IF-MAP and GENI Richard Kagan – Infoblox

Presentation Transcript


  1. IF-MAP and GENI. Richard Kagan – Infoblox

  2. Recurring Metadata Exchange Challenges in GENI
  • Define data models for objects
    • Devices, aggregates, slices, experiments, measurements, …
  • Create associated schemas
  • Enable data sharing at varying levels of scale
    • Within & across slices, aggregates, control frameworks, etc.
  • Accommodate a number of desired characteristics, e.g.:
    • Expressive, extensible modeling language
    • Frequent/rapid schema changes
    • Scalable and real-time
    • Message bus and database services
    • Multi-layer security (authentication, authorization, transport security, etc.)
    • Easy to implement & debug, available/tested code, supported, …

  3. IF-MAP Can Address Many GENI Requirements
  • IF-MAP = "Interface to Metadata Access Point"
  • Open standard published by the Trusted Computing Group (TCG)
  • Version 1.0 released in 2008, 1.1 in 2009, 2.0 in 2010
  • Key features:
    • Client/server protocol, very lightweight client
    • Pub/sub paradigm, with or without persistence (i.e. both message bus and database)
    • All objects & metadata expressed as XML documents
    • Current binding is to SOAP/HTTPS; other bindings supported (e.g. SOAPless)
    • Graph database with no pre-defined global schema
    • Automatic correlation
    • Federation, authorization, …
  • Available in open-source and commercial implementations
  • Used in production today (Boeing, LANL, Deutsche Bank, etc.)

  4. A Network Security Use Case: Dynamic, Policy-Based Access Control for Unmanaged Endpoints
  (Diagram: Windows 802.1X client (MAC 00:11:22:33:44:55) → Cisco 3750 switch → Juniper IC 4000 UAC (AAA) ↔ Infoblox HA pair DHCP/DNS appliance ↔ Infoblox HA pair MAP server ↔ Juniper SSG firewall → Private Applications. MAP database contents after the flow: identity = John; MAC = 00:11:22:33:44:55; IP = 192.0.2.7; access-request = 113:3; links authenticated-as, access-request-mac and IP-MAC; capability = access-private-applications.)
  1- Endpoint plugs in
  2- SW sends EAP Start
  3- Supplicant sends credentials
  4- SW sends RADIUS credential to UAC
  5- UAC does auth. lookup (user = John)
  6- UAC publishes to MAP
  7- UAC subscribes to MAP
  8- UAC sends RADIUS accept to SW
  9- SW opens port
  10- Endpoint requests DHCP
  11- DHCP sends MAC-IP metadata to MAP
  12- MAP sends IP-MAC to UAC (CHANGE? CHANGE!)
  13- UAC activates L3 access on FW (IP = 192.0.2.7)
  14- Endpoint generates traffic

  5. IF-MAP Federation for Next Gen EDUROAM Service
  • EDUROAM enables students/faculty/researchers to get network access away from home
  • JANET (the UK research and education network) needs to track roaming activity without direct access to university AAA systems
    • Local RADSEC servers publish user/location data to the local MAP server
    • JANET's central MAP server subscribes to changes on the university MAP servers
  (Diagram: Univ A, B, C and D each run RADSEC servers and a local IF-MAP server; JANET's central IF-MAP server holds federation subscriptions to each of them. Example: Jjames@univB.edu roams to University A, whose IF-MAP client resolves "Jjames, roaming from University B: OK!")

  6. GENI Use Case (#1): MDOD Repository for I&M (project sponsored by the I&M WG)
  • IF-MAP: open protocol standard published by the Trusted Computing Group
  • Pub/sub database, "like Facebook for IP devices and systems"
  • Automatically aggregates, correlates, and distributes data to and from different systems, in real time
  • IF-MAP Server may be: GENI Clearinghouse / Measurement Information Service / Measurement Data Archive Service / Measurement Analysis and Presentation Service … many more
  (Diagram: GENI aggregates and control frameworks (ION, Internet2, RENCI/BEN, protoGENI, LEARN, ORCA, PlanetLab; optical bandwidth provisioning, mobility, switches/routers, routing, security, data transfer; Aggregate A computer cluster, Aggregate B backbone net, Aggregate C metro wireless), each with a MAP client speaking the IF-MAP protocol (publish, subscribe, search) to a MAP server; experimenter, operator and researcher roles; slice, experiments, components, Measurement Point services and the Measurement Information Service.)
  MDOD (measurement_data_object_descriptor) schema sketch:
    identifiers
      identifier [required]: rank = primary|secondary (= primary); type = urn|variable|key|token (= urn); source = holderid_1 … holderid_n; value = text, where urn = domain:subdomain+object_type+object_name, e.g. geni.net:holder_1.org+object_type+object_name
      identifier [optional]: rank = primary|secondary (= secondary)
    title = text [optional]; abstract = text [optional]; subject = text [optional]; keywords = text [optional]
    annotation [optional]: user_id = text; date_time = text; entry = text
    annotation [optional] …
  Experimenter / I&M service workflow against the MDOD IF-MAP server:
  • Start experiment, publish initial MDOD on MAP server
  • Subscribe to and/or search MDOD; persistent query on MDOD updates
  • Update/publish MDOD from the Measurement Point Service to the MAP server
  • Modify MDOD schema: extend attributes and metadata, adding any number of attributes
  • Search MDOD with filter options
  • Delete all MD at MAP server

  7. IF-MAP Could Have Many Uses in GENI
  • Registry
  • Clearinghouse
  • Rendezvous
  • Cross-domain federation (GPO, GNOC, .edu, .gov, etc.)

  8. Questions? • rkagan@infoblox.com • bwarren@infoblox.com • www.if-map.org

  9. IF-MAP Technology Overview

  10. IF-MAP Could Address a Number of GENI Use Cases
  (Diagram: GENI aggregates and control frameworks (ION, Internet2, RENCI/BEN, protoGENI, LEARN, ORCA, PlanetLab; optical bandwidth provisioning, mobility, switches/routers, routing, security, data transfer) and experiments all speak the IF-MAP protocol (publish, subscribe, search) to a central IF-MAP Server. Possible use cases: GENI Clearinghouse, Measurement Information Service, GMOC Interface, … many more.)

  11. IF-MAP Components
  • IF-MAP Client(s) ↔ IF-MAP Server
  • IF-MAP Client Operations: Publish, Subscribe, Search
  • MAP Server Objects: Identifiers, Links, Metadata
  (Example metadata attached to one user identifier: User Name = John Doe; distinguished-name = C=US, O=myco, OU=people, CN=12534; Department = Sales; employee-attribute = active; failed-login-attempts = 3; login-status = allowed; role = access-finance-server-allowed)

  12. IF-MAP Access Operations
  • Publish ("Tell others that… <metadata…>"):
    • Clients store metadata into MAP for others to see
    • Example: Authentication server publishes when a user logs in (or out)
  • Search ("Tell me if… match(metadata pattern)"):
    • Clients retrieve published metadata associated with a particular identifier and linked identifiers
    • Example: An application can request the current physical location of the user
  • Subscribe ("Tell me when… match(metadata pattern)"):
    • Clients request asynchronous results for searches that match when others publish new metadata
    • Example: Tell me when any user's status goes from "employee" to "terminated"
  • *Notify (a special case of Publish):
    • Clients publish metadata, usually transient events, that are not stored in the MAP database (but they trigger subscriptions, like a message bus)
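The four operations above and the slide 4 access-control flow are easiest to see on a toy MAP. The following is an added example written for this transcript; it is not Infoblox, TCG or any open-source IF-MAP stack code, and it uses an in-memory graph instead of the SOAP/HTTPS binding. Identifier types and metadata names (access-request 113:3, identity John, authenticated-as, access-request-mac, ip-mac, capability) are taken from the slides; the "uac", "dhcp" and "ids" publisher names, the timestamp and the two-link search depth are assumptions. It replays steps 6, 7, 11 and 12 of slide 4: the UAC publishes what it knows about the session and subscribes on the access-request; when the DHCP server publishes the ip-mac link, the subscription result grows to include the IP, which is what lets the UAC program the firewall in step 13.

```python
from collections import defaultdict, deque


class MapServer:
    """Identifiers are (type, value) tuples; a link is the frozenset of two
    identifiers; metadata is a list of (name, attributes) on either."""

    def __init__(self):
        self.node_md = defaultdict(list)   # identifier -> [(name, attrs)]
        self.link_md = defaultdict(list)   # frozenset({a, b}) -> [(name, attrs)]
        self.subs = {}                     # sub_name -> (start, depth, callback, last_result)

    # -- search: every identifier reachable from `start` within `depth` links --
    def search(self, start, depth):
        seen, frontier = {start}, deque([(start, 0)])
        while frontier:
            node, d = frontier.popleft()
            if d == depth:
                continue
            for link, md in self.link_md.items():
                if node in link and md:            # a link exists only while it carries metadata
                    (other,) = link - {node}
                    if other not in seen:
                        seen.add(other)
                        frontier.append((other, d + 1))
        return {n: [name for name, _ in self.node_md.get(n, [])] for n in sorted(seen)}

    # -- publish: update stores metadata, delete removes it, notify only signals --
    def publish_update(self, publisher, name, a, b=None, **attrs):
        store = self.node_md[a] if b is None else self.link_md[frozenset((a, b))]
        store.append((name, {"publisher": publisher, **attrs}))   # server stamps the publisher
        self._poll_subscriptions()

    def publish_delete(self, name, a, b=None):
        store = self.node_md[a] if b is None else self.link_md[frozenset((a, b))]
        store[:] = [m for m in store if m[0] != name]
        self._poll_subscriptions()

    def publish_notify(self, publisher, name, a, **attrs):
        # Nothing is stored; subscriptions whose current search result covers `a`
        # are handed the event once, like a message bus.
        for sub_name, (start, depth, cb, _) in list(self.subs.items()):
            if a in self.search(start, depth):
                cb(sub_name, "notify", {name: {"publisher": publisher, **attrs}})

    # -- subscribe: a standing search; the callback fires whenever its result changes --
    def subscribe(self, sub_name, start, depth, callback):
        result = self.search(start, depth)
        self.subs[sub_name] = (start, depth, callback, result)
        callback(sub_name, "search", result)

    def _poll_subscriptions(self):
        for sub_name, (start, depth, cb, last) in list(self.subs.items()):
            now = self.search(start, depth)
            if now != last:
                self.subs[sub_name] = (start, depth, cb, now)
                cb(sub_name, "update", now)


def slide4_scenario():
    """Replay steps 6-13 of the access-control use case.  Returns the IP address
    the UAC learns for access-request 113:3 and the events its subscription saw."""
    mapsrv, events = MapServer(), []
    ar, user = ("access-request", "113:3"), ("identity", "John")
    mac, ip = ("mac-address", "00:11:22:33:44:55"), ("ip-address", "192.0.2.7")

    def uac_callback(sub, kind, result):          # the UAC's subscription handler
        events.append((sub, kind, sorted(result)))

    # 6: after 802.1X succeeds the UAC publishes what it knows about the session
    mapsrv.publish_update("uac", "authenticated-as", ar, user)
    mapsrv.publish_update("uac", "access-request-mac", ar, mac)
    mapsrv.publish_update("uac", "capability", ar, capability="access-private-applications")
    # 7: the UAC subscribes to everything within two links of the access-request
    mapsrv.subscribe("ar-113:3", ar, 2, uac_callback)
    # 11: the DHCP server publishes the lease as ip-mac metadata on the MAC<->IP link
    mapsrv.publish_update("dhcp", "ip-mac", mac, ip, start_time="2011-08-01T10:00:00Z")
    # 12: the subscription update now reaches the IP.  Before acting on it (13),
    # check who published the correlation: any client allowed to publish ip-mac
    # could otherwise steer an authorization decision.
    if not all(attrs["publisher"] == "dhcp" for _, attrs in mapsrv.link_md[frozenset((mac, ip))]):
        raise RuntimeError("ip-mac published by an unexpected client")
    learned = [value for (kind, value), _ in mapsrv.search(ar, 2).items() if kind == "ip-address"]
    # a transient event (notify) is stored nowhere but still reaches the live subscription
    mapsrv.publish_notify("ids", "alert", ip, severity="high")
    return learned, events


if __name__ == "__main__":
    print(slide4_scenario())
```

The `publisher` attribute stands in for the publisher id a real IF-MAP server stamps on stored metadata; the check before step 13 is the practical point of the example, since the MAP itself only correlates, it does not vouch for who is allowed to assert an IP-to-MAC binding.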

  13. IF-MAP Server: Identifiers, Links, and Metadata
  (Diagram: identifiers joined by links, with metadata attached both to identifiers and to links.)

  14. Today, Systems Share the IP Network, But Don't Share Data
  (Diagram: Physical Security, Network Location, Network Security, … each drawn as a separate silo of Sensors & Actuators, Decisions (Control), and Provisioning, Visualization & Analytics (Management).)

  15. IF-MAP Doesn’t Replace Existing Systems & Applications – It Enables Them to Easily Share Data Physical Security Network Location Network Security … Provisioning, Visualization & Analytics (Management) IF-MAP Server Decisions (Control) Sensors & Actuators

  16. Vendor and Open Source Support for IF-MAP is Growing
  • Additional vendors are working with IF-MAP (e.g. Arista, Aruba, …)

  17. Dynamic Network Security Use Cases in Fed, Finance and Manufacturing Verticals are Driving Adoption

  18. IF-MAP is Being Actively Pursued in Key Academic & Commercial Research Programs

  22. The IF-MAP Standard has Multiple Parts
  • The official TCG standard is divided into two categories:
    • IF-MAP "Base Protocol" (only one spec)
    • IF-MAP Metadata for <XXX> (where XXX = some industry or use case)
  • The Base Protocol specifies the basic IF-MAP operations:
    • Publish, Subscribe, Search, Session Management, etc.
  • It also defines the 5 standard Identifier Types:
    • Identity (e.g. a user; 12 different sub-types including email address, FQDN, Kerberos principal, etc.)
    • IP Address (v4 or v6)
    • MAC address (six octets, e.g. AA:BB:CC:DD:EE:FF)
    • Access Request (Authenticator ID, Flow ID)
    • Device (ASCII string)
  • Metadata specs are published independently from the Base Protocol
    • Today, one spec has been published: IF-MAP Metadata for Network Security 1.0
    • Others are in process:
      • IF-MAP Metadata for Industrial Control Systems
      • IF-MAP Metadata for Trusted Multitenant Infrastructure (i.e. clouds)
    • Any vendor, customer or industry group can define their own metadata

  23. Users and Vendors can Define Metadata at Runtime
  • Any compliant IF-MAP server will accept user-defined metadata
    • All that is required is a unique name within a specified namespace, and conformance with a few simple rules (number of attributes, length, etc.)
    • The IF-MAP server will support all operations on it: publish, subscribe, search, notify
    • No need to configure the IF-MAP server to support custom metadata
  • Some examples of user- and industry-defined metadata:
    • Student ID (for University XYZ)
    • Asset tag number (for company ABC)
    • Software version # (for vendor PQR)
    • Operating parameters 1, 2, 3, 4, … (for product PPP)
  • If an industry group agrees, they can submit metadata definitions to the TCG for publication as "IF-MAP Metadata for <My Industry>"
    • No need to wait for TCG ratification to use custom metadata
  • This is a VERY powerful feature of IF-MAP
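Slides 22 and 23 together describe what a publisher actually has to get right: the five base identifier types, and a namespace-qualified name plus a cardinality for any custom metadata. The following is an added example written for this transcript, not TCG, Infoblox or open-source stack code. Element and attribute names (`ip-address`, `mac-address`, `identity`, `access-request`, `device`, `ifmap-cardinality`, `session-id`, `lifetime`) and the 2010 IF-MAP 2.0 namespace URI follow the base protocol as the editor recalls it and should be verified against the spec; the university namespace URI, the `student-id` field names, and the identity sub-type list (a subset, not all twelve) are assumptions. The practical point is canonicalisation: identifiers are compared as strings, so a MAC written `00-11-AA-33-44-55` by one client and `00:11:aa:33:44:55` by another would become two unrelated nodes and nothing would correlate.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

IFMAP_NS = "http://www.trustedcomputinggroup.org/2010/IFMAP/2"   # IF-MAP 2.0 base protocol (as recalled)
UNIV_NS = "urn:example:university-xyz:ifmap-metadata"            # invented vendor namespace

# identity sub-types from the base protocol (as recalled; not the full list)
IDENTITY_TYPES = {"username", "email-address", "dns-name", "distinguished-name",
                  "kerberos-principal", "aik-name", "sip-uri", "tel-uri", "hip-hit", "other"}
_MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-]?[0-9a-f]{2}){5}$", re.I)


def canonical_mac(value):
    """Accept 00:11:AA:33:44:55, 00-11-aa-33-44-55 or 0011aa334455; emit the
    lower-case colon form so every publisher lands on the same MAP node."""
    value = value.strip()
    if not _MAC_RE.match(value):
        raise ValueError(f"not a 6-octet MAC address: {value!r}")
    digits = re.sub(r"[^0-9a-f]", "", value.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def canonical_ip(value):
    """Return (canonical text, 'IPv4'|'IPv6'); ipaddress rejects junk and
    collapses IPv6 spellings such as 2001:0db8:0000::1 to 2001:db8::1."""
    addr = ipaddress.ip_address(value.strip())
    return str(addr), f"IPv{addr.version}"


def identifier(kind, value, *, identity_type="username", admin_domain=None):
    """Build the identifier element for one of the five base types."""
    if kind == "mac-address":
        el = ET.Element("mac-address", value=canonical_mac(value))
    elif kind == "ip-address":
        text, family = canonical_ip(value)
        el = ET.Element("ip-address", value=text, type=family)
    elif kind == "identity":
        if identity_type not in IDENTITY_TYPES:
            raise ValueError(f"unknown identity type {identity_type!r}")
        el = ET.Element("identity", name=value, type=identity_type)
    elif kind == "access-request":
        el = ET.Element("access-request", name=value)
    elif kind == "device":
        el = ET.Element("device")
        ET.SubElement(el, "name").text = value
    else:
        raise ValueError(f"unknown identifier type {kind!r}")
    if admin_domain:
        el.set("administrative-domain", admin_domain)
    return el


def custom_metadata(ns, name, cardinality, **fields):
    """Vendor metadata needs only a namespace-qualified name and a cardinality;
    child elements carry the fields and the server stores them as-is."""
    if cardinality not in ("singleValue", "multiValue"):
        raise ValueError("ifmap-cardinality must be singleValue or multiValue")
    el = ET.Element(f"{{{ns}}}{name}", {"ifmap-cardinality": cardinality})
    for key, val in fields.items():
        ET.SubElement(el, f"{{{ns}}}{key.replace('_', '-')}").text = str(val)
    return el


def publish_update(session_id, identifiers, metadata, lifetime="session"):
    """Wrap one or two identifiers plus metadata into an <ifmap:publish><update>
    body (the SOAP envelope around it is omitted here)."""
    pub = ET.Element(f"{{{IFMAP_NS}}}publish", {"session-id": session_id})
    upd = ET.SubElement(pub, "update", lifetime=lifetime)
    upd.extend(identifiers)
    ET.SubElement(upd, "metadata").extend(metadata)
    return pub


if __name__ == "__main__":
    # constructed sample: University XYZ tags John's identity with a student ID
    req = publish_update("s-1", [identifier("identity", "John", admin_domain="univ-xyz.edu")],
                         [custom_metadata(UNIV_NS, "student-id", "singleValue", value="12534")])
    print(ET.tostring(req, encoding="unicode"))
```

Note that the five-octet `AA:BB:CC:DD:EE` form is rejected by `canonical_mac`; a publisher that let such values through would create dangling MAC nodes that no DHCP-side `ip-mac` link ever attaches to.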

  24. IF-MAP Sample Use Cases

  25. Use Case – Integrated Network / Physical Security Solution
  (Diagram: Zone 1 and Zone 2 of a secure facility; a Hirsch system (physical sensor / card reader), Juniper IC 4000 UAC appliance, Infoblox MAP server, Cisco 3750 switch and Juniper SSG firewall in front of a Classified Network. MAP database contents: authenticated identity = John; Access-request = 113:3; location = Zone 1, later location = Zone 2.)
  1- Employee (John) enters Zone 1
  2- Hirsch system publishes to the MAP server ("Publish: John in Zone 1")
  3- Employee requests access to the network
  4- UAC publishes to the MAP server ("Publish: John is Authenticated; Session ID 113:3")
  5- UAC subscribes to the MAP server ("Subscribe: Changes to Session 113:3")
  6- UAC grants access to the corporate network
  7- Employee connects to the classified network
  8- Employee leaves Zone 1, while still logged in
  9- Card reader publishes the update to the MAP ("Publish: John in Zone 2")
  10- MAP updates UAC about the location change ("Subscription Update: John in Zone 2"; CHANGE? CHANGE!)
  11- UAC updates firewall policy to block access ("Policy Violation: Access Cut Off")
  12- UAC publishes the update to the MAP ("Publish (delete): John is Authenticated")

  26. Use Case: Real-Time CMDB
  (Diagram: on the managed network a device with MAC 00:11:22:33:44:55 obtains IP 10.0.1.57 from the Infoblox DHCP server, which publishes IP-MAC metadata to the Infoblox MAP server. A MAP subscription hands the new IP-MAC to the Infoblox NetMRI discovery engine, which invokes discovery of that IP; the discovery results (from discovery sensors/agents) go to the topology builder, whose MAP client updates the CMDB. Other entries shown in the MAP database: IP 10.0.1.17; IP 10.0.1.55 with MAC 00:11:AA:33:44:55; MAC 00:11:11:33:44:55.)

  27. Inter-Cloud Registry Helps Cloud Providers and Users to Match Workload Needs with Cloud Assets
  (Diagram, drawn as an IF-MAP graph: Virtual Network identifiers are "member of" a Cloud; Virtual Machines are "member of" a Virtual Network; each Virtual Machine is "assigned to" its MAC Address and IP Address identifiers, and a "runs on" link ties a Virtual Machine to the host it executes on.)

  28. (GENI I&M flow through the Global MAP Server)
  (Diagram: Experimenter X, Researcher Y, Clearing House, Global MAP Server, Measurement Orchestration service, Measurement Point service, Transaction sharing ECS service, the experimenter's slice, and I&M service events. MAP identifiers: identity = slice (owned by experimenter A), identity = experiment (runs_in slice), identity = Researcher X, identity = MDOD-id. MDOD fields shown in the MAP database: Holder (type, value, …), Locator (collection_policy, …), Descriptor (collection_geographic_start_date_time, …).)
  1- Experimenter X requests a slice from the Clearing House
  2- Clearing House assigns the slice (identity = slice, owned by the experimenter)
  3- Experimenter starts the experiment (identity = experiment, runs_in slice)
  4- Experiment invokes the Measurement Orchestration (MO) service
  5- MO service registers the initial copy of the MDOD (identity = MDOD-id) on the Global MAP Server
  6- MO service invokes the Measurement Point (MP) service
  7- MP service probes the slice & gathers MD
  8- Final MDOD copy is registered
  9- Researcher Y asks for some MDOD or MD file
  10- Authorized info is fetched and given to the requesting experimenter

  29. Use Case: Federated IF-MAP Servers for UK EDUROAM Service
  • Enables login at remote universities / research centers using home login credentials
  • Serves 1.9 million users across 850 locations
  • Enabled today using RADIUS proxy
  • Service provider (JANET) maintains database of roaming activity
  (Diagram: Univ A, B, C and D each run a RADIUS server behind the JANET RADIUS proxy; roaming users Jsmith@univB.edu and Bbaker@univD.edu; "Bbaker, roaming from University D: OK!")

  30. Infoblox IF-MAP Products

  31. IF-MAP is Being Supported Across the DDI and NCCM Products – Delivering Integrated Solutions
  • Real-Time Network Automation: innovation increases network visibility and control
  (Diagram: Infoblox IBOS between Infoblox NetMRI (network infrastructure automation) and the Infoblox Grid (core services infrastructure automation: DNS, DHCP, IPAM).)

  32. Infoblox NIOS Appliances Support IF-MAP
  (Diagram: Infoblox NIOS appliance (DNS, DHCP, IPAM) publishing IP-MAC metadata (IP, MAC, start, duration, etc.) to the IF-MAP server, e.g. MAC = 00:11:AA:33:44:55, IP = 10.0.1.55.)
  • NIOS DHCP server dynamically updates the IF-MAP server when IPs are allocated, renewed, or released
  • Config options:
    • Publish data at Grid/Member level for selected networks/ranges
    • Cert-based authentication
    • Delete previously published data
  • Publish IPv6 data (NIOS release):
    • DUIDs
    • MAC addresses extracted from DUIDs
    • IPv6 addresses

  33. Infoblox Orchestration Server (IBOS™) is the World's First Commercial MAP Server Appliance
  (Diagram: Infoblox Orchestration Server serving IF-MAP client systems for Network Security, Physical Security, Network Location, …)
  • Sold as a series of hardware appliances
  • Also available as VMware software appliances
  • Unique Infoblox capabilities far outstrip any other offerings
  • 2 patents in process
  • Deployed in production today, numerous POCs in process

  34. Infoblox IF-MAP Server Offers Significant Advantages

  35. Triggered Discovery and Triggered Jobs with Infoblox NIOS™, NetMRI and IBOS™ IF-MAP Server
  • NIOS is configured to publish IP/MAC metadata to IBOS
  • NetMRI is configured to subscribe to the "All IPs" global identifier in IBOS
  • Device connects to the network (today, endpoint devices only), gets an IP via DHCP from NIOS
  • NIOS DHCP server publishes IP/MAC metadata to IBOS
  • IBOS updates the NetMRI subscription, sending the new IP/MAC metadata to NetMRI
  • NetMRI initiates discovery at the new IP
  • After discovery, NetMRI can trigger a job:
    • Check the MAC address against a set of predefined lists (blacklist, whitelist, etc.) and take appropriate action, e.g. make an API call to NIOS to delete the DHCP lease, initiate a script, etc.
    • Bare-metal provisioning of infrastructure devices
    • …
  (Diagram: Infoblox IBOS between Infoblox NetMRI (network infrastructure automation) and the Infoblox Grid (core services infrastructure automation: DNS, DHCP, IPAM).)

  36. Today: Automation in Silos
  (Diagram: separate automation silos for Security (security infrastructure), Server/Applications infrastructure, Infoblox NetMRI (network infrastructure) and the Infoblox Grid (core services infrastructure: DNS, DHCP, IPAM).)

  37. Orchestration is a Key Element of Network Automation
  (Diagram: the same four automation silos, Security, Server/Applications infrastructure, Infoblox NetMRI (network infrastructure) and Infoblox Grid (core services: DNS, DHCP, IPAM), now tied together by an orchestration layer.)

  38. Open Interfaces Support Rich Orchestration – IF-MAP Provides Standardization
  (Diagram: the orchestration layer now also connects to 3rd-party RBA, CMDB, Service Desk & Change Management, Service Catalog and Performance Management systems alongside Security, Server/Applications infrastructure, Infoblox NetMRI (network infrastructure) and Infoblox Grid (core services: DNS, DHCP, IPAM) automation.)

  39. Resources – Documentation & Freeware
  • 3-minute video on IF-MAP on the Orchestration/IF-MAP Solutions page on infoblox.com: http://www.infoblox.com/en/solutions/technology-solutions/orchestration-if-map.html
  • www.if-map.org: IF-MAP community web site; includes links to open-source IF-MAP servers and other resources
  • www.trustedcomputinggroup.org: complete protocol specs, information on TPM, TNC, Trusted Storage and related topics
  • Infoblox IF-MAP Starter Kit: free for 90 days, $995 in the US for a perpetual license, 18% annual support
    • VMware IF-MAP appliance
    • Client simulator
    • Open-source client stacks (Perl, Java, C++)
    • Open-source SNMP-MAP bridge
    • Open-source connector to VMware (August 2011)
