CORDIS - EU research results

Research and Technological development for a TransAtlantic Grid

Deliverables

The DataTAG project produced an advance reservation system based on an extension of the GARA toolkit, which supports a novel network resource abstraction called “Path” and implements network resource allocation in a layered fashion by including the possibility to also allocate MPLS Label Switched Paths and Optical Light Paths, besides the existing IP Differentiated Services. The “Path” is a network resource that can be requested and/or used by an application in a number of ways. It can be static or dynamic, per-domain or end-to-end and can be shared by a collection of streams or used by a single flow. The MPLS Manager gives the possibility to dynamically allocate an MPLS Label Switched Path (LSP). The MPLS LSP supports the configuration of remote VLANs spanning remote network domains, so that traffic between elements of the VLAN can be associated to a user-specified Class of Service, e.g. IP Premium or Less than Best Effort. On the other hand, the Light Path Manager is a prototype tool that configures on-demand bidirectional Light paths crossing a chain of optical cross-connects. It can work in single domain as well as with multiple domains thanks to the inter-domain facilities offered by the AAA Architecture. The authentication and authorization of user requests are performed by AAA servers, but the DataTAG system interoperates with both the Globus Gatekeeper, adopted with the code released by the DataGrid project, and with the DataGrid User Interface. The advance reservation is the mechanism that allows the user to request the exclusive access to a set of resources that satisfy some user requirements in a future time span. An advance reservation request contains the full specification of the resources needed through a set of resource-specific attributes, and it supplies run-time information at a later stage through a binding operation. 
Then, the user who issues an advance reservation request has to be authenticated and authorized on the basis of a set of policy rules. An authorized request can only be granted if a resource that satisfies the user’s requirements is available in the specified time slot. The actual resource allocation is performed by a resource manager that hides the complexity of the resource-specific allocation tasks. During the reservation lifecycle the Grid Information System (GIS) provides vital information in a number of reservation phases. In particular, during the resource discovery it provides the list of resource instances that satisfy the user’s requirements, and for each instance, the information about its properties and its corresponding authentication/authorization server. The Generic Advance Reservation Architecture (GARA) adheres to the conceptual model above and implements an excellent prototype. The DataTAG advance reservation system takes GARA as its fundamental starting point and extends it in a number of ways. We have adopted a layered approach to resource management by adding new types of resource managers that are based on a variety of network technologies: the Light Path Manager, which works at the physical layer, and the MPLS Manager, which can provide both layer 2 and layer 3 services. In addition, we have extended the number of Per Domain Behaviours supported by the existing GARA Diffserv Manager. Grid users typically belong to a Virtual Organization (VO). VO members are recognized by Grid resources based on their identity or role within a VO. This deliverable describes how a network path is able to recognize VO members. The architecture develops the authentication and authorization component by including the use of the Virtual Organization Management Service (VOMS) and of the Generic AAA servers.
Thus, authentication and authorization can be performed in two alternative ways: either through a Generic AAA server or through GRAM (Grid Resource Acquisition and Management), a component of the Globus Toolkit, by interfacing with the Gatekeeper according to the mechanism supported in GARA. The authentication and authorization approach to be adopted in each case depends on the resource, and this information is provided by the Grid Information System (GIS). If a co-allocation is requested, i.e. multiple path elements belonging to different administrative domains have to be allocated in a coordinated fashion, the GIS specifies for each resource instance the authentication and authorization approach of choice. The dynamic set-up of a network path that crosses several transit domains is a network-specific example of co-allocation. In this case, the end-to-end path is a chain of per-domain path elements and its configuration requires an intervention in each transit domain. Two solutions can be adopted: the central approach with a single resource manager, and the distributed approach, where each resource manager is only responsible for configuration in its specific domain and the inter-domain communication protocol is implemented by the AAA servers.
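The reservation flow described above (a per-domain authorization approach advertised by the GIS, a time-slot availability check, and coordinated co-allocation along a chain of per-domain path elements), modelled as an added Python example. It is not GARA or DataTAG code; the domain names, roles, capacities and every class and function name are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed GIS view: for each per-domain path element, the auth approach
# the GIS advertises, the (VO, role) pairs it accepts, and its capacity.
GIS = {
    "domain-a": {"auth": "aaa",  "roles": {("vo-x", "member"), ("vo-x", "admin")}, "mbps": 1000},
    "domain-b": {"auth": "gram", "roles": {("vo-x", "member"), ("vo-x", "admin")}, "mbps": 1000},
    "domain-c": {"auth": "aaa",  "roles": {("vo-x", "admin")}, "mbps": 1000},
}

@dataclass(eq=False)  # identity comparison, so rollback removes exactly this request
class Request:
    vo: str
    role: str
    start: int   # slot start, arbitrary time units
    end: int     # slot end (exclusive)
    mbps: int

class DomainManager:
    """Hypothetical per-domain resource manager with its own reservation table."""
    def __init__(self, name, info):
        self.name, self.info, self.booked = name, info, []

    def authorize(self, req):
        return (req.vo, req.role) in self.info["roles"]

    def available(self, req):
        # Conservative: counts every reservation overlapping the requested slot.
        used = sum(r.mbps for r in self.booked if r.start < req.end and req.start < r.end)
        return used + req.mbps <= self.info["mbps"]

def build_managers(gis=GIS):
    return {name: DomainManager(name, info) for name, info in gis.items()}

def reserve_path(req, chain, managers):
    """All-or-nothing co-allocation over a chain of per-domain path elements."""
    granted = []
    for name in chain:
        m = managers[name]
        if not m.authorize(req):          # authorization is decided before availability
            reason = f"{name}: denied by {m.info['auth']}"
        elif not m.available(req):
            reason = f"{name}: no capacity in slot"
        else:
            m.booked.append(req)
            granted.append(m)
            continue
        for g in granted:                 # roll back so no partial path stays reserved
            g.booked.remove(req)
        return False, reason
    return True, "granted"
```

A denial in any transit domain releases the elements already booked upstream, so a request that is unauthorized in one domain never leaves capacity held in the others.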
Thanks to the availability of a unique 2.5Gb/s then 10Gb/s transatlantic testbed and the strong support of Internet2/Abilene, the DataTAG partners together with their US colleagues quickly established themselves as a leader in very high speed networking. Most of the accumulated knowledge is available from the DataTAG Web site (e.g. "How to tune TCP for gigabit networks", Linux kernel map, various Linux patches, etc.). DataTAG has collaborated widely within the community and, with partners, has won several well-recognised awards in the field of high-speed networks. This includes winning the Internet2 Land Speed Record in both IPv4 and IPv6 categories for both single and multiple stream operations in October 2003 and February 2004 when previously established DataTAG records were beaten. DataTAG was a member of the consortium that won the SuperComputing 2003 Bandwidth Challenge, Sustained Bandwidth Award when a record bandwidth mark of 23.2 Gbps was achieved. This latter was exceptional not only for the absolute bandwidth demonstrated but also because of its reliance on the implementations of new TCP stacks that have been a feature of the DataTAG WP2 work. Since November 2002, 9 new Internet2 landspeed records have already been established by DataTAG in close collaboration with Caltech. The IPv4 record, established on February 27th-28th 2003 by a team from Caltech, CERN, LANL and SLAC with a single 2.38Gbps stream over a 10000km path between Geneva and Sunnyvale through Chicago, has been entered in the Science and Technology section of the Guinness book of records. Likewise, a new IPv6 record was established on May 6th 2003 by a team from Caltech and CERN with a single 983Mbps stream over a 7067 km path between Geneva and Chicago. Thanks to the availability of the 10Gb/s DataTAG circuit in September 2003, new IPv4 and IPv6 records were almost immediately established, between Geneva and Chicago first, then between Geneva, California and Arizona.
Indeed, a new IPv4 record was established on October 1, 2003 by a team from Caltech and CERN with a single 5.44Gbps stream over the 7073 km path between Geneva and Chicago, thus achieving the amazing result of 38.42 petabit-meters/second using Internet2 landspeed record (I2LSR) metrics (i.e. throughput x distance). This corresponds to the transfer of one 680MB CD in one second. This new record was homologated by Internet2 on October 8, just in time for public announcement and award during the Internet2 Fall member meeting in Indianapolis and the Telecom World 2003 exhibition in Geneva. Following the availability of a longer 10Gb/s path to Los Angeles (California) and Phoenix (Arizona) through Abilene, the US Universities backbone, and CALREN, the California Research and Education Network, the IPv4 and IPv6 records were substantially improved again with:
- 5.64Gb/s IPv4 over a 10949Km path between CERN and Los Angeles (CENIC PoP), i.e. 61.7 petabit-meters/second, established on November 6, 2003 and officially awarded on November 20, 2003.
- 4 Gb/s IPv6 over a 11’539 Km path between CERN and Phoenix (Caltech booth at SC2003) through Chicago and Los Angeles, i.e. 46.15 petabit-meters/second, established on November 11, 2003 and officially awarded on December 19, 2003.
- 6.25Gb/s IPv4 multiple streams (8) over a 10’949 Km path between CERN and Los Angeles (CENIC PoP), i.e. 68.431 petabit-meters/second, established on February 22, 2004 and officially awarded on March 6, 2004.
- 6.63Gbps IPv4 multiple streams (8) over a 15'776Km path between CERN and Los Angeles (CENIC PoP), i.e. 104529 petabit-meters/second, established on June 25, 2004 and officially awarded on July 8, 2004.
One of the main objectives of DataTAG was to ease interoperability between Globus-based EU and US Grid projects, such as DataGrid, GriPhyN, PPDG. The companion US project is iVDGL and the coordination has been performed under the auspices of the High Energy and Nuclear Physics InterGrid Coordination Board (HICB) whose flagship activity GLUE (Grid Laboratory Uniform Environment) led to the establishment of a new common Grid Information Services schema for computing elements, storage elements and network elements. GLUE has been an exemplary collaboration between DataTAG and iVDGL. As a result, interoperability issues between US and EU Grid projects are now much better understood. The GLUE middleware has been integrated into the EU DataGrid middleware, which is also used by the LHC Computing Grid project (LCG). The Virtual Organization Membership Services (VOMS) and Local Community Authorization Services (LCAS) made by DataTAG attracted a lot of interest from our US colleagues through the iVDGL project. The first transatlantic Grid interoperability demos and presentations promoting the DataTAG project and the GLUE testbed, with cross-submission of jobs from EU to US and vice versa, have been successfully organized in collaboration with Gridstart and DataGrid at the IST2002 conference (4-6 November, Copenhagen), and iVDGL at the SC2002 conference (16-22 November, Baltimore). Besides the Grid Information Service, allowing resource discovery and resource selection through specific parameters describing characteristics and state of the resources, a monitoring system collecting resource state information and reacting to critical resource conditions is fundamental for Grid management and control. The users need to monitor their jobs, check the Grid computing resource where their jobs are run and control the disks where their data are read or written.
Without this 'eye' over the Grid, not only is the Grid manager unable to control the Grid behaviour, but the user is also lost and finds it difficult to trust the Grid. For this reason, it has been decided within the DataTAG project to develop GridICE, a new monitoring system that is easy to integrate in the existing middleware, based on the Globus MDS information service and relying on the GLUE Schema information model. Specifically for GridICE, the ‘Host class’ of the Computing element schema has been extended with a richer set of attributes. In particular, a Host can play zero or more different roles; each role is supported by a set of processes and ‘Summary info’ for each process type is modeled. This enables the monitoring of all vital Grid services. GridICE is structured in five layers, from producers of monitoring data to final consumers of monitoring information. The dynamic nature of sharing relationships means that we require mechanisms for discovering and characterizing them at any given time. For example, a new participant joining a Virtual Organization (VO) must be able to determine what resources he is able to access, the “quality” of these resources, and the policies that govern access to them. This implies that VO services are needed to specify users’ identifiers for Authentication and Authorization (AA) mechanisms, Grid-access policies, data and metadata file catalogues, etc. DataTAG-WP4 and DataGrid developed a Virtual Organization Membership Service focused on user authorization and supporting VO-based management that is available at: http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/
