The Center for Autonomic Computing: Vision, Value and Capabilities

Autonomic Virtual Networks and Applications in Cloud and Collaborative Computing Environments

Renato Figueiredo
Associate Professor
Center for Autonomic Computing, ACIS Lab, University of Florida

Intel Portland, April 30, 2010
Outlook

- Architecting autonomic virtual networks
  - Isolation, security, encapsulation, dynamic configuration, migration
  - Self-configuration, self-healing, self-optimization
- Applications in cloud and collaborative environments
  - Virtual Private Clusters
  - Social VPNs
  - Archer: a collaborative environment for computer architecture simulation
- Ongoing/future work
Social VPNs

- Focus on usability of security
  - VPNs can recover Internet end-to-end connectivity
  - From a user's perspective, it needs to be simple
- My computer gets a virtual network card
  - It connects me directly to my social peers
  - All IP packets: authenticated, encrypted, end-to-end
- No configuration besides establishing social links
  - Leverage well-known PKI techniques
  - All I need to do is log in to a web-based social network
- Applications and middleware work as if the computers were on the same local-area network
Social VPN Overview (diagram)

- Social relationships: web-based profiles, email/chat networks
- Public key certificates retrieved through a social API or XMPP: Alice's, Bob's and Carol's public key certificates are stored in the social network information system and accessed via the Social Network API or the web interface
- Social network (e.g. Google chat)
- Overlay network (IPOP), e.g. carol.facebook.ipop = 10.10.0.2, node0.alice.facebook.ipop = 10.10.0.3
- Symmetric keys exchanged and point-to-point private tunnels created on demand
- Multicast-based resource discovery: Alice's services (Samba share, RDP server, VoIP, chat) are advertised to Bob and Carol; Bob browses Alice's SMB share
SocialVPN Control Plane

- Use APIs of well-established social networks for peer discovery and certificate exchange
  - Centralized user identity and data store for certificate exchange
    - Facebook APIs and data store
  - Federated user identities and peer-to-peer messaging for synchronous certificate exchange
    - XMPP online chat protocol (Google chat, Jabber.org; Facebook has partial support)
  - May use a DHT for asynchronous certificate exchange
SocialVPN Data Plane

- IPOP core, with end-to-end security
- Dynamic IP address assignment
  - Key to supporting IPv4 in large social networks
    - Facebook has more users than there are class A private IPs!
  - Avoid conflicts with local private networks
  - Dynamic IP translation; supports mobility
  - Key: while the whole social network is huge, my social network fits in a subnet
  - [Figueiredo et al, COPS 2008]
SocialVPN dynamic IP translation (diagram)

- Each node sees its peers in its own non-conflicting private network: Alice's VNIC uses 10.10.x.y (Alice: 10.10.1.1, Bob: 10.10.1.2, Ann: 10.10.1.3); Ann's VNIC uses 172.16.x.y (Ann: 172.16.1.1, Bill: 172.16.1.2, Alice: 172.16.1.10)
- A packet from Alice to Ann leaves Alice's VNIC as Src: 10.10.1.1, Dst: 10.10.1.3
- On the overlay it is carried as Src: AliceOverlayID, Dst: AnnOverlayID
- At Ann's VNIC it is delivered as Src: 172.16.1.10, Dst: 172.16.1.1
SocialVPN Connection times

- 128 nodes on Amazon EC2, 450 nodes on PlanetLab
- Majority of links formed in less than a second
  - DHT lookup, symmetric key exchange
- Few additional seconds for NAT traversal
Per-node Bandwidth

- Small cost of maintaining overlay connections
  - 1 KByte/s for 128 peers
Trust relationships

- I manage who I trust: SocialVPN
  - Alice friend of Bob, Bob friend of Carol
  - Social VPN links: Alice <-> Bob, Bob <-> Carol
    - No direct connection between Alice and Carol
  - Self-signed certificates
  - Small-scale, ad-hoc; social VPN is not all-to-all connected
- I delegate trust to a third party: GroupVPN
  - Alice, Bob and Carol trust Trent, a group moderator
  - Social VPN links: A<->B, B<->C, A<->C
  - Trent acts as CA, signing as a side-effect of approving a user
  - GroupVPN is all-to-all connected
GroupVPN security management

- IPOP creates VPN links autonomously
  - But who decides on VPN membership?
  - How to multiplex many virtual private IP overlays over the same P2P overlay?
- Key approaches:
  - Namespaces: separation of virtual IP address spaces
  - VPN configuration: web-based group front-end to manage certificates, automatic signing and configuration
  - Centralized user and certificate management, decentralized VPN routing
- Users create and configure VPN groups and namespaces
  - Group owner manages joining/leaving of a group
  - Certificate signing/revocation is automated
- PKI infrastructure, simple usage model for virtual clusters
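The two link-admission policies contrasted on the Trust relationships and GroupVPN security management slides (and the certificate exchange from the Control Plane slide), as an added example written for this transcript rather than IPOP's own code. In SocialVPN a node only brings up a link to a direct friend whose self-signed certificate it fetched through the social network, so a friend-of-friend or an impersonator with a different key is refused; in GroupVPN it accepts any certificate signed by the moderator Trent unless the group owner has revoked that member. To stay dependency-free the certificates are small dicts signed with textbook RSA over a SHA-256 digest (no padding), a stand-in for the X.509 certificates and signature scheme a real deployment would use; the key sizes, the extra participant Mallory and the scenario data are constructed.

```python
"""SocialVPN (pinned self-signed certs of direct friends) vs GroupVPN (moderator-
signed certs, revocable). Added illustration, not IPOP code. Certificates are
dicts signed with textbook RSA over SHA-256 (no padding) purely to avoid a
crypto dependency; real deployments use X.509 and a padded signature scheme."""
import hashlib
import json
import random
import secrets


def _probable_prime(n, rounds=16):
    """Miller-Rabin primality test; sufficient for an illustration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if _probable_prime(c):
            return c


def keygen(bits=512):
    """Textbook RSA key pair as (public, private) dicts (small size: illustration only)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so this means gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _digest(body):
    return int.from_bytes(hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest(), "big")


def make_cert(subject, subject_pub, issuer, issuer_priv):
    """Certificate = issuer's signed statement that `subject` holds `subject_pub`."""
    body = {"subject": subject, "issuer": issuer, "pub": subject_pub}
    return {**body, "sig": pow(_digest(body), issuer_priv["d"], issuer_priv["n"])}


def sig_valid(cert, issuer_pub):
    body = {k: cert[k] for k in ("subject", "issuer", "pub")}
    return pow(cert["sig"], issuer_pub["e"], issuer_pub["n"]) == _digest(body)


def fingerprint(pub):
    return hashlib.sha256(json.dumps(pub, sort_keys=True).encode()).hexdigest()


def socialvpn_accept(presented, my_friends_certs):
    """SocialVPN: trust comes from the social link. Accept only a direct friend whose
    cert on the P2P channel matches the self-signed cert fetched via the social API."""
    pinned = my_friends_certs.get(presented["subject"])
    if pinned is None:                                   # friend-of-friend: no link
        return False
    if fingerprint(presented["pub"]) != fingerprint(pinned["pub"]):   # impersonation
        return False
    return presented["issuer"] == presented["subject"] and sig_valid(presented, presented["pub"])


def groupvpn_accept(presented, moderator_pub, revoked):
    """GroupVPN: trust delegated to Trent; any cert he signed is accepted unless revoked."""
    if presented["subject"] in revoked:
        return False
    return sig_valid(presented, moderator_pub)


def demo():
    """Alice-Bob-Carol scenario from the slides plus an impersonation attempt (constructed)."""
    keys = {n: keygen() for n in ("Alice", "Bob", "Carol", "Trent", "Mallory")}
    selfsigned = {n: make_cert(n, keys[n][0], n, keys[n][1]) for n in ("Alice", "Bob", "Carol")}
    alice_friends = {"Bob": selfsigned["Bob"]}           # Alice <-> Bob, Bob <-> Carol only
    fake_bob = make_cert("Bob", keys["Mallory"][0], "Bob", keys["Mallory"][1])   # Mallory's key
    trent_pub, trent_priv = keys["Trent"]
    group = {n: make_cert(n, keys[n][0], "Trent", trent_priv) for n in ("Alice", "Bob", "Carol")}
    return {
        "social_bob": socialvpn_accept(selfsigned["Bob"], alice_friends),          # True
        "social_carol": socialvpn_accept(selfsigned["Carol"], alice_friends),      # False: not a direct friend
        "social_fake_bob": socialvpn_accept(fake_bob, alice_friends),              # False: key not the pinned one
        "group_carol": groupvpn_accept(group["Carol"], trent_pub, set()),          # True: all-to-all
        "group_carol_revoked": groupvpn_accept(group["Carol"], trent_pub, {"Carol"}),   # False
        "group_selfsigned": groupvpn_accept(selfsigned["Carol"], trent_pub, set()),     # False: not Trent's signature
    }


if __name__ == "__main__":
    print(demo())
```

The pinning step is what makes the SocialVPN model work without a CA: the social network is the authenticated channel over which the certificate arrived, so the P2P handshake only has to prove possession of that same key. GroupVPN replaces the per-link pin with one check against the moderator's key, which is why it scales to all-to-all connectivity and why revocation has to be a separate, automated step.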