Скачать презентацию Virtual Internet Research at the Postel Center Joe Скачать презентацию Virtual Internet Research at the Postel Center Joe

6cbae072ebc008418b9f25f9abc7cc4f.ppt

  • Количество слайдов: 57

Virtual Internet Research at the Postel Center Joe Touch Postel Center Computer Networks Division Virtual Internet Research at the Postel Center Joe Touch Postel Center Computer Networks Division USC/ISI January 2004 Joe Touch USC/ISI 1

Outline: ¬ VIs: definition & architecture ¬ Using VIs: ¬ X-Bone – deploying VIs Outline: ¬ VIs: definition & architecture ¬ Using VIs: ¬ X-Bone – deploying VIs ¬ Dyna. Bone – multilayer VIs for fault tolerance, security, and performance ¬ Supporting VIs: ¬ Net. FS – OS support for VIs ¬ Data. Router – app. -directed net-layer forwarding January 2004 Joe Touch USC/ISI 2

VI Definition ¬ VI is a network composed of: ¬ Virt. hosts, virt. routers, VI Definition ¬ VI is a network composed of: ¬ Virt. hosts, virt. routers, virt. links (tunnels) ¬ Provides at least the same services as IA ¬ In a virtual context ¬ First-principles extension ¬ More than a patch ¬ More than interim January 2004 Joe Touch USC/ISI 3

Motivation ¬ Unified, consistent virtual architecture ¬ VPNs, overlay nets, peer nets ¬ Incremental Motivation ¬ Unified, consistent virtual architecture ¬ VPNs, overlay nets, peer nets ¬ Incremental deployment of new services ¬ Ongoing experiments ¬ Topology-based services ¬ DHTs, geographic forwarding [Geo. Net], string-rewriter forwarding [Data. Router] ¬ Layer-based services ¬ Contained dynamic routing, fault tolerance (FEC), security (traffic hiding), multi-algorithm [Dyna. Bone], Plutarch’s subnet composition January 2004 Joe Touch USC/ISI 4

Extra Constraints ¬ Internet-like ¬ Routing (link up) vs. provisioning (link add) ¬ …one Extra Constraints ¬ Internet-like ¬ Routing (link up) vs. provisioning (link add) ¬ …one header to bind them all… (use IP, provide IP recursion) ¬ Complete E 2 E system ¬ All VNs are E 2 E ¬ VN “Turing Test” ¬ A net can’t tell it’s virtual ¬ Use existing protocols, OSs, apps. January 2004 Joe Touch USC/ISI 5

Principles ¬ TENET 1. Internet-like ¬ VIs = VRs + VHs + tunnels ¬ Principles ¬ TENET 1. Internet-like ¬ VIs = VRs + VHs + tunnels ¬ Emulating the Internet ¬ TENET 2. All-Virtual ¬ Decoupled from their base network ¬ TENET 3. Recursion-as-router ¬ Some of VRs are VI networks January 2004 Joe Touch USC/ISI 6

Recursion-as-Router ¬ Hierarchy w/connected sub-overlays ¬ Sub-overlays look like routers Primary overlay Sub-1 Sub Recursion-as-Router ¬ Hierarchy w/connected sub-overlays ¬ Sub-overlays look like routers Primary overlay Sub-1 Sub 2 Base network January 2004 Joe Touch USC/ISI 7

Corollaries ¬ Behavior: ¬ VH adds/deletes headers ¬ VRs transit (constant # headers) ¬ Corollaries ¬ Behavior: ¬ VH adds/deletes headers ¬ VRs transit (constant # headers) ¬ Structure: ¬ VIs support concurrence ¬ VIs support revisitation ¬ Each VI has own names, addresses ¬ Address indicates overlay context January 2004 Joe Touch USC/ISI 8

Detailed Architecture ¬ Components: ¬ VH hidden router ¬ VL 2 layers (strong link, Detailed Architecture ¬ Components: ¬ VH hidden router ¬ VL 2 layers (strong link, weak net) ¬ VR partitioned forwarding ¬ Capabilities: ¬ Revisitation multihoming ¬ Recursion router as network, BARP RUNNING CODE (Free. BSD, Linux, Cisco) January 2004 Joe Touch USC/ISI 9

Architecture Use: New Concepts ¬ Recursion, revisitation ¬ BARP Control / deployment Network ¬ Architecture Use: New Concepts ¬ Recursion, revisitation ¬ BARP Control / deployment Network ¬ Service to deploy & manage VIs ¬ Language for describing VIs January 2004 Joe Touch USC/ISI 10

More Concepts: Service composition ¬ Compose: ¬ X-Bone, DTN, Plutarch Primary overlay Sub -2 More Concepts: Service composition ¬ Compose: ¬ X-Bone, DTN, Plutarch Primary overlay Sub -2 Sub-1 Base network ¬ Alternate: Outerlay ¬ Dyna. Bone, Control Plane, FEC, Boosters Sub-1 Sub-2 Sub-3 Base network January 2004 Joe Touch USC/ISI 11

More Architecture Uses: Correct/explain anomalies ¬ Multihoming ¬ Phantom router in all hosts ¬ More Architecture Uses: Correct/explain anomalies ¬ Multihoming ¬ Phantom router in all hosts ¬ Input context forwarding/binding ¬ Revisitation ¬ Two-level tunnels ¬ Input context sets ¬ IPsec tunnel mode & dynamic routing January 2004 Joe Touch USC/ISI 12

Typical Q’s ¬ Why not VPNs/Peer, etc. ? ¬ Most net-level are incremental, partial, Typical Q’s ¬ Why not VPNs/Peer, etc. ? ¬ Most net-level are incremental, partial, etc. ¬ App. Level recapitulates network & won’t compose ¬ Isn’t this more complex? ¬ AS-like management encapsulation (multi-level) ¬ Can make application view simpler (per-app. networks) ¬ Isn’t this suboptimal/non-diverse? ¬ So is VM; like VM, OOB info. & direct measurements can help ¬ Layering implies increasing coarseness ¬ Wasn’t this done in (X) before? ¬ VIA is uniform, consistent, & implemented ¬ What’s so hard? ¬ See “uses” & “anomalies” January 2004 Joe Touch USC/ISI 13

Performance Impact ¬ 1/N performance January 2004 Joe Touch USC/ISI 14 Performance Impact ¬ 1/N performance January 2004 Joe Touch USC/ISI 14

Prior & Related Work ¬ Service/new protocols ¬ Cronus, M/6/Q/A-Bone ¬ Multi/other layer ¬ Prior & Related Work ¬ Service/new protocols ¬ Cronus, M/6/Q/A-Bone ¬ Multi/other layer ¬ Cronus, Supranet, Morph. Net, VANs ¬ Partial ¬ VPN, VNS, RON, Detour, PPVPN, SOS ¬ Virtualization, Revistation, Recursion ¬ X-Bone, Spawning, Dyna. Bone, Net. FS, Netlab January 2004 Joe Touch USC/ISI 15

VI analogy to VM ¬ Protection ¬ For concurrency, separation ¬ Simpler configuration ¬ VI analogy to VM ¬ Protection ¬ For concurrency, separation ¬ Simpler configuration ¬ Run over simpler topologies ¬ Decouple from physical ¬ Emulate larger/different nets ¬ Automation ¬ Generic, external mechanism January 2004 Joe Touch USC/ISI 16

Why 2 layers? ¬ Network ¬ E 2 E IDs, routing ¬ Link ¬ Why 2 layers? ¬ Network ¬ E 2 E IDs, routing ¬ Link ¬ ICMP, ARP, forwarding ¬ Reasons: ¬ Revisitation ¬ Separate link-layer IPsec keys ¬ Allows separate interfaces – thus dynamic routing ¬ Issues ¬ Overlap for efficiency ¬ Strong vs. weak January 2004 Joe Touch USC/ISI to Y X Y Strong to Y X Y Weak 17

X-Bone Web GUI Multiple views IP Base Star Overlay B A C D ring-ovl X-Bone Web GUI Multiple views IP Base Star Overlay B A C D ring-ovl star-ovl B A Ring Overlay B A C D xd GUI Overlay Manager Base IPv 4 Network Resource Daemon link router host Automated monitoring X-Bone system January 2004 Joe Touch USC/ISI 18

The X-Bone is… ¬ A system for automated overlay deployment ¬ Among a closed The X-Bone is… ¬ A system for automated overlay deployment ¬ Among a closed set of trusted hosts and routers ¬ Pprovide coordination, configuration, management ¬ Many details are plug-replaceable ¬ New tricks for overlays (use of overlays) ¬ Overlays on overlays on … ¬ Fault tolerance, service deployment ¬ Member in multiple overlays, in single multiple times ¬ New tricks for old dogs (extend net arch. ) ¬ Use existing stacks and applications January 2004 Joe Touch USC/ISI 19

What We Don’t Do… ¬ Optimize the overlay topology ¬ ¬ We use a What We Don’t Do… ¬ Optimize the overlay topology ¬ ¬ We use a plug-in module (AI folk can provide) It requires network status (emerging now) Fault tolerance only via ground truth (admin. issue) X-Bone is capability more than performance (now) ¬ Non-IP overlays ¬ IP is the interoperability layer ¬ IP recurses / stacks nicely January 2004 Joe Touch USC/ISI 20

Creating a Ring Ovl. Request Result sin OM eql udel cos Ring Ovl. div Creating a Ring Ovl. Request Result sin OM eql udel cos Ring Ovl. div sec isipc 2 bbn Internet January 2004 Joe Touch USC/ISI 21

Potential Uses ¬ Test new protocols ¬ Test denial-of-service solutions ¬ Deploy new services Potential Uses ¬ Test new protocols ¬ Test denial-of-service solutions ¬ Deploy new services incrementally ¬ Dynamic routing, proxylets, security ¬ Increase lab & testbed utility ¬ Overlapping nets, add delay & loss ¬ Scale to 10, 000 nodes ¬ Simplify view of topology ¬ Support fault tolerance ¬ Added level of recovery January 2004 Joe Touch USC/ISI 22

Features ¬ Secure ¬ X. 509 certs, SSL control, ACLs ¬ Resilient ¬ Heartbeats Features ¬ Secure ¬ X. 509 certs, SSL control, ACLs ¬ Resilient ¬ Heartbeats with auto-dismantle ¬ Crash recovery/restore ¬ Detects/avoids replays; idempotent actions w/rollback ¬ Overlay features ¬ Dummynet, IPsec ¬ Application deployment ¬ ABone ¬ Squid proxy system (U. Catalonia) ¬ Planet. Lab-like slice of vservers January 2004 Joe Touch USC/ISI 23

Recent Additions ¬ In 3. 0 (1/2004): ¬ ¬ ¬ IPv 6 Dynamic DNS/DNSsec Recent Additions ¬ In 3. 0 (1/2004): ¬ ¬ ¬ IPv 6 Dynamic DNS/DNSsec Cisco via buddy host Zebra dynamic routing User-specified topology XML-based API ¬ Coming soon ¬ Revisitation (using network stacks) ¬ Recursion January 2004 Joe Touch USC/ISI 24

Architecture issues ¬ Core (PP) VPNs need stub assistance ¬ All transport is E Architecture issues ¬ Core (PP) VPNs need stub assistance ¬ All transport is E 2 E ¬ Inject routes via BGP/RIP or redirect default ¬ Often assumes one VPN ¬ Boundary control ¬ Typical VPN ¬ O(N) tunnels & routes / O(N) firewall rules ¬ Separate routing and firewalls ¬ O(1) routes / O(N) firewall rules ¬ Firewall via groups ¬ O(1) routes / O(1) firewall rules January 2004 Joe Touch USC/ISI 25

Relation to: ¬ Net. Lab (net Emu. Lab) ¬ Focuses on L 2 -VPNs Relation to: ¬ Net. Lab (net Emu. Lab) ¬ Focuses on L 2 -VPNs ¬ Incorporating X-Bone concepts ¬ Revisitation, IPsec tun over IPIP/GRE ¬ Planet. Lab ¬ Focuses on OS ¬ Primitive networking ¬ Reinventing net. configuration mech. January 2004 Joe Touch USC/ISI 26

Availability (and not)… ¬ http: //www. isi. edu/xbone ¬ Platforms ¬ ¬ Free. BSD Availability (and not)… ¬ http: //www. isi. edu/xbone ¬ Platforms ¬ ¬ Free. BSD 4. x/5. x (IPv 4/6 IPsec) Linux Red. Hat (IPv 4/IPsec only) Cisco via buddy host (IPv 4 IPsec, IPv 6) Under development/test: ¬ Net. BSD (tested only) ¬ Mac. OS X (prelim. testing) ¬ Platforms not capable of VIs: ¬ ¬ Windows 2 K/XP Linux Free. S/WAN Vxworks, Janos Planet. Lab inside vserver January 2004 Joe Touch USC/ISI 27

Dyna. Bone Innerlays Outerlay P R M 3 DES encrypt / Linkstate RC 5 Dyna. Bone Innerlays Outerlay P R M 3 DES encrypt / Linkstate RC 5 encrypt / RIP X MD 5 auth / static P R M Base network Spread-Spectrum Multilayer Internet Overlays January 2004 Joe Touch USC/ISI 28

Goals ¬ Auto platform for spread-spectrum ¬ Architecture in which to use … (see Goals ¬ Auto platform for spread-spectrum ¬ Architecture in which to use … (see BASF) ¬ Closed-group communication ¬ E 2 E, E 2(gateway), etc. ¬ Enable multilayer defense (IP addr, SPI, decrypts) ¬ Platform for muggles ¬ Transparent to applications, protocols, OS’s ¬ Auto-deploy January 2004 Joe Touch USC/ISI 29

Dyna. Bone via X-Bones ¬ Parallel innerlays ¬ Coordinate use via PRMs Outerlay Sub-1 Dyna. Bone via X-Bones ¬ Parallel innerlays ¬ Coordinate use via PRMs Outerlay Sub-1 Sub-2 Sub-3 Base network January 2004 Joe Touch USC/ISI 30

Layered Overlays ¬ Innerlays ¬ A network you can gracefully disconnect ¬ Attacker-like parallelsim Layered Overlays ¬ Innerlays ¬ A network you can gracefully disconnect ¬ Attacker-like parallelsim as a defense ¬ Outerlay ¬ Hides the Innerlays from OS, applications ¬ Allows transparent restoration ¬ Automated deployment via X-Bone ¬ User deployed, trans-AS, no new protocols ¬ Integrates heterogeneous net-level security January 2004 Joe Touch USC/ISI 31

PRM Detail DDOS Attack Detection Mux P R M per packet? per TCP? M PRM Detail DDOS Attack Detection Mux P R M per packet? per TCP? M Monitor inject measure Demux reorder? drop dups? Performance Metrics (pathchar) January 2004 Joe Touch USC/ISI 32

Monitor & Control GUI January 2004 Joe Touch USC/ISI 33 Monitor & Control GUI January 2004 Joe Touch USC/ISI 33

Net. Graph PRM Module PRM MUX BARP RR SS B-table Rand Copy API IFACE Net. Graph PRM Module PRM MUX BARP RR SS B-table Rand Copy API IFACE Web January 2004 Joe Touch USC/ISI /data [format] /policy(? value) /stop? innerlay /go? innerlay 34

PRM Performance January 2004 Joe Touch USC/ISI 35 PRM Performance January 2004 Joe Touch USC/ISI 35

Net. FS File System /netfs iface lo ether fxp 0 ip default alias 1 Net. FS File System /netfs iface lo ether fxp 0 ip default alias 1 alias 2 route default 10. 0. 0. 1 0 proto tcp 1 ipfw ipsec udp 25 26 addr mask 10. 3. 0. 0 255. 0. 0 mask addr 255. 0. 0. 0 January 2004 Joe Touch USC/ISI 36

Goals ¬ Simple, standard interface ¬ Across different OS’s ¬ File system API and Goals ¬ Simple, standard interface ¬ Across different OS’s ¬ File system API and semantics ¬ Fine-grained security ¬ User, group, world, etc. ¬ Per instance of each resource ¬ Context-dependent views ¬ Limits “ifconfig –a” response January 2004 Joe Touch USC/ISI 37

Intertwined Vontrol Net. FS File API Socket API interfaces sockopt routes ioctl sysctl communication Intertwined Vontrol Net. FS File API Socket API interfaces sockopt routes ioctl sysctl communication channels January 2004 In-band API Joe Touch USC/ISI 38

Per-process Context Process A Process B ~netfs iface route iface /netfs iface A January Per-process Context Process A Process B ~netfs iface route iface /netfs iface A January 2004 B route X Joe Touch USC/ISI Y Z 39

Related Work ¬ Linux’s /procfs ¬ Processes ¬ Jail(fbsd) & vserver(linux) ¬ Limits root Related Work ¬ Linux’s /procfs ¬ Processes ¬ Jail(fbsd) & vserver(linux) ¬ Limits root access to 1 IP addr per partition ¬ Plan 9’s /net ¬ Sockets ¬ Free. BSD extensions (underway) ¬ Add naming (kernel hack) to interfaces January 2004 Joe Touch USC/ISI 40

Data. Router S D 1 P bird #55 fea 3 isi. edu s/(bird)(. *)(isi. Data. Router S D 1 P bird #55 fea 3 isi. edu s/(bird)(. *)(isi. edu)/(D 2)($2)(usc. edu)/ D 1 S January 2004 D 1 D 2 P D 1 Joe Touch USC/ISI #55 fea 3 usc. edu 41

Motivation ¬ Application-level networks are ‘bad’ ¬ Recapitulate the network layer ¬ Require additional Motivation ¬ Application-level networks are ‘bad’ ¬ Recapitulate the network layer ¬ Require additional E 2 E transport protocols ¬ Hard to compose ¬ Network-level overlays not enough ¬ Application-level info. is hidden ¬ IP forwarding is not sufficient January 2004 Joe Touch USC/ISI 42

Goal = peer/DHT support: ¬ Useful: ¬ Supports application-directed forwarding ¬ Enables composition/integration of Goal = peer/DHT support: ¬ Useful: ¬ Supports application-directed forwarding ¬ Enables composition/integration of app. svcs. ¬ Clean: ¬ Avoids reinventing the network layer ¬ Avoids reinventing the transport layer ¬ Appropriate: ¬ Forwards fast ¬ Supports IPsec ¬ Is somewhat safe January 2004 Joe Touch USC/ISI 43

Data. Router IS: ¬ Header = IP Loose Source Route ¬ Network layer option Data. Router IS: ¬ Header = IP Loose Source Route ¬ Network layer option ¬ Works as an encapsulation header (ala IPsec) ¬ Entry = string ¬ Explicit application context ¬ Forwarding via string rewriting ¬ String (IP address, string’) pair January 2004 Joe Touch USC/ISI 44

Data. Router ISN’T: ¬ Routing protocol ¬ IP doesn’t force OSPF, BGP, etc. ¬ Data. Router ISN’T: ¬ Routing protocol ¬ IP doesn’t force OSPF, BGP, etc. ¬ Overlay configuration ¬ IP doesn’t force particular topology January 2004 Joe Touch USC/ISI 45

Enabled Capabilities ¬ App. forwarding via network svc. ¬ Late-binding integration ¬ One packet: Enabled Capabilities ¬ App. forwarding via network svc. ¬ Late-binding integration ¬ One packet: TCP/SYN w/ Google as DR ¬ Google DNS IP ¬ Anycast services ¬ First DR hop = anycast server ¬ Further hops added by appending January 2004 Joe Touch USC/ISI 46

Quick FAQ: ¬ This is forwarding; who does routing? ¬ Application that would have Quick FAQ: ¬ This is forwarding; who does routing? ¬ Application that would have done forwarding (Chord, CAN, Napster, Google, DNS) ¬ Can transport handle unbound dests? ¬ Use HIP to decouple TCP/UDP from IP ¬ What is the API? ¬ DR strings via SOCKOPT ¬ Forwarding entries via droute command ¬ Why use REs? ¬ Sufficient, efficient, complete ¬ How does it avoid breaking E 2 E? ¬ By allowing E 2 E TCP ¬ Why use a LSR IP option? ¬ Integrates w/existing ICMP, IPsec; allows ‘overlays’; transparent January 2004 Joe Touch USC/ISI 47

Example Uses ¬ All in a parsed string: ¬ Class: string metric: string ¬ Example Uses ¬ All in a parsed string: ¬ Class: string metric: string ¬ Escape “: ” ¬ Select largest metric DNS URL Napster Google Longest suffix DNS Exact URL Exact MP 3 Closest Web. DB Joe. com/apple Hash(title) “Harry Potter movie” IPv 4 Longest prefix IPv 4 10. 0. 0. 4 January 2004 Joe Touch USC/ISI 48

Related Work ¬ Application-directed forwarding ¬ DHTs, web proxies… ¬ Google, DNS ¬ Alternate Related Work ¬ Application-directed forwarding ¬ DHTs, web proxies… ¬ Google, DNS ¬ Alternate network forwarding ¬ ¬ Dbase index [Carzaniga 03] Linda [Carriero 86] Data manipilation lang. [Chandranmenon 95] Catanet, TRIAD, I 3, IPNL, Heaps, Net Ptrs… Electronic control January 2004 Joe Touch USC/ISI 49

Performance January 2004 Joe Touch USC/ISI 50 Performance January 2004 Joe Touch USC/ISI 50

Tether. Net ¬ Complete Internet IP connectivity ¬ Works behind NATs ¬ Works behind Tether. Net ¬ Complete Internet IP connectivity ¬ Works behind NATs ¬ Works behind short-lease DHCP January 2004 Joe Touch USC/ISI 51

Subnet Rental January 2004 Joe Touch USC/ISI 52 Subnet Rental January 2004 Joe Touch USC/ISI 52

Optical Internets ¬ Optical recapitulates electronic ¬ WDM = VCs ¬ Burst switching = Optical Internets ¬ Optical recapitulates electronic ¬ WDM = VCs ¬ Burst switching = MPLS/label switching ¬ Jump ahead to packet-based ¬ Router ¬ ¬ Queue-free architecture Forwarding via partial filters TTL decrement IP checksum ¬ LAN Protocols ¬ OCDMA MAC design January 2004 Joe Touch USC/ISI 53

Forward via Filters ¬ Bit-subset groups share next-hops ¬ Remainder to helper router “ Forward via Filters ¬ Bit-subset groups share next-hops ¬ Remainder to helper router “ 1” bits correlator “ 1” “ 0” “ 1” R = 0% Input 1 1 0 1 Match = ‘high’ Threshold = 3 AND “ 1” “ 0” “ 1” ‘MATCH’ Signal R = 0% Threshold = 0 R = 0% Match = ‘low’ R = 0% NOT “ 0” bits correlator January 2004 Joe Touch USC/ISI 54

TTL Decrementer ¬ LSB-first: ¬ Invert until 1 ¬ Stop @ 1 st “ TTL Decrementer ¬ LSB-first: ¬ Invert until 1 ¬ Stop @ 1 st “ 1 (delete if no “ 1”) l 1 Signal inversion 10 Gbit/s NRZ SOA ß MOD “databar” lp “data” MOD lp TTL start PD PD MOD Q Q D D l 11 (CW) PPLN l 2 packet out w/updated TTL Q Q D-flip flop Electronic control January 2004 Joe Touch USC/ISI 55

Internet Checksum ¬ Serial 1 -bit full-adder Xi S Yi Co Ci k 1*16 Internet Checksum ¬ Serial 1 -bit full-adder Xi S Yi Co Ci k 1*16 bit delay k 2*16 bit delay January 2004 Joe Touch USC/ISI 56

http: //www. isi. edu/ ¬ xbone ¬ Greg Finn, Steve Hotz, Amy Hughes, Lars http: //www. isi. edu/ ¬ xbone ¬ Greg Finn, Steve Hotz, Amy Hughes, Lars Eggert, Yu. Shun Wang, Nimish Kasat, Osama Dosary, Ankur Sheth, Shitanshu Shah, Wei-Chun Chou, Stephen Suryaputra, Savas Guven ¬ dynabone ¬ Venkata Pingali, Runfang Zhou ¬ netfs ¬ Josh Train ¬ (datarouter) ¬ Venkata Pingali ¬ tethernet ¬ Lars Eggert, Yu. Shun Wang ¬ pow / ocdma ¬ Joseph Bannister, Puroshutham Kamath, Michelle Hauer, Dinez Gurkin, John Mc. Geehan January 2004 Joe Touch USC/ISI 57