High Performance Networking with the SSH Protocol Chris Rapier Vancouver Joint Techs July 19, 2005.

1  High Performance Networking with the SSH Protocol
Chris Rapier, rapier@psc.edu
Vancouver Joint Techs, July 19, 2005

2  Pittsburgh Supercomputing Center: Defining the Problem
Transferring data over insecure networks requires cryptographically secure authentication
– Recent history has highlighted the need for this. RCP and FTP are no longer viable options.
It should be fast, easy to use, and cheap to install/maintain. Pick two. Sometimes only one.

3  First Solution: GridFTP
Pros
– Cryptographically secure authentication
– High transfer rates for bulk data
Cons
– Difficult to install and maintain
– Key distribution requires additional infrastructure
– Often out of reach of smaller organizations
– Limited distribution

4  Next Solution: Kerberos
Pros
– Relatively widely used protocol
– Familiar interfaces (ftp, web, etc.)
– Fast transfer rates
Cons
– Maintenance and configuration beyond some organizations
– Insecure data transfers

5  Another Solution: SCP/SSH
Pros
– Strong cryptographic security of authentication and data
– Easy to install and maintain
– Ubiquitous
Cons
– Astoundingly slow
– Somewhat less secure than Kerberos or Globus (no signed certs or expiring tokens)

6  Using SCP/SSH Anyway
In spite of its faults, SCP/SSH ends up being the default for most people. This can be a *bad* thing
– Security depends on universal compliance.
– People will ‘drift’ to using the easiest solution.
SSH is the easiest *security* solution, but the speed is frustrating. Some people will, eventually, resort to insecure but fast methods ‘just this once’.
Improve SSH performance and the security environment as a whole is enhanced; we’ll have fast, cheap, secure - pick three.
So why is SSH so slow?

7  The Real Problem With SSH
It is *NOT* the encryption process!
– If it were: faster computers would give faster throughput. Which doesn’t happen. Transfer rates would be constant in local and wide area networks. Which they aren’t.
In fact transfer rates seem dependent on RTT: the farther away, the slower the transfer.
Any time rates are strongly linked to RTT it implies a receive buffer problem.

8  SSH is RWIN Limited
Analysis of the code reveals
– SSH Protocol V2 is multiplexed: multiple channels over one TCP connection
– Must implement a flow control mechanism per channel, essentially the same as the TCP receive window
– This application-level RWIN is effectively set to 64KB.
So the real connection RWIN is MIN(TCP rwin, SSH rwin). Thus TPUT max = 64KB/RTT.

9  Solving the Problem
Use getsockopt() to get the TCP rwin and dynamically set the SSH rwin
– Performed several times throughout the transfer to handle autotuning kernels
Results in 10x to 50x faster throughput, depending on the cipher used, on a well tuned system.
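Added illustration of slides 8 and 9 (editor's code, not from the talk or from HPN-SSH): the MIN(TCP rwin, SSH rwin) window arithmetic and the one-window-per-RTT throughput ceiling, with the kernel's TCP receive buffer read via getsockopt(SO_RCVBUF) standing in for the TCP rwin. The RTT values and the 4 MB fallback buffer are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fixed per-channel window of stock OpenSSH, as stated on slide 8. */
#define SSH_DEFAULT_WINDOW ((uint64_t)64 * 1024)

/* Effective receive window of the connection: MIN(TCP rwin, SSH rwin). */
static uint64_t effective_window(uint64_t tcp_rwin, uint64_t ssh_rwin)
{
    return tcp_rwin < ssh_rwin ? tcp_rwin : ssh_rwin;
}

/* Window-limited throughput ceiling in bytes/second: one window per RTT. */
static double max_throughput_bps(uint64_t window_bytes, double rtt_ms)
{
    return (double)window_bytes * 1000.0 / rtt_ms;
}

/* Ask the kernel for the TCP receive buffer of fd, the value HPN-SSH uses
 * to size its channel window.  Returns 0 if the query fails (e.g. bad fd). */
static uint64_t tcp_rcvbuf(int fd)
{
    int buf = 0;
    socklen_t len = sizeof buf;
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &buf, &len) != 0 || buf <= 0)
        return 0;
    return (uint64_t)buf;
}

int main(void)
{
    /* Constructed RTTs: LAN, regional, and cross-continent paths. */
    const double rtts_ms[] = { 1.0, 20.0, 80.0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    uint64_t tcp_rwin = tcp_rcvbuf(fd);
    if (tcp_rwin == 0)
        tcp_rwin = 4 * 1024 * 1024;  /* constructed fallback if no socket is available */
    for (size_t i = 0; i < sizeof rtts_ms / sizeof rtts_ms[0]; i++) {
        uint64_t stock = effective_window(tcp_rwin, SSH_DEFAULT_WINDOW); /* stock SSH */
        uint64_t hpn   = effective_window(tcp_rwin, tcp_rwin);           /* window = TCP rwin */
        printf("RTT %5.1f ms: stock window %llu B -> %.2f MB/s, HPN window %llu B -> %.2f MB/s\n",
               rtts_ms[i], (unsigned long long)stock, max_throughput_bps(stock, rtts_ms[i]) / 1e6,
               (unsigned long long)hpn, max_throughput_bps(hpn, rtts_ms[i]) / 1e6);
    }
    if (fd >= 0)
        close(fd);
    return 0;
}
```

On Linux the SO_RCVBUF value returned by getsockopt() is the kernel's doubled bookkeeping figure, so treat it as an upper bound rather than the exact usable window.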

10  HPN-SSH v. SSH

11  Advantages
Speed is comparable to GridFTP and Kerberized FTP
No need for separate key infrastructure or realm administration
Provides authentication and data security
Can be used with other applications such as rsync, svn, SFTP, ssh port forwarding & more

12  What’s involved?
Get the source code from www.openssh.org
Get the patch from www.psc.edu
    tar -zxf openssh-3.9p1.tgz
    cd openssh-3.9p1
    patch < openssh-3.9p1-hpn.diff
    ./configure
    make install   (or: make install-nokeys)
Time elapsed: < 5 minutes

13  So what does that get you?
Speed increase in the direction of HPN
– No need to have HPN-SSH on both sides
Can set the TCP rwin on the command line
– To the maximum buffer size allowed by system configuration
None cipher re-enabled
– Using mid-stream cipher switching, authentication is still secure.

14  New SSH Tool - PMVPN
The Poor Man’s VPN
– Use LD_PRELOAD to load a custom library that captures all network open calls. If a call matches a rule, tunnel the connection through SSH
Requires SSH keys to be installed on the remote host
Transparent. Secure. Most things ‘just work’
– Caveat: FTP has to run in passive mode.

15  That’s a Neat Trick
Use PMVPN to secure ‘coffeehouse connections’
– Designate all outgoing connections to use SSH tunnels back to the ‘home’ machine.
– Every packet on the wireless network is now encrypted without WEP or WPA
Always use the same SMTP server
– Connections to SMTP are intercepted and tunneled back to your network.
Use as a secure proxy.
– Web browsing can be effectively anonymized.

16  It’s Not Perfect
FTP must be in passive mode
– Even then it fails if using a redirect
Establishes a new connection each time
– So browsing the web means a new SSH handshake for each new HTTP connection
Other applications may or may not work as expected - we’re still testing
EVEN SO
– It’s easy to use, works reasonably well, and provides security here and now *without* additional infrastructure.

17  Big Picture Ideas
Impact of HPN-SSH work will obscure packet contents
– Multiple apps using port 22, no way to determine which is doing what; payload inspection methods can be easily circumvented.
Overall security of network environments will improve.
– People will *invariably* circumvent security if it’s inconvenient - especially in academic environments. Make the lowest acceptable level of security equivalent to insecure methods in terms of ease of use and performance.
Remember, most people will *not* strictly follow security guidelines unless they are pressured to or it’s easy. So make it easy.

18  Availability
Source: http://www.openssh.org/
Patch: http://www.psc.edu/networking/projects/hpn-ssh/
Other: FreeBSD ports security/hpn-ssh/

19  Thanks! Questions?
Business cards with URL available
