On Proxy Server based Multipath Connections (PSMC) PhD Proposal Yu Cai 12/2003 University of Colorado at Colorado Springs.

Apr 01, 2015

Page 1: On Proxy Server based Multipath Connections (PSMC) PhD Proposal Yu Cai 12/2003 University of Colorado at Colorado Springs.

On Proxy Server based Multipath Connections (PSMC)

PhD Proposal

Yu Cai, 12/2003

University of Colorado at Colorado Springs

Page 2

Outline

1. Introduction
2. Related work
3. PSMC algorithms
4. PSMC protocols
5. PSMC applications
6. PSMC security
7. Conclusion

Page 3

Introduction

Single path connection vs. multipath connections

Single path connection: the most commonly used network connection model in today's network environment.

Multipath connections: provide potentially multiple paths between network nodes. The traffic from a source can be spread over multiple paths and transmitted in parallel through the network.

Page 4

Why Multipath Connections

- Improve network security by providing alternate paths
- Improve network reliability, stability and availability
- Improve network performance by increasing the aggregate bandwidth between network nodes
- Utilize network resources more efficiently
- Cope well with network congestion, link breakage, burst traffic and potential attacks
- Provide better quality of service

Page 5

Related Works on Multipath Connections

Multipath connections have been studied since the 70s:
- The IBM Systems Network Architecture (SNA) in 1974
- Nicholas F. Maxemchuk in 1975, the dispersity routing

Classification of multipath connections based on the OSI 7-layer model:
- Physical layer: Multipath Interference; Antenna Array.
- Data link layer: Link Aggregation, defined in IEEE 802.3ad (requires additional hardware support).

Page 6

Related Works on Multipath Connections

- Network layer: studied extensively as multipath routing.
  - Wired network (requires changes on routers): table-driven routing (link state or distance vector). MDVA (Multipath Distance Vector Algorithm) [VG01]; [Chen98].
  - Wireless ad hoc network (only for ad hoc networks): on-demand routing, SMR (Split Multipath Routing) [LG00]; source routing, MSR (Multipath Source Routing) [ZZS+02].
- Transport layer: Linux multipath connections for multiple ISP connections (no fail-over mechanism).

Page 7

Proxy Server based Multipath Connections (PSMC)

Existing multipath connection approaches have various limitations and drawbacks.

We want a new solution that:
- Must be compatible with the current network and not require changes to the network infrastructure;
- Must be robust and reliable with high performance;
- Must be flexible when deployed so more applications can benefit from it.

We propose to study a new multipath connection approach: proxy server based multipath connections (PSMC).

Page 8

The Key Idea of PSMC

The key ideas of PSMC are as follows:
- By using a set of connection relay proxy servers, we could set up indirect routes via the proxy servers, and transport packets over the network through the indirect routes.
- By enhancing existing TCP/IP protocols, we could efficiently distribute and reassemble packets among multiple paths at the two end nodes, and increase end-to-end TCP throughput.

The approach offers applications the ability to improve network security, reliability, performance, stability, availability and efficiency.

Page 9

PSMC Diagram (figure)

Page 10

Three Key Parts in PSMC

- The multipath sender: distributes packets over the selected multiple paths efficiently and adaptively.
- The intermediate connection relay proxy servers: examine the incoming packets and forward them to the end server.
- The multipath receiver: collects the packets from multiple paths, reassembles them in order and delivers them to the user.

Page 11

Why PSMC

- Compatibility: utilizes existing TCP/IP protocols and network infrastructure; does not require changes to the physical network infrastructure.
- Flexibility: can be more conveniently and adaptively deployed in various network environments.
- Usability: a large number of applications in various categories could benefit from utilizing PSMC.
- Reliability: reliable and robust protocol with high end-to-end performance.

Page 12

Algorithms for PSMC

Proxy server selection is a critical decision in PSMC. Different server selections result in different performance.

Two proxy server selection problems need to be solved:

1) Server Selection Problem. Given the target server and a set of proxy servers, choose the best proxy server or servers for a client or for a group of clients, to achieve the maximum aggregate bandwidth.

2) Server Placement Problem. Given the target server and a set of network nodes, choose the best node(s) to place the proxy servers, to maximize the aggregate bandwidth.

Page 13

Diagram of Server Selection / Placement Problem

How to avoid joint paths when selecting proxy servers? (A joint path might become a potential bottleneck.)

How to select geographically diverse proxy servers?

(Diagrams: server selection problem; server placement problem)
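The joint-path question above can be made concrete with a small selection routine. The following is an added example, not code from the proposal: it models each client-proxy-target route as the set of links it uses, computes the aggregate bandwidth of a candidate set with max-min fair progressive filling so that a link shared by several paths is split among them, and then selects proxies greedily by marginal aggregate bandwidth. The topology, link capacities and proxy names (P1-P4, "hub-target" and so on) are constructed for illustration, and progressive filling is this example's choice of rate model, not one the slides specify.

```python
"""Greedy proxy selection that accounts for joint paths (shared links).

Added example, not code from the proposal. The topology, link capacities
and proxy names are constructed for illustration.
"""
from typing import Dict, FrozenSet, List

# Link capacities in Mbit/s (constructed). Paths P2 and P3 both cross "hub-target".
CAPACITY: Dict[str, float] = {
    "client-isp": 100.0,
    "isp-p1": 10.0, "p1-target": 10.0,
    "isp-p2": 10.0, "p2-hub": 10.0,
    "isp-p3": 10.0, "p3-hub": 10.0,
    "hub-target": 10.0,
    "isp-p4": 8.0, "p4-target": 8.0,
}

# Each candidate proxy gives one client -> proxy -> target path, modelled as its link set.
PATHS: Dict[str, FrozenSet[str]] = {
    "P1": frozenset({"client-isp", "isp-p1", "p1-target"}),
    "P2": frozenset({"client-isp", "isp-p2", "p2-hub", "hub-target"}),
    "P3": frozenset({"client-isp", "isp-p3", "p3-hub", "hub-target"}),
    "P4": frozenset({"client-isp", "isp-p4", "p4-target"}),
}


def max_min_fair_rates(paths: Dict[str, FrozenSet[str]], capacity: Dict[str, float]) -> Dict[str, float]:
    """Progressive filling: raise all unsaturated paths equally until a link fills up."""
    rates = {p: 0.0 for p in paths}
    residual = dict(capacity)
    frozen = set()
    while len(frozen) < len(paths):
        active = [p for p in paths if p not in frozen]
        step, saturated = float("inf"), []
        for link, cap in residual.items():
            users = [p for p in active if link in paths[p]]
            if not users:
                continue
            share = cap / len(users)          # a joint link is split among its users
            if share < step - 1e-9:
                step, saturated = share, [link]
            elif abs(share - step) <= 1e-9:
                saturated.append(link)
        if not saturated:
            break
        for p in active:
            rates[p] += step
            for link in paths[p]:
                residual[link] -= step
        frozen.update(p for p in active if any(l in paths[p] for l in saturated))
    return rates


def aggregate_bandwidth(selected: List[str], paths=PATHS, capacity=CAPACITY) -> float:
    return sum(max_min_fair_rates({p: paths[p] for p in selected}, capacity).values())


def joint_links(selected: List[str], paths=PATHS) -> Dict[str, List[str]]:
    """Links used by more than one selected path: the potential bottlenecks."""
    users: Dict[str, List[str]] = {}
    for p in selected:
        for link in paths[p]:
            users.setdefault(link, []).append(p)
    return {l: ps for l, ps in users.items() if len(ps) > 1}


def naive_select(k: int, paths=PATHS, capacity=CAPACITY) -> List[str]:
    """Rank proxies by their stand-alone bottleneck only; blind to joint paths."""
    return sorted(paths, key=lambda p: -aggregate_bandwidth([p], paths, capacity))[:k]


def greedy_select(k: int, paths=PATHS, capacity=CAPACITY) -> List[str]:
    """Repeatedly add the proxy that raises the aggregate bandwidth of the set the most."""
    chosen, remaining = [], list(paths)
    while remaining and len(chosen) < k:
        best = max(remaining, key=lambda p: aggregate_bandwidth(chosen + [p], paths, capacity))
        chosen.append(best)
        remaining.remove(best)
    return chosen


if __name__ == "__main__":
    for name, pick in (("naive", naive_select(3)), ("greedy", greedy_select(3))):
        print(name, pick, aggregate_bandwidth(pick), "joint:", joint_links(pick))
```

On the constructed topology the naive ranking picks P1, P2, P3 (every candidate looks like a 10 Mbit/s path) and gets 20 Mbit/s because P2 and P3 share "hub-target"; the greedy pass sees the drop and takes the slower but disjoint P4 instead, for 28 Mbit/s. The access link "client-isp" is joint for every selection, which is why the check is on the shared hub link rather than on "no joint links at all".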

Page 14

Related Work on Algorithms

The mirror server and cache server selection problem has been studied in recent years.

Formal approach: abstract network model; use graph theory.

Common assumptions when building the network model:
a) network topology is known,
b) the cost associated with each path is known,
c) single and static network connections.

Algorithms include [QPV01] (selecting M replicas among N potential sites):

Algorithm    Complexity
tree-based   O(N^3 M^2)
greedy       O(N^2 M)
random       O(NM)
hot spot     N^2 + min(N log N, NM)

Page 15

Algorithms for Parallel Download Problem

NP-hard problem. We plan to develop heuristic algorithms, or relax the optimality constraints to simplify the problem and make it solvable in polynomial time.

We have developed genetic algorithms to choose the best mirror sites for parallel download from multiple mirror sites. The problem can be viewed as a sub-problem of PSMC.

Page 16

Parallel Download Algorithm Performance

(Figure: algorithm execution time vs. simulated network size. X axis: number of simulated network nodes: 20(10), 114(11), 150(20), 200(20), 300(30), 500(50), 800(100), 1000(100), 1000(200). Left Y axis: BF algorithm execution time (minutes), 0 to 35. Right Y axis: GA algorithm execution time (seconds), 0 to 50. Series: BF-pds, BF-k-pds, GA-k-pds, GA-pds.)

Performance results of the parallel download algorithms tested on the simulated network and a real-world network look promising.

Page 17

PSMC Protocols: Packet Handling

Protocols need to be designed for packet handling:
- Distribute / reassemble packets: add a thin layer between TCP and IP. Modify the Linux kernel.
- Transmit packets: use IP Tunnel or IPSec to enable indirect routes.

Why add a thin layer for packet distribution and reassembly?
- Utilize existing TCP protocols, particularly the packet re-sequencing and re-sending mechanism.
- Hide the complexity of multipath connections from the end user.
- Maintain the high end-to-end TCP throughput.

Page 18

PSMC Protocols: IP Tunnel

IP tunnel is a technique to encapsulate an IP datagram within an IP datagram. This allows a datagram destined for one IP address to be wrapped and redirected to another IP address.

IPSec is an extension to the IP protocol which provides security to IP and the upper-layer protocols. The IPSec architecture is described in RFC 2401.

Why IP Tunnel:
- IP tunneling is well developed and widely available.
- It is a layer 2 protocol, transparent to higher layers.
- IP tunneling performance is acceptable.
- We have investigated other approaches including SOCKS proxy server and Zebedee, which don't fit our needs.

Page 19

Special Issues for PSMC Protocols

Several special issues for PSMC protocols:
- Based on feedback from the end server, dynamically adjust packet distribution.
- Outgoing packets might contain redundant information and/or probing messages.
- Fail-over mechanism, packet resend and re-sequencing mechanism, when packets are lost or connections are broken.
- Sticky-connection mechanism: when some packets need to be sent through a particular path.

Related work:
- ATCP (ad hoc TCP) [LS01].
- Linux Virtual Server (LVS).
- Virtual Private Network (VPN).
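To make the sender/receiver split of Page 10 and the fail-over, adaptive-distribution and sticky-connection issues listed above concrete, here is an added simulation in Python; it is not code from the proposal or from the PSMC kernel work. A thin layer gives every segment its own sequence number, stripes segments over paths by weighted round robin (the weights stand in for the per-path feedback the slides mention), reassembles them in order at the receiver, and on a path failure resends that path's unacknowledged segments over the surviving ones. Path names, weights, segment size and the payload are constructed.

```python
"""Thin distribute/reassemble layer between TCP and IP: a user-space simulation.

Added example, not code from the proposal or the PSMC Linux kernel work.
Path names, weights, segment size and the payload are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Segment:
    seq: int        # sequence number of the thin layer, independent of the path taken
    path: str       # indirect route (proxy) this copy is sent over
    payload: bytes


class MultipathSender:
    """Stripes a byte stream over several paths in proportion to their weights."""

    def __init__(self, weights: Dict[str, int], mss: int = 1400):
        self.mss = mss
        self.next_seq = 0
        self.in_flight: Dict[int, Segment] = {}    # sent but not yet acknowledged
        self.update_weights(weights)

    def update_weights(self, weights: Dict[str, int]) -> None:
        """Adjust the distribution from end-server feedback (weight ~ path bandwidth)."""
        self.weights = {p: w for p, w in weights.items() if w > 0}
        if not self.weights:
            raise RuntimeError("no usable path left")
        # Weighted round robin: {"P1": 2, "P2": 1} -> ["P1", "P1", "P2"]
        self.cycle: List[str] = [p for p, w in self.weights.items() for _ in range(w)]

    def send(self, data: bytes, pin_to: Optional[str] = None) -> List[Segment]:
        """Split data into segments; pin_to is the sticky-connection case."""
        if pin_to is not None and pin_to not in self.weights:
            raise ValueError(f"pinned path {pin_to!r} is not available")
        out: List[Segment] = []
        for off in range(0, len(data), self.mss):
            seq, self.next_seq = self.next_seq, self.next_seq + 1
            path = pin_to if pin_to is not None else self.cycle[seq % len(self.cycle)]
            out.append(Segment(seq, path, data[off:off + self.mss]))
            self.in_flight[seq] = out[-1]
        return out

    def ack(self, seq: int) -> None:
        self.in_flight.pop(seq, None)

    def path_failed(self, path: str) -> List[Segment]:
        """Fail-over: drop the path and resend its unacknowledged segments on the rest."""
        self.update_weights({p: w for p, w in self.weights.items() if p != path})
        resent: List[Segment] = []
        for seq, seg in sorted(self.in_flight.items()):
            if seg.path == path:
                self.in_flight[seq] = Segment(seq, self.cycle[seq % len(self.cycle)], seg.payload)
                resent.append(self.in_flight[seq])
        return resent


class MultipathReceiver:
    """Collects segments from all paths and hands the stream up in order."""

    def __init__(self):
        self.next_expected = 0
        self.buffer: Dict[int, bytes] = {}   # out-of-order segments waiting for a gap to fill
        self.max_buffered = 0                # high-water mark of the reorder buffer

    def receive(self, seg: Segment) -> bytes:
        """Return whatever can now be delivered in order (possibly nothing)."""
        if seg.seq < self.next_expected or seg.seq in self.buffer:
            return b""                       # duplicate, e.g. a late copy after a resend
        self.buffer[seg.seq] = seg.payload
        self.max_buffered = max(self.max_buffered, len(self.buffer))
        delivered = bytearray()
        while self.next_expected in self.buffer:
            delivered += self.buffer.pop(self.next_expected)
            self.next_expected += 1
        return bytes(delivered)


DATA = b"0123456789abcdefghijklmnopqrstuvwxyz"    # constructed 36-byte stream


def run_failover_scenario() -> Dict[str, object]:
    """P1 carries two thirds of the stream, P2 goes silent, P2's segments are resent on P1."""
    sender = MultipathSender({"P1": 2, "P2": 1}, mss=4)
    receiver = MultipathReceiver()
    delivered = bytearray()
    for seg in sender.send(DATA):             # 9 segments, seq 0..8; only P1's copies arrive
        if seg.path == "P1":
            delivered += receiver.receive(seg)
            sender.ack(seg.seq)
    resent = sender.path_failed("P2")         # seq 2, 5, 8 now travel over P1
    for seg in resent:
        delivered += receiver.receive(seg)
        sender.ack(seg.seq)
    return {
        "delivered": bytes(delivered),
        "resent_seqs": [s.seq for s in resent],
        "resent_paths": sorted({s.path for s in resent}),
        "max_buffered": receiver.max_buffered,
        "in_flight": len(sender.in_flight),
    }
```

The receiver never sees which path a segment took; ordering comes entirely from the thin layer's sequence numbers, which is what lets the end-to-end TCP stream stay intact while paths come and go. The reorder buffer high-water mark (5 segments here) is the cost of the slow path: it is the quantity a real implementation would bound, and the trigger for lowering that path's weight via update_weights.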

Page 20

IP Tunnel and IPSec (figure)

Page 21

PSMC Diagram (figure)

Page 22

PSMC Applications

- Secure Collective Defense (SCOLD) network
- PSMC in wireless ad hoc networks
- Indirect route / additional bandwidth upon operational requests
- QoS for video streaming
- Parallel download from multiple mirror sites

Page 23

Secure Collective Defense (SCOLD) network

SCOLD tolerates DDoS attacks through indirect routes via proxy servers, and improves network performance by spreading packets through multiple indirect routes.

SCOLD will incorporate various cyber security techniques, like secure DNS update, Autonomous Anti-DDoS network, and IDIP (Intrusion Detection and Isolation Protocol) protocols.

The prototype SCOLD system version 1.0 is finished with secure DNS update and indirect route.

We plan to enhance SCOLD for better scalability, reliability, performance and security.

Page 24

SCOLD: victim under DDoS attacks

(Diagram: victim target.com behind main gateway R and alternate gateways R1, R2, R3, labelled "Back door: Alternate Gateways"; client sites A.com, B.com, C.com with clients a, b, c behind routers A, B, C and their resolvers DNS1, DNS2, DNS3; the target's DNS; legend: DDoS Attack Traffic, Client Traffic.)

Main gateway R is under attack; we want to inform clients to go through the "back door", the alternate gateways R1-R3. We need to hide the IPs of R1-R3, otherwise they are subject to potential attacks too. How to inform clients? How to hide the IPs of R1-R3?

Page 25

SCOLD: raise alarm (1) and inform clients (2)

1. IDS on gateway R detects the intrusion and raises an alarm to the Reroute Coordinator.
2. The Coordinator informs clients of the new route: a) inform clients' DNS; b) inform clients' network proxy server; c) inform clients directly; d) inform the proxy servers and ask the proxy servers to do (a - c).

(Diagram: same topology as Page 24, plus the Reroute Coordinator and Proxy1; arrows 1: raise alarm, 2: inform clients.)

Page 26

SCOLD: set up new indirect route (3)

3. Clients set up a new indirect route to the target via proxy servers. Proxy servers: equipped with IDS to defend against attacks; hide the alternate gateways and the reroute coordinator; provide potential multiple paths.

(Diagram: same topology, with the Reroute Coordinator and Proxy1, Proxy2, Proxy3; arrow 3: new route.)
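The three SCOLD steps (alarm, inform clients' DNS, indirect route via proxies) as an added model in Python, not the SCOLD prototype's code. It checks the two properties the slides ask for: the alternate gateways R1-R3 are never resolved by or contacted from a client, and a reroute record is accepted by a client's DNS only when it is authenticated. The HMAC tag is this example's stand-in for "secure DNS update", whose mechanism the slides do not describe; all addresses (documentation ranges), host names and the shared key are constructed.

```python
"""Model of the SCOLD reroute exchange: alarm (1), inform clients (2), indirect route (3).

Added example, not the SCOLD prototype's code. Addresses, names and the shared
key are constructed; the HMAC check stands in for the slides' "secure DNS update".
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Constructed topology using documentation address ranges.
MAIN_GATEWAY = "192.0.2.1"                                    # R, the gateway under attack
ALT_GATEWAYS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]     # R1-R3, must stay hidden
PROXY_ADDRS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # Proxy1-3, public
COORDINATOR_KEY = b"constructed-shared-key"                   # coordinator <-> client DNS


def sign_update(name: str, addrs: List[str], key: bytes) -> bytes:
    """Authenticate a reroute record (stand-in for the proposal's secure DNS update)."""
    return hmac.new(key, f"{name}={','.join(addrs)}".encode(), hashlib.sha256).digest()


class ClientDNS:
    """Resolver of a client site (DNS1 in the slides)."""

    def __init__(self, key: bytes, records: Dict[str, List[str]]):
        self.key = key
        self.records = {k: list(v) for k, v in records.items()}

    def resolve(self, name: str) -> List[str]:
        return list(self.records.get(name, []))

    def secure_update(self, name: str, addrs: List[str], tag: bytes) -> bool:
        """Accept a new record only if the tag verifies under the coordinator's key."""
        if not hmac.compare_digest(sign_update(name, addrs, self.key), tag):
            return False
        self.records[name] = list(addrs)
        return True


class Proxy:
    """Connection relay: clients talk to the proxy, the proxy talks to a hidden gateway."""

    def __init__(self, addr: str, alt_gateway: str):
        self.addr = addr
        self.alt_gateway = alt_gateway
        self.blocked: Set[str] = set()        # sources the proxy's IDS has isolated

    def relay(self, src: str, payload: str) -> Optional[str]:
        if src in self.blocked:
            return None
        # The reply is rewritten so the alternate gateway's address never reaches the client.
        return f"reply({payload}) via {self.addr}"


class RerouteCoordinator:
    def __init__(self, key: bytes, proxies: List[Proxy]):
        self.key = key
        self.proxies = proxies
        self.alarms: List[str] = []

    def raise_alarm(self, gateway: str, target: str, resolvers: List[ClientDNS]) -> int:
        """Step 1 (IDS alarm) and step 2a (inform clients' DNS); returns resolvers updated."""
        self.alarms.append(gateway)
        published = [p.addr for p in self.proxies]   # only proxy addresses are published
        tag = sign_update(target, published, self.key)
        return sum(dns.secure_update(target, published, tag) for dns in resolvers)


class Client:
    def __init__(self, addr: str, dns: ClientDNS):
        self.addr = addr
        self.dns = dns
        self.contacted: Set[str] = set()      # every address this client has talked to

    def fetch(self, target: str, proxies: Dict[str, Proxy], payload: str) -> Optional[str]:
        for addr in self.dns.resolve(target):
            self.contacted.add(addr)
            if addr in proxies:                           # step 3: indirect route
                return proxies[addr].relay(self.addr, payload)
            return f"reply({payload}) direct via {addr}"  # direct route through R
        return None


def run_scold_scenario() -> Dict[str, object]:
    proxies = {a: Proxy(a, g) for a, g in zip(PROXY_ADDRS, ALT_GATEWAYS)}
    dns1 = ClientDNS(COORDINATOR_KEY, {"target.com": [MAIN_GATEWAY]})
    client = Client("203.0.113.5", dns1)
    coordinator = RerouteCoordinator(COORDINATOR_KEY, list(proxies.values()))

    before = client.fetch("target.com", proxies, "GET /")
    # A reroute record signed under the wrong key must be rejected by the client's DNS.
    bogus = ["203.0.113.66"]
    forged = dns1.secure_update("target.com", bogus, sign_update("target.com", bogus, b"wrong"))
    updated = coordinator.raise_alarm(MAIN_GATEWAY, "target.com", [dns1])
    after = client.fetch("target.com", proxies, "GET /")
    return {
        "before": before,
        "after": after,
        "forged_accepted": forged,
        "resolvers_updated": updated,
        "alt_gateway_exposed": any(g in client.contacted for g in ALT_GATEWAYS),
        "resolved_after": dns1.resolve("target.com"),
    }
```

The point of the model is the information boundary: the coordinator publishes proxy addresses only, the proxy is the sole party that knows its alternate gateway, and the client's DNS will not move target.com to an address it was handed without a valid tag. Whatever real mechanism secures the DNS update, those are the three checks worth testing in a SCOLD-style deployment.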

Page 27

SCOLD Testbed (figure)

Page 28

Preliminary result of SCOLD

Table 1: Ping Response Time (on 3 hop route)

Condition                        Ping response time
No DDoS attack, direct route     0.49 ms
DDoS attack, direct route        225 ms
No DDoS attack, indirect route   0.65 ms
DDoS attack, indirect route      0.65 ms

Table 2: SCOLD FTP/HTTP download Test (from client to target)

Doc size | No DDoS attack, direct route | DDoS attack, direct route | No DDoS attack, indirect route | DDoS attack, indirect route
         | FTP      HTTP               | FTP      HTTP            | FTP      HTTP                 | FTP      HTTP
100k     | 0.11 s   3.8 s              | 8.6 s    9.1 s           | 0.14 s   4.6 s                | 0.14 s   4.6 s
250k     | 0.28 s   11.3 s             | 19.5 s   13.3 s          | 0.31 s   11.6 s               | 0.31 s   11.6 s
500k     | 0.65 s   30.8 s             | 39 s     59 s            | 0.66 s   31.1 s               | 0.67 s   31.1 s
1000k    | 1.16 s   62.5 s             | 86 s     106 s           | 1.15 s   59 s                 | 1.15 s   59 s
2000k    | 2.34 s   121 s              | 167 s    232 s           | 2.34 s   122 s                | 2.34 s   123 s

Table 3: Time to Set up Indirect Route in SCOLD

Ping   Less than 1 s
HTTP   Less than 1 s
FTP    Less than 1 s

Page 29

PSMC Applications Evaluation

The performance and overhead of multipath connections will be evaluated.

PSMC will be compared with other multipath connection approaches, like source routing and Linux multipath connections.

Extensive simulation studies of PSMC applications in virtual networks, real networks, small scale networks and large scale networks will be conducted.

Page 30

Security Issues Related to PSMC

- Potential security issues raised by misuse of PSMC: how to control aggressive clients?
- Potential attacks against PSMC: tunneling to death? (similar to ping of death).
- How to detect and deal with compromised nodes in the PSMC network?
- Study the collective defense mechanism to tie different organizations together with better cooperation and collaboration.

Page 31

Research Plan

We will systematically study PSMC in the following areas:
- Algorithms for server selection
- Protocols for packet handling
- Applications
- Security issues

Page 32

Thank you!