
Autonomic Virtual Networks and Applications in Cloud and Collaborative Computing Environments

Page 1: Autonomic Virtual Networks and Applications in Cloud and Collaborative Computing Environments

Center for Autonomic Computing
Intel Portland, April 30, 2010

Autonomic Virtual Networks and Applications in Cloud and Collaborative Computing Environments

Renato Figueiredo
Associate Professor
Center for Autonomic Computing, ACIS Lab
University of Florida

Page 2

Outlook
- Architecting autonomic virtual networks
  - Isolation, security, encapsulation, dynamic configuration, migration
  - Self-configuration, self-healing, self-optimization
- Applications in cloud and collaborative environments
  - Virtual Private Clusters
  - Social VPNs
  - Archer: a collaborative environment for computer architecture simulation
- Ongoing/future work

Page 3

Social VPNs
- Focus on usability of security
- VPNs can recover Internet end-to-end connectivity
- From a user’s perspective, it needs to be simple:
  - My computer gets a virtual network card
  - It connects me directly to my social peers
  - All IP packets: authenticated, encrypted, end-to-end
- Leverage well-known PKI techniques
- No configuration besides establishing social links
  - All I need to do is log in to a web-based social network
- Applications and middleware work as if the computers were on the same local-area network

Page 4

Social VPN Overview (diagram)
- Participants: Alice, Bob, Carol; a social network web interface, social network API and social network information system
- Social network (e.g. Google chat) stores Alice’s, Bob’s and Carol’s public key certificates
- Overlay network (IPOP): virtual names and addresses such as carol.facebook.ipop 10.10.0.2 and node0.alice.facebook.ipop 10.10.0.3
- Social relationships: web-based profiles, email/chat networks. Public key certificates retrieved through social API or XMPP
- Symmetric keys exchanged and point-to-point private tunnels created on demand; multicast-based resource discovery
- Example: Bob browses Alice’s SMB share. Alice’s services (Samba share, RDP server, VoIP, chat) are advertised to Bob and Carol

Page 5

SocialVPN Control Plane
- Use APIs of well-established social networks for peer discovery and certificate exchange
- Centralized user identity and data store for certificate exchange
  - Facebook APIs and data store
- Federated user identities and peer-to-peer messaging for synchronous certificate exchange
  - XMPP online chat protocol (Google chat, Jabber.org; Facebook has partial support)
- May use DHT for asynchronous certificate exchange

Page 6

SocialVPN Data Plane
- IPOP core, with end-to-end security
- Dynamic IP address assignment
  - Key to supporting IPv4 in large social networks: Facebook has more users than there are class A private IPs!
  - Avoid conflicts with local private networks
  - Dynamic IP translation; supports mobility
  - Key: while the whole social network is huge, my social network fits in a subnet

[Figueiredo et al, COPS 2008]

Page 7

SocialVPN dynamic IP translation (diagram)
- Each node uses a non-conflicting private network of its own: Alice uses 10.10.x.y (Alice: 10.10.1.1, Bob: 10.10.1.2, Ann: 10.10.1.3); Ann uses 172.16.x.y (Ann: 172.16.1.1, Bill: 172.16.1.2, Alice: 172.16.1.10)
- A packet from Alice to Ann, as seen at each hop: at Alice’s VNIC, Src: 10.10.1.1, Dst: 10.10.1.3; on the overlay, Src: AliceOverlayID, Dst: AnnOverlayID; at Ann’s VNIC, Src: 172.16.1.10, Dst: 172.16.1.1
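The translation the diagram sketches, as an added example (it is not code from the slides or from IPOP): every node keeps its own private subnet and a per-peer address map, and the VNIC rewrites local addresses to stable overlay IDs on the way out and back to the receiver's own addressing on the way in. Node names, overlay IDs and subnets are constructed; addresses are assigned in discovery order, so Alice lands on 172.16.1.3 at Ann here rather than the slide's 172.16.1.10.

```python
import ipaddress


class SocialVpnNode:
    """One endpoint: a stable overlay ID plus a private subnet of its own choosing."""

    def __init__(self, overlay_id, subnet):
        self.overlay_id = overlay_id
        self._free = iter(ipaddress.ip_network(subnet).hosts())
        self.local_ip = str(next(self._free))  # first host address is the node itself
        self.peer_to_local = {}  # overlay ID of a peer -> the IP this node uses for it
        self.local_to_peer = {}  # local IP -> overlay ID of the peer behind it

    def add_peer(self, overlay_id):
        """Map a newly discovered social peer to the next free local address."""
        if overlay_id not in self.peer_to_local:
            ip = str(next(self._free))
            self.peer_to_local[overlay_id] = ip
            self.local_to_peer[ip] = overlay_id
        return self.peer_to_local[overlay_id]

    def egress(self, src_ip, dst_ip):
        """VNIC -> overlay: rewrite (local src, local dst) to (src ID, dst ID)."""
        if src_ip != self.local_ip:
            raise ValueError("packet source is not this node")
        if dst_ip not in self.local_to_peer:
            raise KeyError("no tunnel: destination is not a known peer")
        return (self.overlay_id, self.local_to_peer[dst_ip])

    def ingress(self, src_id, dst_id):
        """Overlay -> VNIC: rewrite IDs back into this node's own address space."""
        if dst_id != self.overlay_id:
            raise ValueError("packet is not addressed to this node")
        if src_id not in self.peer_to_local:
            raise KeyError("no tunnel: sender is not a known peer")
        return (self.peer_to_local[src_id], self.local_ip)


def demo():
    """Alice -> Ann, with each side on a different private subnet (constructed values)."""
    alice = SocialVpnNode("AliceOverlayID", "10.10.1.0/24")   # Alice sees 10.10.x.y
    ann = SocialVpnNode("AnnOverlayID", "172.16.1.0/24")      # Ann sees 172.16.x.y
    alice.add_peer("BobOverlayID")    # 10.10.1.2 at Alice, as on the slide
    alice.add_peer("AnnOverlayID")    # 10.10.1.3 at Alice, as on the slide
    ann.add_peer("BillOverlayID")     # 172.16.1.2 at Ann
    ann.add_peer("AliceOverlayID")    # next free slot at Ann: 172.16.1.3 here
    on_wire = alice.egress(alice.local_ip, alice.peer_to_local["AnnOverlayID"])
    delivered = ann.ingress(*on_wire)
    return on_wire, delivered
```

Because the maps are per node, two peers never need to agree on a subnet, and a packet from an overlay ID that was never mapped (no social link) has no local address to be delivered to.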

Page 8

SocialVPN Connection times
- 128 nodes on Amazon EC2, 450 nodes on PlanetLab
- Majority of links formed in less than a second
- DHT lookup, symmetric key exchange
- Few additional seconds for NAT traversal

Page 9

Per-node Bandwidth
- Small cost of maintaining overlay connections
- 1 KByte/s for 128 peers

Page 10

Trust relationships
- I manage who I trust - SocialVPN
  - Alice friend of Bob, Bob friend of Carol
  - Social VPN links: Alice <-> Bob, Bob <-> Carol
  - No direct connection between Alice and Carol
  - Self-signed certificates
  - Small-scale, ad-hoc; social VPN is not all-to-all connected
- I delegate trust to a third party - GroupVPN
  - Alice, Bob and Carol trust Trent, a group moderator
  - Social VPN links: A<->B, B<->C, A<->C
  - Trent acts as CA, signing as a side-effect of approving user
  - GroupVPN is all-to-all connected

Page 11

GroupVPN security management
- IPOP creates VPN links autonomously. But who decides on VPN membership? How to multiplex many virtual private IP overlays over the same P2P overlay?
- Key approaches:
  - Namespaces: separation of virtual IP address spaces
  - VPN configuration: Web-based group front-end to manage certificates, automatic signing and configuration
  - Centralized user and certificate management, decentralized VPN routing
  - Users create, configure VPN groups, namespaces
  - Group owner manages joining/leaving of a group
  - Certificate signing/revocation is automated
  - PKI infrastructure, simple usage model for virtual clusters
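The two trust models of pages 10 and 11 side by side, as an added example (not code from the slides or from IPOP): in SocialVPN a tunnel forms only between direct friends, and only when the self-signed key a peer presents matches the one fetched for it through the social network; in GroupVPN membership is whatever Trent has signed and not revoked, and members link all-to-all. Names, keys and the friendship graph are constructed, and signature verification is abstracted to comparing key fingerprints and issuer names.

```python
import hashlib
from itertools import combinations


def fingerprint(public_key):
    """Digest of a (constructed, string-valued) public key; stands in for a cert fingerprint."""
    return hashlib.sha256(public_key.encode()).hexdigest()


def socialvpn_links(published, presented, friendships):
    """SocialVPN: self-signed certs, trust managed by each user. A link exists only
    between direct friends, and only if the key each side presents at tunnel setup
    matches the key retrieved for it through the social network API."""
    links = set()
    for a, b in friendships:
        if all(fingerprint(published[x]) == fingerprint(presented[x]) for x in (a, b)):
            links.add(frozenset((a, b)))
    return links


def groupvpn_links(group_ca, certs, revoked=frozenset()):
    """GroupVPN: trust delegated to the moderator. A member is anyone whose cert was
    issued by the group CA and is not revoked; approved members are linked all-to-all."""
    members = {subject for subject, issuer in certs.items()
               if issuer == group_ca and subject not in revoked}
    return {frozenset(pair) for pair in combinations(sorted(members), 2)}


def demo():
    """Page 10's scenario: Alice-Bob and Bob-Carol are friends; Trent moderates the group."""
    published = {"Alice": "pk-alice", "Bob": "pk-bob", "Carol": "pk-carol"}
    friendships = [("Alice", "Bob"), ("Bob", "Carol")]
    social = socialvpn_links(published, dict(published), friendships)
    # Constructed mismatch: the key presented for Carol is not the one on her profile,
    # so the Bob-Carol tunnel must not be created even though they are friends.
    tampered = dict(published, Carol="pk-other")
    social_rejected = socialvpn_links(published, tampered, friendships)
    certs = {"Alice": "Trent", "Bob": "Trent", "Carol": "Trent", "Dave": "Dave"}
    group = groupvpn_links("Trent", certs)                      # Dave is self-signed: out
    group_after_revocation = groupvpn_links("Trent", certs, revoked={"Carol"})
    return social, social_rejected, group, group_after_revocation
```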