© 2009 Infoblox Inc. All Rights Reserved.
Infrastructure 2.0: Objects and Identifiers: Toward an Inter/Inner-Cloud Registry System
Stuart Bailey, Andrew Benton. I2.0 Workshop, January 2010
Specific Issues for the Intercloud Challenge
• IPv4 lacks "number portability"
• IP also lacks metadata portability (e.g. VM binding, VN membership, policy, state, location, etc.)
• Both are required to take full advantage of cloud
• A dynamic, context-rich registry and rendezvous service may help with these requirements
• Many other dynamic patterns may be expressible in such a registry
• There are several technologies and efforts which seem to be relevant: DNS, SNMP, X.500/LDAP, XMPP, RDF, LISP, HIP, DHCP, DEN, CMDB, etc.
What patterns are important?
[Diagram: an Intercloud identifier with "member of" links to cloud entry points dns-name=testbed.opencloudconsortium.org and dns-name=cloud.sun.com; the entry points carry interface metadata (interface=Sun, Version Z; interface=AWS, Version X; interface=Yahoo, Version Y) and URI metadata (URI=a, URI=b, URI=c)]
Complex Patterns May Emerge
[Diagram: Cloud, VirtualNetwork, VirtualMachine, Device, MAC Address and IP Address identifiers joined by "member of", "assigned to" and "runs on" links]
Patterns Evolve
[Diagram: Cloud, VirtualNetwork, VirtualMachine, Device, MAC Address and IP Address identifiers joined by "member of" and "assigned-to" links]
Patterns Evolve
[Diagram: Cloud, two VirtualNetworks, three VirtualMachines, MAC Address and IP Address identifiers joined by "member of", "assigned to" and "runs on" links]
Copyright© 2009 Trusted Computing Group – Other names and brands are properties of their respective owners.
MAP: Metadata Access Point
• MAP is specifically designed for infrastructure coordination use cases
  • Optimized for loosely structured metadata
  • Publish/Subscribe capability for asynchronous searches
  • Highly scalable architecture
• Design is based on the assumption that you will never find the data relation schema to satisfy all needs
  • So you can move forward in spite of a lack of full relation specifications
IF-MAP for Network Security
[Diagram: a MAP Service at the centre, with clients connected over the IF-MAP Protocol: Routing, RFID, IDS, Switching, Wireless, Firewalls, IPAM, RADIUS, AD, SIM/SEM, Asset Management System, NAC Decision Point, DHCP, Custom Integration]
Properties of Dynamic Coordination
1. Lots of real-time data writes
2. Unstructured relationships
3. Diverse interest in changes to the current state as they occur
4. Distributed data producers & consumers
[Table comparing Relational Database, LDAP/DNS Directory and MAP Database against these four properties; cell values not recovered]
MAP Access Operations
• Publish: Clients store metadata into MAP for others to see ("Tell others that… <metadata…>")
  • Incorporates create, modify and delete functionality
• Search: Clients retrieve published metadata associated with a particular identifier and linked identifiers ("Tell me if… match(metadata pattern)")
  • Constrained by link-match and result-filter criteria
  • Constrained by maximum depth and size criteria
• Subscribe: Clients request asynchronous results for searches that match when others publish new metadata ("Tell me when… match(metadata pattern)")
  • A client's subscription consists of a list of one or more searches
  • Client names its searches so that asynchronous results are unambiguous
MAP Element Model
Model Components:
• Identifiers: All objects are represented by unique identifiers
• Links: Connote relationships between pairs of identifiers
• Metadata: Attributes attached to Identifiers or Links
Important Properties:
• All identifiers and links exist implicitly, but have no meaning until metadata is attached to them
• Identifier and Metadata types are defined in modular XML schemas
• Metadata in particular is designed to be extensible
Example Use Scenario
1. Initial setup:
a) HR publishes its metadata to MAP. This will be one side of the links it will later create for each employee.
b) Servers each subscribe to a pattern that will match newly added employees
[Diagram: HR identifier dns-name = hr.corp.myco.com with metadata content-owner = hr-dept, contact = 123-456-7890. Server1 subscription: identifier = "dns-name[name=hr.corp.myco.com]", match-links = "employee-attribute[name=active]", max-depth = "1", result-filter = "distinguished-name"]
Example Use Scenario
2. New Employee:
a) HR later publishes an "employee-attribute=active" metadata link between itself and the new employee's identifier
b) Server1 receives an asynchronous notification of each new employee due to its subscription, which causes it to create a new user account.
[Diagram: HR identifier dns-name = hr.corp.myco.com (content-owner = hr-dept, contact = 123-456-7890) linked by employee-attribute = active to the new employee's identifier, which carries distinguished-name = C=US, O=myco, OU=people, CN=12534. Server1 subscription: identifier = "dns-name[name=hr.corp.myco.com]", match-links = "employee-attribute[name=active]", max-depth = "1", result-filter = "distinguished-name"]
Example Use Scenario
3. Provisioning Pattern
a) This pattern repeats itself for each new employee
b) Notifications of transitions to inactive states can occur at the same time.
c) Other related identifier metadata and link metadata may be published by others at a later time.
[Diagram: HR identifier dns-name = hr.corp.myco.com (content-owner = hr-dept, contact = 123-456-7890) linked by employee-attribute = active to the employee identifier with distinguished-name = C=US, O=myco, OU=people, CN=12534; later-published metadata role = access-finance-server-allowed and failed-login-attempts = 3, login-status = allowed. Server1 subscription: identifier = "dns-name[name=hr.corp.myco.com]", match-links = "employee-attribute[name=active]", max-depth = "1", result-filter = "distinguished-name"]
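The provisioning scenario above, worked as an added example that is not part of the original slides or of the IF-MAP specification: a constructed in-memory stand-in for a MAP service with publish, search and subscribe as the slides describe them, driven through steps 1 and 2 with the slides' own identifiers and metadata. The employee identifier identity[name=12534] and the search name new-employees are assumptions.

```python
from collections import defaultdict

# Constructed in-memory sketch of the slides' MAP model, not TCG's or Infoblox's code:
# identifiers and links carry metadata; a subscription is a named search re-run on publish.
class MapService:
    def __init__(self):
        self.ident_meta = defaultdict(dict)     # identifier -> {name: value}
        self.links = defaultdict(dict)          # identifier -> {neighbour: {name: value}}
        self.subs = {}                          # (client, search name) -> search params
        self.notifications = defaultdict(list)  # client -> [(search name, hit)]
    def publish_identifier(self, ident, **meta):
        self.ident_meta[ident].update(meta)
        self._run_subscriptions()
    def publish_link(self, a, b, **meta):
        self.links[a].setdefault(b, {}).update(meta)  # links are unordered pairs
        self.links[b].setdefault(a, {}).update(meta)
        self._run_subscriptions()
    def search(self, identifier, match_links, max_depth, result_filter):
        # Follow only links matching match_links, at most max_depth hops, return result_filter metadata.
        name, value = match_links
        hits, frontier, seen = [], [identifier], {identifier}
        for _ in range(max_depth):
            nxt = []
            for node in frontier:
                for nb, lm in self.links[node].items():
                    if lm.get(name) == value and nb not in seen:
                        seen.add(nb)
                        nxt.append(nb)
                        if result_filter in self.ident_meta[nb]:
                            hits.append((nb, self.ident_meta[nb][result_filter]))
            frontier = nxt
        return hits
    def subscribe(self, client, search_name, **params):
        self.subs[(client, search_name)] = params
    def _run_subscriptions(self):  # deliver each new match once (step 2b)
        for (client, sname), p in self.subs.items():
            for hit in self.search(**p):
                if (sname, hit) not in self.notifications[client]:
                    self.notifications[client].append((sname, hit))

HR = "dns-name[name=hr.corp.myco.com]"
EMPLOYEE = "identity[name=12534]"  # assumed identifier for the new employee
def run_scenario():  # steps 1 and 2 of the slides; returns the service
    m = MapService()
    m.publish_identifier(HR, **{"content-owner": "hr-dept", "contact": "123-456-7890"})
    m.subscribe("Server1", "new-employees", identifier=HR, max_depth=1,
                match_links=("employee-attribute", "active"), result_filter="distinguished-name")
    m.publish_identifier(EMPLOYEE, **{"distinguished-name": "C=US, O=myco, OU=people, CN=12534"})
    m.publish_link(HR, EMPLOYEE, **{"employee-attribute": "active"})
    return m
```

Re-publishing the same link with employee-attribute=inactive (step 3b) updates the link metadata, after which the active search no longer matches and Server1 receives no further notification for that employee.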
Current State
• TCG published IF-MAP v1.1 Standard in May '09
  • Coincided with Interop '09 with multi-vendor collaborative demonstrations
• Interop '09 demonstration use cases:
  • Remote User Access Security
  • Industrial Controls Security
  • Physical Access Security
  • Datacenter Management Security
An October 2009 Proposal (Working #2)
• IF-MAP 1.1 Specification (A Free and Open Standard):
  • http://www.trustedcomputinggroup.org/
• Proposal: Quick collaboration on an Intercloud registry prototype (a step toward a golden spike)
• Open Cloud Consortium has agreed to host the prototype on their network
• Infoblox will donate IF-MAP service software and operations and IF-MAP client developer training
• Need: cloud provider prototype participation, IF-MAP service hardware partners, governance activity
• Unencumbered IF-MAP client stacks available
  • Andrew Benton is an IF-MAP client development expert!
Intercloud and Innercloud Registries
Clouds can publish capabilities and entry points
[Diagram: clouds use IF-MAP Publish]
Entry points and capabilities can be discovered
[Diagram: 1. IF-MAP Search, 2. IF-MAP Search]
Response to changes can be automated
[Diagram: IF-MAP Subscribe]
IF-MAP 1.1 Standard Identifiers
• identity
  • dns-name
  • email-address
  • kerberos-principal
  • username
  • other (vendor defined)
• ip-address (v4 or v6)
• mac-address
• device
OCC IF-MAP 1.1 Metadata for Inter/Inner Cloud Registries (v1)
• assigned-to (Link): Recommended for dns-name, ip-address, mac-address, and device
• cloud (Link): Recommended for dns-name and other:Intercloud
• interface (Link): Recommended for dns-name and other:URI
• member-of (Link): Recommended for dns-name, ip-address, mac-address, and other:name
• resides-on (Link): Recommended for other:name and device
• vdatacenter: Recommended for other:name
• vmachine: Recommended for dns-name, ip-address, and mac-address
• vnet: Recommended for other:name
• Also defines: file, directory, table, collection, datastore
Patterns Evolve
[Diagram: Cloud, VirtualNetwork, VirtualMachine, Device, MAC Address and IP Address identifiers joined by "member of" and "assigned-to" links, using the OCC metadata above]
An Update
• Initial Inter/Inner-Cloud metadata schema for IF-MAP 1.1 proposed by Open Cloud Consortium (OCC)
• IF-MAP 1.1 based Intercloud Registry prototype using the OCC Inter/Inner-Cloud metadata schema running and tested on a Cisco UCS blade server
• Cisco agreed to donate a UCS blade server system to Open Cloud Consortium for further registry research
• IF-MAP enabled Multicloud prototype running on Eucalyptus, running on Amazon AWS, for Innercloud Registry prototyping
Next Steps
• Define Standard Registry Semantics and Metadata
  • Rainmaker?
  • Lighthouse?
  • Others?
• Distributed Unencumbered Open Source Registry Clients