enable closed-loop policy handling components to subscribe to/optimize the policy-related events that are of interest

  * For global controllers and cloud orchestrators

    * How do they support correlation of events impacting resources in different scopes (network and cloud)?
    * What event/response flows apply to the various policy use cases?

  * What specific policy use cases can/should fall into each overall class

    * locally handled by NFVI components
    * handled by a closed-loop policy system, either VNF/service-specific or VNF-independent

============
Requirements
============

General requirements for a policy architecture are below, with an assessment of the current state of support for these across major OPNFV components (1=poor, 5=excellent).

  1. Polled monitoring: Exposure of state via request-response APIs.
  2. Notifications: Exposure of state via pub-sub APIs.
  3. Realtime/near-realtime notifications: Notifications that occur in actual or near realtime.
  4. Delegated policy: CRUD operations on policies that are distributed to specific components for local handling, including one/more of monitoring, violation reporting, and enforcement.
  5. Violation reporting: Reporting of conditions that represent a policy violation.
  6. Reactive enforcement: Enforcement actions taken in response to policy violation events.
  7. Proactive enforcement: Enforcement actions taken in advance of policy violation events, e.g. blocking actions that could result in a policy violation.
  8. Compliance auditing: Periodic auditing of state against policies.

Table 1: Assessment of NFVI VIM Support for General Requirements  

+---+------------------------------------+------------------------------------+
| # |            OpenStack               |            OpenDaylight            |
+===+====================================+====================================+
| 1 |                                    |                                    |
+---+------------------------------------+------------------------------------+
| 2 |                                    |                                    |
+---+------------------------------------+------------------------------------+
| 3 |                                    |                                    |
+---+------------------------------------+------------------------------------+
| 4 |                                    |                                    |
+---+------------------------------------+------------------------------------+
| 5 |                                    |                                    |
+---+------------------------------------+------------------------------------+
| 6 |                                    |                                    |
+---+------------------------------------+------------------------------------+
| 7 |                                    |                                    |
+---+------------------------------------+------------------------------------+
| 8 |                                    |                                    |
+---+------------------------------------+------------------------------------+
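The following is an added illustration, not Copper project code and not the real policy syntax of any VIM (Congress would express this in Datalog, an ODL-based SDNC in YANG). It models the generic policy quoted under Architectural Aspects, *networks connected to VMs must either be public or owned by the VM owner*, as one delegated rule held by a VIM-local enforcer, and exercises requirements 1, 2, 4, 5, 6, 7 and 8 from the list above against a constructed snapshot of VIM state. The state model (``vms``, ``networks``, ``ports``), the ``LocalPolicyEnforcer`` class and the event format are assumptions chosen for the example; the sample data is constructed, and contains one deliberate violation (a tenant2 VM attached to tenant1's private network).

```python
"""Added illustration of requirements 1-8 against the page's generic policy:
"networks connected to VMs must either be public or owned by the VM owner".
The state model, policy store and event format are assumptions made for
this document; this is not Congress Datalog, an OpenStack/OpenDaylight API,
or Copper project code."""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample of VIM state as obtained by polling (requirement 1).
# vm-b (tenant2) is attached to net-t1, a private network owned by tenant1.
SAMPLE_STATE = {
    "vms": {"vm-a": {"owner": "tenant1"}, "vm-b": {"owner": "tenant2"}},
    "networks": {
        "net-pub": {"owner": "admin", "public": True},
        "net-t1": {"owner": "tenant1", "public": False},
        "net-t2": {"owner": "tenant2", "public": False},
    },
    "ports": [("vm-a", "net-t1"), ("vm-a", "net-pub"), ("vm-b", "net-t1")],
}

Violation = Tuple[str, str, str]          # (policy name, vm, network)
Rule = Callable[[dict, str, str], bool]   # True when (vm, network) violates


def network_ownership_rule(state: dict, vm: str, net: str) -> bool:
    """The page's example generic policy as one delegated rule: a violation is
    a VM attached to a network that is neither public nor owned by the VM's
    owner."""
    network = state["networks"][net]
    return not network["public"] and network["owner"] != state["vms"][vm]["owner"]


@dataclass
class LocalPolicyEnforcer:
    """Hypothetical VIM-local enforcer: holds delegated policies (req. 4) and
    offers auditing, pub-sub notification and reactive/proactive enforcement."""
    rules: Dict[str, Rule] = field(default_factory=dict)
    subscribers: List[Callable[[dict], None]] = field(default_factory=list)

    # Requirement 4: CRUD on delegated policies.
    def add_policy(self, name: str, rule: Rule) -> None:
        self.rules[name] = rule

    def delete_policy(self, name: str) -> None:
        self.rules.pop(name, None)

    # Requirements 2/3: pub-sub delivery of policy events to closed-loop consumers.
    def subscribe(self, callback: Callable[[dict], None]) -> None:
        self.subscribers.append(callback)

    def _notify(self, event: dict) -> None:
        for callback in self.subscribers:
            callback(event)

    # Requirements 5 and 8: evaluate every delegated policy over polled state
    # and report violations; run periodically, this is compliance auditing.
    def audit(self, state: dict) -> List[Violation]:
        return [(name, vm, net)
                for name, rule in self.rules.items()
                for vm, net in state["ports"]
                if rule(state, vm, net)]

    # Requirement 7: proactive enforcement. Evaluate the rules against the
    # *proposed* attachment before it happens; a non-empty result means block.
    def check_attach(self, state: dict, vm: str, net: str) -> List[str]:
        return [name for name, rule in self.rules.items() if rule(state, vm, net)]

    # Requirement 6: reactive enforcement. Detach violating ports and publish a
    # "policy violation" event for each, so a closed-loop system can act on it.
    def enforce(self, state: dict) -> List[Violation]:
        violations = self.audit(state)
        for name, vm, net in violations:
            state["ports"].remove((vm, net))
            self._notify({"type": "policy violation", "policy": name,
                          "vm": vm, "network": net, "action": "port detached"})
        return violations


def run_demo() -> dict:
    """Exercise the enforcer on a copy of the sample state; return the outcomes."""
    state = copy.deepcopy(SAMPLE_STATE)
    events: List[dict] = []
    enforcer = LocalPolicyEnforcer()
    enforcer.add_policy("network-ownership", network_ownership_rule)
    enforcer.subscribe(events.append)   # stand-in for a closed-loop subscriber
    return {
        "audit": enforcer.audit(state),
        "blocked_attach": enforcer.check_attach(state, "vm-a", "net-t2"),
        "allowed_attach": enforcer.check_attach(state, "vm-b", "net-pub"),
        "enforced": enforcer.enforce(state),
        "events": events,
        "clean_after": enforcer.audit(state),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The split between ``audit``, ``check_attach`` and ``enforce`` is the point: the same rule serves violation reporting (audit over polled state), proactive enforcement (evaluate before the state change is committed) and reactive enforcement (correct already-committed state and publish an event). Which of these a real VIM supports for a given policy is what Table 1 is meant to record.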