ELA: A Fully Distributed VPN over P2P Network
Sadanori Aoyagi, Makoto Takizawa, Masato Saito, Hiroto Aida, and Hideyuki Tokuda
Keio University, Japan
I am going to talk about "ELA ~~~~".

Outline
- VPN
- ELA
- Evaluation of ELA
- Related Work
- Future Works and Conclusion
Background
Background
There are many applications for LANs, such as Windows networking, groupware and some network games. These applications are designed for use within a LAN, so individual users cannot use them over the Internet.
(Figure: two applications on separate LANs; communication between them across the Internet is marked with an x.)

Background: VPN
A VPN is a private communications network whose traffic is carried on public network infrastructure. With a VPN, users can use LAN applications across the Internet.
(Figure: the two applications communicate over the Internet through the VPN.)

The Issue: Issues of Existing VPNs
- Duplication of private IP addresses: two sites can both use 192.168.0.1, so the addresses collide once the LANs are joined by a VPN.
- Nodes that do not use the application still receive its traffic and simply discard it (lower figure).

Proposal
ELA (Everywhere Local Area network): a system that constructs an overlay VPN extemporaneously, i.e. on the fly, between the user nodes that need it.
ELA ~Abstract~
Abstract of ELA
Purpose: to construct a secure base between user nodes.
Method: ELA constructs an overlay VPN between user nodes extemporaneously.

Example of the Utility
- Applications in which user nodes connect to each other directly: instant messenger, video chat.
- Applications for LANs: groupware, Windows networking, NFS, some network games.
Assumptions: all users of the nodes are acquaintances; under 30 nodes.

Overlay VPN
What is an overlay VPN? A VPN constructed over an overlay network. The overlay VPN is independent of the existing physical network.
(Figure: three layers, VPN over overlay network over physical network, with LAN 1 to LAN 4 joined across the Internet.)

The reasons ELA constructs an overlay VPN
There are two reasons:
- Independent private IP address assignment.
- Only specific nodes can communicate with each other by using the VPN.

Overlay VPN, Issue 1: Topology Problem
Client/Server requires a server: cost, a single point of failure and a bottleneck.
(Figure: a server on the Internet with LAN 1 to LAN 4 each connected to it.)

Overlay VPN, Issue 2: Transport Protocol used by the VPN
A node behind NAT can connect to other nodes easily with TCP. UDP is a simpler protocol than TCP.

Protocol | Merit | Demerit
TCP | A node behind NAT connects to other nodes easily | TCP over TCP (the inner and outer retransmission timers interfere, so throughput collapses under loss)
UDP | Simple and fast | Requires a port-forwarding setting in the NAT
(Speaker note: also add a brief explanation of the tunneling protocol.)

Remarkable Points of ELA
Network of ELA: an overlay VPN with a P2P topology, which ELA creates automatically.
Tunneling protocol: one of two protocols is used, depending on network restrictions.
- UDP if there is no restriction by NAT or firewall.
- TCP if the node cannot use UDP.
ELA ~Design~
Image of ELA
ELA constructs a virtual network; we define this virtual network as ELA-VPN. The nodes are deployed at various locations on the Internet, and together they construct the ELA-VPN. ELA assigns each node a unique private IP address such as 10.0.0.1. A node deployed behind a network restriction such as NAT or a firewall becomes an Edge Node; the other nodes become Core Nodes.

Position of ELA
ELA relays data over the ELA-VPN, so users can use applications as if they were in a LAN. ELA relays data via another node if necessary.
(Figure: three nodes, 10.0.0.1, 10.0.0.2 and 10.0.0.3, each running an application on top of ELA; the data flows between the applications through ELA over the Internet.)

Example of how ELA is used
Step 1: Starting ELA. The user types "ela", and ELA asks for user authentication. When ELA starts, the "ela0" network interface is created; the user can confirm it with "ifconfig":

    # ela
    # ifconfig ela0
    ela0      Link encap:Point-to-Point Protocol
              inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.0
              UP POINTOPOINT RUNNING NOARP  MTU:1400
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:10
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Step 2: Communication using the IP address on the ELA-VPN. For example, a node uses Samba to fetch a PDF file from another node:

    # smbclient \\\\10.0.0.3\\home -U sada
    smb: \> get thesis.pdf

Sequence of starting ELA
1. Preparation
2. Constructing the ELA-VPN
3. Using the ELA-VPN

1. Preparation
- Looking up other nodes: ELA does not have this feature. Users look up the other nodes of the ELA-VPN by using the WWW or e-mail.
- User authentication: the nodes of the ELA-VPN share a list of users, and authenticate a new node against that list.

1. Preparation (continued)
ELA assigns the private IP address on the ELA-VPN: a new node can use any IP address not used by the other nodes.
ELA classifies nodes into two types:
- Core node (CN): can send and receive data with UDP, and can be connected to from other nodes with TCP.
- Edge node (EN): every node that is not a CN. It can connect to other nodes with TCP.

2. Constructing the ELA-VPN
Nodes are placed on a ring in clockwise order of ID, where ID = hash(IP address).
- CN: inside the P2P network. CNs form a full-mesh topology and connect to each other with UDP.
- EN: outside the P2P network. Each EN connects to the CN whose ID is the next one after the EN's ID.

3. Connection over the ELA-VPN
All core nodes share the routing table.
- Key: ID.
- Value: for a CN, its IP address on the Internet; for an EN, the IP address on the Internet of the core node that the EN connects to.

Example of Relay: node 27 -> node 14
- Node 27 relays to node 3 (its core node).
- Node 3 searches the routing table and relays to node 16.
- Node 16 relays to node 14.
The maximum number of relays is 3.

Required Features
Constructing the P2P network: constructing the topology; routing.
Using it as a VPN: network pseudo device; capsulating; sending and receiving.
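As an added worked example (not part of the ELA slides or of its prototype), the following Python reproduces the ring construction, the parent-CN rule for edge nodes, the routing table shared by the core nodes and the relay sequence of the 27 -> 14 example. The 32-slot ID space, the use of SHA-1 as the hash, the Internet addresses and the node IDs of the worked example are all assumptions made here; the slides only state ID = hash(IP address).

```python
import hashlib
from dataclasses import dataclass

ID_BITS = 5       # assumption: a 32-slot ring, so the slide's IDs 3, 14, 16 and 27 fit
MAX_RELAY = 3     # EN -> CN -> CN -> EN is the longest path the topology allows


def node_id(inet_addr: str, bits: int = ID_BITS) -> int:
    """ID = hash(IP address). The slides do not name the hash; SHA-1 is an assumption."""
    digest = hashlib.sha1(inet_addr.encode()).digest()
    return int.from_bytes(digest, "big") % (1 << bits)


@dataclass(frozen=True)
class Node:
    nid: int          # position on the ring
    inet_addr: str    # address on the Internet (constructed for this example)
    is_core: bool     # CN: reachable over UDP and by inbound TCP; EN: everything else


class ElaRing:
    def __init__(self, nodes):
        self.nodes = {n.nid: n for n in nodes}
        self.cores = sorted(n.nid for n in nodes if n.is_core)
        if not self.cores:
            raise ValueError("at least one core node is needed")
        # Each EN hangs off the first CN clockwise after its own ID (wrapping around).
        self.parent = {n.nid: self._next_core(n.nid) for n in nodes if not n.is_core}
        # Routing table shared by all CNs: ID -> Internet address to send to.
        # A CN maps to its own address, an EN to the address of its parent CN.
        self.routing_table = {
            n.nid: n.inet_addr if n.is_core else self.nodes[self.parent[n.nid]].inet_addr
            for n in nodes
        }
        self._core_by_addr = {n.inet_addr: n.nid for n in nodes if n.is_core}

    def _next_core(self, nid):
        for c in self.cores:
            if c > nid:
                return c
        return self.cores[0]          # wrap around the ring

    def next_hop(self, at, dst):
        """What the Routing Module at node `at` does with a packet addressed to `dst`."""
        if at == dst:
            return None
        if not self.nodes[at].is_core:
            return self.parent[at]    # an EN always forwards to its parent CN
        if dst in self.parent and self.parent[dst] == at:
            return dst                # the destination EN is attached to this CN
        return self._core_by_addr[self.routing_table[dst]]   # shared-table lookup

    def relay_path(self, src, dst):
        """Sequence of nodes a packet traverses; never more than MAX_RELAY hops."""
        path = [src]
        while path[-1] != dst:
            nxt = self.next_hop(path[-1], dst)
            if nxt is None or len(path) > MAX_RELAY:
                raise RuntimeError("no route within MAX_RELAY hops")
            path.append(nxt)
        return path


# Constructed ring reproducing the slide's 27 -> 14 case: CNs at IDs 3 and 16,
# ENs at IDs 14 and 27. The IDs are given directly rather than hashed so that
# the example matches the slide; the addresses are documentation-range values.
EXAMPLE = ElaRing([
    Node(3, "198.51.100.3", True),
    Node(16, "198.51.100.16", True),
    Node(14, "203.0.113.14", False),
    Node(27, "203.0.113.27", False),
])

if __name__ == "__main__":
    print(EXAMPLE.parent)                 # {14: 16, 27: 3}
    print(EXAMPLE.relay_path(27, 14))     # [27, 3, 16, 14]
```

Because an EN only ever talks to its parent CN and CNs form a full mesh, the path length is bounded by the topology rather than by a TTL: the worst case is EN to parent CN, CN to the destination's parent CN, and CN to destination EN, which is the 3-relay maximum the slides state.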
ELA ~Implementation~
Structure of modules
This figure shows the structure of the ELA modules. ELA includes 8 modules: Constructing Topology, Routing Table, Routing, Message, Capsulating, Sending and Receiving at the user layer, and the Network Pseudo Device at the kernel layer.
- Send path: the application sends an IP packet -> Network Pseudo Device -> Capsulating (sends the capsulated IP packet) -> Routing (searches the Routing Table) -> Sending.
- Receive path: Receiving (receives a capsulated IP packet) -> "Is it to me?" If yes: Capsulating -> Network Pseudo Device -> the application receives the data. If no: Routing -> Sending.
- Messages are passed to Constructing Topology, which updates the Routing Table.

When sending data
1. Application: sends data.
2. Network Pseudo Device: gets the IP packet.
3. Capsulating Module: capsulates it.
4. Routing Module: searches for the node to relay to.
5. Sending Module: relays it to the other node.

When relaying data
1. Receiving Module: receives data that is not addressed to this node.
2. Routing Module: searches for the node to relay to.
3. Sending Module: relays it to the other node.

When receiving data
1. Receiving Module: receives data that is addressed to this node.
2. Capsulating Module: decapsulates it.
3. Network Pseudo Device: passes the data up to the application.
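The three flows above, and the Capsulating Module's job of adding ELA's own header and encrypting the payload, as an added illustrative example that is not ELA's wire format or code. The header layout (magic, source ID, destination ID, relays-left counter, nonce), the enforcement of the 3-relay maximum in the header, and the stdlib-only HMAC-SHA256 counter-mode cipher with encrypt-then-MAC are all assumptions made for this example; a deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305. The point it shows is the one a relaying node must satisfy: it forwards on the header alone and never needs the key, so an intermediate node cannot read the payload, and the only field it may change (the relay counter) is excluded from the tag.

```python
import hashlib
import hmac
import os
import struct

# Constructed header for this example: magic(2) src(1) dst(1) relays_left(1) nonce(12).
HDR = struct.Struct("!2sBBB12s")
MAGIC = b"EL"
MAX_RELAY = 3      # the design's hard limit: EN -> CN -> CN -> EN
TAG_LEN = 32       # HMAC-SHA256 tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter), truncated to length.
    Illustrative stdlib-only stream cipher; the nonce must be unique per key."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _tag(key: bytes, hdr: bytes, ct: bytes) -> bytes:
    # relays_left (byte 4) is changed by every relay, so it is excluded from the MAC,
    # like the mutable fields of an IP header under IPsec AH. Everything else is covered.
    immutable = hdr[:4] + hdr[5:]
    return hmac.new(key, immutable + ct, hashlib.sha256).digest()


def encapsulate(key: bytes, src: int, dst: int, ip_packet: bytes) -> bytes:
    """Sender side (Capsulating Module): add ELA header, encrypt payload, append tag."""
    nonce = os.urandom(12)
    hdr = HDR.pack(MAGIC, src, dst, MAX_RELAY, nonce)
    ct = bytes(p ^ k for p, k in zip(ip_packet, _keystream(key, nonce, len(ip_packet))))
    return hdr + ct + _tag(key, hdr, ct)


def relay(packet: bytes):
    """Relaying node (Receiving -> Routing -> Sending): uses only the header, never the key.
    Returns (dst_id, forwarded_packet), or None when the relay budget is exhausted."""
    magic, _src, dst, relays_left, _nonce = HDR.unpack_from(packet)
    if magic != MAGIC or relays_left == 0:
        return None
    fwd = bytearray(packet)
    fwd[4] = relays_left - 1
    return dst, bytes(fwd)


def decapsulate(key: bytes, packet: bytes):
    """Receiver side: verify the tag in constant time, then decrypt.
    Raises ValueError if the packet was tampered with in flight."""
    hdr, body = packet[:HDR.size], packet[HDR.size:]
    ct, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, hdr, ct)):
        raise ValueError("bad tag")
    _magic, src, dst, _relays_left, nonce = HDR.unpack(hdr)
    return src, dst, bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    key = os.urandom(32)                       # constructed shared key
    pkt = encapsulate(key, 27, 14, b"\x45\x00\x00\x28" + bytes(36))   # constructed IP packet
    for hop in range(MAX_RELAY):               # 27 -> 3 -> 16 -> 14
        _dst, pkt = relay(pkt)
    print(relay(pkt) is None)                  # True: a fourth relay is refused
    print(decapsulate(key, pkt)[:2])           # (27, 14)
```

The test of the design is the fourth relay: with the counter at zero the packet is dropped rather than looped, and because the counter is outside the tag the receiver still accepts the packet after three legitimate decrements, while any change to the encrypted payload or to the source and destination IDs fails verification.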
Prototype Implementation
Environment: Red Hat Linux 7.2 (kernel 2.4.18).
Implementation method: C language. The NPD is implemented at the kernel layer; the other modules are implemented at the user layer.

Implemented Modules
Finished: NPD, Capsulating Module, Sending Module, Receiving Module. We have implemented only these modules so far.

ELA ~Evaluation~

Evaluation
Qualitative evaluation: how easy is it to construct a VPN between many user nodes?
Quantitative evaluation: the overhead of ELA, and the relation between relay count and delay.
Qualitative Evaluation Comparing with … Point-to-Point VPN Client/Server VPN
Qualitative Evaluation
Compared systems: Point-to-Point VPN, Client/Server VPN, ELA.
Criteria: cost (○ ×), saving work of users (△), automatic selection of tunneling protocol, many nodes.
This table shows the result of the qualitative evaluation: ELA is most suitable when many nodes construct a VPN with each other.

Quantitative Evaluation: Environment
Constructed on VMware on a PC (CPU Pentium 4 EE 3.6 GHz, memory 2.0 GB). Host OS: Windows XP (SP1). Guest OS: Knoppix 3.1 for VMware.
Nodes on the ELA-VPN: two core nodes, ① and ②, with ELA-VPN addresses 10.0.0.1 and 10.0.0.2 (physical addresses 192.168.88.128 and 192.168.88.132), connected to each other with UDP; two edge nodes, ③ (10.0.0.3, 192.168.88.133) and ④ (10.0.0.4, 192.168.88.134), each connected to a core node with TCP.

Overhead of ELA
To evaluate the overhead of ELA, we measured RTT using ping in three cases:
1. No ELA (① <-> ②).
2. ELA, tunneling protocol UDP (① <-> ②).
3. ELA, tunneling protocol TCP (① <-> ③).

Result of Overhead of ELA
There is overhead from ELA, and the overhead is larger with TCP than with UDP.
(Speaker note: explain why there is overhead; re-showing the module diagram is one option.)

Relation between relay count and delay
We measured RTT using ping with 1 relay (③ <-> ①), 2 relays (③ <-> ① <-> ②) and 3 relays (③ <-> ① <-> ② <-> ④). There is no case with 4 or more relays: the topology never relays more than 3 times.

Result: relay count and delay
More relays mean more delay, but the added delay is small.
Related Work
Related Work
IVGMP (Internet VPN Group Management Protocol): one VPN system. Every node connects to the others with IPsec, and a VNOC provides the policy. There is no mention of the details of the VNOC or of the topology.
Future Works and Conclusion
Future Works
Implementation: the Constructing Topology Module and the Routing Module.
Evaluation: use ELA in an actual environment; how scalable and how robust is it?
Improvement of design: support QoS; improve scalability.

Conclusion
Proposal of ELA, whose purpose is to construct a secure base.
Design: ELA constructs a VPN over a P2P network.
Evaluation: ELA is most suitable when constructing a VPN between many user nodes, and its overhead is small.
Thank you. Thank you for your kind attention!
Topology Construction Module
- Forms and maintains the P2P network.
- Handles node joining (authentication, IP address assignment, etc.).
- Updates the routing table as nodes join and leave.

Routing Module
- Core node: decides where to forward the data by consulting the routing table.
- Edge node: always forwards to its parent core node.

NPD (Network Pseudo Device)
- A virtual network device, used when an application communicates with a node on the ELA-VPN.
- Is assigned the IP address and netmask on the ELA-VPN.

Capsulating Module
- On sending: encapsulates the IP packet (adds ELA's own header and encrypts the payload).
- On receiving: the reverse.

Sending Module
- Sends the data according to the routing table's instruction.

Receiving Module
- Receives data from other nodes.
- Messages: passed to the Topology Construction Module.
- IP packets addressed to this node: passed to the Capsulating Module.

Related Work (2)
IPv6 P2P VPN System, developed by DIT Co., Ltd.: a VPN using IPv6 IPsec with end-to-end communication. Management becomes complicated, and IPv6 deployment is required.

VPN
What is a VPN? An architecture to construct a virtual private connection across a public network.
Classification: Site-to-Site VPN (the usual kind); Overlay VPN.

What is a Site-to-Site VPN?
Used to replace a dedicated line. Tunneling protocol: IPsec (tunnel).

Existing VPN Systems
Classification by how they are operated: Point-to-Point VPN; Client/Server VPN.

Point-to-Point VPN: Topology Problem
1-to-1: if there are many user nodes, users must construct many VPNs.
(Figure: company, branch and home LANs joined pairwise by VPNs over the Internet, with a node outside.)