ELA: A Fully Distributed VPN over P2P Network
Sadanori Aoyagi, Makoto Takizawa, Masato Saito, Hiroto Aida, and Hideyuki Tokuda
Keio University, Japan

Outline
• Virtual Private Network (VPN)
• ELA
  • Abstract
  • Design and Implementation
• Evaluation of ELA
• Related Work
• Future Work and Conclusion
VPN
• What is a VPN?
  • An architecture that constructs a virtual private connection across a public network.
• Classification
  • Site-to-Site VPN (the usual kind)
  • Overlay VPN

What is a Site-to-Site VPN?
• Used to replace a dedicated line.
[Figure: a tunnel between two sites across the public network]

Overlay VPN
• What is an overlay VPN?
  • A VPN constructed over an overlay network.
  • An overlay VPN is independent of the existing network.
[Figure: LAN 1 to LAN 4 connected across the Internet; logically equivalent to a single LAN]

Overlay VPN
• Topology
  • Client/Server
• Problem
  • Requires a server: cost, single point of failure, bottleneck.
[Figure: company LAN and branch LANs connected through a VPN server over the Internet; outside nodes excluded]
The Issue
• Can we satisfy both of the following requirements?
  • Secure connections directly between nodes.
  • Easy setup even when there are many applications.

Proposal
• A system that constructs a secure base between user nodes on the fly.
• ELA (Everywhere Local Area network)

Abstract of ELA
• Purpose
  • To construct a secure base between user nodes.
• Method
  • ELA constructs an overlay VPN between user nodes on the fly.
[Figure: a VPN between user nodes over the Internet]

Example of the Utility
• Applications in which user nodes connect to each other directly
  • Instant messenger, video chat
• Applications designed for a LAN
  • Groupware
  • Windows network, NFS
  • Some network games
• Assumptions
  • All users of the nodes are acquaintances.
  • Under 30 nodes.

The Reason ELA Constructs an Overlay VPN
• There are 3 reasons.
  • No modification of existing applications.
  • Little security risk.
  • A network independent from unknown users.
Protocol Issue
• Transport protocol used by the VPN
  • Nodes behind NAT can connect to other nodes with TCP easily.
  • UDP is a simpler protocol than TCP.

Remarkable Points of ELA
• Network of ELA
  • Overlay VPN
  • P2P topology
  • ELA creates both automatically.
• Tunneling protocol
  • Uses 2 protocols depending on network restrictions.
  • UDP if there is no restriction by NAT or firewall.
  • TCP if the node cannot use UDP.

Image of ELA
• ELA constructs a virtual network. This is defined as the ELA-VPN.
[Figure: the ELA-VPN overlay]

Position of ELA
• ELA relays data over the ELA-VPN.
  • Users can use applications as if on a LAN.
  • ELA relays data via another node if necessary.
[Figure: nodes 10.0.0.1, 10.0.0.2 and 10.0.0.3, each running ELA beneath the application; data flow by ELA across the Internet]
Example of How ELA Is Used
• Starting ELA
  • Type "ela", and ELA asks for user authorization.
  • The "ela0" network interface is created.
• Communication using an IP address of the ELA-VPN
  • For example, a node uses Samba and fetches a PDF file from another node.
Step 1:
  # ela
  # ifconfig ela0
  ela0      Link encap:Point-to-Point Protocol
            inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.0
            UP POINTOPOINT RUNNING NOARP  MTU:1400
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:10
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Step 2:
  # smbclient \\\\10.0.0.3\\home -U sada
  smb: \> get thesis.pdf
Start-up Sequence inside ELA
• Preparation
• Constructing the ELA-VPN
• Using the ELA-VPN

1. Preparation
• Looking up other nodes
  • ELA does not have this feature.
  • Look up other nodes of the ELA-VPN by using the WWW or e-mail.
• User authentication
  • Nodes of the ELA-VPN share a list of users.
  • Nodes authenticate a new node against the list of users.

1. Preparation
• ELA assigns a private IP address on the ELA-VPN.
  • A new node can use any IP address not used by the other nodes.
• ELA classifies nodes into 2 types.
  • Core node (CN):
    • The node can send and receive data with UDP.
    • The node can be connected to from other nodes with TCP.
  • Edge node (EN):
    • Any node that is not a CN.
    • The node can connect to other nodes with TCP.

2. Constructing the ELA-VPN
• Nodes are arranged clockwise by ID.
  • ID = hash(IP address)
• CN:
  • Inside the P2P network.
  • CNs form a full-mesh topology and connect to each other with UDP.
• EN:
  • Outside the P2P network.
  • Each EN connects to the CN whose ID is next after the EN's.

3. Connection over the ELA-VPN
• All core nodes share the routing table.
  • Key: ID
  • Value:
    • If CN, its IP address on the Internet.
    • If EN, the Internet IP address of the core node the EN connects to.

Example of Relay
• Node 27 → 14
  • Node 27: relay to 3
  • Node 3: search the routing table → relay to 16
  • Node 16: relay to 14
• The maximum number of relays is 3.
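The topology and routing rules from the preceding slides (CN/EN classification, clockwise successor, shared routing table, relay path, UDP-or-TCP tunnel choice), as an added simulation that is not ELA's own code. The Node fields and the Internet addresses are constructed assumptions; the IDs 3, 14, 16 and 27 are fixed to reproduce the slide's relay example.

```python
# Added example (not ELA's own code): simulates ELA-VPN topology and relay routing as the
# slides describe it. Internet addresses and the Node fields are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    nid: int           # ID on the ring (ELA: hash(IP address); fixed here to match the slide)
    inet_addr: str     # address on the Internet (constructed)
    udp_ok: bool       # can send and receive UDP (no NAT/firewall restriction)
    tcp_inbound: bool  # other nodes can connect to it with TCP

    @property
    def kind(self):
        # A core node (CN) needs both; every other node is an edge node (EN)
        return "CN" if self.udp_ok and self.tcp_inbound else "EN"

def successor_cn(nid, cores):
    """CN whose ID is next clockwise from nid, wrapping around the ring."""
    ahead = sorted(c for c in cores if c > nid)
    return ahead[0] if ahead else min(cores)

def home_cn(nid, nodes):
    """CN responsible for nid: itself if it is a CN, else the CN its EN link goes to."""
    cores = {n.nid for n in nodes if n.kind == "CN"}
    return nid if nid in cores else successor_cn(nid, cores)

def build_routing_table(nodes):
    """Table shared by all CNs: ID -> Internet address (own for a CN, its CN's for an EN)."""
    by_id = {n.nid: n for n in nodes}
    return {n.nid: by_id[home_cn(n.nid, nodes)].inet_addr for n in nodes}

def relay_path(src, dst, nodes):
    """IDs a packet traverses: src -> src's CN -> dst's CN -> dst, skipping repeated hops."""
    path = [src]
    for hop in (home_cn(src, nodes), home_cn(dst, nodes), dst):
        if hop != path[-1]:
            path.append(hop)
    return path

def tunnel_protocol(a, b, nodes):
    """CN-CN links run over UDP; any link involving an EN falls back to TCP."""
    kinds = {n.nid: n.kind for n in nodes}
    return "UDP" if kinds[a] == kinds[b] == "CN" else "TCP"

SAMPLE_NODES = [  # constructed to reproduce the slide's relay example 27 -> 3 -> 16 -> 14
    Node(3, "198.51.100.3", udp_ok=True, tcp_inbound=True),
    Node(16, "198.51.100.16", udp_ok=True, tcp_inbound=True),
    Node(14, "203.0.113.14", udp_ok=False, tcp_inbound=False),  # EN behind NAT
    Node(27, "203.0.113.27", udp_ok=True, tcp_inbound=False),   # EN: UDP ok, no inbound TCP
]
```

Running `relay_path(27, 14, SAMPLE_NODES)` gives `[27, 3, 16, 14]`, and checking every source/destination pair confirms that no path needs more than 3 relays (EN to its CN, CN to CN, CN to EN).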
Required Features
• Constructing the P2P network
  • Constructing the topology
  • Routing
• Using it as a VPN
  • Network Pseudo Device
  • Capsulating
  • Sending, Receiving

Structure of Modules
[Figure: module structure. Application sends and receives IP packets. User layer: Constructing Topology (sends messages, updates the Routing Table), Routing (searches the table), Capsulating, Sending and Receiving; a received capsulated IP packet is checked with "Is it to me?" and is either decapsulated (YES) or routed on (NO). Kernel layer: Network Pseudo Device.]

When Sending Data
• Application
  • Sends data.
• Network Pseudo Device
  • Gets the IP packet.
• Capsulating Module
  • Encapsulates it.
• Routing Module
  • Searches for the node to relay to.
• Sending Module
  • Relays it to the other node.

When Relaying Data
• Receiving Module
  • Receives data that is not addressed to me.
• Routing Module
  • Searches for the node to relay to.
• Sending Module
  • Relays it to the other node.

When Receiving Data
• Receiving Module
  • Receives data that is addressed to me.
• Capsulating Module
  • Decapsulates it.
• Network Pseudo Device
• Application
  • Gets the data.

Prototype Implementation
• Environment
  • Red Hat Linux 7.2 (Kernel 2.4.18)
• Implementation method
  • C language
  • NPD is implemented in the kernel layer.
  • The others are implemented in the user layer.

Implemented Modules
• Finished
  • NPD, Capsulating Module, Sending Module, Receiving Module
Evaluation
• Qualitative evaluation
  • How easy is it to construct a VPN between many user nodes?
• Quantitative evaluation
  • Overhead of ELA
  • Relation between relay count and delay

Qualitative Evaluation
• Compared with:
  • Point-to-Point VPN
  • Client/Server VPN

Qualitative Evaluation
• ELA is most suitable when many nodes construct a VPN with each other!

Quantitative Evaluation
• Evaluation environment
  • Constructed on VMware
  • PC (CPU Pentium4 EE 3.6GHz, Memory 2.0GB)
  • Host OS: Windows XP (SP1)
  • Guest OS: Knoppix 3.1 for VMware
[Figure: test ELA-VPN on VMware. ① and ② are CNs (10.0.0.1, 10.0.0.2) linked over UDP; ③ and ④ are ENs (10.0.0.3, 10.0.0.4) linked to CNs over TCP; guest host addresses 192.168.88.128, .132, .133 and .134]

Overhead of ELA
• Measuring RTT using ping
  • No ELA (①⇔②)
  • ELA, tunneling protocol UDP (①⇔②)
  • ELA, tunneling protocol TCP (①⇔③)
[Figure: the three measured paths 1, 2 and 3 on the VMware test topology]

Result of Overhead of ELA
• ELA adds overhead.
• The overhead is larger with TCP than with UDP.

Relation between Relay Count and Delay
• Measuring RTT using ping
  • 1 relay (③⇔①)
  • 2 relays (③⇔①⇔②)
  • 3 relays (③⇔①⇔②⇔④)
  • ※ There is no case of more than 4 relays.
[Figure: the three relay paths 1, 2 and 3 on the VMware test topology]

Result of Relation between Relay Count and Delay
• More relays, more delay.
• But the added delay is small.
Related Work
• IVGMP (Internet VPN Group Management Protocol)
  • One VPN system.
  • Every node connects to the others with IPsec.
  • VNOC provides a policy.
  • No mention of the details of VNOC and the topology.

Future Work
• Implementation
  • Constructing Topology Module
  • Routing Module
• Evaluation
  • Use ELA in a real environment.
  • How scalable? How robust?
• Improvement of the design
  • Support for QoS, improvement of scalability.

Conclusion
• Proposal of ELA
  • The purpose is to construct a secure base.
• Design
  • ELA constructs a VPN over a P2P network.
• Evaluation
  • ELA is most suitable when constructing a VPN between many user nodes.
  • The overhead is small.

Thank you.
• Thank you for your kind attention!

Topology Construction Module
• Formation and maintenance of the P2P network
• Node join processing (authentication, IP address assignment, etc.)
• Formation of the P2P network based on node type
• Updating the routing table as nodes join and leave