2 - challenges for enabling cloud computing over optical networks

8/7/2019 2 - Challenges for Enabling Cloud Computing Over Optical Networks

1/21

Scuola Superiore SantAnna

Challenges for enabling Cloud

Piero Castoldi, Barbara Martini, Fabio Baroncelli

Workshop Grid vs Cloud Computing and Why This Should

OFC/NFOEC 2009 March 22-26, 2009 - San Diego, USA


2/21

Outline

Challenges Resource virtualization

erv ce s rac on User-driven service deliver

Security

Conclusion

2009 Scuola Superiore SantAnna

2/20


3/21

The network as a service paradigm

Cloud Computing is a general paradigm ofoperat on w ere t e capa t es o an

infrastructure (e.g., computation, storage, servers,

.

Users are able to access ICT capabilities from the

n erne .e., e c ou w ou now e ge o ancontrol over the technology infrastructure that.

According to the network-as-a-service (NaaS), -

oriented capabilities


3/20


4/21

User-oriented network capabilities

Cloud computing will require dynamic complex service set-up and tear down withstrict requirements (e.g. content streaming are with adequate bandwidth, delayan er an per ormance o s ream ng server

Tri erin of network services in

User

ClientRequestFormat:

Disney,WallE (Session,ServerLocation)

HDMovie (Bandwidth)

transport network is available vianetwork technology-dependentinterfaces (e.g. the User to Network

GoodQuality (QoS) ,

network has a different grain inservice description with respect to an

Edge

?? ??NetworkDirectivesFormat:

mpls{

trafficengineeringbgpigpbothribs;

nocspf;

intimate knowledge of the networktechnology is required

no mechanism is available fore

to10.20.0.1;

install10.20.12.0/24active;

bandwidth10m;

}

coordinating set-up of complex privatenetworks


4/204

What is needed: a provisioningframework operating at a level of abstraction suitable for being invoked


5/21

Concepts (1)

Network resource a network ca abilit of su ortin set-u confi ure monitor tear-

down) the forwarding of data, possibly across multiple nodes,

according to a certain encapsulation (e.g. a MPLS L2 LSP)- a data processing capability over the payload of a data flow, realized

in software or in hardware in a network node (e.g. a random access

Network service a service, described in a technology-independent way that,

leveraging on network resources, offers connectivity capabilities,directly or indirectly, to the customers applications (e.g. a L2 VPN)

Non-network service a service, described in a technology-independent way, that

leveraging on an IT resources offers a data manipulation capabilitye. . a stora e service .


5/20


6/21

Concepts (2)

Virtualization of resources

application

Service abstraction capability to map the set of high-level parameters specified by an

application, into a set of specific parameters used by the networkfor the provisioning of that service.

The process of service abstraction requires virtualization ofresources:

services that can be accessed without knowledge of theirunderlying technical implementation.

their composition.

Semantic rules can be defined to compose or orchestrate services


6/20


7/21

Cloud computing and optical networks

Cloud Computing can benefit from ultra high-capacity,

adapted to support user-oriented capabilities:

, . .,session control among end-user applicationsincludin messa e exchan e for session state

monitoring, resource negotiation and mediatransfer control.

Resource control signaling, i.e., signaling for

resource control for the purpose of a consistent- -the Control Plane, serving for:


7/20

network attachment functions (e.g., auto-discovery ofborder network topology)


8/21

Challenges

Resource virtualization

Network resource discovery and virtualization at

Service abstraction:

erv ce expos on or r g ng app ca ons anCP-enabled Optical Network

-

On-demand service triggering Security

AAA in multi-operator scenario and distributed


8/20environment Advanced mechanisms for user access control


9/21

Network resources

Grid computing Cloud computing

Service concept Capability to transfer a specific type ofdata traffic generated by a customer

network:

Capacity to match application requestto network resource availability and

accordingly affect network resource

QoS support

Advanced mesh connectivity (e.g.L1/L2/L3 VPN, VPLS)

Traffic enforcement on per-flow basis

QoS guarantees

End-to-end resource control

Requesting

application

E-science applications

TE/Management application (OSS)

Multimedia applications

Virtual terminal applications

- -WAN context

-hosts

Service Coarse rain GB u to TB Fine rain 100s MBgranularity


9/20


10/21

Non-network (IT) resources

IT Resources are more difficult to be described thannetwork resources

IT resources are more heterogeneous and may

lack of a relation of hierarch Some virtualization efforts exist but solutions are

heterogeneous (e.g. naming for addressing:

Universal Unique Identifier, Universal ResourceIdentifier, etc)

n a equate, typ ca y comp ex, n ormat onmodel is needed to handle IT resource (discover,

,

Some applications, e.g. grid, already have a well


10/20

that do not involve provider networks at all.


11/21

Virtualization of resources and service abstraction1

Control Plane-enabled optical transport networks Approach based on the introduction of a Service Plane:

t e n ormat ona -gap etween t e pp cat on- ayer erv ce ontroFunction) and the Network-Layer

Decouples network technologies from future evolution of the network services

boundary of the Transport Network via CMI (Control-Plane ManagementInterface)

Defines a technology-independent network service definition at a level ofa s rac on su a e or e ng nvo e y an app ca on v a ser- o-

Service Interface).F. Baroncelli, B. Martini, V. Martini, P.

Castoldi, "A distributed si nalin or the

provisioning of on-demand VPN services in

transport networks" Proc. of IM 2007, May

2007, Munich, Germany.

. , . , . , .

Torkman, P. Castoldi, Application-driven

Resource Management in Multi-Service Optical

Networks, Journal of Optical Communications

and Networking, June 2009, to appear


11/20


12/21

Virtualization of resources and serviceabstraction (2)

Fully distributed and technology-independent approach based on a Service Plane thatsupports on-the-fly invocation of services

Po ulated b a set of distributed entities that inter-communicate via dedicate si nallin usin

The Service Control Function (SCF)

Acts as a gateway

XML messages

Request Network services

The Centralized Service Element (CSE)

Verifies the SCF identity (Client

Controls the access (Service Authorization);The Distributed Service Element (DSE)

Handles multiple service requests

Composes the Network-Services

Performs technology-specific configurationson controlled PEs using the BNS module

Performs configuration of devices viaControl Plane Management Interface (CMI)

Two main procedures are envisioned:


12/20

The Background Signalling

The Service Provisioning Signalling


13/21

Network topology virtualization

Background Signalling:

Collects and abstracts Network status

Update the NR-DB within the DSEs

Is Continuously repeated in background at regular intervals

1 - Network Resource Discovery phasearrow 1 2 : DSEs athers at re ular intervals

the information

2 - Service Abstraction phase: DSEs map- -

independent information and stores it in theNR-DB

3 - Information Distribution phase (arrow3, 4): DSEs distribute information to CSE

module(CSE acts as a Database Reflector of the


13/20

overall knowledge of Network)


14/21

On-demand service triggering

The Service Provisioning Signalling

is responsible of the actual service provisioning

is triggered by a service request issued by a SCF to aDSE

1 - The DSE-master receives a Network-Service re uest from an SCF

[Authorization] A messages exchangeoccurs between DSE and CSE

2 - The DSE elaborates and distributesdirectives to the relevant DSEs

[*] DSEs-slave execute service commandscoming from a DSE-master.

3 - Each DSE map directive in a set of CMINetwork primitives to its controlled PEs(3).

response from the PE

[Ack] DSEs-slave send a reply-message toreport the established service


14/20[Ack] to SCF


15/21

Security

security at application layer pro ec on aga ns unau or ze access o app ca on p a orms e.g.,

server, data base or web portal) for corruption of information,

interruption of service

security at service (control) layer protection against unauthorized access to service control element (e.g.,

SIP rox HSS to subscriber information e. . user and service

profiles for identity theft), network provider information (e.g., repositorywith routing, numbering and addressing information)

protection against unauthorized access to network elements (e.g., IP

routers, MPLS nodes), to transport control information (e.g., OSPF,e , to transport user pro e n ormat on e.g., su scr pt on atarepository, user location information)


15/20


16/21

Authorization

Authorization mechanisms are categorized as: Authentication-based mechanisms which assi n a set of ri hts

based on the (authenticated) user identity

Credentials-based (a.k.a. role-based) mechanisms, which. .,credentials) being held by the user

Role-based Authorization process is composed of twop ases: Based on user credentials, the resource provider deduce the

level of trust it can place in him and consequently assign a (setof) role(s)

Based on the role, the authorization engine identifies and

enforces a policy determine the set of actions the user is allowed to perform

verify if the user is allowed to perform the required action on theresource


16/20


17/21

Traditional vs. advanced access control

In traditional access control The decision process is based on the identity or the role of users

t at are reg stere w t t e m n strat ve oma n

The policy rules are static, i.e., changed only through administrative

actions, typically performed by human operator

In a multi-domain scenario the user may be unknown in the Administrative Domain of the

resource access rights may be revoked or may expire

Role-based Access Control Traditionaltechniques

Role-basedUsa e CONtrol

Advancedtechni ues


17/20


18/21

Trust management

Trust definition:

Trust of a art A in a art B for a service X is the measurablebelief of A in B behaving dependably for a specified period within

a specified context in relation to X... [Dimitrakos, 2001] rus anagemen e n on:

Technique to make decisions about the dependability of

Role-Based Trust Management: A sub ect has a set of roles in each Administrative Domain to

which he belongs

A set of access rules define the relations among Administrative

roles for the same subject in Administrative Domain to which hedoes not belong.


18/20[Blaze96] M. Blaze, J. Feigenbaum, J. Lacy. Decentralized Trust Management. In 17th

Symposium on Security and Privacy (pp. 164-173). IEEE Computer Society. 2006


19/21

Usage Control Model

The decision process is based on:

Authorizations

Subjects: entities that perform actions onObjects

Obligations

Conditions

after checking subject/object

Identity; Role; Reputation; Credits;

Objects: entities that are used by Subjects.attributes

Value; Role permission;

pre-decision ongoing-decisions

before usage ongoing usage after usage

pre-updates ongoing updates post-updates

Mutability of attributes time


19/20

J. Park, R. Sandhu. The UCON Usage Control Model,ACM Trans. On Information and System

Security, 7(1), 2004.


20/21

Conclusion

Re-use of many concepts coming from grid for

enabling cloud computing

cloud computing

Optical networks can be good candidatebecause the are CP-enabled

From security to trustworthiness


20/20


21/21

Thank you

- .


21/20

ola Superiore SantAnna, CNR research area, Via Moruzzi 1, 56124 Pisa, Italy

2 - challenges for enabling cloud computing over optical networks

Documents