Overview. Tor Circuit Setup (1) Tor Anonymity Network



Similar documents
How To Understand The Power Of A Content Delivery Network (Cdn)

DATA COMMUNICATOIN NETWORKING

Measuring the Web: Part I - - Content Delivery Networks. Prof. Anja Feldmann, Ph.D. Dr. Ramin Khalili Georgios Smaragdakis, PhD

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

CSC2231: Akamai. Stefan Saroiu Department of Computer Science University of Toronto

Web Caching and CDNs. Aditya Akella

ICP. Cache Hierarchies. Squid. Squid Cache ICP Use. Squid. Squid

Best Practices for Controlling Skype within the Enterprise. Whitepaper

Content Delivery Networks (CDN) Dr. Yingwu Zhu

Skype network has three types of machines, all running the same software and treated equally:

Content Distribu-on Networks (CDNs)

Distributed Systems 19. Content Delivery Networks (CDN) Paul Krzyzanowski

Distributed Systems. 23. Content Delivery Networks (CDN) Paul Krzyzanowski. Rutgers University. Fall 2015

CSCI-1680 CDN & P2P Chen Avin

Skype characteristics

Indirection. science can be solved by adding another level of indirection" -- Butler Lampson. "Every problem in computer

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

Distributed Systems. 25. Content Delivery Networks (CDN) 2014 Paul Krzyzanowski. Rutgers University. Fall 2014

Distributed Systems. 24. Content Delivery Networks (CDN) 2013 Paul Krzyzanowski. Rutgers University. Fall 2013

Web Application Hosting Cloud Architecture

Internet Content Distribution

Overlay Networks. Slides adopted from Prof. Böszörményi, Distributed Systems, Summer 2004.

1. Comments on reviews a. Need to avoid just summarizing web page asks you for:

How To Use A Phone Over Ip (Phyto) For A Phone Call

Best Practices for Controlling Skype within the Enterprise > White Paper

VoIP over P2P networks

Lecture 3: Scaling by Load Balancing 1. Comments on reviews i. 2. Topic 1: Scalability a. QUESTION: What are problems? i. These papers look at

Internet Security. Prof. Anja Feldmann, Ph.D.

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

The Application Front End Understanding Next-Generation Load Balancing Appliances

Department of Computer Science Institute for System Architecture, Chair for Computer Networks. Caching, Content Distribution and Load Balancing

Professor Yashar Ganjali Department of Computer Science University of Toronto.

Internet Privacy Options

NEFSIS DEDICATED SERVER

Real-Time Analysis of CDN in an Academic Institute: A Simulation Study

BGP and Traffic Engineering with Akamai. Caglar Dabanoglu Akamai Technologies AfPIF 2015, Maputo, August 25th

The Role and uses of Peer-to-Peer in file-sharing. Computer Communication & Distributed Systems EDA 390

The old Internet. Software in the Network: Outline. Traditional Design. 1) Basic Caching. The Arrival of Software (in the network)

Internet Content Distribution

Request Routing, Load-Balancing and Fault- Tolerance Solution - MediaDNS

1 Introduction: Network Applications

Content Delivery Networks. Shaxun Chen April 21, 2009

Content Delivery Networks

SiteCelerate white paper

DNS and P2P File Sharing

Peer-to-Peer Systems: "A Shared Social Network"

Testing & Assuring Mobile End User Experience Before Production. Neotys

Load Balancing for Microsoft Office Communication Server 2007 Release 2

CS514: Intermediate Course in Computer Systems

The Effectiveness of Request Redirection on CDN Robustness

Challenges of Sending Large Files Over Public Internet

GLOBAL SERVER LOAD BALANCING WITH SERVERIRON

Global Server Load Balancing

ENTERPRISE DATA CENTER CSS HARDWARE LOAD BALANCING POLICY

The Application Delivery Controller Understanding Next-Generation Load Balancing Appliances

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Data Center Content Delivery Network

TalkShow Advanced Network Tips

AppDirector Load balancing IBM Websphere and AppXcel

Computer Networks & Security 2014/2015

F-Secure Messaging Security Gateway. Deployment Guide

Guidance Regarding Skype and Other P2P VoIP Solutions

LifeSize Transit Deployment Guide June 2011

LARGE-SCALE INTERNET MEASUREMENTS FOR DIAGNOSTICS AND PUBLIC POLICY. Henning Schulzrinne (+ Walter Johnston & James Miller) FCC & Columbia University

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

The Value of Content Distribution Networks Mike Axelrod, Google Google Public

IT Security Evaluation of Skype in Corporate Networks

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

Making the Internet fast, reliable and secure. DE-CIX Customer Summit Steven Schecter <schecter@akamai.com>

From Internet Data Centers to Data Centers in the Cloud

Availability Digest. Redundant Load Balancing for High Availability July 2013

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

NAT and Firewall Traversal with STUN / TURN / ICE

ELIXIR LOAD BALANCER 2

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

Enabling Media Rich Curriculum with Content Delivery Networking

ExamPDF. Higher Quality,Better service!

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies APNIC th August 2013

Network Administrator s Guide

Load Balancing and Sessions. C. Kopparapu, Load Balancing Servers, Firewalls and Caches. Wiley, 2002.

CHAPTER 4 PERFORMANCE ANALYSIS OF CDN IN ACADEMICS

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway

Web DNS Peer-to-peer systems (file sharing, CDNs, cycle sharing)

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Cisco TelePresence Video Communication Server (Cisco VCS) IP Port Usage for Firewall Traversal. Cisco VCS X8.5 December 2014

Towards a Peer-to-Peer Extended Content Delivery Network

Rapid IP redirection with SDN and NFV. Jeffrey Lai, Qiang Fu, Tim Moors December 9, 2015

Hashing in Networked Systems

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

Radware s AppDirector and AppXcel An Application Delivery solution for applications developed over BEA s Weblogic

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

IxLoad - Layer 4-7 Performance Testing of Content Aware Devices and Networks

How To Block Skype

A Topology-Aware Relay Lookup Scheme for P2P VoIP System

Application Layer. CMPT Application Layer 1. Required Reading: Chapter 2 of the text book. Outline of Chapter 2

Transcription:

8-345: Introduction to Telecommunication Networks Lectures 8: Delivering Content Web, Peer-Peer, CDNs Peter Steenkiste Spring 05 www.cs.cmu.edu/~prs/nets-ece Web Peer-to-peer Motivation Architectures TOR Skype CDN Video Overview Tor Anonymity Network Deployed onion routing network http://torproject.org Specifically designed for low-latency anonymous Internet communications Running since October 003 Thousands of relay nodes, 00K-500K? of users Easy-to-use client proxy, integrated Web browser Not like FreeNet no data in TOR Really an overlay not pure peer-to-peer Tor Circuit Setup () Client proxy establish a symmetric session key and circuit with relay node # A = K(B) k All data sent over the circuit is encrypted Based on slides by Vitaly Shmatikov slide 3 slide 4

Tor Circuit Setup () Client proxy extends the circuit by establishing a symmetric session key with relay node # Tunnel through relay node # Tor Circuit Setup (3) Client proxy extends the circuit by establishing a symmetric session key with relay node #3 Tunnel through relay nodes # and # slide 5 slide 6 Using a Tor Circuit Client applications connect and communicate over established Tor circuit Datagrams decrypted at each link Also want end-to-end encryption not done by Tor slide 7 Using Tor Many applications can share one circuit Multiple TCP streams over one anonymous connection Tor router doesn t need root privileges Encourages people to set up their own routers More participants = better anonymity for everyone Directory servers Maintain lists of active relay nodes, their locations, current public keys, etc. Control how new nodes join the network Sybil attack : attacker creates a large number of relays Directory servers keys ship with Tor code slide 8

Web Peer-to-peer Motivation Architectures TOR Skype CDN Video Overview What is Skype? Support pc-to-pc, pc-to-phone, phone-to-pc VoIP and IM client communication Also: conference calls, video, Developed by people who created KaZaa Has peer-to-peer features that will look familiar A pp illusion Login server Buddy-list server Servers for SkypeOut and SkypeIn Anonymous call minutes statistic gathering Challenges include dealing with NATs, firewalls and scalability 9 Based on slides by Baset and Schulzrinne (Infocom 06) 0 What problems does it solve? The Skype Network NAT and firewall traversal Nielsen September 005 ratings 6.3% of US home internet users use broadband (http://www.nielsen-netratings.com/pr/pr_05098.pdf) Most users have some kind of NAT Calls between traditional telephone and internet devicese SkypeOut (pc-to-phone) Terms of service: governed by the laws of Luxembourg SkypeIn (phone-to-pc), voicemail Scale management of user state Ordinary host (OH) A Skype client (SC) Super nodes (SN) A Skype client (SC) that has public IP address, sufficient bandwidth, CPU and memory Login server Stores Skype id s, passwords, and buddy lists Used at login for authentication Skype login server Message exchange with the login server during login ordinary host (SC) super node (SN) neighbor relationships in the Skype network 3

Host Cache IP address and port number of online Skype nodes (SNs) Maximum size: 00 entries Liang, Kumar and Ross. Understanding KaZaA 00 entries for ordinary nodes (ON) Login server IP address and port number HC Windows location (depends on OS version) C:\Documents and Settings\All Users\Application Data\Skype 3 Login Public, NAT Establishes a TCP connection with the SN Keep connection alive by sending refresh message every min. Authenticates with the login server Announces arrival on the network (controlled flooding) Determines NAT type Firewall Establishes a TCP connection with the SN Authenticates with the login server 4 Skype Components: Ports Call Establishment No default listening port Randomly chooses a port (P) on installation Opens TCP and UDP listener sockets at P Opens TCP listener sockets at port 80 (HTTP) and port 443 (HTTPS) 5 Call signaling always carried over TCP and goes ee Public-public call Caller SC establishes a TCP connection with callee SC Public-NAT Difficult case is when callee is behind port-restricted NAT Different solutions based on the nature of the NAT Caller----> Super node ----> Callee TCP connections established between caller, callee, and more than one Skype nodes Firewall-firewall call Same as public-nat but no UDP packets Calls to non buddies=search+call 6 4

User Search From the Skype website Guaranteed to find a user if it exists and logged in in the last 7 hours Search is similar to search in KaZzA But were unable to trace messages beyond SN User does not exist. How does search terminate? Skype contacts login server for failed searches SN searches for a user behind UDPrestricted firewall 7 Media Transfer No silence suppression Silence packets are used to Play background noise at the peer Maintain UDP NAT binding Avoid drop in the TCP congestion window Putting a call on hold packet/3 seconds to call-peer or Skype node Same reasons as above Codec frequency range 50-8,000 Hz (total bw of 3 kilobytes/s) Reasonable call quality at (4-5 kilobytes/s) 8 Summary Selfish application Uses best CPU and bandwidth resources Evades blocking Change application priority to High after call establishment Code obfuscation, runtime decryption Login server and super nodes - not strictly peer-topeer STUN and TURN equivalent functionality (handle NATs) Combination of hashing and controlled flooding Multiple paths for in-time switching in case of failures Search falls back to login server 9 Web Peer-to-peer CDN Motivation Edge servers Content delivery Mapping Impact on Internet Video Overview 0 5

Case Study on Reliability and Scalability: The 000 Election http://www.akamai.com/html/technology/nui/news/index.html Customer Visits (Millions) 0 7 5 0 7 5 0 Crash Zone Without Akamai this site could not have served customers above their crash zone Time Content Distribution Networks (CDNs) CDNs replicate content for their customers (content providers) CDN company installs hundreds of CDN servers throughout Internet Close to users When provider updates content, CDN updates servers CDNs differ in their reach Number of sites, closeness to customers Some content providers have started to deploy their own CDNs CDN server in S. America origin server in North America CDN distribution node CDN server in Europe CDN server in Asia 3 Potential Benefits Very good scalability Near infinite if deployed properly Good economies at large scales Infrastructure is shared efficiently by customers Statistical multiplexing: hot sites use more resources Avoids congestion and long latencies Through mapping to closest server Can be extremely reliable Very high degree of redundancy Can mitigate some DoS attacks 4 6

Edge Caches Region set of caches managed as a cluster May have a specific function: http, streaming, Availability is a major concern in architecture Redundancy at the network level See next slide Dealing with server failures Servers do fail occasionally Each server has a buddy which is constantly trading hellos If hellos stop, buddy starts to respond directly to requests for primary server Users in the middle of a download may have to hit reload No one else will notice any interruption Example Configuration 5 Content Delivery: Possible Bottlenecks Process Flow Last Mile Problem First Mile Problem End User Peering Problem Internet Backbone Problem Host Server. User wants to download distributed web content 7

Process Flow Process Flow 3. User is directed through Akamai s dynamic mapping to the closest edge cache 3. Edge cache searches local hard drive for content Process Flow Process Flow 3b 3 3 3b. If requested object is not on local hard drive, edge cache checks other edge caches in same region for object 3b. If requested object is not cached or not fresh, edge cache sends an HTTP GET the origin server 8

Process Flow Process Flow 3b 3b 3 3c 4 3 3c 3c. Origin server delivers object to edge cache over optimized connection 4. Edge server delivers content to end user Core Hierarchy Regions Core Hierarchy Regions. User requests content and is mapped to optimal edge Akamai server. If content is not present in the region, it is requested from most optimal core region 9

Core Hierarchy Regions Core Hierarchy Regions 3. Core region makes one request back to origin server 4. Core region can serve many edge regions with one request to origin server Core Hierarchy Features Reduces traffic back to origin server Reduces infrastructure needs of customer Provides best protection against flash crowds Especially important for large files (e.g. Operating System updates or video files) Improved end-user response time Core regions are well connected Optimized connection speeds object delivery Mapping: Server Selection Which server? Lowest load to balance load on servers Best performance to improve client performance Based on Geography? RTT? Throughput? Load? Any alive node to provide fault tolerance How to direct clients to a particular server? As part of routing anycast, cluster load balancing Not covered As part of application HTTP redirect As part of naming DNS 40 0

Application Based HTTP supports simple way to indicate that Web page has moved (30X responses) Server receives Get request from client Decides which server is best suited for particular client and object Returns HTTP redirect to that server Can make informed application specific decision May introduce additional overhead multiple connection setup, name lookups, etc. While good solution in general, but HTTP Redirect has some design flaws Naming Based Client does name lookup for service Name server chooses appropriate server address A-record returned is best one for the client What information can name server base decision on? Server load/location must be collected Information in the name lookup request Name service client typically the local name server for client 4 4 Mapping Algorithms Three main components to finding closest edge cache to end user from a Network point of view: Packet Loss + Throughput + Latency Listed in order of importance (roughly) Mapping also takes into account edge cache performance Does a server have an object on its hard drive? Uses consistent hashing algorithm Does the edge cache have CPU, RAM, bandwidth, etc. available to serve end-user? Access to Web Site without CDN Customer Web End User Server User enters Customer s Web User s browser Objects served standard URL Server returns 3 requests embedded 4 with round trips www.customer.com HTML with objects from customer across the Internet embedded URLs Web server <img src=/images/logo.gif>

HTTP request for embedded content Akamai Server Access Using Akamai Content Served Locally HTTP request user enters standard URL HTML code contains Akamai URLs (ARL) Example ARL: img src= a000.g.akamai.net/ /www.customer.com/images/logo.gif Client s Servers End-user How Akamai Works cnn.com (content provider) DNS root server Akamai server Get foo.jpg Get index. html 3 4 5 6 7 8 9 0 Get /cnn.com/foo.jpg Akamai high-level DNS server Akamai low-level DNS server Nearby matching Akamai server 46 End-user Akamai Subsequent Requests cnn.com (content provider) DNS root server Akamai server Get index. html Akamai high-level DNS server 7 Akamai low-level DNS 8 9 Get 0 /cnn.com/foo.jpg server Nearby matching Akamai server 47 Steps in Content Retrieval Clients fetch html document from primary server E.g. fetch index.html from cnn.com URLs for replicated content are replaced in html E.g. <img src= http://cnn.com/af/x.gif > replaced with <img src= http://a73.g.akamaitech.net/7/3/cnn.com/af/x.gif > Note that modified name includes original file name Drawback: must modify the content Client is forced to resolve a.g.akamaitech.net hostname Initial focus was on static content Has shifted to services 48

Resolution of Modified Name Root server gives NS record for akamai.net Akamai.net name server returns NS record for g.akamaitech.net Name server chosen to be in region of client s name server TTL is large G.akamaitech.net nameserver chooses server in region Should try to chose server that has file in cache - How to choose? Uses a name and hash TTL is small why? 49 Further Optimizing Performance Customer CNAME s (aliases) www.customer.com Anyone looking up www.customer.com will be redirected to an Akamai hostname - customer.d4p.net No, I do not know why we use d4p.net. customer.d4p.net is CNAME d to axxx.g.akamai.net Standard Akamai mapping magic sends returns the closest edge server for axxx.g.akamai.net Benefits Overview End user never communicates with origin server high reliability Thousands of servers backing each other up If one geographic area is disabled, no other area is affected Mitigates some DoS attacks Uncacheable content is tunneled back to origin Persistent TCP connections increase performance Helps with downloading of objects to end caches Web Peer-to-peer CDN Motivation Edge servers Content delivery Mapping Impact on Internet Video 5 3

Transit ($$$) ISP Z Transit ($$) Change in Traffic with CDN Edge Caches Transit ($$ /) Peering Transit ($$$) ISP P ISP X Transit ($$) Transit ($$$) Transit ($$$) Peering Transit ($) Transit ($$) ISP Y ISP Q Impact of CDN Growth Flattening of the Internet More content is served from the edge of the network Also seeing an increase in peering More traffic remains at edge reduced load on core Changes in the economic relationships Caches benefit users: better performance, reliability Happy customers benefit the CDN ISP benefits since more content is served locally Reduces traffic from provider direct economic benefit CDNs sometimes place caches in eye ball ISPs for free, but economic models change all the time 53 54 Some Recent Trends If CDN s can deploy caches, why can t I? Content providers have started to deploy CDNs Reduce cost, assuming you are large enough Optimize caching to their specific requiremens Can still use CDNs, e.g., in certain regions,. Internet Service Providers also try deploy CDNs Sometimes difficult to build the business relationships with content owners too many ISPs! How about the know-how? Hybrid solutions are emerging, e.g., ISPs install hardware and license software from CDNs Summary Caching improves web performance Caching only at client is only partial solution Not enough locality Content Delivery Networks move data closer to user, balance load, increase availability, Is having impact on structure of the Internet No longer just a solution for static content 55 56 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information