On Proxy Server based Multipath Connections (PSMC)

PhD Proposal, Yu Cai, 10/2003, University of Colorado at Colorado Springs


Page 1: On  Proxy Server based  Multipath Connections  (PSMC)

On Proxy Server based Multipath Connections (PSMC)

PhD Proposal

Yu Cai, 10/2003

University of Colorado at Colorado Springs

Page 2: On  Proxy Server based  Multipath Connections  (PSMC)

Presentation outline

Introduction

Related work

Algorithms for PSMC proxy server selection.

Protocols for PSMC packets handling.

PSMC applications

Security issues of PSMC.

Conclusion

Page 3: On  Proxy Server based  Multipath Connections  (PSMC)

Introduction

Single path connection vs. multipath connections

The connections between two network nodes are mostly single path connections in today’s network environment.

Multipath connections provide potentially multiple paths between network nodes, so that the traffic from a source can be spread over multiple paths and transmitted in parallel through the network.

Page 4: On  Proxy Server based  Multipath Connections  (PSMC)

The benefits of multipath connections

Utilize the network resources more efficiently,

Improve the effective bandwidth of network nodes,

Increase the packet delivery reliability,

Provide quality-of-service guarantee,

Cope well with network congestion, link breakage and burst traffic.

Page 5: On  Proxy Server based  Multipath Connections  (PSMC)

Related works on multipath connections

The IBM Systems Network Architecture (SNA) network in 1974.

N. F. Maxemchuk in 1975 (dispersity routing). The research was extended to virtual circuit networks and ATM networks.

Categories of multipath connections based on the OSI 7 layer network model

1. Physical layer: one example is multipath interference, which causes FM radio to sound staticky.

2. Data link layer: Link Aggregation, defined in IEEE 802.3ad.

Page 6: On  Proxy Server based  Multipath Connections  (PSMC)

Related works on multipath connections

3. Network layer: has been studied extensively as multipath routing.

a. Wired network: Table-driven routing (link state or distance vector), Source Routing, MultiProtocol Label Switching (MPLS).

b. Wireless ad hoc network: Table-driven routing (link state or distance vector), Source Routing.

4. Transport layer: Linux multipath connections for multiple ISP connections

Page 7: On  Proxy Server based  Multipath Connections  (PSMC)

Proxy Server based Multipath Connections (PSMC)

We propose to study proxy server based multipath connections (PSMC). It is a cross-layer implementation.

The key idea of PSMC is as follows.

By using a set of connection relay proxy servers, we could set up indirect routes via the proxy servers, and transport packets over the network through the indirect routes.

By enhancing existing TCP/IP protocols, we could efficiently distribute and reassemble packets among multiple paths at two end nodes, and increase end-to-end TCP throughput.

The approach offers applications the ability to increase the network performance, efficiency, stability, availability and security.

Page 8: On  Proxy Server based  Multipath Connections  (PSMC)

PSMC diagram

Page 9: On  Proxy Server based  Multipath Connections  (PSMC)

Why PSMC

PSMC has advantages like other multipath connections approaches

Flexibility: PSMC can be more conveniently and adaptively deployed in various network environments. PSMC doesn’t require changes to the physical network infrastructure, only feasible changes to network software and protocols. PSMC also gives the end users more control over setting up multipath connections.

Compatibility: PSMC utilizes existing TCP/IP protocols and network infrastructure. This ensures compatibility with the current Internet. It also ensures the performance, efficiency, reliability, and hides the complexity from end-users.

Applications: A large number of applications in various categories could benefit from utilizing PSMC. For example, secure collective defense network (SCOLD), providing additional bandwidth based on operational requirement, or providing QoS for video streaming.

Page 10: On  Proxy Server based  Multipath Connections  (PSMC)

Three components in PSMC

The multipath sender is responsible for efficiently and adaptively distributing packets over the selected multiple paths. Some of the packets will go through the normal direct route, other packets will go through the indirect routes via the proxy servers.

The intermediate connection relay proxy servers examine the incoming packets and forward them to the destinations through the selected path.

The multipath receiver collects the packets that arrive from multiple paths, reassembles them in order and delivers them to the user.

Page 11: On  Proxy Server based  Multipath Connections  (PSMC)

Algorithms for PSMC

Proxy server selection is a critical part of PSMC. Different proxy server selections result in different performance.

We have developed heuristic algorithms to choose the best mirror sites for parallel download from multiple mirror sites, which can be viewed as a subproblem of PSMC.

Page 12: On  Proxy Server based  Multipath Connections  (PSMC)

Server Location Problem

We need to solve the following two proxy server selection problems.

1) Server Selection Problem. Given the target server location and a set of proxy servers, choose the best proxy server(s) for a client or for a group of clients, to achieve the best performance in terms of bandwidth.

2) Server Placement Problem. Given the target server location and a set of nodes, choose the best node(s) to place the proxy servers for certain connection requirements, like maximizing the network aggregated bandwidth.

Likely NP problems. Approaches: heuristic algorithms, or loosening the optimality constraints to simplify the problem.

Page 13: On  Proxy Server based  Multipath Connections  (PSMC)

Diagram of server selection/placement problem

[Diagram panels: Server selection problem; Server placement problem]

Page 14: On  Proxy Server based  Multipath Connections  (PSMC)

Related work on algorithms

The mirror server and web cache server selection problem has been studied in recent years.

Two types of approaches.

1) Formal approach: based on graph theory. Common assumptions for obtaining the network graph are:

a) network topology pre-known,

b) path cost pre-known,

c) single and static connection.

Algorithms include:

a) random algorithm,

b) greedy algorithm,

c) tree-based algorithm,

d) k-min algorithm.

2) Practical approach: no assumption, for the real world.

a) IDMap,

b) Client clustering.

Page 15: On  Proxy Server based  Multipath Connections  (PSMC)

Why PSMC algorithms?

Even though there are various server selection algorithms and approaches, ad hoc selection is still the main approach used in practice.

Existing server selection algorithms only study the cases of mirror servers and cache servers. But the proxy servers in PSMC have several unique properties, which will result in different optimality constraints and optimization goals.

Further study on algorithms needs to be done.

Page 16: On  Proxy Server based  Multipath Connections  (PSMC)

PSMC Protocols: packets handling

Protocols need to be designed to distribute, reassemble and transmit packets.

Packet distribution and reassembling: add a thin layer between TCP/UDP and IP. Linux kernel enhancement. Linux Virtual Server packet handling. ATCP packet handling.

Why add a thin layer?

a) Utilize existing TCP/IP protocols, particularly the packet re-sequencing and re-sending mechanism.

b) Hide the complexity of multipath connections from upper layer users.

c) Maintain the high end-to-end TCP throughput.

Page 17: On  Proxy Server based  Multipath Connections  (PSMC)

PSMC Protocols: packet transmission

Packet transmission: after investigating various approaches, like SOCKS proxy server and Zebedee, we proposed to use IP Tunnel or IPSec to enable indirect routes via proxy servers.

IP Tunneling is well developed and widely available. It is a layer 2 protocol, transparent to higher layers. IP Tunneling performance is acceptable.

Tunneling protocol enhancements for PSMC, like tunnel handshake, host authentication, security mechanism. VPN tunneling protocols.

Page 18: On  Proxy Server based  Multipath Connections  (PSMC)

Special issues on PSMC Protocols

Two special issues for PSMC protocols:

Fail-over, packet resend and packet re-sequencing mechanism when packets are lost or connections are broken.

Sticky-connection mechanism when packets need to be sent through a particular route, like HTTP keep-alive.

Inside a corporate environment, alternate solutions for setting up multipath connections include:

Modify the routing table in the router

MPLS

Source routing
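The sender and receiver roles from the "Three components in PSMC" slide, together with the fail-over and sticky-connection issues listed above, as an added simulation that is not code from the proposal. The path names, weights, the weighted round-robin policy and the `keepalive-1` flow label are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Path:
    name: str        # constructed label: "direct" or a relay proxy
    weight: int      # relative share of traffic for this path
    up: bool = True
    in_flight: list = field(default_factory=list)  # (seq, payload, flow)


class MultipathSender:
    def __init__(self, paths):
        self.paths = {p.name: p for p in paths}
        self.credit = {p.name: 0 for p in paths}  # weighted round-robin state
        self.pinned = {}                          # sticky flow -> path name
        self.next_seq = 0

    def _pick(self, flow):
        live = [p for p in self.paths.values() if p.up]
        if not live:
            raise RuntimeError("no usable path")
        pin = self.pinned.get(flow)
        if pin is not None and self.paths[pin].up:
            return self.paths[pin]                # sticky connection: stay on route
        total = sum(p.weight for p in live)
        for p in live:
            self.credit[p.name] += p.weight
        best = max(live, key=lambda p: self.credit[p.name])
        self.credit[best.name] -= total
        if flow is not None:
            self.pinned[flow] = best.name         # pin (or re-pin after a failure)
        return best

    def send(self, payload, flow=None, seq=None):
        if seq is None:                           # new packet: next sequence number
            seq, self.next_seq = self.next_seq, self.next_seq + 1
        path = self._pick(flow)
        path.in_flight.append((seq, payload, flow))
        return seq, path.name

    def fail_over(self, name):
        """Mark a broken path down and resend its undelivered packets elsewhere."""
        dead = self.paths[name]
        dead.up = False
        lost, dead.in_flight = dead.in_flight, []
        return [self.send(payload, flow, seq) for seq, payload, flow in lost]


class MultipathReceiver:
    def __init__(self):
        self.expected, self.buffer, self.delivered = 0, {}, []

    def receive(self, seq, payload):
        if seq < self.expected or seq in self.buffer:
            return                                # duplicate from a resend: drop
        self.buffer[seq] = payload
        while self.expected in self.buffer:       # release the in-order prefix
            self.delivered.append(self.buffer.pop(self.expected))
            self.expected += 1


def demo():
    paths = [Path("direct", 2), Path("proxy1", 1), Path("proxy2", 1)]
    tx, rx = MultipathSender(paths), MultipathReceiver()
    routes = [tx.send(f"pkt{i}")[1] for i in range(8)]
    sticky = {tx.send(f"http{i}", flow="keepalive-1")[1] for i in range(3)}
    resent = tx.fail_over("direct")               # direct route breaks
    for name in ("proxy2", "proxy1"):             # paths drain out of order
        for seq, payload, _ in reversed(tx.paths[name].in_flight):
            rx.receive(seq, payload)
    return routes, sticky, resent, rx.delivered


if __name__ == "__main__":
    print(demo())
```

Resent packets keep their original sequence numbers, so the receiver's re-sequencing buffer needs no knowledge of which path failed.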

Page 19: On  Proxy Server based  Multipath Connections  (PSMC)

PSMC prototypes and applications

Secure Collective Defense (SCOLD) network. SCOLD tolerates DDoS attacks through indirect routes via proxy servers, and improves network performance by spreading packets through multiple indirect routes.

SCOLD incorporates various cyber security techniques, like secure DNS update, Autonomous Anti-DDoS network, IDIP protocols.

We have finished the prototype of the SCOLD system. We plan to enhance SCOLD for better scalability, reliability, performance and security.

Page 20: On  Proxy Server based  Multipath Connections  (PSMC)

Intrusion defense mechanism

Intrusion Prevention: General Security Policy; Ingress/Egress Filtering

Intrusion Detection: Honey pot; Host-based IDS Tripwire; Anomaly Detection; Misuse Detection

Intrusion Response: Identification/Trace back/Pushback; Intrusion Tolerance: SCOLD

Page 21: On  Proxy Server based  Multipath Connections  (PSMC)

SCOLD: victim under DDoS attacks

[Diagram: Victim (target.com) behind main gateway R and alternate gateways R1, R2, R3 (back door); clients a, b, c in A.com, B.com, C.com with DNS1, DNS2, DNS3; DDoS attack traffic and client traffic.]

The main gateway R is under attack, and we want to inform clients to go through the “back door”: alternate gateways R1-R3. We need to hide the IPs of R1-R3, otherwise they are subject to potential attacks too. How to inform clients? How to hide the IPs of R1-R3?

Page 22: On  Proxy Server based  Multipath Connections  (PSMC)

SCOLD: raise alarm (1) and inform clients (2)

1. IDS on gateway R detects the intrusion and raises an alarm to the Reroute Coordinator.

2. Coordinator informs clients of the new route: a) inform clients’ DNS; b) inform clients’ network proxy server; c) inform clients directly; d) inform the proxy servers and ask the proxy servers to do (a – c).

[Diagram: same topology as the previous slide, with the Reroute Coordinator and Proxy1 added; arrows labelled "1: raise alarm" and "2: inform clients".]

Page 23: On  Proxy Server based  Multipath Connections  (PSMC)

SCOLD: set up new indirect route (3)

3. Clients set up a new indirect route to the target via proxy servers. Proxy servers: equipped with IDS to defend against attacks; hide the alternate gateways and the reroute coordinator; provide potential multiple paths.

[Diagram: same topology as the previous slide, with Proxy1, Proxy2 and Proxy3; arrow labelled "3: new route".]

Page 24: On  Proxy Server based  Multipath Connections  (PSMC)

SCOLD Testbed

Page 25: On  Proxy Server based  Multipath Connections  (PSMC)

Performance of SCOLD

Table 1: Ping Response Time (on 3 hop route)

| No DDoS attack, direct route | DDoS attack, direct route | No DDoS attack, indirect route | DDoS attack, indirect route |
|---|---|---|---|
| 0.49 ms | 225 ms | 0.65 ms | 0.65 ms |

Table 2: SCOLD FTP/HTTP download Test (from client to target)

| Doc Size | No DDoS attack, direct route: FTP | No DDoS attack, direct route: HTTP | DDoS attack, direct route: FTP | DDoS attack, direct route: HTTP | No DDoS attack, indirect route: FTP | No DDoS attack, indirect route: HTTP | DDoS attack, indirect route: FTP | DDoS attack, indirect route: HTTP |
|---|---|---|---|---|---|---|---|---|
| 100k | 0.11 s | 3.8 s | 8.6 s | 9.1 s | 0.14 s | 4.6 s | 0.14 s | 4.6 s |
| 250k | 0.28 s | 11.3 s | 19.5 s | 13.3 s | 0.31 s | 11.6 s | 0.31 s | 11.6 s |
| 500k | 0.65 s | 30.8 s | 39 s | 59 s | 0.66 s | 31.1 s | 0.67 s | 31.1 s |
| 1000k | 1.16 s | 62.5 s | 86 s | 106 s | 1.15 s | 59 s | 1.15 s | 59 s |
| 2000k | 2.34 s | 121 s | 167 s | 232 s | 2.34 s | 122 s | 2.34 s | 123 s |

Page 26: On  Proxy Server based  Multipath Connections  (PSMC)

Other PSMC applications

Other PSMC applications include:

PSMC in wireless ad hoc network: a good test of PSMC’s ability to adapt to a dynamic environment, packet resending and re-sequencing.

Indirect route upon operational requests: provides additional bandwidth and a backup route based on operational requirements.

Providing QoS for video streaming: send different portions of the stream through different paths.

Parallel download from multiple mirror sites: server selection algorithm implementation.

Page 27: On  Proxy Server based  Multipath Connections  (PSMC)

PSMC applications evaluation

We will evaluate the overhead of multipath connections, including tunneling overhead, handshake overhead, packet distribution/reassembling overhead.

We will evaluate the performance of multipath connections in terms of response time, throughput and bandwidth.

We will also compare PSMC with other multipath connection approaches, like source routing, or Linux multipath connections.

We will conduct an extensive simulation study on PSMC applications in virtual networks, real networks, small scale networks and large scale networks.

Page 28: On  Proxy Server based  Multipath Connections  (PSMC)

Security issues related to PSMC

Potential security issues raised by misuse of PSMC: how to control aggressive clients?

Potential attacks against PSMC: Tunneling to death? (similar to ping to death).

Detect compromised nodes in the PSMC network (through dynamic IP?).

Study the collective defense mechanism to tie different organizations together with better cooperation and collaboration.

Page 29: On  Proxy Server based  Multipath Connections  (PSMC)

Contributions:

Systematically study the proxy server based multipath connections (PSMC), including

Algorithms for server selections,

Protocols for packet handling,

Applications and prototypes,

Security issues.

Page 30: On  Proxy Server based  Multipath Connections  (PSMC)

Conclusion

PSMC offers applications the ability to increase the network performance, efficiency, stability, availability and security.

In addition, PSMC offers more flexibility, compatibility and usability than other types of multipath connections.

Study on PSMC could have a broader impact on today’s Internet topology and security.