Peer-to-peer Virtual Private Networks and Applications

Transcription

1 Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing Center/ACIS Lab University of Florida Visiting Researcher at VU

2 Backdrop Virtual machines in cloud computing On-demand, pay-per-use, user-configurable Federated environments End-to-end Internet connectivity hindered by address space and presence of NATs, firewalls Network virtualization seamlessly connecting virtual machines across multiple providers Applications Distributed virtual private clusters Education, training in distributed computing Private communication among Internet users extending online social networks 2

3 Rationale Virtualization techniques for decoupling, isolation, multiplexing also apply to networking E.g. VLANs, VPNs However, there are challenges in configuration, deployment, and management Peer-to-peer techniques provide a basis for scalable routing, and self-management Software routers, integration at network end-points enables deployment over existing infrastructure Architecture, design needs to account for connectivity constraints, and support TCP/IP efficiently; optimize for common cases 3

4 Application Examples Cloud-bursting Run additional worker VMs on a cloud provider Extending enterprise LAN to cloud VMs seamless scheduling, data transfers Federated Inter-cloud environments Multiple private clouds across various institutions Virtual machines can be deployed on different sites and form a distributed virtual private cluster Hands-on laboratories for classes Deploy your own cluster Connecting devices of social network peers Media streaming, file sharing, gaming, 4

5 Background Talk - Outlook Architecting self-organizing virtual networks Topology, routing, tunneling, addressing, NAT traversal, performance Applications in Grid/cloud and end-user environments Virtual Private Clusters Social VPNs Applications in education FutureGrid 5

6 Resource Virtualization Virtual machines (Xen, VMware, KVM) paved the way to Infrastructure-as-a-Service (IaaS) Computing environment decoupled from physical infrastructure Pay-as-you-go for computing cycles Virtual networks complement virtual machines for increased flexibility and isolation in IaaS VMs must communicate seamlessly regardless of where they are provisioned Traffic isolation; security, resource control 6

7 Virtual Machines and Networks Virtual Infrastructure V2 V3 V1 VMM + VN Physical Infrastructure Domain B Domain A WAN Domain C 7

8 Virtual Networks Single infrastructure, many virtual networks E.g. one per user, application, project, social network Each isolated and independently configured Addressing, protocols; authentication, encryption Multiplexing physical network resources Network interfaces, links, switches, routers 8

9 Network Virtualization Where? Software Virtualized endpoints Software Network Device Network Fabric Network Device (Virtual) machine (Virtual) machine Virtualized Fabric (e.g VLAN, OpenSwitch) 9

10 Landscape Peer-wise Internet connectivity constrained IPv4 address space limitations; NATs, firewalls Challenges - shared environment Lack of control of networking resources Cannot program routers, switches Public networks privacy is important Often, lack privileged access to underlying resources May be root within a VM, but lacking hypervisor privileges Dynamic creation, configuration and tear-down Complexity of management 10

11 Peer-to-Peer Virtual Networks Overview User-level IP overlays deployable on Internet end resources (software routers, virtual NICs) Why virtual? Hide complexities associated with NAT traversal, IPv4 address space constraints from applications Support unmodified applications Why peer-to-peer? Self-organizing - reduce management complexity and cost Decentralized architecture for scalability and robustness 11

12 The IP-over-P2P (IPOP) Approach Isolation Virtual address space decoupled from Internet Packets picked, encapsulated, tunneled and delivered within the scope of virtual network Self-organization Overlay topology, routing tables Autonomously deals with joins, leaves, failures Decentralized P2P messaging architecture No global state, no central point of failure Tunnels (UDP, TCP, ), routing Decentralized NAT traversal No need for STUN server infrastructure [IPDPS 2006, Ganguly et al] 12

13 IPOP: Architecture Overview Unmodified applications Connect( ,80) Application Virtual Router Capture/tunnel, scalable, resilient, self-configuring Routing; object store VNIC Isolated, private virtual address space Wide-area Overlay network Virtual Router VNIC Application

14 P2P Overlay (Brunet) Bi-directional ring ordered by 160-bit IPOPid s Structured connections: Near : with neighbors Far : across the ring n2 n3 n4 IPOPid n5 n6 Multi-hop path between n1 and n7 n1 n7 Far n12 n8 Near n1 < n2 < n3 <. < n13 < n14 n11 n10 n9

15 Overlay: Edges and Routing Overlay edges Multiple transports: UDP, TCP, TLS NAT traversal (UDP hole-punching) Greedy routing Deliver to peer closest to destination IPOPid Constant # of edges per node (average k) O((1/k)log 2 (n)) overlay hops On-demand edges Created/trimmed down based on IP communication 15

16 Creating Overlay Edges CTM request A A s endpoint URIs: tcp:// :3000 (local) udp:// :4433 (NAT learned) Link request Overlay path A sends a Connect-to-me (CTM) request to B s IPOPid Contains all its URIs (UDP/TCP IP:port endpoints) Routed over P2P overlay to B B CTM reply B s endpoint URIs: tcp:// :5000 udp:// :6000 B sends CTM reply with its URIs overlay routed B initiates linking with A Attempts linking with parallel requests to A s URIs 16

17 NAT Traversal Direct edge between A and B A B Technique for cone UDP NATs: A s link request message to B creates ephemeral state in A s NAT allowing messages from B to pass through NAT (and vice-versa) Overlay: manage keep-alives so NAT mapping holes stay open; re-link if NAT mappings expire 17

18 Naming and Multiplexing One P2P overlay can multiplex multiple VNs E.g. multiple virtual clusters from different projects IP routing within the scope of a namespace User-provided string identifies IPOP namespace Each IPOP node is configured with a namespace IP-to-P2P address resolution: DHT-Get(namespace:IP) -> IPOPid 18

19 Managing Virtual IP Addresses Address assignment: static, or dynamic Supports DHCP Store configuration (including base address, mask) on DHT entry bound to namespace DHCP proxy runs on each IPOP node Pick DHCP request Lookup DHCP configuration for namespace Guess an IP address at random within range Attempt to store in DHT; wait for majority to acknowledge; retry upon failure 19

20 Optimization: On-demand edges At each node: Count IP-over-P2P packets to other nodes When number of packets within an interval exceeds threshold: Initiate connection setup; create edge Trimming on-demand edges no longer in use Overhead involved in connection maintenance 20

21 Optimization: Tunnel Edges Peers X, Y may not be able to communicate directly if they are behind symmetric NATs X, Y exchange list of neighbor URIs Each attempts to create edge to common intermediary Z to serve as proxy Routing abstracted as regular overlay edge X-Y connected by virtual edge Useful to maintain ring topology in the face of failures (routing outages, symmetric NATs) 21

22 Implementation IPOP open-source system C# user-level router Tap virtual network device Performance 1GbE physical LAN Latency (ms) Bwidth (Mb/s) Mem (KB) Host n/a IPOP IPOP+sec

23 Performance (WAN) Netperf stream native (Mbps) Netperf stream IPOP (Mbps) Netperf RR trans/s native Netperf RR trans/s IPOP EC2/UF EC2GoGrid UF/GoGrid

24 Related Work There exist several VPN technologies: Enterprise VPNs (e.g. Cisco); Open-source (e.g OpenVPN); Consumer/gaming/SMB (e.g. Hamachi) Not easily applicable to federating cloud resources Proprietary code; difficulty in configuration/management Research work in the context of Grid/cloud computing VNET (Northwestern University), VIOLIN (Purdue University), Private Virtual Cluster (INRIA), ViNe (Tsugawa, UF) VU 24

25 IPOP Social Networks Users now commonly manage relationships to social peers through Online Social Networks Facebook, Google+ Communication hindered by OSN provider APIs, privacy concerns A generic IP network can enable existing and new social network applications But users don t have public IPs, don t want to necessarily open NATs/firewalls to all users Users don t want to configure and discover network services manually 25

26 Social VPNs Alice's Compute Node Alice's Friend's Compute Node Bob's Compute Node on EC2 OSN IP-over-P2P Tunnel XMPP Alice Bob Carl

27 Social VPNs From a user s perspective: it s simple My computer gets a virtual network card It connects me directly to my social peers All IP packets: authenticated, encrypted, end-to-end Leverage well-known PKI techniques No configuration besides establishing social links All I need to do to is log in to a web based social network Applications, middleware work as if the computers were on the same local-area network Including multicast-based resource discovery UPnP, mdns 27

28 Applications Social VPN is not the application It is not tied to an application either It enables applications that are of interest for collaboration Security needed beyond network layer Authenticated end-to-end private IP tunnels provide a foundation Traditional applications Media streaming, desktop sharing, file sharing, cycle sharing Platform for decentralized social network applications Fault-tolerant micro-blogging, private file sharing,.. 28

29 IPOP Social VPN Internals NAT traversal and routing core Private end-to-end tunnels Peer discovery and certificate exchange XMPP Jabber, Google Facebook APIs (was in first prototype; no longer in the code) Dynamic IP address assignment Facebook: more users than IPv4 24-bit private space Also must avoid conflicts with local private networks, and support mobility 29

30 Addressing and Mapping 160-bit P2P IDs used for overlay routing Each node generates random P2P ID Node issues a self-signed public key certificate with its P2P identifier; publishes through OSN APIs Certificates of friends nodes are discovered, retrieved, revoked through OSN APIs IPv4 addresses seen by applications Dynamically-generated non-conflicting private subnet Local node and friends nodes are mapped dynamically to addresses within range Naming possible through SocialDNS IP src/dest addresses translated (ports are not) [COPS 2008]

31 Address Translation Alice's Compute Node Alice's Friend's Compute Node Bob's Compute Node on EC2 Alice Send-to BobP2P Recv-from AliceP2P SVPN: /16 Alice: Bob: > BobP2P SVPN: /16 Bob: Alice: > AliceP2P

32 32 Group-oriented Social VPNs SocialVPN focuses on unstructured peer-topeer communication User s VPN scoped by their own social links Powerful abstraction, but there are applications require all-to-all connectivity E.g. a virtual private cluster How to use relationships established through Web-based portals to create virtual clusters? Group-oriented VPNs Software packaging in virtual appliance images

33 33 Use case: Education and Training Importance of experimental work in systems research Needs also to be addressed in education Complement to fundamental theory FutureGrid: a testbed for experimentation and collaboration Education and training contributions: Lower barrier to entry pre-configured environments, zeroconfiguration technologies Community/repository of hands-on executable environments: develop once, share and reuse

34 34 Educational appliances in FutureGrid A flexible, extensible platform for handson, lab-oriented education on FutureGrid Executable modules virtual appliances Deployable on FutureGrid resources Deployable on other cloud platforms, as well as virtualized desktops Community sharing Web 2.0 portal, appliance image repositories An aggregation hub for executable modules and documentation

35 35 What is a virtual appliance? A virtual appliance packages software and configuration needed for a particular purpose into a virtual machine image The virtual appliance has no hardware just software and configuration The image is a (big) file It can be instantiated on hardware

36 36 Virtual appliance example Linux + Apache + MySQL + PHP LAMP image A web server Another Web server copy instantiate Virtualization Layer Repeat

37 37 Clustered applications Replace LAMP with the middleware of your choice e.g. MPI, Hadoop, Condor MPI image copy instantiate An MPI worker Virtualization Layer Another MPI worker Repeat

38 38 Grid appliance - virtual clusters Same image, per-group VPNs Hadoop + Virtual Network GroupVPN Credentials (from Web site) copy Group VPN A Hadoop worker instantiate Virtual machine Virtual IP - DHCP Repeat Another Hadoop worker Virtual IP - DHCP

39 39 Grid appliance clusters Virtual appliances Encapsulate software environment in image Virtual disk file(s) and virtual hardware configuration The Grid appliance Encapsulates cluster software environments Current examples: Condor, MPI, Hadoop Homogeneous images at each node Virtual Network connecting nodes forms a cluster Deploy within or across domains

40 40 Grid appliance internals Host O/S Linux Grid/cloud stack MPI, Hadoop, Condor, Glue logic for zero-configuration Automatic DHCP address assignment Multicast DNS (Bonjour, Avahi) resource discovery Shared data store - Distributed Hash Table Interaction with VM/cloud

41 41 One appliance, multiple hosts Allow same logical cluster environment to instantiate on a variety of platforms Local desktop, clusters; FutureGrid; Amazon EC2; Science Clouds Avoid dependence on host environment Make minimum assumptions about VM and provisioning software Desktop: 1 image, VMware, VirtualBox, KVM Para-virtualized VMs (e.g. Xen) and cloud stacks need to deal with idiosyncrasies Minimum assumptions about networking Private, NATed Ethernet virtual network interface

42 42 Configuration framework At the end of GroupVPN initialization: Each node of a private virtual cluster gets a DHCP address on virtual tap interface A barebones cluster Additional configuration required depending on middleware Which node is the Condor negotiator? Hadoop front-end? Which nodes are in the MPI ring? Key frameworks used: IP multicast discovery over GroupVPN Front-end queries for all IPs listening in GroupVPN Distributed hash table Advertise (put key,value), discover (get key)

43 43 Configuring and deploying groups Generate virtual floppies Through GroupVPN Web interface Deploy appliances image(s) FutureGrid (Nimbus/Eucalyptus), EC2 GUI or command line tools Use APIs to copy virtual floppy to image Submit jobs; terminate VMs when done

44 44 Classes in FutureGrid Classes are setup and managed using the FutureGrid portal Project proposal: can be a class, workshop, short course, tutorial Needs to be approved by FutureGrid project to become active Users can be added to a project Users create accounts using the portal Project leaders can authorize them to gain access to resources Students can then interactively use FG resources (e.g. to start VMs)

45 45 Use of FutureGrid in classes Cloud computing/distributed systems classes U.of Florida, U. Central Florida, U. of Puerto Rico, Univ. of Piemonte Orientale (Italy), Univ. of Mostar (Croatia) Distributed scientific computing Louisiana State University Tutorials, workshops: Big Data for Science summer school A cloudy view on computing SC 11 tutorial Clouds for science Science Cloud Summer School (2012)

46 Deployed Systems PlanetLab bootstrap overlays Grid appliance deployments: Archer - ~700-CPU cluster SocialVPN deployments: Thousands of downloads, hundreds of deployed nodes

47 On-going Work Integration of IPOP with IPsec for dynamicallyprovisioned cloud virtual networks Collaboration with Thilo Kielmann (VU), Guillaume Pierre (Rennes) and the Contrail/ConPaaS teams Overlay by-pass, integration with OpenFlow software-defined networks IPv6/IPv4 overlays, virtual clusters for highthroughput computing, education Archer (computer architecture) FutureGrid (virtual appliances for education) PRAGMA (Pacific Rim Grid) 47

48 Acks and Thanks ACIS P2P group (IPOP) Over the years: P. O. Boykin, Heungsik Eom, Arijit Ganguly, Pierre St. Juste, Kyungyong Lee, Yonggang Liu, Girish Venkatasubramanian, David Wolinsky, Jiangyan Xu FutureGrid, National Science Foundation Awards , , Vrije Universiteit and Contrail For more information and downloads:

49 49