The X-Bone
ICB Meeting, July 10, 2003
Joe Touch, Director, Postel Center for Experimental Networking, Computer Networks Division, USC/ISI

X-Bone IP Overlays
[Figure: the X-Bone system. A web GUI (the "xd GUI", with multiple views and automated monitoring) talks to Overlay Managers; each Overlay Manager drives the Resource Daemons on the participating routers and hosts. Two overlays, a star overlay ("star-ovl") and a ring overlay ("ring-ovl"), each over nodes A, B, C and D, run on the same base IPv4 network.]

What is the X-Bone?
- Virtual Internet Architecture
  - Consistent with dynamic routing, existing Internet applications and services
- Distributed VPN Manager
  - SNMP-like client/server
  - Multicast invites
- Interfaces
  - Overlay Language
  - GUI front-end

Virtual Internet Arch.
- VHs & VRs connected by tunnels
  - VHs add/delete headers
  - VRs transit only
- Completely virtual
  - Revisitation
  - Recursion (network-as-router recursion)
    - Control Recursion (compile-time): rename unbound inner-network VR interfaces
    - Network Recursion (run-time): phantom VHs at unbound inner-network VR interfaces

X-Bone View of VPN
- E2E
  - Closed set of participants
  - More controlled than PE-based
- Support ALL Internet apps
- Network, not a full mesh (supports use of an internal AS structure)
- IP over IP
  - Current deployment assumes mcast IP
  - NO OTHER ASSUMPTIONS
  - Can use any tunnel to get IP in IP, but uses explicit key distribution (interoperability)

Software Architecture
- OM runs the overlay
  - Control or network recursion
- RD configures nodes
  - SNMP-like transactions
  - Multicast invites
  - RD privacy
- Security
  - ACLs, resource counts
  - S/MIME invites
  - SSL configuration

Interfaces
Overlay Joe
  Node apple (OS=BSD) (iface a b c)
  Node pear (CPU=P4) (iface p)
  Ring r3 (BW=2M)
    (mac,gran,gold=apple, one,two,three=pear),
    (one.p <L> mac.a) (two.p <M> gran.a) (three.p <N> gold.a)
    (mac.b <X> gran.c) (gran.b <Y> gold.c) (gold.b <Z> mac.c)
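The overlay description above, parsed and sanity-checked by an added Python example (this is not X-Bone code; the grammar is inferred from this one slide example, so the one-clause-per-line layout, the `node.iface <Link> node.iface` link form and the `virtual,...=base` placement form are assumptions):

```python
import re
from collections import Counter

# Constructed input: the overlay description from the slide, one clause per line.
OVERLAY_TEXT = """
Overlay Joe
  Node apple (OS=BSD) (iface a b c)
  Node pear (CPU=P4) (iface p)
  Ring r3 (BW=2M)
    (mac,gran,gold=apple, one,two,three=pear),
    (one.p <L> mac.a) (two.p <M> gran.a) (three.p <N> gold.a)
    (mac.b <X> gran.c) (gran.b <Y> gold.c) (gold.b <Z> mac.c)
"""

ATTR_RE = re.compile(r"\((\w+)=([^)\s]+)\)")                     # (OS=BSD), (BW=2M)
IFACE_RE = re.compile(r"\(iface ([^)]+)\)")                       # (iface a b c)
PLACE_RE = re.compile(r"([\w,]+)=(\w+)")                          # mac,gran,gold=apple
LINK_RE = re.compile(r"\((\w+\.\w+)\s*<(\w+)>\s*(\w+\.\w+)\)")   # (one.p <L> mac.a)


def parse_overlay(text):
    """Return the overlay name, base nodes (attributes and interfaces), the
    topology clause, the virtual-node -> base-node placement and the links.
    The grammar is an assumption drawn from the slide's single example."""
    spec = {"name": None, "nodes": {}, "topology": None, "placement": {}, "links": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("("):
            # Parenthesised clauses under a topology: either links or placement
            links = LINK_RE.findall(line)
            if links:
                spec["links"] += [(name, a, b) for a, name, b in links]
            else:
                for vlist, base in PLACE_RE.findall(line):
                    for vnode in vlist.split(","):
                        spec["placement"][vnode] = base
            continue
        keyword, name = line.split()[:2]
        attrs = dict(ATTR_RE.findall(line))
        if keyword == "Overlay":
            spec["name"] = name
        elif keyword == "Node":
            m = IFACE_RE.search(line)
            spec["nodes"][name] = {"attrs": attrs,
                                   "ifaces": m.group(1).split() if m else []}
        else:  # topology clause: Ring on this slide, Star on the overview slide
            spec["topology"] = {"kind": keyword, "name": name, "attrs": attrs}
    return spec


def check_overlay(spec):
    """Pre-deployment checks: every link endpoint names a placed virtual node and
    an interface its base node declares, and no virtual interface carries two
    links. Returns (problems, number of virtual nodes per base node)."""
    problems, used = [], Counter()
    for name, a, b in spec["links"]:
        for end in (a, b):
            vnode, iface = end.split(".")
            base = spec["placement"].get(vnode)
            if base is None:
                problems.append(f"link {name}: {vnode} is not placed on any base node")
            elif iface not in spec["nodes"].get(base, {}).get("ifaces", []):
                problems.append(f"link {name}: base node {base} declares no interface {iface}")
            used[end] += 1
    problems += [f"virtual interface {end} used by {n} links"
                 for end, n in sorted(used.items()) if n > 1]
    return problems, dict(Counter(spec["placement"].values()))


if __name__ == "__main__":
    spec = parse_overlay(OVERLAY_TEXT)
    problems, revisits = check_overlay(spec)
    print("problems:", problems or "none")
    print("virtual nodes per base node:", revisits)
```

On the slide's overlay the checks pass and the placement count shows the revisitation case from the capabilities slide: apple hosts three virtual nodes (mac, gran, gold) and pear three (one, two, three). An endpoint on an interface the base node does not declare, or one virtual interface claimed by two links, is reported before anything is pushed to a Resource Daemon.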

Capabilities
- Revisitation
- Recursion (scalability, multilayer)
- Dynamic routing
- Integration with DNS
- Application deployment

Revisitation
[Figure: a six-node virtual topology A, B, C, D, E, F deployed over three base hosts X, Y, Z; a base host appears more than once in the same overlay, as different virtual nodes.]

Recursion
- Hierarchy w/ connected sub-overlays
- Sub-overlays look like routers
[Figure: a primary overlay over the base network, with two sub-overlays (Sub-1, Sub-2) inside it.]

Application deployment
[Figure: the application deployment pipeline. (1) User input: application-instance-specific parameters go to the Application Generator, which (2) produces a script. (3) The script, together with the overlay/node-specific values the X-Bone supplies automatically (overlay name, IPs, topology) from the OM running the overlay (here the ring overlay over A, B, C, D), goes to the Action File Generator, which (4) produces a Node Action File; the script can be edited along the way. (5) The Node Action File is handed to the RD on each node.]

Project Status
- DynaBone (DARPA) 10/03 {04? ☺}
  - Multilayer overlays for dynamic defense
  - Adding native recursion
- X-Tend (NSF) 12/05
  - Augmenting X-Bone for education & research
  - Add features based on need
  - Add documentation, instruction examples
  - Green-box install

X-Tensions ☺
- Due Aug 2003
  - Net list topology
  - Divide-and-conquer control
  - Layered VPNs
  - Revised API & code
  - Dynamic & secure DNS
- Due within 6 mos.
  - IPv6
  - Cisco
  - Linux IPsec (?)
  - Dynamic routing
  - Proximity topology
  - Revisitation
  - Specific host list, find-and-select, directory discovery (LDAP)
  - Apple OS X
  - Symbolic hostnames
  - OM fault tolerance (hot backup, stateful recovery)
  - Monitor link performance
- +1 yr
  - Layered restoration
  - Incremental add/delete
  - Ad-hoc mgt
  - Application 'jails', process policy (MAC)

2 Header FAQ
- Why two headers?
  - Inet needs net and link
  - ARP
  - Revisitation
- Why overlap inside X-Bone, not outside?
  - Innerlays never reuse interfaces: by construction
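The revisitation argument on this slide, as an added Python model (not X-Bone code). It reads "net and link" as two encapsulation headers above the base-network header, and the model is built that way: a base header (which physical host), a link header (which virtual interface of which tunnel) and a net header (the overlay end points). The six-node ring over three base hosts follows the Revisitation slide; its placement (A and F on X, B and C on Y, D and E on Z), the shortest-way-round routing and the interface naming are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed topology: virtual ring A-B-C-D-E-F-A over base hosts X, Y, Z.
# The placement is an assumption for illustration (the slide only names the nodes).
RING = ["A", "B", "C", "D", "E", "F"]
PLACEMENT = {"A": "X", "B": "Y", "C": "Y", "D": "Z", "E": "Z", "F": "X"}


@dataclass(frozen=True)
class Packet:
    base_src: str   # outer header: base-network hosts the tunnel runs between
    base_dst: str
    link_src: str   # middle header: virtual interfaces at the tunnel ends (the "link")
    link_dst: str
    net_src: str    # inner header: overlay end points
    net_dst: str
    payload: str


def iface(node, peer):
    """Virtual interface of `node` facing ring neighbour `peer` (assumed naming)."""
    return f"{node}-{peer}"


def neighbours(node):
    i = RING.index(node)
    return RING[(i - 1) % len(RING)], RING[(i + 1) % len(RING)]


def next_hop(node, dst):
    """Ring routing table: go the shorter way round (ties go forward)."""
    n = len(RING)
    ahead = (RING.index(dst) - RING.index(node)) % n
    prev, nxt = neighbours(node)
    return nxt if ahead <= n - ahead else prev


# link_dst -> virtual node owning that interface: the demux key at a base host
IFACE_OWNER = {iface(v, p): v for v in RING for p in neighbours(v)}


def encapsulate(node, peer, net_src, net_dst, payload):
    """Build the three-header packet for the virtual link node -> peer."""
    return Packet(PLACEMENT[node], PLACEMENT[peer],
                  iface(node, peer), iface(peer, node),
                  net_src, net_dst, payload)


def forward_at_base_host(host, pkt):
    """Demux on the link header, then act as the owning VH or VR.
    Returns (virtual node that took the packet, re-encapsulated packet or None)."""
    if pkt.base_dst != host:
        raise ValueError("packet not addressed to this base host")
    vnode = IFACE_OWNER[pkt.link_dst]
    if PLACEMENT[vnode] != host:
        raise ValueError("link header names an interface not on this host")
    if pkt.net_dst == vnode:             # VH: strip the headers and deliver
        return vnode, None
    peer = next_hop(vnode, pkt.net_dst)  # VR: transit only, new link and base headers
    return vnode, encapsulate(vnode, peer, pkt.net_src, pkt.net_dst, pkt.payload)


def send(src, dst, payload):
    """Trace a packet from VH src to VH dst; returns the virtual nodes visited."""
    path = [src]
    pkt = encapsulate(src, next_hop(src, dst), src, dst, payload)
    while pkt is not None:
        vnode, pkt = forward_at_base_host(pkt.base_dst, pkt)
        path.append(vnode)
    return path


def candidates_without_link_header(pkt):
    """Virtual nodes a base host could be forwarding for if it saw only the base
    and net headers: for a transit packet, every virtual node it hosts."""
    return sorted(v for v, h in PLACEMENT.items() if h == pkt.base_dst)
```

Sending from A to D crosses B and C, which both live on Y: the hop from B to C is a Y-to-Y tunnel whose base header carries no information about the virtual hop, and whose net header names D, not the transit router. Only the link header tells Y which of its virtual routers the packet is for; candidates_without_link_header shows what is left to decide on without it.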

DynaBone architecture
[Figure: Spread-Spectrum Multilayer Internet Overlays. An Outerlay runs over a set of parallel Innerlays, which run over the base network. Innerlays shown: 3DES encryption with link-state routing; RC5 encryption with RIP; four innerlays with MD5 authentication and static routing; and one labelled PRM.]

Performance issues
- Nesting
  - 800+ parallel innerlays
  - 15 layers of recursion
- Bandwidth as 1/N for recursion

Demo configuration
[Figure: the Outerlay over groups of 50 innerlays each (labelled "#50"), all over the base network: TCP S/F traffic over 3DES innerlays, UDP over SHA1 innerlays, other traffic over MD5 innerlays. Other labels in the figure: 80 and 800.]
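The outerlay's job on this configuration, as an added Python model (not DynaBone code): classify each flow into the figure's three classes, spread it over the 50 parallel innerlays of that class, and re-spread when an innerlay is withdrawn. The class-to-protection mapping and the count of 50 per class come from the figure; the per-flow rendezvous hashing, the withdraw/restore policy and the sample flows are this example's assumptions, and "S/F" is carried as the figure labels it.

```python
import hashlib
from collections import Counter

# Traffic classes, protection and innerlay counts from the demo-configuration
# figure (50 innerlays per class). Hashing and failover policy are assumptions
# of this example, not DynaBone's.
CLASSES = {
    "TCP S/F": {"protect": "3DES encrypt", "count": 50},
    "UDP":     {"protect": "SHA1 auth",    "count": 50},
    "Others":  {"protect": "MD5 auth",     "count": 50},
}
PROTO_TCP, PROTO_UDP = 6, 17


def classify(proto):
    """IP protocol number -> innerlay class (the figure's three classes)."""
    if proto == PROTO_TCP:
        return "TCP S/F"
    if proto == PROTO_UDP:
        return "UDP"
    return "Others"


class Outerlay:
    """Spreads flows over the parallel innerlays of their class and re-spreads
    when an innerlay is withdrawn (e.g. its cipher or routing is suspect)."""

    def __init__(self):
        self.live = {f"{cls}#{i}" for cls, m in CLASSES.items() for i in range(m["count"])}

    def withdraw(self, innerlay):
        self.live.discard(innerlay)

    def restore(self, innerlay):
        self.live.add(innerlay)

    @staticmethod
    def _score(flow, innerlay):
        key = "|".join(map(str, flow)) + "|" + innerlay
        return hashlib.sha256(key.encode()).digest()

    def select(self, flow):
        """flow = (src, dst, proto, sport, dport). Rendezvous hashing inside the
        class: the flow goes to the live innerlay with the highest score, so
        withdrawing one innerlay moves only the flows that were on it."""
        cls = classify(flow[2])
        candidates = [l for l in self.live if l.startswith(cls + "#")]
        if not candidates:
            raise RuntimeError(f"no live innerlay left for class {cls!r}")
        return max(candidates, key=lambda l: self._score(flow, l))


def sample_flows(n):
    """Constructed flows: a rotating mix of TCP (6), UDP (17) and ICMP (1)."""
    flows = []
    for i in range(n):
        proto = (PROTO_TCP, PROTO_UDP, 1)[i % 3]
        flows.append((f"10.0.{i % 7}.{i % 251}", f"10.1.0.{(i * 3) % 251}",
                      proto, 1024 + i, 80 if proto == PROTO_TCP else 53))
    return flows


def spread(outerlay, flows):
    """How many flows each innerlay carries."""
    return Counter(outerlay.select(f) for f in flows)


def reassign_after_withdraw(outerlay, flows, victim):
    """Withdraw `victim` and report (flows moved, whether only the victim's flows
    moved and none of them landed back on the victim)."""
    before = {f: outerlay.select(f) for f in flows}
    outerlay.withdraw(victim)
    after = {f: outerlay.select(f) for f in flows}
    moved = sum(1 for f in flows if before[f] != after[f])
    off_victim = all(after[f] != victim for f in flows)
    only_victims = all(before[f] == victim for f in flows if before[f] != after[f])
    return moved, off_victim and only_victims


if __name__ == "__main__":
    o = Outerlay()
    flows = sample_flows(3000)
    print(spread(o, flows).most_common(3))
    print(reassign_after_withdraw(o, flows, o.select(flows[0])))
```

Because the choice is a per-flow maximum over the live innerlays of one class, taking an innerlay out of service re-spreads only the flows that were on it over the rest of its class, and the other two classes are not touched at all; restoring it brings exactly those flows back.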

Monitor & Control GUI
[Figure: screenshot of the monitor and control GUI.]

Issue Positions
- Optimization
  - Pathchar, proximity, node: OK
  - Not for link
- QoS
  - Upper-bound, increase delay: OK
  - No guarantees
- IP for simplicity
  - Any IP encapsulation tunnel
  - Esp. if it looks like an interface

URLs
All at www.isi.edu/touch:
- www.isi.edu/xbone
- www.isi.edu/xtend
- www.isi.edu/dynabone
- www.isi.edu/tethernet