intercloud registry

© 2009 Infoblox Inc. All Rights Reserved.

Infrastructure 2.0: Objects and Identifiers: Toward an Inter/Inner-Cloud Registry System

Stuart BaileyAndrew BentonI2.0 Workshop, January 2010


Specific Issues for the Intercloud Challenge

IPv4 lacks “number portability”IP also lacks metadata portability (e.g. vm binding, vn membership, policy, state, location, etc.)Both are required to take full advantage of cloudA dynamic context rich registry and rendezvous service may help with these requirementsMany other dynamic patterns may be expressible in a such a registryThere are several technologies and efforts which seem to be relevant: DNS, SNMP, X.500/LDAP, XMPP, RDF, LISP, HIP, DHCP, DEN, CMDB, etc.


What patterns are important?

URI=a

dns-name=testbed.

opencloudconsortium.orgdns-name=cloud.sun.com

interface=Sun

Version Z

URI=b

interface=AWS

Version X

interface=Yahoo

Version Y

URI=c

Intercloud

member ofmember of


Complex Patterns May Emerge

MAC Address

IP Address

MAC Address

IP Address

VirtualMachine

VirtualMachine

Device

VirtualNetwork

MAC Address IP Address

VirtualNetwork

Cloudmember of member of

member of member of

assigned to

assigned to assigned to


assigned toruns on

runs on

Cloud


Patterns Evolve

MAC Address

IP Address

MAC Address

IP Address

VirtualMachine

VirtualMachine

Device

VirtualNetwork


VirtualNetwork


member of member of

assigned-to

assigned-to assigned-to


assigned to


Patterns Evolve

MAC Address

IP Address

MAC Address

IP Address

VirtualMachine

VirtualMachine

VirtualMachine

VirtualNetwork

MAC Address

VirtualNetwork


member of member of

assigned to


assigned to

assigned to

runs on

Copyright© 2009 Trusted Computing Group – Other names and brands are properties of their respective owners.

MAP: Metadata Access Point

• MAP is specifically designed to infrastructure coordination use cases

Optimized for loosely structured metadata

Publish/Subscribe capability for asynchronous searches

Highly scalable architecture

Design is based on the assumption that you will never find the data relation schema to satisfy all needs

So you can move forward in spite of a lack of full relation specifications


Routing RFIDIDS Switching Wireless Firewalls

IPAM

RADIUS

ADIF-MAP Protocol

SIM / SEM

Asset Management

SystemNAC Decision

Point

DHCP

Custom Integration

IF-MAP for Network Security

MAP Service


Properties of Dynamic Coordination

1. Lots of real-time data writes

2. Unstructured relationships

3. Diverse interest in changes to the current state as they occur

4. Distributed data producers & consumers

Relational Database

LDAP/DNS Directory

MAP Database


MAP Access Operations

Publish:Clients store metadata into MAP for others to see

Incorporates create, modify and delete functionality

Search:Clients retrieve published metadata associated with a particular identifier and linked identifiers

Constrained by link-match and result-filter criteria

Constrained by maximum depth and size criteria

Subscribe:Clients request asynchronous results for searches that match when others publish new metadata

A client’s subscription consists of a list of one or more searches

Client names its searches so that asynchronous results are unambiguous

Tell others that…<metadata…>

Tell me when…match(metadata pattern)

Tell me if…match(metadata pattern)


MAP Element Model

Model Components:

Important Properties:

All identifiers and links exist implicitly, but have no meaning until metadata is attached to them

Identifier and Metadata types are defined in modular XML schemas

Metadata in particular is designed to be extensible

IdentifiersAll objects are represented by unique identifiers

LinksConnote relationships between pairs of identifiers

Metadata Attributes attached to Identifiers or Links


Example Use Scenario

1. Initial setup:

a) HR publishes its metadata to MAP. This will the one side of the links it will later create for each employee.

b) Servers each subscribe to a pattern that will match newly added employees

dns-name = hr.corp.myco.co

m

content-owner = hr-dept,contact =

123-456-7890

Server1

identifier = “dns-name[name=hr.corp.myco.com]”match-links = “employee-attribute[name=“active]max-depth = “1” result-filter = “distinguished-name”



2. New Employee:

a) HR later publishes an “employee-attribute=active”metadata link between itself and the new employee’s identifier

b) Server1 receives an asynchronous notification of each new employee due to its subscription, which causes it to creates a new user account.


m


123-456-7890

distinguished-name = C=US, O=myco,

OU=people, CN=12534

employee-attribute = active

Server1




3. Provisioning Pattern

a) This pattern repeats itself for each new employee

b) Notifications of transitions to inactive states can occur at the same time.

c) Other related identifermetadata and link metadata may be published by others at a later time.


m


123-456-7890

distinguished-name = C=US, O=myco,

OU=people, CN=12534

employee-attribute = active

role = access-finance-server-allowed

failed-login-attempts = 3, login-status = allowed

Server1



TCG published IF-MAP v1.1 Standard in May’09Coincided with Interop’09 with multi-vendor collaborative demonstrations

Interop’09 demonstration use cases:Remote User Access Security

Industrial Controls Security

Physical Access Security

Datacenter Management Security

Current State


An October 2009 Proposal (Working #2)

• IF-MAP 1.1 Specification (A Free and Open Standard):• http://www.trustedcomputinggroup.org/

• Proposal: Quick collaboration on an Intercloud registry prototype (a step toward a golden spike)

• Open Cloud Consortium agreed has agreed to host prototype on their network

• Infoblox will donate IF-MAP service software and operations and IF-MAP client developer training

• Need: cloud provider prototype participation, IF-MAP service hardware partners, governance activity

• Unencumbered IF-MAP client stacks available• Andrew Benton is an IF-MAP client development expert!

http://www.trustedcomputinggroup.org/


Intercloud and Innercloud Registries


Clouds can publish capabilities and entry points

IF-MAPPublish


Entry points and capabilities can be discovered

1. IF-MAPSearch

2. IF-MAPSearch


Response to changes can be automated

IF-MAPSubscribe


IF-MAP 1.1 STANDARD Identifiersidentity

dns-name

email-address

kerberos-principal

username

other (vendor defined)

ip-adddress (v4 or v6)

mac-address

device


OCC IF-MAP 1.1 Metadata for Inter/Inner Cloud Registries (v1)

assigned-to (Link) Recommended for: dns-name, ip-address, mac-address, anddevice

cloud (Link) Recommended for: dns-name and other:Intercloudinterface (Link) Recommended for: dns-name and other:URImember-of (Link) Recommended for: dns-name, ip-address, mac-address, and

other:nameresides-on (Link) Recommended for: other:name and devicevdatacenter Recommended for: other:namevmachine Recommended for: dns-name, ip-address, and mac-addressvnet Recommended for: other:name

Also defines: file, directory, table, collection, datastore


Patterns Evolve

MAC Address

IP Address

MAC Address

IP Address

VirtualMachine

VirtualMachine

Device

VirtualNetwork


VirtualNetwork


member of member of

assigned-to



assigned to


An Update

• Initial Inter/Inner-Cloud metadata schema for IF-MAP 1.1 proposed by Open Cloud Consortium (OCC)

• IF-MAP 1.1 based Intercloud Registry prototype using the OCC Inter/Inner-Cloud metadata schema running and tested on Cisco UCS blade server

• Cisco agreed to donate UCS blade server system to Open Cloud Consortium for further registry research

• IF-MAP enabled Multicloud prototype running on Eucalyptus running on Amazon AWS for InnercloudRegistry Protyping


Next Steps

• Define Standard Registry Semantics and Metadata• Rainmaker?• Lighthouse?• Others?

• Distributed Unencumbered Open Source Registry Clients

intercloud registry

Documents