[p2p-hackers] Announcing: P2P social VPN

Renato Figueiredo renato at acis.ufl.edu
Fri Aug 1 23:16:58 EDT 2008


Hi Alex,

>
> > A key novel aspect of the SocialVPN is its ability to avoid
> > conflicts between the VPN and a host's existing IPv4 network
> > by using private networks and dynamic address translation,
> > a technique described in the COPS workshop this year.
>
> For what it's worth - the technique of double-NAT'ing node-to-node
> traffic exactly the way it's described in Section 2.2 of your paper
> is well-known and it is routinely used in traditional VPN setups.
>
> It is essentially the *only* option of resolving IP conflicts that
> occur in "roaming user" scenarios, so it's only natural that you
> converged to the same solution :)

We started from a perspective that is not traditional in the sense that it's
as if each roaming user is connected to multiple VPNs, so double-natting
needs to be performed for every link. I'm not aware of traditional VPNs
where a single virtual network interface from a roaming user can be
multiplexed such that it allows the user to be connected to multiple remote
networks, each with different private address space ranges.

>
> The biggest issue with this approach though is the very presence of
> the NAT in the picture. Simple NAT that operates just on IP/UDP/TCP
> headers breaks a bunch of application protocols, most notably - FTP
> (which you have listed as unsupported on the website), H.323, SIP,
> some Oracle stuff and parts of Windows SMB. That's not to mention
> various broken-by-design multiplayer gaming protocols.
>

I agree, this is a tricky issue. For many of the applications we're
interested in, the double NAT is not a problem, so we decided to compromise
and focus on those. But certainly there are apps that unfortunately will not
work without the add-on modules you mentioned. We don't have a lot of
practical experience with gaming protocols, from what you say it may be more
common than we thought. We got SIP and mDNS to work but as you point out
there are important protocols that can break down in this model, such as
FTP.

By the way, we have an alternative implementation of the overlay that
supports a flat virtual address space without translation and decentralized
DHCP that we use for legacy distributed applications, such as Condor. In
this scenario we encapsulate the whole environment in clusters of VMs with
NATed private interfaces, where we can sidestep conflicts by using for
example class-E addresses.

Bests,
--rf

> As such, the use of the double-NAT'ing technique requires the NAT engine to
> support so-called ALGs - "add-on" modules that take care of properly
> adjusting IPs that may be embedded into an application protocol.
>
> This in turn requires the NAT engine to be stateful, i.e. it should keep
> track of the state of all TCP connections that go through it. It is
> needed because the application data adjustments may cause the latter to
> grow or contract and so the NAT engine needs to compensate for that
> by adjusting TCP sequence numbers. Needless to say that this is far
> from being trivial.
>
> Alex
>
> ----


> On Jul 31, 2008, at 11:07 PM, Renato Figueiredo wrote:
>
> Dear list members,
>
> We have developed SocialVPN (socialvpn.org), a P2P virtual network that
> uses social network infrastructures to seamlessly bootstrap VPN links
> between social peers.
>
> The SocialVPN builds upon the open-source Brunet P2P library. We have
> extended the IPOP (IP-over-P2P) virtual network, a structured P2P system
> which features decentralized UDP hole punching, optimizations tailored to IP
> tunneling, and support for multicast DNS (Bonjour/Avahi). A key novel aspect
> of the SocialVPN is its ability to avoid conflicts between the VPN and a
> host's existing IPv4 network by using private networks and dynamic address
> translation, a technique described in the COPS workshop this year.
>
> Our current implementation runs on Windows or Linux and uses the Facebook
> API, and bootstraps with an overlay deployed on PlanetLab. We are planning
> on implementations for other platforms and to support the OpenSocial API. If
> you are interested in using this software or developing applications around it,
> you can find documentation and downloads at http://socialvpn.org.
>
> Regards,
> --rf


-- 
Dr. Renato J. Figueiredo
Associate Professor
ACIS Lab / Electrical and Computer Engineering
University of Florida
http://byron.acis.ufl.edu
ph: 352-392-6430
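The two technical points traded above (Renato's per-link translation that lets one virtual interface reach several peers with colliding private addresses, and Alex's observation that a header-only NAT breaks FTP's PORT command unless an ALG rewrites the embedded address and the NAT then shifts TCP sequence numbers) can be seen together in the following toy model. This is an added example for this thread, not SocialVPN, IPOP or Brunet code; packets are plain dictionaries, the `LinkNat`, `rewrite_ftp_port` and `demo` names are the example's own, and every address and port in it is constructed.

```python
"""Toy model of per-link address translation plus an FTP PORT ALG.
Added example for the thread, not SocialVPN/IPOP/Brunet code; all
addresses, ports and peer names are constructed for illustration."""
import ipaddress
import re

# FTP "PORT h1,h2,h3,h4,p1,p2" as sent by an active-mode client
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def rewrite_ftp_port(payload, old_ip, new_ip):
    """ALG step: swap old_ip for new_ip inside a PORT command.
    Returns the new payload and how many bytes the segment grew."""
    def repl(m):
        if ".".join(m.groups()[:4]) != old_ip:
            return m.group(0)
        return "PORT " + ",".join(new_ip.split(".") + list(m.groups()[4:]))
    new = PORT_RE.sub(repl, payload)
    return new, len(new) - len(payload)


class LinkNat:
    """One host's translator. Packets are dicts holding only the header
    fields the model needs; 'link' names the peer-to-peer tunnel used."""

    def __init__(self, local_ip, overlay_ip, alias_pool="10.128.0.0/16"):
        self.local_ip = local_ip      # address local applications bind to
        self.overlay_ip = overlay_ip  # address peers use to reach this host
        self._pool = ipaddress.ip_network(alias_pool).hosts()
        self.alias_of = {}   # peer_id -> alias seen by local apps
        self.peer_of = {}    # alias -> (peer_id, peer's real address)
        self.seq_delta = {}  # (peer_id, sport, dport) -> bytes added so far

    def add_peer(self, peer_id, peer_real_ip):
        """Hand out the next free alias; real addresses may repeat."""
        alias = str(next(self._pool))
        self.alias_of[peer_id] = alias
        self.peer_of[alias] = (peer_id, peer_real_ip)
        return alias

    def outbound(self, pkt, alg=True):
        """Local app -> peer: rewrite headers, and with alg=True also
        rewrite an FTP PORT payload and shift later sequence numbers."""
        peer_id, real_ip = self.peer_of[pkt["dst"]]
        key = (peer_id, pkt["sport"], pkt["dport"])
        out = dict(pkt, src=self.overlay_ip, dst=real_ip, link=peer_id,
                   seq=pkt["seq"] + self.seq_delta.get(key, 0))
        if alg and pkt["dport"] == 21:
            out["payload"], grew = rewrite_ftp_port(
                pkt["payload"], self.local_ip, self.overlay_ip)
            self.seq_delta[key] = self.seq_delta.get(key, 0) + grew
        return out

    def inbound(self, pkt):
        """Peer -> local app: map the peer's real source address back to
        its alias and undo the sequence shift on the peer's ACKs."""
        key = (pkt["link"], pkt["dport"], pkt["sport"])
        return dict(pkt, src=self.alias_of[pkt["link"]], dst=self.local_ip,
                    ack=pkt["ack"] - self.seq_delta.get(key, 0))


def demo(alg=True):
    """Two peers sharing one private address, then an FTP control
    exchange through the translator. Returns the packets for inspection."""
    nat = LinkNat(local_ip="172.31.0.5", overlay_ip="172.31.200.17")
    alice = nat.add_peer("alice", "192.168.1.10")
    bob = nat.add_peer("bob", "192.168.1.10")   # collides with alice
    ctl = {"src": "172.31.0.5", "dst": alice, "sport": 40000, "dport": 21}
    port_cmd = nat.outbound(dict(ctl, seq=1000,
                                 payload="PORT 172,31,0,5,4,1\r\n"), alg)
    list_cmd = nat.outbound(dict(ctl, seq=1021, payload="LIST\r\n"), alg)
    # Alice acknowledges what she actually received (24 bytes with the ALG,
    # 21 without), so the local stack must see the ACK shifted back.
    reply = nat.inbound({"src": "192.168.1.10", "dst": "172.31.200.17",
                         "link": "alice", "sport": 21, "dport": 40000,
                         "ack": port_cmd["seq"] + len(port_cmd["payload"]),
                         "payload": "200 PORT command successful\r\n"})
    return {"alice": alice, "bob": bob, "port_cmd": port_cmd,
            "list_cmd": list_cmd, "reply": reply}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows both points: alice and bob get distinct aliases although their real addresses are identical, and with the ALG the PORT payload grows by three bytes, so the following LIST segment is sent with its sequence number advanced and alice's ACK is pulled back before the local TCP stack sees it. With `demo(alg=False)` the headers are still translated but the PORT command still carries 172.31.0.5, an address alice cannot reach, which is the failure mode Alex describes.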