Joe Touch USC/ISI July 10, 2003

The X-Bone
ICB Meeting
July 10, 2003

Joe Touch
Director, Postel Center for Experimental Networking
Computer Networks Division
USC/ISI

X-Bone IP Overlays

[Diagram labels: Web GUI; X-Bone system; Multiple views; Automated monitoring; link; xd GUI; Overlay Manager; Resource Daemon; router; host; IP Base; ring-ovl and star-ovl, each with nodes A, B, C, D; Star Overlay; Ring Overlay; Base IPv4 Network]

What is the X-Bone?

- Virtual Internet Architecture
  - Consistent with dynamic routing, existing Internet applications and services
- Distributed VPN Manager
  - SNMP-like client/server
  - Multicast invites
- Interfaces
  - Overlay Language
  - GUI front-end

Virtual Internet Arch.

- VHs & VRs connected by tunnels
  - VHs add/delete headers
  - VRs transit only
- Completely virtual
- Revisitation
- Recursion
- Network-as-router recursion
  - Control Recursion (compile-time)
    - Rename unbound inner network VR interfaces
  - Network Recursion (run-time)
    - Phantom VHs at unbound inner network VR interfaces

X-Bone View of VPN

- E2E
  - Closed set of participants
  - More controlled than PE-based
  - Support ALL Internet apps
  - Network, not a full mesh (supports use of an internal AS structure)
- IP over IP
  - Current deployment assumes mcast IP
  - NO OTHER ASSUMPTIONS
  - Can use any tunnel to get IP in IP, but uses explicit key distribution (interoperability)

Software Architecture

- OM runs the overlay
  - Control or network recursion
- RD configures nodes
  - SNMP-like transactions
  - Multicast invites
  - RD privacy
- Security
  - ACLs, resource counts
  - S/MIME invites
  - SSL configuration

Interfaces

Overlay Joe
Node apple (OS=BSD) (iface a b c)
Node pear (CPU=P4) (iface p)
Ring r3 (BW=2M) (mac,gran,gold=apple, one,two,three=pear),
  (one.p <L> mac.a>)
  (two.p <M> gran.a>)
  (three.p <N> gold.a>)
  (mac.b <X> gran.c)
  (gran.b <Y> gold.c)
  (gold.b <Z> mac.c)

Capabilities

- Revisitation
- Recursion (scalability, multilayer)
- Dynamic routing
- Integration with DNS
- Application deployment

Revisitation

[Diagram: nodes A, B, C, D, E, F and X, Y, Z]

Recursion

- Hierarchy w/connected sub-overlays
- Sub-overlays look like routers

[Diagram labels: Base network; Primary overlay; Sub-1; Sub-2]

Application deployment

[Diagram with numbered steps 1 to 5. Labels: (User Input) App-Instance Specific Params; (XBone-Auto) Overlay/Node Specific: Ovl Name, IPs, Topol; Application Generator Script; OM; edit; Action File Generator Script; RD; Node Action File; ring-ovl with nodes A, B, C, D]

Project Status

- DynaBone (DARPA) 10/03 {04? ☺}
  - Multilayer overlays for dynamic defense
  - Adding native recursion
- X-Tend (NSF) 12/05
  - Augmenting X-Bone for education & research
  - Add features based on need
  - Add documentation, instruction examples
  - Green-box install

X-Tensions ☺

- Due Aug 2003
  - Net list topology
  - Divide-and-conquer control
  - Layered VPNs
  - Revised API & code
  - Dynamic & secure DNS
- +1 yr
  - Layered restoration
  - Incremental add/delete
  - Ad-hoc mgt
  - Application ‘jails’, process policy (MAC)
- Due within 6 mos.
  - IPv6 Cisco Linux IPsec (?)
  - Dynamic routing
  - Proximity topology
  - Revisitation
  - Specific host list, find-and-select, directory discovery (LDAP)
  - Apple OS-X
  - Symbolic hostnames
  - OM fault tolerance (hot backup, state-full recovery)
  - Monitor link performance

2 Header FAQ

- Why two headers?
  - Inet needs net and link
  - ARP
  - Revisitation
- Why overlap inside X-Bone, not outside?
  - Innerlays never reuse interfaces: by construction

DynaBone architecture

Spread-Spectrum Multilayer Internet Overlays

[Diagram labels: Outerlay; Innerlays; 3DES encrypt / Linkstate; RC5 encrypt / RIP; MD5 auth / static; XPRM; PRM; Base network]

Performance issues

- Nesting:
  - 800+ parallel innerlays
  - 15 layers of recursion
- Bandwidth as 1/N for recursion

Demo configuration

[Diagram labels: Outerlay; Innerlays; TCP S/F – 3DES; UDP – SHA1; Others – MD5; Base network]

Monitor & Control GUI

Issue Positions

- Optimization
  - Pathchar, proximity, node – OK
  - Not for link
- QoS
  - Upper-bound, increase delay – OK
  - No guarantees
- IP for simplicity
  - Any IP encapsulation tunnel
  - Esp. if it looks like an interface

URLs

All at www.isi.edu/touch
- www.isi.edu/xbone
- www.isi.edu/xtend
- www.isi.edu/dynabone
- www.isi.edu/tethernet
