Title: On Proxy Server based Multipath Connections (PSMC)
1 On Proxy Server based Multipath Connections (PSMC)
- PhD Proposal
- Yu Cai
- 12/2003
- University of Colorado at Colorado Springs
2 Outline
- 1. Introduction
- 2. Related work
- 3. PSMC algorithms
- 4. PSMC protocols
- 5. PSMC applications
- 6. PSMC security
- 7. Conclusion
3 Introduction
- Single path connection: the most commonly used network connection model in today's network environment.
- Multipath connections provide potentially multiple paths between network nodes. The traffic from a source can be spread over multiple paths and transmitted in parallel through the network.
[Figure: Single path connection vs. multipath connections]
4 Why Multipath Connections
- Improve the network security by providing alternate paths
- Improve the network reliability, stability and availability
- Improve the network performance by increasing the aggregate bandwidth between network nodes
- Utilize the network resources more efficiently
- Cope well with network congestion, link breakage, burst traffic and potential attacks
- Provide better quality-of-service
5 Related Works on Multipath Connections
- Multipath connections have been studied since the 70s.
- The IBM Systems Network Architecture (SNA) in 1974.
- Nicholas F. Maxemchuk in 1975, the dispersity routing.
- Classification of multipath connections based on the OSI 7-layer model.
- Physical layer: Multipath Interference Antenna Array.
- Data link layer: Link Aggregation, defined in IEEE 802.3ad. (requires additional hardware support)
6 Related Works on Multipath Connections
- Network layer: studied extensively as multipath routing.
- Wired network. (requires changes on routers)
- Table-driven routing (link state or distance vector). MDVA (Multipath Distance Vector Algorithm) [VG01] [Chen98]
- Wireless ad hoc network. (only for ad hoc network)
- On-demand routing.
- SMR (Split Multipath Routing) [LG00]
- Source Routing.
- MSR (Multipath Source Routing) [ZZS02]
- Transport layer: Linux multipath connections for multiple ISP connections. (no fail-over mechanism)
7 Proxy Server based Multipath Connections (PSMC)
- Existing multipath connection approaches have various limitations and drawbacks.
- We want a new solution:
- Must be compatible with the current network and not require changes to the network infrastructure.
- Must be robust and reliable with high performance.
- Must be flexible when deployed so more applications can benefit from it.
- We propose to study a new multipath connection approach: proxy server based multipath connections (PSMC).
8 The Key Idea of PSMC
- The key ideas of PSMC are as follows.
- By using a set of connection relay proxy servers, we could set up indirect routes via the proxy servers, and transport packets over the network through the indirect routes.
- By enhancing existing TCP/IP protocols, we could efficiently distribute and reassemble packets among multiple paths at two end nodes, and increase end-to-end TCP throughput.
- The approach offers applications the ability to improve network security, reliability, performance, stability, availability and efficiency.
9 PSMC Diagram
10 Three Key Parts in PSMC
- The multipath sender distributes packets over the selected multiple paths efficiently and adaptively.
- The intermediate connection relay proxy servers examine the incoming packets and forward them to the end server.
- The multipath receiver collects the packets from multiple paths, reassembles them in order and delivers them to the user.
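The sender and receiver roles above, as an added example that is not part of the original slides or the PSMC implementation. It assumes each packet carries a sequence number and that the sender uses smooth weighted round-robin; the path names, weights and the receive window are constructed for illustration.

```python
import heapq

def distribute(n_packets, weights):
    """Smooth weighted round-robin: map sequence numbers 0..n-1 to paths
    in proportion to each path's weight (e.g. its measured bandwidth)."""
    total = sum(weights.values())
    credit = {path: 0 for path in weights}
    plan = []
    for seq in range(n_packets):
        for path in credit:
            credit[path] += weights[path]
        best = max(sorted(credit), key=lambda p: credit[p])
        credit[best] -= total
        plan.append((seq, best))
    return plan

class Reassembler:
    """Receiver side: buffer out-of-order packets, release them in order."""
    def __init__(self, window=64):
        self.next_seq = 0
        self.window = window      # bound on buffered packets (memory cap)
        self.pending = []         # min-heap of (seq, payload)
        self.buffered = set()

    def receive(self, seq, payload):
        """Return the payloads that became deliverable, in order."""
        in_window = self.next_seq <= seq < self.next_seq + self.window
        if not in_window or seq in self.buffered:
            return []             # stale, duplicate or too far ahead: drop
        self.buffered.add(seq)
        heapq.heappush(self.pending, (seq, payload))
        ready = []
        while self.pending and self.pending[0][0] == self.next_seq:
            s, data = heapq.heappop(self.pending)
            self.buffered.discard(s)
            ready.append(data)
            self.next_seq += 1
        return ready

def simulate():
    """Constructed run: path A carries twice the share of B, B arrives first."""
    plan = distribute(6, {"A": 2, "B": 1})
    arrival = [s for s, p in plan if p == "B"] + [s for s, p in plan if p == "A"]
    rx, delivered = Reassembler(), []
    for seq in arrival:
        delivered += rx.receive(seq, "pkt%d" % seq)
    return plan, arrival, delivered
```

The bounded window keeps a receiver from buffering without limit when one path stalls or a peer sends sequence numbers far ahead of what has been delivered.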
11 Why PSMC
- Compatibility: Utilizes existing TCP/IP protocols and network infrastructure. Doesn't require changes to the physical network infrastructure.
- Flexibility: Can be more conveniently and adaptively deployed in various network environments.
- Usability: A large number of applications in various categories could benefit from utilizing PSMC.
- Reliability: Reliable and robust protocol with high end-to-end performance.
12 Algorithms for PSMC
- Proxy server selection is a critical decision in PSMC. Different server selections result in different performance.
- We need to solve the following two proxy server selection problems.
- 1) Server Selection Problem.
- Given the target server and a set of proxy servers, choose the best proxy server or servers for a client or for a group of clients, to achieve the maximum aggregate bandwidth.
- 2) Server Placement Problem.
- Given the target server and a set of network nodes, choose the best node(s) to place the proxy servers, to maximize the aggregate bandwidth.
13 Diagram of Server Selection / Placement Problem
How to avoid joint paths when selecting proxy servers? (A joint path might become a potential bottleneck.)
How to select geographically diverse proxy servers?
[Figure: Server selection problem]
[Figure: Server placement problem]
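The joint-path question above, as an added example that is not from the original slides: a greedy heuristic that skips any proxy whose route shares a link with a route already chosen, compared with simply taking the proxies with the best individual routes. The topology, capacities and function names are constructed, and the route of each proxy is assumed to be known.

```python
def bottleneck(route, capacity):
    """Bandwidth of one indirect route is that of its slowest link."""
    return min(capacity[link] for link in route)

def rank(routes, capacity):
    """Proxies ordered by route bottleneck, best first (name breaks ties)."""
    return sorted(routes, key=lambda p: (-bottleneck(routes[p], capacity), p))

def select_naive(routes, capacity, k):
    """Take the k proxies with the best individual routes."""
    return rank(routes, capacity)[:k]

def select_disjoint(routes, capacity, k):
    """Greedy: take the best remaining proxy whose route shares no link
    with the routes already chosen."""
    chosen, used = [], set()
    for proxy in rank(routes, capacity):
        if len(chosen) < k and not used & set(routes[proxy]):
            chosen.append(proxy)
            used |= set(routes[proxy])
    return chosen

def aggregate_bound(chosen, routes, capacity):
    """Upper bound on aggregate bandwidth: the sum of route bottlenecks,
    capped wherever several chosen routes cross the same (joint) link."""
    bn = {p: bottleneck(routes[p], capacity) for p in chosen}
    bound = sum(bn.values())
    for link in {l for p in chosen for l in routes[p]}:
        sharing = [p for p in chosen if link in routes[p]]
        if len(sharing) > 1:
            others = sum(bn[p] for p in chosen if p not in sharing)
            bound = min(bound, capacity[link] + others)
    return bound

# Constructed topology: client C, target T, proxies P1..P4, routers r1..r3.
# Capacities are in Mbit/s. P1 and P2 both reach T over the link (r3, T).
CAPACITY = {("C", "r1"): 40, ("r1", "P1"): 40, ("P1", "r3"): 40, ("r3", "T"): 50,
            ("C", "r2"): 35, ("r2", "P2"): 35, ("P2", "r3"): 35,
            ("C", "P3"): 30, ("P3", "T"): 30, ("C", "P4"): 10, ("P4", "T"): 10}
ROUTES = {"P1": [("C", "r1"), ("r1", "P1"), ("P1", "r3"), ("r3", "T")],
          "P2": [("C", "r2"), ("r2", "P2"), ("P2", "r3"), ("r3", "T")],
          "P3": [("C", "P3"), ("P3", "T")],
          "P4": [("C", "P4"), ("P4", "T")]}
```

With two proxies, the naive choice (P1, P2) is limited to 50 Mbit/s by the joint link, while the disjoint choice (P1, P3) reaches 70 Mbit/s.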
14 Related Work on Algorithms
- The mirror server and cache server selection problem has been studied in recent years.
- Formal approach: abstract the network model, use graph theory.
- Common assumptions when getting the network model:
- a) network topology is known,
- b) the cost associated with each path is known,
- c) single and static network connections.
- Algorithms include [QPV01] (selecting M replicas among N potential sites):
- tree-based: O(N^3 M^2)
- greedy: O(N^2 M)
- random: O(NM)
- hot spot: N^2 min(N log N, NM)
15 Algorithms for Parallel Download Problem
- NP-hard problem. We plan to develop heuristic algorithms, or to loosen the optimality constraints to simplify the problem and make it solvable in P-time.
- We have developed genetic algorithms to choose the best mirror sites for parallel download from multiple mirror sites. The problem can be viewed as a subproblem of PSMC.
16 Parallel Download Algorithm Performance
The performance results of the parallel download algorithms, tested on the simulated network and the real-world network, look promising.
17 PSMC Protocols Packets Handling
- Protocols need to be designed for packet handling.
- Distribute / reassemble packets: add a thin layer between TCP and IP. Modify the Linux kernel.
- Transmit packets: use IP Tunnel or IPSec to enable indirect routes.
- Why add a thin layer for packet distribution and reassembly?
- Utilize existing TCP protocols, particularly the packet re-sequencing and re-sending mechanism.
- Hide the complexity of multipath connections from the end user.
- Maintain the high end-to-end TCP throughput.
18 PSMC Protocols IP Tunnel
- IP tunnel is a technique to encapsulate an IP datagram within an IP datagram. This allows a datagram destined for one IP address to be wrapped and redirected to another IP address.
- IPSec is an extension to the IP protocol which provides security to the IP and the upper-layer protocols. The IPSec architecture is described in RFC 2401.
- Why IP Tunnel
- IP Tunneling is well developed and widely available.
- It is a layer 2 protocol, transparent to higher layer.
- IP Tunneling performance is acceptable.
- We have investigated other approaches including SOCKS proxy server and Zebedee, which don't fit our needs.
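The datagram-within-datagram encapsulation described above, as an added example that is not from the original slides or the PSMC code. It uses IPv4-in-IPv4 (protocol number 4, RFC 2003); the addresses come from the documentation ranges and are constructed, and the checks a relay proxy applies before forwarding are an assumption about reasonable validation, not the project's own rules.

```python
import socket, struct

IPPROTO_IPIP = 4  # IPv4-in-IPv4 encapsulation (RFC 2003)

def checksum(header):
    """16-bit one's-complement sum over the header."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 datagram (20-byte header, no options)."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                    ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", checksum(h)) + h[12:] + payload

def parse(pkt):
    """Validate version, lengths and header checksum before trusting fields."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total != len(pkt) or checksum(pkt[:ihl]):
        raise ValueError("bad IPv4 header")
    return {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "payload": pkt[ihl:]}

def encapsulate(inner, client, proxy):
    """Sender: wrap the datagram for the target in one addressed to the proxy."""
    return ipv4(client, proxy, IPPROTO_IPIP, inner)

def decapsulate(outer, proxy, target):
    """Relay proxy: unwrap only well-formed, single-level tunnel packets
    whose inner destination is the server this proxy relays to."""
    o = parse(outer)
    if o["dst"] != proxy or o["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this proxy")
    i = parse(o["payload"])
    if i["proto"] == IPPROTO_IPIP:
        raise ValueError("nested tunnel refused")
    if i["dst"] != target:
        raise ValueError("inner destination is not the relayed server")
    return o["payload"]

def demo():
    """Constructed packet using documentation address ranges."""
    inner = ipv4("192.0.2.10", "203.0.113.5", 6, b"tcp-segment")
    return inner, encapsulate(inner, "192.0.2.10", "198.51.100.7")
```

Each tunnel level adds 20 bytes of outer header, which is the per-packet overhead of the indirect route.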
19 Special Issues for PSMC Protocols
- Several special issues for PSMC protocols:
- Based on the feedback from the end server, dynamically adjust packet distribution.
- Outgoing packets might contain redundant information and/or probing messages.
- Fail-over mechanism, packet resend and re-sequencing mechanism, when packets are lost or connections are broken.
- Sticky-connection mechanism when some packets need to be sent through a particular path.
- Related work
- ATCP (ad hoc TCP) [LS01].
- Linux Virtual Server (LVS).
- Virtual Private Network (VPN)
20 IP Tunnel and IPSec
21 PSMC Diagram
22 PSMC Applications
- Secure Collective Defense (SCOLD) network
- PSMC in wireless ad hoc network.
- Indirect route / additional bandwidth upon operational requests.
- QoS for video streaming.
- Parallel download from multiple mirror sites.
23 Secure Collective Defense (SCOLD) network
- SCOLD tolerates the DDoS attacks through indirect routes via proxy servers, and improves network performance by spreading packets through multiple indirect routes.
- SCOLD will incorporate various cyber security techniques, like secure DNS update, Autonomous Anti-DDoS network, IDIP (Intrusion Detection and Isolation Protocol) protocols.
- The prototype of SCOLD system version 1.0 is finished with secure DNS update and indirect route.
- We plan to enhance SCOLD for better scalability, reliability, performance and security.
24 SCOLD victim under DDoS attacks
[Diagram labels: client domains A.com, B.com, C.com with DNS1-DNS3; DDoS attack traffic; client traffic; main gateway R; back door alternate gateways R1-R3; DNS; victim target.com]
Main gateway R is under attack. We want to inform clients to go through the back door: alternate gateways R1-R3. We need to hide the IPs of R1-R3, otherwise they are subject to potential attacks too. How to inform clients? How to hide the IPs of R1-R3?
25 SCOLD raise alarm (1) and inform clients (2)
[Diagram labels: client domains A.com, B.com, C.com with DNS1-DNS3; Reroute Coordinator; gateway R; alternate gateways R1-R3; DNS; victim target.com; arrows "1 raise alarm" and "2 inform clients"]
1. IDS on gateway R detects intrusion, raises alarm to Reroute Coordinator.
2. Coordinator informs clients of the new route:
a) inform the clients' DNS
b) inform the clients' network proxy server
c) inform the clients directly
d) inform the proxy servers and ask the proxy servers to do (a-c).
26 SCOLD set up new indirect route (3)
[Diagram labels: client domains A.com, B.com, C.com with DNS1-DNS3; Reroute Coordinator; gateway R; alternate gateways R1-R3; DNS; victim target.com; arrow "3 new route"]
3. Clients set up a new indirect route to the target via proxy servers. Proxy servers: equipped with IDS to defend against attacks; hide the alternate gateways and the reroute coordinator; provide potential multiple paths.
27 SCOLD Testbed
28 Preliminary result of SCOLD
- Table 1: Ping Response Time (on 3 hop route)
- Table 2: SCOLD FTP/HTTP download Test (from client to target)
- Table 3: Time to Set up Indirect Route in SCOLD

No DDoS attack, direct route: 0.49 ms
DDoS attack, direct route: 225 ms
No DDoS attack, indirect route: 0.65 ms
DDoS attack, indirect route: 0.65 ms

Ping: Less than 1 s
HTTP: Less than 1 s
FTP: Less than 1 s
29 PSMC Applications Evaluation
- The performance and overhead of multipath connections will be evaluated.
- PSMC will be compared with other multipath connection approaches, like source routing, and Linux multipath connections.
- Extensive simulation study on PSMC applications in virtual network, real network, small scale network and large scale network will be conducted.
30 Security Issues Related to PSMC
- Potential security issues raised by misuse of PSMC: how to control aggressive clients?
- Potential attacks against PSMC: Tunneling to death? (similar to ping to death).
- How to detect and deal with compromised nodes in the PSMC network?
- Study the collective defense mechanism to tie different organizations together with better cooperation and collaboration.
31 Research Plan
- Will systematically study PSMC in the following areas:
- Algorithms for server selections
- Protocols for packet handling
- Applications
- Security issues
32 Thank you!