On Proxy Server based Multipath Connections (PSMC)
PhD Proposal
Yu Cai
10/2003
University of Colorado at Colorado Springs
Presentation outline

Introduction

Related work

Algorithms for PSMC proxy server selection.

Protocols for PSMC packets handling.

PSMC applications

Security issues of PSMC.

Conclusion
Introduction

The connections between two network nodes are mostly
single path connections in today’s network
environment.

Multipath connections provide potentially multiple
paths between network nodes, so that the traffic from a
source can be spread over multiple paths and
transmitted in parallel through the network.
Single path connection vs. multipath connections
The benefits of multipath connections

Utilize the network resources more efficiently,

Improve the effective bandwidth of network nodes,

Increase packet delivery reliability,

Provide quality-of-service guarantees,

Cope well with network congestion, link breakage and
burst traffic.
Related works on multipath connections

The IBM Systems Network Architecture (SNA)
network in 1974.

N. F. Maxemchuk in 1975 (dispersity routing). The
research was extended to virtual circuit networks and
ATM network.

Categories of multipath connections based on the OSI
7-layer network model
1. Physical layer: one example is multipath interference,
which causes FM radio to sound staticky.
2. Data link layer: Link Aggregation, defined in IEEE
802.3ad.
Related works on multipath connections
3. Network layer: has been studied extensively as multipath
routing.
a. Wired network:
Table-driven routing (link state or distance vector),
Source Routing,
MultiProtocol Label Switching (MPLS).
b. Wireless ad hoc network:
Table-driven routing (link state or distance vector),
Source Routing.
4. Transport layer: Linux multipath connections for
multiple ISP connections.
Proxy Server based Multipath Connections (PSMC)

We propose to study proxy server based multipath
connections (PSMC). It is a cross-layer implementation.

The key idea of PSMC is as follows.

By using a set of connection relay proxy servers, we could set
up indirect routes via the proxy servers, and transport packets
over the network through the indirect routes.

By enhancing existing TCP/IP protocols, we could efficiently
distribute and reassemble packets among multiple paths at two
end nodes, and increase end-to-end TCP throughput.

The approach offers applications the ability to increase the
network performance, efficiency, stability, availability and
security.
PSMC diagram
Why PSMC

PSMC has the advantages of other multipath connection approaches.

Flexibility: PSMC can be deployed more conveniently and adaptively
in various network environments. PSMC does not require
changes to the physical network infrastructure, only feasible
changes to network software and protocols. PSMC also gives end
users more control over setting up multipath connections.

Compatibility: PSMC utilizes existing TCP/IP protocols and network
infrastructure. This ensures compatibility with the current Internet.
It also preserves performance, efficiency and reliability, and hides the
complexity from end users.

Applications: A large number of applications in various categories
could benefit from utilizing PSMC. For example, secure collective
defense network (SCOLD), providing additional bandwidth based on
operational requirement, or providing QoS for video streaming.
Three components in PSMC

The multipath sender is responsible for efficiently and
adaptively distributing packets over the selected multiple
paths. Some of the packets go through the normal
direct route; the others go through the indirect
routes via the proxy servers.

The intermediate connection relay proxy servers
examine the incoming packets and forward them to the
destinations through the selected path.

The multipath receiver collects the packets arriving
from multiple paths, reassembles them in order and
delivers them to the user.
Algorithms for PSMC

Proxy server selection is a critical part of PSMC.
Different proxy server selections result in different
performance.
We have developed heuristic algorithms to choose the best
mirror sites for parallel download from multiple mirror
sites, which can be viewed as a subproblem of PSMC.
Server Location Problem

Two proxy server selection problems need to be solved.
1) Server Selection Problem. Given the target server location and a
set of proxy servers, choose the best proxy server(s) for a client or
for a group of clients, to achieve the best performance in terms of
bandwidth.
2) Server Placement Problem. Given the target server location and a
set of nodes, choose the best node(s) at which to place the proxy servers,
for certain connection requirements, like maximizing the network
aggregated bandwidth.

These are likely NP-hard problems. Heuristic algorithms, or loosening the
optimality constraints, can simplify the problem.
(Figure: diagram of the server selection problem and the server placement problem)
Related work on algorithms

The mirror server and web cache server selection
problem has been studied in recent years.
There are two types of approaches.
1) Formal approach: based on graph theory.
Common assumptions for obtaining the network graph are:
a) network topology known in advance,
b) path cost known in advance,
c) single and static connection.
Algorithms include:
a) random algorithm,
b) greedy algorithm,
c) tree-based algorithm,
d) k-min algorithm.
2) Practical approach: no such assumptions, aimed at the real world.
a) IDMap,
b) Client clustering.
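The server selection and placement problems above, and the greedy heuristic listed under the formal approach, as a worked example added here (it is not part of the proposal or its code): the network is a directed graph with link capacities, the bandwidth of an indirect route client -> proxy -> target is its bottleneck link found with a widest-path variant of Dijkstra, and a group of clients is served by placing k proxies so that the sum of each client's best bottleneck bandwidth is maximized. The greedy heuristic is compared against brute force on a constructed topology; the topology, capacities and the "each client uses its best chosen proxy" objective are assumptions made for the illustration.

```python
import heapq
from itertools import combinations

# Constructed sample topology (not from the proposal). Directed links with
# capacity in Mbit/s: client networks a..d, routers r1/r2, candidate proxies
# p1..p3 and the target t.
LINKS = [
    ("a", "r1", 40), ("b", "r1", 40), ("r1", "p1", 60),
    ("c", "r2", 40), ("d", "r2", 40), ("r2", "p2", 60),
    ("a", "p3", 45), ("c", "p3", 45),
    ("p1", "t", 100), ("p2", "t", 100), ("p3", "t", 100),
]
CLIENTS = ["a", "b", "c", "d"]
PROXIES = ["p1", "p2", "p3"]
TARGET = "t"


def build_graph(links):
    g = {}
    for u, v, cap in links:
        g.setdefault(u, {})[v] = cap
        g.setdefault(v, {})          # make sure sink nodes exist
    return g


def widest_paths(g, src):
    """Widest-path (max-min) variant of Dijkstra: bottleneck capacity of the
    best path from src to every reachable node."""
    best = {src: float("inf")}
    heap = [(-best[src], src)]
    while heap:
        neg, u = heapq.heappop(heap)
        if -neg < best[u]:
            continue                 # stale heap entry
        for v, cap in g[u].items():
            width = min(-neg, cap)
            if width > best.get(v, 0):
                best[v] = width
                heapq.heappush(heap, (-width, v))
    return best


def indirect_bandwidth(g, client, proxy, target):
    """Bottleneck of the indirect route client -> proxy -> target. Joining the
    widest client->proxy leg to the widest proxy->target leg gives the widest
    route through that proxy, so min() of the two legs is exact."""
    to_proxy = widest_paths(g, client).get(proxy, 0)
    to_target = widest_paths(g, proxy).get(target, 0)
    return min(to_proxy, to_target)


def aggregate_bandwidth(bw, clients, chosen):
    """Each client uses the best proxy among those chosen; the objective is the
    sum of those bottlenecks (simplifying model: routes do not share a bottleneck)."""
    return sum(max((bw[c][p] for p in chosen), default=0) for c in clients)


def greedy_placement(bw, clients, candidates, k):
    """Greedy heuristic: repeatedly add the candidate with the largest marginal gain."""
    chosen = []
    for _ in range(k):
        remaining = [p for p in candidates if p not in chosen]
        if not remaining:
            break
        chosen.append(max(remaining, key=lambda p: aggregate_bandwidth(bw, clients, chosen + [p])))
    return chosen


def optimal_placement(bw, clients, candidates, k):
    """Brute force over all k-subsets, feasible only for small instances."""
    return max(combinations(candidates, k), key=lambda s: aggregate_bandwidth(bw, clients, list(s)))


def bandwidth_matrix(links, clients, proxies, target):
    g = build_graph(links)
    return {c: {p: indirect_bandwidth(g, c, p, target) for p in proxies} for c in clients}


def run_example(k=2):
    bw = bandwidth_matrix(LINKS, CLIENTS, PROXIES, TARGET)
    greedy = greedy_placement(bw, CLIENTS, PROXIES, k)
    optimal = list(optimal_placement(bw, CLIENTS, PROXIES, k))
    return {"bw": bw, "greedy": greedy, "greedy_total": aggregate_bandwidth(bw, CLIENTS, greedy),
            "optimal": optimal, "optimal_total": aggregate_bandwidth(bw, CLIENTS, optimal)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

On this topology the greedy pass first takes p3, the proxy with the largest stand-alone value, and then can only add one of the 40 Mbit/s specialists, ending at 130 Mbit/s, while the exhaustive search finds that p1 and p2 together serve all four clients for 160 Mbit/s. That gap is the reason the proposal treats selection and placement as heuristic problems rather than solved ones.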
Why PSMC algorithms?

Even though there are various server selection
algorithms and approaches, ad hoc selection is still
the main approach used in practice.
Existing server selection algorithms only study the
cases of mirror servers and cache servers. But the
proxy servers in PSMC have several unique characteristics, which
result in different optimality constraints and optimization
goals.
Further study on algorithms needs to be done.
PSMC Protocols: packets handling

Protocols need to be designed to distribute, reassemble
and transmit packets.

Packet distribution and reassembly: add a thin layer
between TCP/UDP and IP (a Linux kernel enhancement).
Linux Virtual Server packet handling; ATCP packet
handling.

Why add a thin layer?
a) Utilize existing TCP/IP protocols, particularly the
packet re-sequencing and re-sending mechanisms.
b) Hide the complexity of multipath connections from
upper layer users.
c) Maintain high end-to-end TCP throughput.
PSMC Protocols: packet transmission

Packet transmission: after investigating various
approaches, such as SOCKS proxy servers and Zebedee, we
proposed to use IP tunnels or IPSec to enable indirect
routes via proxy servers.

IP tunneling is well developed and widely available. It
is a layer 2 protocol, transparent to higher layers. IP
tunneling performance is acceptable.

Tunneling protocol enhancements for PSMC, such as a
tunnel handshake, host authentication and security
mechanisms; VPN tunneling protocols.
Special issues on PSMC Protocols

Two special issues for PSMC protocols:
a) Fail-over, packet resend and packet re-sequencing
mechanisms when packets are lost or connections are
broken.
b) Sticky-connection mechanism when packets need to
be sent through a particular route, like HTTP keep-alive.
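The three PSMC components, the thin layer between TCP/UDP and IP, and the fail-over, resend, re-sequencing and sticky-connection issues just listed, as a simulation added here (it is not the proposal's kernel code): a sender assigns thin-layer sequence numbers and spreads segments over the direct and indirect routes by weighted round-robin, each path applies a constructed latency and loss pattern, the receiver re-sequences what arrives and reports the gap, and the sender resends the lost segment on a path other than the one that lost it. Path names, weights, latencies, the segment size and the loss pattern are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number assigned by the thin layer (independent of TCP's)
    payload: bytes
    path: str       # the route that carried it: direct, or indirect via a proxy


@dataclass
class Path:
    name: str
    weight: int                    # share of traffic, e.g. derived from measured bandwidth
    latency: int                   # constructed delay units; drives reordering at the receiver
    drop: frozenset = frozenset()  # constructed loss pattern: seqs this path loses
    sent: int = 0

    def carry(self, segments):
        """Return (arrival_time, segment) for the segments that survive this path."""
        self.sent += len(segments)
        return [(self.latency + i, s) for i, s in enumerate(segments) if s.seq not in self.drop]


class MultipathSender:
    def __init__(self, paths, mss=4):
        self.paths = {p.name: p for p in paths}
        self.mss, self.next_seq = mss, 0
        self.unacked = {}          # seq -> Segment still outstanding

    def segment(self, data):
        """Cut the upper-layer stream into (seq, payload) chunks of at most mss bytes."""
        chunks = [(self.next_seq + i, data[off:off + self.mss])
                  for i, off in enumerate(range(0, len(data), self.mss))]
        self.next_seq += len(chunks)
        return chunks

    def schedule(self, chunks, sticky=None, exclude=()):
        """Weighted round-robin over usable paths; `sticky` pins every chunk to one
        path (the sticky-connection case, e.g. HTTP keep-alive)."""
        usable = ([self.paths[sticky]] if sticky
                  else [p for p in self.paths.values() if p.name not in exclude])
        rotation = [p.name for p in usable for _ in range(p.weight)]
        segs = [Segment(seq, payload, rotation[i % len(rotation)])
                for i, (seq, payload) in enumerate(chunks)]
        for s in segs:
            self.unacked[s.seq] = s
        return segs

    def transmit(self, segs):
        """Push each segment down its path; arrivals are ordered by latency, so the
        receiver sees them out of order."""
        by_path = defaultdict(list)
        for s in segs:
            by_path[s.path].append(s)
        arrivals = []
        for name, group in by_path.items():
            arrivals.extend(self.paths[name].carry(group))
        arrivals.sort(key=lambda t: (t[0], t[1].seq))
        return [s for _, s in arrivals]

    def resend(self, missing):
        """Fail-over: resend a lost segment on any path other than the one that lost it."""
        resent = []
        for seq in missing:
            lost = self.unacked[seq]
            resent.extend(self.schedule([(seq, lost.payload)], exclude=(lost.path,)))
        return resent

    def ack(self, seqs):
        for seq in seqs:
            self.unacked.pop(seq, None)


class MultipathReceiver:
    def __init__(self):
        self.next_seq, self.pending = 0, {}      # next expected seq; held-back segments
        self.delivered, self.highest_seen, self.acked = bytearray(), -1, []

    def receive(self, segs):
        for s in segs:
            self.highest_seen = max(self.highest_seen, s.seq)
            self.acked.append(s.seq)
            if s.seq >= self.next_seq:
                self.pending[s.seq] = s.payload
        while self.next_seq in self.pending:      # re-sequencing: hand contiguous data up
            self.delivered += self.pending.pop(self.next_seq)
            self.next_seq += 1

    def missing(self):
        """Gaps below the highest sequence number seen: a selective-ack style report."""
        return [q for q in range(self.next_seq, self.highest_seen + 1) if q not in self.pending]


def run_demo():
    data = b"PSMC spreads one TCP stream over several routes"   # constructed payload, 47 bytes
    paths = [Path("direct", weight=1, latency=1),
             Path("via-proxy1", weight=2, latency=3, drop=frozenset({5})),
             Path("via-proxy2", weight=1, latency=2)]
    sender, receiver = MultipathSender(paths, mss=4), MultipathReceiver()
    receiver.receive(sender.transmit(sender.schedule(sender.segment(data))))
    lost = receiver.missing()                        # the gap left by via-proxy1
    retry = sender.resend(lost)
    receiver.receive(sender.transmit(retry))
    sender.ack(receiver.acked)
    return {"data_ok": bytes(receiver.delivered) == data, "lost": lost,
            "resent_on": [s.path for s in retry],
            "per_path": {p.name: p.sent for p in paths},
            "outstanding": len(sender.unacked)}
```

The sequence numbers live in the thin layer, so the TCP instance above it never sees the reordering or the loss; it only observes an in-order stream with a short stall while the resend completes, which is the property the proposal relies on for keeping end-to-end TCP throughput high.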

Inside a corporate environment, alternate solutions for
setting up multipath connections include:
a) modifying the routing table in the router,
b) MPLS,
c) source routing.
PSMC prototypes and applications

Secure Collective Defense (SCOLD) network. SCOLD
tolerates DDoS attacks through indirect routes via
proxy servers, and improves network performance by
spreading packets over multiple indirect routes.
SCOLD incorporates various cyber security
techniques, such as secure DNS update, an Autonomous Anti-DDoS network and IDIP protocols.

We have finished the prototype of the SCOLD system. We
plan to enhance SCOLD for better scalability,
reliability, performance and security.
Intrusion defense mechanism

Intrusion Prevention
  General Security Policy
  Ingress/Egress Filtering
  Honey pot

Intrusion Detection
  Host-based IDS (Tripwire)
  Anomaly Detection
  Misuse Detection

Intrusion Response
  Identification / Trace back / Pushback

Intrusion Tolerance: SCOLD
SCOLD: victim under DDoS attacks
(Figure: client networks A.com, B.com and C.com, with their resolvers DNS1-DNS3, send client traffic to target.com through the main gateway R; DDoS attack traffic converges on R. R1-R3 are the "back door" alternate gateways.)

The main gateway R is under attack; we want to inform clients to go through the "back door", the alternate gateways R1-R3. We need to hide the IPs of R1-R3, otherwise they are subject to potential attacks too.
How to inform the clients? How to hide the IPs of R1-R3?
SCOLD: raise alarm (1) and inform clients (2)
(Figure: the same topology with a Reroute Coordinator and Proxy1 added; step 1 "raise alarm" goes from gateway R to the Reroute Coordinator, step 2 "inform clients" goes from the Coordinator to the client networks.)

1. The IDS on gateway R detects the intrusion and raises an alarm to the Reroute Coordinator.
2. The Coordinator informs clients of the new route:
a) inform the clients' DNS; b) inform the clients' network proxy server; c) inform the clients directly;
d) inform the proxy servers and ask them to do (a - c).
SCOLD: set up new indirect route (3)
(Figure: clients in A.com, B.com and C.com reach target.com through Proxy1-Proxy3 and the alternate gateways R1-R3, labelled "3: new route"; the Reroute Coordinator and DNS sit behind the proxies.)

3. Clients set up a new indirect route to the target via the proxy servers.
Proxy servers: equipped with IDS to defend against attacks; hide the alternate gateways and the reroute coordinator; provide potentially multiple paths.
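The SCOLD sequence above (raise alarm, inform clients, set up the indirect route) as a self-contained model added here; it is not the SCOLD prototype's code. A rate-threshold stand-in for the gateway IDS raises the alarm, the Reroute Coordinator pushes authenticated DNS updates that point target.com at a proxy (a TSIG-style shared-key HMAC is assumed as the "secure DNS update"), each proxy relays towards an alternate gateway that only it and the coordinator know, and the checks at the end verify that no client-visible DNS answer ever contains an R1-R3 address and that an update without the key is refused. Addresses are RFC 5737 documentation ranges; keys and traffic samples are constructed.

```python
import hashlib
import hmac

# Constructed addressing in RFC 5737 documentation ranges; not the SCOLD testbed's values.
TARGET = "target.com"
MAIN_GATEWAY = "192.0.2.1"                                 # R: the public, attacked main gateway
ALT_GATEWAYS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]  # R1-R3: the "back door", to be hidden
PROXY_IPS = {"proxy1": "198.51.100.1", "proxy2": "198.51.100.2", "proxy3": "198.51.100.3"}
CLIENT_DNS = ["DNS1", "DNS2", "DNS3"]                      # resolvers of A.com, B.com, C.com


def update_tag(key, hostname, ip):
    """TSIG-style authenticator for a DNS update (assumed model of 'secure DNS update')."""
    return hmac.new(key, f"{hostname}={ip}".encode(), hashlib.sha256).digest()


class GatewayIDS:
    """Stand-in for the IDS on gateway R: a constructed packet-rate threshold."""
    def __init__(self, coordinator, pps_threshold=10_000):
        self.coordinator, self.pps_threshold = coordinator, pps_threshold

    def observe(self, pps_samples):
        for i, pps in enumerate(pps_samples):
            if pps > self.pps_threshold:
                self.coordinator.raise_alarm(source="R", sample=i)   # step 1: raise alarm
                return i
        return None


class ClientDNS:
    """A client-side resolver that accepts only authenticated updates."""
    def __init__(self, name, key):
        self.name, self.key, self.records = name, key, {}

    def update(self, hostname, ip, tag):
        if not hmac.compare_digest(update_tag(self.key, hostname, ip), tag):
            return False                        # unauthenticated update: refused
        self.records[hostname] = ip
        return True

    def resolve(self, hostname):
        return self.records.get(hostname, MAIN_GATEWAY)


class Proxy:
    def __init__(self, name, ip):
        self.name, self.ip, self.backdoor = name, ip, None   # backdoor set only by the coordinator

    def forward(self, client_pkt):
        """Relay towards the alternate gateway; the client only ever sees self.ip."""
        return {"from": self.ip, "to": self.backdoor, "payload": client_pkt["payload"]}


class RerouteCoordinator:
    def __init__(self, proxies, dns_servers, keys):
        self.proxies, self.dns_servers, self.keys = proxies, dns_servers, keys
        self.alarms, self.assignments = [], {}

    def raise_alarm(self, source, sample):
        self.alarms.append((source, sample))
        self.reroute()

    def reroute(self):
        """Step 2: pair each proxy with an alternate gateway, then point each client
        resolver at a proxy address (option a of the proposal's list)."""
        for proxy, alt in zip(self.proxies, ALT_GATEWAYS):
            proxy.backdoor = alt
        for i, dns in enumerate(self.dns_servers):
            proxy = self.proxies[i % len(self.proxies)]
            if dns.update(TARGET, proxy.ip, update_tag(self.keys[dns.name], TARGET, proxy.ip)):
                self.assignments[dns.name] = proxy.name


def run_scenario(pps_samples=(800, 950, 870, 42_000, 51_000)):
    keys = {n: hashlib.sha256(f"constructed-key-{n}".encode()).digest() for n in CLIENT_DNS}
    dns_servers = [ClientDNS(n, keys[n]) for n in CLIENT_DNS]
    proxies = [Proxy(n, ip) for n, ip in PROXY_IPS.items()]
    coordinator = RerouteCoordinator(proxies, dns_servers, keys)
    ids = GatewayIDS(coordinator)

    before = {d.name: d.resolve(TARGET) for d in dns_servers}
    alarm_at = ids.observe(pps_samples)
    after = {d.name: d.resolve(TARGET) for d in dns_servers}

    # step 3: a client in each network sends to whatever its resolver now returns
    relayed_to = []
    for d in dns_servers:
        proxy = next((p for p in proxies if p.ip == after[d.name]), None)
        relayed_to.append(proxy.forward({"payload": b"GET /"})["to"] if proxy else after[d.name])

    client_visible = set(before.values()) | set(after.values())
    forged = dns_servers[0].update(TARGET, "203.0.113.66", b"\x00" * 32)   # wrong key: must fail
    return {"alarm_at": alarm_at, "before": before, "after": after,
            "assignments": coordinator.assignments,
            "hidden_ok": client_visible.isdisjoint(ALT_GATEWAYS),
            "relayed_to": relayed_to,
            "forged_update_accepted": forged,
            "resolves_after_forgery": dns_servers[0].resolve(TARGET)}
```

The separation that matters for the "how to hide the IPs of R1-R3" question is visible in the data flow: the only address a client network ever learns is a proxy's, the alternate gateway address appears solely in the proxy-to-gateway hop, and a resolver that accepted unauthenticated updates would let anyone redirect the clients, which is why the update path is authenticated.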
SCOLD Testbed
Performance of SCOLD
Table 1: Ping Response Time (on 3 hop route)

                    direct route    indirect route
No DDoS attack      0.49 ms         0.65 ms
DDoS attack         225 ms          0.65 ms

Table 2: SCOLD FTP/HTTP download Test (from client to target)

Doc size   No DDoS, direct     DDoS, direct        No DDoS, indirect   DDoS, indirect
           FTP       HTTP      FTP       HTTP      FTP       HTTP      FTP       HTTP
100k       0.11 s    3.8 s     8.6 s     9.1 s     0.14 s    4.6 s     0.14 s    4.6 s
250k       0.28 s    11.3 s    19.5 s    13.3 s    0.31 s    11.6 s    0.31 s    11.6 s
500k       0.65 s    30.8 s    39 s      59 s      0.66 s    31.1 s    0.67 s    31.1 s
1000k      1.16 s    62.5 s    86 s      106 s     1.15 s    59 s      1.15 s    59 s
2000k      2.34 s    121 s     167 s     232 s     2.34 s    122 s     2.34 s    123 s
Other PSMC applications

Other PSMC applications include:

PSMC in wireless ad hoc networks: a good test of PSMC's
ability to adapt to a dynamic environment, and of packet resending
and re-sequencing.

Indirect routes upon operational request: provide additional
bandwidth and a backup route based on operational
requirements.

Providing QoS for video streaming: send different portions of
the stream through different paths.

Parallel download from multiple mirror sites: server selection
algorithm implementation.
PSMC applications evaluation

We will evaluate the overhead of multipath
connections, including tunneling overhead, handshake
overhead, and packet distribution/reassembly overhead.

We will evaluate the performance of multipath
connections in terms of response time, throughput and
bandwidth.

We will also compare PSMC with other multipath
connections approaches, like source routing, or Linux
multipath connections.

We will conduct extensive simulation studies of PSMC
applications in virtual networks, real networks, small
scale networks and large scale networks.
Security issues related to PSMC

Potential security issues raised by misuse of PSMC:
how to control aggressive clients?

Potential attacks against PSMC: tunneling to death?
(similar to the ping of death).

Detecting compromised nodes in the PSMC network (through
dynamic IP?).

Study the collective defense mechanism to tie different
organizations together with better cooperation and
collaboration.
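For the "how to control aggressive clients" question, one mitigation a proxy operator would reach for, added here as an illustration rather than a mechanism the proposal specifies: a per-client token bucket enforced at the PSMC proxy, in which a tunnel set-up request is charged more tokens than an ordinary relayed packet, replayed over a constructed request log. Rates, costs and the traffic pattern are assumptions; the clients named are constructed.

```python
from collections import defaultdict

# Constructed request log: (timestamp in seconds, client, cost). Ordinary relayed
# packets cost 1 token; a tunnel set-up request is weighted more heavily.
TUNNEL_SETUP_COST = 3.0
EVENTS = ([(float(t), "clientA", 1.0) for t in range(5)]          # polite: 1 request/s
          + [(10.0, "clientX", 1.0)] * 20                          # burst: 20 requests at once
          + [(10.5, "clientX", TUNNEL_SETUP_COST), (12.0, "clientX", TUNNEL_SETUP_COST)])


class ClientLimiter:
    """Per-client token bucket enforced at a PSMC proxy (assumed mitigation)."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = rate_per_s, burst
        self.tokens = defaultdict(lambda: float(burst))   # new clients start with a full bucket
        self.last = {}
        self.accepted = defaultdict(int)
        self.rejected = defaultdict(int)

    def allow(self, client, now, cost=1.0):
        """Refill this client's bucket for the time elapsed, then try to charge `cost`."""
        elapsed = now - self.last.get(client, now)
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        self.last[client] = now
        if self.tokens[client] >= cost:
            self.tokens[client] -= cost
            self.accepted[client] += 1
            return True
        self.rejected[client] += 1
        return False

    def aggressive(self, min_rejections=10):
        """Clients whose rejections crossed the threshold: candidates for an alert."""
        return sorted(c for c, n in self.rejected.items() if n >= min_rejections)


def replay(events, rate_per_s=2.0, burst=5.0):
    """Run the limiter over a request log in timestamp order and summarise per client."""
    limiter = ClientLimiter(rate_per_s, burst)
    for now, client, cost in sorted(events):
        limiter.allow(client, now, cost)
    return {"accepted": dict(limiter.accepted), "rejected": dict(limiter.rejected),
            "aggressive": limiter.aggressive()}
```

With a rate of 2 tokens/s and a burst of 5, the polite client is never refused, while the bursting client gets its first five requests through, loses the remaining fifteen, is refused a tunnel set-up half a second later because the bucket has refilled to only one token, and is admitted again once enough time has passed; the rejection count is what an operator would feed into alerting.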
Contributions:

Systematically study the proxy server based multipath
connections (PSMC), including

Algorithms for server selection,

Protocols for packet handling,

Applications and prototypes

Security issues.
Conclusion

PSMC offers applications the ability to increase the
network performance, efficiency, stability, availability
and security.

In addition, PSMC offers more flexibility, compatibility
and usability than other types of multipath connections.

Study on PSMC could have a broader impact on today's
Internet topology and security.