<html><body>
<p><font size="2" face="sans-serif">Louis, We are still working on the details of the new contract based model. To get an idea please refer to the original project google document [1] and look under the section titled </font><br>
<font size="2" face="Trebuchet MS"><b>Use Cases: </b></font><font size="2" face="Arial"><b>3-tier Application with Security Policies </b></font><font size="2" face="sans-serif">where policies are described through a provider/consumer relationship. The contract model is similar to the model being worked out by a similarly named project in OpenDaylight. You can find more information on the contract model there [2].</font><br>
<br>
<font size="2" face="sans-serif">Best,</font><br>
<br>
<font size="2" face="sans-serif">Mohammad</font><br>
<br>
<br>
<font size="2" face="sans-serif">[1] <a href="https://docs.google.com/document/d/1ZbOFxAoibZbJmDWx1oOrOsDcov6Cuom5aaBIrupCD9E/edit#heading=h.gebyoou6khks">https://docs.google.com/document/d/1ZbOFxAoibZbJmDWx1oOrOsDcov6Cuom5aaBIrupCD9E/edit#heading=h.gebyoou6khks</a></font><br>
<font size="2" face="sans-serif">[2] <a href="https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin">https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin</a></font><br>
<br>
<img width="16" height="16" src="cid:1__=0ABBF633DF85BCAC8f9e8a93df938@us.ibm.com" border="0" alt="Inactive hide details for "Louis.Fourie" ---03/18/2014 03:23:05 PM---Mohammad, Can you share details on the contract-based po"><font size="2" color="#424282" face="sans-serif">"Louis.Fourie" ---03/18/2014 03:23:05 PM---Mohammad, Can you share details on the contract-based policy model?</font><br>
<br>
<font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">"Louis.Fourie" <Louis.Fourie@huawei.com></font><br>
<font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif">"OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>, </font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">03/18/2014 03:23 PM</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Subject: </font><font size="1" face="sans-serif">Re: [openstack-dev] [neutron][policy] Integrating network policies and network services</font><br>
<hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br>
<br>
<br>
<font size="2" color="#1F497D" face="Calibri">Mohammad,</font><br>
<font size="2" color="#1F497D" face="Calibri"> Can you share details on the contract-based policy model?</font>
<ul style="padding-left: 20pt"><font size="2" color="#1F497D" face="Calibri">- Louis</font></ul>
<font size="2" color="#1F497D" face="Calibri"> </font><br>
<font size="2" face="Tahoma"><b>From:</b></font><font size="2" face="Tahoma"> Mohammad Banikazemi [</font><font size="2" face="Tahoma"><a href="mailto:mb@us.ibm.com">mailto:mb@us.ibm.com</a></font><font size="2" face="Tahoma">] </font><font size="2" face="Tahoma"><b><br>
Sent:</b></font><font size="2" face="Tahoma"> Friday, March 14, 2014 3:18 PM</font><font size="2" face="Tahoma"><b><br>
To:</b></font><font size="2" face="Tahoma"> OpenStack Development Mailing List (not for usage questions)</font><font size="2" face="Tahoma"><b><br>
Subject:</b></font><font size="2" face="Tahoma"> [openstack-dev] [neutron][policy] Integrating network policies and network services</font><br>
<font size="3" face="Times New Roman"> </font>
<p><font size="2" face="Arial">We have started looking at how the Neutron advanced services being defined and developed right now can be used within the Neutron policy framework we are building. Furthermore, we have been looking at a new model for the policy framework as of the past couple of weeks. So, I have been trying to see how the services will fit in (or can be utilized by) the policy work in general and with the new contract-based model we are considering in particular. Some of the I like to discuss here are specific to the use of service chains with the group policy work but some are generic and related to service chaining itself.</font><font size="3" face="Times New Roman"><br>
</font><font size="2" face="Arial"><br>
If I understand it correctly, the proposed service chaining model requires the creation of the services in the chain without specifying their insertion contexts. Then, the service chain is created with specifying the services in the chain, a particular provider (which is specific to the chain being built) and possibly source and destination insertion contexts.</font><font size="3" face="Times New Roman"><br>
</font><font size="2" face="Arial"><br>
1- This fits ok with the policy model we had developed earlier where the policy would get defined between a source and a destination policy endpoint group. The chain could be instantiated at the time the policy gets defined. (More questions on the instantiation below marked as 1.a and 1.b.) How would that work in a contract based model for policy? At the time a contract is defined, it's producers and consumers are not defined yet. Would we postpone the instantiation of the service chain to the time a contract gets a producer and at least a consumer? </font><font size="3" face="Times New Roman"><br>
</font><font size="2" face="Arial"><br>
1.a- It seems to me, it would be helpful if not necessary to be able to define a chain without instantiating the chain. If I understand it correctly, in the current service chaining model, when the chain is created, the source/destination contexts are used (whether they are specified explicitly or implicitly) and the chain of services become operational. We may want to be able to define the chain and postpone its creation to a later point in time.</font><font size="3" face="Times New Roman"><br>
</font><font size="2" face="Arial"><br>
1.b-Is it really possible to stand up a service without knowing its insertion context (explicitly defined or implicitly defined) in all cases? For certain cases this will be ok but for others, depending on the insertion context or other factors such as the requirements of other services in the chain we may need to for example instantiate the service (e.g. create a VM) at a specific location that is not known when the service is created. If that may be the case, would it make sense to not instantiate the services of a chain at any level (rather than instantiating them and mark them as not operational or not routing traffic to them) before the chain is created? (This leads to question 3 below.)</font><font size="3" face="Times New Roman"><br>
</font><font size="2" face="Arial"><br>
2- With one producer and multiple consumers, do we instantiate a chain (meaning the chain and the services in the chain become operational) for each consumer? If not, how do we deal with using the same source/destination insertion context pair for the provider and all of the consumers?</font><font size="3" face="Times New Roman"><br>
</font><font size="2" face="Arial"><br>
3- For the service chain creation, I am sure there are good reasons for requiring a specific provider for a given chain of services but wouldn't it be possible to have a generic "chain" provider which would instantiate each service in the chain using the required provider for each service (e.g., firewall or loadbalancer service) and with setting the insertion contexts for each service such that the chain gets constructed as well? I am sure I am ignoring some practical requirements but is it worth rethinking the current approach? </font><font size="3" face="Times New Roman"><br>
</font><font size="2" face="Arial"><br>
Best,</font><font size="3" face="Times New Roman"><br>
</font><font size="2" face="Arial"><br>
Mohammad</font><tt><font size="2">_______________________________________________<br>
OpenStack-dev mailing list<br>
OpenStack-dev@lists.openstack.org<br>
</font></tt><tt><font size="2"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></font></tt><tt><font size="2"><br>
</font></tt>
<p></body></html>