Brief-out: Isolation Working Group - PowerPoint PPT Presentation

1 / 11
About This Presentation
Title:

Brief-out: Isolation Working Group

Description:

Title: PowerPoint Presentation Last modified by: Kenneth P. Birman Created Date: 1/1/1601 12:00:00 AM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:46
Avg rating:3.0/5.0
Slides: 12
Provided by: researchM122
Category:

less

Transcript and Presenter's Notes

Title: Brief-out: Isolation Working Group


1
Brief-out Isolation Working Group
  • Topic discussion leader Ken Birman

2
Isolation
  • Right now we have firewalls, VPNs, networks that
    are physically disjoint
  • Question Could we invent some new architectural
    abstraction to make it easier to isolate a subnet
    and yet have it also be part of the larger
    Internet?
  • Success enables a federation of subnets a
    heirarchy of domains operated using distinct
    policies and perhaps even incompatible
    technologies

3
Basic Understanding
  • Isolation has boundary, physical and even
    application-level ramifications
  • This recognition leads us to a multi-edged goal
  • Even in current networks, we need new and more
    flexible options for isolating systems and
    resources from undesired influences
  • We are also seeing emerging needs to isolate
    subnets for purposes such as security, QoS,
    sensitive data, special AUPs, etc. Existing
    options (like firewalls) are inadequate
  • In the limit, a kind of multiverse with
    multiple side-by-side networks connected by
    controlled tunnels

4
Value proposition
  • Fault-containment seen as an irresistible draw
    for many potential enterprise users
  • Such users would also benefit from improvement
    options for specifying desired management policy
  • Value may be measurable by enumerating cases
    where lack of isolation technology resulted in
    costly failures.
  • Potentially huge new opportunity for QoS and
    multimedia-enabled applications frustrated by
    current IP networks, which have poor isolation
  • Microsoft has invested billions on such
    applications

5
Research Challenges
  1. How to express, store and implement properties of
    networks and applications, specify desired
    policy, verify that policy is being adhered to
  2. Composition and tunneling between otherwise
    isolated subnets
  3. Network admission control policies for isolated
    subsystems, with the usual issues of
    authentication, authorization, enforcement
  4. Are there unimplementable forms of isolation?
  5. Are there forms of isolation that can only be
    supported on bare-bones hardware (as opposed to
    overlays on existing IP networks)?

6
Research Challenges
  1. What sorts of client-side or O/S mechanisms are
    required in support of a new generation of
    networks offering isolation for network traffic?
  2. What are ramifications of isolation in hosts,
    infrastructure components? Network is not just
    wires
  3. Could we improve the behavior of wireless
    networks to improve isolation (in the sense of
    fair sharing, security, non-interference)?
  4. Isolation evokes a future world of hierarchical
    administration, provisioning, administration
    tools how to build these?

7
Research Challenges (cont)
  • How to strike appropriate balance between need
    for trust, authorization, resource control and
    management, enforcement of scoped AUPs
  • Isolation could be a powerful architecture tool
    for those who design and manage networks today.
    But we lack the needed architectural abstractions
    and need to invent them
  • Can a system offering interesting isolation
    properties scale as well as the Internet does?
    (Would it need to? Perhaps isolated subnetworks
    are usually more limited in scope and more
    homogeneous)

8
Research Challenges (cont)
  1. Are there automated ways to discover and assemble
    policy information in a decentralized world where
    each scope might define its own policies?
  2. How would one implement exception handling in a
    hierarchical world where isolated subnetworks
    might view the same event in different ways
    (your exception is my bread-and-butter)
  3. Theory of isolation Formally characterize
    conditions under which isolation is compatible
    with sharing resources (Recall that isolation is
    trivial if we dont share anything)

9
Can it be done?
  • Question is too broad depends what it means.
    We concluded that at least some of these goals
    can definitely be achieved
  • Even an architectural building block would
    represent a valuable step forward
  • Need to separate concept of isolation from
    question of what those isolated subnets might be
    doing one can imagine many behaviors subnets
    could possibly implement

10
Enablers for Progress, Partnering
  • Two technical enablers
  • Need a standard way to partition traffic and
    route relevant traffic (only) into appropriate
    subset
  • Possible O/S requirement Might VMMs be required
    for an O/S to enable isolation in multi-homed
    setups?
  • NSF GENI initiative seen as very promising, could
    bring a community together with a focus on this
    issue (if this issue emerges as a key priority)
  • Industry/academic partnership could try to
    articulate value proposition in ways that will
    motivate government to act.

11
Conclusions
  • Our breakout group believes this topic is quite
    promising
  • It would be hard to do, but seems feasible
  • Has ramifications in many dimensions
  • Impact of success could be very significant
Write a Comment
User Comments (0)
About PowerShow.com