Orchestration is a sub-function of the overall DAQ framework that enables the enforcement of network microsegmentation using the capabilities provided by the Faucet OpenFlow network controller. The system takes in a number of device topology specification descriptors and dynamically applies network-based port restrictions at runtime.
NB: The various file formats are in various stages of specification and are subject to change.
The overall orchestration capability relies on several simple data sources:
- Overall network topology, which indicates how the network hardware is configured.
- Device MUD files, which provide an IETF Standard MUD descriptor that describes the network protocol/ports (e.g. UDP on port 47808) utilized by a device.
- System device topology specification, which indicates how devices are interconnected.
- Pre-runtime, MUD files are compiled into templatized fACLs (Faucet ACLs), such as the BACnet ACL example.
- When a new device is detected (characterized by a Faucet switch learning event), the system looks up the device's specification in the configured `device_spec`, correlating its `type` field with a similarly-named MUD template.
- Templatized field information (like destination hosts) is resolved based on the current state of the network topology.
- The resolved fACLs are applied to the device's switch port and switch-interconnect, effectively limiting network flows.
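The runtime flow above (learning event, `device_spec` lookup by `type`, template resolution against the topology) as an added Python example; this is not DAQ's own code. The `@host` placeholder syntax, the `device_spec` and topology layouts, and all sample values are assumptions made for illustration; the rule keys follow Faucet's ACL syntax.

```python
import copy

# Constructed sample inputs (not real DAQ files); layouts are assumed for illustration.
NETWORK_TOPOLOGY = {"hosts": {"bacnet_controller": "10.20.0.5"}}
DEVICE_SPEC = {"macs": {"9a:02:57:1e:8f:01": {"type": "bacnet"}}}

# Templatized fACL per device type. The BACnet entry mirrors a MUD rule that permits
# UDP/47808 to a named controller host; the trailing rule is an explicit default deny.
ACL_TEMPLATES = {
    "bacnet": [
        {"rule": {"dl_type": 0x0800, "nw_proto": 17, "udp_dst": 47808,
                  "nw_dst": "@bacnet_controller", "actions": {"allow": 1}}},
        {"rule": {"actions": {"allow": 0}}},
    ]
}


def resolve_template(template, topology):
    """Return a copy of the template with '@host' fields replaced by topology addresses.

    Raises KeyError for a host missing from the topology rather than emitting an
    unresolved rule, so a stale topology cannot silently widen the ACL.
    """
    resolved = copy.deepcopy(template)  # never mutate the shared template
    for entry in resolved:
        rule = entry["rule"]
        for key, value in list(rule.items()):
            if isinstance(value, str) and value.startswith("@"):
                host = value[1:]
                if host not in topology["hosts"]:
                    raise KeyError(f"topology has no host {host!r} for field {key!r}")
                rule[key] = topology["hosts"][host]
    return resolved


def build_port_acl(mac, device_spec, templates, topology):
    """Learning-event handler: map a learned MAC to the resolved fACL for its port.

    Returns None when the MAC is not in device_spec (unknown device, nothing applied).
    """
    spec = device_spec["macs"].get(mac.lower())
    if spec is None:
        return None
    dev_type = spec["type"]
    if dev_type not in templates:
        raise KeyError(f"no fACL template for device type {dev_type!r}")
    return resolve_template(templates[dev_type], topology)
```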
To see how the system is configured and executed, see the integration tests defined in the `testing/test_topo.sh` test script.