Incentives-Compatible P2P Multicast
Tsuen-Wan “Jonny” Ngan, Dan S. Wallach, Peter Druschel
Presenter: Jianming Zhou

Motivation
- P2P multicast system
- Freeloaders: peers that do not follow the protocol
  - Refuse to forward the stream
  - Refuse to accept any children
- The tit-for-tat strategy of other P2P systems does not map clearly onto multicast systems
  - Because ALM static trees are constructed once and used forever
- Need a way to detect misbehaving peers and refuse to grant them service

Idea
- Basic idea
  - Peers make judgments by observing the behavior of their upstream peers
  - Peers periodically reverse their relationships by reconstructing the tree, in order to detect freeloaders
- General enough to be applied to almost any tree-based multicast system
- This paper uses SplitStream as a concrete example

Model
- SplitStream
  - Based on Pastry + Scribe
- Key idea:
  - Split the original content stream into k stripes
  - Multicast each stripe using a separate multicast tree
  - Nodes subscribe to k different trees, with the roots spread uniformly around the Pastry ring
  - Every node will (most likely) be an interior node in exactly one tree and a leaf node in the remaining k-1 trees
- Objective:
  - Fairness of node load: every node has k parents and k children

Assumptions
- Malicious behavior is not addressed
  - Many techniques limit the damage of malicious nodes in a P2P network [Castro et al.]
- Freeloading behaviors
  - A node falsely claims its bandwidth and refuses to accept a new child
  - A node only joins as a leaf node but refuses to be an interior node
  - Nodes can form a conspiracy to be freeloaders
  - …

Designs
- Naïve approach
  - Require every node to forward at least the same amount of data as it received
  - Nodes will prefer to forward “correct data”
- Problems
  - Waste of bandwidth
  - Legitimate traffic drops
  - Cannot prevent nodes from falsely claiming their bandwidth and refusing to accept children
  - Hard to differentiate good luck from freeloading

Fairness mechanisms 1
- Debt maintenance
  - When A forwards data to B, both nodes record that B owes A a debt of one packet
  - When the debt exceeds some threshold, A might refuse to send further data to B
- Ancestor rating
  - Extension of debt maintenance
  - Apply the debt to all ancestors instead of only the immediate parent
  - When a node receives [does not receive] a packet, it increments [decreases] its confidence value for each node on the path to the root
  - When trees are reconstructed, any blame assigned falsely or due to lost packets is averaged out, while freeloaders are eventually pinpointed

Fairness mechanisms 2
- Periodic tree reconstruction
  - Every node will benefit or suffer for at most a fixed time period
  - New trees can be built concurrently while existing trees are in use
  - A new tree should be sufficiently different from the old one
  - Trade-off between the bandwidth overhead of tree reconstruction and fairness

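How ancestor rating and periodic tree reconstruction work together, as an added simulation that is not taken from the paper or the slides. It shows one observer's view; the node count, path depth, loss rate, packets per tree, the freeloader's ID (7) and the suspicion threshold of 0 are all assumptions chosen for illustration.

```python
import random

def observe(num_nodes=20, depth=3, epochs=600, packets=10, loss=0.02,
            freeloaders=frozenset({7}), seed=1):
    # Confidence values that observer node 0 accumulates about every other node.
    rng = random.Random(seed)
    others = list(range(1, num_nodes))
    confidence = dict.fromkeys(others, 0)
    for _ in range(epochs):                  # one epoch = one reconstructed tree
        path = rng.sample(others, depth)     # node 0's ancestors in this tree
        blocked = any(a in freeloaders for a in path)
        for _ in range(packets):
            received = not blocked and rng.random() >= loss
            for a in path:                   # the whole path is credited or blamed
                confidence[a] += 1 if received else -1
    return confidence

def suspects(confidence, threshold=0):
    # Nodes whose accumulated confidence fell below the (assumed) threshold.
    return sorted(n for n, c in confidence.items() if c < threshold)
```

With a single static tree (`epochs=1`) every ancestor on the path ends up with the same score, so the observer cannot tell which one is at fault; only repeated reconstruction separates the freeloader from the honest nodes that happened to share a path with it.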
Fairness mechanisms 3
- Parental availability
  - Measures whether a prospective parent finally becomes a parent
  - Hard to differentiate a false claim from being genuinely out of capacity
  - Protocol dependent
  - But a node that consistently refuses to accept a child is highly likely to be a freeloader

Fairness mechanisms 4
- Reciprocal requests
  - Two well-behaved nodes have an equal chance of being parent or child
  - Need a way to judge
  - When A requests B to be its parent, B occasionally attempts to make A its parent by requesting to join directly under A in a tree where A is supposed to be an interior node
  - If A refuses consistently, A is likely to be a freeloader

Enforcement techniques
- The previous mechanisms rely on knowledge of the ancestors
  - Selfish nodes have no incentive to provide correct information
  - Solution: data and path authentication => hash chain
- Sybil attack
  - Nodes with a poor reputation can quit and rejoin using a new ID
  - A node with multiple IDs
  - Solution: certified node IDs / high maintenance overhead of node IDs
  - Put new nodes on probation with low quality of service
    - A new node will not be able to join a tree until it is being reconstructed, i.e. a node will receive stripes step by step
    - Nodes suffer if they contribute nothing
    - Nodes have to contribute to gradually gain better service

Hash Chain 1
- Generate a value $x_n$ (sufficiently large $n$)
- Iteratively compute $x_{n-1}, \ldots, x_0$ by $x_i = h(x_{i+1})$, where $h$ is a one-way hash, e.g. MD5, SHA-1
- $x_0$ is known by all nodes
- The source computes the MD (message digest) for the $i$-th packet: $d_i = h(\mathrm{data}_i, x_i)$

Hash Chain 2
(Figure: nodes S, A, B and F; the $i$-th packet)
- Compute: $d_i = h(\mathrm{data}_i, x_i)$
- Send: $h(d_i, A)$ + hash chain value $x_{i-1}$
- Receive: $h(d_i, A)$ + hash chain value $x_{i-1}$
- Send:
  - $h(h(d_i, A), B)$ + hash chain value $x_{i-1}$ to B
  - $h(h(d_i, A), F)$ + hash chain value $x_{i-1}$ to F
- The $(i+1)$-th packet contains $x_i$; upon receipt of $x_i$:
  - Confirm $x_{i-1} = h(x_i)$
  - Verify the integrity of the previous packet by reconstructing the message digest using $x_i$ and the path

Hash chain 3
- How it works:
  - Lost packet? Hash repeatedly until the result matches the last seen $x_i$
  - New node? Hash repeatedly until reaching $x_0$
  - Used up $x_n$? Regenerate a new chain
  - Fake path? Impossible without knowing $x_i$, which is not revealed until it is obsolete!
- But nodes can still lie about their children!

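The hash chain from the three slides above, as an added worked example that is not code from the paper or the presenter. SHA-256, the length-prefixed encoding, the function names and all sample values are assumptions; node IDs are the letters used on the slide.

```python
import hashlib
import hmac

def h(*parts: bytes) -> bytes:
    # One-way hash h. SHA-256 is this example's choice; the slides name MD5/SHA-1.
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)  # length prefix keeps fields unambiguous
    return m.digest()

def make_chain(x_n: bytes, n: int) -> list:
    # Returns [x_0, ..., x_n] with x_i = h(x_{i+1}); x_0 is published to all nodes.
    chain = [x_n]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain[::-1]

def path_tag(data: bytes, x_i: bytes, path: list) -> bytes:
    # d_i = h(data_i, x_i), then one fold per hop: h(h(d_i, A), B), ...
    tag = h(data, x_i)
    for node_id in path:
        tag = h(tag, node_id)
    return tag

def steps_to(x_new: bytes, x_seen: bytes, max_gap: int) -> int:
    # Hash x_new until it matches the last value seen; -1 means it is off the chain.
    v = x_new
    for k in range(1, max_gap + 1):
        v = h(v)
        if v == x_seen:
            return k
    return -1

def verify_previous(data: bytes, tag: bytes, x_i: bytes, path: list) -> bool:
    # Run once x_i is disclosed: rebuild packet i's digest over the claimed path.
    return hmac.compare_digest(path_tag(data, x_i, path), tag)

def demo() -> dict:
    chain = make_chain(b"constructed-secret-x_n", 8)  # constructed sample values
    i, data, path = 3, b"stripe payload 3", [b"A", b"B"]  # receiver B sits under A
    tag = path_tag(data, chain[i], path)  # arrives with x_{i-1} in packet i
    return {
        "next_packet": steps_to(chain[i], chain[i - 1], 4),     # x_i in packet i+1
        "after_loss": steps_to(chain[i + 1], chain[i - 1], 4),  # packet i+1 lost
        "new_node": steps_to(chain[5], chain[0], 8),            # joiner knows only x_0
        "off_chain": steps_to(b"forged", chain[i - 1], 4),
        "recovered": verify_previous(data, tag, h(chain[i + 1]), path),
        "fake_path": verify_previous(data, tag, chain[i], [b"F", b"B"]),
    }
```

The `recovered` case covers the lost-packet slide: after packet i+1 is lost, the receiver derives $x_i$ by hashing the $x_{i+1}$ carried in packet i+2 and can still verify packet i.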
Performance Study 1
- Setup:
  - SplitStream
  - Stochastic model for node proximity
  - 500 nodes randomly distributed on a plane
  - Each node subscribes to 16 trees
  - Good nodes accept up to 16 children

Tree Reconstruction Cost
- 16 msgs for 500 nodes
- 64 bytes/msg, reconstruct 16 trees every 2 min, 128 Kbps stream
- 1.71% overhead

Parental Availability (PA)
- Probability that the prospective parent becomes an (in)direct parent
- PA can be very low!!!

Debt Level
- Debt / expected debt
- Cannot distinguish selfish nodes from normal nodes!!!

Confidence
- 5% selfish nodes refusing to forward data
- Effectively distinguishes selfish nodes!!!

Overall effectiveness
- Experiment setup:
  - 500 nodes with 4 selfish nodes
  - Two types of selfish nodes
  - A node will forward data unless its child has:
    - Confidence value < -2, or
    - PA < 0.44 and confidence value < 0.2
  - Reciprocal requests are used when a child attempts to contact a parent at least a factor of 8 times more often than their roles are reversed

Results
Conclusion
- The mechanisms are effective while tracking only first-hand observed behavior
- Low network and computation overhead
- Future work:
  - Robustness against more freeloaders
  - Study the dependence on the multicast application, P2P substrate, and network topology