Proposal skelteon

12 Network Storage Services

The client-server model for storage systems has two drawbacks. The reliability and availability of the server machines rests heavily on the ability and honesty of the system administrators that manage the storage servers. An incompetent or malicious system administrator can discard all the data stored by a server or corrupt the data in ways that are hard to detect. Ironically, system administration is increasingly outsourced or handled by temporary employees. Additionally, the model relies on expensive server machines with high bandwidth network connections. Administering these machines to achieve high-availability is also expensive.

Recent research on large-scale peer-to-peer storage attempts to address both issues. The basic idea behind this research is to harness the aggregate storage capacity and bandwidth of a large number of inexpensive machines to eliminate the reliance on a small number of system administrators and reduce hardware and maintenance costs. These can be infrastructure machines placed strategically in the network to implement a large-scale storage utility or, in the extreme, it is possible to eliminate servers completely and implement algorithms that coordinate the client machines to provide the storage service.

There are several interesting research issues that need to be addressed to implement a usable peer-to-peer storage system: fault-tolerance, security, self-management, and scalability. Since peers are inexpensive machines without dedicated system administration, the reliability, availability, and security of individual peers is significantly lower than what can be achieved with a well-managed storage server. Therefore, it is necessary to develop appropriate replication algorithms to achieve the desired levels of reliability and availability, and to secure these algorithms against incompetent or malicious users. Additionally, these systems must be self-organizing to keep administration costs down. They must be able to work with machines joining and leaving the system continuously. Finally, these systems must be able to store very large amounts of data on behalf of a very large number of users. This scalability is necessary when implementing an Internet-scale storage utility or a storage system for a large corporation.

There have been a large number of projects on peer-to-peer storage systems over the last three years. Examples of such systems include OceanStore [Kubiatowicz et al 2000], Farsite [Bolosky et al 2000][Adya et al 2002], CFS [Dabek et al 2001], PAST [Rowstron and Druschel 2001b], Mnemosyne [Hand and Roscoe 2002] and XenoStore (see Pasta [Moreton et al 2002]). This chapter provides an overview of two CaberNet projects: Farsite and Past. These projects illustrate two interesting points in the design space: Farsite provides full file system semantics with shared mutable files and directories, while Past only provides storage for immutable objects but scales to larger systems.

Farsite [Bolosky et al 2000][Adya et al 2002] was designed to eliminate the need for storage servers in a large corporation. It coordinates the machines in the corporation to implement a reliable, highly available, and secure storage system. It is designed to scale up to 100,000 machines.

Any authorized user can publish a traditional hierarchical file system namespace in Farsite. It does this by choosing a set of nodes from the pool of available machines to implement the root directory. These nodes join a replica group that runs a practical Byzantine fault tolerant state machine replication algorithm (BFT [Castro and Liskov 2002]). This algorithm allows a group with 3f+1 replicas to work as a single correct machine provided at most f of replicas fail or are compromised by an attacker. The group maintains directory data for the namespace it manages but it does not store file contents, which represent the bulk of file system data. Instead, the group stores secure digests (e.g., SHA-1³²) of the latest versions of files and the identity of f+1 machines that store copies of the file. The machines that store copies of the file are chosen by the group from the pool of available machines.

To achieve scalability, a replica group can delegate a portion of the namespace that it manages to a new replica group when the old group becomes overloaded. The new group is selected by the members of the old group from the pool of available machines. Both groups maintain pointers to each other to enable navigation in the directory structure and cross-directory operations. Additionally, scalability is achieved by using leases and client caching of directory and file data.

[Rowstron and Druschel 2001b] describe a peer-to-peer archival storage utility called PAST that was designed to scale to the Internet. Files in PAST are immutable and can be shared at the discretion of their owner. PAST is built on top of Pastry [Rowstron and Druschel 2001a], which is a structured overlay that maps application keys to overlay nodes. Nodes have identifiers that are selected randomly from the same numeric space as keys. Pastry provides applications with a primitive to send a message to a destination key. The message is delivered to the node whose identifier is numerically closest to the key. Messages are delivered in O(log N) hops and nodes maintain only O(log N) routing state. Additionally, Pastry balances the key management and routing load evenly over all the nodes in the overlay.

PAST derives the key that identifies a file from the file contents using a secure hash function. It uses Pastry's routing primitive to store a file on the node that is responsible for its key. Additionally, the file is replicated on the set of k live nodes with identifiers numerically closest to the key. Pastry maintains information about these nodes and notifies applications when they change. PAST uses these notifications to move replicas to new nodes when nodes fail or new nodes join the system. Copies of the file are retrieved by sending a retrieve request to the file's key using Pastry's routing primitive. This provides reliability and high-availability and distributes storage load evenly over all nodes.

Pastry enables applications to intercept messages at each overlay hop. PAST uses this functionality to implement a dynamic caching mechanism to handle hotspots. Popular files are cached along Pastry routes towards the file's key to shield the nodes responsible for storing the replicas from excessive load. Security is achieved by using public-key cryptography and there has also been recent work on securing Pastry's routing mechanism and enabling the storage of mutable objects in PAST [Castro et al 2002].

There is also work on network attached storage devices that replace servers by a large number of less expensive devices connected by a very fast network in a cluster. This work does not address the issue of trust on system administrators but it reduces hardware costs and maintenance costs because it enables incremental scalability and repair. Ongoing work to correctly define the interfaces to network-attached storage is taking place mainly in the industrial arena through the auspices of the National Storage Industry Consortium (NSIC). Network storage interfaces can be classified by the amount of functionality provided by the device. High-level file interfaces such as NFS [NFS 1989] and CIFS [CIFS 1996] provide most of the functionality of file systems, and hence provide protection; low-level block-based interfaces such as iSCSI [Satran] provide the functionality of disks, because of their flexibility any file or database system can use them; it is intermediate-level interfaces that have been the subject of more recent research. Such interfaces attempt to combine the safety of high-level interfaces with the flexibility of low-level ones. Object-based interfaces [Gibson and van Meter 2000][Mesnier 2002] provide a middle ground between the two extremes, but they still provide such a high-level interface that devices must implement many functions which can benefit from application-specific policies. Commercial offerings of Storage Area Networks (SANs) also abound, with vendors such as IBM and HP shipping mature products.

A parallel research direction in the Network Storage Service area investigates architectures and techniques to improve the so-called “Quality of Experience” (QoE) [CacheFlow] that is the user satisfaction in accessing the content. Today the Content Delivery Networks (CDNs) are considered to be one of the most promising technologies in this area. The CDNs key approach to decreasing the user response time (the parameter that mainly contributes to the QoE) is to distribute content over servers (called surrogates) located close to the users. When a request for accessing content (e.g., an HTTP request) arrives, the CDN Request-Routing System (RRS) redirects it to the best surrogate, which provides a fast delivery of the content required. In general, the more surrogates are present, the better access and delivery service a CDN can provide. However, increasing the number of surrogates may imply high costs and requires a careful estimation of the number of resources necessary to provide a given delivery service. A different solution for a more flexible architecture consists in renting the resources on-demand. The idea of using federations of CDNs, also named Content Distribution Internetwork (CDIs) [Green et al 2002][Day et al 2003] was born to this end. A CDI allows different CDNs to share resources so as to enable each CDN to employ a large number of surrogates.

The CDI technology is a new research domain and the main ideas in this field are outlined in the RFCs and Internet drafts produced by the IETF CDI Working Group [IETF]. A number of aspects in this area should be investigated further to make this approach useful. Specifically, issues related to the Request-Routing Internetworking System (RRIS) [Cain et al 2002], i.e., the system responsible for redirecting the client request to the best CDN, have been recently analysed. The RRIS bases its decision on the performance data that are collected from the other CDNs. Such data represent the performance (e.g., response time, network delay, etc.) a CDN is able to deliver a given content in a given region in a given moment.

Due to the importance of the performance data, RIEPS (Routing Information Exchange Protocol for a Star Topology) [Turrini and Ghini 2003], a protocol that allows performance data to be exchanged among CDNs, has been implemented. The critical point of this type of protocol is to find out the right trade-off between the freshness of the information and the network load. The first parameter is quite important, as the performance data is totally useless if it does not reflect the real situation. On the other hand, the performance data that are usually considered in making forwarding decisions have a high variability. Thus maintaining the data performance coherent with the real situation may be quite expensive. To investigate the RIEPS behaviour, an experimental evaluation is needed. Moreover, since RIEPS is a protocol that allows the information necessary for each CDNs to perform request forwarding to be exchanged, it will be evaluated taking into consideration the effectiveness of the forwarding decisions based on the performance data that it exchanges. The RIEPS evaluation will also be performed with a larger scale approach. This means, in particular, that more than two CDNs will be considered. If a source CDN interacts with more than one destination, CDNs it may need different information from different CDNs. For instance, if the source CDN in a given moment realises that destination CDN A is providing much better performance compared with destination CDN B, it can ask CDN B to send performance data only if they are similar to the ones of the CDN A.

An issue that needs to be addressed for peer-to-peer network storage to be viable is the design of an incentive mechanism for peers to cooperate. Studies of Gnutella found that a large fraction of the peers are freeloaders, i.e., they use resources from the common pool without ever contributing any resources [Adar and Huberman 2000]. This is not a problem for storage systems inside a corporation or on infrastructure machines but it must be addressed when peers are random machines in the Internet. Additionally, more work is needed on systems that support mutable shared objects at Internet scale. Finally, it is necessary to deploy these systems and evaluate them in real everyday use. A detailed comparative analysis between peer-2-peer systems and traditional client-server architecture is necessary in order to outline the real potentialities of both systems and foresee their future development. This comparison should be done considering both the different nature of the two systems (goals, content managed, architecture) and also the performance provided (user response time, usability and resource availability).

In the CDI area many research directions are possible; specifically since RIEPS represents one of the first attempts of research in the CDI scenario, the interaction between RIEPS and other CDI components would be worth investigating.

More generally, we can expect to see the commoditization of storage, and more precisely the integration of storage services into the network model. Some initial work here should focus on logistical networking, that is, considering storage and communication as tightly coupled problems and designing solutions accordingly. Other challenges for the future include building effective personal storage networks, enhancing data availability in times of network outage or partition, increasing information security, and raising the semantic level of access interfaces.