Virtual Internet Research at the Postel Center
Joe Touch, Postel Center, Computer Networks Division, USC/ISI
January 2004 Joe Touch USC/ISI

Outline
- VIs: definition & architecture
- Using VIs:
  - X-Bone: deploying VIs
  - DynaBone: multilayer VIs for fault tolerance, security, and performance
- Supporting VIs:
  - NetFS: OS support for VIs
  - DataRouter: app.-directed net-layer forwarding

VI Definition
- A VI is a network composed of virt. hosts, virt. routers, and virt. links (tunnels)
- Provides at least the same services as the IA (Internet architecture), in a virtual context
- First-principles extension: more than a patch, more than interim

Motivation
- Unified, consistent virtual architecture: VPNs, overlay nets, peer nets
- Incremental deployment of new services: ongoing experiments
- Topology-based services: DHTs, geographic forwarding [GeoNet], string-rewriter forwarding [DataRouter]
- Layer-based services: contained dynamic routing, fault tolerance (FEC), security (traffic hiding), multi-algorithm [DynaBone], Plutarch's subnet composition

Extra Constraints
- Internet-like: routing (link up) vs. provisioning (link add); "...one header to bind them all..." (use IP, provide IP recursion)
- Complete E2E system: all VNs are E2E
- VN "Turing Test": a net can't tell it's virtual; use existing protocols, OSs, apps.

Principles
- TENET 1. Internet-like: VIs = VRs + VHs + tunnels; emulating the Internet
- TENET 2. All-virtual: decoupled from their base network
- TENET 3. Recursion-as-router: some of the VRs are VI networks

Recursion-as-Router
- Hierarchy w/ connected sub-overlays
- Sub-overlays look like routers
[Figure: primary overlay whose "routers" Sub-1 and Sub-2 are themselves overlays, all over the base network]

Corollaries
- Behavior: VH adds/deletes headers; VRs transit (constant # of headers)
- Structure: VIs support concurrence; VIs support revisitation
- Each VI has its own names and addresses; the address indicates the overlay context

Detailed Architecture
- Components: VH = hidden router; VL = 2 layers (strong link, weak net); VR = partitioned forwarding
- Capabilities: revisitation (multihoming); recursion (router as network, BARP)
- RUNNING CODE (FreeBSD, Linux, Cisco)

Architecture Use
- New concepts: recursion, revisitation; BARP
- Control / deployment: network service to deploy & manage VIs; language for describing VIs

More Concepts: Service Composition
- Compose: X-Bone, DTN, Plutarch [Figure: primary overlay over Sub-1, Sub-2, base network]
- Alternate: outerlay: DynaBone, control plane, FEC, boosters [Figure: outerlay over Sub-1, Sub-2, Sub-3, base network]

More Architecture Uses: Correct/Explain Anomalies
- Multihoming: phantom router in all hosts; input context for forwarding/binding
- Revisitation: two-level tunnels; input context sets IPsec tunnel mode & dynamic routing

Typical Q's
- Why not VPNs/peer, etc.? Most net-level ones are incremental, partial, etc.; app.-level recapitulates the network & won't compose
- Isn't this more complex? AS-like management encapsulation (multi-level); can make the application view simpler (per-app. networks)
- Isn't this suboptimal/non-diverse? So is VM; like VM, OOB info. & direct measurements can help; layering implies increasing coarseness
- Wasn't this done in (X) before? VIA is uniform, consistent, & implemented
- What's so hard? See "uses" & "anomalies"

Performance Impact
- 1/N performance
[Chart: K pkts/sec (0-200) vs. number of encapsulations (1-100), for Netgraph and GIF, host-host and host-router-host]

Prior & Related Work
- Service/new protocols: Cronus, M/6/Q/A-Bone
- Multi/other layer: Cronus, Supranet, MorphNet, VANs
- Partial: VPN, VNS, RON, Detour, PPVPN, SOS
- Virtualization, revisitation, recursion: X-Bone, Spawning, DynaBone, NetFS, Netlab

VI Analogy to VM
- Protection: for concurrency, separation
- Simpler configuration: run over simpler topologies
- Decouple from physical: emulate larger/different nets
- Automation: generic, external mechanism

Why 2 Layers?
- Network: E2E IDs, routing
- Link: ICMP, ARP, forwarding
- Reasons: revisitation; separate link-layer IPsec keys; allows separate interfaces, thus dynamic routing
- Issues: overlap for efficiency; strong vs. weak
[Figure: hosts X and Y joined by a strong (link) layer and a weak (network) layer]

X-Bone
- Web GUI, multiple views
[Figure: IP base network with hosts A, B, C, D; a star overlay (star-ovl) and a ring overlay (ring-ovl) over the same hosts; xd GUI talking to the Overlay Manager, which drives Resource Daemons on link, router, and host over the base IPv4 network; automated monitoring]

The X-Bone Is...
- A system for automated overlay deployment: among a closed set of trusted hosts and routers; provides coordination, configuration, management; many details are plug-replaceable
- New tricks for overlays (use of overlays): overlays on overlays on overlays on ...; fault tolerance, service deployment; member in multiple overlays, or in a single one multiple times
- New tricks for old dogs (extend net arch.): use existing stacks and applications

What We Don't Do...
- Optimize the overlay topology: we use a plug-in module (AI folk can provide); it requires network status (emerging now)
- Fault tolerance only via ground truth (admin. issue)
- X-Bone is capability more than performance (now)
- Non-IP overlays: IP is the interoperability layer; IP recurses / stacks nicely

Creating a Ring Ovl.
[Figure: request to the OM; result: a ring overlay over sin, eql, udel, cos, div, sec, isipc2, bbn across the Internet]

Potential Uses
- Test new protocols; test denial-of-service solutions
- Deploy new services incrementally: dynamic routing, proxylets, security
- Increase lab & testbed utility: overlapping nets, add delay & loss; scale to 10,000 nodes
- Simplify view of topology
- Support fault tolerance: added level of recovery

Features
- Secure: X.509 certs, SSL control, ACLs
- Resilient: heartbeats with auto-dismantle; crash recovery/restore; detects/avoids replays; idempotent actions w/ rollback
- Overlay features: Dummynet, IPsec
- Application deployment: ABone; Squid proxy system (U. Catalonia); PlanetLab-like slice of vservers

Recent Additions
- In 3.0 (1/2004): IPv6; dynamic DNS/DNSsec; Cisco via buddy host; Zebra dynamic routing; user-specified topology; XML-based API
- Coming soon: revisitation (using network stacks); recursion

Architecture Issues
- Core (PP) VPNs need stub assistance: all transport is E2E; inject routes via BGP/RIP or redirect default; often assumes one VPN
- Boundary control:
  - Typical VPN: O(N) tunnels & routes / O(N) firewall rules
  - Separate routing and firewalls: O(1) routes / O(N) firewall rules
  - Firewall via groups: O(1) routes / O(1) firewall rules

Relation To
- NetLab (net EmuLab): focuses on L2-VPNs; incorporating X-Bone concepts (revisitation, IPsec tunnel over IPIP/GRE)
- PlanetLab: focuses on OS; primitive networking; reinventing net. configuration mech.
Availability (and Not)...
- http://www.isi.edu/xbone
- Platforms: FreeBSD 4.x/5.x (IPv4/6 IPsec); Linux RedHat (IPv4/IPsec only); Cisco via buddy host (IPv4 IPsec, IPv6)
- Under development/test: NetBSD (tested only); MacOS X (prelim. testing)
- Platforms not capable of VIs: Windows 2K/XP; Linux FreeS/WAN; Vxworks, Janos; PlanetLab inside vserver

DynaBone
- Spread-spectrum multilayer Internet overlays
[Figure: an outerlay with a PRM at each end over three parallel innerlays (3DES encrypt / link-state routing; RC5 encrypt / RIP; MD5 auth / static routing), one innerlay marked X as failed, all over the base network]

Goals
- Auto platform for spread-spectrum: architecture in which to use ... (see BASF)
- Closed-group communication: E2E, E2(gateway), etc.
- Enable multilayer defense (IP addr, SPI, decrypts)
- Platform for muggles: transparent to applications, protocols, OS's; auto-deploy

DynaBone via X-Bones
- Parallel innerlays
- Coordinate use via PRMs
[Figure: outerlay over Sub-1, Sub-2, Sub-3, base network]

Layered Overlays
- Innerlays: a network you can gracefully disconnect; attacker-like parallelism as a defense
- Outerlay: hides the innerlays from OS and applications; allows transparent restoration
- Automated deployment via X-Bone: user deployed, trans-AS, no new protocols; integrates heterogeneous net-level security

PRM Detail
[Figure: PRM built from a Mux (per packet? per TCP?), a Monitor (inject, measure) and a Demux (reorder? drop dups?); DDOS attack detection; performance metrics (pathchar)]

Monitor & Control GUI
[Screenshot]

NetGraph PRM Module
[Figure: PRM module with MUX, BARP, RR, SS, B-table, Rand, Copy, API, IFACE, Web]
- Web API: /data [format]; /policy(?value); /stop?innerlay; /go?innerlay

PRM Performance
[Chart: Gbps and Kpps as a percentage (0-100%) vs. 1-10000]

NetFS File System
[Figure: /netfs tree with iface (lo, ether/fxp0), ip (default, alias1, alias2, each with addr and mask entries, e.g. 10.3.0.0 / 255.255.0.0 and 255.0.0.0), route (default 10.0.0.1), proto (tcp, udp with numbered entries such as 1, 25, 26), ipfw, ipsec]

Goals
- Simple, standard interface: across different OS's; file system API and semantics
- Fine-grained security: user, group, world, etc.; per instance of each resource
- Context-dependent views: limits the "ifconfig -a" response

Intertwined Control
[Figure: NetFS file API beside the socket API: interfaces via sockopt, routes via ioctl/sysctl, communication channels via the in-band API]

Per-process Context
[Figure: Process A and Process B each see their own ~netfs (iface, route) view of /netfs, whose ifaces are A, B and routes X, Y, Z]

Related Work
- Linux's /procfs: processes
- Jail (fbsd) & vserver (linux): limits root access to 1 IP addr per partition
- Plan 9's /net: sockets
- FreeBSD extensions (underway): add naming (kernel hack) to interfaces

DataRouter
[Figure: a packet from S carrying the string "bird #55fea3 isi.edu" reaches D1; the rule s/(bird)(.*)(isi.edu)/(D2)($2)(usc.edu)/ rewrites it so the packet is forwarded to D2 carrying "#55fea3 usc.edu", and on to P]

Motivation
- Application-level networks are 'bad': recapitulate the network layer; require additional E2E transport protocols; hard to compose
- Network-level overlays not enough: application-level info. is hidden; IP forwarding is not sufficient

Goal = Peer/DHT Support
- Useful: supports application-directed forwarding; enables composition/integration of app. svcs.
- Clean: avoids reinventing the network layer; avoids reinventing the transport layer
- Appropriate: forwards fast; supports IPsec; is somewhat safe

DataRouter IS:
- Header = IP Loose Source Route: network-layer option; works as an encapsulation header (a la IPsec)
- Entry = string: explicit application context
- Forwarding via string rewriting: string -> (IP address, string') pair

DataRouter ISN'T:
- Routing protocol: IP doesn't force OSPF, BGP, etc.
- Overlay configuration: IP doesn't force a particular topology

Enabled Capabilities
- App. forwarding via network svc.
- Late-binding integration: one packet: TCP/SYN w/ Google as DR; Google, DNS
- IP anycast services: first DR hop = anycast server; further hops added by appending

Quick FAQ
- This is forwarding; who does routing? The application that would have done the forwarding (Chord, CAN, Napster, Google, DNS)
- Can transport handle unbound dests? Use HIP to decouple TCP/UDP from IP
- What is the API? DR strings via SOCKOPT; forwarding entries via the droute command
- Why use REs? Sufficient, efficient, complete
- How does it avoid breaking E2E? By allowing E2E TCP
- Why use a LSR IP option? Integrates w/ existing ICMP, IPsec; allows 'overlays'; transparent

Example Uses
- All in a parsed string: Class:string, metric:string; escape ":"; select largest metric
[Table, column alignment partly lost in extraction: DNS, longest suffix (e.g. Joe.com); URL, exact (e.g. Joe.com/apple); Napster, MP3, hash(title); Google, WebDB, closest ("Harry Potter movie"); IPv4, longest prefix (e.g. 10.0.0.4)]

Related Work
- Application-directed forwarding: DHTs, web proxies...; Google, DNS
- Alternate network forwarding: Dbase index [Carzaniga03]; Linda [Carriero86]; data manipulation lang. [Chandranmenon95]; Catanet, TRIAD, I3, IPNL, Heaps, Net Ptrs...

Performance
[Chart: K packets/sec (0-400) for IP/reg, IP/RER, Hash/RER, RE/RER, UDP and TCP]

TetherNet
- Complete Internet IP connectivity
- Works behind NATs
- Works behind short-lease DHCP

Subnet Rental
[Figure]

Optical Internets
- Optical recapitulates electronic: WDM = VCs; burst switching = MPLS/label switching
- Jump ahead to packet-based
- Router: queue-free architecture; forwarding via partial filters; TTL decrement; IP checksum
- LAN protocols: OCDMA MAC design

Forward via Filters
- Bit-subset groups share next-hops
- Remainder to helper router
[Figure: input 1101 fed to a "1" bits correlator (match = 'high', threshold = 3) and a "0" bits correlator (match = 'low', threshold = 0, via NOT); the two matches are ANDed into the 'MATCH' signal]

TTL Decrementer
- LSB-first: invert until 1; stop @ 1st "1" (delete if no "1")
[Figure: signal inversion at 10 Gbit/s NRZ using SOAs (CW), modulators, PPLN stages, photodetectors, a D flip-flop and electronic control; packet out w/ updated TTL]

Internet Checksum
- Serial 1-bit full-adder
[Figure: inputs Xi, Yi and carry-in Ci, outputs S and carry-out Co, with k1*16-bit and k2*16-bit delay lines]

http://www.isi.edu/xbone
- xbone: Greg Finn, Steve Hotz, Amy Hughes, Lars Eggert, YuShun Wang, Nimish Kasat, Osama Dosary, Ankur Sheth, Shitanshu Shah, Wei-Chun Chou, Stephen Suryaputra, Savas Guven
- dynabone: Venkata Pingali, Runfang Zhou
- netfs: Josh Train
- datarouter: Venkata Pingali
- tethernet: Lars Eggert, YuShun Wang
- pow / ocdma: Joseph Bannister, Puroshutham Kamath, Michelle Hauer, Dinez Gurkin, John McGeehan
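The DataRouter slides above describe forwarding on "Class:string" entries with a per-class metric (longest suffix for DNS, longest prefix for IPv4, exact for URLs, largest metric wins) and forwarding by string rewriting. The following is an added example, not code from the X-Bone/DataRouter project, that works one such table through all of those cases; the table entries, the hop names (D2, 10.0.0.x) and the "RE" class name are constructed for illustration.

```python
import ipaddress
import re

# Added example (not DataRouter's own code): a forwarding table over
# "Class:string" DR entries. Metrics follow the slides: DNS longest suffix,
# IPv4 longest prefix, URL exact; "RE" entries forward by string rewriting,
# as in the bird/isi.edu -> usc.edu figure. Largest metric wins.

def metric(cls, key, value):
    # Match quality of value against key, or None if it does not match.
    if cls == "DNS" and (value == key or value.endswith("." + key)):
        return len(key)                      # longest suffix
    if cls == "IPv4":
        net = ipaddress.ip_network(key)
        if ipaddress.ip_address(value) in net:
            return net.prefixlen             # longest prefix
    if cls == "URL" and value == key:
        return 0                             # exact
    if cls == "RE":
        m = re.match(key, value)
        if m:
            return m.end()                   # longest regex match
    return None

def lookup(table, dr_string):
    # 'Class:string' -> (next hop, rewritten 'Class:string'), or None.
    cls, _, value = dr_string.partition(":")
    value = value.replace("\\:", ":")        # ':' inside the string is escaped
    best = None
    for ecls, key, hop, rewrite in table:
        if ecls != cls:
            continue
        m = metric(cls, key, value)
        if m is not None and (best is None or m > best[0]):
            best = (m, key, hop, rewrite)
    if best is None:
        return None
    _, key, hop, rewrite = best
    out = value if rewrite is None else re.sub(key, rewrite, value, count=1)
    return hop, f"{cls}:{out}"

# Constructed table: (class, key, next hop, rewrite); hops are placeholders.
TABLE = [
    ("DNS", "edu", "10.0.0.2", None),
    ("DNS", "isi.edu", "10.0.0.1", None),
    ("IPv4", "10.0.0.0/8", "10.0.0.3", None),
    ("IPv4", "10.0.0.0/24", "10.0.0.4", None),
    ("URL", "http://Joe.com/apple", "10.0.0.5", None),
    ("RE", r"bird (.*) isi\.edu", "D2", r"\1 usc.edu"),
]
```

A real DataRouter would carry the string in the IP loose-source-route option and put the next hop's address in the route; here the pair returned by lookup stands in for that (IP address, string') result.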