Intercloud Registry
- 1. Infrastructure 2.0:
Objects and Identifiers:
Toward an Inter/Inner-Cloud
Registry System
Stuart Bailey
Andrew Benton
I2.0 Workshop, January 2010
© 2009 Infoblox Inc. All Rights Reserved.
- 2. Specific Issues for the Intercloud Challenge
IPv4 lacks “number portability”
IP also lacks metadata portability (e.g. VM binding, VN membership, policy, state, location, etc.)
Both are required to take full advantage of cloud
A dynamic, context-rich registry and rendezvous service may help with these requirements
Many other dynamic patterns may be expressible in such a registry
There are several technologies and efforts which seem to be relevant: DNS, SNMP, X.500/LDAP, XMPP, RDF, LISP, HIP, DHCP, DEN, CMDB, etc.
- 3. What patterns are important?
[Diagram: an Intercloud identifier with member-of links to two clouds, dns-name = testbed.opencloudconsortium.org and dns-name = cloud.sun.com; each cloud has interface links to its entry points (URI=a, URI=b, URI=c), the interfaces being AWS, Yahoo and Sun at Version X, Version Y and Version Z]
- 4. Complex Patterns May Emerge
[Diagram: a graph of Cloud, Virtual Network, Virtual Machine, Device, MAC Address and IP Address identifiers joined by member-of, assigned-to and runs-on links, e.g. Virtual Machine member of Virtual Network member of Cloud; Virtual Machine runs on Device; MAC Address and IP Address assigned to Virtual Machine or Device]
- 5. Patterns Evolve
[Diagram: the same Cloud / Virtual Network / Virtual Machine / Device / MAC Address / IP Address graph, now with the assigned-to link type spelled with a hyphen and no runs-on links]
- 6. Patterns Evolve
[Diagram: the same graph again, with a Virtual Machine that runs on another Virtual Machine (nested virtualization), each with its own MAC Address and IP Address assigned to it]
- 7. MAP: Metadata Access Point
• MAP is specifically designed for infrastructure coordination use cases
Optimized for loosely structured metadata
Publish/Subscribe capability for asynchronous searches
Highly scalable architecture
Design is based on the assumption that you will never find the data relation schema to satisfy all needs
So you can move forward in spite of a lack of full relation specifications
Copyright© 2009 Trusted Computing Group – Other names and brands are properties of their respective owners.
- 8. IF-MAP for Network Security
[Diagram: a MAP Service at the centre, reached over the IF-MAP Protocol by an Asset Management System, NAC Decision Point, Custom Integration, SIM/SEM, IPAM, DHCP, AD, RADIUS, Routing, IDS, RFID, Switching, Wireless and Firewalls]
- 9. Properties of Dynamic Coordination
[Diagram: Relational Database, LDAP/DNS Directory and MAP Database compared against the properties below]
1. Lots of real-time data writes
2. Unstructured relationships
3. Diverse interest in changes to the current state as they occur
4. Distributed data producers & consumers
- 10. MAP Access Operations
Publish: Tell others that…<metadata…>
Clients store metadata into MAP for others to see
Incorporates create, modify and delete functionality
Search: Tell me if…match(metadata pattern)
Clients retrieve published metadata associated with a particular identifier and linked identifiers
Constrained by link-match and result-filter criteria
Constrained by maximum depth and size criteria
Subscribe: Tell me when…match(metadata pattern)
Clients request asynchronous results for searches that match when others publish new metadata
A client’s subscription consists of a list of one or more searches
Client names its searches so that asynchronous results are unambiguous
- 11. MAP Element Model
Model Components:
Identifiers: all objects are represented by unique identifiers
Links: connote relationships between pairs of identifiers
Metadata: attributes attached to Identifiers or Links
Important Properties:
All identifiers and links exist implicitly, but have no meaning until metadata is attached to them
Identifier and Metadata types are defined in modular XML schemas
Metadata in particular is designed to be extensible
- 12. Example Use Scenario
1. Initial setup:
a) HR publishes its metadata to MAP. This will be the one side of the links it will later create for each employee.
b) Servers each subscribe to a pattern that will match newly added employees.
[Diagram: identifier dns-name = hr.corp.myco.com carrying metadata content-owner = hr-dept, contact = 123-456-7890]
Server1 subscription: identifier = "dns-name[name=hr.corp.myco.com]", match-links = "employee-attribute[name=active]", max-depth = "1", result-filter = "distinguished-name"
- 13. Example Use Scenario
2. New Employee:
a) HR later publishes an “employee-attribute=active” metadata link between itself and the new employee’s identifier.
b) Server1 receives an asynchronous notification of each new employee due to its subscription, which causes it to create a new user account.
[Diagram: dns-name = hr.corp.myco.com (content-owner = hr-dept, contact = 123-456-7890) linked by employee-attribute = active to the new identifier distinguished-name = C=US, O=myco, OU=people, CN=12534]
Server1 subscription: identifier = "dns-name[name=hr.corp.myco.com]", match-links = "employee-attribute[name=active]", max-depth = "1", result-filter = "distinguished-name"
- 14. Example Use Scenario
3. Provisioning Pattern
a) This pattern repeats itself for each new employee.
b) Notifications of transitions to inactive states can occur at the same time.
c) Other related identifier metadata and link metadata may be published by others at a later time.
[Diagram: as before; the employee identifier distinguished-name = C=US, O=myco, OU=people, CN=12534 now also carries failed-login-attempts = 3, login-status = allowed and role = access-finance-server-allowed]
Server1 subscription: identifier = "dns-name[name=hr.corp.myco.com]", match-links = "employee-attribute[name=active]", max-depth = "1", result-filter = "distinguished-name"
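The three MAP operations and the element model of slides 10 and 11, driven through the HR provisioning scenario of slides 12 to 14, as an added example (this is illustrative code, not from the slides and not an IF-MAP implementation). The identifier values and Server1's subscription parameters come from the slides; the `Map` class, `run_scenario`, the (type, name) identifier encoding and the reading of result-filter as an identifier type are this example's assumptions.

```python
from collections import defaultdict  # example code, not an IF-MAP implementation

class Map:
    def __init__(self):
        self.id_meta = defaultdict(dict)    # (type, name) identifier -> metadata
        self.link_meta = defaultdict(dict)  # frozenset({a, b}) link -> metadata
        self.subs = {}                      # (client, search name) -> (params, reported)
        self.inbox = defaultdict(list)      # client -> [(search name, new results)]
    def publish(self, ident, meta, link_to=None):
        """Create/modify metadata on an identifier, or on the link ident<->link_to."""
        target = (self.id_meta[ident] if link_to is None
                  else self.link_meta[frozenset((ident, link_to))])
        target.update(meta)
        # Re-run every subscription and deliver identifiers not yet reported
        # (a real MAP also delivers later metadata changes on reported results).
        for (client, name), (params, reported) in self.subs.items():
            new = {k: v for k, v in self.search(**params).items() if k not in reported}
            if new:
                self.inbox[client].append((name, new))
                reported.update(new)
    def search(self, identifier, match_links, max_depth, result_filter):
        """Follow links whose metadata contains match_links for up to max_depth
        hops; return metadata of reached identifiers whose type is result_filter."""
        visited, frontier, results = {identifier}, [identifier], {}
        for _ in range(max_depth):
            nxt = []
            for a in frontier:
                for pair, lm in self.link_meta.items():
                    if len(pair) == 2 and a in pair and match_links.items() <= lm.items():
                        (b,) = pair - {a}
                        if b not in visited:
                            visited.add(b); nxt.append(b)
                            if b[0] == result_filter:
                                results[b] = dict(self.id_meta[b])
            frontier = nxt
        return results

    def subscribe(self, client, name, **params):
        self.subs[(client, name)] = (params, {})

def run_scenario():
    # The slides' HR provisioning flow; returns Server1's notifications.
    m = Map()
    hr = ("dns-name", "hr.corp.myco.com")
    m.publish(hr, {"content-owner": "hr-dept", "contact": "123-456-7890"})  # step 1a
    m.subscribe("Server1", "new-employees", identifier=hr, max_depth=1,     # step 1b
                match_links={"employee-attribute": "active"}, result_filter="distinguished-name")
    emp = ("distinguished-name", "C=US,O=myco,OU=people,CN=12534")
    m.publish(hr, {"employee-attribute": "active"}, link_to=emp)             # step 2a
    m.publish(emp, {"login-status": "allowed"})                              # step 3c: no new hit
    return m.inbox["Server1"]
```

Server1 is notified once, when the employee-attribute link appears; the later publish of the employee's own metadata reaches the same identifier and so produces no second notification in this toy.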
- 15. Current State
TCG published IF-MAP v1.1 Standard in May’09
Coincided with Interop’09 with multi-vendor
collaborative demonstrations
Interop’09 demonstration use cases:
Remote User Access Security
Industrial Controls Security
Physical Access Security
Datacenter Management Security
- 16. An October 2009 Proposal (Working #2)
• IF-MAP 1.1 Specification (A Free and Open Standard):
• http://www.trustedcomputinggroup.org/
• Proposal: Quick collaboration on an Intercloud registry
prototype (a step toward a golden spike)
• Open Cloud Consortium has agreed to host the prototype on their network
• Infoblox will donate IF-MAP service software and
operations and IF-MAP client developer training
• Need: cloud provider prototype participation, IF-MAP
service hardware partners, governance activity
• Unencumbered IF-MAP client stacks available
• Andrew Benton is an IF-MAP client development expert!
- 18. Clouds can publish capabilities and entry points
[Diagram: a cloud publishing its capabilities and entry points to the registry via IF-MAP Publish]
- 19. Entry points and capabilities can be discovered
[Diagram: a client discovering entry points and capabilities with two IF-MAP Search operations, 1. IF-MAP Search then 2. IF-MAP Search]
- 20. Response to changes can be automated
[Diagram: a client receiving change notifications from the registry via IF-MAP Subscribe]
- 21. IF-MAP 1.1 STANDARD Identifiers
identity
dns-name
email-address
kerberos-principal
username
other (vendor defined)
ip-address (v4 or v6)
mac-address
device
- 22. OCC IF-MAP 1.1 Metadata for Inter/Inner Cloud Registries (v1)
assigned-to (Link): recommended for dns-name, ip-address, mac-address, and device
cloud (Link): recommended for dns-name and other:Intercloud
interface (Link): recommended for dns-name and other:URI
member-of (Link): recommended for dns-name, ip-address, mac-address, and other:name
resides-on (Link): recommended for other:name and device
vdatacenter: recommended for other:name
vmachine: recommended for dns-name, ip-address, and mac-address
vnet: recommended for other:name
Also defines: file, directory, table, collection, datastore
- 23. Patterns Evolve
[Diagram: the Cloud / Virtual Network / Virtual Machine / Device / MAC Address / IP Address graph from slide 5, with member-of and assigned-to links, repeated here against the OCC metadata schema]
- 24. An Update
• Initial Inter/Inner-Cloud metadata schema for IF-MAP 1.1
proposed by Open Cloud Consortium (OCC)
• IF-MAP 1.1 based Intercloud Registry prototype using
the OCC Inter/Inner-Cloud metadata schema running
and tested on Cisco UCS blade server
• Cisco agreed to donate UCS blade server system to
Open Cloud Consortium for further registry research
• IF-MAP enabled Multicloud prototype running on Eucalyptus running on Amazon AWS for Inner-Cloud Registry Prototyping
- 25. Next Steps
• Define Standard Registry Semantics and Metadata
• Rainmaker?
• Lighthouse?
• Others?
• Distributed Unencumbered Open Source Registry Clients