Flow-based management language (FML): a declarative policy language for managing the configuration of enterprise networks, designed to replace the many disparate configuration mechanisms … including ACLs, VLANs, NATs, policy-routing, and proprietary admission control systems. FML balances the desire to express policies naturally against the need to enforce them efficiently.
Mechanisms it is meant to subsume: VLANs and subnetting for isolation, NATs for client protection, and policy-routing for source-based policies and the integration of middleboxes.
Assumes the network policy engine can derive the associated high-level names for all flows on the network. FML must also assume the possibility of distributed authorship within a single policy domain; this leads to policies with conflicts … two conflict resolution mechanisms:
Because all application statements follow the same logical model, multiple applications can be used to manage the network from the same policy file (provided a sane conflict resolution strategy exists) …
FML is a language for specifying policies about flows. It is based on nonrecursive Datalog with negation. An FML policy is a set of statements, each representing a simple if-then relationship.
The resolution mechanism throws away all constraints except those with the highest priority.
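To make the two preceding points concrete (statements as if-then rules over flow attributes, and priority-based conflict resolution), here is an added toy evaluator. It is example code written for these notes, not code from the FML paper or its implementation; the statement syntax (`constraint <= attr=value, !attr=value`), the attribute names (`usrc`, `hsrc`, `htgt`, `prot`), the numeric priority levels, and the deny-over-allow tie-break within a level are all this example's own assumptions. The sample policy and flows are constructed.

```python
"""Toy evaluator for FML-style if-then policy statements (added example).

Assumed simplified syntax: "<constraint> <= <literal>, <literal>, ..."
where each literal is an attribute=value test, optionally negated with "!".
Rules carry an explicit priority; higher numbers win (assumed numbering).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    constraint: str   # e.g. "allow", "deny", "waypoint(ids)"
    condition: tuple  # tuple of (negated, attribute, value)
    priority: int = 0


def parse_statement(text: str, priority: int = 0) -> Statement:
    """Parse one if-then statement in the assumed syntax."""
    head, _, body = text.partition("<=")
    tests = []
    for literal in body.split(","):
        literal = literal.strip()
        if not literal or literal == "true":
            continue  # "true" or empty body: the rule fires for every flow
        negated = literal.startswith("!")
        attr, _, value = literal.lstrip("!").partition("=")
        tests.append((negated, attr.strip(), value.strip()))
    return Statement(head.strip(), tuple(tests), priority)


def matches(stmt: Statement, flow: dict) -> bool:
    """A conjunction of literals; negation reads as 'attribute is not value'."""
    for negated, attr, value in stmt.condition:
        holds = flow.get(attr) == value
        if holds == negated:  # positive test failed, or negated test succeeded
            return False
    return True


def evaluate(policy: list, flow: dict) -> list:
    """Constraints that survive resolution: collect every constraint whose
    condition matches the flow, then discard all but the highest priority."""
    fired = [s for s in policy if matches(s, flow)]
    if not fired:
        return []
    top = max(s.priority for s in fired)
    return sorted({s.constraint for s in fired if s.priority == top})


def decide(policy: list, flow: dict) -> str:
    """Admission decision. Deny beating allow within one priority level and
    failing closed when nothing matches are this example's choices."""
    constraints = evaluate(policy, flow)
    if not constraints or "deny" in constraints:
        return "deny"
    return "allow"


# Constructed policy: three statements as if contributed by different authors
# to the same policy file, so they conflict on some flows.
POLICY = [
    parse_statement("allow <= usrc=alice, htgt=wiki", priority=0),
    parse_statement("deny <= !usrc=alice, htgt=wiki", priority=0),
    parse_statement("waypoint(ids) <= prot=http", priority=0),
    parse_statement("deny <= hsrc=guest-ap", priority=1),  # guest isolation
]

# Constructed flows, described by the high-level names the engine is assumed to derive.
FLOW_GUEST = {"usrc": "alice", "hsrc": "guest-ap", "htgt": "wiki", "prot": "http"}
FLOW_LAB = {"usrc": "alice", "hsrc": "lab-host", "htgt": "wiki", "prot": "http"}
FLOW_BOB = {"usrc": "bob", "hsrc": "lab-host", "htgt": "wiki", "prot": "ssh"}

if __name__ == "__main__":
    for name, flow in (("guest", FLOW_GUEST), ("lab", FLOW_LAB), ("bob", FLOW_BOB)):
        print(name, evaluate(POLICY, flow), decide(POLICY, flow))
```

The guest flow fires `allow`, `waypoint(ids)` and the priority-1 `deny`; only the `deny` survives. The lab flow fires `allow` and `waypoint(ids)` at the same level, so both survive and the flow is admitted through the waypoint. Bob's flow hits the negated rule and is denied.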
Figure 1: Example decision tree
Flow setup latencies (involving two permission checks, route calculations, and flow-entry setups) are generally under 20 ms. In the authors' deployments there is not enough traffic to stress the implementation (generally fewer than 100 new flow setups/s, even in the larger network).