* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Overlay Networks and Tunneling Reading: 4.5, 9.4 Mike Freedman
Survey
Document related concepts
Wireless security wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Network tap wikipedia , lookup
Distributed firewall wikipedia , lookup
Asynchronous Transfer Mode wikipedia , lookup
Internet protocol suite wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Airborne Networking wikipedia , lookup
Computer network wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
IEEE 802.1aq wikipedia , lookup
Deep packet inspection wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Peer-to-peer wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Transcript
Overlay Networks and Tunneling Reading: 4.5, 9.4 COS 461: Computer Networks Spring 2009 (MW 1:30‐2:50 in COS 105) Mike Freedman Teaching Assistants: WyaN Lloyd and Jeff Terrace hNp://www.cs.princeton.edu/courses/archive/spring09/cos461/ 1 Goals of Today’s Lecture • MoVvaVons for overlay networks – Incremental deployment of new protocols – Customized rouVng and forwarding soluVons • Overlays for parVal deployments – 6Bone, Mbone, security, mobility, … • Resilient Overlay Network (RON) – AdapVve rouVng through intermediate node • MulV‐protocol label switching (MPLS) – Tunneling at L2.5 2 Overlay Networks 3 Overlay Networks 4 Overlay Networks Focus at the application level 5 IP Tunneling to Build Overlay Links • IP tunnel is a virtual point‐to‐point link – Illusion of a direct link between two separated nodes Logical view: Physical view: A B A B tunnel E F E F • EncapsulaVon of the packet inside an IP datagram – Node B sends a packet to node E – … containing another packet as the payload 6 Tunnels Between End Hosts B Src: A Dest: B Src: C Dest: B Src: A Dest: B A C Src: A Dest: C Src: A Dest: B 7 Overlay Networks • A logical network built on top of a physical network – Overlay links are tunnels through the underlying network • Many logical networks may coexist at once – Over the same underlying network – And providing its own parVcular service • Nodes are o`en end hosts – AcVng as intermediate nodes that forward traffic – Providing a service, such as access to files • Who controls the nodes providing service? – The party providing the service – Distributed collecVon of end users 8 Overlays for Incremental Deployment 9 Using Overlays to Evolve the Internet • Internet needs to evolve – IPv6 – Security – Mobility – MulVcast • But, global change is hard – CoordinaVon with many ASes – “Flag day” to deploy and enable the technology • Instead, beNer to incrementally deploy – And find ways to bridge deployment gaps 10 6Bone: Deploying IPv6 over IP4 Logical view: Physical view: A B IPv6 IPv6 A B C IPv6 IPv6 IPv4 Flow: X Src: A Dest: F data A-to-B: IPv6 E F IPv6 IPv6 D E F IPv4 IPv6 IPv6 tunnel Src:B Dest: E Src:B Dest: E Flow: X Src: A Dest: F Flow: X Src: A Dest: F data data B-to-C: IPv6 inside IPv4 B-to-C: IPv6 inside IPv4 Flow: X Src: A Dest: F data E-to-F: IPv6 11 Secure CommunicaVon Over Insecure Links • Encrypt packets at entry and decrypt at exit • Eavesdropper cannot snoop the data • … or determine the real source and desVnaVon 12 CommunicaVng With Mobile Users • A mobile user changes locaVons frequently – So, the IP address of the machine changes o`en • The user wants applicaVons to conVnue running – So, the change in IP address needs to be hidden • SoluVon: fixed gateway forwards packets – Gateway has a fixed IP address – … and keeps track of the mobile’s address changes www.cnn.com gateway 13 IP MulVcast • MulVcast – Delivering the same data to many receivers – Avoiding sending the same data many Vmes unicast multicast • IP mulVcast – Special addressing, forwarding, and rouVng schemes 14 MBone: MulVcast Backbone • A catch‐22 for deploying mulVcast – Router vendors wouldn’t support IP mulVcast – … since they weren’t sure anyone would use it – And, since it didn’t exist, nobody was using it • Idea: so`ware implemenVng mulVcast protocols – And unicast tunnels to traverse non‐parVcipants 15 MulVcast Today • Mbone applicaVons starVng in early 1990s – Primarily video conferencing, but no longer operaVonal • SVll many challenges to deploying IP mulVcast – Security vulnerabiliVes, business models, … • ApplicaVon‐layer mulVcast is more prevalent – Tree of servers delivering the content – CollecVon of end hosts cooperaVng to delivery video • Some mulVcast within individual ASes – Financial sector: stock Vckers – Within campuses or broadband networks: TV shows – Backbone networks: IPTV 16 Case Study: Resilient Overlay Networks 17 RON: Resilient Overlay Networks Premise: by building applicaVon overlay network, can increase performance and reliability of rouVng Princeton app-layer router Yale Two-hop (app-level) Berkeley-to-Princeton route Berkeley http://nms.csail.mit.edu/ron/ 18 RON Circumvents Policy RestricVons • IP rouVng depends on AS rouVng policies – But hosts may pick paths that circumvent policies USLEC me ISP PU Patriot My home computer 19 RON Adapts to Network CondiVons B A C • Start experiencing bad performance – Then, start forwarding through intermediate host 20 RON Customizes to ApplicaVons B A bulk transfer C • VoIP traffic: low‐latency path • Bulk transfer: high‐bandwidth path 21 How Does RON Work? • Keeping it small to avoid scaling problems – A few friends who want beNer service – Just for their communicaVon with each other – E.g., VoIP, gaming, collaboraVve work, etc. • Send probes between each pair of hosts B A C 22 How Does RON Work? • Exchange the results of the probes – Each host shares results with every other host – EssenVally running a link‐state protocol! – So, every host knows the performance properVes • Forward through intermediate host when needed BB A C 23 RON Works in PracVce • Faster reacVon to failure – RON reacts in a few seconds – BGP someVmes takes a few minutes • Single‐hop indirect rouVng – No need to go through many intermediate hosts – One extra hop circumvents the problems • BeNer end‐to‐end paths – CircumvenVng rouVng policy restricVons – SomeVmes the RON paths are actually shorter 24 RON Limited to Small Deployments • Extra latency through intermediate hops – So`ware delays for packet forwarding – PropagaVon delay across the access link • Overhead on the intermediate node – Imposing CPU and I/O load on the host – Consuming bandwidth on the access link • Overhead for probing the virtual links – Bandwidth consumed by frequent probes – Trade‐off between probe overhead and detecVon speed • Possibility of causing instability – Moving traffic in response to poor performance – May lead to congesVon on the new paths 25 We saw tunneling “on top of” IP. What about tunneling “below” IP? Introducing MulV‐Protocol Label Switching (MPLS) 26 Why Tunnel? • Reliability – Fast Reroute, Resilient Overlay Networks (Akamai SureRoute) • Flexibility – Topology, protocol • Stability (“path pinning”) – E.g., for performance guarantees • Security – E.g., Virtual Private Networks (VPNs) • Bypassing local network engineers – Censoring regimes: China, Pakistan, … 27 MPLS Overview • Main idea: Virtual circuit – Packets forwarded based only on circuit idenVfier Source 1 Destination Source 2 Router can forward traffic to the same destination on different interfaces/paths. 28 MPLS Overview • Main idea: Virtual circuit – Packets forwarded based only on circuit idenVfier Source 1 Destination Source 2 Router can forward traffic to the same destination on different interfaces/paths. 29 Circuit AbstracVon: Label Swapping A 1 Tag Out New A 2 2 D 3 D • Label‐switched paths (LSPs): Paths are “named” by the label at the path’s entry point • At each hop, MPLS routers: – Use label to determine outgoing interface, new label – Thus, push/pop/swap MPLS headers that encapsulate IP • Label distribu9on protocol: responsible for disseminaVng signalling informaVon 30 Reconsider security problem 31 Layer 3 Virtual Private Networks • Private communicaVons over a public network • A set of sites that are allowed to communicate with each other • Defined by a set of administraVve policies – Determine both connecVvity and QoS among sites – Established by VPN customers – One way to implement: BGP/MPLS VPN (RFC 2547) Layer 2 vs. Layer 3 VPNs • Layer 2 VPNs can carry traffic for many different protocols, whereas Layer 3 is “IP only” • More complicated to provision a Layer 2 VPN • Layer 3 VPNs: potenVally more flexibility, fewer configuraVon headaches 33 Layer 3 BGP/MPLS VPNs VPN A/Site 2 10.2/16 VPN B/Site 1 10.1/16 P1 2 CE B1 10.2/16 CEA2 CE1B1 PE2 PE3 P3 MPLS to forward traffic CEA3 10.3/16 CEB3 10.1/16 VPN A/Site 1 VPN B/Site 2 BGP to exchange routes P2 PE1 CEA1 CEB2 VPN A/Site 3 10.4/16 VPN B/Site 3 • Isola9on: MulVple logical networks over a single, shared physical infrastructure • Tunneling: Keeping routes out of the core 34 High‐Level Overview of OperaVon • IP packets arrive at PE • DesVnaVon IP address is looked up in forwarding table PE2 PE1 PE3 • Datagram sent to customer’s network using tunneling (i.e., an MPLS label‐switched path) 35 BGP/MPLS VPN key components • Forwarding in the core: MPLS • DistribuVng routes between PEs: BGP • IsolaVon: Keeping different VPNs from rouVng traffic over one another – Constrained distribuVon of rouVng informaVon – MulVple “virtual” forwarding tables • Unique Addresses: VPN‐IPv4 extensions – RFC 2547: Route DisVnguishers 36 Virtual RouVng and Forwarding • Separate tables per customer at each router Customer 1 10.0.1.0/24 10.0.1.0/24 RD: Purple Customer 1 Customer 2 10.0.1.0/24 Customer 2 10.0.1.0/24 RD: Blue 37 Forwarding • PE and P routers have BGP next‐hop reachability through the backbone IGP • Labels are distributed through LDP (hop‐by‐hop) corresponding to BGP Next‐Hops • Two‐Label Stack is used for packet forwarding • Top label indicates Next‐Hop (interior label) • Second label indicates outgoing interface / VRF (exterior label) Corresponds to VRF/ interface at exit Corresponds to LSP of BGP next-hop (PE) Layer 2 Header Label 1 Label 2 IP Datagram 38 Forwarding in BGP/MPLS VPNs • Step 1: Packet arrives at incoming interface – Site VRF determines BGP next‐hop and Label #2 Label 2 IP Datagram • Step 2: BGP next‐hop lookup, add corresponding LSP (also at site VRF) Label 1 Label 2 IP Datagram 39 Layer 3 BGP/MPLS VPNs VPN A/Site 2 10.2/16 VPN B/Site 1 10.1/16 P1 2 CE B1 10.2/16 CEA2 CE1B1 PE2 PE3 P3 CEA3 10.3/16 CEB3 10.1/16 VPN A/Site 1 VPN B/Site 2 P2 PE1 CEA1 CEB2 VPN A/Site 3 10.4/16 VPN B/Site 3 BGP to exchange routes MPLS to forward traffic 40 Conclusions • Overlay networks – Tunnels between host computers – Build networks “on top” of the Internet – Deploy new protocols and services – Provide beNer control, flexibility, QoS, isolaVon, … • Underlay tunnels – Across routers within AS – Build networks “below” IP route – Provide beNer control, flexibility, QoS, isolaVon, … • Next Vme – Peer‐to‐peer applicaVons 41