Version 1 (modified by acb@cs.princeton.edu, 13 years ago)

VICCI Policy Configuration

The control framework of the VICCI testbed is based on MyPLC and supports the GENI AM API. Access to VICCI via the GENI AM API is limited to a set of approved PlanetLab slices (a “whitelist”). Only whitelisted slices are able to list and allocate VICCI resources. The whitelist is enforced by the sfatables policy engine that runs as part of the VICCI Aggregate Manager. Sfatables is inspired by the iptables firewall tool, so configuring sfatables should be fairly intuitive for those familiar with iptables.

Following is a brief description of how the VICCI whitelist is configured using sfatables. The first step is to configure sfatables to reject resource requests by default. To accomplish this, two commands are run on the machine that hosts the VICCI Aggregate Manager:

# sfatables -A INCOMING -- -m all -- -j REJECT
# sfatables -A OUTGOING -- -m all -- -j REJECT

All resource requests that match these default rules will receive a response like this:

<?xml version="1.0"?>
<sfa-verdict>
    Your resource-allocation request has been rejected. 
</sfa-verdict>

In order to allow some slices to access VICCI resources, the PI at a VICCI site emails the name of the slice to PlanetLab support, and the support team adds the slice HRN to the sfatables whitelist. For example, suppose that the slice is plc.princeton.foo. The support team would execute the following commands at the VICCI Aggregate Manager:

# sfatables -I INCOMING 1 -- -m slice --hrn=plc.princeton.foo -- -j ACCEPT
# sfatables -I OUTGOING 1 -- -m slice --hrn=plc.princeton.foo -- -j ACCEPT

These rules are inserted at the front of the INCOMING and OUTGOING chains, ahead of the default REJECT rule. A resource request for the specified slice matches the ACCEPT rule first and is allowed to proceed. Any other request falls through to the default rule and is denied.
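The following Python model is an added example for this page; it is not sfatables' own code and does not invoke it. It reproduces the first-match chain semantics the page attributes to sfatables (the iptables analogy: chains are walked top to bottom and the first matching rule decides) so that the effect of the -A and -I commands above can be checked offline. Two points are assumptions of the model: that an empty or non-matching chain does not reject (which is why the page installs the catch-all REJECT first), and the hypothetical helper names build_whitelist_policy, build_misordered_policy, check_request and unreachable_rules, which exist only in this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The rejection verdict quoted on the page, returned whenever a request
# ends on a REJECT rule.
REJECT_VERDICT = (
    '<?xml version="1.0"?>\n'
    "<sfa-verdict>\n"
    "    Your resource-allocation request has been rejected. \n"
    "</sfa-verdict>"
)


@dataclass
class Rule:
    """One rule: a matcher ('-m all' or '-m slice --hrn=...') and a target."""
    match: str                 # "all" or "slice"
    target: str                # "ACCEPT" or "REJECT"
    hrn: Optional[str] = None  # slice HRN, only used by the "slice" matcher

    def matches(self, slice_hrn: str) -> bool:
        if self.match == "all":
            return True
        if self.match == "slice":
            return self.hrn == slice_hrn
        raise ValueError(f"unknown matcher {self.match!r}")


@dataclass
class Chain:
    """An ordered rule list walked top to bottom; the first match decides."""
    name: str
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """-A: add at the end of the chain."""
        self.rules.append(rule)

    def insert(self, position: int, rule: Rule) -> None:
        """-I <position>: add at a 1-based position (1 = front of the chain)."""
        self.rules.insert(position - 1, rule)

    def verdict(self, slice_hrn: str) -> str:
        for rule in self.rules:
            if rule.matches(slice_hrn):
                return rule.target
        # Assumption of this model: a chain with no matching rule does not
        # reject, which is why the page installs a catch-all REJECT first.
        return "ACCEPT"


def build_whitelist_policy(whitelisted_hrns: List[str]) -> Dict[str, Chain]:
    """The page's procedure: default-deny both chains, then insert an ACCEPT
    for each approved slice at position 1 so it is checked before the deny."""
    chains = {name: Chain(name) for name in ("INCOMING", "OUTGOING")}
    for chain in chains.values():
        chain.append(Rule("all", "REJECT"))  # sfatables -A <chain> -- -m all -- -j REJECT
    for hrn in whitelisted_hrns:
        for chain in chains.values():
            # sfatables -I <chain> 1 -- -m slice --hrn=<hrn> -- -j ACCEPT
            chain.insert(1, Rule("slice", "ACCEPT", hrn))
    return chains


def build_misordered_policy(whitelisted_hrns: List[str]) -> Dict[str, Chain]:
    """Same rules, but the ACCEPTs are appended (-A) after the catch-all REJECT.
    The catch-all matches every request first, so the whitelist never applies."""
    chains = {name: Chain(name) for name in ("INCOMING", "OUTGOING")}
    for chain in chains.values():
        chain.append(Rule("all", "REJECT"))
    for hrn in whitelisted_hrns:
        for chain in chains.values():
            chain.append(Rule("slice", "ACCEPT", hrn))
    return chains


def check_request(chains: Dict[str, Chain], direction: str,
                  slice_hrn: str) -> Tuple[str, Optional[str]]:
    """Evaluate one request. Returns ("ACCEPT", None) or ("REJECT", verdict_xml)."""
    verdict = chains[direction].verdict(slice_hrn)
    return (verdict, None) if verdict == "ACCEPT" else (verdict, REJECT_VERDICT)


def unreachable_rules(chain: Chain) -> List[Rule]:
    """Audit helper: rules that sit behind an earlier catch-all and can never fire."""
    shadowed: List[Rule] = []
    seen_catch_all = False
    for rule in chain.rules:
        if seen_catch_all:
            shadowed.append(rule)
        elif rule.match == "all":
            seen_catch_all = True
    return shadowed


if __name__ == "__main__":
    policy = build_whitelist_policy(["plc.princeton.foo"])
    print(check_request(policy, "INCOMING", "plc.princeton.foo"))    # ('ACCEPT', None)
    print(check_request(policy, "INCOMING", "plc.princeton.bar")[0])  # REJECT
    bad = build_misordered_policy(["plc.princeton.foo"])
    print([r.hrn for r in unreachable_rules(bad["INCOMING"])])       # ['plc.princeton.foo']
```

The misordered variant is the check worth keeping: if a whitelist entry is ever added with -A instead of -I 1, it lands behind the catch-all REJECT and the slice is still denied, and unreachable_rules flags it without having to send a request.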