Building a massively scalable serverless VPN using Any Source Multicast

  • Athanasios Douitsis

  • Dimitrios Kalogeras

National Technical University of Athens


Popular VPN solutions

[Figure: protocol layer stack of each solution; the extracted labels read "IPSec, IP", "TCP+SSL, IP" and "IP, IPSec, UDP, L2TP, PPP, IP"]

  • PPP over L2TP over IPSec transport mode

  • IPSec tunnel mode

  • OpenVPN

Trend: Usage of a central VPN concentrator

A. Douitsis, D.Kalogeras - Building a massively scalable serverless VPN using Any Source Multicast



VPN central concentrator considerations

  • Single point of failure

    • Reliability impact

    • Security impact

  • Passage of all client traffic through the concentrator

    • Impact on VPN concentrator resources (CPU, network)

    • Impact on network near the VPN concentrator




Alternative: P2P instead of hub topology

P2P Communication through the multicast cloud

No need for a central VPN server




Any Source Multicast as a Shared Medium

  • Election of a predefined common multicast group (G) as the shared medium

  • Easy subscription of any node to the shared medium (IGMP join G)

  • Transmissions inside the shared medium are received by all listeners

  • Any node can also transmit messages to the shared medium G

  • No contention issues inside G

  • All VPN members directly connected to the L2 VPN



Encapsulation of L2 packets inside UDP multicast

[Figure: one Ethernet frame nested inside a UDP packet]

  • One Ethernet frame inside each UDP packet

  • UDP Destination = multicast group G

  • UDP source = actual node IP address (unchanged)

  • Ethernet Source = Host generated MAC address (some constraints apply)

  • Ethernet destination = Destination MAC address (more on that later)




Duality between Ethernet and IP multicast personality

  • For each single node:

    • Real global source IP address

    • Virtual VPN source MAC address

  • 1-1 relationship between global IP address and VPN Source MAC address

  • Generation of VPN Source MAC address from global IP address: Just add two bytes at the front

    • MAC uniqueness is guaranteed

  • Example: If Source IP == 1.2.3.4, then VPN Source MAC := 0a:0a:01:02:03:04

  • Make sure 0a:0a doesn’t clash with real vendor



    Encapsulation of Ethernet inside UDP: explanation

    [Figure: one encapsulated packet. UDP: Source 1.2.3.4, Destination 224.1.2.3. Ethernet: Source 0a:0a:01:02:03:04, Destination 0a:0a:05:06:07:08]

    Host A (Real IP: 1.2.3.4, Virtual MAC: 0a:0a:01:02:03:04) sends a packet to the VPN LAN.

    The multicast enabled IP network (the multicast cloud) takes the packet and sends it to all 224.1.2.3 subscribers.

    Host B (Real IP: 5.6.7.8, Virtual MAC: 0a:0a:05:06:07:08): Subscriber B receives the packet and forwards it through its networking stack.

    Host C (Real IP: 9.10.11.12, Virtual MAC: 0a:0a:09:10:11:12): Subscriber C receives the packet but is really not interested as its MAC != packet destination MAC.



    Extension: Many MACs behind an IP

    • Hiding of many VPN MAC addresses behind one single IP address

    • 1-to-many relationship between global IP address and VPN MAC address

    • Generation of VPN MAC address from global IP address: Again, Just add two bytes at the front

    • Example: If Global IP == 1.2.3.4, then MAC := 0a:xx:01:02:03:04

      • 01 < xx < ff

      • 256 MACs max behind one real IP

    • Nice for virtualization setups

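    A worked version of the two derivation rules (the 1-1 scheme of the Duality slide and the many-MACs extension above), as an added Python example that is not code from the authors' implementation. The IPv4 octets are copied as raw bytes, so 10.20.30.40 becomes 0a:14:1e:28; the index xx is taken as 0..255 to match the 256-MAC maximum; and the last function spells out why the 0a prefix cannot collide with a vendor OUI: bit 1 of the first byte marks a locally administered address, and bit 0 being clear makes it unicast.

```python
import ipaddress

# Fixed prefix from the slides: 0a:0a in front of the four IPv4 octets.
VPN_PREFIX = bytes([0x0a, 0x0a])


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as aa:bb:cc:dd:ee:ff."""
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly six bytes")
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff (or aa-bb-...) back into six raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly six bytes")
    return raw


def ip_to_vmac(ip: str) -> str:
    """1-1 scheme: VPN MAC := 0a:0a + the four octets of the real IPv4 address."""
    return mac_str(VPN_PREFIX + ipaddress.IPv4Address(ip).packed)


def ip_to_vmac_indexed(ip: str, index: int) -> str:
    """Many-MACs extension: VPN MAC := 0a:xx + IPv4 octets.

    xx selects one of up to 256 MACs hidden behind the same real IP
    (index range 0..255 is an assumption matching the slide's maximum).
    """
    if not 0 <= index <= 0xFF:
        raise ValueError("index xx must fit in one byte")
    return mac_str(bytes([0x0a, index]) + ipaddress.IPv4Address(ip).packed)


def vmac_to_ip(mac: str) -> str:
    """Reverse mapping for the receiving side: the real IP is the last four
    bytes of the VPN MAC, whichever xx was used."""
    raw = mac_bytes(mac)
    if raw[0] != 0x0a:
        raise ValueError("not a VPN MAC: first byte is not 0a")
    return str(ipaddress.IPv4Address(raw[2:]))


def is_locally_administered_unicast(mac: str) -> bool:
    """True when the first byte has the U/L bit (0x02) set and the I/G bit
    (0x01) clear: locally administered, unicast. IEEE-assigned OUIs have the
    U/L bit clear, which is why 0a:... cannot clash with a real vendor."""
    first = mac_bytes(mac)[0]
    return (first & 0x01) == 0 and (first & 0x02) == 0x02
```

    vmac_to_ip() accepts both schemes, so a receiver does not need to know whether the sender runs one or many virtual members behind its real address.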



    Optimization: Usage of multicast only when needed

    • Modern Ethernet Switches:

      • MAC to port lookup table

      • Delivery of Broadcasts (mostly ARP, ICMPv6 etc) to all ports

      • Delivery of packets with unknown dest. MAC to all ports

      • Delivery of packets with known dest. MAC only to corresponding port

    • Modification of our virtual L2 VPN towards the same goal.

      • MAC to global IP table

      • Broadcasts (mostly ARP, ICMPv6 etc) to all G subscribers

      • Packets with unknown dest. MAC to all G subscribers

      • Packets with known dest. MAC only to corresponding IP using Unicast!



    Unicast Optimization explained

    [Figure: the multicast request and the unicast reply. Request, UDP: Source 1.2.3.4, Destination 224.1.2.3; Ethernet: Source 0a:0a:01:02:03:04, Destination 0a:0a:05:06:07:08. Reply, UDP: Source 5.6.7.8, Destination 1.2.3.4; Ethernet: Source 0a:0a:05:06:07:08, Destination 0a:0a:01:02:03:04]

    Host A (Real IP: 1.2.3.4, Virtual MAC: 0a:0a:01:02:03:04) sends a packet to the VPN LAN.

    The multicast enabled IP network (the multicast cloud) takes the packet and sends it to all 224.1.2.3 subscribers.

    Host B (Real IP: 5.6.7.8, Virtual MAC: 0a:0a:05:06:07:08): Subscriber B receives the packet and adds the appropriate entry in its MAC-to-IP table.

    Subscriber B responds with a direct unicast packet to A because it knows its global IP.



    Implementation

    • Kernel interface

      • Usage of the versatile tun/tap driver

        • virtual tap0 ethernet device

        • /dev/net/tap character device

    • User space application

      • Reads from /dev/net/tap and writes to UDP socket

      • Reads from UDP socket and writes to /dev/net/tap




    Ingress data flow

    • Arrival of packet from network

    • Reading of the packet from the socket

    • (optional) Parsing of the packet and caching of MAC-to-IP pair

    • De-capsulation of the Ethernet Frame from the UDP packet

    • (optional) Other kinds of meddling with the de-capsulated Ethernet frame

    • Writing of Ethernet Frame to /dev/net/tap

    • Kernel sees an Ethernet Frame coming from i/f tap0




    Egress data flow

    • Generation of an Ethernet Frame on the tap0 interface by the kernel

    • Reading of the Ethernet Frame from the /dev/net/tap device by the user space VPN application

    • (optional) Consultation of the MAC-to-IP cache table

    • Encapsulation of the Ethernet Frame inside a UDP packet

    • (optional) Other kinds of meddling with the soon-to-be-transmitted Ethernet packet

    • Transmission of the packet either as multicast or Unicast



    Ingress/Egress explained

    [Figure: two VPN member hosts joined through the multicast cloud, each split into kernel space and user space. Egress data flow: a frame is generated on i/f tap0 (tun/tap driver), the VPN client read()s it from the /dev/net/tap char device and send()s it to the multicast socket. Ingress data flow: the VPN client recv()s from the multicast socket, write()s to the /dev/net/tap char device, and the frame is delivered inside tap0.]
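    The forwarding core that the unicast optimization slides and the three data-flow slides describe, as an added Python example that is not the authors' implementation. It models one VPN member: decapsulating a datagram from the socket, caching the MAC-to-IP pair, filtering on the destination MAC (the Host C case), and on egress choosing between the group G and a direct unicast destination. Assumptions: UDP port 5555 is constructed, since the slides name no port; the /dev/net/tap reads and writes are replaced by constructed frames so the block runs offline; and the check that the embedded source MAC carries the UDP source IP is added here as a cheap consistency filter the slides do not mention. That filter does not replace the measures on the security slide, because the UDP source address itself is unauthenticated.

```python
import socket
import struct

GROUP_IP = "224.1.2.3"               # the shared-medium group G from the slides
VPN_PORT = 5555                      # constructed: the slides name no UDP port
ETH_HDR = struct.Struct("!6s6sH")    # destination MAC, source MAC, EtherType
BROADCAST = b"\xff" * 6


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a raw Ethernet frame (constructed stand-in for a read() from /dev/net/tap)."""
    return ETH_HDR.pack(dst, src, ethertype) + payload


def parse_eth(frame: bytes):
    """Return (dst, src, ethertype) from the 14-byte Ethernet header."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    return ETH_HDR.unpack_from(frame)


def vmac_for(ip: str) -> bytes:
    """1-1 scheme from the slides: 0a:0a followed by the IPv4 octets."""
    return bytes([0x0a, 0x0a]) + socket.inet_aton(ip)


def vmac_matches_ip(mac: bytes, ip: str) -> bool:
    """Duality check (added here): any 0a:xx VPN MAC must carry the real IP in its last four bytes."""
    return mac[0] == 0x0a and mac[2:] == socket.inet_aton(ip)


def open_group_socket(group: str = GROUP_IP, port: int = VPN_PORT) -> socket.socket:
    """Subscribe to G (the IGMP join) and bind the VPN port. Not called by the offline demo."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton("0.0.0.0"))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


class VpnMember:
    """One VPN member: its MAC-to-IP table plus the ingress and egress decisions."""

    def __init__(self, real_ip: str):
        self.real_ip = real_ip
        self.vmac = vmac_for(real_ip)
        self.mac_to_ip = {}          # learned VPN MAC -> real IP (the slides' MAC-to-IP table)

    def ingress(self, udp_src_ip: str, datagram: bytes):
        """Datagram from the socket: return the frame to write to /dev/net/tap, or None to drop."""
        dst, src, _ = parse_eth(datagram)
        if udp_src_ip == self.real_ip:
            return None                          # our own multicast transmission looped back
        if not vmac_matches_ip(src, udp_src_ip):
            return None                          # source MAC inconsistent with UDP source IP
        self.mac_to_ip[src] = udp_src_ip         # cache the MAC-to-IP pair
        if dst == self.vmac or dst[0] & 0x01:
            return datagram                      # addressed to us, or broadcast/multicast
        return None                              # Host C case: not our destination MAC

    def egress(self, frame: bytes):
        """Frame read from /dev/net/tap: return ((ip, port), datagram) for sendto()."""
        dst, _, _ = parse_eth(frame)
        if dst[0] & 0x01 or dst not in self.mac_to_ip:
            return (GROUP_IP, VPN_PORT), frame       # broadcast, multicast or unknown: use G
        return (self.mac_to_ip[dst], VPN_PORT), frame  # known destination: direct unicast


if __name__ == "__main__":
    a, b = VpnMember("1.2.3.4"), VpnMember("5.6.7.8")
    req = make_frame(b.vmac, a.vmac, 0x0800, b"constructed payload")
    print(a.egress(req)[0])          # B not learned yet: the group G
    b.ingress("1.2.3.4", req)        # B caches A's MAC-to-IP pair
    reply = make_frame(a.vmac, b.vmac, 0x0800, b"constructed reply")
    print(b.egress(reply)[0])        # A is known: direct unicast to 1.2.3.4
```

    The table is only ever filled from datagrams that passed the consistency check, so a member that never spoke on G is never unicast to; everything else falls back to the group exactly as an unknown-destination frame does on a switch.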



    Security considerations

    • Problem: Multicast Group joinable and listenable by anyone/anywhere

    • Possible solution #1. Communications are secured at the encapsulation layer, e.g. Secure Multicast.

      • Multicast Group Domain of Interpretation (RFC3547). Downside: group controller/key server required.

      • But: “Normal” IPSec perfectly usable for unicast communications

    • Possible solution #2. Communications are secured inside the VPN LAN, e.g. secure LAN.

      • Usage of IPSec inside the VPN LAN

    • Possible solution #3. Use secure protocols (>L3) inside the VPN LAN

      • HTTPS, SSH, SFTP




    Conclusion: Benefits

    • Resiliency: No central server needed

    • Scalability: Solution can scale to very large number of nodes with the Unicast optimization enabled

    • Transparency: tap0 for all intents and purposes an ordinary Ethernet interface

    • Portability: Simple implementation easily portable to any platform.




    But: Drawbacks

    • Security provisioning somewhat tricky

      • server required for GDOI

    • IP Multicast required on all nodes (some networks still don’t support multicast)




    Extensions / Future Ideas

    • Virtual Routers between different VPNs

    • Physical Gateways to a VPN

      • bridging of a real ethernet device with a tap

    • Packet filters on tap devices

    • Many virtual VPN members inside one physical entity

      • Can work well with hardware virtualization




    Thank You!

    • Questions?

    • [email protected]


