8/7/2019 2 - Challenges for Enabling Cloud Computing Over Optical Networks
1/21
Scuola Superiore SantAnna
Challenges for Enabling Cloud Computing Over Optical Networks
Piero Castoldi, Barbara Martini, Fabio Baroncelli
Workshop Grid vs Cloud Computing and Why This Should
OFC/NFOEC 2009 March 22-26, 2009 - San Diego, USA
Outline
- Challenges
- Resource virtualization
- Service abstraction
- User-driven service delivery
- Security
- Conclusion
2009 Scuola Superiore SantAnna
2/20
The network as a service paradigm
- Cloud Computing is a general paradigm of operation where the capabilities of an infrastructure (e.g., computation, storage, servers, ...) ...
- Users are able to access ICT capabilities from the Internet (i.e., the cloud) without knowledge of and control over the technology infrastructure that ...
- According to the network-as-a-service (NaaS) ... -oriented capabilities
User-oriented network capabilities
- Cloud computing will require dynamic, complex service set-up and tear-down with strict requirements (e.g. content streaming with adequate bandwidth, delay and ..., and performance of the streaming server ...)
- Triggering of network services in ...
Figure: the user's request and the network directives it has to become
  User / Client Request Format:
    Disney, WallE (Session, ServerLocation)
    HDMovie (Bandwidth)
    GoodQuality (QoS)
  Edge / Network Directives Format (router configuration):
    mpls {
        traffic-engineering bgp-igp-both-ribs;
        no-cspf;
        to 10.20.0.1;
        install 10.20.12.0/24 active;
        bandwidth 10m;
    }
- The transport network is available via network technology-dependent interfaces (e.g. the User to Network Interface ...)
- The network has a different grain in service description with respect to an application ...
- Intimate knowledge of the network technology is required
- No mechanism is available for coordinating the set-up of complex private networks
- What is needed: a provisioning framework operating at a level of abstraction suitable for being invoked ...
Concepts (1)
- Network resource:
  - a network capability of supporting (set-up, configure, monitor, tear-down) the forwarding of data, possibly across multiple nodes, according to a certain encapsulation (e.g. a MPLS L2 LSP)
  - a data processing capability over the payload of a data flow, realized in software or in hardware in a network node (e.g. a random access ...)
- Network service: a service, described in a technology-independent way, that, leveraging on network resources, offers connectivity capabilities, directly or indirectly, to the customer's applications (e.g. a L2 VPN)
- Non-network service: a service, described in a technology-independent way, that, leveraging on IT resources, offers a data manipulation capability (e.g. a storage service).
Concepts (2)
Virtualization of resources
- Service abstraction: the capability to map the set of high-level parameters specified by an application into the set of specific parameters used by the network for the provisioning of that service.
- The process of service abstraction requires virtualization of resources: services that can be accessed without knowledge of their underlying technical implementation.
- ... their composition.
- Semantic rules can be defined to compose or orchestrate services.
Cloud computing and optical networks
- Cloud Computing can benefit from ultra high-capacity ... adapted to support user-oriented capabilities:
  - ... signaling, i.e., session control among end-user applications, including message exchange for session state monitoring, resource negotiation and media transfer control.
  - Resource control signaling, i.e., signaling for resource control for the purpose of a consistent ... the Control Plane, serving for:
    - network attachment functions (e.g., auto-discovery of border network topology)
Challenges
- Resource virtualization: network resource discovery and virtualization at ...
- Service abstraction: service exposition for bridging applications and the CP-enabled Optical Network
- On-demand service triggering
- Security: AAA in a multi-operator scenario and distributed environment; advanced mechanisms for user access control
Network resources: grid computing vs. cloud computing
Service concept
  Grid: Capability to transfer a specific type of data traffic generated by a customer ... network
  Cloud: Capacity to match an application request to network resource availability and accordingly affect network resource ...
QoS support
  Grid: Advanced mesh connectivity (e.g. L1/L2/L3 VPN, VPLS); Traffic enforcement on a per-flow basis
  Cloud: QoS guarantees; End-to-end resource control
Requesting application
  Grid: E-science applications; TE/Management application (OSS)
  Cloud: Multimedia applications; Virtual terminal applications
...
  Grid: WAN context
  Cloud: hosts
Service granularity
  Grid: Coarse grain (GB up to TB)
  Cloud: Fine grain (100s MB)
Non-network (IT) resources
- IT resources are more difficult to describe than network resources
- IT resources are more heterogeneous and may lack a relation of hierarchy
- Some virtualization efforts exist but solutions are heterogeneous (e.g. naming for addressing: Universal Unique Identifier, Universal Resource Identifier, etc.)
- An adequate, typically complex, information model is needed to handle IT resources (discover, ...)
- Some applications, e.g. grid, already have a well ... that do not involve provider networks at all.
Virtualization of resources and service abstraction (1)
Control Plane-enabled optical transport networks
Approach based on the introduction of a Service Plane:
- ... the informational gap between the Application-Layer (Service Control Function) and the Network-Layer
- Decouples network technologies from the future evolution of the network services
- ... boundary of the Transport Network via CMI (Control-Plane Management Interface)
- Defines a technology-independent network service definition at a level of abstraction suitable for being invoked by an application via the User-to-Service Interface
References:
- F. Baroncelli, B. Martini, V. Martini, P. Castoldi, "A distributed signaling for the provisioning of on-demand VPN services in transport networks", Proc. of IM 2007, May 2007, Munich, Germany.
- ..., ..., ..., ..., Torkman, P. Castoldi, "Application-driven Resource Management in Multi-Service Optical Networks", Journal of Optical Communications and Networking, June 2009, to appear.
Virtualization of resources and service abstraction (2)
- Fully distributed and technology-independent approach based on a Service Plane that supports on-the-fly invocation of services
- Populated by a set of distributed entities that inter-communicate via dedicated signalling using XML messages
- The Service Control Function (SCF):
  - Acts as a gateway ...
  - Requests Network services
- The Centralized Service Element (CSE):
  - Verifies the SCF identity (Client Authentication)
  - Controls the access (Service Authorization)
- The Distributed Service Element (DSE):
  - Handles multiple service requests
  - Composes the Network-Services
  - Performs technology-specific configurations on controlled PEs using the BNS module
  - Performs configuration of devices via the Control Plane Management Interface (CMI)
- Two main procedures are envisioned:
  - The Background Signalling
  - The Service Provisioning Signalling
Network topology virtualization
Background Signalling:
- Collects and abstracts the network status
- Updates the NR-DB within the DSEs
- Is continuously repeated in background at regular intervals
1 - Network Resource Discovery phase (arrows 1, 2): DSEs gather the information ... at regular intervals
2 - Service Abstraction phase: DSEs map ... into technology-independent information and store it in the NR-DB
3 - Information Distribution phase (arrows 3, 4): DSEs distribute information to the CSE module (the CSE acts as a Database Reflector of the overall knowledge of the network)
On-demand service triggering
The Service Provisioning Signalling:
- is responsible for the actual service provisioning
- is triggered by a service request issued by a SCF to a DSE
1 - The DSE-master receives a Network-Service request from an SCF.
    [Authorization] A message exchange occurs between the DSE and the CSE.
2 - The DSE elaborates and distributes directives to the relevant DSEs.
    [*] DSE-slaves execute the service commands coming from the DSE-master.
3 - Each DSE maps the directives into a set of CMI network primitives towards its controlled PEs (3).
    ... response from the PE
    [Ack] DSE-slaves send a reply message to report the established service
    ... [Ack] to the SCF
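A toy model of this provisioning exchange, added here as an illustration and not the authors' code: the XML request fields, the CSE registry, the DSE-to-PE topology and the "cmi-setup" primitive are constructed assumptions. The point it makes is that a request failing the CSE's client authentication or service authorization is rejected before any CMI primitive reaches a PE.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed CSE registry: SCF identity -> (shared secret, services it may request)
CSE_REGISTRY = {"scf-1": ("s3cret", {"L2VPN"})}
# Constructed topology: which PEs each DSE controls
DSE_PES = {"dse-A": ["pe1"], "dse-B": ["pe2", "pe3"]}

def scf_request(scf_id, secret, service, dses):
    """SCF side: build the Network-Service request as an XML message (bytes)."""
    req = ET.Element("service-request", scf=scf_id, token=secret, service=service)
    for d in dses:
        ET.SubElement(req, "site", dse=d)
    return ET.tostring(req)

def cse_authorize(req):
    """CSE side: client authentication (SCF identity) and then service authorization."""
    entry = CSE_REGISTRY.get(req.get("scf"))
    if entry is None or not hmac.compare_digest(entry[0], req.get("token", "")):
        return "AUTHN-FAIL"
    return "OK" if req.get("service") in entry[1] else "AUTHZ-FAIL"

def dse_slave_apply(dse, directive):
    """DSE-slave side: map the directive onto CMI primitives for its PEs, return their acks."""
    return [f"{pe}: cmi-setup({directive})" for pe in DSE_PES[dse]]

def dse_master_provision(raw_request):
    """DSE-master side: CSE authorization, directive distribution, ack collection."""
    req = ET.fromstring(raw_request)
    verdict = cse_authorize(req)                       # step 1: DSE <-> CSE exchange
    if verdict != "OK":                                # rejected before any PE is configured
        return {"status": "REJECT", "reason": verdict, "pe_acks": []}
    sites = [s.get("dse") for s in req.findall("site")]
    directive = f"{req.get('service')}:{'+'.join(sites)}"   # step 2: composed directive
    pe_acks = []
    for dse in sites:                                  # step 3: slaves drive their PEs via CMI
        pe_acks.extend(dse_slave_apply(dse, directive))
    return {"status": "ACK", "reason": verdict, "pe_acks": pe_acks}  # [Ack] back to the SCF
```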
Security
- Security at application layer: protection against unauthorized access to application platforms (e.g., server, data base or web portal) for corruption of information, interruption of service
- Security at service (control) layer: protection against unauthorized access to service control elements (e.g., SIP proxy, HSS), to subscriber information (e.g. user and service profiles, for identity theft), to network provider information (e.g., repository with routing, numbering and addressing information)
- Security at network (transport) layer: protection against unauthorized access to network elements (e.g., IP routers, MPLS nodes), to transport control information (e.g., OSPF, ...), to transport user profile information (e.g., subscription data repository, user location information)
Authorization
Authorization mechanisms are categorized as:
- Authentication-based mechanisms, which assign a set of rights based on the (authenticated) user identity
- Credentials-based (a.k.a. role-based) mechanisms, which ... (e.g., credentials) being held by the user
The role-based authorization process is composed of two phases:
1. Based on the user credentials, the resource provider deduces the level of trust it can place in him and consequently assigns a (set of) role(s)
2. Based on the role, the authorization engine identifies and enforces a policy:
   - determine the set of actions the user is allowed to perform
   - verify if the user is allowed to perform the required action on the resource
Traditional vs. advanced access control
In traditional access control:
- The decision process is based on the identity or the role of users that are registered with the Administrative Domain
- The policy rules are static, i.e., changed only through administrative actions, typically performed by a human operator
In a multi-domain scenario:
- the user may be unknown in the Administrative Domain of the resource
- access rights may be revoked or may expire
Traditional techniques: Role-based Access Control
Advanced techniques: Role-based Trust Management; Usage CONtrol
Trust management
Trust definition: "Trust of a party A in a party B for a service X is the measurable belief of A in B behaving dependably for a specified period within a specified context in relation to X ..." [Dimitrakos, 2001]
Trust Management definition: a technique to make decisions about the dependability of ...
Role-Based Trust Management:
- A subject has a set of roles in each Administrative Domain to which he belongs
- A set of access rules define the relations among Administrative ... roles for the same subject in an Administrative Domain to which he does not belong.
[Blaze96] M. Blaze, J. Feigenbaum, J. Lacy. Decentralized Trust Management. In 17th Symposium on Security and Privacy (pp. 164-173). IEEE Computer Society. 2006
Usage Control Model
The decision process is based on:
- Authorizations
- Obligations
- Conditions
after checking subject/object attributes.
Subjects: entities that perform actions on Objects. Attributes: Identity; Role; Reputation; Credits
Objects: entities that are used by Subjects. Attributes: Value; Role permission
Mutability of attributes over time:
  before usage: pre-decision, pre-updates
  ongoing usage: ongoing-decisions, ongoing updates
  after usage: post-updates
J. Park, R. Sandhu. The UCON Usage Control Model, ACM Trans. on Information and System Security, 7(1), 2004.
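An added example, not from the slides or the UCON paper, that puts the two-phase role-based authorization of the Authorization slide and the UCON pre/ongoing/post decisions of this slide into one session object. The credential-to-role mapping, the policy table and the mutable "credits" and "reputation" attributes are constructed assumptions; a credential from a domain the provider does not know maps to no role, which is the multi-domain case of the access-control slide.

```python
# Constructed mapping from held credentials to roles, and from roles to permitted actions
CREDENTIAL_TO_ROLE = {"cert:research-domain": "researcher", "cert:partner-ops": "operator"}
POLICY = {"researcher": {"read", "stream"}, "operator": {"read", "stream", "provision"}}

def phase1_roles(credentials):
    """Phase 1: the provider deduces its roles (level of trust) from the credentials held.
    Credentials issued by a domain it does not know map to no role at all."""
    return {CREDENTIAL_TO_ROLE[c] for c in credentials if c in CREDENTIAL_TO_ROLE}

def phase2_allowed(roles, action):
    """Phase 2: the authorization engine checks the requested action against the role policy."""
    return any(action in POLICY[r] for r in roles)

class UsageSession:
    """UCON-style session: pre-decision, ongoing decisions on mutable attributes, post-update."""
    def __init__(self, subject, action, cost_per_unit=1):
        self.subject, self.action, self.cost = subject, action, cost_per_unit
        self.state = "pending"

    def pre_decision(self):
        """Before usage: role-based authorization plus a check on the 'credits' attribute."""
        roles = phase1_roles(self.subject["credentials"])
        ok = phase2_allowed(roles, self.action) and self.subject["credits"] >= self.cost
        self.state = "ongoing" if ok else "denied"
        return ok

    def ongoing(self):
        """One unit of usage: the ongoing decision is re-evaluated on the mutable attribute,
        then the ongoing update consumes credits. Exhausted credits revoke the usage."""
        if self.state != "ongoing":
            return False
        if self.subject["credits"] < self.cost:
            self.state = "revoked"
            return False
        self.subject["credits"] -= self.cost
        return True

    def end(self):
        """After usage: post-update of a subject attribute (reputation grows on clean completion)."""
        if self.state == "ongoing":
            self.subject["reputation"] += 1
            self.state = "ended"
        return self.state
```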
Conclusion
- Re-use of many concepts coming from grid for enabling cloud computing
- ... cloud computing
- Optical networks can be good candidates because they are CP-enabled
- From security to trustworthiness
Thank you
Scuola Superiore Sant'Anna, CNR research area, Via Moruzzi 1, 56124 Pisa, Italy