slides - Microsoft


Brief-out: Isolation Working Group
Topic discussion leader: Ken Birman
Isolation

Right now we have firewalls, VPNs, networks that are physically disjoint
Question: Could we invent some new architectural abstraction to make it easier to isolate a subnet and yet have it also be part of the larger Internet?
Success enables a federation of subnets: a hierarchy of “domains” operated using distinct policies and perhaps even incompatible technologies
Basic Understanding

Isolation has boundary, physical and even application-level ramifications
This recognition leads us to a multi-edged goal
– Even in current networks, we need new and more flexible options for isolating systems and resources from undesired influences
– We are also seeing emerging needs to isolate subnets for purposes such as security, QoS, sensitive data, special AUPs, etc. Existing options (like firewalls) are inadequate
In the limit, a kind of “multiverse” with multiple side-by-side networks connected by controlled tunnels
Value proposition

Fault-containment seen as an irresistible draw for many potential enterprise users
– Such users would also benefit from improved options for specifying desired management policy
– Value may be measurable by enumerating cases where lack of isolation technology resulted in costly failures.
Potentially huge “new” opportunity for QoS and multimedia-enabled applications frustrated by current IP networks, which have poor isolation
– Microsoft has invested billions on such applications…
Research Challenges

1. How to express, store and implement properties of networks and applications, specify desired policy, verify that policy is being adhered to
2. Composition and tunneling between otherwise isolated subnets
3. Network admission control policies for isolated subsystems, with the usual issues of authentication, authorization, enforcement…
4. Are there “unimplementable” forms of isolation?
5. Are there forms of isolation that can only be supported on bare-bones hardware (as opposed to overlays on existing IP networks)?
Research Challenges

6. What sorts of client-side or O/S mechanisms are required in support of a new generation of networks offering isolation for network traffic?
7. What are ramifications of isolation in hosts, infrastructure components? “Network is not just wires”
8. Could we improve the behavior of wireless networks to improve isolation (in the sense of fair sharing, security, non-interference)?
9. Isolation evokes a future world of hierarchical administration, provisioning, administration tools… how to build these?
Research Challenges (cont)

11. How to strike appropriate balance between need for trust, authorization, resource control and management, enforcement of scoped AUPs
12. Isolation could be a powerful architecture tool for those who design and manage networks today. But we lack the needed architectural abstractions and need to invent them
13. Can a system offering interesting isolation properties scale as well as the Internet does? (Would it need to? Perhaps isolated subnetworks are usually more limited in scope and more homogeneous…)
Research Challenges (cont)

14. Are there automated ways to discover and assemble policy information in a decentralized world where each “scope” might define its own policies?
15. How would one implement exception handling in a hierarchical world where isolated subnetworks might view the same event in different ways (“your exception is my bread-and-butter”)
16. Theory of isolation: Formally characterize conditions under which isolation is compatible with sharing resources (Recall that isolation is trivial if we don’t share anything…)
Can it be done?

Question is too broad: depends what “it” means. We concluded that at least some of these goals can definitely be achieved
Even an architectural building block would represent a valuable step forward
Need to separate concept of isolation from question of what those isolated subnets might be “doing” – one can imagine many behaviors subnets could possibly implement
Enablers for Progress, Partnering

Two technical enablers:
– Need a standard way to partition traffic and route relevant traffic (only) into appropriate subset
– Possible O/S requirement: Might VMMs be required for an O/S to enable isolation in multi-homed setups?
NSF GENI initiative seen as very promising, could bring a community together with a focus on this issue (if this issue emerges as a key priority)
Industry/academic partnership: could try to articulate value proposition in ways that will motivate government to act….
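Research challenges 1 and 2 above (expressing and verifying policy; composition and tunneling between isolated subnets) and the first technical enabler on this slide (routing only the relevant traffic into a subset) can be made concrete with a small model. The code below is an added example, not material from the working group or from any real system: it assumes a hierarchy of “domains”, each carrying only the traffic classes its own policy names, joined by controlled tunnels that each carry a stated set of classes. A flow is permitted only if every domain on its path and every tunnel it crosses carries its class, and an audit function checks observed flows against that policy. All domain names, traffic classes and flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Domain:
    """An isolated subnet with its own policy (constructed model, not from the slides)."""
    name: str
    parent: Optional[str]       # None for the root of the hierarchy
    carries: FrozenSet[str]     # traffic classes this domain agrees to carry


@dataclass(frozen=True)
class Flow:
    src: str                    # source domain
    dst: str                    # destination domain
    traffic_class: str          # e.g. "email", "video", "sensitive"


class Federation:
    """Hierarchy of domains joined by controlled tunnels; checks flows against policy."""

    def __init__(self, domains: List[Domain], tunnels: Dict[Tuple[str, str], FrozenSet[str]]):
        self.domains = {d.name: d for d in domains}
        # Tunnels are undirected: key them by an order-independent pair of domain names.
        self.tunnels = {frozenset(pair): classes for pair, classes in tunnels.items()}

    def _ancestors(self, name: str) -> List[str]:
        chain: List[str] = []
        node: Optional[str] = name
        while node is not None:
            chain.append(node)
            node = self.domains[node].parent
        return chain

    def path(self, src: str, dst: str) -> List[str]:
        """Domains a flow must traverse: up from src to the common ancestor, then down to dst."""
        up, down = self._ancestors(src), self._ancestors(dst)
        common = next(n for n in up if n in down)   # the single root guarantees one exists
        return up[: up.index(common) + 1] + list(reversed(down[: down.index(common)]))

    def violations(self, flow: Flow) -> List[str]:
        """Every reason the flow is not permitted; an empty list means it is permitted."""
        reasons: List[str] = []
        route = self.path(flow.src, flow.dst)
        for name in route:                         # each domain's own policy applies
            if flow.traffic_class not in self.domains[name].carries:
                reasons.append(f"domain {name} does not carry {flow.traffic_class!r}")
        for a, b in zip(route, route[1:]):         # each boundary needs a tunnel for the class
            tunnel = self.tunnels.get(frozenset((a, b)))
            if tunnel is None or flow.traffic_class not in tunnel:
                reasons.append(f"no tunnel for {flow.traffic_class!r} between {a} and {b}")
        return reasons

    def permitted(self, flow: Flow) -> bool:
        return not self.violations(flow)

    def audit(self, observed: List[Flow]) -> List[Tuple[Flow, List[str]]]:
        """Flows seen on the wire that the policy does not permit (policy-adherence check)."""
        return [(f, self.violations(f)) for f in observed if not self.permitted(f)]


# Constructed sample federation: a campus root, two child domains, and a lab under research.
DOMAINS = [
    Domain("campus",   None,       frozenset({"email", "video"})),
    Domain("research", "campus",   frozenset({"email", "video", "sensitive"})),
    Domain("lab",      "research", frozenset({"video", "sensitive"})),
    Domain("admin",    "campus",   frozenset({"email"})),
]
TUNNELS = {
    ("lab", "research"):    frozenset({"video", "sensitive"}),
    ("research", "campus"): frozenset({"email", "video"}),
    ("admin", "campus"):    frozenset({"email"}),
}
FEDERATION = Federation(DOMAINS, TUNNELS)

# Constructed "observed" flows, as a monitor at the domain boundaries might report them.
OBSERVED = [
    Flow("lab", "research", "video"),       # permitted
    Flow("research", "admin", "email"),     # permitted: crosses campus over two tunnels
    Flow("lab", "admin", "sensitive"),      # violation: campus and admin never carry it
    Flow("lab", "research", "email"),       # violation: lab itself does not carry email
]


def audit_report() -> List[Tuple[Flow, List[str]]]:
    return FEDERATION.audit(OBSERVED)


if __name__ == "__main__":
    for flow, reasons in audit_report():
        print(f"{flow.src} -> {flow.dst} [{flow.traffic_class}]")
        for reason in reasons:
            print("   ", reason)
```

The model keeps the two concerns the slides separate: what each domain is “doing” is only a set of traffic classes it agrees to carry, while isolation itself is the rule that a flow needs the consent of every domain and tunnel on its path. Sharing resources (the shared campus backbone) is what makes the check non-trivial, which is the point of challenge 16.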
Conclusions

Our breakout group believes this topic is quite promising
It would be hard to do, but seems feasible
Has ramifications in many dimensions
Impact of success could be very significant