End to end arguments in Virtualised System Design
We've come a long way in virtualisation (some would say around in a big circle, but that's a different blog entry). Now we have routine cloud services (commercial, public and private) based on VMs all over the place. We also have routine VPNs, at least in most layer 2 net setups, and (at much greater expense) as commercial offerings between large corporate sites.
What virtualisation does is combine two properties: statistical multiplexing (resource pooling) together with isolation (privacy). Some VMs and VPNs let you tune (for a price) the amount of resource pooling you are prepared to tolerate, which is the same as tuning how much isolation you are prepared to give up.
What seems to be lacking is a seamless integration of VM and VPN, and it does not appear to be a trivial thing to solve in a clean way. Obviously, one can simply map a service (e.g. a large Skywriting app running on a set of data centres) onto a VPN. But that isn't terribly useful in general. More typically, where there are resource pooling design goals at the network layer, they lie in serving a wide set of user demands from outside the VPN (e.g. a hose or sink-tree model).
So what should virtualised host+net look like as a building block, and what should the tools be to "provision" such things in an expressive, checkable, and simple way?
Seems like this is a good current challenge...
March 30th, 2011 - 18:23
Relevant paper at NSDI 2011 on moving network management tasks into end-hosts (rather than central management). Example apps are NAT, IDS, web cache, bandwidth allocation. Downside: needs trusted computing chip…
http://www.cs.umass.edu/~hardeep/ettm-nsdi.pdf