The Center for Autonomic Computing: Vision, Value and Capabilities
Autonomic Virtual Networks and Applications in Cloud and Collaborative Computing Environments
Renato Figueiredo
Associate Professor
Center for Autonomic Computing, ACIS Lab, University of Florida
Intel Portland, April 30, 2010
Outline
Architecting autonomic virtual networks
Isolation, security, encapsulation, dynamic configuration, migration
Self-configuration, self-healing, self-optimization
Applications in cloud and collaborative environments
Virtual Private Clusters
Social VPNs
Archer: a collaborative environment for computer architecture simulation
Ongoing/future work
Background
Collaboration, entertainment: streaming, data sharing, games
Resource aggregation: cross-institution sharing, opportunistic computing, on-demand provisioning
[Figure: a self-configuring, end-to-end Virtual Private Network joining NATed hosts across the public Internet]
Self-organizing virtual networks
Focus:
Why virtual?
Software overlays that provide virtual network infrastructure over existing Internet infrastructure
Support unmodified TCP/IP applications and existing Internet physical infrastructure
Hide heterogeneity of physical network (firewalls, NATs), avoid IPv4 address space constraints
Why self-organizing?
Autonomous behavior: low management cost compared to typical VPNs
Decentralized architecture for scalability and fault tolerance
Virtual networking
Isolation: dealt with similarly to VMs
Multiple, isolated virtual networks time-share physical network
Key technique: tunneling (VPNs)
Related work
Grid computing
VNET (P. Dinda at Northwestern U.)
Violin (D. Xu at Purdue U.)
ViNe (J. Fortes at U. Florida)
PVC (F. Cappello at INRIA)
“P2P” VPNs
Hamachi, tinc, Gbridge
The IP-over-P2P (IPOP) Approach
Isolation
Virtual address space decoupled from Internet address space
Self-managing
Self-organizing, self-healing topology
Decentralized – structured peer-to-peer (P2P)
No global state, no central points of failure
Self-optimizing IP overlay routing
On-demand direct/relay connections
Self-configuring decentralized NAT traversal
Use case scenarios
Sharing resources/services in a virtual end host
VM provides isolation
Virtual appliances provide software encapsulation
Distributed virtual appliance clusters
Homogeneous software environment on top of heterogeneous infrastructure
Homogeneous virtual network on top of wide-area, NATed environments
Cross-institution collaboration; cloud-bursting
Example: virtual clusters
NOWs, COWs:
•Local-area
•Physical machines
•Self-organizing switching (e.g. Ethernet spanning tree)
•Switched network, installation image
“WOWs”:
•Wide-area
•Virtual machines (VMs)
•Self-organizing overlay (IP tunnels, P2P routing)
•VM image
Use case scenarios
There are various successful overlays enabling peer-to-peer communication among users
VoIP sessions over skype
File transfers over bittorrent
iChat (video, chat, desktop sharing)
Application (and/or platform) specific
Users: richer set of applications over a generic IP network for communication and collaboration
But they don’t have public IPs, and don’t want to directly connect to all users – hence NATs
And they don’t want to or know how to configure and discover network services manually
Example: Social VPNs
[Figure: Alice, Bob and Carol are linked through a social network (e.g. Facebook) via its Social Network API and web interface; the social network information system holds Alice’s, Bob’s and Carol’s public keys. Alice advertises her services (Samba share, RDP server, VoIP, chat) to Bob and Carol. On the IPOP overlay network the peers get names and private addresses such as carol.facebook.ipop (10.10.0.2) and node0.alice.facebook.ipop (10.10.0.3); Bob browses Alice’s SMB share over the overlay.]
IP-over-P2P Tunneling
As in many other VPNs, use virtual network device to capture/inject IP (e.g. tap/tun)
Tunnel IP over UDP or TCP
Unlike traditional VPNs, tunnels are not established by an administrator
Rather, IPOP implements self-organizing techniques to discover, establish and maintain overlay links
Each IPOP peer is capable of picking packets, injecting packets, and routing
Virtual network architecture
[Figure: an unmodified application issues Connect(10.10.1.2,80) on its VNIC; a Virtual Router on each host captures and tunnels the packets over the wide-area overlay network (scalable, resilient, self-configuring routing and object store); the virtual routers at 10.10.1.1 and 10.10.1.2 live in an isolated, private virtual address space.]
Overlay architecture
Bi-directional structured overlay (Brunet library)
Constant number of edges (K) per node
O((1/K) log2(n)) overlay hops
Self-organizing topology
[Figure: overlay routers placed on an ordered ID space ring, joined by near edges to ring neighbours and shortcut (far) edges across the ring.]
Overlay Edges
Abstract bi-directional communication channels
Edges can use various transports: UDP; TCP; DTLS; Tunnel
[Figure: two overlay routers joined by a UDP edge, a TCP edge, a UDP/DTLS edge set up through NAT traversal, and a “Tunnel” edge.]
NAT traversal
Reflection: learn NAT-mapped endpoints from public overlay peers
Peers exchange “connect to me” through overlay
Set up hole punching
Self-configuring
1. Reflection: udp://IP:port
2. Exchange learned endpoint with peer
3. Simultaneous open: NAT traversal
Self-healing structure
Greedy routing relies on consistent bi-directional ring topology
Faults in structure due to routing outages, symmetric NATs
Tunnel near edges
[Figure: when the physical path between two ring neighbours is unavailable, the peers exchange their neighbor sets and keep the ring consistent with a tunnel edge.]
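The three-step NAT traversal above, and the fall-back to a tunnel edge when the ring neighbour sits behind a symmetric NAT, as an added simulation that is not IPOP’s own code. The `Nat` class, the reflector address and the restricted-cone filtering rule are simplifying assumptions made for this example.

```python
REFLECTOR = ("203.0.113.10", 5000)  # public overlay peer used for reflection (constructed)


class Nat:
    """Simplified NAT model (constructed for this example). A cone NAT maps an internal
    (ip, port) to one external port for every destination; a symmetric NAT allocates a
    fresh external port per destination, so the reflected endpoint is useless to other
    peers. Inbound packets are accepted only on a mapping that already sent to that
    remote (restricted-cone filtering): that is the hole the simultaneous open relies on."""

    def __init__(self, public_ip, symmetric=False):
        self.public_ip, self.symmetric = public_ip, symmetric
        self.mappings = {}    # mapping key -> external port
        self.holes = set()    # (external endpoint, remote endpoint) pairs already sent to
        self.next_port = 40000

    def outbound(self, internal, remote):
        """Translate a packet from internal to remote; return the external endpoint used."""
        key = (internal, remote) if self.symmetric else internal
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        external = (self.public_ip, self.mappings[key])
        self.holes.add((external, remote))
        return external

    def inbound(self, external, remote):
        """Accept a packet from remote to external only if a matching hole exists."""
        return (external, remote) in self.holes


def reflect(nat, internal):
    """Step 1, reflection: send to a public overlay peer and learn the NAT-mapped endpoint."""
    return nat.outbound(internal, REFLECTOR)


def simultaneous_open(nat_a, int_a, nat_b, int_b):
    """Steps 2 and 3: the learned endpoints are exchanged over the overlay, then both
    sides send to each other at once. True if both NATs let the other side's packet in."""
    ext_a, ext_b = reflect(nat_a, int_a), reflect(nat_b, int_b)
    seen_from_a = nat_a.outbound(int_a, ext_b)  # source endpoint B's NAT actually sees
    seen_from_b = nat_b.outbound(int_b, ext_a)
    return nat_b.inbound(ext_b, seen_from_a) and nat_a.inbound(ext_a, seen_from_b)


def establish_edge(nat_a, int_a, nat_b, int_b):
    """Self-configuring edge selection: a direct UDP edge when hole punching works,
    otherwise a "tunnel" edge relayed through another overlay peer (self-healing)."""
    if simultaneous_open(nat_a, int_a, nat_b, int_b):
        return "udp"
    return "tunnel"
```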
Self-optimization
Create direct edges based on traffic inspection
O(log2(N)) -> O(1)
Direct connection when NAT traversal possible
Relay through a peer – “far” tunnel edge
[Figure: the same three NAT traversal steps: 1. reflection (udp://IP:port); 2. exchange learned endpoint with peer; 3. simultaneous open.]
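Greedy routing on the ordered ID-space ring from the overlay architecture slide, plus the traffic-inspection shortcut of this slide, as an added model that is not Brunet or IPOP code. The model is a constructed simplification: it keeps K near edges per side and omits the structured far edges, so the baseline hop count is linear in n/K rather than O((1/K) log2(n)); the shortcut threshold and ID-space size are assumptions.

```python
class Overlay:
    """Constructed model of the ordered ID-space ring: every node keeps K near edges on
    each side of the ring, and direct edges are added from traffic inspection."""
    SPACE = 2 ** 16  # size of the ID space (constructed; IPOP ids are 160-bit)

    def __init__(self, ids, k, shortcut_after=3):
        self.ids, self.k, self.shortcut_after = sorted(ids), k, shortcut_after
        self.edges = {node: set() for node in self.ids}
        self.flows = {}  # (src, dst) -> packets seen: the traffic-inspection counter
        n = len(self.ids)
        for i, node in enumerate(self.ids):
            for d in range(1, k + 1):  # K near edges clockwise and K counter-clockwise
                self.edges[node].update({self.ids[(i + d) % n], self.ids[(i - d) % n]})

    def dist(self, a, b):
        """Ring distance between two identifiers."""
        d = (b - a) % self.SPACE
        return min(d, self.SPACE - d)

    def route(self, src, dst):
        """Greedy routing: forward to the neighbour closest to dst; return the hop count.
        A consistent bi-directional ring guarantees some neighbour is always closer."""
        cur, hops = src, 0
        while cur != dst:
            nxt = min(self.edges[cur], key=lambda nb: (self.dist(nb, dst), nb))
            if self.dist(nxt, dst) >= self.dist(cur, dst):
                raise RuntimeError(f"ring inconsistent at {cur}: nothing closer to {dst}")
            cur, hops = nxt, hops + 1
        return hops

    def send(self, src, dst):
        """Deliver one packet over the overlay. Once shortcut_after packets have been
        seen between the pair, create a direct edge so later packets take one hop."""
        hops = self.route(src, dst)
        self.flows[(src, dst)] = self.flows.get((src, dst), 0) + 1
        if self.flows[(src, dst)] == self.shortcut_after:
            self.edges[src].add(dst)
            self.edges[dst].add(src)
        return hops
```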
Bootstrapping
New P2P node forms a “leaf” connection with a well-known node, selected at random from a list of “bootstrap” nodes
Sends a “Connect to me” (CTM) request addressed to itself
Received by nearest neighbors (left and right), with the bootstrap node acting as forwarder
Autonomous IP allocation
One P2P overlay supports multiple IPOP namespaces
IP routing within a namespace
Each IPOP namespace: a unique string
Distributed Hash Table (DHT) stores mapping
Key=namespace, Value=DHCP configuration (IP range, lease, ...)
Key=namespace+IP, Value=IPOPid (160-bit)
IPOP node configured with a namespace
Query namespace for DHCP configuration
Guess an IP address at random within range
Attempt to store in DHT
IP->P2P Address resolution: given namespace+IP, lookup IPOPid
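The DHT-based allocation and resolution procedure above, as an added example rather than IPOP’s own implementation. The in-memory `Dht` class, its create-if-absent semantics, the namespace value layout and deriving the 160-bit IPOPid from a node name are assumptions made so the example runs offline.

```python
import hashlib
import ipaddress
import random


class Dht:
    """In-memory stand-in for the overlay DHT (constructed for this example). create()
    succeeds only if the key is absent, which is what lets peers claim addresses
    without a central DHCP server: two nodes guessing the same IP cannot both win."""

    def __init__(self):
        self.store = {}

    def create(self, key, value):
        if key in self.store:
            return False
        self.store[key] = value
        return True

    def get(self, key):
        return self.store.get(key)


def ipop_id(node_name):
    """160-bit IPOPid; derived from a name here only to keep the example reproducible."""
    return hashlib.sha1(node_name.encode()).hexdigest()


def allocate_ip(dht, namespace, node_name, rng=random, max_tries=32):
    """Query the namespace for its DHCP configuration, guess a random address in the
    range and try to store namespace+IP -> IPOPid; retry on collision."""
    conf = dht.get(namespace)                    # Key=namespace -> DHCP configuration
    if conf is None:
        raise LookupError(f"namespace {namespace!r} not registered in the DHT")
    hosts = list(ipaddress.ip_network(conf["range"]).hosts())
    for _ in range(max_tries):
        ip = str(rng.choice(hosts))
        if dht.create(namespace + ip, ipop_id(node_name)):   # Key=namespace+IP -> IPOPid
            return ip
    raise RuntimeError("no free address found: range exhausted or too contended")


def resolve(dht, namespace, ip):
    """IP -> P2P address resolution: given namespace+IP, look up the IPOPid (None if unknown)."""
    return dht.get(namespace + ip)
```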
Avoiding overlay overheads
[Figure: applications on the same LAN reach each other through their NICs and the local interface of a LAN router, while a Virtual Router with a VNIC tunnels only wide-area traffic over the overlay network.]
VN Interfaces
● Each machine has local VN Interface
● ARP, DHCP captured locally
● Router responds as gateway
● DHCP: DHT put/get
[Figure: on each host an APP talks to a Virtual Network Device handled by VPN Client Software, which tunnels over the NIC to the VPN overlay; the hosts form a Virtual LAN.]
Supporting VN Routers
● Single VN (Router) for entire cluster
● Avoid need for VN software stack on end host
● Avoid VN overhead on LAN communication
[Figure: a Virtual Router runs VPN Software on a TAP Device, with NIC0 (IP=10.1.1.2, Eth=A:B:C:D:E:0) on the cluster LAN and NIC1 towards the Internet; cluster hosts at IP=10.1.1.3 and IP=10.1.1.4 (Eth=A:B:C:D:E:1, Eth=A:B:C:D:E:2) use it as their gateway.]
VN Hybrid
● VN instance for each member in a cluster
● VN hosts in the same LAN bypass VN software stack
[Figure: each host runs VPN Software on a TAP Device behind a BRIDGE with veth pairs (VETH0_0 128.227.56.40/24, VETH0_1 10.250.1.25/16); ETH0 carries both a public address (IP0=128.227.56.41/24, 128.227.56.21/24, 128.227.56.33/24 on the hosts shown) and a virtual one (IP1=10.250.5.5/16, 10.250.255.1/16) towards the Internet.]
Autonomic features
Self-configuration [IPDPS’06, HPDC’06, PCgrid’07]
Self-optimization [HPDC’06]
Direct shortcut connections created/trimmed based upon IP traffic inspection for fast end-to-end IP tunnels
Proximity neighbor selection based on network coordinate estimates for improved structured routing
Self-healing [HPDC’08]
Routing tables using structured P2P links
NAT traversal, DHCP over DHT
“Tunnel” edges created to maintain overlay structure to deal with routing outages and NATs/firewalls that are not traversable
VLAN routers, overlay bypass within VLAN [VTDC09, SC09]
Overlay security architecture
Abstract senders encapsulate security logic
Supports both edge (point-to-point) and IPOP (end-to-end) authentication and encryption
Public key infrastructure
DTLS (Datagram TLS) library or native IPOP stack
Keys/certificates
Symmetric key exchange
UDP-based; amenable to NAT traversal
IPsec tunneling also supported
Performance
IPOP implementation
C# user-level router
Tap virtual network device

            Latency (ms)   Bandwidth (Mb/s)   Mem (KB)
Host        0.27           941                n/a
C           0.34           738                9988
C#          0.37           716                21500
IPOP        0.52           284                38312
IPOP sec    0.75           55                 50976
Security management
Overlay point-to-point and/or end-to-end security need to be configured
PKI management can be complex and error-prone
Certificate signing/distribution, revocation
Approach: leverage Web 2.0, social networking infrastructures for security management
SocialVPN: enable point-to-point VPN connectivity among socially-networked peers
GroupVPN: enable sharing of resources with all-to-all VPN connectivity within a group of users