Download Overlay Networks and Tunneling  Reading: 4.5, 9.4 Mike Freedman

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
Document related concepts

RapidIO wikipedia , lookup

Wireless security wikipedia , lookup

CAN bus wikipedia , lookup

Net bias wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Network tap wikipedia , lookup

Distributed firewall wikipedia , lookup

Asynchronous Transfer Mode wikipedia , lookup

Internet protocol suite wikipedia , lookup

Wake-on-LAN wikipedia , lookup

IEEE 1355 wikipedia , lookup

Airborne Networking wikipedia , lookup

Computer network wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

IEEE 802.1aq wikipedia , lookup

Peering wikipedia , lookup

Deep packet inspection wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Peer-to-peer wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Quality of service wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

Transcript 
Overlay Networks and Tunneling Reading: 4.5, 9.4
COS 461: Computer Networks Spring 2009 (MW 1:30‐2:50 in COS 105) Mike Freedman Teaching Assistants: WyaN Lloyd and Jeff Terrace hNp://www.cs.princeton.edu/courses/archive/spring09/cos461/ 1
Goals of Today’s Lecture •  MoVvaVons for overlay networks –  Incremental deployment of new protocols –  Customized rouVng and forwarding soluVons •  Overlays for parVal deployments –  6Bone, Mbone, security, mobility, … •  Resilient Overlay Network (RON) –  AdapVve rouVng through intermediate node •  MulV‐protocol label switching (MPLS) –  Tunneling at L2.5 2
Overlay Networks 3
Overlay Networks 4
Overlay Networks Focus at the application level
5
IP Tunneling to Build Overlay Links •  IP tunnel is a virtual point‐to‐point link –  Illusion of a direct link between two separated nodes Logical view:
Physical view:
A
B
A
B
tunnel
E
F
E
F
•  EncapsulaVon of the packet inside an IP datagram –  Node B sends a packet to node E –  … containing another packet as the payload 6
Tunnels Between End Hosts B
Src: A
Dest: B
Src: C
Dest: B
Src: A
Dest: B
A
C
Src: A
Dest: C
Src: A
Dest: B
7
Overlay Networks •  A logical network built on top of a physical network –  Overlay links are tunnels through the underlying network •  Many logical networks may coexist at once –  Over the same underlying network –  And providing its own parVcular service •  Nodes are o`en end hosts –  AcVng as intermediate nodes that forward traffic –  Providing a service, such as access to files •  Who controls the nodes providing service? –  The party providing the service –  Distributed collecVon of end users 8
Overlays for Incremental Deployment 9
Using Overlays to Evolve the Internet •  Internet needs to evolve –  IPv6 –  Security –  Mobility –  MulVcast •  But, global change is hard –  CoordinaVon with many ASes –  “Flag day” to deploy and enable the technology •  Instead, beNer to incrementally deploy –  And find ways to bridge deployment gaps 10
6Bone: Deploying IPv6 over IP4 Logical view:
Physical view:
A
B
IPv6
IPv6
A
B
C
IPv6
IPv6
IPv4
Flow: X
Src: A
Dest: F
data
A-to-B:
IPv6
E
F
IPv6
IPv6
D
E
F
IPv4
IPv6
IPv6
tunnel
Src:B
Dest: E
Src:B
Dest: E
Flow: X
Src: A
Dest: F
Flow: X
Src: A
Dest: F
data
data
B-to-C:
IPv6 inside
IPv4
B-to-C:
IPv6 inside
IPv4
Flow: X
Src: A
Dest: F
data
E-to-F:
IPv6
11
Secure CommunicaVon Over Insecure Links •  Encrypt packets at entry and decrypt at exit •  Eavesdropper cannot snoop the data •  … or determine the real source and desVnaVon 12
CommunicaVng With Mobile Users •  A mobile user changes locaVons frequently –  So, the IP address of the machine changes o`en •  The user wants applicaVons to conVnue running –  So, the change in IP address needs to be hidden •  SoluVon: fixed gateway forwards packets –  Gateway has a fixed IP address –  … and keeps track of the mobile’s address changes www.cnn.com
gateway
13
IP MulVcast •  MulVcast –  Delivering the same data to many receivers –  Avoiding sending the same data many Vmes unicast
multicast
•  IP mulVcast –  Special addressing, forwarding, and rouVng schemes 14
MBone: MulVcast Backbone •  A catch‐22 for deploying mulVcast –  Router vendors wouldn’t support IP mulVcast –  … since they weren’t sure anyone would use it –  And, since it didn’t exist, nobody was using it •  Idea: so`ware implemenVng mulVcast protocols –  And unicast tunnels to traverse non‐parVcipants 15
MulVcast Today •  Mbone applicaVons starVng in early 1990s –  Primarily video conferencing, but no longer operaVonal •  SVll many challenges to deploying IP mulVcast –  Security vulnerabiliVes, business models, … •  ApplicaVon‐layer mulVcast is more prevalent –  Tree of servers delivering the content –  CollecVon of end hosts cooperaVng to delivery video •  Some mulVcast within individual ASes –  Financial sector: stock Vckers –  Within campuses or broadband networks: TV shows –  Backbone networks: IPTV 16
Case Study: Resilient Overlay Networks 17
RON: Resilient Overlay Networks Premise: by building applicaVon overlay network, can increase performance and reliability of rouVng Princeton
app-layer
router
Yale
Two-hop (app-level)
Berkeley-to-Princeton
route
Berkeley
http://nms.csail.mit.edu/ron/
18
RON Circumvents Policy RestricVons •  IP rouVng depends on AS rouVng policies –  But hosts may pick paths that circumvent policies USLEC
me
ISP
PU
Patriot
My home computer
19
RON Adapts to Network CondiVons B
A
C
•  Start experiencing bad performance –  Then, start forwarding through intermediate host 20
RON Customizes to ApplicaVons B
A
bulk transfer
C
•  VoIP traffic: low‐latency path •  Bulk transfer: high‐bandwidth path 21
How Does RON Work? •  Keeping it small to avoid scaling problems –  A few friends who want beNer service –  Just for their communicaVon with each other –  E.g., VoIP, gaming, collaboraVve work, etc. •  Send probes between each pair of hosts B
A
C
22
How Does RON Work? •  Exchange the results of the probes –  Each host shares results with every other host –  EssenVally running a link‐state protocol! –  So, every host knows the performance properVes •  Forward through intermediate host when needed BB
A
C
23
RON Works in PracVce •  Faster reacVon to failure –  RON reacts in a few seconds –  BGP someVmes takes a few minutes •  Single‐hop indirect rouVng –  No need to go through many intermediate hosts –  One extra hop circumvents the problems •  BeNer end‐to‐end paths –  CircumvenVng rouVng policy restricVons –  SomeVmes the RON paths are actually shorter 24
RON Limited to Small Deployments •  Extra latency through intermediate hops –  So`ware delays for packet forwarding –  PropagaVon delay across the access link •  Overhead on the intermediate node –  Imposing CPU and I/O load on the host –  Consuming bandwidth on the access link •  Overhead for probing the virtual links –  Bandwidth consumed by frequent probes –  Trade‐off between probe overhead and detecVon speed •  Possibility of causing instability –  Moving traffic in response to poor performance –  May lead to congesVon on the new paths 25
We saw tunneling “on top of” IP. What about tunneling “below” IP? Introducing MulV‐Protocol Label Switching (MPLS) 26
Why Tunnel? •  Reliability –  Fast Reroute, Resilient Overlay Networks (Akamai SureRoute) •  Flexibility –  Topology, protocol •  Stability (“path pinning”) –  E.g., for performance guarantees •  Security –  E.g., Virtual Private Networks (VPNs) •  Bypassing local network engineers –  Censoring regimes: China, Pakistan, … 27
MPLS Overview •  Main idea: Virtual circuit –  Packets forwarded based only on circuit idenVfier Source 1
Destination
Source 2
Router can forward traffic to the same
destination on different interfaces/paths.
28
MPLS Overview •  Main idea: Virtual circuit –  Packets forwarded based only on circuit idenVfier Source 1
Destination
Source 2
Router can forward traffic to the same
destination on different interfaces/paths.
29
Circuit AbstracVon: Label Swapping A
1
Tag Out New
A
2
2
D
3
D
•  Label‐switched paths (LSPs): Paths are “named” by the label at the path’s entry point •  At each hop, MPLS routers: –  Use label to determine outgoing interface, new label –  Thus, push/pop/swap MPLS headers that encapsulate IP •  Label distribu9on protocol: responsible for disseminaVng signalling informaVon 30
Reconsider security problem 31
Layer 3 Virtual Private Networks •  Private communicaVons over a public network •  A set of sites that are allowed to communicate with each other •  Defined by a set of administraVve policies –  Determine both connecVvity and QoS among sites –  Established by VPN customers –  One way to implement: BGP/MPLS VPN (RFC 2547) Layer 2 vs. Layer 3 VPNs •  Layer 2 VPNs can carry traffic for many different protocols, whereas Layer 3 is “IP only” •  More complicated to provision a Layer 2 VPN •  Layer 3 VPNs: potenVally more flexibility, fewer configuraVon headaches 33
Layer 3 BGP/MPLS VPNs VPN A/Site 2
10.2/16
VPN B/Site 1
10.1/16
P1
2
CE B1
10.2/16
CEA2
CE1B1
PE2
PE3
P3
MPLS to forward traffic
CEA3
10.3/16
CEB3
10.1/16
VPN A/Site 1
VPN B/Site 2
BGP to exchange routes
P2
PE1
CEA1
CEB2
VPN A/Site 3
10.4/16
VPN B/Site 3
•  Isola9on: MulVple logical networks over a single, shared physical infrastructure •  Tunneling: Keeping routes out of the core 34
High‐Level Overview of OperaVon •  IP packets arrive at PE •  DesVnaVon IP address is looked up in forwarding table PE2
PE1
PE3
•  Datagram sent to customer’s network using tunneling (i.e., an MPLS label‐switched path) 35
BGP/MPLS VPN key components •  Forwarding in the core: MPLS •  DistribuVng routes between PEs: BGP •  IsolaVon: Keeping different VPNs from rouVng traffic over one another –  Constrained distribuVon of rouVng informaVon –  MulVple “virtual” forwarding tables •  Unique Addresses: VPN‐IPv4 extensions –  RFC 2547: Route DisVnguishers 36
Virtual RouVng and Forwarding •  Separate tables per customer at each router Customer 1
10.0.1.0/24
10.0.1.0/24
RD: Purple
Customer 1
Customer 2
10.0.1.0/24
Customer 2
10.0.1.0/24
RD: Blue
37
Forwarding •  PE and P routers have BGP next‐hop reachability through the backbone IGP •  Labels are distributed through LDP (hop‐by‐hop) corresponding to BGP Next‐Hops •  Two‐Label Stack is used for packet forwarding •  Top label indicates Next‐Hop (interior label) •  Second label indicates outgoing interface / VRF (exterior label) Corresponds to VRF/
interface at exit
Corresponds to LSP of
BGP next-hop (PE)
Layer 2
Header
Label
1
Label
2
IP Datagram
38
Forwarding in BGP/MPLS VPNs •  Step 1: Packet arrives at incoming interface –  Site VRF determines BGP next‐hop and Label #2 Label
2
IP Datagram
•  Step 2: BGP next‐hop lookup, add corresponding LSP (also at site VRF) Label
1
Label
2
IP Datagram
39
Layer 3 BGP/MPLS VPNs VPN A/Site 2
10.2/16
VPN B/Site 1
10.1/16
P1
2
CE B1
10.2/16
CEA2
CE1B1
PE2
PE3
P3
CEA3
10.3/16
CEB3
10.1/16
VPN A/Site 1
VPN B/Site 2
P2
PE1
CEA1
CEB2
VPN A/Site 3
10.4/16
VPN B/Site 3
BGP to exchange routes
MPLS to forward traffic
40
Conclusions •  Overlay networks –  Tunnels between host computers –  Build networks “on top” of the Internet –  Deploy new protocols and services –  Provide beNer control, flexibility, QoS, isolaVon, … •  Underlay tunnels –  Across routers within AS –  Build networks “below” IP route –  Provide beNer control, flexibility, QoS, isolaVon, … •  Next Vme –  Peer‐to‐peer applicaVons 41
Related documents
Mullvad Barnprogram
Mullvad Barnprogram
514-25-Wrap
514-25-Wrap
Overlay Networks
Overlay Networks
MPLS
MPLS
BUS 352 Week 4 Discussion 2 (Security components)
BUS 352 Week 4 Discussion 2 (Security components)
MPLS-based Virtual Private Networks
MPLS-based Virtual Private Networks
Internet Traffic Engineering
Internet Traffic Engineering
level 3sm secure access - Level 3 Communications
level 3sm secure access - Level 3 Communications
IP / MPLS - IDG Communications
IP / MPLS - IDG Communications
PPT - Microsoft Research
PPT - Microsoft Research