Robust Mixing for Structured Overlay Networks Christian Scheideler Institut für Informatik Technische Universität München

Motivation Peer-to-peer systems have attracted a lot of attention in recent years Many scientific peer-to-peer systems use overlay networks based on virtual space

Motivation V: set of peers, U: virtual space Each v 2 V mapped to region R(v) ½ U Family F of functions f:U ! U {v,w} edge, [F(R(v)) Å R(w)] [ [F(R(w)) Å R(v)] = ;

Example Let U=[0,1). Region selection: [Karger et al. 97] - nodes v 2 V ! random points x v 2 U - R(v) = [x v, succ(x v )) (regions form partition of U) Family F of functions: [Naor & Wieder 03] - f 0 : x ! x/2 - f 1 : x ! (x+1)/2 01 R 01 f0f0 f1f1

Scalability and Robustness Scalability: Network has (poly-)logarithmic diameter Peers have (poly-)logarithmic degree Robustness: Network can handle large fraction of adversarial peers (i.e. honest peers form single connected component) ! join-leave attacks

Join-Leave Model n honest peers  n adversarial peers,  <1 Operations: Join(v): peer v joins the system Leave(v): peer v leaves the system Goal: maintain scalability and robustness for any sequence of polynomially many adversarial rejoin (leave+join) requests

More specific goal n honest peers,  n adversarial peers U=[0,1), region selection via Karger et al. ( R(v) = [x v, succ(x v )) ) For any interval I ½ [0,1) of size (c log n)/n: Balancing condition:  (log n) peers in I Majority condition: honest peers in majority

How to satisfy conditions? Chord: uses cryptographic hash function to map peers to points in [0,1) randomly distributes honest peers does not randomly distribute adversarial peers

How to satisfy conditions? CAN: map peers to random points in [0,1)

How to satisfy conditions? Group spreading [AS04]: Map peers to random points in [0,1) Limit lifetime of peers Too expensive!

How to satisfy conditions? Rule that works: k-cuckoo rule evict k/n-region n honest  n adversarial   < 1-1/k Rejoin: leave and join via k-cuckoo rule

Analysis of k-cuckoo rule k-region: region of size k/n starting at integer multiple of k/n R: fixed set of c log n consec. k-regions New node: not yet replaced after joining  >0: small constant Lemma: R has at most c log n new nodes. Lemma: Sum of ages of k-regions in R in (1 §  ) (c log n)n/k, w.h.p.

Analyis of k-cuckoo rule R: fixed set of c log n consecutive k-regions T=(  /  )log 3 n  >0: small constant Lemma: In any time interval of size T, (1§  )kT honest nodes and (1§  )  kT adv. nodes evicted, w.h.p. Lemma: R has (1§  )(c log n)k old honest and <(1+  )(c log n)  k old adv. nodes, w.h.p.

Analysis of k-cuckoo rule # honest nodes in R: >(1-  )(c log n)k # adversarial nodes in R: <(1+  )(c log n)  k + (c log n) Theorem: When using the k-cuckoo rule with  <1-1/k, the balancing and majority conditions are satisfied for poly many adversarial rejoin requests, w.h.p.

Limitation of k-cuckoo rule Only works for any sequence of rejoin requests of adversarial peers. Does not work for any sequence of rejoin requests. Example: adversary orders all peers in a region of size O(log n / n) to leave

k-flip&evict rule Join: as before (k-cuckoo rule) Leave: choose random k-region among c log n neighboring k-regions, flip it with random k region n honest  n adversarial flip

k-flip&evict rule Leave: why flip neighboring k-region??? Any k-region: O(log n)-region may lose too many peers O(log n)-region k-region

k-flip&evict rule Leave: why flip neighboring k-region??? k-region of leaving peer: k-regions in O(log n)-region may become too young Age distribution: O(log n) attempts to replace k-region with k-region of age O(n/log n) # O(log n)-regions age

k-flip&evict rule Leave: why flip neighboring k-region??? Focus on region R of c log n k-regions At most c log n new nodes in R <(1+  )c log n nodes left k-regions before they joined R, w.h.p. <(1+  )c log n nodes left k-regions after they joined R, w.h.p. Total age of k-regions > (1-  )(c log n)(n/k)

Analysis of k-flip&evict rule # honest nodes in R: >(1-  )(c log n)k – (1+  )(c log n)2 # adversarial nodes in R: <(1+  )(c log n)  k + (c log n) Theorem: When using the k-flip&evict rule with  <1-3/k, the balancing and majority conditions are satisfied for poly many rejoin requests, w.h.p.

Conclusion Light-weight perturbation rules against join-leave attacks possible Recent paper at SPAA 06 Problems in real world: DoS-attacks, random number generation RNG: to appear at OPODIS 06 DoS: ???

Questions?