On Proxy Server based Multipath Connections (PSMC)
PhD Proposal
Yu Cai, 10/2003
University of Colorado at Colorado Springs
Presentation outline
Introduction
Related work
Algorithms for PSMC proxy server selection
Protocols for PSMC packet handling
PSMC applications
Security issues of PSMC
Conclusion
Introduction
Single path connection vs. multipath connections
The connections between two network nodes are mostly single path connections in today's network environment.
Multipath connections provide potentially multiple paths between network nodes, so that the traffic from a source can be spread over multiple paths and transmitted in parallel through the network.
The benefits of multipath connections
Utilize the network resources more efficiently,
Improve the effective bandwidth of network nodes,
Increase the packet delivery reliability,
Provide quality-of-service guarantees,
Cope well with network congestion, link breakage and burst traffic.
Related works on multipath connections
The IBM Systems Network Architecture (SNA) network in 1974.
N. F. Maxemchuk in 1975 (dispersity routing). The research was extended to virtual circuit networks and ATM networks.
Categories of multipath connections based on the OSI 7-layer network model
1. Physical layer: one example is multipath interference, which causes FM radio to sound staticky.
2. Data link layer: Link Aggregation, defined in IEEE 802.3ad.
3. Network layer: has been studied extensively as multipath routing.
a. Wired network: table-driven routing (link state or distance vector), source routing, MultiProtocol Label Switching (MPLS).
b. Wireless ad hoc network: table-driven routing (link state or distance vector), source routing.
4. Transport layer: Linux multipath connections for multiple ISP connections.
Proxy Server based Multipath Connections (PSMC)
We propose to study proxy server based multipath connections (PSMC). It is a cross-layer implementation.
The key idea of PSMC is as follows. By using a set of connection relay proxy servers, we could set up indirect routes via the proxy servers, and transport packets over the network through the indirect routes. By enhancing existing TCP/IP protocols, we could efficiently distribute and reassemble packets among multiple paths at the two end nodes, and increase end-to-end TCP throughput.
The approach offers applications the ability to increase network performance, efficiency, stability, availability and security.
Why PSMC
PSMC has the same advantages as other multipath connection approaches.
Flexibility: PSMC can be more conveniently and adaptively deployed in various network environments. PSMC does not require changes to the physical network infrastructure, only feasible changes to network software and protocols. PSMC also gives end users more control over setting up multipath connections.
Compatibility: PSMC utilizes existing TCP/IP protocols and network infrastructure. This ensures compatibility with the current Internet. It also ensures performance, efficiency and reliability, and hides the complexity from end users.
Applications: A large number of applications in various categories could benefit from utilizing PSMC. For example, the secure collective defense network (SCOLD), providing additional bandwidth based on operational requirements, or providing QoS for video streaming.
Three components in PSMC
The multipath sender is responsible for efficiently and adaptively distributing packets over the selected multiple paths. Some of the packets go through the normal direct route; other packets go through the indirect routes via the proxy servers.
The intermediate connection relay proxy servers examine the incoming packets and forward them to the destinations through the selected path.
The multipath receiver collects the packets arriving from multiple paths, reassembles them in order and delivers them to the user.
Algorithms for PSMC
Proxy server selection is a critical part of PSMC. Different proxy server selections result in different performance.
We have developed heuristic algorithms to choose the best mirror sites for parallel download from multiple mirror sites, which can be viewed as a sub-problem of PSMC.
Server Location Problem
We need to solve the following two proxy server selection problems.
1) Server Selection Problem. Given the target server location and a set of proxy servers, choose the best proxy server(s) for a client or for a group of clients, to achieve the best performance in terms of bandwidth.
2) Server Placement Problem. Given the target server location and a set of nodes, choose the best node(s) at which to place the proxy servers, for certain connection requirements, like maximizing the aggregated network bandwidth.
These are likely NP-hard problems. Heuristic algorithms, or loosening the optimality constraints, can simplify the problem.
Diagram of server selection/placement problem
[Figure: two diagrams, the server selection problem and the server placement problem]
Related work on algorithms
The mirror server and web cache server selection problem has been studied in recent years.
Two types of approaches.
1) Formal approach: based on graph theory. Common assumptions for obtaining the network graph are:
a) network topology known in advance,
b) path cost known in advance,
c) single and static connection.
Algorithms include:
a) random algorithm, b) greedy algorithm,
c) tree-based algorithm, d) k-min algorithm.
2) Practical approach: no assumptions, for the real world. a) IDMap, b) client clustering.
Why PSMC algorithms?
Even though there are various server selection algorithms and approaches, ad hoc selection is still the main approach used in practice.
Existing server selection algorithms only study the cases of mirror servers and cache servers. But the proxy servers in PSMC have several unique properties, which result in different optimality constraints and optimization goals.
Further study on algorithms needs to be done.
PSMC Protocols: packet handling
Protocols need to be designed to distribute, reassemble and transmit packets.
Packet distribution and reassembly: add a thin layer between TCP/UDP and IP. Linux kernel enhancement. Linux Virtual Server packet handling. ATCP packet handling.
Why add a thin layer?
a) Utilize existing TCP/IP protocols, particularly the packet re-sequencing and re-sending mechanisms.
b) Hide the complexity of multipath connections from upper-layer users.
c) Maintain high end-to-end TCP throughput.
PSMC Protocols: packet transmission
Packet transmission: after investigating various approaches, like SOCKS proxy servers and Zebedee, we propose to use IP tunnels or IPSec to enable indirect routes via proxy servers.
IP tunneling is well developed and widely available. It is a layer 2 protocol, transparent to higher layers. IP tunneling performance is acceptable.
Tunneling protocol enhancements for PSMC: tunnel handshake, host authentication, security mechanisms. VPN tunneling protocols.
Special issues on PSMC Protocols
Two special issues for PSMC protocols:
Fail-over, packet resend and packet re-sequencing mechanisms when packets are lost or connections are broken.
Sticky-connection mechanism when packets need to be sent through a particular route, like HTTP keep-alive.
Inside a corporate environment, alternate solutions for setting up multipath connections include: modifying the routing table in the router, MPLS, source routing.
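The three PSMC components, the thin layer between TCP/UDP and IP, and the fail-over and sticky-connection issues can be seen together in one small simulation. This is an added example and not the proposal's Linux kernel code: the 9-byte shim header (connection id, sequence number, path id), the weighted round-robin distribution, the path latencies and the tick at which the direct route breaks are all constructed here. The receiver re-sequences packets arriving from three paths, unacknowledged packets are re-sent over the surviving paths, and a pinned path models a sticky connection:

```python
"""PSMC thin-layer simulation: multipath sender, relay paths, multipath receiver
(added example, not the proposal's Linux kernel code).  Every packet carries a
small shim header (connection id, sequence number, path id; the layout is
hypothetical), the sender spreads packets over the direct route and proxy routes,
the receiver re-sequences them, and packets lost on a broken path are re-sent
over the surviving ones.  Paths, latencies and the failure tick are constructed."""
import struct

SHIM = struct.Struct("!IIB")  # conn_id, seq, path_id -> 9 bytes

class Path:
    """One route (direct, or indirect via a proxy) with a fixed one-way latency."""
    def __init__(self, name, path_id, latency, weight, fails_after=None):
        self.name, self.path_id, self.latency, self.weight = name, path_id, latency, weight
        self.fails_after = fails_after  # tick from which the path silently drops packets
        self.up = True

    def send(self, now, wire, inbox):
        if self.fails_after is not None and now >= self.fails_after:
            return  # broken path: the packet is lost and nobody is told
        inbox.append((now + self.latency, self.path_id, wire))

class MultipathSender:
    def __init__(self, conn_id, paths):
        self.conn_id, self.rr, self.sent_on = conn_id, 0, {}
        # weighted round robin: a path with weight 2 gets twice the packets
        self.schedule = [p for p in paths for _ in range(p.weight)]

    def pick_path(self):
        live = [p for p in self.schedule if p.up]  # skip paths marked down
        path = live[self.rr % len(live)]
        self.rr += 1
        return path

    def send_all(self, segments, inbox, now, pinned=None):
        """Distribute (seq, payload) segments; `pinned` models a sticky connection."""
        for seq, payload in segments:
            path = pinned or self.pick_path()
            path.send(now, SHIM.pack(self.conn_id, seq, path.path_id) + payload, inbox)
            self.sent_on[seq] = path
            now += 1  # one packet per tick
        return now

class MultipathReceiver:
    def __init__(self, conn_id):
        self.conn_id, self.expected, self.max_buffered = conn_id, 0, 0
        self.buffer, self.delivered, self.acked = {}, [], set()

    def receive(self, wire):
        conn_id, seq, _path_id = SHIM.unpack(wire[:SHIM.size])
        if conn_id != self.conn_id:
            return  # not ours; a real shim hands it to the normal IP path
        self.acked.add(seq)
        if seq >= self.expected and seq not in self.buffer:
            self.buffer[seq] = wire[SHIM.size:]
        self.max_buffered = max(self.max_buffered, len(self.buffer))
        while self.expected in self.buffer:  # deliver the contiguous prefix in order
            self.delivered.append(self.buffer.pop(self.expected))
            self.expected += 1

def drain(inbox, receiver):
    """Hand packets to the receiver in arrival order, whatever path they took."""
    for _arrival, _pid, wire in sorted(inbox):
        receiver.receive(wire)

def make_paths():
    # constructed: the direct route is fastest and gets most traffic, but breaks at tick 6
    return [Path("direct", 0, latency=5, weight=2, fails_after=6),
            Path("proxy1", 1, latency=12, weight=1),
            Path("proxy2", 2, latency=20, weight=1)]

def run_transfer(payloads, pinned=None, conn_id=7):
    paths = make_paths()
    sender, receiver = MultipathSender(conn_id, paths), MultipathReceiver(conn_id)
    pin = next((p for p in paths if p.name == pinned), None)
    segments, inbox = list(enumerate(payloads)), []
    now = sender.send_all(segments, inbox, now=0, pinned=pin)
    drain(inbox, receiver)
    # fail-over: unacknowledged packets mark their path down and go out again elsewhere;
    # a sticky connection is left to TCP's own retransmission instead of moving paths
    lost = [s for s in segments if s[0] not in receiver.acked]
    for seq, _ in lost:
        sender.sent_on[seq].up = False
    if lost and pin is None:
        inbox = []
        sender.send_all(lost, inbox, now)
        drain(inbox, receiver)
    return {"data": b"".join(receiver.delivered), "resent": len(lost) if pin is None else 0,
            "down": [p.name for p in paths if not p.up], "max_buffered": receiver.max_buffered}

if __name__ == "__main__":
    print(run_transfer([b"seg%02d" % i for i in range(12)]))
```

Running the module shows all 12 segments delivered in order even though the direct route dropped two of them after it broke; the receiver had to hold up to five out-of-order segments, which is the buffering cost the thin layer adds on top of TCP. The pinned run on proxy1 never re-sequences anything and never buffers more than one segment, which is why a sticky connection is worth having for flows such as HTTP keep-alive.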
PSMC prototypes and applications
Secure Collective Defense (SCOLD) network. SCOLD tolerates DDoS attacks through indirect routes via proxy servers, and improves network performance by spreading packets through multiple indirect routes.
SCOLD incorporates various cyber security techniques, like secure DNS update, Autonomous Anti-DDoS network, and IDIP protocols.
We have finished the prototype of the SCOLD system. We plan to enhance SCOLD for better scalability, reliability, performance and security.
Intrusion defense mechanism
Intrusion Prevention: general security policy; ingress/egress filtering.
Intrusion Detection: honey pot; host-based IDS (Tripwire); anomaly detection; misuse detection.
Intrusion Response: identification/trace back/pushback; intrusion tolerance (SCOLD).
SCOLD: victim under DDoS attacks
[Figure: the victim target.com sits behind main gateway R, with alternate gateways R1, R2, R3 as the "back door"; clients a, b, c in domains A.com, B.com, C.com (with DNS1, DNS2, DNS3) send client traffic, and DDoS attack traffic also arrives through R.]
Main gateway R is under attack; we want to inform clients to go through the "back door", the alternate gateways R1-R3. We need to hide the IPs of R1-R3, otherwise they are subject to potential attacks too. How to inform clients? How to hide the IPs of R1-R3?
SCOLD: raise alarm (1) and inform clients (2)
1. The IDS on gateway R detects the intrusion and raises an alarm to the Reroute Coordinator.
2. The Coordinator informs clients of the new route: a) inform the clients' DNS; b) inform the clients' network proxy server; c) inform clients directly; d) inform the proxy servers and ask the proxy servers to do (a to c).
[Figure: the same topology with the Reroute Coordinator and Proxy1 added; labelled steps 1: raise alarm, 2: inform clients.]
SCOLD: set up new indirect route (3)
[Figure: the same topology with Proxy1, Proxy2 and Proxy3; labelled step 3: new route, from the clients via the proxy servers to the target.]
3. Clients set up a new indirect route to the target via proxy servers. Proxy servers: equipped with IDS to defend against attacks; hide the alternate gateways and the reroute coordinator; provide potential multiple paths.
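The three SCOLD steps above as a small end-to-end simulation. This is an added example and not the SCOLD prototype's code: the IDS threshold, the HMAC-authenticated update standing in for the proposal's "secure DNS update" (the slides do not give its real mechanism), the documentation-range addresses and the shared key are all constructed. It checks the two questions the victim slide asks: clients are informed through their DNS (option a), and the client only ever learns proxy addresses, so R1-R3 stay hidden:

```python
"""SCOLD reroute walkthrough, steps 1-3 of the slides, as a small simulation
(added example, not the SCOLD prototype's code).  The IDS threshold, the
HMAC-authenticated update standing in for the proposal's "secure DNS update"
(the slides do not give its real mechanism), the RFC 5737 documentation-range
addresses and the shared key are all constructed for this illustration."""
import hashlib
import hmac

MAIN_GATEWAY = "198.51.100.1"                                   # R
ALT_GATEWAYS = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]    # R1-R3, must stay hidden
PROXIES = {"proxy1": "192.0.2.11", "proxy2": "192.0.2.12", "proxy3": "192.0.2.13"}
UPDATE_KEY = b"constructed-shared-key"  # coordinator <-> client DNS, hypothetical

def sign(name, addrs):
    """Authentication tag over a record update (constructed scheme)."""
    return hmac.new(UPDATE_KEY, f"{name}={','.join(addrs)}".encode(), hashlib.sha256).digest()

class ClientDNS:
    """The clients' resolver for target.com; accepts only authenticated updates."""
    def __init__(self):
        self.records, self.rejected = {"target.com": [MAIN_GATEWAY]}, 0

    def update(self, name, addrs, tag):
        if not hmac.compare_digest(sign(name, addrs), tag):
            self.rejected += 1  # forged update: ignore it
            return False
        self.records[name] = list(addrs)
        return True

    def resolve(self, name):
        return self.records[name]

class RerouteCoordinator:
    def __init__(self, proxies):
        self.proxy_addrs, self.alarms, self.dns_servers = list(proxies.values()), 0, []

    def alarm(self, gateway_addr):
        """Step 1 arrives here; step 2a: point the clients' DNS at the proxies, never at R1-R3."""
        self.alarms += 1
        tag = sign("target.com", self.proxy_addrs)
        for dns in self.dns_servers:
            dns.update("target.com", self.proxy_addrs, tag)

class Gateway:
    """Main gateway R; its IDS raises an alarm when the packet rate is abnormal."""
    def __init__(self, addr, coordinator, threshold_pps):
        self.addr, self.coordinator, self.threshold = addr, coordinator, threshold_pps

    def observe(self, pps):
        if pps > self.threshold:
            self.coordinator.alarm(self.addr)

class Proxy:
    """Relay: knows its alternate gateway and forwards client packets to it."""
    def __init__(self, addr, alt_gateway):
        self.addr, self.alt_gateway, self.forwarded = addr, alt_gateway, []

    def relay(self, client_addr, payload):
        self.forwarded.append((client_addr, self.alt_gateway, payload))
        return b"200 OK"  # the reply carries no gateway address

def simulate(observed_pps):
    coordinator = RerouteCoordinator(PROXIES)
    dns1 = ClientDNS()                      # A.com's resolver
    coordinator.dns_servers.append(dns1)
    gateway = Gateway(MAIN_GATEWAY, coordinator, threshold_pps=10_000)
    proxies = {addr: Proxy(addr, ALT_GATEWAYS[i % len(ALT_GATEWAYS)])
               for i, addr in enumerate(PROXIES.values())}
    forged_accepted = dns1.update("target.com", ["192.0.2.99"], b"\x00" * 32)  # no key
    gateway.observe(observed_pps)                                  # step 1 if abnormal
    seen = dns1.resolve("target.com")                             # step 3: client resolves...
    route = "direct" if seen == [MAIN_GATEWAY] else "indirect"
    if route == "indirect":
        for addr in seen:                                          # ...and connects via the proxies
            proxies[addr].relay("client-a", b"GET / HTTP/1.1")
    return {"route": route, "client_sees": seen, "alarms": coordinator.alarms,
            "forged_accepted": forged_accepted, "rejected_updates": dns1.rejected,
            "alt_gateway_leaked": any(a in ALT_GATEWAYS for a in seen),
            "relayed": sum(len(p.forwarded) for p in proxies.values())}

if __name__ == "__main__":
    print(simulate(observed_pps=50_000))
```

A forged update without the key is rejected, which matters because whoever can rewrite the clients' view of target.com controls the reroute; the coordinator-to-DNS channel needs the same protection as the proxies themselves, and the proxy reply never carries an R1-R3 address, so the alternate gateways are reachable only through relays that have their own IDS.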
Performance of SCOLD
Table 1: Ping Response Time (on 3 hop route)
No DDoS attack, direct route:   0.49 ms
DDoS attack, direct route:      225 ms
No DDoS attack, indirect route: 0.65 ms
DDoS attack, indirect route:    0.65 ms

Table 2: SCOLD FTP/HTTP download Test (from client to target)
Doc Size | No DDoS, direct route (FTP / HTTP) | DDoS, direct route (FTP / HTTP) | No DDoS, indirect route (FTP / HTTP) | DDoS, indirect route (FTP / HTTP)
100k     | 0.11 s / 3.8 s                     | 8.6 s / 9.1 s                   | 0.14 s / 4.6 s                       | 0.14 s / 4.6 s
250k     | 0.28 s / 11.3 s                    | 19.5 s / 13.3 s                 | 0.31 s / 11.6 s                      | 0.31 s / 11.6 s
500k     | 0.65 s / 30.8 s                    | 39 s / 59 s                     | 0.66 s / 31.1 s                      | 0.67 s / 31.1 s
1000k    | 1.16 s / 62.5 s                    | 86 s / 106 s                    | 1.15 s / 59 s                        | 1.15 s / 59 s
2000k    | 2.34 s / 121 s                     | 167 s / 232 s                   | 2.34 s / 122 s                       | 2.34 s / 123 s
Other PSMC applications
Other PSMC applications include:
PSMC in wireless ad hoc networks: a good test of PSMC's ability to adapt to dynamic environments, and of packet resending and re-sequencing.
Indirect routes upon operational requests: provide additional bandwidth and backup routes based on operational requirements.
Providing QoS for video streaming: send different portions of the stream through different paths.
Parallel download from multiple mirror sites: server selection algorithm implementation.
PSMC applications evaluation
We will evaluate the overhead of multipath connections, including tunneling overhead, handshake overhead, and packet distribution/reassembly overhead.
We will evaluate the performance of multipath connections in terms of response time, throughput and bandwidth.
We will also compare PSMC with other multipath connection approaches, like source routing or Linux multipath connections.
We will conduct extensive simulation studies of PSMC applications in virtual networks, real networks, small-scale networks and large-scale networks.
Security issues related to PSMC
Potential security issues raised by misuse of PSMC: how to control aggressive clients?
Potential attacks against PSMC: tunneling to death? (similar to ping of death).
Detecting compromised nodes in the PSMC network (through dynamic IP?).
Study the collective defense mechanism to tie different organizations together with better cooperation and collaboration.
Contributions:
Systematically study proxy server based multipath connections (PSMC), including
algorithms for server selection,
protocols for packet handling,
applications and prototypes,
security issues.
Conclusion
PSMC offers applications the ability to increase network performance, efficiency, stability, availability and security.
In addition, PSMC offers more flexibility, compatibility and usability than other types of multipath connections.
Study on PSMC could have a broader impact on today's Internet topology and security.