Recovering Internet Symmetry in Distributed Computing Sechang Son, Miron Livny [sschang, miron]@cs.wisc.edu
Contents
• Introduction
• Dynamic Port Forwarding
  • Architecture
  • Implementation
  • Analysis
• Generic Connection Brokering
  • Architecture
  • Implementation
  • Analysis
• Conclusion
Fate of Private Network
• Introduced as a short-term solution to the IPv4 address shortage until the full deployment of IPv6
• May never disappear
  • Easy network planning and maintenance
  • Costs nothing
• Grid is a big supporter of private networks
NAT, Masquerading, and Port Forwarding
(Diagram: private host A behind a NAT talks to public host B; the NAT rewrites A's address to its public address X in each direction.)
Condor/Grid Requirements
• No change to the public side: interoperable with (existing) regular sockets
• Minimum changes to network components, and no change to the kernel or anything with system-wide impact
  • Easy deployment is one of the key factors of a Grid system
• Highly scalable
  • Clusters with hundreds or thousands of machines must be supported
• High performance
• Representative requirements of any Grid system
Previous Works
• Global approaches
  • TRIAD, IPNL, AVES
• Local/fill-the-gap approaches
  • Napster, Gnutella: application-specific connection brokering
  • SOCKS
  • Realm Specific IP (RSIP)
• No system meets the Grid requirements
Dynamic Port Forwarding (DPF)
(Diagram: private host A asks the DPF server to add a forwarding rule at the NAT; the server acknowledges with the leased public port X, and A registers the proxy address *:X:A with the Central Manager so public hosts B and C can reach it.)
Implementation of DPF
• Client
  • Built into the communication library of Condor
  • Creates and deletes forwarding rules on the fly
• Server
  • Uses the NAT library to add/list/delete port forwarding rules
  • Maintains 3 different representations of the forwarding rules for fault tolerance and updates/synchronizes them carefully
  • Periodically polls clients for garbage collection
Analysis of DPF
• Highly interoperable
• Highly scalable
  • The number of proxy addresses leased to clients is the only limiting factor
  • DPF with multiple IP addresses is supported
• Very deployable
  • No changes to the OS, network components, or NAT required
  • The DPF server runs as a privileged user
• Security
  • Opens holes only under the administrator's permission and only for as long as necessary
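The DPF server's rule bookkeeping described above, as an added toy model (not Condor's code): it leases proxy ports to private clients, lets only the owning client delete its rule, and garbage-collects rules whose owner stops answering the periodic poll, so a forwarding hole never outlives the process that asked for it. The quota, timeout and addresses are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    public_port: int        # X: proxy port leased on the NAT's public address
    client: tuple           # (private ip, private port) of the owning client A
    last_seen: float        # last time the client answered the server's poll

class DPFServer:
    """Toy model (hypothetical, not Condor's implementation) of DPF rule state."""

    def __init__(self, public_ip, port_pool, max_per_client=4, poll_timeout=60.0):
        self.public_ip = public_ip
        self.free = list(port_pool)          # proxy ports still available to lease
        self.rules = {}                      # public_port -> Rule (the *:X:A mapping)
        self.max_per_client = max_per_client # cap on holes one client may open
        self.poll_timeout = poll_timeout     # seconds of silence before a rule is reclaimed

    def add_rule(self, client_ip, client_port, now):
        """Client A asks for a forwarding rule; returns its proxy address (public_ip, X)."""
        owned = [r for r in self.rules.values() if r.client[0] == client_ip]
        if len(owned) >= self.max_per_client:
            raise PermissionError(f"lease quota exceeded for {client_ip}")
        if not self.free:
            raise RuntimeError("no proxy ports left to lease")
        port = self.free.pop(0)
        self.rules[port] = Rule(port, (client_ip, client_port), now)
        return (self.public_ip, port)

    def delete_rule(self, client_ip, public_port):
        """Only the owning client may remove a rule; the port returns to the pool."""
        rule = self.rules.get(public_port)
        if rule is None or rule.client[0] != client_ip:
            return False
        del self.rules[public_port]
        self.free.append(public_port)
        return True

    def poll_answered(self, client_ip, now):
        """Record that client_ip answered the periodic liveness poll."""
        for rule in self.rules.values():
            if rule.client[0] == client_ip:
                rule.last_seen = now

    def garbage_collect(self, now):
        """Close holes whose owner went silent; returns the reclaimed ports."""
        stale = [p for p, r in self.rules.items() if now - r.last_seen > self.poll_timeout]
        for port in stale:
            del self.rules[port]
            self.free.append(port)
        return stale
```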
Analysis of DPF • Performance: Private-to-public
Generic Connection Brokering (GCB)
(Diagram: private host B registers with the GCB server through the NAT and publishes the server's proxy address P to the Central Manager; when A asks the GCB server to contact B, the server arranges which side is passive and which side actively connects.)
Generic Connection Brokering (GCB)
(Diagram: UDP case; B sends a dummy packet through the NAT to open a mapping, and the GCB server's ACK lets A reach B through that mapping.)
Generic Connection Brokering (GCB)
(Diagram: a regular socket on public host A talks to private host B by connecting to the GCB server's proxy address P, which relays the connection.)
Implementation of GCB client
(Diagram: the client layer interposes on socket, bind, accept and connect, keeps per-socket state such as proxy address, real address, connection queue (Conn_Q) and receive buffer (Rcv_Buf), and preserves file descriptors across dup, fork and execve.)
Implementation of GCB server
• Composed of a Broker and a RelayServer
  • The Broker is in charge of arranging the direction of a connection
  • The RelayServer creates proxy sockets and handles relaying between two sockets
  • The Broker forks a new RelayServer on the fly
• Stale state due to a server crash or machine reboot is handled by reregistration
Reliable UDP
• Used for communication between clients and the server
• Reliable and in-order delivery
• Simple congestion control
• Connected and unconnected UDP
• Time-wait state
Analysis of GCB
• Very interoperable
  • A public node needs to be a GCB client to be brokered
  • Regular sockets can talk to GCB nodes through the relay service
• Highly deployable
  • No changes to the OS, network components, or NAT
  • No NAT requirement, and the GCB server runs as a normal user
• Very scalable
  • Logically as scalable as DPF, but performance can be a limiting factor
• Security
  • Opens no holes
  • May increase the chance that the organization's policy is circumvented
Analysis of GCB • Performance: Private-to-public
Firewall
• Both firewalls and private networks damage Internet connectivity
  • Connections blocked
    • Firewall: intentional
    • Private network: side effect
• Condor's mechanism for restricting the range of ports that sockets can bind to can be used with either DPF or GCB to also support firewalls that block some outbound connections
Conclusion
• DPF for dedicated and large clusters
• GCB for medium-sized and non-dedicated clusters