[Openstack] Instance IDs and Multiple Zones

Eric Day eday at oddments.org
Tue Mar 22 18:38:05 UTC 2011

On Tue, Mar 22, 2011 at 10:48:09AM -0700, Justin Santa Barbara wrote:
>    We can square the circle however - if we want numbers, let's use UUIDs -
>    they're 128 bit numbers, and won't in practice collide.  I'd still prefer
>    strings though...

If we use a number/uuid without a zone prefix, then they can
collide. What happens when I want to burst to my private cloud and
I've fixed my UUIDs to intentionally collide just to cause trouble?

Through peering and bursting we have potentially malicious users
for some deployments and we need to be sure resource ID spoofing and
poisoning is not possible. The simplest way is to have a namespace for
every zone, and the most obvious namespace is the zone name. We'll
of course need a mechanism to detect authenticity of zone names too
(signed certs, etc).

Oh, and all this discussion should not be limited to just instance
IDs, networks and volumes need to be globally addressed as well and
should follow the same mechanism.


More information about the Openstack mailing list