On Proxy Server based Multipath Connections (PSMC)

1
On Proxy Server based Multipath Connections
(PSMC)

• PhD Proposal
• Yu Cai
• 12/2003
• University of Colorado at Colorado Springs

2
Outline

• 1. Introduction
• 2. Related work
• 3. PSMC algorithms
• 4. PSMC protocols
• 5. PSMC applications
• 6. PSMC security
• 7. Conclusion

3
Introduction

• Single path connection most commonly-used
  network connection model in todays network
  environment.
• Multipath connections provide potentially
  multiple paths between network nodes. The traffic
  from a source can be spread over multiple paths
  and transmitted in parallel through the network.

Single path connection vs. multipath connections
4
Why Multipath Connections

• Improve the network security by providing
  alternate paths
• Improve the network reliability, stability and
  availability
• Improve the network performance by increasing the
  aggregate bandwidth between network nodes
• Utilize the network resources more efficiently
• Cope well with network congestion, link breakage,
  burst traffic and potential attacks
• Provide better quality-of-service

5
Related Works on Multipath Connections

• Multipath connections have been studied since
  70s.
• The IBM Systems Network Architecture (SNA) in
  1974
• Nicholas F. Maxemchuk in 1975, the dispersity
  routing
• Classification of multipath connections based on
  OSI 7-layer model.
• Physical layer Multipath Interference Antenna
  Array.
• Data link layer Link Aggregation, defined in
  IEEE 802.3ad. (requires additional hardware
  support)

6
Related Works on Multipath Connections

• Network layer studied extensively as multipath
  routing.
• Wired network. (requires changes on routers)
• Table-driven routing (link state or distance
  vector). MDVA(Multipath distance vector
  algorithm ) VG01Chen98
• Wireless ad hoc network. (only for ad hoc
  network)
• On-demand routing.
• SMR(Split Multipath Routing ) LG00,
• Source Routing.
• MSR(Multipath Source Routing ) ZZS02
• Transport layer Linux multipath connections for
  multiple ISP connections. (no fail-over
  mechanism).

7
Proxy Server based Multipath Connections (PSMC)

• Existing multipath connection approaches have
  various limitations and drawbacks.
• We want new solution
• Must be compatible with current network and dont
  require changes on network infrastructure
• Must be robust and reliable with high
  performance
• Must be flexible when deployed so more
  applications can benefit from it.
• We propose to study a new multipath connection
  approach proxy servers based multipath
  connections (PSMC).

8
The Key Idea of PSMC

• The key ideas of PSMC is as followings.
• By using a set of connection relay proxy servers,
  we could set up indirect routes via the proxy
  servers, and transport packets over the network
  through the indirect routes.
• By enhancing existing TCP/IP protocols, we could
  efficiently distribute and reassemble packets
  among multiple paths at two end nodes, and
  increase end-to-end TCP throughput.
• The approach offers applications the ability to
  improve network security, reliability,
  performance, stability, availability and
  efficiency.

9
PSMC Diagram
10
Three Key Parts in PSMC

• The multipath sender distributes packets over
  the selected multiple paths efficiently and
  adaptively.
• The intermediate connection relay proxy servers
  examine the incoming packets and forward them to
  the end server.
• The multipath receiver collects the packets from
  multiple paths, reassembles them in order and
  delivers them to the user.

11
Why PSMC

• Compatibility Utilizes existing TCP/IP protocols
  and network infrastructure. Dont require changes
  on physical network infrastructure.
• Flexibility Can be more conveniently and
  adaptively deployed in various network
  environments.
• Usability A large number of applications in
  various categories could benefit from utilizing
  PSMC.
• Reliability Reliable and robust protocol with
  high end-to-end performance.

12
Algorithms for PSMC

• Proxy server selection is a critical decision in
  PSMC. Different server selections result in
  different performance.
• Needs to solve the following two proxy server
  selection problems.
• 1) Server Selection Problem.
• Given the target server and a set of proxy
  servers, choose the best proxy server or servers
  for a client or for a group of clients, to
  achieve the maximum aggregate bandwidth.
• 2) Server Placement Problem.
• Given the target server and a set of network
  nodes, choose the best node(s) to place the proxy
  servers, to maximize the aggregate bandwidth.

13
Diagram of Sever Selection / Placement Problem
How to avoid joint paths when selecting proxy
servers? (joint path might become potential
bottleneck) How to select geographically diverse
proxy servers?
Server selection problem
Server placement problem
14
Related Work on Algorithms

• Mirror server and cache server selection problem
  has been studied recent years.
• Formal approach abstract network model use
  graph theory.
• Common assumptions when getting network model
• a) network topology is known,
• b) the cost associated with each path is known,
  
• c) single and static network connections.
• Algorithms include QPV01
• (selecting M replicas among N potential sites)

tree-based greedy random hot spot
O(N3M2) O(N2M) O(NM) N2 min (NlogN, NM)
15
Algorithms for Parallel Download Problem

• NP-hard problem. We plan to develop heuristic
  algorithms, or by loosing the optimal constrains
  to simplify the problem to make it solvable in
  P-time.
• We have developed genetic algorithms to choose
  best mirror sites for parallel download from
  multiple mirror sites. The problem can be viewed
  as a sub problem of PSMC.

16
Parallel Download Algorithm Performance
Performance result of the parallel download
algorithms tested on the simulated network and
real-world network looks promising.
17
PSMC Protocols Packets Handling

• Protocols need to be designed for packets
  handling
• Distribute / reassemble packets add a thin layer
  between TCP and IP. Modify the Linux kernel.
• Transmit packets use IP Tunnel or IPSec to
  enable indirect routes.
• Why adding a thin layer for packets distribution
  and reassembling?
• Utilize existing TCP protocols, particularly the
  packets re-sequencing and re-sending mechanism.
• Hide the complexity of multipath connections from
  end user.
• Maintain the high end-to-end TCP throughput.

18
PSMC Protocols IP Tunnel

• IP tunnel is a technique to encapsulate IP
  datagram within IP datagram. This allows datagram
  destined for one IP address to be wrapped and
  redirected to another IP address.
• IPSec is an extension to the IP protocol which
  provides security to the IP and the upper-layer
  protocols. The IPSec architecture is described in
  the RFC2401.
• Why IP Tunnel
• IP Tunneling is well developed and widely
  available.
• It is a layer 2 protocol, transparent to higher
  layer.
• IP Tunneling performance is acceptable.
• We have investigated other approaches including
  SOCKS proxy server and Zebedee, which dont fit
  our needs.

19
Special Issues for PSMC Protocols

• Several special issues for PSMC protocols
• Based on the feedback from end server,
  dynamically adjust packets distribution.
• Outgoing packets might contain redundant
  information and/or probing message.
• Fail-over mechanism, packets resend and
  re-sequencing mechanism, when packets are lost or
  connections are broken.
• Sticky-connection mechanism when some packets
  need to be sent through a particular path.
• Related work
• ATCP (ad hoc TCP) LS01.
• Linux Virtual Server (LVS).
• Virtual Private Network (VPN)

20
IP Tunnel and IPSec
21
PSMC Diagram
22
PSMC Applications

• Secure Collective Defense (SCOLD) network
• PSMC in wireless ad hoc network.
• Indirect route / additional bandwidth upon
  operational requests.
• QoS for video streaming.
• Parallel download from multiple mirror sites.

23
Secure Collective Defense (SCOLD) network

• SCOLD tolerates the DDoS attacks through indirect
  routes via proxy servers, and improves network
  performance by spreading packets through multiple
  indirect routes.
• SCOLD will incorporate various cyber security
  techniques, like secure DNS update, Autonomous
  Anti-DDoS network, IDIP(Intrusion Detection and
  Isolation Protocol) protocols.
• The prototype of SCOLD system version 1.0 is
  finished with secure DNS update and indirect
  route.
• We plan to enhance SCOLD for better scalability,
  reliability, performance and security.

24
SCOLD victim under DDoS attacks
A.com
B.com
C.com
...
...
...
a
a
a
a
b
b
b
b
c
c
c
c
C
B
DNS2
DNS3
DNS1
A
DDoS Attack Traffic
Client Traffic
R
R2
R1
R3
DNS
Back door Alternate Gateways
target.com
Victim
Main gateway R under attacks, we want to inform
Clients to go through the back door - alternate
gateways R1- R3. We needs to hide IPs of R1-R3,
otherwise they are subject to potential attacks
too. how to inform Clients? how to hide IPs of
R1-R3?
25
SCOLD raise alarm (1) and inform clients (2)
A.com
B.com
C.com
...
...
...
a
a
a
a
b
b
b
b
c
c
c
c
C
B
DNS2
DNS3
DNS1
A
RerouteCoordinator
R
DNS
1 raise alarm
R2
R3
R1
2 inform clients
Victim
target.com
1. IDS on gateway R detects intrusion, raise
alarm to Reroute Coordinator. 2. Coordinator
informs clients for new route a) inform clients
DNS b) inform clients network proxy server c)
inform clients directly d) inform the proxy
servers and ask the proxy server do (a c).
26
SCOLD set up new indirect route (3)
A.com
B.com
C.com
...
...
...
a
a
a
a
b
b
b
b
c
c
c
c
C
B
DNS2
DNS3
DNS1
A
3 new route
R
RerouteCoordinator
R2
R1
R3
DNS
Victim
target.com
3. Clients set up new indirect route to target
via proxy servers. Proxy servers equipped with
IDS to defend attacks hide alternate gateway and
reroute coordinator provide potential multiple
paths.
27
SCOLD Testbed
28
Preliminary result of SCOLD

• Table 1 Ping Response Time (on 3 hop route)
• Table 2 SCOLD FTP/HTTP download Test (from
  client to target)
• Table 3 Time to Set up Indirect Route in SCOLD

No DDoS attack direct route DDoS attackdirect route No DDoS attack indirect route DDoS attack indirect route
0.49 ms 225 ms 0.65 ms 0.65 ms
Ping Less than 1 s
HTTP Less than 1 s
FTP Less than 1 s
29
PSMC Applications Evaluation

• The performance and overhead of multipath
  connections will be evaluated.
• PSMC will be compared with other multipath
  connection approaches, like source routing, and
  Linux multipath connections.
• Extensive simulation study on PSMC applications
  in virtual network, real network, small scale
  network and large scale network will be
  conducted.

30
Security Issues Related to PSMC

• Potential security issues raised by misusing of
  PSMC how to control aggressive clients?
• Potential attacks against PSMC Tunneling to
  death? (similar to ping to death).
• How to detect and deal with comprised nodes in
  PSMC network?
• Study the collective defend mechanism to tie
  different organizations with better cooperation
  and collaboration.

31
Research Plan

• Will systematically study PSMC in the following
  areas
• Algorithms for server selections
• Protocols for packet handling
• Applications
• Security issues

32
Thank you!