Nebula - The Future Internet Architecture

Post on 16-Apr-2017


CS7002 Data Communications
The Nebula Future Internet Architecture

RANJAN DHAR, dharr@tcd.ie

Trinity College Dublin, The University of Dublin CS7002 Data Communications

Overview

• Three basic foundations of Nebula.

• Sponsored and supported by National Science Foundation and CISCO systems.

• Focussed on a future network enabling the vision of cloud computing.


Motivation/Problem

• The bloom of Cloud Computing.

• Security of network.

• Broad applicability.


Motivation / Problem

“We need a new network architecture!!!”

• Availability and Dependability.

• Cloud Computing has embraced weak consistency.

• Redefined security.

• Smarter network. (Flexible and Extensible)


Example ( Critical Application)

Figure: inputs (monitor current glucose level, monitor what was being eaten, monitor exercise activity) feed a Machine Learning stage that produces an insulin infusion recommendation.


Enters “NEBULA”

• Nebula is an architecture for the cloud based future Internet.

• Comprehensive, Clean slate and Reliable.

• Basic decisions include use of packet switching, multiple paths & store-and-forward routers.

• Backbone of Data Centers.


Principles & Architecture

ARCHITECTURE

• Services provided by cloud data centers.

• Multiple cloud providers, that use replication.

• Variety of access mechanisms.

• Transit networks to interconnect data centers.

PRINCIPLES

• Ultra reliable interconnecting data centers.

• Parallel paths between data centers and core routers.

• Secure and authentic connection establishment.

• Policy based path selection.


NEBULA – Building blocks

NEBULA: NCORE, NDP, NVENT

• Nebula Core Architecture.

• Nebula Data Plane.

• Nebula Virtual and Extensible Networking Techniques.


NEBULA


NEBULA (NCORE)

• High Performance Core Routers.

• Highly Reliable.

• Programmable.

• Load balancing.

• Supports features like Network Provenance, failure detection and path diversity.

• Problems can be diagnosed and repaired during runtime.

Figure labels: ROUTERS, FIRE


NEBULA (NCORE) ROUTERS

Redundant paths.


SCENARIOS


NEBULA (NDP)

• Primarily focussed on Distributed multiple path establishment and policy enforcement.

• Policies may include security, privacy and fault tolerance requests.

• Uses a path verification mechanism known as ICING.

• Proof of Consent & Proof of Provenance.

• It must check whether the path is authorized.

• It must also check whether the authorized path was followed.

DATA PLANE


NEBULA (NDP) DATA PLANE

• POC is basically a cryptographic token.

• As a packet traverses the path, it is incrementally marked with POPs.

• Enforces network provenance by using POPs.

• Denial of service attacks are much more difficult to carry out. (Secure)


NEBULA (NVENT)

• Nebula Virtual and Extensible Networking Technology.

• NVENT embodies new control-plane technologies that focus on policy specification, policy-based path setup and service naming.

• NVENT uses declarative networking.

CONTROL PLANE


NEBULA (NVENT) CONTROL PLANE


NEBULA (NVENT)

• Declarative Networking is a programming methodology that enables developers to concisely specify network protocols and services, which are directly compiled to a dataflow framework that executes the specifications.

• Just as BGP in the current Internet, NVENT provides a set of default paths to ensure global reachability, but it also provides an interface to NDP, which is available to users for requesting custom paths, e.g., for applications that require high reliability.

CONTROL PLANE


NEBULA (NVENT) CONTROL PLANE


PUTTING NEBULA TOGETHER


PUTTING NEBULA TOGETHER

• Cell phone contacts NVENT & requests a path to NCORE.

• NVENT looks for a path complying with the policy and contacts the NDP policy server to obtain the necessary POCs.

• NVENT returns all the POCs to the cell phone.

• Cell phone uses these POCs to send packets via NDP to the nearest NCORE router.

• NCORE performs network provenance to verify the path and forwards packets to Data Center.


PUTTING NEBULA TOGETHER

• Nebula’s security can be related to the immigration process.

• Detailed security with high efficiency.

• POPs usually happen at boundaries.

• Policy Server may have 0 or more policies.

• If Policies = 0, then DEFAULT DENY.

• Policies are cacheable.

• Policies can be queried by clients.

• Example: NEBULAPATH = HIPAA.
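The POC/POP mechanism from the Data Plane slide, the path-setup steps above and the policy server’s default-deny rule, as one added Python model (this is illustrative code, not the NEBULA project’s own). Realm names, keys, the policy table and the payload are constructed; one symmetric key per realm shared with the consent server is an assumption that simplifies ICING’s pairwise key management.

```python
import hmac
import hashlib

# Constructed keys: one symmetric key per realm on the path, shared with the
# NDP policy/consent server. ICING's real key management is pairwise; a single
# key per realm is an assumption that keeps the model short.
REALM_KEYS = {"phone-isp": b"k-isp", "ncore-A": b"k-a", "ncore-B": b"k-b", "dc": b"k-dc"}

# Constructed policy table: the authorised path for each (source, destination).
# A (source, destination) pair with no entry is DEFAULT DENY, as the slides state.
POLICIES = {("phone", "dc"): ["phone-isp", "ncore-A", "ncore-B", "dc"]}


def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def issue_pocs(src, dst, payload):
    """Path setup: return (path, one POC per realm) or None when no policy allows it."""
    path = POLICIES.get((src, dst))
    if path is None:
        return None
    path_b = ",".join(path).encode()
    return path, [mac(REALM_KEYS[r], b"POC", path_b, payload) for r in path]


def forward(path, pocs, payload, actual_route):
    """Simulate the packet travelling actual_route. Each realm checks its POC
    (it consented to this path for this packet) and the POP chain (every earlier
    realm on the authorised path stamped the packet), then appends its own POP.
    Returns True only if the packet reaches the end of the authorised path."""
    path_b = ",".join(path).encode()
    pops = []
    for realm in actual_route:
        if realm not in path:
            return False                    # realm never consented to carry it
        i = path.index(realm)
        if len(pops) != i:
            return False                    # a realm was skipped or revisited
        if not hmac.compare_digest(pocs[i], mac(REALM_KEYS[realm], b"POC", path_b, payload)):
            return False                    # POC forged, or payload altered in flight
        for j in range(i):                  # provenance: re-check predecessors' POPs
            prev = pops[j - 1] if j else b""
            if not hmac.compare_digest(pops[j], mac(REALM_KEYS[path[j]], b"POP", path_b, payload, prev)):
                return False
        pops.append(mac(REALM_KEYS[realm], b"POP", path_b, payload, pops[-1] if pops else b""))
    return len(pops) == len(path)
```

A route that skips a consented realm, inserts an unauthorised one, or carries a modified payload fails verification, while the authorised path verifies end to end.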


PROTOTYPE - ZODIAC


RESEARCH QUESTIONS?

• ICING vs. TorIP vs. TaaS.

• Application interface to specify policy.

• Relationship between the policy enforcing plane and NCORE routers still in flux.

• Organization contracts?

• Name service implementation?


NEBULA CONFIGURATION & OPERATION

• Policy Configuration – API level work in NVENT to determine client requirements.

• Path Setup – Policy request.

• Forwarding - POCs & POPs.

• Naming – TorIP (ISP, ID) “ID identifies a mailbox”

ICING (DNS augmented by policy enforcement)

EXAMPLE (ICING): www.foo.com → POC1, POC2

Remember POCs are cacheable.


NEBULA ARCHITECTURAL CHOICES

Design Goal: Communication must continue despite loss of networks, links, or gateways.
NEBULA: NEBULA uses multiple dynamically allocated paths and reliable transport.

Design Goal: Allow host attachment and operation with a low level of effort.
NEBULA: NVENT/NDP is as easy to automate and use as DHCP/IP.

Design Goal: Support secure communication (authentication, authorization, integrity, confidentiality) among trusted nodes.
NEBULA: Mutually suspicious NDP nodes self-select paths exhibiting cryptographic proofs of properties required for security.

Design Goal: Provide a cost-effective communications infrastructure.
NEBULA: NCORE places resources where architecturally needed; policy analysis.

Design Goal: Implement network and user policies.
NEBULA: Policies implemented with NDP and NVENT.

Design Goal: The architecture must accommodate a variety of networks.
NEBULA: NDP sends packets by encapsulation, NVENT networks by virtualization.

Design Goal: The architecture must permit distributed management of its resources.
NEBULA: NDP path establishment decentralized, NVENT


FUTURE


HOW NEBULA WILL REDEFINE THE INTERNET?

• From best effort to delivery assurance.

• Dynamic routers.

• Evolution in network rather than at end points.

• Revolutionising cloud infrastructure.


EVALUATION

• The design choices for NDP were strongly focused on the following parameters:

1. Assured Paths.

2. Controlled Access.

3. Availability.

4. Autonomous control of resources.

5. Privacy enhanced communication.

“NDP provides a superset of the union of the features provided by other projects.” E.g.: BGP, Byzantine routing.

Average header = 250 bytes; average packet = 1300 bytes: 20% more space.


SUMMARY

• Nebula is a future Internet architecture that is intrinsically more secure and addresses threats to the emerging computer utility capabilities (cloud computing) while meeting the challenges of flexibility, extensibility and economic viability.

• Architecture divided into NDP, NCORE and NVENT.

• Interconnecting data centers is the primary focus.

• Highly secure, reliable & efficient.

• Can be used in areas such as Biotelemetry & Defence.


ACKNOWLEDGEMENTS

• Tom Anderson, Ken Birman, Robert Broberg, Matthew Caesar, Douglas Comer, Chase Cotton, Michael J. Freedman, Andreas Haeberlen, Zachary G. Ives, Arvind Krishnamurthy, William Lehr, Boon Thau Loo, David Mazières, Antonio Nicolosi, Jonathan M. Smith, Ion Stoica, Robbert van Renesse, Michael Walfish, Hakim Weatherspoon, and Christopher S. Yoo. The NEBULA Future Internet Architecture, volume 7858 of LNCS. Springer Verlag, 2013.

• NEBULA project web page - http://nebula-fia.org/.

• Douglas Comer. A future Internet architecture that supports Cloud Computing. In Proc. 6th International Conference on Future Internet Technologies (CFI), June 2011.

• Andrei Agapi, Ken Birman, Robert M. Broberg, Chase Cotton, Thilo Kielmann, Martin Millnert, Rick Payne, Robert Surton, and Robbert van Renesse. Routers for the Cloud: Can the Internet achieve 5-nines availability? IEEE Internet Computing, 15(5):72–77, 2011.

• Birman, K.P., Huang, Q., Freedman, D.: Overcoming the “D” in CAP: Using Isis2 to build locally responsive cloud services. IEEE Internet Computing 12, 50–58 (2012)

• Aditya, P., Zhao, M., Lin, Y., Haeberlen, A., Druschel, P., Maggs, B., Wishon, B.: Reliable client accounting for hybrid content distribution networks. In: Proc. NSDI (April 2012)

• Wenchao Zhou, Qiong Fei, Arjun Narayan, Andreas Haeberlen, Boon Thau Loo, and Micah Sherr. 23rd ACM Symposium on Operating Systems Principles (SOSP '11), Cascais, Portugal, Oct 2011. DOI 10.1145/2043556.2043584.

• Setty, S., McPherson, R., Blumberg, A.J., Walfish, M.: Making argument systems for outsourced computation practical (sometimes). In: Proc. NDSS (February 2012)

• Zhou, W., Fei, Q., Narayan, A., Haeberlen, A., Loo, B.T., Sherr, M.: Secure network provenance. In: Proc. SOSP (October 2011)

QUESTIONS?

THANK YOU