1. ELA: A Fully Distributed VPN over P2P Network Sadanori Aoyagi, Makoto Takizawa, Masato Saito, Hiroto Aida, and Hideyuki Tokuda Keio University, Japan

2. Outline ﻪBackground ﻪELA ﻩAbstract ﻩDesign and Implementation ﻩEvaluation of ELA ﻪRelated Work ﻪFuture Works and Conclusion

3. Background

4. ﻪThe Internet becomes widely used! ﻩNot only for researchers. ﻪThe Internet is used for communication. ﻩMainly connection among a server. ﻯE-mail ﻯInternet discussion board ﻩThe application which uses connections between nodes is appeared. ﻯInstant Messenger ﻯVideo Chat

5. Background ﻪThe application which uses connections between nodes ﻩThere is risks of security. ﻯSuch as Wiretap … ﻩRequest of Users ﻯ “ No risks of security! ” ﻯ “ But setting for security is bother …” Conflicting!

6. The Issue ﻪCan we satisfy both of the following issues? 1.To secure connection between nodes directly. 2.Easy setting if there are many applications.

7. Proposal ﻪSystem that constructs a secure base between user nodes extemporarily. ﻪELA (Everywhere Local Area network)

8. ELA ～ Abstract ～

9. Abstract of ELA ﻪPurpose ﻩTo construct a secure base between user nodes ﻪMethod ﻩELA constructs an overlay VPN between user nodes extemporarily. VPN The Internet

10. Example of the Utility ﻪUse applications that user nodes connect each other directly ﻩInstant Messenger, Video Chat ﻪUse applications for LAN ﻩGroupware ﻩWindows Network, NFS ﻩSome network games ﻪAssumption ﻩAll user of nodes are acquaintance ﻩUnder 30 nodes.

11. VPN ﻪWhat ’ s VPN. ﻩAn architecture to construct a virtual private connection across a public network. ﻪClassification by ﻩSite-to-Site VPN (usual) ﻩOverlay VPN

12. What ’ s Site-to-Site VPN ﻪWhat ’ s Site-to-Site VPN ﻩUsed for replace dedicated line. ﻩTunneling Protocol ： IPsec Tunnel

13. LAN LAN 2LAN 3 LAN 4 LAN 1 Overlay VPN ﻪWhat ’ s overlay VPN. ﻩConstructing VPN over overlay network. ﻩOverlay VPN is independent from existing network. ﻩTunneling Protocol ： TCP 、 UDP 論理的に 等価 The Internet

14. The reason ELA constructs Overlay VPN ﻪThere are 3 reasons. ﻩNo modification of existing applications. ﻩLittle risk of security. ﻩIndependent network from unknown users.

15. Existing VPN Systems ﻪClassification by how to operate. ﻩPoint-to-Point VPN ﻩClient/Server VPN

16. Point-to-Point VPN ﻪTopology ﻩ1-to-1 ﻪProblem ﻩIf there are many user nodes, users must construct many VPNs. LAN The Internet VPN LAN The Internet VPN CompanyBranchHome Outside

17. Client/Server VPN ﻪTopology ﻩ1-to-many ﻪProblem ﻩRequire server ﻯCost, single point of failure, bottleneck. LAN The Internet LAN VPN The Internet VPN Company Branches Company Outside

18. All VPN Systems ﻪVarious Tunnneling Protocol ProtocolMeritDemerit IPSecStandard Protocol of VPN 付加ヘッダが多く、処理が重い NAT 内ではルータの対応が必要 GREUsed for Windows standard VPN system Need to TCPStandard Protocol of many network applications NAT 内からでも利用しやすい TCP over TCP UDPStandard Protocol of many network applications Simple and Fast Requirement of port forward setting in NAT TCP 、 UDP は OS やルータに標準搭載 TCP は NAT 内からの接続容易、 UDP は転送性能高

19. Remarkable Points of ELA ﻪNetwork of ELA ﻩOverlay VPN ﻩP2P Topology ﻯ↑ ELA creates automatically. ﻪTunneling Protocol ﻩUse 2 protocols as a restrict of network. ﻯUDP if there is no restrict by NAT or firewall. ﻯTCP if node cannot use UDP.

20. ELA ～ Design ～

21. Image of ELA ﻪELA constructs a virtual network. ELA-VPN ↑Define this as ELA-VPN

22. Position of ELA ﻪELA relays a data over ELA-VPN ﻩUsers can use application like in LAN. ﻩELA replays a data via other node if necessary ELA Application The Internet ELA Data flow by ELA 10.0.0.110.0.0.210.0.0.3

23. Example of how ELA is used 1.Starting ELA ﻩType “ ela ”, and ELA requires user authorization. ﻩ “ ela0 ” network interface is created. 2.Communication using IP address of ELA-VPN ﻪFor example, a node uses samba and fetches the PDF file from other node. # smbclient \\\\10.0.0.3\\home -U sada Smb: \> get thesis.pdf # ela # ifconfig ela0 ela0 Link encap:Point-to-Point Protocol inet addr:10.0.0.1 P-t-P:10.0.0.1 Mask:255.255.255.0 UP POINTOPOINT RUNNING NOARP MTU:1400 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Step 1Step 2

24. Sequence of Start inside ELA 1.Preparation 2.Constructing ELA-VPN 3.Using ELA-VPN

25. 1. Preparation 1.Look up other node. ELA doesn ’ t have this future. Look up other node of ELA-VPN by using WWW or E-mail 2.User Authentication Nodes of ELA-VPN share list of users. Nodes authenticate a new node with list of users.

26. 1. Preparation 3.ELA assigns private IP address on ELA - VPN. New node can use IP address not used by the other nodes. 4.ELA classifies into 2 types. Core node (CN) ： The node can send and receive a data with UDP. The node can be connected from other nodes with TCP. Edge node (EN) ： Except CN. The node can connect to other nodes with TCP.

27. ２． Constructing ELA-VPN ﻪClockwise rotation by ID ﻩID = hash(IP address) ﻪCN: ﻩInside of P2P network. ﻩCNs make full mesh topology, and connects each other with UDP. ﻪEN: ﻩOutside of P2P network. ﻩEach EN connects to CN whose ID is next of the EN.

28. 3. Connection Over ELA-VPN ﻪAll core nodes share the routing table. ﻩKey: ID ﻩValue: ﻯIf CN, IP address on the Internet. ﻯIf EN, IP address on the Internet of Core Node that EN connects to.

29. Example of Relay ﻪNode 27→14 ﻩNode 27 : relay to 3 ﻩNode 3:search from routing table → relay to 16 ﻩNode 16: relay to 14 ﻪNumber of maximum relay is 3.

30. Required Futures ﻪConstructing P2P network ﻩConstructing topology ﻩRouting ﻪUsing as VPN ﻩNetwork Pseudo Device ﻩCapsulating ﻩSending, Receiving

31. ELA ～ Implementation ～

32. Structure of modules Send Message Message Search Update Is to me? NO YES Constructing Topology SendingRecieving Routing Table Routing Network Pseudo Device Capsulating Send IP packetReceiving IP packet Send Capsulated IP packet Receive Capsulated IP packet Recive data Application User layer Kernel layer ELA

33. When sending a data ﻪApplication ﻩSending a data ﻪNetwork Pseudo Device ﻩGetting an IP packet. ﻪCapsulating Module ﻩCapsulating ﻪRouting Module ﻩSearching the node to relay ﻪSending Module ﻩRelaying to other node.

34. When relaying a data ﻪReceiving Module ﻩReceiving a data which is not to me. ﻪRouting Module ﻩSearching the node to relay ﻪSending Module ﻩRelaying to other node.

35. When receiving a data ﻪReceiving Module ﻩReceiving a data which is to me ﻪCapsulating Module ﻩEncapsulating ﻪNetwork Pseudo Device ﻪApplication ﻩGetting a data

36. Proto-type Implementation ﻪEnvironment ﻩRed Hat Linux 7.2 (Kernel 2.4.18) ﻪImplementation Method ﻩC Language ﻩNPD is implemented at Kernel layer ﻩThe others are implemented at User layers

37. Implemented Modules ﻪFinished ﻩNPD, Capsulating Module, Sending Module, Receiving Module

38. ELA ～ Evaluation ～

39. Evaluation ﻪQualitative Evaluation ﻩHow easy to construct between many user nodes? ﻪQuantitative Evaluation ﻩOverhead of ELA ﻩRelation between relay count and delay

40. Qualiative Evaluation ﻪComparing with … ﻩPoint-to-Point VPN ﻩClient/Server VPN

41. Qualiative Evaluation ﻪELA is most suitable when many nodes construct VPN each other! Point-to-Point 型 Client/Server 型 ELA Cost ○ × ○ Saving work of users △ ○ △ Automatic selection of Tunneling Protocol ×× ○ Many nodes × ○○

42. VMware Quantitive Evaluation ﻪEvaluation Environment ﻩConstructin on VMware ﻯPC (CPU Pentium4 EE 3.6GHz, Memory 2.0GB) ﻩHost OS: Windows XP (SP1) ﻩGuest OS: Knoppix 3.1 for VMware 192.168.88.128192.168.88.132 192.168.88.133192.168.88.134 ELA-VPN CN 10.0.0.1 CN 10.0.0.2 EN 10.0.0.3 EN 10.0.0.4 TCP UDP ①② ④③ ①② ④③

43. VMware Overhead of ELA ﻪMeasuring RTT by using Ping 1.No ELA （①⇔②） 2.ELA, tunneling protocol is UDP （①⇔②） 3.ELA, tunneling protocol is TCP （①⇔③） ELA-VPN CN EN UDP TCP ①② ④③ ①② ④③ １２ ３

44. Result of Overhead of ELA ﻪThere is overhead by ELA. ﻪThere is more overhead when TCP than when UDP.

45. VMware Relation between relay count and delay ﻪMesuaring RTT by using ping ﻩ1 relay （③⇔①） ﻩ2 relays （③⇔① ⇔② ） ﻩ3 relays （③⇔① ⇔② ⇔④） ﻩ ※ There is no case of more than 4 relays. ELA-VPN CN EN UDP TCP ①② ④③ ２ １ ３ CN

46. Result of between relay count and delay ﻪMore relay counts, more delay. ﻪBut they are a little delay.

47. Related Work

48. ﻪIVGMP (Internet VPN Group Management Protocol) ﻩOne VPN System ﻩEvery nodes connects to other with IPSec. ﻩVNOC provides a policy. ﻩNo mention to detail of VNOC and topology.

49. Future Works and Conclusion

50. Future Works ﻪImplementation ﻩConstructing Topology Module ﻩRouting Module ﻪEvaluation ﻩUse ELA at an actual environment ﻯHow scalable? How robust? ﻪImprovement of Design ﻩSupports QoS, Improvement of scalability.

51. Conclusion ﻪProposal of ELA ﻩPurpose is to construct secure base. ﻪDesign ﻩELA constructs VPN over P2P network. ﻪEvaluation ﻩELA is most suitable when constructing VPN between many user nodes. ﻩOverhead is little

52. Thank you. ﻪThank you for your kind attention!

54. トポロジ構築モジュール ﻪP2P ネットワークの形成＆維持 ﻩ ノードの参加処理（認証、 IP アドレス割当 など） ﻩ ノードの種類に基づく P2P ネットワークの 形成 ﻩ ノードの参加・離脱に応じてルーティング テーブルを更新

55. ルーティングモジュール ﻪ コアノードの場合 ﻩ 通信内容の転送先を、ルーティングテーブルを参 照して決定 ﻪ エッジノードの場合 ﻩ 常に親のコアノードに転送指示

56. NPD (Network Pseudo Device) ﻪ 仮想ネットワークデバイス ﻩ アプリケーションが ELA-VPN 上のノード と通信する際に利用 ﻩELA-VPN における IP アドレスやネットマス クを割当て

57. カプセリングモジュール ﻪ 送信時 ﻩIP パケットのカプセリング（ ELA 独自のヘッダの 付加、ペイロードの暗号化） ﻪ 受信時 ﻩIP パケットのカプセリング除去

58. 送信モジュール ﻪ ルーティングテーブルの指示に従い、 データを送信

59. 受信モジュール ﻪ 他ノードからデータを受信 ﻩ メッセージ：トポロジ構築モジュールへ ﻩ 自分宛の IP パケット：カプセリングモジュールへ ﻩ 他ノード宛の IP パケット：ルーティングモジュー ルへ

60. Related work (2) ﻪIPv6 P2P VPN システム ﻩ 株式会社 DIT が開発 ﻩIPv6 の IPsec を用いた VPN ﻩEnd-to-End の通信 ﻯ 管理が煩雑化 ﻩIPv6 の導入が必要