Network policy conflict detection and resolution
Abstract
Example implementations relate to network policy conflict detection and resolution. For example, a system for network policy conflict detection and resolution can include a policy compilation engine to compile a plurality of network policies based on an intent format, a conflict detection engine to detect a conflict between a first network policy among the plurality of network policies and a second network policy among the plurality of network policies, using the intent format, and a conflict resolution engine to resolve the detected conflict between the first network policy and the second network policy. Further, the system for network policy conflict detection and resolution can include a translation engine to translate the resolution of the detected conflict to a protocol-specific format.
21 Citations
11 Claims
1. A system, comprising:
- a policy compilation engine to compile a plurality of network policies based on an intent format, wherein the intent format specifies a classifier for network traffic, a context of the network traffic, an action of the network traffic, a source endpoint identifier for the network traffic and a destination endpoint identifier for the network traffic;
- a policy optimization engine to optimize the plurality of network policies by removing any network policies from the plurality of network policies that lacks a destination endpoint identifier or a source endpoint identifier;
- a conflict detection engine to detect a conflict between a first network policy among the plurality of network policies and a second network policy among the plurality of network policies, using the intent format;
- a conflict resolution engine to resolve the detected conflict between the first network policy and the second network policy; and
- a translation engine to translate the resolution of the detected conflict to a protocol-specific format.
Dependent claims: 2, 3, 4, 5.

6. A non-transitory computer readable medium storing instructions executable by a processing resource to cause a computer to:
- compile a plurality of network policies based on an intent format, wherein the intent format specifies a classifier for network traffic, a context of the network traffic, an action of the network traffic, a source endpoint identifier for the network traffic and a destination endpoint identifier for the network traffic;
- optimize the plurality of network policies by removing any network policies from the plurality of network policies that lacks a destination endpoint identifier or a source endpoint identifier;
- detect an overlap in application between a first network policy among the plurality of network policies and a second network policy among the plurality of network policies, using the intent format;
- separate the overlapping first network policy and second network policy into a plurality of orthogonal policies; and
- resolve the detected overlap between the first network policy and the second network policy, based on the plurality of orthogonal policies.
Dependent claims: 7, 8, 9.

10. A method, comprising:
- compiling a plurality of network policies based on an intent format, wherein the intent format includes a classifier, a context, a source endpoint identifier, and a destination endpoint identifier for each network policy among the plurality of network policies;
- optimizing the plurality of network policies by removing any network policies from the plurality of network policies that lacks a destination endpoint identifier or a source endpoint identifier;
- detecting that a first network policy and a second network policy conflict in application within a software defined network (SDN), based on the intent format;
- separating the conflicting first network policy and second network policy into a plurality of orthogonal network policies;
- resolving the detected conflict between the first network policy and the second network policy using the plurality of orthogonal network policies; and
- translating the resolution of the detected conflict into a protocol-specific format for distribution to devices within the SDN.
Dependent claim: 11.
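The pipeline the claims describe (compile intents, prune policies lacking an endpoint identifier, detect overlap, separate the pair into orthogonal policies, resolve, translate), as an added Python example that is not part of the patent or any implementation of it. The port-set classifier, the deny-wins rule for the shared slice and the text target format are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Policy:
    """Intent-format policy: classifier, context, action, source and destination endpoint ids."""
    classifier: frozenset  # ports the policy matches (assumed classifier shape)
    context: str           # e.g. "prod"
    action: str            # "allow" or "deny"
    src: str               # source endpoint-group id, or None when the policy lacks one
    dst: str               # destination endpoint-group id, or None

def optimize(policies):
    """Optimization step: drop any policy that lacks a source or destination endpoint identifier."""
    return [p for p in policies if p.src is not None and p.dst is not None]

def overlaps(a, b):
    """Detection: same endpoints and context, and at least one shared classifier value."""
    return (a.src, a.dst, a.context) == (b.src, b.dst, b.context) and bool(a.classifier & b.classifier)

def split_orthogonal(a, b):
    """Separate an overlapping pair into disjoint policies; the shared slice is resolved deny-wins (assumed rule)."""
    shared = a.classifier & b.classifier
    winner = "deny" if "deny" in (a.action, b.action) else "allow"
    parts = [Policy(a.classifier - shared, a.context, a.action, a.src, a.dst),
             Policy(b.classifier - shared, b.context, b.action, b.src, b.dst),
             Policy(shared, a.context, winner, a.src, a.dst)]
    return [p for p in parts if p.classifier]  # drop empty slices

def first_conflict(policies):
    """Return the first pair that overlaps with different actions, or None."""
    return next(((a, b) for a, b in combinations(policies, 2)
                 if overlaps(a, b) and a.action != b.action), None)

def resolve(policies):
    """Optimize, then replace conflicting pairs with their orthogonal split until none remain.
    Terminates: each split reduces the total count of classifier values across all policies."""
    policies = optimize(policies)
    while (pair := first_conflict(policies)) is not None:
        policies = [p for p in policies if p not in pair] + split_orthogonal(*pair)
    return policies

def translate(policies):
    """Translation step into a flat firewall-style text (a hypothetical protocol-specific format)."""
    return [f"{p.action} {p.src}->{p.dst} {p.context} ports={sorted(p.classifier)}" for p in policies]

# Constructed sample: two conflicting web->app intents plus one lacking a source endpoint.
SAMPLE = [Policy(frozenset({80, 443, 8080}), "prod", "allow", "web", "app"),
          Policy(frozenset({8080, 9090}), "prod", "deny", "web", "app"),
          Policy(frozenset({22}), "prod", "deny", None, "app")]
```

Running `translate(resolve(SAMPLE))` yields three disjoint rules: port 8080 ends up denied because it sits in the shared slice, while 80/443 stay allowed and 9090 stays denied.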
Specification