Dealing with Internet Connectivity in Distributed Computing

1. Dealing with Internet Connectivity in Distributed Computing

2. Firewalls & Private Networks • Firewalls • provide cheap and good way to protect networks • becoming headquarters of integrated security systems • Private networks • A solution to IPv4 address shortage problem • Easy network management and easy address planning • We have many firewalls and private networks deployed and will continue to have them in the future

3. Problems • Non-universal connectivity • Asymmetric connectivity • Collaboration becomes difficult or impossible • Resources are wasted

4. Agenda • Introduction • DPF (Dynamic Port Forwarding) • GCB (Generic Connection Brokering) • eGCB (extended GCB) • Conclusion

5. B A X BIND (B) X X A  X A  B Dynamic Port Forwarding B = socket(); bind(B, ANY); getsockname(B, X); Server app A = socket(); DPF agent connect(A, X); NAT Client DPF lib X  B

6. DPF • Basic Idea: On-demand open/close • Supporting Environments • Headnode: Linux NAT box • DPFnized private application • Regular public application

7. DPF • DPF can be used with any firewall that allows you to control opening/closing through the following APIs: • open (local, remote, sec) • timeout (sec), where sec may be 0 to close the opening • list • Confirms MIDCOM specification at semantics level

8. X Server Client BIND (B) B A X X GCB: socket registration B = socket(); bind(B, ANY); getsockname(B, X) GCB lib GCB lib Broker

9. X Server Client B A CONNECT (X) CONTACT (A) PASSIVE GCB: passive connection connect(A, X) GCB lib GCB lib Broker

10. X Y Server Client B A CONNECT (X) CONTACT (Y) ACTIVE (X) GCB: relay connection connect(A, X) GCB lib GCB lib Broker

11. GCB • Basic Idea: reversing the direction underneath the application • Supporting Environments • No requirement to firewalls • Outbound connections are allowed • Broker is placed either on the edge or outside of the private network

12. eGCB (extended GCB) • Support for multiple connection mechanisms • Integration of DPF & GCB • Security to protect the Broker • Extension to DPF • On-demand open/close for outbound connections

13. submit site communication via relay direct connection communication via a punched hole execution site execution site execution site execution site … reversed connection … Support for Multiple Methods

14. 4) connection setup 3) negotiation F/W F/W 2) open for outbound connector listener outagent 1) registration Connection Setup inagent

15. Conclusions • DPF requires administrative and technical control on headnodes but it is fast and scalable • GCB is a little slower than DPF but requires no control on headnodes • The combination of DPF and GCB supports wider range of network setting than any other system • GCB and eGCB are generic mechanisms and can be used any application

16. Thank you!Sonny (Sechang) SonRm# 3387sschang@cs.wisc.edu

17. Ways to handle • Manual opening • Same effect as not having firewall for the range of addresses • Impossible for administrator to know how many and how long addresses must be opened • Deceiving firewalls • War between firewalls and ‘firewall-friendly’ software • We need a cooperative way!

18. F/W F/W connector listener outagent Security Enforcement Security Enforcement Sec. Req. inagent Sec. Req.