Intercloud Registry
Transcript

  • 1. Infrastructure 2.0: Objects and Identifiers: Toward an Inter/Inner-Cloud Registry System. Stuart Bailey, Andrew Benton. I2.0 Workshop, January 2010. © 2009 Infoblox Inc. All Rights Reserved.
  • 2. Specific Issues for the Intercloud Challenge
    - IPv4 lacks "number portability".
    - IP also lacks metadata portability (e.g. VM binding, virtual-network membership, policy, state, location, etc.).
    - Both are required to take full advantage of cloud.
    - A dynamic, context-rich registry and rendezvous service may help with these requirements.
    - Many other dynamic patterns may be expressible in such a registry.
    - Several technologies and efforts seem relevant: DNS, SNMP, X.500/LDAP, XMPP, RDF, LISP, HIP, DHCP, DEN, CMDB, etc.
  • 3. What patterns are important? [Figure: an Intercloud node with "member of" links from two clouds, dns-name=testbed.opencloudconsortium.org and dns-name=cloud.sun.com; each cloud has "interface" links to entry points URI=a, URI=b and URI=c, tagged Version X, Y and Z; provider labels AWS, Yahoo and Sun.]
  • 4. Complex Patterns May Emerge [Figure: graph of Cloud, Virtual Network, Virtual Machine, Device, MAC Address and IP Address nodes joined by "member of", "assigned to" and "runs on" links: a Virtual Machine is a member of a Virtual Network, which is a member of a Cloud; a Virtual Machine runs on a Device; MAC and IP addresses are assigned to Virtual Machines and Devices.]
  • 5. Patterns Evolve [Figure: the same node set as slide 4 with the link labels written as "member-of" and "assigned-to"; the "runs on" link from Virtual Machine to Device is absent.]
  • 6. Patterns Evolve [Figure: the same node set again; a Virtual Machine now "runs on" another Virtual Machine (nested virtualization), with MAC and IP addresses assigned to each.]
  • 7. MAP: Metadata Access Point
    - MAP is specifically designed for infrastructure-coordination use cases.
    - Optimized for loosely structured metadata.
    - Publish/subscribe capability for asynchronous searches.
    - Highly scalable architecture.
    - Design is based on the assumption that you will never find the data relation schema that satisfies all needs, so you can move forward in spite of a lack of full relation specifications.
    Copyright© 2009 Trusted Computing Group – Other names and brands are properties of their respective owners.
  • 8. IF-MAP for Network Security [Figure: a MAP in the centre, reached over the IF-MAP protocol by Asset Management, NAC Decision Point, Custom Integration, SIM/SEM, IPAM Service, DHCP, AD, RADIUS, Routing, IDS, RFID, Switching, Wireless and Firewalls.]
  • 9. Properties of Dynamic Coordination
    1. Lots of real-time data writes.
    2. Unstructured relationships.
    3. Diverse interest in changes to the current state as they occur.
    4. Distributed data producers and consumers.
    [Figure: the four properties positioned against a Relational Database, an LDAP/DNS Directory and a MAP Database.]
  • 10. MAP Access Operations
    - Publish: "Tell others that ... <metadata ...>". Clients store metadata into the MAP for others to see. Incorporates create, modify and delete functionality.
    - Search: "Tell me if ... match(metadata pattern)". Clients retrieve published metadata associated with a particular identifier and linked identifiers. Constrained by link-match and result-filter criteria, and by maximum depth and size criteria.
    - Subscribe: "Tell me when ... match(metadata pattern)". Clients request asynchronous results for searches that match when others publish new metadata. A client's subscription consists of a list of one or more searches; the client names its searches so that asynchronous results are unambiguous.
  • 11. MAP Element Model
    Model components:
    - Identifiers: all objects are represented by unique identifiers.
    - Links: connote relationships between pairs of identifiers.
    - Metadata: attributes attached to identifiers or links.
    Important properties:
    - All identifiers and links exist implicitly, but have no meaning until metadata is attached to them.
    - Identifier and metadata types are defined in modular XML schemas.
    - Metadata in particular is designed to be extensible.
  • 12. Example Use Scenario
    1. Initial setup
       a) HR publishes its metadata to the MAP (identifier dns-name=hr.corp.myco.com with content-owner=hr-dept and contact=123-456-7890). This will be the content-owner side of the links it will later create for each employee.
       b) Servers each subscribe to a pattern that will match newly added employees. Server1's subscription: identifier="dns-name[name=hr.corp.myco.com]", match-links="employee-attribute[name="active"]", max-depth="1", result-filter="distinguished-name".
  • 13. Example Use Scenario
    2. New employee
       a) HR later publishes an "employee-attribute=active" link between itself and the new employee's identifier (distinguished-name = C=US, O=myco, OU=people, CN=12534).
       b) Server1 receives an asynchronous notification of each new employee due to its subscription, which causes it to create a new user account.
  • 14. Example Use Scenario
    3. Provisioning pattern
       a) This pattern repeats itself for each new employee.
       b) Notifications of transitions to inactive states can occur at the same time.
       c) Other related identifier metadata and link metadata may be published by others at a later time (the figure shows failed-login-attempts=3, login-status=allowed and role=access-finance-server-allowed attached to the employee's identifier).
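The element model of slide 11, the three operations of slide 10 and the HR provisioning scenario of slides 12 to 14, worked through in code. This is an added illustration, not Infoblox, OCC or TCG code, and it models the semantics only: a real MAP speaks SOAP/XML over TLS, keeps per-client sessions and enforces who may publish what. Identifiers are (type, name) tuples, and `result_filter` is applied the way the scenario uses it, to keep only identifiers of one type. The subscription name "new-employees" and the metadata published "by others" in step 3c are my assumptions.

```python
"""Toy in-memory MAP (Metadata Access Point) following the IF-MAP element model on
the slides: identifiers, links between identifier pairs, metadata on either, and the
publish / search / subscribe operations. Added example; not Infoblox, OCC or TCG code
and not the IF-MAP wire protocol."""
from collections import defaultdict


class MAP:
    def __init__(self):
        # identifier -> {metadata name: value}; identifiers are (type, name) tuples
        self.id_meta = defaultdict(dict)
        # frozenset({ident_a, ident_b}) -> {metadata name: value}
        self.link_meta = defaultdict(dict)
        # [client, search name, search parameters, last result delivered]
        self.subscriptions = []
        # client -> list of (search name, result) delivered asynchronously
        self.notifications = defaultdict(list)

    # --- Publish: "tell others that ..." (create/modify; delete shown for links) ---
    def publish_identifier(self, ident, **meta):
        self.id_meta[ident].update(meta)
        self._notify()

    def publish_link(self, a, b, **meta):
        self.link_meta[frozenset((a, b))].update(meta)
        self._notify()

    def delete_link_metadata(self, a, b, *names):
        for n in names:
            self.link_meta[frozenset((a, b))].pop(n, None)
        self._notify()

    # --- Search: "tell me if ... match(pattern)" ---
    def search(self, start, match_link, max_depth, result_filter=None):
        """Breadth-first walk from `start`, following only links whose metadata holds
        the (name, value) pair `match_link`, for at most `max_depth` hops. Returns
        {identifier: its metadata} for every identifier reached, restricted to the
        identifier type `result_filter` when one is given."""
        seen, frontier = {start}, [start]
        for _ in range(max_depth):
            nxt = []
            for ident in frontier:
                for pair, meta in self.link_meta.items():
                    if ident in pair and len(pair) == 2 and meta.get(match_link[0]) == match_link[1]:
                        (other,) = pair - {ident}   # the far end of the link
                        if other not in seen:
                            seen.add(other)
                            nxt.append(other)
            frontier = nxt
        return {i: dict(self.id_meta.get(i, {})) for i in seen
                if result_filter is None or i[0] == result_filter}

    # --- Subscribe: "tell me when ... match(pattern)" ---
    def subscribe(self, client, name, start, match_link, max_depth, result_filter=None):
        params = (start, match_link, max_depth, result_filter)
        result = self.search(*params)
        self.notifications[client].append((name, result))   # initial result, possibly empty
        self.subscriptions.append([client, name, params, result])

    def _notify(self):
        # After every publish, re-run each named search and deliver only changed results.
        for sub in self.subscriptions:
            client, name, params, last = sub
            result = self.search(*params)
            if result != last:
                self.notifications[client].append((name, result))
                sub[3] = result


def hr_provisioning_scenario():
    """Slides 12-14. Returns the accounts Server1 would create and everything it was sent."""
    m = MAP()
    hr = ("dns-name", "hr.corp.myco.com")
    # 1a) HR publishes the metadata it owns on its own identifier
    m.publish_identifier(hr, **{"content-owner": "hr-dept", "contact": "123-456-7890"})
    # 1b) Server1 subscribes to the pattern that will match newly added active employees
    m.subscribe("Server1", "new-employees", hr, ("employee-attribute", "active"),
                max_depth=1, result_filter="distinguished-name")
    # 2a) HR links itself to the new employee's identifier with employee-attribute=active
    emp = ("distinguished-name", "C=US, O=myco, OU=people, CN=12534")
    m.publish_link(hr, emp, **{"employee-attribute": "active"})
    # 2b) Server1 acts on the asynchronous result: one account per distinguished-name seen
    accounts = [ident[1] for _, res in m.notifications["Server1"] for ident in res]
    # 3c) another producer (assumed here: an IDS) attaches metadata to the same identifier;
    #     Server1 is notified again because the metadata in its result changed
    m.publish_identifier(emp, **{"login-status": "allowed", "failed-login-attempts": 3})
    # 3b) the transition to inactive drops the employee out of the matching set
    m.publish_link(hr, emp, **{"employee-attribute": "inactive"})
    return accounts, m.notifications["Server1"]


if __name__ == "__main__":
    accounts, delivered = hr_provisioning_scenario()
    print("accounts to create:", accounts)
    for name, result in delivered:
        print(name, "->", result)
```

Two things the trace makes visible: a subscriber is woken by any change inside its result set, not only by new links (step 3c), so a consumer such as Server1 must diff results rather than treat every delivery as "new employee"; and the inactive transition arrives as an empty result, which is exactly the signal a deprovisioning workflow needs.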
  • 15. Current State
    - TCG published the IF-MAP v1.1 Standard in May 2009.
    - Coincided with Interop '09, with multi-vendor collaborative demonstrations.
    - Interop '09 demonstration use cases: Remote User Access Security, Industrial Controls Security, Physical Access Security, Datacenter Management Security.
  • 16. An October 2009 Proposal (Working #2)
    - IF-MAP 1.1 Specification (a free and open standard): http://www.trustedcomputinggroup.org/
    - Proposal: quick collaboration on an Intercloud registry prototype (a step toward a golden spike).
    - Open Cloud Consortium has agreed to host the prototype on their network.
    - Infoblox will donate IF-MAP service software and operations, and IF-MAP client developer training.
    - Need: cloud provider prototype participation, IF-MAP service hardware partners, governance activity.
    - Unencumbered IF-MAP client stacks available.
    - Andrew Benton is an IF-MAP client development expert!
  • 17. Intercloud and Innercloud Registries
  • 18. Clouds can publish capabilities and entry points [Figure: IF-MAP Publish from a cloud into the registry.]
  • 19. Entry points and capabilities can be discovered [Figure: 1. IF-MAP Search for member clouds; 2. IF-MAP Search for a cloud's interfaces.]
  • 20. Response to changes can be automated [Figure: IF-MAP Subscribe on the registry.]
  • 21. IF-MAP 1.1 Standard Identifiers
    - identity: dns-name, email-address, kerberos-principal, username, other (vendor defined)
    - ip-address (v4 or v6)
    - mac-address
    - device
  • 22. OCC IF-MAP 1.1 Metadata for Inter/Inner Cloud Registries (v1)
    - assigned-to (link): recommended for dns-name, ip-address, mac-address and device.
    - cloud (link): recommended for dns-name and other:Intercloud.
    - interface (link): recommended for dns-name and other:URI.
    - member-of (link): recommended for dns-name, ip-address, mac-address and other:name.
    - resides-on (link): recommended for other:name and device.
    - vdatacenter: recommended for other:name.
    - vmachine: recommended for dns-name, ip-address and mac-address.
    - vnet: recommended for other:name.
    - Also defines: file, directory, table, collection, datastore.
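The registry flows of slides 18 and 19 at the message level, using the OCC vocabulary of slide 22: a cloud publishes a `cloud` link (dns-name to other:Intercloud) and an `interface` link (dns-name to other:URI), and a consumer pulls entry points out of a search result. This is an added example, not OCC or Infoblox code. Assumptions, labelled in the code: the OCC metadata namespace URI (the slides give none), the attribute names on the `other` identifier and the layout of the response, which follow my reading of IF-MAP 1.1 and should be checked against the published XSD; the sample search result and its URIs are constructed.

```python
"""IF-MAP 1.1-style publish and result handling for the OCC cloud-registry vocabulary.
Added example; not OCC, Infoblox or TCG code. Names marked ASSUMED are not on the slides."""
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
IFMAP = "http://www.trustedcomputinggroup.org/2006/IFMAP/1"
OCC = "http://example.org/occ/intercloud-registry/v1"   # ASSUMED namespace for OCC metadata
NS = {"env": SOAP, "ifmap": IFMAP, "occ": OCC}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def _dns_name(name):
    return ET.Element("identity", {"name": name, "type": "dns-name"})


def _other(type_def, value):
    # `other` identifier (e.g. other:Intercloud, other:URI). Attribute names are ASSUMED.
    return ET.Element("other", {"type-definition": type_def, "other-type-definition": value})


def build_publish(session_id, cloud_dns, intercloud_name, entry_uri, version):
    """Slide 18: one publish request carrying two updates, each an identifier pair plus
    the link metadata that gives the pair meaning (slide 11)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    pub = ET.SubElement(body, f"{{{IFMAP}}}publish", {"session-id": session_id})
    # dns-name --cloud--> other:Intercloud  (membership)
    u1 = ET.SubElement(pub, "update")
    u1.append(_dns_name(cloud_dns))
    u1.append(_other("Intercloud", intercloud_name))
    ET.SubElement(ET.SubElement(u1, "metadata"), f"{{{OCC}}}cloud")
    # dns-name --interface--> other:URI  (entry point; version attribute is ASSUMED)
    u2 = ET.SubElement(pub, "update")
    u2.append(_dns_name(cloud_dns))
    u2.append(_other("URI", entry_uri))
    ET.SubElement(ET.SubElement(u2, "metadata"), f"{{{OCC}}}interface", {"version": version})
    return ET.tostring(env, encoding="unicode")


def interface_links(message_xml):
    """Slide 19: map each cloud dns-name to its [(entry URI, version), ...]. Works on a
    searchResult (resultItem elements) and, since the shape is the same, on a publish
    request (update elements), which lets a client check what it is about to send."""
    root = ET.fromstring(message_xml)
    found = {}
    for item in root.iter():
        if item.tag not in ("resultItem", "update"):
            continue
        dns = item.find("identity[@type='dns-name']")
        uri = item.find("other[@type-definition='URI']")
        iface = item.find("metadata/occ:interface", NS)
        if dns is None or uri is None or iface is None:
            continue   # a cloud/member-of link or an unrelated item, not an entry point
        found.setdefault(dns.get("name"), []).append(
            (uri.get("other-type-definition"), iface.get("version")))
    return found


# Constructed sample search result (ASSUMED layout; URIs invented for the example).
SAMPLE_SEARCH_RESULT = f"""<env:Envelope xmlns:env="{SOAP}" xmlns:ifmap="{IFMAP}" xmlns:occ="{OCC}">
 <env:Body><ifmap:response><searchResult>
  <resultItem><identity name="testbed.opencloudconsortium.org" type="dns-name"/>
   <other type-definition="Intercloud" other-type-definition="Intercloud"/>
   <metadata><occ:cloud/></metadata></resultItem>
  <resultItem><identity name="testbed.opencloudconsortium.org" type="dns-name"/>
   <other type-definition="URI" other-type-definition="https://testbed.opencloudconsortium.org/api"/>
   <metadata><occ:interface version="X"/></metadata></resultItem>
  <resultItem><identity name="cloud.sun.com" type="dns-name"/>
   <other type-definition="URI" other-type-definition="https://cloud.sun.com/entry"/>
   <metadata><occ:interface version="Y"/></metadata></resultItem>
 </searchResult></ifmap:response></env:Body></env:Envelope>"""


if __name__ == "__main__":
    print(build_publish("s1", "cloud.example.net", "Intercloud", "https://cloud.example.net/api", "Z"))
    print(interface_links(SAMPLE_SEARCH_RESULT))
```

Note that the parser ignores result items that do not carry an `interface` link with a `dns-name` and an `other:URI` endpoint, which is what a consumer should do: the registry is open to many publishers, so a client acting on discovered entry points has to check the identifier types and the metadata type, not just take every URI-looking string it finds, and should also consult the publisher identity that a real MAP attaches to metadata before connecting anywhere.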
  • 23. Patterns Evolve [Figure: repeat of the slide 5 graph of Cloud, Virtual Network, Virtual Machine, Device, MAC Address and IP Address nodes with member-of and assigned-to links.]
  • 24. An Update
    - Initial Inter/Inner-Cloud metadata schema for IF-MAP 1.1 proposed by the Open Cloud Consortium (OCC).
    - IF-MAP 1.1 based Intercloud Registry prototype using the OCC Inter/Inner-Cloud metadata schema running and tested on a Cisco UCS blade server.
    - Cisco agreed to donate a UCS blade server system to the Open Cloud Consortium for further registry research.
    - IF-MAP enabled Multicloud prototype running on Eucalyptus, running on Amazon AWS, for Innercloud Registry prototyping.
  • 25. Next Steps
    - Define standard registry semantics and metadata: Rainmaker? Lighthouse? Others?
    - Distributed, unencumbered open-source registry clients.