Name Service Doc
Transcript of Name Service Doc
-
8/3/2019 Name Service Doc
1/25
Distributed Name Services
Cheng Peng 3022918
Peng Fu 3086289
Ming Xie 2776847
1. Introduction
In a distributed system, names are used to refer to a wide variety of resources such as
computers, services, remote objects and files, as well as to users. Naming is an issue that
is easily overlooked but is nonetheless fundamental in distributed system design. Names
facilitate communication and resource sharing. A name is needed to request a computersystem to act upon a specific resource chosen out of many; for example, a name in the
form of a URL is needed to access a specific web page. Processes cannot share particular
resources managed by a computer system unless they can name them consistently. Users
cannot communicate with one another via a distributed system unless they can name oneanother, for example with email addresses.
Names are not the only useful means of identification: descriptive attributes are another.
Sometimes clients do not know the name of the particular entity that they seek, but theydo have some information that describes it. Or the client requires a service (rather than a
particular entity that implements it) and knows some of the characteristics that the
required service must have.
This introduces name services, which provide clients with data about named objects in
distributed systems; and the related concepts of directory and discovery services, which
provide data about objects the satisfy a given description. We describe approaches to betaken in the design and implementation of these services, using the Domain Name
Service (DNS), GNS and X500 as case studies. We begin by examining the fundamental
concepts of names and attributes.
1.1 Names, Addresses and other Attributes
1.1.1 Names
A process uses a name or an identifier visiting a definite resource. The identifier issometimes used to refer to names that are interpreted only by programs, chosen for
looking up and storing the objects by software efficiently. It is a form of names. And we
also can divide names into two types. One is Pure Names, used in simply un-interpretedbit patterns, the other one is Non-Pure Names which contain information about the object
that they name; in particular, they may contain information about the location of the
object.
-
8/3/2019 Name Service Doc
2/25
1.1.2 Addresses
Lets take a look again on the pure names. When we use it, we have to look it up firstly.In some aspects, it is inefficient. We may use Objects Address to improve it. The
objects address is a value that identifies the location of the object rather than the object
itself. But sometimes it is not adequate, when the objects relocated.
1.1.3 Attributes
In order to implement a process upon a named resource or object, firstly, it is needed to
translate its name into data that can be looked up. It is called resolving. On the contrary, aname and an object associated are called binding. In fact, the name is not associated with
the object itself, but bound to the attributes of the named object. Then, what is an
attribute? An attribute is the value of a property associated with an object. A key attribute
of an entity that is usually relevant in a distributed system is its address, which can beconsidered as another name that must be looked up, or it may contain such a name.
Here is an example of composed naming domains used to access a resource from a URL.
In this example, we can see, firstly, the domain name portion in the URL is translated
into IP address via DNS resolvation and then use the ARP to find out an Ethernet addressfor the web server. The last portion is translated into proper address that can find the
relevant file by the help of file system.
2. Name services and the Domain Name System
2.1 Name Service
We have mentioned bindings before which are the associations between textual namesand attributes for objects, for example, computers, services, users, and remote objects. A
http://www.cdk3.net:8888/WebExamples/earth.html
URL
Resource ID (IP number, port number,
Network address
2:60:8c:2:b0:5 file
55.55.55.55 WebExamples/earth.html8888
DNS lookup
Socke
Web server
-
8/3/2019 Name Service Doc
3/25
name service is a collection of the sets of this kind of bindings naming contexts. The
major function of a name service is to look up attributes form a given name name
resolution, and other aspects related to the bindings.
One service that is needed to be picking up from others is Name Management, which has
two motivations. One is Unification that it is convenient for resources managed by
different services to use the same naming scheme. The other is Integration that it isconvenient to integrate service for sharing information by a common naming service.
Name service is a simple technology used for single machine or in a small network.
When put it in the interconnected networks area, the problem comes out that is a muchlarger name-mapping problem. With the invention of multi-domain name services and the
development of the Global Name Service, it needs to some requirement of handling an
essentially arbitrary number of names and to serve an arbitrary number of administrative
organizations; a long lifetime; high availability; fault isolation function; and tolerance ofmistrust. A good example is the Internet Domain Name System is less ambitious in the
number of objects it is designed for, but it continues to be widespread use. We willdiscuss it later.
2.1.1 Name space
A Name Space is the collection of all valid names recognized by a particular service.
What kind of name is valid? A name can be looked up by the service, even though that
name may prove not to correspond to any object to be unbound. Name space requires a
syntactic definition. For example, is not acceptable as the DNS name of a computer.
In the windows, files are arranged in a tree structure. Meanwhile, names may have an
internal structure that represents their position in a hierarchic name space, or in an
organizational hierarchy, as is the case for Internet domain names; or they may be chosen
from a flat set of numeric or symbolic identifiers. And in the windows operation systemswe can easily find a file because in the hierarchic name spaces, each part of a name is
resolved relative to a separate context, and same name may be used with different
meanings in different contexts. In the case of file systems, each directory represents a
context. And different people can manage different contexts.
2.1.2 Naming domains
A naming domain is a name space for which there exists a single overall administrative
authority for assigning names within it. This authority is in overall control of whichnames may be bound within the domain. In particular, domains in DNS are collections of
domain names; syntactically, a domains name is the common suffix of the domain
names within it, but it may not be distinguished from a computer name. Whats more, theadministration of domains may be devolved to sub-domains. Responsibility for a naming
domain normally goes hand in hand with responsibility for managing and keeping up to
date the corresponding part of the database stored in an authoritative name server and
-
8/3/2019 Name Service Doc
4/25
used by the name service. Naming data belonging to different naming domains are in
general stored by distinct name servers managed by the corresponding authorities.
2.1.3 Combining and customizing name spaces
DNS provides a global and homogeneous name space in which a given name refers to the
same entity, no matter which process on which computer looks up the name. By contrast,some name services allow distinct name spaces sometimes heterogeneous name spaces
to be embedded into them; and some name services allow the name space to be
customized to suit the needs of individual groups, users or even processes.
Merging: A part of one name space is conveniently embedded in another.Although we can always merge name spaces by creating a higher-level root
context, here comes a problem of compatibility. We need to hybrid name spaces
and the inconvenience of having to translate old names between the users of thecomputers.
Heterogeneity: The Distributed Computing Environment name space allowsheterogeneous name spaces to be embedded within it. DCE names may contain
junctions. This kind of name is be made up by a cell and a junction under thejunctions principals.
Customization: uses can construct their name spaces independently rather than
sharing a single name space, or when the same name is made to refer to differentfiles on different computers. Sometimes people want to make a name space just
for his or her self. Here a good example is the spring naming service.
2.1.4 Name resolution
While IP is designed to work with the 32-bit IP addresses of the source and the
destination hosts, people who are not very good at using and remembering the IPaddresses of the computers with which they wish to communicate use computers. It is
much better at using and remembering names than IP addresses. If a name is used as analias for the IP address, there must exist a mechanism for assigning names to IP nodes to
ensure its uniqueness and resolving a name to its IP address.
The Name Resolution is an iterative process whereby a name is repeatedly presented tonaming contexts. A naming context either maps a given name onto a set of primitive
attributes directly, or a further naming context, and a derived name to be presented to thatcontext. It can also implement on the aliases.
2.2 Name Servers and Navigation
In any name services, there is a very large database supported in the backend, no matter
how big its storage capability is, it still cannot contain all the naming information that
required by the large population users. Such a server would be a bottleneck and a critical
point of failure. To solve this problem we should use replication to achieve highavailability. As far as the DNS is concerned, each subset of DNS database is replicated in
-
8/3/2019 Name Service Doc
5/25
at least two failure-independent servers. The process of locating naming data from among
more than one name server in order to resolve a name is called navigation. Here we
introduce some categories of navigation.
Iterative Navigation
In this mode, a client presents the name to the local name server, which attempts to
resolve it. If the local name server has the name, it returns the result immediately. If it
does not, it will suggest another server that will be able to help. Resolution proceeds atthe new server, with further navigation as necessary until the name is located or
discovered to be bound.
Multicast Navigation: A client multicast the name to be resolved and the required
object type to the group of name servers. Only the server that holds the namedattributes responds to the request. If the name proves to be unbound, then the
request is greeted with silence.
Non-recursive Server-control Navigation: The client may choose any name server
and this server communicates multicast or iteratively with its peers we havemention the above.
Client 1
2
3
A client iteratively contacts name servers NS1NS3 in order to resolve a
NS2
NS1
NS3
Name
Servers
-
8/3/2019 Name Service Doc
6/25
Recursive Server-control Navigation: The client once more contacts a single. If itdoes not store the name, the server contacts a peer storing a prefix of the name,
which in turn attempts to resolve it. This procedure continues recursively until the
name is resolved.
2.3 The Domain Name System
With the development of computer technology and networking technology, more and
more organization and individuals are involved in the information technologies. One ofthe conveniences of information technology is that it often remains complex interactions
under the cover of a simple human performance. Here is a good example -- the Internet.
Everyday, millions of users move from Web site to Web site by simply typing domain
names into a computer's Internet browser. But normally users cannot know that eachentry actually triggers a critical, time-sensitive process before the Web site can be
accessed.
In order for Internet users to reach a Web site, their computer must find the address of the
Web server that hosts the desired site. Each Web site on the Internet there is a unique
domain name and numeric address, known as an IP address. This number, while quiteconvenient for the computer to use, is difficult for Internet users to remember; thus the
need for domain names. The Domain Name System (DNS) is used to convert domain
names into IP addresses. Each time a user enters a domain name into a computer'sbrowser, a process translates the user-friendly name into the computer friendly IP address
needed to locate the appropriate Web server. Hierarchical partitioning of the name
database, and replication of the naming data, and cashing achieve this.
2.3.1 Domain Names
The Domain Name System is a distributed hierarchical system for resolving host names
into IP addresses. The DNS has a root domain at the top of the hierarchy and directly
1
2
3
5
1
2
34
4
A name server NS1 communicates with other name servers on behalf of a client
client client
Recursiveserver-controlled
NS2
NS1
NS3
NS2
NS1
NS3
Non-recursive
server-controlled
-
8/3/2019 Name Service Doc
7/25
under are the top-level domains. The root of the tree has no name. All siblings of a
domain must have unique names. Children of a domain are called sub-domains of the
parent.
ROOT
COM EDU GOV MIL NET ORG INT US ARPA
The information is distributed among thousands of name servers. The root name servers
only have complete information about the top-level domains. No servers have completeinformation about all domains, but the root name servers have pointers to the servers for
the second level domains. This gives them complete access to the information about all
domains by querying its list of name servers.
Descriptions of each main top-level domain that divide up the Internet Name Space are:
COM: Any commercial, for-profit business may register in the COM domain.
This is the most common type of domain being registered today.
EDU: Originally, the EDU domain was designed to be the top-level domain for alleducational institutions.
GOV: This top-level domain is reserved for certain Federal Government Agencies
and only under specific circumstances.
MIL: Any department or agency of the US military may register a name in theMIL domain.
NET: The NET domain is intended to hold only the computers of network
providers. The appropriate entity for a NET domain is an Internet ServiceProvider or an administrative organization providing Internet support functions.
ORG: The ORG domain is for non-profit organizations and other organizationsthat did not fit anywhere else. Currently, registering in the ORG domain is
restricted to only non-profit organizations.
INT: The INT domain is used only for registering organizations established by
international treaties between governments or Internet infrastructure databases.
US: This is the top-level country domain for the United States. The US Domain
currently registers hosts of businesses, individuals, federal government agencies,state government agencies, K12 schools, community colleges,
technical/vocational schools, private schools, libraries, museums, city and countygovernment agencies.
ARPA: This was originally used during the ARPANET's transition from hosttables to DNS. All ARPANET hosts originally had host names under "arpa" so
they were easy to find. Later, they moved into various sub-domains of the
organizational top-level domains.
2.3.2 DNS Queries
The Internet DNS is primarily used for simple host name resolution and for looking up
electronic mail hosts.
-
8/3/2019 Name Service Doc
8/25
Host Name Resolution: Applications use the DNS to resolve host names into IPaddresses.
Mail Host Location: Electronic mail software uses the DNS to resolve domain
names into the IP addresses of mail hosts computers that will accept mail forthose domains.
Reverse Resolution: Some software requires a domain name to be returned givenan IP address.
Host Information: The DNS can store the machine architecture type and operatingsystem against the domain names of hosts.
Well-known Services: A list of the services run by a computer and the protocol
used to obtain them can be returned, given the computers domain name, provided
that the name server supports this information.
The DNS can be used to store arbitrary attributes. A query is specified by a domain name,class and type.
2.3.3 Navigation and Query Processing
A DNS is called a resolver. Resolver is the client that access name server. Programsrunning on a host that need information from the domain namespace use the resolver to
deal with querying a name server, interpreting responses, and returning the information to
the programs that requested it.
The DNS architecture allows for recursive navigation and iterative navigation. The
resolver specifies which type navigation is required when contacting a name server.However name servers are not bound to implement recursive navigation. Recursive
navigation may tie up server threads, meaning that other requests might be delayed.
Therefore, DNS allows multiple queries to be packed into the same request message andfor name servers correspondingly to send multiple replies in their response messages.
2.3.4 The BIND implementation of the DNS
The standardized format for the resource data associated with a particular host name is
known as a resource record. DNS specifies the format of a resource record as it is passed
across the network. DNS does not specify the format of a resource record in the system
administrators local file system.
A common misconception about DNS is that the resource record formats and files that
are associated with the DNS server, Berkeley Internet Name Domain (BIND) actually
form part of the DNS protocol. This is due to the fact that BIND is the most common
implementation of DNS servers that is used on Internet hosts. Even though the BINDformat is based upon the original format that was centrally administered and then
distributed about the Internet prior to DNS, it is not specifically part of any DNS
standardized protocol. The Bind format is also used in the DNS standard as the textual
-
8/3/2019 Name Service Doc
9/25
expression of resource records. DNS servers do not necessarily use this as their storage
format.
BIND is an implementation of the Domain Name System (DNS) protocols and provides
an openly re-distributable reference implementation of the major components of the
Domain Name System, including: a Domain Name System server (named); a Domain
Name System resolver library; and tools for verifying the proper operation of the DNSserver. The BIND DNS Server is used on the vast majority of name serving machines on
the Internet, providing a robust and stable architecture on top of which an organization's
naming architecture can be built. The resolver library included in the BIND distribution
provides the standard APIs for translation between domain names and Internet addressesand is intended to be linked with applications requiring name service.
2.6 Discussion of the DNS
Under the amount of naming data and scale of the networks, The DNS implementation
achieves relatively short average response times for lookups by a combination ofpartitioning, replicating and caching naming data. The objects named are primarily
computer, name servers and mail hosts. Since the host name mapping IP address changes
not frequently, as well as the identities of name servers and mail hosts, cashing and
replication occur in a relatively clement condition. If naming data changes servers mayprovide clients with old data for periods in the order of days. This is the inconsistency of
naming data, and it is of no consequence until such time as a client attempts to use old
data. The DNS does not address itself to how staleness of addresses is detected.
General speaking, the DNS stores a limited variety of naming data, but this is sufficient.The DNS database represents the lowest common denominator of what would be
considered useful by the many user communities. In the Internet, DNS is not the only
name service. There are local name and directory services that store data most pertinent
to local needs as well. Since the rigidity with respect to changes in the structure of thename space, and the lack of ability to customize the name space to suit local need, the
DNS deal with this problem. And we will discuss the GNS for example later.
3. Directory and discovery services
3.1 directory servicesDistributed processing involves the interaction of multiple systems to do work that is
done on one system in a traditional computing environment. One challenge resultingfrom this network-wide working environment is the need for a universally consistent way
to identify and locate people and resources anywhere in the network.
The Directory Service makes it possible to contact people and to use resources such asdisks, print queues, and servers anywhere in the network without knowing their physical
location. The Directory Service is much like a telephone directory assistance service that
provides a phone number when given a person's name. The Directory Service, given theunique name of a person, server, or resource, can return the network address and other
-
8/3/2019 Name Service Doc
10/25
information associated with that name. The Directory Service stores addresses and other
relevant information as attributes of the name.
Attributes are more powerful than names as designators of objects: programs can bewritten to select objects according to precise attribute specifications where names might
not be known. Whats more, we need not to expose the structure of organizations to
outside world, as do organizationally partitioned names. However, the relative simplicity
of use of textual names makes them unlikely to be substituted by attribute based namingin many applications. X.500 is a typical example of directory service usage, and we will
discuss it latterly.
3.2 Discovery Services
A discovery service is a directory service that registers the services provided in
spontaneous networking environment. Distributed systems are very dynamic and keep
changing ceaselessly. Various components are loaded and unloaded as the necessitieskeep changing. The dynamism of such systems is further increased by component crashes,
which are inevitable in any distributed system. In such systems, it is necessary to keeptrack of components currently active. The Discovery service tracks software components
as well as persons present in an active apace. Information about currently active
components is required for diagnostics and self-healing activities that stabilize the
system by handling component failures. Information about persons present in an activeapace is required for setting user preferences and many other functions. The Discovery
service is a service that keeps track of entities present in an active apace at any time.
These entities can be services, devices and even persons. Presence and Informer services
are the two major components of Discovery service. An active apace can have a lot of
services and devices running in it at the same time.
Component failures are inevitable in any system and have to be tracked. For this reason,
the Presence service keeps track of which entities are currently running in an active space.
All service and device entities send heartbeats at regular intervals, to show that they areup and running. The presence service listens to and filters these heartbeats to know which
entities are currently running in the active space. Whenever a new entity is discovered,
presence sends a message announcing the starting of the new entity. When an existing
entity stops sending heartbeats, presence service sends a message announcing that the
entity has stopped. Thus, component crashes can be detected and action can be taken toheal the system.
While presence service keeps track of service and device entities in an active space,
Informer service keeps track of the persons present in an active space. Persons in anactive space are detected by devices. All such sensing devices send periodic updates of
which persons have been detected in the room. The Informer service listens to and filters
these information packets to know who is present in the active space. Informer servicesends messages when persons enter or exit an active space. These messages can be used
by other services that set the user preferences or space sharing attributes.
-
8/3/2019 Name Service Doc
11/25
Resent developments in this area include the Jini discovery service, the service location
protocol, the intentional naming system, the simple service discovery protocol, which is
at the heart of the universal plug and play initiative and the secure service discoveryservice.
4. Global Name Service (GNS)
4.1 Overview
A name service maps a name for an entity (an individual, organization, or facility) into a
set of labeled properties, each of which is a string. The global name service (GNS)
accomplishes name services for billions of names distributed throughout the world. Itaddresses the problems of high availability, large size, continuing evolution, fault
isolation and lack of global trust.
A Global Name Service (GNS) is designed and implemented to provide facilities forresource location, mail addressing, and authentication in a distributed computing system.
GNS can be used in an inter-network to support a naming database that may extend to
include the names of millions of computers and eventually email addressed for billions of
users. GNS also supports that the naming database is likely to have a long lifetime, that itmust continue to operate effectively while it grows from small to large scale and while
the network on which it is based evolves.
The design objectives for GNS are as following:
Large size, to handle an essentially arbitrary number of names and serve an arbitrary
number of administrative organizations.
Long life, during which many changes will occur in the organization of the name
space and the component that implement the service.
High availability, because the system cant work when the name service is broken.
Fault isolation, so that local failures dont cause the entire service to fail.
Tolerance of mistrust, since a large-scale service wont have any component which istrusted by all the clients.
GNS implies a hierarchical system to accomplish the requirements. Hierarchy is the
fundamental method for accommodating growth and isolating faults.
4.2 Name Space Architecture
Global name services can be divided into two levels. At the client level there are
hierarchical names and their values, with operations for reading and updating them, and
facilities for protection and authentication. The naming database which is distributed and
-
8/3/2019 Name Service Doc
12/25
replicated is invisible at this level. At the administrative level the copies of the database
are visible, together with the mechanisms for locating copies and keeping them
synchronized.
4.2.1 Client Level
Directory tree and value tree structure
Names in GNS have two parts: . The first part identifies adirectory; the second refers to a value tree, or some portion of a value tree. GNS manages
a naming database that is composed of a tree of directories holding names and values.
Directories are named by multi-part pathnames referred to a root, or relative to a workingdirectory, by which it can be reached from its parent. Each directory is also assigned an
integer, which serves as a unique directory identifier(DI). The arcs of the tree are called
directory references (DRs). A DR is the value of the name; it consists simply of the DIfor the child directory. Thus a directory can be named relative to a root by a path namecalled itsfull name (FN).
A directory contains a list of names and references. The values stored at the leaves of thedirectory tree are organized to into the value trees, so that the attributes associated with
names can be structured values. An arc of the value tree carries a label (L), which is just a
string, written next to the arc in the figure. A node carries a time-stamp (TS), represented
by a number, and a markwhich is eitherpresentorabsent. A path through the tree isdefined by a sequence of labels (L*). For the value of the path, there are three cases:
If the path l*/lends in a leaf that is an only child, we say that lis the value ofl*.
If the path l*/li ends in a leaf that is not an only child, and its siblings are labeled l1...ln, we say that the set {l1... ln} is the value ofl*.
If the path l* does not end in a leaf, we say that the sub-tree rooted in the node where
it ends is the value ofl*.
An update to a directory makes the node at the end of a given path present or absent. The
update is time-stamped, and a later time-stamp takes precedence over an earlier one with
the same path. The subtleties of this scheme are discussed later; its purpose is to allow the
tree to be updated concurrently from a number of places without any priorsynchronization.
Figure: GNS directory tree and value tree for user Peter.Smith
-
8/3/2019 Name Service Doc
13/25
Access Control and Authentication
Access control is based on the notion of aprincipal, which is an entity that can beauthenticated by its knowledge of some encryption key (which acts as its password). Aprincipal is identified either by a full name or, in case the root of the full name is not
trusted, by a relative name, a path through the directory tree starting at the target
directory and using .. to denote the parent. Each directory has an access control functionwhich maps a principal and a path into a set ofrights drawn from {read, write, test}.
Each of the operations provided by the name service requires the principal that invokes it
to have certain rights to the nodes involved in the operation. For the convenience of the
users, the access control function is defined by a set of triples (principal pattern, pathpattern, rights).
Authentication is based on the use of encryption to provide asecure channelbetween thecaller of an operation and its implementor. A directory has an authentication functionaf,which is a mapping from keys to principals; it accepts a message encrypted with key kas
coming from principal af(k). Each directory has a few values for which afis defined by
some external means (such as a courier). In particular, there is a secure channel for each
parent-child link; the parents afmaps this channels key to the childs name, and the
childs afmaps it to ...
The authentication function can be extended by a certificate, a message encryptedwith key k'which says, Key kauthenticates the principal whose name isNrelative to
U F
A
QMDI:
Peter.Smit
passwormailboxe
DI: 599 (EC
DI:DI:
DI:
Alph GammBet
-
8/3/2019 Name Service Doc
14/25
me. This allows af(k) to be defined as af(k')/N. A sequence of certificates can establish a
secure channel between any two directories; the relative names to which the directories
map the channel will depend on what other directories participated in setting it up.
4.2.2 Administrative Level
The client sees a single name service and is not concerned with the actual machine on
which it is implemented or the replication of the database that makes it reliable. The
administrator allocates resources to the implementation of the service and reconfigures it
to deal with long term failures. Instead of a single directory, she sees a set ofdirectory
copies (DC), each one stored on a differentserver(S) machine. A directory reference
(DR) now includes not just the DI of the directory, but also a list of the servers that store
its DCs. A lookup can try one or more of the servers to find a copy from which to read.
Replication
The directory tree is partitioned and stored in many servers, with each partition replicated
in several servers. The consistency of the tree is maintained in the face of two or more
concurrent updates - for example, two users may simultaneously attempt to create entrieswith the sane name, and only one should succeed. Replicated directories present a second
consistency problem: this is addressed by an asynchronous update distribution algorithm
that ensures eventual consistency, but with no guarantee that all copies are always current.
This level of consistency is considered satisfactory for the purpose.
The copies are kept approximately but not exactly the same. Every directory copy keeps
latest updated time stamps called lastSweep time. Each copy also has a nextTSvalue, thenext time-stamp it will assign to a new update; this value can only increase.
An update originates at one DC, and is initially recorded there. The basic method for
spreading updates to all the copies is asweep operation, which visits every DC, collects acomplete set of updates, and then writes this set back to every DC. The sweep has a time-
stampsweepTS. Before it reads from a DC it increases that DCs nextTStosweepTS; this
ensures that the sweep collects all updates earlier thansweepTS. After it writes back to a
DC, it sets that DCs lastSweep tosweepTS. In order to speed up the spreading ofupdates, any DC may send some updates to any other DC in a message.
The set of servers in the DR stored in the parent is not suitable, because it is too difficult
to ensure that the sweep gets a complete set if the directorys parent or the set of DCs ischanging during the sweep. To obtain the set of Dcs reliably, all the DCs are linked into aring, directed by arrows. Each arrow represents the name of the server to which it points.
The sweep starts at any DC and follows the arrows; if it eventually reaches the starting
point, then it has found a complete set of DCs. Of course, this operation need not be donesequentially; given a hint about the contents of the set, say from the parent DR, the sweep
can visit all the DCs and read out the ring pointers in parallel. DCs can be added or
removed by straightforward splicing of the ring.
If a server fails permanently, or if the set of servers is partitioned by a network failure
that lasts for a long time, the ringmust be reformed. In the process, an update will be lost
-
8/3/2019 Name Service Doc
15/25
if it originated in a server that is not in the new ring and has not been distributed.
Reforming the ring is done by starting a new epoch for the directory and building a new
ring from scratch, using the DR or information provided by the administrator about whichservers should be included. An epoch is identified by a time-stamp, and the most recent
epoch that has ever had a complete ring is the one that defines the contents of the
directory. Once the new epochs ring has been successfully completed, the ring pointers
for older epochs can be removed. Since starting a new epoch may change the database, itis never done automatically, but must be controlled by an administrator.
The servers are themselves named in the database, byserver names (SN) that are simply
full names. The value of a SN is a uniqueserver identifier(SI) and the network addressof the server.
4.3 Scalability of GNS
The structure of the name space may change during the time to reflect changes in
organizational structures. The service should accommodate changes in the names of theindividuals, organizations and groups that it holds; and changes in the naming structure
such as those that occur when one company is taken over by another. In this section, we
shall focus on those features of the design that enable it to accommodate such changes.
To accommodate the growth and change in the structure of the naming database, GNSadopts merging trees under new root to support the growth and moving directory trees to
restructure the name database. Although GNS successfully addresses needs for scalabilityand reconfigurability, the solution adopted for merging and moving results in a requirement for a
database (the table of well-known directories) that must be replicated at every node. In a large-scale network, reconfigurations may occur at any level, and this table could grow to a large size,conflicting with the scalability goal. Here we discuss the growth and restructuring first.
Growth
The basic mechanism for growth of the name space is its hierarchical structure. Each directory isa context within which names can be generated independently of what is going on in any otherdirectory. The growth is accommodated through extension of the directory tree in the usualmanner. We may wish to integrate the naming trees of two previous separate GNS services.Each directory can have its own administrator, and they do not have to coordinate their
actions. Since new directory names can be created as easily as new entity names, the
organization of the name space can readily be made broader or deeper.
The growth is accomplished by combining existing name services, each with its own root,and adding a new root, making the existing roots its children. The technology will affect
the clients that continue to use absolute names (beginning with the symbol for the root /)
referring to the old root before the integration, because they do not know the current newworking root (initial contexts against which names beginning with the root / are to be
lookup). A file system name is normally relative to the working directory, or to the root
of the file system. A full name begins with the DI of the root directory for that name.Thus the DIs act as names in an imaginary super-root which has all the directories as its
children; an FN behaves like a file system name relative to the superroot.
-
8/3/2019 Name Service Doc
16/25
GNS uses unique directory identifiers to solve this problem. The working root for each
program must be identified as part of its execution environment as a working directory. Auser will have a working root, which is prefixed to any name she types. When a client
uses a name, its local user agent, which is aware of the working root, prefixes the
directory identifier to produce a new name with more complete information. The user
agent passes this derived name in the lookup request to a GNS server. The user agentmay deal similar with relative names referred to working directories. Clients that are
aware of the new configuration may also supply absolute names to the GNS server,
which are referred to the conceptual super-root directory containing all directory
identifiers, finally it can get the real full name. The technology allows users and clientprograms to continue to use names that are defined relative to an old root, even when a
new real root is inserted.
At any time, an instance of the name service has a single root, and there are datastructures maintained by the administrative level that allow a copy of the root to be found
from any serve. Only full names beginning with the roots DI can be looked up, which isfine when the root is created first and growth occurs at the leaves. There is a
implementation problem: in a distributed naming database that may contain millions of
directories, how can the GNS service locate a directory given only its identifier. The
solution adopted by GNS is to list those directories that are used as working roots, in atable of well-known directories held in the current real root directory of the naming
database. Whenever the real root of the naming database changes, all GNS servers are
informed of the new location of the real root. They can then interpret names of the form
which are referred to the real root in the usual way, and they can interpret names of the
form by using the table of well-known directories to translate them to full pathnamebeginning at the real root. The table of well-known directories that maps certain DIs into
links which are full names relative to the root. When a lookup reaches the root, it can
consult the well-known table and replace the full names DI with a path that starts at the
root itself. When combining name services, it is prudent to make the old roots well-known in the new root, so that old names can still be looked up.
Figure: Merging trees under a new root
-
8/3/2019 Name Service Doc
17/25
Restructuring
GNS supports the restructuring of the database to accommodate organizational change.
When a directory A wishes to move to another directory B, the subtree rooted in the A
directory will be moved under the B directory. Moving a subtree is the only restructuringoperation; as long as it doesnt form a cycle (not allowed), it preserves the tree structure
of the service.
The obvious problem with this move is that if the subtree A is simply moved to the newdirectory, all the names that begin from the old directory will no longer work, since oldfather directory of A no longer has a child A. The solution adopted by GNS is to insert a
'symbol link' in place of the original entry. The GNS directory lookup procedure
interprets the link as redirection to the A directory in its new location.
As the figure shown, we suppose US becomes part of the European Community. GNS
moves the US subtree under EC directory, and insert a symbol link #633/EC/US in
place of the original entry to redirect US to the new location.
Figure: Restructuring the directory
EC
UK FR
DI: 599
DI: 574DI: 543
NORTH AMERICA
US
DI: 642
DI: 457DI: 732
#599 = #633/EC
#642 = #633/NORTH AMERICA
Well-known directories:
CANADA
DI: 633 (WORLD)
-
8/3/2019 Name Service Doc
18/25
4.4 Caching
Caching
The potentially large naming database and the scale of the distributed environment make
name lookup not likely to be especially cheap. Indeed, if the servers that store the name
or its parent directories are far away in the network, lookup may be quite expensive. It is
very desirable for a client to be able to cache the result of a lookup for a while, ratherthan repeating it every time the value is needed. GNS make use of caching essentially
and render it extremely difficult to maintain complete consistency between all copies of a
database entry.
Since it is impractical for the service to keep track of clients that are doing this and notify
them when there is a change, the cache consistency strategy relies on the assumption that
updates to the database will be infrequent and that slow dissemination of update is
acceptable. In other words, caching must be paid for either by enforcing a slow rate ofchange on the naming database, or by tolerating some inaccuracy in the cached
information which requires no work from the service, since clients can detect and recover
from the use of out-of-date naming data.
The enforcement mechanism is an expiration time (TX) on entries in the data base, and in
particular on parent-child arcs in the directory tree and on links. The rule is: an arc or linkmay not be changed until its TX has expired, except that an arc may be deleted by a sub-
tree move if it is replaced by a link to the moved sub-tree.
One important client for caching is the name service itself which will make use ofcaching directory names from the root to avoid access bottleneck. Authentication is
another client of caching, since key authenticates principal is the result of a name
lookup.
EC
UK FR
DI: 599
DI: 574DI: 543
NORTH AMERICA
US
DI: 642
DI: 457DI: 732
#599 = #633/EC#642 = #633/NORTH AMERICA
Well-known directories:
CANADA
DI: 633 (WORLD)
#633/EC/US
US
-
8/3/2019 Name Service Doc
19/25
5. X.500 Directory Service5.1 Overview
X.500 is a directory service. It is primarily used to satisfy descriptive queries and to
discover the names and attributes of other users or system resources. The uses for such aservice are directly analogous to the use of telephone directories, such as white pages
access to obtain a users electronic mail address or a yellow pages query aimed at
obtaining the names and telephone numbers of garages specializing in the repair of a
particular make of car, to the use of the directory to access personal details such as job
roles, dietary habits or even photographic images of the individuals.
The ITU and ISO standards organizations have defined the X.500 Directory Service as anetwork service intended to meet these requirements. The standard refers to it as a
service for access to information about hardware and software services and devices.
X.500 is specified as an application level service in the Open System Interconnection set
of standards, but its design does not depend to any significant extent on the other OSI
standards, and it can be viewed as a design for a general-purpose directory service.
5.2 X.500 Service Architecture
5.2.1 Objects and Entries
The data stored in X.500 servers is organized in a tree structure with named nodes in
which a wide range of attributes are stored at each node in the tree and access is not just
by name but also by searching for entries with any required combination attributes.
An entry holds information about an object of interest to users of the Directory. Theseobjects might typically be associated with, or be some facet of, real world things such as
information processing systems or telecommunications equipment or people. Directory
objects, and hence entries, can have a one-to-one many-to-one or one-to-manyrelationship with real world things. For example, a directory object/entry may be a
mailing list containing the names of many real people (one-to-many correspondence).
Alternatively, a real person may be represented in the directory as both a residentialperson object/entry and an organizational person object/entry (many-to-onecorrespondence). In the latter case, the organizational person directory entry would hold
information that is relevant to describing the person in their working environment,
holding their office room number, internal telephone extension number, electronic mail
address, and the department etc., the residential person directory entry would describe theperson in their residential capacity, holding their home postal address and home
telephone number etc.
5.2.2 The Structure of the DIB
-
8/3/2019 Name Service Doc
20/25
The complete set of all information held in the directory is known as the Directory
Information Base (DIB) which consists of entries. These entries held in the DIB are
structured in a hierarchical manner, using a tree structure, which is similar to a structurechart used by most hierarchical organizations. The DIB can therefore be represented as a
Directory Information Tree (DIT), in which each node in the tree represents a directory
entry.
There is intended to be a single integrated DIB containing information provided byorganizations throughout the world with portions of the DIB located in the individual
X.500 servers. As shown in the figure 1, the servers are called Directory Service Agents
(DSAs). Clients, named formally as Directory User Agents (DUAs), access the directoryby visiting any servers and issuing access requests. If the data required are not in the
segment of the DIB held by the contacted server, it will either invoke other servers or
resolve the query or redirect the client to another server.
5.2.4 Naming Entries
Each object entry known to the directory is distinguished from all other objects by itsname. Thus each entry is said to have a distinguished name (DN), the full name of an
entry corresponds to a path through the DIT from the root of the tree to the entry. In
addition to full or absolute names, a DUA can establish a context, which includes a basenode, and then use shorter relative names that give the path from the base node to thenamed entry, which is called relative distinguished name (RDN). An entry's RDN
uniquely identifies it from all of its peers. Since each RDN is guaranteed to be unique
below any particular non-leaf node, each entry is guaranteed to have a unique DN.Figure 2 shows the portion of the directory information tree that includes the University
of Gormenghast, Great Britain. An example of an entry under Pat King is shown here:
DSA
DSA
DSA
DSA
DSADSADUA
DUA
DUA
-
8/3/2019 Name Service Doc
21/25
Country=Great Britain@organization= University of Gormenghast@organizationalUnit=
Department of Computer Science@organizationalUnit= Departmental Staff@person= Pat
King
Figure 2
Figure 3 is one of the associated DIB entries. A DIB entry consists of a set of attributes,where an attribute has a type and one or more values. The type of each attribute is
denoted by a type name. New attribute types can be defined if they are required. For
each distinct type name there is a corresponding type definition, which includes a typedescription and a syntax definition in the ASN.1 Notation defining representations for all
permissible values of the type.
.. France (country) Great Britain countr Greece countr ..
BT Plc (organization) University of Gormenghast (organization)... ...
Department of Computer Science (organizationalUnit)
Com utin Service or anizationalUnit
Engineering Department (organizationalUnit)
..
..
X.500 Service (root)
Departmental Staff (organizationalUnit)
Research Students (organizationalUnit)el a licationProcess
..
..
Alice Flintstone erson Pat Kin erson James Heale erson .... Janet Papworth (person)..
-
8/3/2019 Name Service Doc
22/25
Figure 3
5.2 Access Methods in X.500
5.2.1 Read
An absolute or relative name (a domain name in X.500 terminology) for an entry is given,
together with a list of attributes to be read. The DSA locates the named entry bynavigating in the DIT, passing requests to other DSA servers where it does not hold
relevant parts of the tree. It retrieves the required attributes and returns them to the client.
5.2.2 Search
This is an attribute-based access request. A base name and a filter expression are supplied
as arguments. The base name specifies the node in the DIT from which the search is tocommence; the filter expression is a Boolean expression that is to be evaluated for every
node below the base node. The filter specifies a search criterion: a logical combination of
tests on the values of any of the attributes in an entry. The search command returns a list
of names for all of the entries below the base node for which the filter evaluates to TRUE.
5.3 X.500 and LDAP
5.3.1 Introduction
LDAP (Lightweight Directory Access Protocol) arose from initial experience with
deploying X.500 directory services on the Internet in 1989-91. The goal of the originalLDAP was to give simple lightweight access to an X.500 directory, to facilitate the
development of X.500 DUAs and use of X.500 for a wide variety of applications.
infoAlice Flintstone, Departmental Staff, Department of Computer Science,
University of Gormenghast,
commonNam
AliceA.
surnam
telephoneNumbe
+44 986 33
ui
alf
mail
roomNumbe
userClas
Research
-
8/3/2019 Name Service Doc
23/25
LDAP is 'simple', relative to X.500, because:
1. While the LDAP PDUs are based on those from X.500, elements of the protocol have
been modified to produce a protocol that is significantly simpler.
2. Names and attributes use text encoding. Names and attributes are pervasive in the
protocol. In X.500, these have a complex ASN.1 encoding, whereas in LDAP they aregiven a simple string encoding. This is particularly helpful for applications that do not
need to handle the detailed structure of names or attributes.
3. Mapping directly onto TCP/IP. LDAP maps directly onto TCP/IP (the Internet
transport layer), and removes the need for a non-trivial amount of OSI protocol.
4. LDAP relies on X.500 for the service definition and distributed operations. Because
LDAP is defined as an access protocol to X.500 and not as a complete directory service,it is possible to specify LDAP very concisely. The detailed service definitions, whileoften intuitive from the protocol, are formally specified in X.500. Where the directory
service is provided by more than one Directory Server, the procedures for doing this are
not defined by LDAP.
5.3.2 X.500 and LDAP
The most important thing to understand about X.500 and LDAP is that they have more in
common than different. The things that they have in common relate to the information
model and standard services, which are absolutely central to both X.500 and LDAP. This
section describes the common core:
1. Hierarchical Names. LDAP and X.500 both define a hierarchical directory with
hierarchical names.
2. Typed Name Components. Name components are typed. This contrasts with other
schemes which have typeless names, such as the domain name scheme. It is
straightforward to represent typeless names in a typed naming scheme.
3. Typed Objects. Objects are represented as Entries in an X.500/LDAP directory. These
entries are given a type (or types), known as the object class, by use of an Object Class
attribute. Typical object classes are People, Organizations, and Computers. X.500 andLDAP share object class definitions.
4. Typed Attributes. Information within objects is held as a set of typed attributes For
example there may be a 'telephone number' attribute with one or more values. Many
attributes are encoded as strings. Other attributes have an encoding which is inferred fromthe attribute type. This can be used for non-string data such as pictures or to handled
structured information. X.500 and LDAP share attribute type definitions.
-
8/3/2019 Name Service Doc
24/25
5. Directory Operations. X.500 and LDAP share a common set of operations to access
and manage data in the directory. These are: read; compare; search; add; delete; modify
entry; modify RDN.
5.4 Discussion of X.500
Based on D W Chadwicks report, some of the factors which were critical to the success
of the X.500 are identified. These were:
1. Integration of directory access with other applications or communications services
such as E-mail is essential if the vast majority of users are to frequently use the directory;
2. The establishment of organizational procedures, administrator commitment, andsoftware tools for gathering and updating the data in the directory are essential but time
consuming tasks, which are often underestimated;
3. Senior management support for the deployment of an electronic directory is paramount.
Other issues which can have significance to the success (or otherwise) of the X.500 were:
User involvement in the project, user interfaces, naming the entries in the DIT, technical
problems, response times, security and legal issues. However, it must be remembered thatsince a majority of these projects were not initially intended for mission critical
operational use by all users, (in other words, the directory was seen as being simply
another nice service to have) some of these issues may become more critical once this is
the case.
One thing that is evident, is that X.500 can be used in a wide variety of organizations all
over the world, for a wide variety of purposes, and that X.500 would appear to have
fulfilled its purpose of being an truly International Standard for directory services.
References
1. G. Coulouris, J. Dollimore, T. Kindberg,Distributed Systems: Concepts and Design,2001
2. B. Lampson, Designing a global name service, Proc. 4th ACM Symposium on
Principles of Distributed Computing, Minaki, Ontario, 1986, pp 1-10
3. Kendra Cooper,An Introduction to the Domain Name Service (DNS), August 2002
4. Madhavarapu Jnana Pradeep Discovery Service, January 2001
5. Damon Fenacci, The Jini Lookup Service: Introduction & Discovery Protocols,December 5., 2000
6. RFC1943, Building an X.500 Directory Service in the US, 1996
-
8/3/2019 Name Service Doc
25/25
7. D W Chadwick, Important Lessons Derived from X.500 Case Studies, University of
Salford, Salford, M5 4WT
8. D W Chadwick, Understanding X.500 - The Directory, International ThompsonPublishing, July 1996
9. Steve Kille, LDAP and X.500, Messaging Magazine, September 1996
10. ITU-T, Information technology - Open Systems Interconnection - The Directory:
Overview of concepts, models and service, Recommendation X.500, International
Telecommunications Union, Geneva, 1993.