Center for Autonomic Computing
Intel Portland, April 30, 2010

Autonomic Virtual Networks and Applications in Cloud and Collaborative Computing Environments

Renato Figueiredo, Associate Professor
Center for Autonomic Computing, ACIS Lab
University of Florida
2
Outlook

Architecting autonomic virtual networks
- Isolation, security, encapsulation, dynamic configuration, migration
- Self-configuration, self-healing, self-optimization

Applications in cloud and collaborative environments
- Virtual Private Clusters
- Social VPNs
- Archer: a collaborative environment for computer architecture simulation

Ongoing/future work
3
Social VPNs

Focus on usability of security
- VPNs can recover Internet end-to-end connectivity
- From a user's perspective, it needs to be simple
- My computer gets a virtual network card; it connects me directly to my social peers
- All IP packets: authenticated, encrypted, end-to-end
- Leverage well-known PKI techniques; no configuration besides establishing social links
- All I need to do is log in to a web-based social network
- Applications and middleware work as if the computers were on the same local-area network
4
Social VPN Overview

Figure: Alice, Bob and Carol are connected through a social network web interface (e.g. Google chat); the social network API / information system holds Alice's, Bob's and Carol's public key certificates; the overlay network (IPOP) carries names and addresses such as carol.facebook.ipop (10.10.0.2) and node0.alice.facebook.ipop (10.10.0.3).

- Social relationships: web-based profiles, email/chat networks. Public key certificates retrieved through the social API or XMPP
- Symmetric keys exchanged and point-to-point private tunnels created on demand
- Multicast-based resource discovery
- Example: Bob browses Alice's SMB share. Alice's services (Samba share, RDP server, VoIP, chat) are advertised to Bob and Carol
5
SocialVPN Control Plane

Use APIs of well-established social networks for peer discovery and certificate exchange
- Centralized user identity and data store for certificate exchange: Facebook APIs and data store
- Federated user identities and peer-to-peer messaging for synchronous certificate exchange: XMPP online chat protocol (Google chat, Jabber.org; Facebook has partial support)
- May use DHT for asynchronous certificate exchange
6
SocialVPN Data Plane

IPOP core, with end-to-end security

Dynamic IP address assignment
- Key to supporting IPv4 in large social networks: Facebook has more users than there are class A private IPs!
- Avoid conflicts with local private networks
- Dynamic IP translation; supports mobility
- Key: while the whole social network is huge, my social network fits in a subnet

[Figueiredo et al, COPS 2008]
7
SocialVPN dynamic IP translation

Non-conflicting private networks, one per node:
- Alice's view (10.10.x.y): Alice 10.10.1.1, Bob 10.10.1.2, Ann 10.10.1.3
- Ann's view (172.16.x.y): Ann 172.16.1.1, Bill 172.16.1.2, Alice 172.16.1.10

Figure: a packet from Alice to Ann leaves Alice's VNIC as Src: 10.10.1.1, Dst: 10.10.1.3; it crosses the overlay as Src: AliceOverlayID, Dst: AnnOverlayID; and it arrives at Ann's VNIC as Src: 172.16.1.10, Dst: 172.16.1.1.
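The translation shown on this slide, as an added illustration written for this page (not IPOP's own code; the class and function names are assumptions): each node keeps a private mapping between overlay IDs and addresses in its own subnet, so Alice's packet is rewritten into Ann's address space on arrival.

```python
from ipaddress import IPv4Address, IPv4Network


class SocialVpnNode:
    """One SocialVPN endpoint: owns a private virtual subnet and maps each
    social peer's overlay ID to an address inside it (no shared address space)."""

    def __init__(self, overlay_id, subnet, own_ip):
        self.overlay_id = overlay_id
        self.subnet = IPv4Network(subnet)
        self.ip_of = {}    # overlay ID -> virtual IP in MY subnet
        self.peer_of = {}  # virtual IP in MY subnet -> overlay ID
        self.bind(overlay_id, own_ip)

    def bind(self, peer_id, ip):
        """Give a peer a local virtual address (slide values assigned by hand)."""
        ip = IPv4Address(ip)
        if ip not in self.subnet:
            raise ValueError(f"{ip} is outside {self.subnet}")
        if self.peer_of.get(ip, peer_id) != peer_id:
            raise ValueError(f"{ip} already belongs to {self.peer_of[ip]}")
        self.ip_of[peer_id] = ip
        self.peer_of[ip] = peer_id

    def outbound(self, src, dst):
        """Leaving my VNIC: local virtual IPs -> overlay IDs."""
        src_id, dst_id = self.peer_of[IPv4Address(src)], self.peer_of[IPv4Address(dst)]
        if src_id != self.overlay_id:
            raise ValueError("source must be this node's own address")
        return src_id, dst_id

    def inbound(self, src_id, dst_id):
        """Arriving from the overlay: overlay IDs -> addresses in MY subnet."""
        if dst_id != self.overlay_id:
            raise ValueError("packet addressed to another node")
        if src_id not in self.ip_of:
            raise ValueError("sender is not a social peer of this node")
        return str(self.ip_of[src_id]), str(self.ip_of[dst_id])


def alice_to_ann():
    """The slide's packet: each side sees the other inside its own subnet."""
    alice = SocialVpnNode("AliceOverlayID", "10.10.0.0/16", "10.10.1.1")
    alice.bind("BobOverlayID", "10.10.1.2")
    alice.bind("AnnOverlayID", "10.10.1.3")
    ann = SocialVpnNode("AnnOverlayID", "172.16.0.0/16", "172.16.1.1")
    ann.bind("BillOverlayID", "172.16.1.2")
    ann.bind("AliceOverlayID", "172.16.1.10")
    overlay_hdr = alice.outbound("10.10.1.1", "10.10.1.3")
    return overlay_hdr, ann.inbound(*overlay_hdr)
```

Because the rewrite happens at the receiver, Alice never needs to know which addresses Ann uses, and a peer's local numbering survives a change of physical network (only the overlay route changes).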
8
SocialVPN connection times

128 nodes on Amazon EC2, 450 nodes on PlanetLab
- Majority of links formed in less than a second
- DHT lookup, symmetric key exchange
- Few additional seconds for NAT traversal
9
Per-node bandwidth

Small cost of maintaining overlay connections
- 1 KByte/s for 128 peers
10
Trust relationships

I manage who I trust - SocialVPN
- Alice friend of Bob, Bob friend of Carol
- Social VPN links: Alice <-> Bob, Bob <-> Carol
- No direct connection between Alice and Carol
- Self-signed certificates
- Small-scale, ad-hoc; social VPN is not all-to-all connected

I delegate trust to a third party - GroupVPN
- Alice, Bob and Carol trust Trent, a group moderator
- Social VPN links: A<->B, B<->C, A<->C
- Trent acts as CA, signing as a side-effect of approving a user
- GroupVPN is all-to-all connected
11
GroupVPN security management

IPOP creates VPN links autonomously. But who decides on VPN membership? How to multiplex many virtual private IP overlays over the same P2P overlay?

Key approaches:
- Namespaces: separation of virtual IP address spaces
- VPN configuration: web-based group front-end to manage certificates, automatic signing and configuration
- Centralized user and certificate management, decentralized VPN routing
- Users create and configure VPN groups and namespaces
- Group owner manages joining/leaving of a group
- Certificate signing/revocation is automated
- PKI infrastructure, simple usage model for virtual clusters