![Page 1: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/1.jpg)
Peer-to-peer Virtual Private Networks and Applications
Renato Jansen Figueiredo
Associate Professor
Cloud and Autonomic Computing Center/ACIS Lab
University of Florida
Visiting Researcher at VU
![Page 2: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/2.jpg)
2
Backdrop
Virtual machines in cloud computing
On-demand, pay-per-use, user-configurable
Federated environments
End-to-end Internet connectivity hindered by address
space and presence of NATs, firewalls
Network virtualization – seamlessly connecting
virtual machines across multiple providers
![Page 3: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/3.jpg)
3
Rationale
Virtualization techniques for decoupling,
isolation, multiplexing also apply to networking
E.g. VLANs, VPNs
However, there are challenges in configuration,
deployment, and management
Peer-to-peer techniques provide a basis for
scalable routing, and self-management
Software routers, integration at network end-points
enables deployment over existing infrastructure
Architecture, design needs to account for
connectivity constraints, and support TCP/IP
efficiently; optimize for common cases
![Page 4: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/4.jpg)
Application Examples
Cloud-bursting
Run additional worker VMs on a cloud provider
Extending enterprise LAN to cloud VMs – seamless
scheduling, data transfers
Federated “Inter-cloud” environments
Multiple private clouds across various institutions
Virtual machines can be deployed on different sites
and form a distributed virtual private cluster
Connecting devices of social network peers
Media streaming, file sharing, gaming, …
4
![Page 5: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/5.jpg)
5
Talk - Outlook
Background
Architecting self-organizing virtual networks
Topology, routing, tunneling, addressing, NAT
traversal, performance
Uses in Grid/cloud and end-user environments
Virtual Private Clusters
Social VPNs
Applications
FutureGrid – high-throughput computing virtual
appliances
ConPaaS
![Page 6: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/6.jpg)
6
Resource Virtualization
Virtual machines (Xen, VMware, KVM) paved
the way to Infrastructure-as-a-Service (IaaS)
Computing environment decoupled from physical
infrastructure
Pay-as-you-go for computing cycles
Virtual networks complement virtual machines
for increased flexibility and isolation in IaaS
VMs must communicate seamlessly – regardless of
where they are provisioned
Traffic isolation; security, resource control
![Page 7: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/7.jpg)
7
VMM +
VN
Virtual Machines and Networks
WAN
Domain A Domain C
Domain B
V1
V2
V3
Physical
Infrastructure
Virtual
Infrastructure
![Page 8: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/8.jpg)
Virtual Networks
Single infrastructure, many virtual networks
E.g. one per user, application, project, social
network…
Each isolated and independently configured
Addressing, protocols; authentication, encryption
Multiplexing physical network resources
Network interfaces, links, switches, routers
8
![Page 9: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/9.jpg)
Network Virtualization – Where?
9
Network Device
Network Device
Network Fabric
(Virtual) machine
(Virtual) machine
Software Software Virtualized endpoints
Virtualized Fabric (e.g VLAN, OpenSwitch)
![Page 10: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/10.jpg)
10
Landscape
Peer-wise Internet connectivity constrained
IPv4 address space limitations; NATs, firewalls
Challenges - shared environment
Lack of control of networking resources
Cannot program routers, switches
Public networks – privacy is important
Often, lack privileged access to underlying resources
May be “root” within a VM, but lacking hypervisor privileges
Dynamic creation, configuration and tear-down
Complexity of management
![Page 11: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/11.jpg)
Technologies and Techniques
Amazon VPC:
Virtual private network extending from enterprise to resources at
a major IaaS commercial cloud
OpenFlow:
Open switching specification allowing programmable network
devices through a forwarding instruction set
OpenStack Quantum:
Virtual private networking within a private cloud offered by a
major open-source IaaS stack
ViNe:
Inter-cloud, high-performance user-level managed virtual
network
IP-over-P2P (IPOP)
Peer-to-peer, inter-cloud, self-organizing virtual network
11
![Page 12: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/12.jpg)
Example: OpenFlow
Towards an open platform foundation
supporting “Software-Defined Networks” (SDN)
Interface standardized by Open Networking
Foundation (ONF)
Board members (as of 6/12): Google, Microsoft,
Facebook, Yahoo!, Deutsche Telekom, NTT, Verizon
Dozens of members: Citrix, Huawei, Orange, IBM,
Dell, HP, Oracle, Goldman-Sachs, …
Current (as of 6/12): OpenFlow Switch 1.3.0
12
![Page 13: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/13.jpg)
OpenFlow Switch and Controller
13
Controller
Secure Channel
Group Table
Flow Table
Flow Table Pipeline
OpenFlow Protocol
Add, update, delete
Match flow table entry
Table miss
OpenFlow ingress port
OpenFlow output port
![Page 14: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/14.jpg)
14
Peer-to-Peer Virtual Networks
Overview
User-level IP overlays deployable on Internet end
resources (software routers, virtual NICs)
Why virtual?
Hide complexities associated with NAT traversal,
IPv4 address space constraints from applications
Support unmodified applications
Why peer-to-peer?
Self-organizing - reduce management complexity
and cost
Decentralized architecture for scalability and
robustness
![Page 15: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/15.jpg)
15
The IP-over-P2P (IPOP) Approach
Isolation Virtual address space decoupled from Internet
Packets picked, encapsulated, tunneled and delivered within the scope of virtual network
Self-organization Overlay topology, routing tables
Autonomously deals with joins, leaves, failures
Decentralized P2P messaging architecture No global state, no central point of failure
Tunnels (UDP, TCP, …), routing
Decentralized NAT traversal No need for STUN server infrastructure
[IPDPS 2006, Ganguly et al]
![Page 16: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/16.jpg)
Application
VNIC
Virtual Router
Virtual Router
VNIC
Application Wide-area Overlay network
Isolated, private virtual address space
10.10.1.2
10.10.1.1
Unmodified applications Connect(10.10.1.2,80)
Capture/tunnel, scalable, resilient, self-configuring Routing; object store
IPOP: Architecture Overview
![Page 17: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/17.jpg)
n1 n7
Bi-directional ring ordered by 160-bit IPOPid’s
Structured connections:
• “Near”: with neighbors
• “Far”: across the ring
Near
Far
Multi-hop path
between n1 and n7
n5
n6 n2
n3 n4
n8
n9
n10
n11
n12
n1 < n2 < n3 <……. < n13 < n14
P2P Overlay (Brunet)
IPOPid
![Page 18: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/18.jpg)
18
Overlay: Edges and Routing
Overlay edges
Multiple transports: UDP, TCP, TLS
NAT traversal (UDP hole-punching)
Greedy routing
Deliver to peer closest to destination IPOPid
Constant # of edges per node (average k)
O((1/k)log2(n)) overlay hops
On-demand edges
Created/trimmed down based on IP communication
![Page 19: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/19.jpg)
19
Creating Overlay Edges
• A sends a Connect-to-me (CTM) request to B’s IPOPid
• Contains all its URIs (UDP/TCP IP:port endpoints)
• Routed over P2P overlay to B
A B
CTM request
Overlay path
CTM reply
• B sends CTM reply with its URIs – overlay routed
Link request
• B initiates “linking” with A
• Attempts linking with parallel requests to A’s URIs
A’s endpoint URIs: tcp://10.5.1.1:3000 (local) udp://128.227.56.9:4433 (NAT – learned)
B’s endpoint URIs: tcp://172.16.2.1:5000 udp://129.15.56.9:6000
![Page 20: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/20.jpg)
20
NAT Traversal
A B
Direct edge between A
and B
Technique for “cone” UDP NATs: A’s link request message to B creates ephemeral state in A’s NAT allowing messages from B to pass through NAT (and vice-versa) Overlay: manage keep-alives so NAT mapping “holes” stay open; re-link if NAT mappings expire
![Page 21: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/21.jpg)
21
Naming and Multiplexing
One P2P overlay can multiplex multiple VNs E.g. multiple virtual clusters from different projects
IP routing within the scope of a namespace
User-provided string identifies IPOP namespace Each IPOP node is configured with a namespace
IP-to-P2P address resolution: DHT-Get(namespace:IP) -> IPOPid
![Page 22: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/22.jpg)
22
Managing Virtual IP Addresses
Address assignment: static, or dynamic Supports DHCP
Store configuration (including base address, mask) on DHT entry bound to namespace
DHCP proxy runs on each IPOP node Pick DHCP request
Lookup DHCP configuration for namespace
Guess an IP address at random within range
Attempt to store in DHT; wait for majority to acknowledge; retry upon failure
![Page 23: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/23.jpg)
23
At each node:
Count IP-over-P2P packets to other nodes
When number of packets within an interval
exceeds threshold:
Initiate connection setup; create edge
Trimming on-demand edges no longer in use
Overhead involved in connection maintenance
Optimization: On-demand edges
![Page 24: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/24.jpg)
24
Optimization: Tunnel Edges
Peers X, Y may not be able to communicate
directly if they are behind symmetric NATs
X, Y exchange list of neighbor URIs
Each attempts to create edge to common
intermediary Z to serve as proxy
Routing – abstracted as regular overlay edge
X-Y connected by virtual edge
Useful to maintain ring topology in the face of failures
(routing outages, symmetric NATs)
![Page 25: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/25.jpg)
25
Implementation
IPOP open-source system
C# user-level router
Tap virtual network device
Performance
1GbE physical LAN
Latency (ms) Bwidth (Mb/s) Mem (KB)
Host 0.27 941 n/a
IPOP 0.52 284 38312
IPOP+sec 0.75 55 50976
![Page 26: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/26.jpg)
Performance (WAN)
EC2/UF EC2GoGrid UF/GoGrid
Netperf stream
native (Mbps)
89.2 35.9 30.2
Netperf stream
IPOP (Mbps)
75.3 19.2 25.7
Netperf RR
trans/s native
13.4 11.1 10.0
Netperf RR
trans/s IPOP
13.3 10.7 9.8
![Page 27: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/27.jpg)
27
IPOP provides core primitives for packet
capture/injection and overlay routing
How to control which nodes connect to a
particular IP namespace?
Focus on two approaches:
Each peer decides the peers they connect with –
SocialVPN
Peers join groups and agree on a trusted third party
as mediator – GroupVPN
Access Control
![Page 28: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/28.jpg)
28
Users now commonly manage relationships to
social peers through Online Social Networks
Facebook, Google+
Communication hindered by OSN provider
APIs, privacy concerns
A generic IP network can enable existing and
new social network applications
But users don’t have public IPs, don’t want to
necessarily open NATs/firewalls to all users
Users don’t want to configure and discover network
services manually
SocialVPN
![Page 29: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/29.jpg)
Bob Alice
Alice's Compute Node Alice's Friend's Compute Node
Carl
Bob's Compute
Node on EC2
Social VPNs
OSN
XMPP
IP-over-P2P Tunnel
![Page 30: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/30.jpg)
30
Social VPNs
From a user’s perspective: it’s simple
My computer gets a virtual network card
It connects me directly to my social peers
All IP packets: authenticated, encrypted, end-to-end
Leverage well-known PKI techniques
No configuration besides establishing social links
All I need to do to is log in to a web based social network
Applications, middleware work as if the
computers were on the same local-area network
Including multicast-based resource discovery –
UPnP, mDNS
![Page 31: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/31.jpg)
31
Applications
Social VPN is not the application
It is not tied to an application either
It enables applications that are of interest for collaboration
Security – needed beyond network layer
Authenticated end-to-end private IP tunnels provide a
foundation
Traditional applications
Media streaming, desktop sharing, file sharing, cycle
sharing
Platform for decentralized social network
applications
Fault-tolerant micro-blogging, private file sharing, ..
![Page 32: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/32.jpg)
32
Social VPN Internals
IPOP
NAT traversal and routing core
Private end-to-end tunnels
Peer discovery and certificate exchange
XMPP – Jabber, Google
Facebook APIs (was in first prototype; no longer in the code)
Dynamic IP address assignment
Facebook: more users than IPv4 24-bit private space
Also must avoid conflicts with local private networks, and
support mobility
![Page 33: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/33.jpg)
Addressing and Mapping
160-bit P2P IDs used for overlay routing
Each node generates random P2P ID
Node issues a self-signed public key certificate with
its P2P identifier; publishes through OSN APIs
Certificates of friends’ nodes are discovered,
retrieved, revoked through OSN APIs
IPv4 addresses seen by applications
Dynamically-generated non-conflicting private subnet
Local node and friends’ nodes are mapped
dynamically to addresses within range
Naming possible through SocialDNS
IP src/dest addresses translated (ports are not)
[COPS 2008]
![Page 34: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/34.jpg)
Alice
Alice's Compute Node Alice's Friend's Compute Node Bob's Compute
Node on EC2
Address Translation
Send-to BobP2P
SVPN: 192.168.0.0/16 Alice: 192.168.0.1 Bob: 192.168.2.2 -> BobP2P
SVPN: 172.16.0.0/16 Bob: 172.16.0.1 Alice: 172.16.3.4 -> AliceP2P
0.1 2.2 3.4 0.1 Recv-from AliceP2P
![Page 35: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/35.jpg)
35
Group-oriented VPNs
Well-suited for collaborative environments for
cluster computing
Nodes who join a group have peer-wise
connectivity to all other nodes
Based on public key cryptography
Owner of a group is a certificate authority signing
GroupVPN certificates
Centralized Web-based interface hides low-
level management from users
Users create groups, determine who can join group
Certificate signing automated; group membership
Certificate revocation lists disseminated via P2P
![Page 36: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/36.jpg)
36
Grid appliance clusters
Virtual appliances
Encapsulate software environment in image
Virtual disk file(s) and virtual hardware configuration
The Grid appliance
Encapsulates cluster software environments
Current examples: Condor, MPI, Hadoop
Homogeneous images at each node
IPOP/GroupVPN connecting nodes forms a cluster
Deploy within or across domains
![Page 37: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/37.jpg)
37
Grid appliance - virtual clusters
Same image, per-group VPNs
copy
instantiate
Condor
+
Virtual
Network A Condor worker Another Condor worker
Repeat…
Virtual
machine
Group
VPN
GroupVPN
Credentials
(from
Web site) Virtual IP - DHCP
10.10.1.1 Virtual IP - DHCP
10.10.1.2
![Page 38: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/38.jpg)
38
Grid appliance configuration
At the end of GroupVPN initialization: Each node of a private virtual cluster gets a DHCP
address on virtual tap interface
A barebones cluster
Additional configuration required depending on middleware Which node is the Condor negotiator? Hadoop front-end?
Which nodes are in the MPI ring?
Leverage P2P/IPOP primitives: Distributed hash table
Advertise (put namespace,managerIP); discover (get namespace)
IP multicast discovery over GroupVPN
![Page 39: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/39.jpg)
39
Applications in FutureGrid
FutureGrid testbed
DAS-like system distributed across US institutions
Research, education, development, testing of Grid
and cloud computing middleware, applications
IaaS partitions: Nimbus, OpenStack, Eucalyptus
Virtual networks: ViNe and IPOP
Virtual appliances
Lower barrier to entry – pre-configured environments
![Page 40: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/40.jpg)
40
IPOP + ConPaaS at VU
ConPaaS – framework/runtime to manage platform-as-
a-service environments
Examples: Web service, task farming service
Build upon IaaS primitives to create VMs
Integration with IPOP
Allow deployments to span across multiple providers
(federation; bursting; fault-tolerance)
Within VMs - no changes to IaaS stack
Isolate “data plane” communications from public Internet
Thilo Kielmann, Guillaume Pierre, Contrail/ConPaaS teams
![Page 41: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/41.jpg)
41
IPOP + ConPaaS
WAN Private
Cloud
EC2
Zone
DAS
site
N1
N2
N3
IaaS
Providers
ConPaaS applications,
IPOP namespaces
172.16.10.10 172.16.10.20
172.16.10.20
![Page 42: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/42.jpg)
PlanetLab bootstrap overlays
Grid appliance deployments:
Archer - ~700-CPU cluster
SocialVPN deployments:
Thousands of downloads, hundreds of
deployed nodes
Deployed Systems
![Page 43: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/43.jpg)
43
Integration of IPOP with IPsec for dynamically-
provisioned cloud virtual networks
Contrail, ConPaaS
Overlay by-pass, integration with OpenFlow
software-defined networks
IPv6/IPv4 overlays, virtual clusters for high-
throughput computing, education
Archer (computer architecture)
FutureGrid (virtual appliances for education)
PRAGMA (Pacific Rim Grid)
Unstructured P2P SocialVPN
Discover, bootstrap, route through friends
On-going Work
![Page 44: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/44.jpg)
44
Acknowledgments
ACIS P2P group (IPOP) Over the years: P. O. Boykin, Heungsik Eom, Arijit Ganguly,
Pierre St. Juste, Kyungyong Lee, Yonggang Liu, Girish
Venkatasubramanian, David Wolinsky, Jiangyan Xu
Vrije Universiteit,
ConPaaS team
FutureGrid, National Science Foundation
Awards 0751112, 0758596, 0910812
![Page 45: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/45.jpg)
45
Thank you
For more information and downloads:
http://ipop-project.org
http://socialvpn.org
http://futuregrid.org
http://grid-appliance.org
![Page 46: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/46.jpg)
46
![Page 47: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/47.jpg)
Related Work
There exist several VPN technologies:
Enterprise VPNs (e.g. Cisco); Open-source (e.g
OpenVPN); Consumer/gaming/SMB (e.g. Hamachi)
Not easily applicable to federating cloud resources
Proprietary code; difficulty in configuration/management
Research work in the context of Grid/cloud
computing
VNET (Northwestern University), VIOLIN (Purdue
University), Private Virtual Cluster (INRIA), ViNe
(Tsugawa, Fortes @ UF)
Smartsockets @ VU
47
![Page 48: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/48.jpg)
48
Bootstrapping a New Node
MyIPOPid
Forms a “leaf” connection with a public node - forwarder
Selected at random from list of “bootstrap” nodes
Sends CTM request addressed to its own IPOPid
Received by nearest neighbors
Creates structured connections; trims leaf connection
Forwarder
CTM (MyIPOPid)
Received by left and
right neighbors
![Page 49: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/49.jpg)
(c) Renato Figueiredo 49
B2
IPOP Namespaces
N1
Namespace N1: 10.128.0.0/255.192.0.0
A1: 10.129.6.83
C1
B1: 10.129.6.71
D1
N1:10.129.6.71→
IPOPid x1
x1 x2
x4
x3
x5 x6 x7
x8
N2
A2
C2 D2
DHTLookup(N1:B1)
x1 IPOPid
“ARP cache”
IPOP packet DHTCreate(N2, 10.128.0.0/255.192.0.0)
N2:10.129.6.71→
IPOPid x2
DHTCreate(N2:A2,x2)
![Page 50: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/50.jpg)
50
Social DNS
Motivation: • Users cannot define domain names used to access
their services in VPN settings
• Dynamic private networks; difficult to keep track of services by IP addresses
Objective: • A decentralized, naming service that gives
individuals the ability to select and share the domain names for their resources with SocialVPN peers
Approach: • Short names within social context
• Decentralized architecture where each node runs a local DNS server and communicates via SocialVPN
• Rank-based name conflict resolution
![Page 51: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/51.jpg)
51
Security
End-to-end authentication and encryption IPsec tunneling over IPOP
Reuse existing software stack
End-to-end security implemented in IPOP RSA priv/pub keys
X.509 certificates
Point-to-point authentication and encryption TLS edges have been implemented
Difficulty to deal with NAT traversal
Point-to-point security in IPOP: ongoing work Reuses framework and code base from end-to-end
Avoid double-traversal of security stack for performance (e.g. shortcut connections based on IP traffic inspection)
![Page 52: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/52.jpg)
52
Security
Appliance firewall Block outgoing packets to physical net
Except DHCP, DNS, IPOP’s UDP port
Confine traffic to within WOW and host-only
IPsec or IPOP security With IPsec, kernel/user tools reused – unmodified
Network routing is P2P, however: Trust can be managed by central CA
All intra-WOW communication authenticated and end-to-end encrypted using X.509-based PKI
Private net/netmask 10 lines of IPsec configuration for entire WOW
![Page 53: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/53.jpg)
53
Linking and NAT traversal
Src = R:A
Dst = N:Y
Src = N:Y
Dst = M:X
R:A M:X N:Y S:B
Outgoing packet to M:X
(hole punched)
Src = S:B
Dst = M:X
Src = M:X
Dst = N:Y
Outgoing packet to N:Y
(hole punched)
Src = M:X
Dst = S:B
Exchange each other’s NAT assigned IP:port
M:X N:Y
NAT N 128.139.156.90
NAT M 128.227.56.83
S:B R:A Allow
Dropped
![Page 54: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/54.jpg)
VNIC
Virtual Router
Virtual Router
VNIC
Application
Wide-area Overlay network
Local Interface
LAN Router
NIC
Application
NIC
Application
Avoiding LAN overheads
![Page 55: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/55.jpg)
Supporting IPOP Routers
● Single IPOP router for a
(V)LAN
● Avoid need for IPOP
software stack on end
host
● Avoid IPOP overhead on
LAN communication
IP=10.1.1.2
Eth=A:B:C:D:E:0
IP=10.1.1.3
Eth=A:B:C:D:E:1
IP=10.1.1.4
Eth=A:B:C:D:E:2
TAP
Device
VPN
SoftwareNIC0
NIC1
Virtual Router
Internet
![Page 56: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/56.jpg)
DHCP
● Provides address allocation and DNS settings
● IPOP router keeps a history of allocations and
ignores packets destined for them sent within the
(V)LAN
IP=10.1.1.2
Eth=A:B:C:D:E:0
IP=10.1.1.3
Eth=A:B:C:D:E:1
IP=10.1.1.4
Eth=A:B:C:D:E:2
TAP
Device
VPN
SoftwareNIC0
NIC1
Virtual Router
Internet
DHT
DHCP request
![Page 57: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/57.jpg)
ARP
● Lookup Ethernet address from IP address
● IPOP router ignores ARP if IP in (V)LAN
● If destination is not on the LAN, check if such a
peer exists in the overlay
● Reply IPOP router addr.
IP=10.1.1.2
Eth=A:B:C:D:E:0
IP=10.1.1.3
Eth=A:B:C:D:E:1
IP=10.1.1.4
Eth=A:B:C:D:E:2
TAP
Device
VPN
SoftwareNIC0
NIC1
Virtual Router
Internet
ARP
not in router table? DHT
Local reply
![Page 58: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/58.jpg)
Connectivity
Each node is given an IP
address and domain name
Access Control
The user locally decides to
allow or block another user
Trust
Use current social networking
systems (XMPP) to bootstrap
secure connections with
friends
Social VPN Prototype
![Page 59: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/59.jpg)
Bob Alice
Alice's Compute Node Alice's Friend's Compute Node
Better QoS by leveraging
proximity or social trust
Flexibility in selecting
from a collection of
trusted compute nodes Alice can leverage
Her own resources
to add more
computational
power to her device
and save energy
Carl
Bob's Compute
Node on EC2
Cloud provider is now just
one more compute node
Computation offloading
![Page 60: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/60.jpg)
Example: Resource discovery
Service discovery time
100 UPnP servers over WAN
U. Chicago, UC San Diego, and U. Texas
UPnP client located at U. Florida
Servers connected to PlanetLab SocialVPN overlay
![Page 61: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/61.jpg)
Resource Discovery
Service discovery time
U. Texas U. Chicago UC San Diego
Service discovery time
(ms)
min max min max min max
27.0 29.4 45.4 47.6 54.6 57.0
• SocialVPN supports
unmodified UPnP applications
with service discovery time
commensurable to WAN
latency
• Wi-Fi setup has longer service
discovery time than wired LAN
(figure)
![Page 62: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/62.jpg)
Offloading
Offloading to PC and EC2
Energy consumption
• The benefits are compelling at large image sizes
• Higher power consumption of offloading to Amazon EC2 than
offloading to local workstation due to network latency
![Page 63: Peer-to-peer Virtual Private Networks and Applications · Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing](https://reader030.vdocuments.site/reader030/viewer/2022021617/5b5091e17f8b9a206e8ed9af/html5/thumbnails/63.jpg)
Grid Appliance / Archer
2. Boot appliance:
automatically
joins Archer pool
Free pre-packaged Archer
Virtual appliances - run
on free VMMs (VMware,
VirtualBox, KVM)
Portal and Wiki:
Community-contributed
content: applications,
datasets, tutorials
Archer seed resources
300+ cores – Fall 2008
Archer Global
Virtual Network
System software:
Condor scheduler
NFS file systems
Simulators:
Simics, SESC,
Simplescalar
1: Download
appliance
3. Run architecture
simulation jobs on the
Archer pool through Condor
2. Boot appliance:
automatically
joins Archer pool
Free pre-packaged Archer
Virtual appliances - run
on free VMMs (VMware,
VirtualBox, KVM)
Portal and Wiki:
Community-contributed
content: applications,
datasets, tutorials
Archer seed resources
300+ cores – Fall 2008
Archer Global
Virtual Network
System software:
Condor scheduler
NFS file systems
Simulators:
Simics, SESC,
Simplescalar
1: Download
appliance
3. Run architecture
simulation jobs on the
Archer pool through Condor