ELA: A Fully Distributed VPN over P2P Network Sadanori Aoyagi, Makoto Takizawa, Masato Saito, Hiroto Aida, and Hideyuki Tokuda Keio University, Japan
Outline ﻪVirtual Private Network (VPN) ﻪELA ﻩAbstract ﻩDesign and Implementation ﻩEvaluation of ELA ﻪRelated Work ﻪFuture Works and Conclusion
Background
VPN ﻪWhat ’ s VPN. ﻩAn architecture to construct a virtual private connection across a public network. ﻪClassification by ﻩSite-to-Site VPN (usual) ﻩOverlay VPN
What ’ s Site-to-Site VPN ﻪWhat ’ s Site-to-Site VPN ﻩUsed for replace dedicated line. Tunnel
LAN LAN 2LAN 3 LAN 4 LAN 1 Overlay VPN ﻪWhat ’ s overlay VPN. ﻩConstructing VPN over overlay network. ﻩOverlay VPN is independent from existing network. 論理的に 等価 The Internet
Overlay VPN ﻪTopology ﻩClient/Server ﻪProblem ﻩRequire server ﻯCost, single point of failure, bottleneck. LAN The Internet LAN VPN The Internet VPN Company Branches Company Outside
The Issue ﻪCan we satisfy both of the following issues? 1.To secure connection between nodes directly. 2.Easy setting if there are many applications.
Proposal ﻪSystem that constructs a secure base between user nodes extemporarily. ﻪELA (Everywhere Local Area network)
ELA ~ Abstract ~
Abstract of ELA ﻪPurpose ﻩTo construct a secure base between user nodes ﻪMethod ﻩELA constructs an overlay VPN between user nodes extemporarily. VPN The Internet
Example of the Utility ﻪUse applications that user nodes connect each other directly ﻩInstant Messenger, Video Chat ﻪUse applications for LAN ﻩGroupware ﻩWindows Network, NFS ﻩSome network games ﻪAssumption ﻩAll user of nodes are acquaintance ﻩUnder 30 nodes.
The reason ELA constructs Overlay VPN ﻪThere are 3 reasons. ﻩNo modification of existing applications. ﻩLittle risk of security. ﻩIndependent network from unknown users.
Protocol Issue ﻪTransport Protocol used by VPN ﻩNodes in NAT connects other node with TCP easily. ﻩUDP is more simple protocol than TCP. ProtocolMeritDemerit TCPNode in NAT connects other node easily TCP over TCP UDPSimple and FastRequirement of port forward setting in NAT
Remarkable Points of ELA ﻪNetwork of ELA ﻩOverlay VPN ﻩP2P Topology ﻯ↑ ELA creates automatically. ﻪTunneling Protocol ﻩUse 2 protocols as a restrict of network. ﻯUDP if there is no restrict by NAT or firewall. ﻯTCP if node cannot use UDP.
ELA ~ Design ~
Image of ELA ﻪELA constructs a virtual network. ELA-VPN ↑Define this as ELA-VPN
Position of ELA ﻪELA relays a data over ELA-VPN ﻩUsers can use application like in LAN. ﻩELA replays a data via other node if necessary ELA Application The Internet ELA Data flow by ELA
Example of how ELA is used 1.Starting ELA ﻩType “ ela ”, and ELA requires user authorization. ﻩ “ ela0 ” network interface is created. 2.Communication using IP address of ELA-VPN ﻪFor example, a node uses samba and fetches the PDF file from other node. # smbclient \\\\ \\home -U sada Smb: \> get thesis.pdf # ela # ifconfig ela0 ela0 Link encap:Point-to-Point Protocol inet addr: P-t-P: Mask: UP POINTOPOINT RUNNING NOARP MTU:1400 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Step 1Step 2
Sequence of Start inside ELA 1.Preparation 2.Constructing ELA-VPN 3.Using ELA-VPN
1. Preparation 1.Look up other node. ELA doesn ’ t have this future. Look up other node of ELA-VPN by using WWW or 2.User Authentication Nodes of ELA-VPN share list of users. Nodes authenticate a new node with list of users.
1. Preparation 3.ELA assigns private IP address on ELA - VPN. New node can use IP address not used by the other nodes. 4.ELA classifies into 2 types. Core node (CN) : The node can send and receive a data with UDP. The node can be connected from other nodes with TCP. Edge node (EN) : Except CN. The node can connect to other nodes with TCP.
2. Constructing ELA-VPN ﻪClockwise rotation by ID ﻩID = hash(IP address) ﻪCN: ﻩInside of P2P network. ﻩCNs make full mesh topology, and connects each other with UDP. ﻪEN: ﻩOutside of P2P network. ﻩEach EN connects to CN whose ID is next of the EN.
3. Connection Over ELA-VPN ﻪAll core nodes share the routing table. ﻩKey: ID ﻩValue: ﻯIf CN, IP address on the Internet. ﻯIf EN, IP address on the Internet of Core Node that EN connects to.
Example of Relay ﻪNode 27→14 ﻩNode 27 : relay to 3 ﻩNode 3:search from routing table → relay to 16 ﻩNode 16: relay to 14 ﻪNumber of maximum relay is 3.
Required Futures ﻪConstructing P2P network ﻩConstructing topology ﻩRouting ﻪUsing as VPN ﻩNetwork Pseudo Device ﻩCapsulating ﻩSending, Receiving
ELA ~ Implementation ~
Structure of modules Send Message Message Search Update Is to me? NO YES Constructing Topology SendingRecieving Routing Table Routing Network Pseudo Device Capsulating Send IP packetReceiving IP packet Send Capsulated IP packet Receive Capsulated IP packet Recive data Application User layer Kernel layer ELA
When sending a data ﻪApplication ﻩSending a data ﻪNetwork Pseudo Device ﻩGetting an IP packet. ﻪCapsulating Module ﻩCapsulating ﻪRouting Module ﻩSearching the node to relay ﻪSending Module ﻩRelaying to other node.
When relaying a data ﻪReceiving Module ﻩReceiving a data which is not to me. ﻪRouting Module ﻩSearching the node to relay ﻪSending Module ﻩRelaying to other node.
When receiving a data ﻪReceiving Module ﻩReceiving a data which is to me ﻪCapsulating Module ﻩEncapsulating ﻪNetwork Pseudo Device ﻪApplication ﻩGetting a data
Proto-type Implementation ﻪEnvironment ﻩRed Hat Linux 7.2 (Kernel ) ﻪImplementation Method ﻩC Language ﻩNPD is implemented at Kernel layer ﻩThe others are implemented at User layers
Implemented Modules ﻪFinished ﻩNPD, Capsulating Module, Sending Module, Receiving Module
ELA ~ Evaluation ~
Evaluation ﻪQualitative Evaluation ﻩHow easy to construct between many user nodes? ﻪQuantitative Evaluation ﻩOverhead of ELA ﻩRelation between relay count and delay
Qualiative Evaluation ﻪComparing with … ﻩPoint-to-Point VPN ﻩClient/Server VPN
Qualiative Evaluation ﻪELA is most suitable when many nodes construct VPN each other! Point-to-Point 型 Client/Server 型 ELA Cost ○ × ○ Saving work of users △ ○ △ Automatic selection of Tunneling Protocol ×× ○ Many nodes × ○○
VMware Quantitive Evaluation ﻪEvaluation Environment ﻩConstructin on VMware ﻯPC (CPU Pentium4 EE 3.6GHz, Memory 2.0GB) ﻩHost OS: Windows XP (SP1) ﻩGuest OS: Knoppix 3.1 for VMware ELA-VPN CN CN EN EN TCP UDP ①② ④③ ①② ④③
VMware Overhead of ELA ﻪMeasuring RTT by using Ping 1.No ELA (①⇔②) 2.ELA, tunneling protocol is UDP (①⇔②) 3.ELA, tunneling protocol is TCP (①⇔③) ELA-VPN CN EN UDP TCP ①② ④③ ①② ④③ 12 3
Result of Overhead of ELA ﻪThere is overhead by ELA. ﻪThere is more overhead when TCP than when UDP.
VMware Relation between relay count and delay ﻪMesuaring RTT by using ping ﻩ1 relay (③⇔①) ﻩ2 relays (③⇔① ⇔② ) ﻩ3 relays (③⇔① ⇔② ⇔④) ﻩ ※ There is no case of more than 4 relays. ELA-VPN CN EN UDP TCP ①② ④③ 2 1 3 CN
Result of between relay count and delay ﻪMore relay counts, more delay. ﻪBut they are a little delay.
Related Work
ﻪIVGMP (Internet VPN Group Management Protocol) ﻩOne VPN System ﻩEvery nodes connects to other with IPSec. ﻩVNOC provides a policy. ﻩNo mention to detail of VNOC and topology.
Future Works and Conclusion
Future Works ﻪImplementation ﻩConstructing Topology Module ﻩRouting Module ﻪEvaluation ﻩUse ELA at an actual environment ﻯHow scalable? How robust? ﻪImprovement of Design ﻩSupports QoS, Improvement of scalability.
Conclusion ﻪProposal of ELA ﻩPurpose is to construct secure base. ﻪDesign ﻩELA constructs VPN over P2P network. ﻪEvaluation ﻩELA is most suitable when constructing VPN between many user nodes. ﻩOverhead is little
Thank you. ﻪThank you for your kind attention!
トポロジ構築モジュール ﻪP2P ネットワークの形成&維持 ﻩ ノードの参加処理(認証、 IP アドレス割当 など) ﻩ ノードの種類に基づく P2P ネットワークの 形成 ﻩ ノードの参加・離脱に応じてルーティング テーブルを更新
ルーティングモジュール ﻪ コアノードの場合 ﻩ 通信内容の転送先を、ルーティングテーブルを参 照して決定 ﻪ エッジノードの場合 ﻩ 常に親のコアノードに転送指示
NPD (Network Pseudo Device) ﻪ 仮想ネットワークデバイス ﻩ アプリケーションが ELA-VPN 上のノード と通信する際に利用 ﻩELA-VPN における IP アドレスやネットマス クを割当て
カプセリングモジュール ﻪ 送信時 ﻩIP パケットのカプセリング( ELA 独自のヘッダの 付加、ペイロードの暗号化) ﻪ 受信時 ﻩIP パケットのカプセリング除去
送信モジュール ﻪ ルーティングテーブルの指示に従い、 データを送信
受信モジュール ﻪ 他ノードからデータを受信 ﻩ メッセージ:トポロジ構築モジュールへ ﻩ 自分宛の IP パケット:カプセリングモジュールへ ﻩ 他ノード宛の IP パケット:ルーティングモジュー ルへ
Related work (2) ﻪIPv6 P2P VPN システム ﻩ 株式会社 DIT が開発 ﻩIPv6 の IPsec を用いた VPN ﻩEnd-to-End の通信 ﻯ 管理が煩雑化 ﻩIPv6 の導入が必要