On Proxy Server based Multipath Connections (PSMC) - PowerPoint PPT Presentation

Provided by: Secu5
Learn more at: http://www.cs.uccs.edu

1
On Proxy Server based Multipath Connections
(PSMC)
  • PhD Proposal
  • Yu Cai
  • 12/2003
  • University of Colorado at Colorado Springs

2
Outline
  • 1. Introduction
  • 2. Related work
  • 3. PSMC algorithms
  • 4. PSMC protocols
  • 5. PSMC applications
  • 6. PSMC security
  • 7. Conclusion

3
Introduction
  • Single path connection: the most commonly used
    network connection model in today's network
    environment.
  • Multipath connections provide potentially
    multiple paths between network nodes. The traffic
    from a source can be spread over multiple paths
    and transmitted in parallel through the network.

Single path connection vs. multipath connections
4
Why Multipath Connections
  • Improve the network security by providing
    alternate paths
  • Improve the network reliability, stability and
    availability
  • Improve the network performance by increasing the
    aggregate bandwidth between network nodes
  • Utilize the network resources more efficiently
  • Cope well with network congestion, link breakage,
    burst traffic and potential attacks
  • Provide better quality-of-service

5
Related Works on Multipath Connections
  • Multipath connections have been studied since
    the 70s.
  • The IBM Systems Network Architecture (SNA) in
    1974
  • Nicholas F. Maxemchuk in 1975, the dispersity
    routing
  • Classification of multipath connections based on
    the OSI 7-layer model.
  • Physical layer: Multipath Interference Antenna
    Array.
  • Data link layer: Link Aggregation, defined in
    IEEE 802.3ad. (requires additional hardware
    support)

6
Related Works on Multipath Connections
  • Network layer: studied extensively as multipath
    routing.
  • Wired network. (requires changes on routers)
  • Table-driven routing (link state or distance
    vector). MDVA (Multipath Distance Vector
    Algorithm) [VG01] [Chen98]
  • Wireless ad hoc network. (only for ad hoc
    network)
  • On-demand routing.
  • SMR (Split Multipath Routing) [LG00]
  • Source Routing.
  • MSR (Multipath Source Routing) [ZZS02]
  • Transport layer: Linux multipath connections for
    multiple ISP connections. (no fail-over
    mechanism)

7
Proxy Server based Multipath Connections (PSMC)
  • Existing multipath connection approaches have
    various limitations and drawbacks.
  • We want a new solution:
  • Must be compatible with the current network and
    not require changes to the network infrastructure
  • Must be robust and reliable with high
    performance
  • Must be flexible when deployed so more
    applications can benefit from it.
  • We propose to study a new multipath connection
    approach: proxy server based multipath
    connections (PSMC).

8
The Key Idea of PSMC
  • The key ideas of PSMC are as follows.
  • By using a set of connection relay proxy servers,
    we could set up indirect routes via the proxy
    servers, and transport packets over the network
    through the indirect routes.
  • By enhancing existing TCP/IP protocols, we could
    efficiently distribute and reassemble packets
    among multiple paths at two end nodes, and
    increase end-to-end TCP throughput.
  • The approach offers applications the ability to
    improve network security, reliability,
    performance, stability, availability and
    efficiency.

9
PSMC Diagram
10
Three Key Parts in PSMC
  • The multipath sender distributes packets over
    the selected multiple paths efficiently and
    adaptively.
  • The intermediate connection relay proxy servers
    examine the incoming packets and forward them to
    the end server.
  • The multipath receiver collects the packets from
    multiple paths, reassembles them in order and
    delivers them to the user.

11
Why PSMC
  • Compatibility: Utilizes existing TCP/IP protocols
    and network infrastructure. Does not require
    changes to the physical network infrastructure.
  • Flexibility: Can be more conveniently and
    adaptively deployed in various network
    environments.
  • Usability: A large number of applications in
    various categories could benefit from utilizing
    PSMC.
  • Reliability: Reliable and robust protocol with
    high end-to-end performance.

12
Algorithms for PSMC
  • Proxy server selection is a critical decision in
    PSMC. Different server selections result in
    different performance.
  • We need to solve the following two proxy server
    selection problems.
  • 1) Server Selection Problem.
  • Given the target server and a set of proxy
    servers, choose the best proxy server or servers
    for a client or for a group of clients, to
    achieve the maximum aggregate bandwidth.
  • 2) Server Placement Problem.
  • Given the target server and a set of network
    nodes, choose the best node(s) to place the proxy
    servers, to maximize the aggregate bandwidth.


13
Diagram of Server Selection / Placement Problem
How to avoid joint paths when selecting proxy
servers? (A joint path might become a potential
bottleneck.)
How to select geographically diverse proxy servers?
[Diagram panels: Server selection problem; Server placement problem]
14
Related Work on Algorithms
  • The mirror server and cache server selection
    problem has been studied in recent years.
  • Formal approach: abstract the network model, use
    graph theory.
  • Common assumptions when building the network model:
  • a) network topology is known,
  • b) the cost associated with each path is known,
  • c) single and static network connections.
  • Algorithms include [QPV01]
  • (selecting M replicas among N potential sites)

Algorithm: complexity
  tree-based: O(N^3 M^2)
  greedy: O(N^2 M)
  random: O(NM)
  hot spot: N^2 + min(N log N, NM)
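
The server selection problem and the joint-path question from the two slides above, worked as an added example (not code from the presentation). It assumes a simplified model in which each proxy has one fixed path made of links with known capacities; the topology, link names and capacities are constructed. The greedy heuristic recomputes each candidate's marginal bandwidth after every pick, so a proxy that shares a bottleneck link with an already chosen one loses its appeal.

```python
def path_gain(path, residual):
    """Bandwidth a path can still carry: its tightest remaining link."""
    return min(residual[link] for link in path)

def allocate(order, paths, capacity):
    """Fill paths in the given order; shared (joint) links are used up once."""
    residual, plan = dict(capacity), []
    for proxy in order:
        gain = path_gain(paths[proxy], residual)
        for link in paths[proxy]:
            residual[link] -= gain
        plan.append((proxy, gain))
    return plan, sum(g for _, g in plan)

def naive_select(paths, capacity, m):
    """Rank proxies by stand-alone bandwidth, ignoring joint paths."""
    ranked = sorted(paths, key=lambda p: (-path_gain(paths[p], capacity), p))
    return allocate(ranked[:m], paths, capacity)

def greedy_select(paths, capacity, m):
    """Each round, take the proxy with the largest marginal bandwidth."""
    residual, order = dict(capacity), []
    candidates = set(paths)
    while candidates and len(order) < m:
        best = max(sorted(candidates), key=lambda p: path_gain(paths[p], residual))
        gain = path_gain(paths[best], residual)
        if gain <= 0:
            break                      # every remaining path is already saturated
        for link in paths[best]:
            residual[link] -= gain
        order.append(best)
        candidates.remove(best)
    return allocate(order, paths, capacity)

# Constructed topology, capacities in Mbit/s. P1 and P2 share the client's
# uplink "c-isp1" (a joint path); P3 is reached through a different ISP.
CAPACITY = {"c-isp1": 100, "isp1-p1": 80, "p1-t": 90,
            "isp1-p2": 70, "p2-t": 90,
            "c-isp2": 60, "isp2-p3": 60, "p3-t": 60}
PATHS = {"P1": ["c-isp1", "isp1-p1", "p1-t"],
         "P2": ["c-isp1", "isp1-p2", "p2-t"],
         "P3": ["c-isp2", "isp2-p3", "p3-t"]}

if __name__ == "__main__":
    print("naive :", naive_select(PATHS, CAPACITY, 2))
    print("greedy:", greedy_select(PATHS, CAPACITY, 2))
```

With two proxies allowed, ranking by stand-alone bandwidth picks P1 and P2 and gets 100 Mbit/s because both squeeze through the shared uplink, while the greedy pick of P1 and P3 reaches 140 Mbit/s.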
15
Algorithms for Parallel Download Problem
  • NP-hard problem. We plan to develop heuristic
    algorithms, or to loosen the optimality
    constraints to simplify the problem and make it
    solvable in P-time.
  • We have developed genetic algorithms to choose
    best mirror sites for parallel download from
    multiple mirror sites. The problem can be viewed
    as a sub problem of PSMC.

16
Parallel Download Algorithm Performance
Performance results of the parallel download
algorithms tested on the simulated network and
real-world network look promising.
17
PSMC Protocols: Packet Handling
  • Protocols need to be designed for packet
    handling:
  • Distribute / reassemble packets: add a thin layer
    between TCP and IP. Modify the Linux kernel.
  • Transmit packets: use IP Tunnel or IPSec to
    enable indirect routes.
  • Why add a thin layer for packet distribution
    and reassembly?
  • Utilize existing TCP protocols, particularly the
    packet re-sequencing and re-sending mechanisms.
  • Hide the complexity of multipath connections from
    the end user.
  • Maintain the high end-to-end TCP throughput.

18
PSMC Protocols: IP Tunnel
  • IP tunnel is a technique to encapsulate an IP
    datagram within an IP datagram. This allows a
    datagram destined for one IP address to be
    wrapped and redirected to another IP address.
  • IPSec is an extension to the IP protocol which
    provides security to the IP and the upper-layer
    protocols. The IPSec architecture is described in
    RFC 2401.
  • Why IP Tunnel:
  • IP Tunneling is well developed and widely
    available.
  • It is a layer 2 protocol, transparent to higher
    layers.
  • IP Tunneling performance is acceptable.
  • We have investigated other approaches including
    SOCKS proxy server and Zebedee, which do not fit
    our needs.
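
The encapsulation described on this slide, together with the relay proxy's job of examining incoming packets before forwarding them, as an added example (not code from the presentation). It builds IPv4-in-IPv4 datagrams in user space; the addresses are constructed documentation addresses, and `served_targets` is a hypothetical allow-list of end servers the proxy agrees to forward to.

```python
import socket
import struct

IPPROTO_IPIP = 4          # IANA protocol number for IPv4-in-IPv4
HDR = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header's 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(HDR, *fields))
    return struct.pack(HDR, *fields)

def encapsulate(inner: bytes, client: str, proxy: str) -> bytes:
    """Client side: wrap the datagram for the target and address it to the proxy."""
    return ipv4_header(client, proxy, IPPROTO_IPIP, len(inner)) + inner

def relay(outer: bytes, served_targets: set) -> bytes:
    """Proxy side: examine the tunnel packet, return the inner datagram to forward."""
    if len(outer) < 40 or outer[0] != 0x45 or outer[9] != IPPROTO_IPIP:
        raise ValueError("not an IPv4-in-IPv4 datagram")
    if checksum(outer[:20]) != 0:
        raise ValueError("outer header checksum mismatch")
    inner = outer[20:]
    outer_len, inner_len = (struct.unpack("!H", h[2:4])[0] for h in (outer, inner))
    if outer_len != len(outer) or inner_len != len(inner):
        raise ValueError("length fields disagree with packet size")
    if socket.inet_ntoa(inner[16:20]) not in served_targets:
        raise ValueError("inner destination is not a target this proxy serves")
    return inner

# Constructed sample using documentation addresses (RFC 5737).
CLIENT, PROXY, TARGET = "192.0.2.10", "198.51.100.7", "203.0.113.5"
INNER = ipv4_header(CLIENT, TARGET, socket.IPPROTO_TCP, 4) + b"data"
OUTER = encapsulate(INNER, CLIENT, PROXY)
```

On the wire only the outer header is routed, so the packet travels to the proxy; the allow-list check keeps the proxy from relaying to arbitrary destinations.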

19
Special Issues for PSMC Protocols
  • Several special issues for PSMC protocols
  • Based on the feedback from end server,
    dynamically adjust packets distribution.
  • Outgoing packets might contain redundant
    information and/or probing message.
  • Fail-over mechanism, packets resend and
    re-sequencing mechanism, when packets are lost or
    connections are broken.
  • Sticky-connection mechanism when some packets
    need to be sent through a particular path.
  • Related work
  • ATCP (ad hoc TCP) [LS01].
  • Linux Virtual Server (LVS).
  • Virtual Private Network (VPN)
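
The multipath sender and receiver roles, with the feedback-driven distribution and fail-over listed on this slide, modelled as an added example (not code from the presentation). It is a user-space sketch, whereas the proposal places this logic in a thin kernel layer and relies on TCP for re-sequencing; the path names `via_R1` and `via_R2`, the weights and the arrival order are constructed.

```python
class MultipathSender:
    """Spreads numbered packets over paths by weight (smooth weighted round-robin)."""
    def __init__(self, weights):
        self.weights = dict(weights)          # path -> relative share of traffic
        self.credit = {p: 0 for p in weights}
        self.seq = 0

    def feedback(self, path, weight):
        """Apply end-server feedback; weight 0 takes a broken path out of use."""
        self.weights[path] = weight
        self.credit[path] = 0

    def send(self, data):
        live = sorted(p for p, w in self.weights.items() if w > 0)
        if not live:
            raise RuntimeError("no usable path")
        for p in live:
            self.credit[p] += self.weights[p]
        path = max(live, key=lambda p: self.credit[p])
        self.credit[path] -= sum(self.weights[p] for p in live)
        packet = (self.seq, data)
        self.seq += 1
        return path, packet

class MultipathReceiver:
    """Collects packets from all paths and releases them in sequence order."""
    def __init__(self):
        self.expected = 0
        self.pending = {}

    def receive(self, packet):
        seq, data = packet
        if seq >= self.expected:              # older numbers are duplicates
            self.pending[seq] = data
        delivered = []
        while self.expected in self.pending:
            delivered.append(self.pending.pop(self.expected))
            self.expected += 1
        return delivered

def demo():
    sender, receiver = MultipathSender({"via_R1": 2, "via_R2": 1}), MultipathReceiver()
    sent = [sender.send(f"p{i}") for i in range(3)]
    sender.feedback("via_R2", 0)              # constructed event: the R2 path breaks
    sent += [sender.send(f"p{i}") for i in range(3, 5)]
    arrival = [sent[0], sent[2], sent[3], sent[4], sent[1]]  # seq 1 arrives last
    return [path for path, _ in sent], [receiver.receive(pkt) for _, pkt in arrival]
```

`demo()` returns the path chosen for each packet and what the receiver hands to the user after each arrival: nothing is released while sequence number 1 is missing, then the whole backlog is delivered in order.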

20
IP Tunnel and IPSec
21
PSMC Diagram
22
PSMC Applications
  • Secure Collective Defense (SCOLD) network
  • PSMC in wireless ad hoc network.
  • Indirect route / additional bandwidth upon
    operational requests.
  • QoS for video streaming.
  • Parallel download from multiple mirror sites.

23
Secure Collective Defense (SCOLD) network
  • SCOLD tolerates the DDoS attacks through indirect
    routes via proxy servers, and improves network
    performance by spreading packets through multiple
    indirect routes.
  • SCOLD will incorporate various cyber security
    techniques, like secure DNS update, Autonomous
    Anti-DDoS network, IDIP(Intrusion Detection and
    Isolation Protocol) protocols.
  • The prototype of SCOLD system version 1.0 is
    finished with secure DNS update and indirect
    route.
  • We plan to enhance SCOLD for better scalability,
    reliability, performance and security.

24
SCOLD: victim under DDoS attacks
[Diagram labels: client domains A.com, B.com, C.com with clients a, b, c and DNS servers DNS1, DNS2, DNS3; DDoS Attack Traffic; Client Traffic; main gateway R; back door alternate gateways R1, R2, R3; DNS; victim target.com]
Main gateway R is under attack; we want to inform
clients to go through the back door: alternate
gateways R1-R3. We need to hide the IPs of R1-R3,
otherwise they are subject to potential attacks
too. How to inform clients? How to hide the IPs of
R1-R3?
25
SCOLD: raise alarm (1) and inform clients (2)
[Diagram labels: client domains A.com, B.com, C.com with clients a, b, c and DNS servers DNS1, DNS2, DNS3; Reroute Coordinator; gateway R; alternate gateways R1, R2, R3; DNS; victim target.com; arrows "1 raise alarm" and "2 inform clients"]
1. IDS on gateway R detects intrusion, raises
alarm to Reroute Coordinator.
2. Coordinator informs clients of the new route:
a) inform the clients' DNS
b) inform the clients' network proxy server
c) inform the clients directly
d) inform the proxy servers and ask the proxy
servers to do (a-c).
26
SCOLD: set up new indirect route (3)
[Diagram labels: client domains A.com, B.com, C.com with clients a, b, c and DNS servers DNS1, DNS2, DNS3; Reroute Coordinator; gateway R; alternate gateways R1, R2, R3; DNS; victim target.com; arrow "3 new route"]
3. Clients set up a new indirect route to the
target via proxy servers. Proxy servers: are
equipped with IDS to defend against attacks, hide
the alternate gateways and the reroute
coordinator, and provide potential multiple paths.
27
SCOLD Testbed
28
Preliminary result of SCOLD
  • Table 1: Ping Response Time (on 3 hop route)
      No DDoS attack, direct route: 0.49 ms
      DDoS attack, direct route: 225 ms
      No DDoS attack, indirect route: 0.65 ms
      DDoS attack, indirect route: 0.65 ms
  • Table 2: SCOLD FTP/HTTP download Test (from
    client to target)
  • Table 3: Time to Set up Indirect Route in SCOLD
      Ping: Less than 1 s
      HTTP: Less than 1 s
      FTP: Less than 1 s
29
PSMC Applications: Evaluation
  • The performance and overhead of multipath
    connections will be evaluated.
  • PSMC will be compared with other multipath
    connection approaches, like source routing, and
    Linux multipath connections.
  • Extensive simulation study on PSMC applications
    in virtual network, real network, small scale
    network and large scale network will be
    conducted.

30
Security Issues Related to PSMC
  • Potential security issues raised by misuse of
    PSMC: how to control aggressive clients?
  • Potential attacks against PSMC: Tunneling to
    death? (similar to ping to death).
  • How to detect and deal with compromised nodes in
    the PSMC network?
  • Study the collective defense mechanism to tie
    different organizations together with better
    cooperation and collaboration.

31
Research Plan
  • Will systematically study PSMC in the following
    areas
  • Algorithms for server selections
  • Protocols for packet handling
  • Applications
  • Security issues

32
Thank you!