xensource

In this second part of our exclusive video interview recorded at VMworld2008 in Las Vegas, the Citrix XenSource CTO denies that there is more than a ‘fabulous partnership’ between Microsoft and Citrix. In his typical outspoken style, Simon Crosby does not see his competitor VMware take of into the clouds with vaporware. He remains an advocate for open standards and shines his light on Virtualization security issues (aka VirtSec by the insiders).

.
A full transcript of the interview is below and the  first part of our interview can be viewed here.

(00:00) Simon, in the blogosphere there are these ever mounting rumors about Microsoft and Citrix. What can you comment on that relationship. Add Cisco, VMware and you’ve got a complicated puzzle.

It is.

(00:10) It’s intriguing though.  Many people see a lot of interesting things going on there, what can you say about that?

So our partnership with Microsoft is great.  I mean fabulous.  Microsoft makes a ton out of everything of what Citrix does and they give us scale and we basically take the platform, extend its features set. We’ve done this for years.  It turned out to what XenSource was doing in Virtualization with Microsoft, very similar to the traditional Citrix model of working closely with Microsoft to extend the platform and deliver a bunch of features.  So we do that today and so we’re partner in Virtualization for XenDesktop and runs great on Hyper-V, runs great on XenServer and you know, that’s a terrific partnership.  We’ve partnered also in the area of Virtualization generally and interoperability is key. But XenServer in the platinum edition, not generally known, has the ability to run VMs on VMware or Hyper-V or Xen or even bare metal. Okay, so once you’ve taken your VMs and centralized them into a central repository, we can boot them and run them on anything, right?  Which allows us to extend the concept of Virtualization beyond just Xen, to other hypervisors and even bare metal.

(01:23) If we go back to the cloud concept, because that has been buzzing this industry for a few months now.  What I find quite intriguing is that there’s no standards.  Every cloud has its own APIs and with VMware launching its newest product line (vCloud).  It’s not very clear what those APIs are going to look like, nor when we’re going to have them.  Xen is also moving in that direction with CCC or C3 (Citrix Cloud Center).

Yeah, though not from an API perspective. I agree with you that the APIs are an important one and the ABI.  That is compatibility between the enterprises that counts a big deal. The VMware announcement yesterday, the demonstration around the clouds, the big bullet point on Paul Maritz slide was compatibility, okay? Which basically says that every cloud is going to have to buy by VMware.  You know what?  It’s just not going to happen, okay?  So compatibility is an important concern.  It’s really important that enterprise that  adopt Virtualization know that their VMs will run great in their enterprise but also in the cloud and if the only way we can achieve that is if everybody buys VMware, I can tell you the industry is sunk.  That’s not going to happen.  So compatibility is an important consideration.  OVF is a great component of that and I think it gives us a good way of migrating that whole process.

(02:43)  Do you think that the DMTF is a good standards body to also look into APIs that the vendors agree upon from Amazon to Citrix?

(02:50) Simon Crosby:  I’m not so sure about the Amazon guys. You should go out and speak to Werner on that. But in general, you know Amazon is very open to moving towards standard based APIs, kind of an innovator out there. But VMware, to give them credit, is doing a great job in the DMTF.  They really are.  So, I got to tell you that I’m not a fan of LibVirt you know in the Linux world, it doesn’t have strong semantics.  It doesn’t have like a well-defined API or ABI but the DMTF world is moving forward terrifically, yeah very good.

(03:24) Virtualization was a way of abstracting. Now clouds are another way of abstracting?

They are just another hypervisor platform for me.

(03:34) What about an OS.  What would be your definition, VMware is calling it an OS? 

Oh, the data center OS?

(03:42) Interviewer:  How do you define such an OS?  Do you consider it an OS, a framework or an API set?

You know what?  I think it’s vaporware, right?  So let’s be real for a bit, there are several key things that people want to achieve.  They want to achieve greater agility, greater dynamism, and greater security. There are a lot of ways to get there. But defining a data center OS based on a product which has got a single point of failure, isn’t the way to get there.  There are very interesting technologies that one can bring to solve that problem. In general, I don’t think they (VMware) have them.  Now, it differs between enterprises and clouds on how you want to do this. Enterprise IT runs in a very different way than the cloud.  So we know today that NetScalers drives automatically very large files, that is we can use NetScalers sitting in the application hard drive to dynamically move traffic between machines whenever machine fails, between data center whenever data center fails and on the fly bring up new VMs and servers on the basis of need. Because we can watch the application response times and drive the data center in that way.  That is in particular like a kind of cloud architecture. There are some enterprise adopting it. But at data center OS which is built in the management domain out of a bunch of stuff which is really just managing software.  I don’t buy the concept.  It’s an important concept that people start to think about, that is agility and dynamism and data center reintroduce a whole bunch of complexities but it isn’t here yet.

(05:14) Maybe to finish off, you mentioned security?

Yeah.

(05:18) How do you see that involve, it’s one of the major concern of these people.  How do you secure Virtual issues?  How do you make absolutely sure that they can’t break out?

There are three things here, one of them is how do you secure the guests?  How do you secure the hypervisor?  And how do you virtualize the security function generally, okay?  So let’s start. How do you secure the guest?  You know, the basic capabilities of inspecting the traffic, block an I/O, everybody can do that.  That’s straightforward.  VMware took a one step further with VMsafe which allows their plug-in security appliances to inspect the memory of running guests.  The black hat folks just don’t like this approach, okay?  We have an equivalent thing in open source that the big scary moment is if you compromise that interface, you can get hold of any memory of any guest.  It’s really, really scary.  So you have to do better than that, you know. 

But in general, virtualizing the security function is thought very open area and Chris Hoff has a perfect take on this, you know it’s very, very early days and has a ton of work to do.  Moreover is I/O starts to go back into hardware so we just get IOV devices coming.  None of those security appliance gets to look at the traffic anymore, so it’s going to be very interesting.  So all has to get down again.  Securing a hypervisor, we’re absolutely concerned about that.  That is one of our key focuses, I guess VMware is concerned about it.  They have a big code base.  I think one of their big things that they do is they went from you know ESX to ESXi was to ditch the console OS which is a major headache for them.  You know we’re down onto tens of megabytes in software now, generally written onto read-only flash and we focus manically on securing our box, right?  That’s absolutely what we have to do.  Now can we make guest more secured?  Absolutely we can do that and that’s the next big one which is how you can use the Virtualization platform itself and Virtualization to provide greater security for the workload while it’s running and through its life cycle.  So once you separated the software from the server, can I take a guest to walk out of the building without a memory stick?  That’s an interesting question.

(07:31) Simon, I’d like to thank you for the time you’ve given us and for the straight talk and your views on Virtualization and everything around it.  See you.

Below is the first part of our exclusive video interview recorded at VMworld2008 in Las Vegas, where Citrix XenSource CTO Simon Crosby tells us where he sees Virtualization going in general and shares his view on the future of security, networking and I/O virtualization in particular.

.
Feel free to check on the I/O Virtualization vendors we covered in the past, such as 3Leaf, Neterion, NextIO, VertenSys with Neterion or Xsigo.

A full transcript of the interview is below. you might want to check on our previous chat with Simon at VMworld Europe 2008 in Cannes to see if what he claims is consistent on both sides of the atlantic.

(00:11) Simon Crosby, you’re the CTO, Virtualization and Management Division at Citrix.  What are the next challenges you see coming up in Virtualization?

Simon Crosby: So Virtualization today is server only, right?  So in fact the question to me is “where does Virtualization go generally”?  The technology works superbly for clients.  It applies in terms of virtualizing the client device and it works great in PDAs and various other mobile internet devices and so on.  So Virtualization is going down that path.  Xen already runs on all machines of that category and does so with great performance.  So now we can expose real devices, models, straight up to Windows and so on and we can get terrific performance.  So Virtualization technology will go much more broadly into the execution environments.  Virtualization adoption by enterprise It’s a big, big change, right?  Because everything changes.  So just to get beyond 10% or 12 or whatever adoption percentage we are at right now, the whole of the enterprise IT process has to be rethought.

(01:13) Where do you see the real challenges when it comes to security and virtualization and how can you organize those?

Today, I think you know we do a pretty good job of pulling in the storage and the compute side of it, that is we dynamically drive storage for virtualization.  Networking is still way out there.  I mean because the security folks want to know exactly where the bump in the wire is. Arguably as you move the virtual machines around in the data center because of those network security policies you got to follow them.  That doesn’t happen yet.  So, all of that has  to change but as you start to do this, people who got a very rational concern for knowing where things are, that they are secured, that they die when they should and all that sort of stuff, right?  And so, the general complexity that virtual machines bring is that our appetite for computers have not gone down.  There are more VMs than there are physical servers.  They live some place you don’t generally know where.  At any point in time, you need to find the darn thing.  Check if it’s secured.  Check if it’s updated.  Manage it through its life cycle and then throw it away securely.  So it actually complicates things.  So the great thing by Virtualization is we now get as a bunch of IT vendors, to go and redo it all and do it right and do it better and that’s the opportunity.

(02:34) Now Simon, one of the major announcements here at VMworld was that, VMware together with Cisco, they’ve launched VN-link which is a new standard for networks to become virtual machine aware.  What’s your point of view on that, on this merging of virtual network solutions and standards in that field?

The fundamental driver here is Moore’s law., So we get more and more and more VMs per server.  That means that the switch technology that we use in the virtualized platform in general, has to become more and more like a network based switch.
So that’s a good observation.  Therefore, all of the separation and other policies that you want to have in a network have got to follow your VMs, right?  So there is an interesting question of what you do there?  Now the VMware virtual switch (indeed there is one in XenServer too) are based on the bridge code that came out of Linux. We modified  so it can support VLANs and everything else, but that’s where it came from.  So there’s a very rational question as to how this evolves over the time?  Now, the technology that’s coming down the wire is essentially IOV. If you do SRIOV..

03:35 Could you quickly explain what IOV and SRIOV stand for?
SRIOV stands for single root I/O virtualization.  It’s the I/O Virtualization standard coming out of the PCI SIG and with that, essentially you introduce the ability for a NIC-card to have a full layer 2 switch on it.  So what’s going to happen is that it’ll all move to hardware. And those layer 2 switches will look like existing real physical switches in your Ethernet, okay?  And so, in general, you know we have to have the same ability to control those and manage them as we do with our physical network infrastructure today.