Transcript Document

ELA: A Fully Distributed VPN over P2P Network
Sadanori Aoyagi, Makoto Takizawa, Masato Saito, Hiroto Aida, and Hideyuki Tokuda
Keio University, Japan

Outline
- Virtual Private Network (VPN)
- ELA
  - Abstract
  - Design and Implementation
  - Evaluation of ELA
- Related Work
- Future Works and Conclusion

Background

VPN
- What is a VPN?
  - An architecture that constructs a virtual private connection across a public network.
- Classification by topology:
  - Site-to-Site VPN (the usual form)
  - Overlay VPN

What is a Site-to-Site VPN?
- Used to replace a dedicated line.
[Figure: a tunnel between two sites across the public network]

Overlay VPN
- What is an overlay VPN?
  - A VPN constructed over an overlay network.
  - An overlay VPN is independent of the existing network.
[Figure: LAN 1 to LAN 4 connected across the Internet by an overlay VPN; logically equivalent to a single LAN]

Overlay VPN
- Topology
  - Client/Server
- Problem
  - Requires a server
    - Cost, single point of failure, bottleneck.
[Figure: a company's VPN across the Internet to its branches, and a client/server VPN connecting several LANs and outside nodes through one server]

The Issue
- Can we satisfy both of the following requirements?
  1. Secure connections between nodes directly.
  2. Easy setup even when there are many applications.

Proposal
- A system that constructs a secure base between user nodes extemporarily.
- ELA (Everywhere Local Area network)

ELA ~Abstract~

Abstract of ELA
- Purpose
  - To construct a secure base between user nodes
- Method
  - ELA constructs an overlay VPN between user nodes extemporarily.
[Figure: a VPN between user nodes across the Internet]

Example of the Utility
- Applications in which user nodes connect to each other directly
  - Instant Messenger, Video Chat
- Applications for a LAN
  - Groupware
  - Windows Network, NFS
  - Some network games
- Assumptions
  - All users of the nodes are acquaintances
  - Under 30 nodes.

The reason ELA constructs an Overlay VPN
- There are 3 reasons.
  - No modification of existing applications.
  - Little security risk.
  - A network independent from unknown users.

Protocol Issue
- Transport protocol used by the VPN
  - A node behind NAT connects to other nodes easily with TCP.
  - UDP is a simpler protocol than TCP.

Protocol | Merit                                            | Demerit
TCP      | A node behind NAT connects to other nodes easily | TCP over TCP
UDP      | Simple and fast                                  | Requires a port-forwarding setting in the NAT

Remarkable Points of ELA
- Network of ELA
  - Overlay VPN
  - P2P topology
    - ELA creates these automatically.
- Tunneling protocol
  - Uses 2 protocols depending on the restrictions of the network.
    - UDP if there is no restriction by NAT or firewall.
    - TCP if the node cannot use UDP.

ELA ~Design~

Image of ELA
- ELA constructs a virtual network.
  - This virtual network is defined as the ELA-VPN.
[Figure: the ELA-VPN]

Position of ELA
- ELA relays data over the ELA-VPN
  - Users can use applications as if in a LAN.
  - ELA relays data via another node if necessary
[Figure: data flow by ELA. Applications on nodes 10.0.0.1 and 10.0.0.3 communicate through the ELA process on each node across the Internet, with node 10.0.0.2 running ELA in between.]

Example of how ELA is used
1. Starting ELA
   - Type "ela", and ELA asks for user authorization.
   - The "ela0" network interface is created.
2. Communication using the IP address of the ELA-VPN
   - For example, a node uses Samba and fetches a PDF file from another node.

Step 1
# ela
# ifconfig ela0
ela0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1400
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Step 2
# smbclient \\\\10.0.0.3\\home -U sada
smb: \> get thesis.pdf

Sequence of Start inside ELA
1. Preparation
2. Constructing the ELA-VPN
3. Using the ELA-VPN

1. Preparation
1. Look up other nodes.
   • ELA does not have this feature.
   • Look up other nodes of the ELA-VPN by using WWW or e-mail.
2. User authentication
   • Nodes of the ELA-VPN share a list of users.
   • Nodes authenticate a new node against the list of users.

1. Preparation
3. ELA assigns a private IP address on the ELA-VPN.
   • The new node can use an IP address not used by the other nodes.
4. ELA classifies nodes into 2 types.
   • Core node (CN):
     • The node can send and receive data with UDP.
     • The node can be connected to from other nodes with TCP.
   • Edge node (EN):
     • Any node that is not a CN.
     • The node can connect to other nodes with TCP.

2. Constructing the ELA-VPN
- Clockwise rotation by ID
  - ID = hash(IP address)
- CN:
  - Inside of the P2P network.
  - CNs form a full-mesh topology and connect to each other with UDP.
- EN:
  - Outside of the P2P network.
  - Each EN connects to the CN whose ID is the next one after the EN's ID.

3. Connection over the ELA-VPN
- All core nodes share the routing table.
  - Key: ID
  - Value:
    - If CN: the node's IP address on the Internet.
    - If EN: the Internet IP address of the core node that the EN connects to.

Example of Relay
- Node 27 → 14
  - Node 27: relay to 3
  - Node 3: search the routing table → relay to 16
  - Node 16: relay to 14
- The maximum number of relays is 3.
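The ID ring, EN-to-CN attachment, shared routing table and relay lookup from the three slides above, as an added example that is not the authors' code. It assumes a 32-entry ID ring and SHA-1 as hash(IP address), neither of which the slides state, and uses a constructed topology (CNs 3 and 16, ENs 14 and 27) that reproduces the 27 → 3 → 16 → 14 relay.

```python
import hashlib

ID_SPACE = 32  # assumption: ring size; the slides give no parameters for hash(IP)


def node_id(ip: str, id_space: int = ID_SPACE) -> int:
    """ID = hash(IP address), reduced onto the ring (SHA-1 assumed here)."""
    return int.from_bytes(hashlib.sha1(ip.encode()).digest(), "big") % id_space


def next_core(en_id: int, core_ids, id_space: int = ID_SPACE) -> int:
    """The CN whose ID comes next clockwise after the EN's ID (wraps around)."""
    return min(core_ids, key=lambda c: (c - en_id) % id_space)


def build_routing_table(nodes: dict, id_space: int = ID_SPACE) -> dict:
    """Routing table shared by all CNs: ID -> Internet IP.
    CN: its own Internet IP.  EN: Internet IP of the CN it connects to."""
    core_ids = [nid for nid, (kind, _) in nodes.items() if kind == "CN"]
    table = {}
    for nid, (kind, ip) in nodes.items():
        table[nid] = ip if kind == "CN" else nodes[next_core(nid, core_ids, id_space)][1]
    return table


def relay_path(src: int, dst: int, nodes: dict, id_space: int = ID_SPACE) -> list:
    """IDs a packet traverses from src to dst; at most 3 relays in this topology."""
    table = build_routing_table(nodes, id_space)
    core_ids = [nid for nid, (kind, _) in nodes.items() if kind == "CN"]
    ip_to_core = {nodes[c][1]: c for c in core_ids}
    path, cur = [src], src
    if nodes[cur][0] == "EN":                  # an EN always hands off to its CN
        cur = next_core(cur, core_ids, id_space)
        path.append(cur)
    owner = ip_to_core[table[dst]]             # the CN that can deliver to dst
    if cur != owner:                           # full mesh: one UDP hop between CNs
        cur = owner
        path.append(cur)
    if dst != cur:                             # last hop down to an EN over TCP
        path.append(dst)
    return path


# Constructed topology (sample values, not from the slides): CNs 3 and 16, ENs 14 and 27.
NODES = {
    3:  ("CN", "198.51.100.3"),
    16: ("CN", "198.51.100.16"),
    14: ("EN", "203.0.113.14"),
    27: ("EN", "203.0.113.27"),
}

if __name__ == "__main__":
    print(build_routing_table(NODES))
    print(relay_path(27, 14, NODES))   # [27, 3, 16, 14]: three relays
```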

Required Features
- Constructing the P2P network
  - Constructing the topology
  - Routing
- Using it as a VPN
  - Network Pseudo Device
  - Capsulating
  - Sending, Receiving

ELA ~Implementation~

Structure of modules
[Figure: module structure. User layer: Constructing Topology module (updates the Routing Table, sends messages), Routing module (searches the Routing Table; "Is it to me?" decides between receiving locally and relaying), Capsulating module (sends and receives capsulated IP packets), Sending module, Receiving module. Kernel layer: Network Pseudo Device, through which the application sends and receives IP packets.]

When sending data
- Application
  - Sends data
- Network Pseudo Device
  - Gets the IP packet.
- Capsulating Module
  - Capsulates it
- Routing Module
  - Searches for the node to relay to
- Sending Module
  - Relays it to the other node.

When relaying data
- Receiving Module
  - Receives data which is not for this node.
- Routing Module
  - Searches for the node to relay to
- Sending Module
  - Relays it to the other node.

When receiving data
- Receiving Module
  - Receives data which is for this node
- Capsulating Module
  - Decapsulates it
- Network Pseudo Device
- Application
  - Gets the data

Prototype Implementation
- Environment
  - Red Hat Linux 7.2 (Kernel 2.4.18)
- Implementation method
  - C language
  - The NPD is implemented in the kernel layer
  - The other modules are implemented in the user layer

Implemented Modules
- Finished
  - NPD, Capsulating Module, Sending Module, Receiving Module

ELA ~Evaluation~

Evaluation
- Qualitative evaluation
  - How easy is it to construct a VPN between many user nodes?
- Quantitative evaluation
  - Overhead of ELA
  - Relation between relay count and delay

Qualitative Evaluation
- Comparing with ...
  - Point-to-Point VPN
  - Client/Server VPN

Qualitative Evaluation
[Table: rows Point-to-Point type, Client/Server type, ELA; columns Cost, Saving work of users, Automatic selection of tunneling protocol, Many nodes. Marks ○/△/× as extracted, cell positions not recoverable: ○ △ × × ○ × / ○ △ ○ × ○ ○]
- ELA is most suitable when many nodes construct a VPN with each other!

Quantitative Evaluation
- Evaluation environment
  - Constructed on VMware
    - PC (CPU Pentium4 EE 3.6GHz, Memory 2.0GB)
  - Host OS: Windows XP (SP1)
  - Guest OS: Knoppix 3.1 for VMware
[Figure: evaluation environment. Four VMware guests ① to ④ with host addresses 192.168.88.128, 192.168.88.132, 192.168.88.133 and 192.168.88.134. On the ELA-VPN: ① CN 10.0.0.1 and ② CN 10.0.0.2 connected with UDP; ③ EN 10.0.0.3 and ④ EN 10.0.0.4 connected with TCP.]

Overhead of ELA
- Measuring RTT by using ping
  1. No ELA (①⇔②)
  2. ELA, tunneling protocol is UDP (①⇔②)
  3. ELA, tunneling protocol is TCP (①⇔③)

Result of Overhead of ELA
[Chart: RTT (msec). Without ELA: 0.304; With ELA (UDP): 0.892; With ELA (TCP): 1.219]
- There is overhead from ELA.
- There is more overhead with TCP than with UDP.

Relation between relay count and delay
- Measuring RTT by using ping
  - 1 relay (③⇔①)
  - 2 relays (③⇔①⇔②)
  - 3 relays (③⇔①⇔②⇔④)
  - ※ There is no case of more than 4 relays.

Result of relation between relay count and delay
[Chart: RTT (msec). 1 hop: 1.219; 2 hops: 1.799; 3 hops: 2.453]
- More relays mean more delay.
- But the added delay is small.

Related Work

Related Work
- IVGMP (Internet VPN Group Management Protocol)
  - A VPN system
  - Every node connects to the others with IPsec.
  - The VNOC provides a policy.
  - No details of the VNOC and the topology are given.

Future Works and Conclusion

Future Works
- Implementation
  - Constructing Topology module
  - Routing module
- Evaluation
  - Use ELA in an actual environment
    - How scalable? How robust?
- Improvement of the design
  - Support QoS, improve scalability.

Conclusion
- Proposal of ELA
  - The purpose is to construct a secure base.
- Design
  - ELA constructs a VPN over a P2P network.
- Evaluation
  - ELA is most suitable when constructing a VPN between many user nodes.
  - The overhead is small

Thank you.
- Thank you for your kind attention!

Constructing Topology Module
- Forming and maintaining the P2P network
  - Node join processing (authentication, IP address assignment, etc.)
  - Forming the P2P network based on the node types
  - Updating the routing table as nodes join and leave

Routing Module
- For a core node
  - Decides the forwarding destination of the data by consulting the routing table
- For an edge node
  - Always instructs forwarding to the parent core node

NPD (Network Pseudo Device)
- Virtual network device
  - Used when an application communicates with a node on the ELA-VPN
  - Assigns the IP address and netmask on the ELA-VPN

Capsulating Module
- When sending
  - Capsulating the IP packet (adding ELA's own header, encrypting the payload)
- When receiving
  - Removing the capsulation from the IP packet

Sending Module
- Sends data according to the instructions of the routing table

Receiving Module
- Receives data from other nodes
  - Messages: passed to the Constructing Topology module
  - IP packets addressed to this node: passed to the Capsulating module
  - IP packets addressed to other nodes: passed to the Routing module

Related Work (2)
- IPv6 P2P VPN system
  - Developed by DIT Co., Ltd.
  - A VPN using the IPsec of IPv6
  - End-to-end communication
    - Management becomes complicated
  - Requires the introduction of IPv6