Joe Touch USC/ISI January 2004 1
Virtual Internet Research at the Postel Center
Joe Touch, Postel Center, Computer Networks Division, USC/ISI
Jan 08, 2016
Outline:
- VIs: definition & architecture
- Using VIs:
  - X-Bone: deploying VIs
  - DynaBone: multilayer VIs for fault tolerance, security, and performance
- Supporting VIs:
  - NetFS: OS support for VIs
  - DataRouter: app.-directed net-layer forwarding
VI Definition
- A VI is a network composed of virt. hosts, virt. routers, and virt. links (tunnels)
- Provides at least the same services as IA, in a virtual context
- First-principles extension: more than a patch, more than interim
Motivation
- Unified, consistent virtual architecture: VPNs, overlay nets, peer nets
- Incremental deployment of new services
- Ongoing experiments:
  - Topology-based services: DHTs, geographic forwarding [GeoNet], string-rewriter forwarding [DataRouter]
  - Layer-based services: contained dynamic routing, fault tolerance (FEC), security (traffic hiding), multi-algorithm [DynaBone], Plutarch's subnet composition
Extra Constraints
- Internet-like: routing (link up) vs. provisioning (link add)
- "...one header to bind them all..." (use IP, provide IP recursion)
- Complete E2E system: all VNs are E2E
- VN "Turing Test": a net can't tell it's virtual
- Use existing protocols, OSs, apps.
Principles
- TENET 1. Internet-like: VIs = VRs + VHs + tunnels (emulating the Internet)
- TENET 2. All-virtual: decoupled from their base network
- TENET 3. Recursion-as-router: some VRs are VI networks
Recursion-as-Router
- Hierarchy w/ connected sub-overlays
- Sub-overlays look like routers
[Figure: base network, primary overlay above it, sub-overlays Sub-1 and Sub-2 appearing as routers in the primary overlay]
Corollaries
- Behavior: VHs add/delete headers; VRs transit (constant # of headers)
- Structure: VIs support concurrence; VIs support revisitation
- Each VI has its own names and addresses; the address indicates the overlay context
Detailed Architecture
- Components:
  - VH: hidden router
  - VL: 2 layers (strong link, weak net)
  - VR: partitioned forwarding
- Capabilities:
  - Revisitation: multihoming
  - Recursion: router as network, BARP
- RUNNING CODE (FreeBSD, Linux, Cisco)
Architecture Use: New Concepts
- Recursion, revisitation
- BARP
- Service to deploy & manage VIs
- Language for describing VIs
[Figure: control / deployment plane over the network]
More Concepts: Service Composition
- Compose: X-Bone, DTN, Plutarch
- Alternate: DynaBone, Control Plane, FEC, Boosters
[Figure: composition as base network, primary overlay, Sub-1 and Sub-2; alternation as base network, outerlay, Sub-1, Sub-2 and Sub-3 in parallel]
More Architecture Uses: Correct/Explain Anomalies
- Multihoming: phantom router in all hosts; input context for forwarding/binding
- Revisitation: two-level tunnels; input context sets
- IPsec tunnel mode & dynamic routing
Typical Q's
- Why not VPNs/peer, etc.? Most net-level approaches are incremental, partial, etc.; app.-level recapitulates the network & won't compose
- Isn't this more complex? AS-like management encapsulation (multi-level); can make the application view simpler (per-app. networks)
- Isn't this suboptimal/non-diverse? So is VM; like VM, OOB info. & direct measurements can help; layering implies increasing coarseness
- Wasn't this done in (X) before? VIA is uniform, consistent, & implemented
- What's so hard? See "uses" & "anomalies"
Performance Impact
- 1/N performance
[Figure: Kpkts/sec (0 to 200) vs. number of encapsulations (1, 10, 100); series: Netgraph, GIF, host-host, host-router-host]
Prior & Related Work
- Service/new protocols: Cronus, M/6/Q/A-Bone
- Multi/other layer: Cronus, Supranet, MorphNet, VANs
- Partial: VPN, VNS, RON, Detour, PPVPN, SOS
- Virtualization, revisitation, recursion: X-Bone, Spawning, DynaBone, NetFS, Netlab
VI Analogy to VM
- Protection: for concurrency, separation
- Simpler configuration: run over simpler topologies
- Decouple from physical: emulate larger/different nets
- Automation: generic, external mechanism
Why 2 Layers?
- Network: E2E IDs, routing
- Link: ICMP, ARP, forwarding
- Reasons:
  - Revisitation
  - Separate link-layer IPsec keys
  - Allows separate interfaces, thus dynamic routing
- Issues:
  - Overlap for efficiency
  - Strong vs. weak
[Figure: strong link X-Y ("to Y") vs. weak link X-Y ("to Y")]
X-Bone
[Figure: X-Bone system with Web GUI, xd GUI, Overlay Manager, Resource Daemons on routers and hosts, and an automated monitoring link]
[Figure: multiple views of nodes A, B, C, D as the base IPv4 network, a ring overlay (ring-ovl) and a star overlay (star-ovl)]
The X-Bone Is...
- A system for automated overlay deployment
  - Among a closed set of trusted hosts and routers
  - Provides coordination, configuration, management
  - Many details are plug-replaceable
- New tricks for overlays (use of overlays)
  - Overlays on overlays on overlays on ...
  - Fault tolerance, service deployment
  - Member in multiple overlays, and in a single overlay multiple times
- New tricks for old dogs (extend net arch.)
  - Use existing stacks and applications
What We Don't Do...
- Optimize the overlay topology
  - We use a plug-in module (AI folk can provide)
  - It requires network status (emerging now)
  - Fault tolerance only via ground truth (admin. issue)
  - X-Bone is capability more than performance (now)
- Non-IP overlays
  - IP is the interoperability layer
  - IP recurses / stacks nicely
Creating a Ring Ovl.
[Figure: Overlay Manager (OM) sends requests and receives results over the Internet from hosts isipc2, eql, udel, seccos, div, sin and bbn, which form the ring overlay]
Potential Uses
- Test new protocols; test denial-of-service solutions
- Deploy new services incrementally: dynamic routing, proxylets, security
- Increase lab & testbed utility: overlapping nets, add delay & loss
- Scale to 10,000 nodes: simplify view of topology
- Support fault tolerance: added level of recovery
Features
- Secure: X.509 certs, SSL control, ACLs
- Resilient: heartbeats with auto-dismantle; crash recovery/restore; detects/avoids replays; idempotent actions w/ rollback
- Overlay features: Dummynet, IPsec
- Application deployment: ABone, Squid proxy system (U. Catalonia), PlanetLab-like slice of vservers
Recent Additions
- In 3.0 (1/2004): IPv6; dynamic DNS/DNSsec; Cisco via buddy host; Zebra dynamic routing; user-specified topology; XML-based API
- Coming soon: revisitation (using network stacks); recursion
Architecture Issues
- Core (PP) VPNs need stub assistance
  - All transport is E2E
  - Inject routes via BGP/RIP or redirect default
  - Often assumes one VPN
- Boundary control:
  - Typical VPN: O(N) tunnels & routes / O(N) firewall rules
  - Separate routing and firewalls: O(1) routes / O(N) firewall rules
  - Firewall via groups: O(1) routes / O(1) firewall rules
Relation to:
- NetLab (net EmuLab): focuses on L2-VPNs; incorporating X-Bone concepts (revisitation, IPsec tunnel over IPIP/GRE)
- PlanetLab: focuses on OS; primitive networking; reinventing net. configuration mech.
Availability (and not)...
- http://www.isi.edu/xbone
- Platforms: FreeBSD 4.x/5.x (IPv4/6 IPsec); Linux RedHat (IPv4/IPsec only); Cisco via buddy host (IPv4 IPsec, IPv6)
- Under development/test: NetBSD (tested only); MacOS X (prelim. testing)
- Platforms not capable of VIs: Windows 2K/XP; Linux FreeS/WAN; VxWorks, Janos; PlanetLab inside vserver
DynaBone
Spread-Spectrum Multilayer Internet Overlays
[Figure: an outerlay over parallel innerlays on the base network (3DES encrypt / link-state; RC5 encrypt / RIP; MD5 auth / static), with a PRM at each end]
Goals
- Auto platform for spread-spectrum
  - Architecture in which to use ... (see BASF)
  - Closed-group communication: E2E, E2(gateway), etc.
  - Enable multilayer defense (IP addr, SPI, decrypts)
- Platform for muggles
  - Transparent to applications, protocols, OS's
  - Auto-deploy
DynaBone via X-Bones
- Parallel innerlays
- Coordinate use via PRMs
[Figure: base network, outerlay, and parallel innerlays Sub-1, Sub-2, Sub-3]
Layered Overlays
- Innerlays: a network you can gracefully disconnect; attacker-like parallelism as a defense
- Outerlay: hides the innerlays from the OS and applications; allows transparent restoration
- Automated deployment via X-Bone: user deployed, trans-AS, no new protocols; integrates heterogeneous net-level security
PRM Detail
[Figure: PRM components: Mux (per packet? per TCP?), Demux (reorder? drop dups?), Monitor (inject, measure), DDoS attack detection, performance metrics (pathchar)]
Monitor & Control GUI
NetGraph PRM Module
- Control interface: /data [format], /policy(?value), /stop?innerlay, /go?innerlay
[Figure: PRM node with MUX (policies RR, SS, Rand, Copy), IFACE API, BARP, Web, B-table]
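The mux/demux/monitor split on the PRM slides, as an added simulation that is not DynaBone's own code: packets get an outerlay sequence number, are spread over whichever innerlays are currently up under a per-packet policy, and the far-end demux drops duplicates and reorders by sequence number. The policy names RR, Rand and Copy come from the NetGraph PRM module slide, but the behaviour given to each here is this example's assumption, as are the innerlay names; SS is not modelled. The run withdraws one innerlay mid-stream to show that the outerlay sees nothing but a change in spread.

```python
"""Toy model of a DynaBone PRM: sender-side Mux spreads outerlay packets
over parallel innerlays, receiver-side Demux drops duplicates and reorders.
Added example, not DynaBone code; innerlay names and policy semantics are
constructed for illustration."""
import random
from dataclasses import dataclass, field


@dataclass
class Innerlay:
    name: str
    up: bool = True
    delivered: list = field(default_factory=list)   # frames that reached the far end


@dataclass(frozen=True)
class Frame:
    seq: int          # outerlay sequence number, shared across innerlays
    payload: bytes
    innerlay: str     # which innerlay carried this copy


class Mux:
    """Sender-side PRM: picks innerlay(s) for each packet (per-packet policy)."""

    def __init__(self, innerlays, policy="RR", seed=0):
        self.innerlays = innerlays
        self.policy = policy
        self.rng = random.Random(seed)   # seeded so the example is reproducible
        self.seq = 0
        self.rr = 0

    def live(self):
        return [i for i in self.innerlays if i.up]

    def send(self, payload):
        """Tag with the next sequence number and hand to one or more innerlays.
        Returns the names of the innerlays used."""
        live = self.live()
        if not live:
            raise RuntimeError("no innerlay available")
        self.seq += 1
        if self.policy == "RR":                 # round robin over live innerlays
            targets = [live[self.rr % len(live)]]
            self.rr += 1
        elif self.policy == "Rand":             # random spread (spread-spectrum flavour)
            targets = [self.rng.choice(live)]
        elif self.policy == "Copy":             # duplicate on every live innerlay
            targets = list(live)
        else:
            raise ValueError(self.policy)
        for t in targets:
            t.delivered.append(Frame(self.seq, payload, t.name))
        return [t.name for t in targets]


class Demux:
    """Receiver-side PRM: 'drop dups' and 'reorder' from the PRM Detail slide."""

    def __init__(self):
        self.seen = set()
        self.buffer = {}
        self.dups = 0

    def receive(self, frame):
        if frame.seq in self.seen:
            self.dups += 1          # a Copy'd frame already arrived via another innerlay
            return False
        self.seen.add(frame.seq)
        self.buffer[frame.seq] = frame.payload
        return True

    def deliver(self):
        return [self.buffer[s] for s in sorted(self.buffer)]


def run(policy, n=6, disconnect="rip"):
    """Send n packets, gracefully disconnect one innerlay halfway, then
    reassemble at the far end. Returns (per-packet innerlay log, payloads
    delivered in order, duplicates dropped)."""
    innerlays = [Innerlay("ls"), Innerlay("rip"), Innerlay("static")]
    mux = Mux(innerlays, policy)
    log = []
    for k in range(n):
        if k == n // 2:
            # the monitor decides an innerlay should go; the outerlay keeps running
            next(i for i in innerlays if i.name == disconnect).up = False
        log.append(mux.send(f"pkt{k}".encode()))
    demux = Demux()
    for i in innerlays:
        for f in i.delivered:
            demux.receive(f)
    return log, demux.deliver(), demux.dups


if __name__ == "__main__":
    for pol in ("RR", "Rand", "Copy"):
        log, out, dups = run(pol)
        print(pol, log, [p.decode() for p in out], "dups dropped:", dups)
```

Under Copy every packet still arrives exactly once after the demux, which is the resilience the innerlay/outerlay split is meant to buy; under RR and Rand the withdrawn innerlay simply stops appearing in the log from the point of disconnection.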
PRM Performance
[Figure: throughput as a percentage (0% to 100%) vs. packet rate (1 to 10000 Kpps); series labelled Gbps and Kpps]
NetFS File System
[Figure: /netfs tree with entries iface (fxp0, lo; default, alias1, alias2; addr 10.0.0.1, mask 255.0.0.0), route (default; 10.3.0.0 with mask 255.255.0.0), ipfw (ether, ip), proto (tcp, udp; 25, 26), ipsec]
Goals
- Simple, standard interface: across different OS's; file system API and semantics
- Fine-grained security: user, group, world, etc.; per instance of each resource
- Context-dependent views: limits the "ifconfig -a" response
Intertwined Control
[Figure: today's control paths (socket API, sockopt, ioctl, sysctl, in-band API) reaching interfaces, routes and communication channels, vs. the single NetFS file API]
Per-process Context
[Figure: global /netfs (iface A, B; route X, Y, Z) and the per-process ~netfs views (iface, route) seen by Process A and Process B]
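The three NetFS goals above (file-system semantics, per-resource user/group/world permissions, and a per-process view that limits what "ifconfig -a" would return), as an added in-memory model that is not the NetFS implementation: the tree contents, users and groups are constructed, and the choice that a listing only shows entries the process may read is this example's way of expressing the context-dependent view. No superuser override is modelled, so even root sees only what the mode bits grant.

```python
"""Added example: NetFS-style network configuration as a permissioned file
tree with a per-process view. Constructed tree and principals; not the
Postel Center's NetFS code."""
from dataclasses import dataclass, field

R, W = 4, 2   # POSIX read / write bits


@dataclass
class Node:
    mode: int                  # e.g. 0o640: owner rw, group r, world none
    owner: str
    group: str
    value: str = ""
    children: dict = field(default_factory=dict)


@dataclass
class Process:
    user: str
    groups: set


def allowed(node, proc, bit):
    """Standard owner/group/world check against a node's mode bits."""
    if proc.user == node.owner:
        shift = 6
    elif node.group in proc.groups:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & bit)


def lookup(root, path):
    """Resolve a path relative to /netfs ('' is the root itself)."""
    node = root
    for part in filter(None, path.split("/")):
        node = node.children[part]
    return node


def view(root, proc, path=""):
    """Per-process listing: entries the process cannot read are simply absent,
    recursively, so an 'ifconfig -a' built on this view sees a limited set."""
    node = lookup(root, path)
    out = []
    for name, child in node.children.items():
        if not allowed(child, proc, R):
            continue
        child_path = f"{path}/{name}" if path else name
        out.append(child_path)
        out.extend(view(root, proc, child_path))
    return out


def read(root, proc, path):
    node = lookup(root, path)
    if not allowed(node, proc, R):
        raise PermissionError(path)
    return node.value


def write(root, proc, path, value):
    node = lookup(root, path)
    if not allowed(node, proc, W):
        raise PermissionError(path)
    node.value = value
    return value


def build():
    """Constructed tree modelled on the NetFS slide: iface/fxp0 with addr, mask
    and a user-owned alias; route/default and a user-owned 10.3.0.0 route."""
    root = Node(0o755, "root", "wheel")

    def add(path, mode, owner, group, value=""):
        parts = path.split("/")
        parent = lookup(root, "/".join(parts[:-1]))
        parent.children[parts[-1]] = Node(mode, owner, group, value)

    add("iface", 0o755, "root", "wheel")
    add("iface/fxp0", 0o755, "root", "wheel")
    add("iface/fxp0/addr", 0o644, "root", "wheel", "10.0.0.1")
    add("iface/fxp0/mask", 0o644, "root", "wheel", "255.0.0.0")
    add("iface/fxp0/alias1", 0o750, "joe", "xbone")      # one user's overlay address
    add("iface/fxp0/alias1/addr", 0o640, "joe", "xbone", "10.3.0.1")
    add("iface/lo", 0o755, "root", "wheel")
    add("route", 0o750, "root", "wheel")                  # routes hidden from world
    add("route/default", 0o640, "root", "wheel", "10.0.0.254")
    add("route/10.3.0.0", 0o660, "joe", "xbone", "255.255.0.0 via alias1")
    return root


if __name__ == "__main__":
    root = build()
    for proc in (Process("root", {"wheel"}), Process("joe", {"xbone"}), Process("guest", set())):
        print(proc.user, "sees:", view(root, proc))
```

The point to take from the listing is that the overlay user joe can manage the alias and the route that belong to his overlay without any access to the default route, while an unrelated process sees only the base interface addresses, which is the "per instance of each resource" granularity the slide asks for.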
Related Work
- Linux's /procfs: processes
- Jail (FreeBSD) & vserver (Linux): limits root access to 1 IP addr per partition
- Plan 9's /net
- Sockets
- FreeBSD extensions (underway): add naming (kernel hack) to interfaces
DataRouter
[Figure: a packet carrying the entries P, isi.edu, S, D1, bird, #55fea3 is rewritten at D1 into P, usc.edu, S, D2, D1, #55fea3 and forwarded on to D2]
Rewrite rule: s/(bird)(.*)(isi.edu)/(D2)($2)(usc.edu)/
Motivation
- Application-level networks are 'bad': they recapitulate the network layer; require additional E2E transport protocols; are hard to compose
- Network-level overlays are not enough: application-level info. is hidden; IP forwarding is not sufficient
Goal = Peer/DHT Support:
- Useful: supports application-directed forwarding; enables composition/integration of app. svcs.
- Clean: avoids reinventing the network layer; avoids reinventing the transport layer
- Appropriate: forwards fast; supports IPsec; is somewhat safe
DataRouter IS:
- Header = IP Loose Source Route: a network-layer option; works as an encapsulation header (a la IPsec)
- Entry = string: explicit application context
- Forwarding via string rewriting: string -> (IP address, string') pair
DataRouter ISN'T:
- A routing protocol: IP doesn't force OSPF, BGP, etc.
- An overlay configuration: IP doesn't force a particular topology
Enabled Capabilities
- App. forwarding via network svc.
- Late-binding integration: one packet, a TCP/SYN w/ Google as DR; Google, DNS, IP
- Anycast services: first DR hop = anycast server; further hops added by appending
Quick FAQ:
- This is forwarding; who does routing? The application that would have done the forwarding (Chord, CAN, Napster, Google, DNS)
- Can transport handle unbound dests? Use HIP to decouple TCP/UDP from IP
- What is the API? DR strings via SOCKOPT; forwarding entries via the droute command
- Why use REs? Sufficient, efficient, complete
- How does it avoid breaking E2E? By allowing E2E TCP
- Why use a LSR IP option? Integrates w/ existing ICMP, IPsec; allows 'overlays'; transparent
Example Uses
- All in a parsed string: class:string metric:string; escape ":"; select the largest metric
Class   | Match          | Example
DNS     | Longest suffix | Joe.com
URL     | Exact URL      | Joe.com/apple
Napster | Exact MP3      | Hash(title)
Google  | Closest WebDB  | "Harry Potter movie"
IPv4    | Longest prefix | 10.0.0.4
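The forwarding step on the DataRouter slides (a string entry mapped to an (IP address, string') pair, the largest-metric entry winning) together with the per-class matching rules in the table above, as an added example that is not the DataRouter implementation: the forwarding table, addresses and the "RE" class are constructed, the escape handling follows the "escape ':'" bullet, and the bird/isi.edu rewrite reproduces the s/(bird)(.*)(isi.edu)/(D2)($2)(usc.edu)/ rule in Python's re.sub syntax. Google's "closest WebDB" is not modelled.

```python
"""Added example: DataRouter-style forwarding by string rewriting.
Table entries, next-hop addresses and the 'RE' class are constructed;
this is not the Postel Center's droute/DataRouter code."""
import ipaddress
import re

# Constructed forwarding table: class, key, next-hop IP, optional rewrite
# (sed-style s/key/repl/ with Python backreferences).
TABLE = [
    ("DNS",  "isi.edu",       "10.1.0.1",   None),
    ("DNS",  "usc.edu",       "10.2.0.1",   None),
    ("DNS",  "edu",           "10.9.0.1",   None),
    ("URL",  "joe.com/apple", "10.3.0.7",   None),
    ("IPv4", "10.0.0.0/8",    "10.0.0.254", None),
    ("IPv4", "10.0.0.0/24",   "10.0.0.1",   None),
    # the DataRouter slide's rule: bird at isi.edu becomes D2 at usc.edu
    ("RE",   r"(bird)(.*)(isi\.edu)", "10.2.0.9", r"D2\2usc.edu"),
]


def parse_entry(entry):
    """Split 'class:string' at the first unescaped ':'; '\\:' is a literal colon."""
    cls, string = re.split(r"(?<!\\):", entry, maxsplit=1)
    return cls, string.replace("\\:", ":")


def metric(cls, key, string):
    """Per-class match metric (higher is better), or None if the entry does not apply."""
    if cls == "DNS":                                   # longest suffix
        return len(key) if string == key or string.endswith("." + key) else None
    if cls == "IPv4":                                  # longest prefix
        try:
            net = ipaddress.ip_network(key)
            return net.prefixlen if ipaddress.ip_address(string) in net else None
        except ValueError:
            return None
    if cls in ("URL", "Napster"):                      # exact match
        return len(key) if string == key else None
    if cls == "RE":                                    # rewrite rule; metric = chars matched
        return len(string) if re.fullmatch(key, string) else None
    return None


def forward(entry, table=TABLE):
    """Map one loose-source-route string entry to (next_hop_ip, rewritten_entry),
    or None when no entry of that class matches. Largest metric wins;
    ties keep table order."""
    cls, string = parse_entry(entry)
    best = None
    for t_cls, key, hop, repl in table:
        if t_cls != cls:
            continue
        m = metric(cls, key, string)
        if m is not None and (best is None or m > best[0]):
            best = (m, key, hop, repl)
    if best is None:
        return None
    _, key, hop, repl = best
    new_string = re.sub(key, repl, string) if repl else string
    return hop, f"{cls}:{new_string}"


if __name__ == "__main__":
    for e in ("DNS:www.isi.edu", "IPv4:10.0.0.4", "IPv4:10.5.0.4",
              "URL:joe.com/apple", "RE:bird@isi.edu", "DNS:joe.com"):
        print(e, "->", forward(e))
```

Note that the rewritten entry travels with the packet, so the next DataRouter hop matches on "D2@usc.edu" rather than on anything the first hop knew; that is the "forwarding, not routing" separation the FAQ slide draws.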
Related Work
- Application-directed forwarding: DHTs, web proxies... Google, DNS
- Alternate network forwarding: dbase index [Carzaniga03]; Linda [Carriero86]; data manipulation lang. [Chandranmenon95]; Catanet, TRIAD, I3, IPNL, Heaps, Net Ptrs...
Performance
[Figure: K packets/sec (0 to 400) for IP/reg, IP/RER, Hash/RER and RE/RER, over UDP and TCP]
TetherNet
- Complete Internet IP connectivity
- Works behind NATs; works behind short-lease DHCP
Subnet Rental
Optical Internets
- Optical recapitulates electronic: WDM = VCs; burst switching = MPLS/label switching; jump ahead to packet-based
- Router: queue-free architecture; forwarding via partial filters; TTL decrement; IP checksum
- LAN protocols: OCDMA MAC design
Forward via Filters
- Bit-subset groups share next-hops
- Remainder to helper router
[Figure: input bits "1" "1" "0" "1" feed a "1"-bits correlator (threshold = 3, match = 'high') and, via NOT, a "0"-bits correlator (threshold = 0, match = 'low'); the two are ANDed into the 'MATCH' signal; R = 0%]
TTL Decrementer
- LSB-first: invert until 1; stop @ 1st "1" (delete if no "1")
[Figure: two-stage optical decrementer under electronic control: SOA (CW) signal inversion at 10 Gbit/s NRZ, "data" and "databar" photodiodes (PD), D flip-flop, PPLN modulators (MODp); TTL start in, packet out w/ updated TTL]
Internet Checksum
- Serial 1-bit full-adder
[Figure: full adder with inputs Xi, Yi and carry-in Ci, outputs S and carry-out Co, with k1*16-bit and k2*16-bit delay loops]
http://www.isi.edu/
- xbone: Greg Finn, Steve Hotz, Amy Hughes, Lars Eggert, YuShun Wang, Nimish Kasat, Osama Dosary, Ankur Sheth, Shitanshu Shah, Wei-Chun Chou, Stephen Suryaputra, Savas Guven
- dynabone: Venkata Pingali, Runfang Zhou
- netfs: Josh Train
- datarouter: Venkata Pingali
- tethernet: Lars Eggert, YuShun Wang
- pow / ocdma: Joseph Bannister, Puroshutham Kamath, Michelle Hauer, Dinez Gurkin, John McGeehan