Mihai Cristea

On-demand provisioning of Cloud and Grid based infrastructure services for collaborative projects and groups

Effective use of existing network and IT infrastructure can be achieved by providing combined network and IT resources on-demand as infrastructure services that are capable of supporting complex technological processes, scientific experiments, and collaborative groups of researchers and applications. This paper provides a short overview of existing standards and technologies and refers to ongoing projects. We also describe experiences in developing an architectural framework and tools for combined on-demand network and Grid/Cloud service provisioning. The paper proposes an architectural framework for on-demand infrastructure service provisioning comprising of three main components: the Composable Services Architecture (CSA) that intends to provide a conceptual and methodological framework for developing dynamically configurable virtualised infrastructure services; the Infrastructure Services Modeling Framework (ISMF) that provides a basis for the infrastructure resources virtualisation and management, including description, discovery, modeling, composition and monitoring; and the Service Delivery Framework (SDF) that provides a basis for defining the whole composable services life cycle management and supporting infrastructure services. We discuss implementation suggestions for the defined architectural components and provides information about the ongoing developments of the GEMBus which is considered as a middleware framework for CSA.

XACML Policy Profile for Multidomain Network Resource Provisioning and Supporting Authorisation Infrastructure

Policy definition is an important component of the consistent authorisation service infrastructure that could be effectively integrated with the general resource provisioning workflow and network control and management plane. The paper describes the proposed XACML-NRP policy and attributes profile for Network Resource Provisioning. In addition to specifying a set of subject, resource, action attributes that are required for consistent XACML policy definition, the proposed profile allows also handling network path information what is especially important for QoS enforcement. To overcome stateless character of XACML policies, the proposed authorisation infrastructure provides a number of security mechanisms to support such important for NRP functionality as authorisation session and interdomain security context management, simple delegation, conditional authorisation decisions, and policy obligations handling.

Authorisation infrastructure for on-demand network resource provisioning

High performance Grid applications require high speed network infrastructure that should be capable to provide network connectivity service on-demand. This paper presents results of the development of the Authorisation (AuthZ) infrastructure for on-demand multidomain network resource provisioning (NRP). We propose a general Complex Resource Provisioning (CRP) model that can be used as a basis for AuthZ infrastructure development providing a common abstraction for provisioning both network and Grid resources. This model allows common policy expressions, using single user sign-on credentials when requesting and accessing complex Grid-Network resources. The implementation described is based on the generic AAA Authorisation Framework (GAAA-AuthZ) and suggests a number of security mechanisms and components that extends GAAA-AuthZ to achieve consistent policy enforcement and security context management: Token Validation Service (TVS), AuthZ ticket used for AuthZ session management, a special XACML profile for NRP, reference model for policy obligations handling (OHRM). The proposed infrastructure and solutions are being implemented in the framework of the EU project Phosphorus and use authors experiences gained from the major Grid based and Grid oriented projects.

Multi-domain lightpath authorization, using tokens

This paper highlights the concepts and results of our research, leading to demonstrations during the period 2005-2007 to develop a flexible and simple access control model, and corresponding support tools to provision multi-domain optical network resources on demand. We introduce the general network resources provisioning model that extends the Generic AAA Authorisation sequences for multi-domain scenarios, and explain how token based access control and policy enforcement can be used during the provisioned resource access. To build a solid conceptual foundation for the proposed token, based access control, the paper revisits existing token definition and proposes a new definition in the context of our research. We subsequently show the use of tokens during different stages of the lightpath provisioning process. The paper identifies and describes two major scenarios in multidomain lightpath provisioning: the chain and tree approaches. The proposed token concept allows a simple combination of access control enforcement at different networking layers: the packet layer, the path layer, and the service layer. We end with a brief description of a few demonstrations that proves the proposed concepts and illustrates its acceptance by a wider networking community.

Interactive Control over a Programmable Computer Network Using a Multi-touch Surface

This article introduces the Interactive Network concept and describes the design and implementation of the first prototype. In an Interactive Network humans become an integral part of the control system to manage programmable networks and grid networks. The implementation consists of a multi-touch table that allows multiple persons to manage and monitor a programmable network simultaneously. The amount of interactive control of the multi-touch interface is illustrated by the ability to create and manipulate paths, which are either end-to-end, multicast or paths that contain loops. First experiences with the multi-touch table show its potential for collaborative management of large-scale infrastructures.

Application Framework for Programmable Network Control

We present a framework that enables application developers to create complex and application specific network services. The essence of our approach is to utilize programmable network elements to create a software representation of network elements in the application. We show that the typical pattern of an application specific network service is a control loop in which topology, paths, and services are continuously monitored and adjusted to match application specific qualities. We present a platform in which network control applications can be developed and illustrate possible use cases. Based on these use cases, new research questions are identified.

Network Resource Control for Grid Workflow Management Systems

Grid workflow management systems automate the orchestration of scientific applications with large computational and data processing needs, but lack control over network resources. Consequently, the management system cannot prevent multiple communication intensive applications to compete for network resources, which leads to unpredictable performance. Currently, the lack of control over network resources may prevent certain applications, i.e. applications that need high capacity and Quality of Service, to utilize Grids. Hence, such applications would use dedicated infrastructures. Because the costs to build dedicated infrastructures may far exceed the cost of using existing Grids, the Grid needs to support mechanisms to optimize the interworking between networks and applications. In this paper, we present the architecture and proof of concept to control network resources from Grid workflow management system and to manage network resources from workflow-enabled applications at run-time. Depending on the current network infrastructure capabilities or future advances, applications may employ existing QoS mechanisms or use application-specific ones to provide the desired network service. We believe that our approach leads to performance improvements in communication intensive applications and enables novel Grid applications, which require optimal interworking between networks and applications.

Supporting communities in programmable grid networks: gTBN

This paper presents the generalised Token Based Networking (gTBN) architecture, which enables dynamic binding of communities and their applications to specialised network services. gTBN uses protocol independent tokens to provide decoupling of authorisation from time of usage as well as identification of network traffic. The tokenised traffic allows specialised software components uploaded into network elements to execute services specific to communities. A reference implementation of gTBN over IPv4 is proposed as well as the presentation of our experiments. These experiments include validation tests of our test bed with common grid applications such as GridFTP, OpenMPI, and VLC. In addition, we present a firewalling use case based on gTBN.