1
On Proxy Server based Multipath Connections (PSMC)
PhD Proposal
Yu Cai
10/2003
University of Colorado at Colorado Springs
2
Presentation outline
- Introduction
- Related work
- Algorithms for PSMC proxy server selection.
- Protocols for PSMC packets handling.
- PSMC applications
- Security issues of PSMC.
- Conclusion
3
Introduction
Single path connection vs. multipath connections
- The connections between two network nodes are mostly single path connections in today’s network environment.
- Multipath connections provide potentially multiple paths between network nodes, so that the traffic from a source can be spread over multiple paths and transmitted in parallel through the network.
4
The benefits of multipath connections
- Utilize the network resources more efficiently,
- Improve the effective bandwidth of network nodes,
- Increase the packet delivery reliability,
- Provide quality-of-service guarantee,
- Cope well with network congestion, link breakage and burst traffic.
5
Related works on multipath connections
- The IBM Systems Network Architecture (SNA) network in 1974.
- N. F. Maxemchuk in 1975 (dispersity routing). The research was extended to virtual circuit networks and ATM networks.
- Categories of multipath connections based on the OSI 7-layer network model:
  1. Physical layer: one example is multipath interference, which causes FM radio to sound staticky.
  2. Data link layer: Link Aggregation, defined in IEEE 802.3ad.
6
Related works on multipath connections
  3. Network layer: has been studied extensively as multipath routing.
     a. Wired network: Table-driven routing (link state or distance vector), Source Routing, MultiProtocol Label Switching (MPLS).
     b. Wireless ad hoc network: Table-driven routing (link state or distance vector), Source Routing.
  4. Transport layer: Linux multipath connections for multiple ISP connections.
7
Proxy Server based Multipath Connections (PSMC)
- We propose to study proxy server based multipath connections (PSMC). It is a cross-layer implementation.
- The key ideas of PSMC are as follows:
  - By using a set of connection relay proxy servers, we could set up indirect routes via the proxy servers, and transport packets over the network through the indirect routes.
  - By enhancing existing TCP/IP protocols, we could efficiently distribute and reassemble packets among multiple paths at two end nodes, and increase end-to-end TCP throughput.
- The approach offers applications the ability to increase the network performance, efficiency, stability, availability and security.
8
PSMC diagram
9
Why PSMC
- PSMC has the same advantages as other multipath connection approaches.
- Flexibility: PSMC can be more conveniently and adaptively deployed in various network environments. PSMC does not require changes to the physical network infrastructure, but only feasible changes to network software and protocols. PSMC also gives the end users more control over setting up multipath connections.
- Compatibility: PSMC utilizes existing TCP/IP protocols and network infrastructure. This ensures compatibility with the current Internet. It also ensures performance, efficiency and reliability, and hides the complexity from end users.
- Applications: A large number of applications in various categories could benefit from utilizing PSMC. For example, secure collective defense network (SCOLD), providing additional bandwidth based on operational requirements, or providing QoS for video streaming.
10
Three components in PSMC
- The multipath sender is responsible for efficiently and adaptively distributing packets over the selected multiple paths. Some of the packets will go through the normal direct route; other packets will go through the indirect routes via the proxy servers.
- The intermediate connection relay proxy servers examine the incoming packets and forward them to the destinations through the selected path.
- The multipath receiver collects the packets that arrive from multiple paths, reassembles them in order and delivers them to the user.
11
Algorithms for PSMC
- Proxy server selection is a critical part of PSMC. Different proxy server selections result in different performance.
- We have developed heuristic algorithms to choose the best mirror sites for parallel download from multiple mirror sites, which can be viewed as a subproblem of PSMC.
12
Server Location Problem
- We need to solve the following two proxy server selection problems.
  1) Server Selection Problem. Given the target server location and a set of proxy servers, choose the best proxy server(s) for a client or for a group of clients, to achieve the best performance in terms of bandwidth.
  2) Server Placement Problem. Given the target server location and a set of nodes, choose the best node(s) to place the proxy servers, for certain connection requirements, such as maximizing the network aggregated bandwidth.
- Likely NP problems. Approaches: heuristic algorithms, or loosening the optimality constraints to simplify the problem.
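A small instance of the Server Selection Problem above, as an added example that is not part of the original presentation. It compares a greedy heuristic with exhaustive search; the host names, bandwidth figures and the objective (each client uses its best chosen proxy, and an indirect route is limited by its slower leg) are assumptions.

```python
# Added illustration, not from the presentation; host names, bandwidth figures
# (Mbit/s) and the objective function are assumptions made for this example.
from itertools import combinations

C2P = {  # constructed client -> proxy bandwidth
    "a": {"P1": 9, "P2": 10, "P3": 1},
    "b": {"P1": 9, "P2": 10, "P3": 1},
    "c": {"P1": 9, "P2": 1, "P3": 10},
    "d": {"P1": 9, "P2": 1, "P3": 10},
}
P2T = {"P1": 6, "P2": 20, "P3": 20}  # constructed proxy -> target bandwidth

def path_bw(client, proxy):
    # An indirect route is only as fast as its slower leg.
    return min(C2P[client][proxy], P2T[proxy])

def aggregate_bw(chosen):
    # Each client uses the best indirect route among the chosen proxies.
    return sum(max((path_bw(c, p) for p in chosen), default=0) for c in C2P)

def greedy_select(k):
    # Heuristic: repeatedly add the proxy with the largest marginal gain.
    chosen = []
    for _ in range(min(k, len(P2T))):
        candidates = [p for p in P2T if p not in chosen]
        best = max(candidates, key=lambda p: aggregate_bw(chosen + [p]))
        chosen.append(best)
    return chosen, aggregate_bw(chosen)

def exhaustive_select(k):
    # Optimal answer by trying every k-subset; only feasible for tiny inputs.
    best = max(combinations(P2T, k), key=aggregate_bw)
    return list(best), aggregate_bw(best)

if __name__ == "__main__":
    print("greedy    :", greedy_select(2))
    print("exhaustive:", exhaustive_select(2))
```

On this constructed input the greedy choice commits to P1 first and ends below the exhaustive optimum, which is the trade-off a heuristic accepts in exchange for avoiding the combinatorial search.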
13
Diagram of server selection/placement problem
[Diagrams: server selection problem; server placement problem]
14
Related work on algorithms
- The mirror server and web cache server selection problem has been studied in recent years.
- Two types of approaches:
  1) Formal approach: based on graph theory. Common assumptions for obtaining the network graph are: a) network topology known in advance, b) path cost known in advance, c) single and static connection. Algorithms include: a) random algorithm, b) greedy algorithm, c) tree-based algorithm, d) k-min algorithm.
  2) Practical approach: no assumptions, for the real world. a) IDMap, b) Client clustering.
15
Why PSMC algorithms?
- Even though there are various server selection algorithms and approaches, ad hoc selection is still the main approach used in practice.
- Existing server selection algorithms only study the cases of mirror servers and cache servers. But the proxy servers in PSMC have several unique characteristics, which will result in different optimization constraints and optimization goals.
- Further study on algorithms needs to be done.
16
PSMC Protocols: packets handling
- Protocols need to be designed to distribute, reassemble and transmit packets.
- Packet distribution and reassembly: add a thin layer between TCP/UDP and IP. Linux kernel enhancement. Linux Virtual Server packet handling. ATCP packet handling.
- Why add a thin layer?
  a) Utilize existing TCP/IP protocols, particularly the packet re-sequencing and re-sending mechanisms.
  b) Hide the complexity of multipath connections from upper layer users.
  c) Maintain high end-to-end TCP throughput.
17
PSMC Protocols: packet transmission
- Packet transmission: after investigating various approaches, like SOCKS proxy server and Zebedee, we propose to use IP Tunnel or IPSec to enable indirect routes via proxy servers.
- IP Tunneling is well developed and widely available. It is a layer 2 protocol, transparent to higher layers. IP Tunneling performance is acceptable.
- Tunneling protocol enhancements for PSMC, such as tunnel handshake, host authentication and security mechanisms. VPN tunneling protocols.
18
Special issues on PSMC Protocols
- Two special issues for PSMC protocols:
  - Fail-over, packet resend and packet re-sequencing mechanisms when packets are lost or connections are broken.
  - Sticky-connection mechanism when packets need to be sent through a particular route, like HTTP keep-alive.
- Inside a corporate environment, alternate solutions for setting up multipath connections include:
  - Modify the routing table in the router
  - MPLS
  - Source routing
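A toy model of the multipath sender and receiver from the "Three components in PSMC" slide, together with the fail-over, resend and re-sequencing behaviour listed above, as an added example that is not part of the original presentation. The path names, the 2:1:1 weights, the weighted round-robin scheduler and the in-memory network are assumptions.

```python
# Added illustration, not from the presentation; names and weights are assumed.
class MultipathSender:
    def __init__(self, weights):
        self.weights = dict(weights)            # path -> relative traffic share
        self.credit = {p: 0 for p in weights}
        self.unacked = {}                       # seq -> (path, payload)
        self.next_seq = 0

    def pick_path(self):
        # Smooth weighted round-robin over the paths that are still up.
        for path, weight in self.weights.items():
            self.credit[path] += weight
        best = max(self.credit, key=self.credit.get)
        self.credit[best] -= sum(self.weights.values())
        return best

    def send(self, payload):
        seq, path = self.next_seq, self.pick_path()
        self.next_seq += 1
        self.unacked[seq] = (path, payload)
        return path, seq, payload

    def ack(self, seq):
        self.unacked.pop(seq, None)

    def fail_path(self, dead):
        # Fail-over: retire the broken path, resend what it never delivered.
        del self.weights[dead], self.credit[dead]
        resent = []
        for seq, (path, payload) in sorted(self.unacked.items()):
            if path == dead:
                self.unacked[seq] = (self.pick_path(), payload)
                resent.append((self.unacked[seq][0], seq, payload))
        return resent

class MultipathReceiver:
    def __init__(self):
        self.expected, self.pending, self.delivered = 0, {}, []

    def receive(self, seq, payload):
        if seq >= self.expected:                # ignore duplicates from resends
            self.pending[seq] = payload
        while self.expected in self.pending:    # release the in-order prefix
            self.delivered.append(self.pending.pop(self.expected))
            self.expected += 1

def run_demo():
    sender = MultipathSender({"direct": 2, "proxy1": 1, "proxy2": 1})
    receiver = MultipathReceiver()
    sent = [sender.send(f"pkt{i}") for i in range(8)]
    def deliver(packets):
        for _, seq, payload in packets:
            receiver.receive(seq, payload)
            sender.ack(seq)
    # Constructed network: direct arrives first, proxy1 later, proxy2 is down.
    deliver(p for name in ("direct", "proxy1") for p in sent if p[0] == name)
    resent = sender.fail_path("proxy2")
    deliver(resent)
    return [p for p, _, _ in sent], [p for p, _, _ in resent], receiver.delivered
```

`run_demo()` returns the path chosen for each packet, the paths used for the resends after proxy2 fails, and the payloads in the order the receiver released them.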
19
PSMC prototypes and applications
- Secure Collective Defense (SCOLD) network. SCOLD tolerates DDoS attacks through indirect routes via proxy servers, and improves network performance by spreading packets through multiple indirect routes. SCOLD incorporates various cyber security techniques, like secure DNS update, Autonomous Anti-DDoS network, and IDIP protocols.
- We have finished the prototype of the SCOLD system. We plan to enhance SCOLD for better scalability, reliability, performance and security.
20
Intrusion defense mechanism
- Intrusion Prevention
  - General Security Policy
  - Ingress/Egress Filtering
- Intrusion Detection
  - Honey pot
  - Host-based IDS Tripwire
  - Anomaly Detection
  - Misuse Detection
- Intrusion Response
  - Identification/Trace back/Pushback
- Intrusion Tolerance: SCOLD
21
SCOLD: victim under DDoS attacks
[Diagram: victim (target.com) behind main gateway R and alternate gateways R1, R2, R3 ("back door"); clients in A.com, B.com, C.com with DNS servers DNS1, DNS2, DNS3; DDoS attack traffic and client traffic]
- The main gateway R is under attack; we want to inform clients to go through the “back door”: alternate gateways R1-R3.
- We need to hide the IPs of R1-R3, otherwise they are subject to potential attacks too.
- How to inform clients?
- How to hide the IPs of R1-R3?
22
SCOLD: raise alarm (1) and inform clients (2)
1. The IDS on gateway R detects the intrusion and raises an alarm to the Reroute Coordinator.
2. The Coordinator informs clients of the new route: a) inform the clients’ DNS; b) inform the clients’ network proxy server; c) inform the clients directly; d) inform the proxy servers and ask the proxy servers to do (a-c).
[Diagram: victim (target.com), gateways R, R1, R2, R3, clients in A.com, B.com, C.com, DNS1, DNS2, DNS3, Reroute Coordinator, Proxy1; arrows "1: raise alarm" and "2: inform clients"]
23
SCOLD: set up new indirect route (3)
3. Clients set up a new indirect route to the target via proxy servers. Proxy servers: equipped with IDS to defend against attacks; hide the alternate gateways and the reroute coordinator; provide potential multiple paths.
[Diagram: victim (target.com), gateways R, R1, R2, R3, clients in A.com, B.com, C.com, DNS1, DNS2, DNS3, Reroute Coordinator, Proxy1, Proxy2, Proxy3; arrow "3: new route"]
24
SCOLD Testbed
25
Performance of SCOLD
Table 1: Ping Response Time (on 3 hop route)
Columns: No DDoS attack, direct route | DDoS attack, direct route | No DDoS attack, indirect route | DDoS attack, indirect route
Values: 0.49 ms | 225 ms | 0.65 ms
Table 2: SCOLD FTP/HTTP download Test (from client to target)
26
Other PSMC applications
- Other PSMC applications include:
  - PSMC in wireless ad hoc networks: a good test of PSMC’s ability to adapt to a dynamic environment, and of packet resending and re-sequencing.
  - Indirect route upon operational requests: provides additional bandwidth and a backup route based on operational requirements.
  - Providing QoS for video streaming: send different portions of the stream through different paths.
  - Parallel download from multiple mirror sites: server selection algorithm implementation.
27
PSMC applications evaluation
- We will evaluate the overhead of multipath connections, including tunneling overhead, handshake overhead, and packet distribution/reassembly overhead.
- We will evaluate the performance of multipath connections in terms of response time, throughput and bandwidth.
- We will also compare PSMC with other multipath connection approaches, like source routing, or Linux multipath connections.
- We will conduct extensive simulation studies on PSMC applications in virtual networks, real networks, small scale networks and large scale networks.
28
Security issues related to PSMC
- Potential security issues raised by misuse of PSMC: how to control aggressive clients?
- Potential attacks against PSMC: tunneling to death? (similar to ping of death).
- Detect compromised nodes in the PSMC network (through dynamic IP?).
- Study the collective defense mechanism to tie different organizations together with better cooperation and collaboration.
29
Contributions:
- Systematically study the proxy server based multipath connections (PSMC), including
  - Algorithms for server selections,
  - Protocols for packet handling,
  - Applications and prototypes
  - Security issues.
30
Conclusion
- PSMC offers applications the ability to increase the network performance, efficiency, stability, availability and security.
- In addition, PSMC offers more flexibility, compatibility and usability than other types of multipath connections.
- Study on PSMC could have a broader impact on today’s Internet topology and security.