2 research outputs found
On the Design and Implementation of Structured P2P VPNs
Centralized Virtual Private Networks (VPNs) when used in distributed systems
have performance constraints as all traffic must traverse through a central
server. In recent years, there has been a paradigm shift towards the use of P2P
in VPNs to alleviate pressure placed upon the central server by allowing
participants to communicate directly with each other, relegating the server to
handling session management and supporting NAT traversal using relays when
necessary. Another, less common, approach uses unstructured P2P systems to
remove all centralization from the VPN. These approaches currently lack the
depth in security options provided by other VPN solutions, and their
scalability constraints have not been well studied.
In this paper, we propose and implement a novel VPN architecture, which uses
a structured P2P system for peer discovery, session management, NAT traversal,
and autonomic relay selection and a central server as a partially-automated
public key infrastructure (PKI) via a user-friendly web interface. Our model
also provides the first design and implementation of a P2P VPN with full
tunneling support, whereby all non-P2P based Internet traffic routes through a
trusted third party and does so in a way that is more secure than existing full
tunnel techniques. To verify our model, we evaluate our reference
implementation by comparing it quantitatively to other VPN technologies
focusing on latency, bandwidth, and memory usage. We also discuss some of our
experiences with developing, maintaining, and deploying a P2P VPN
Virtual Private Overlays: Secure Group Commounication in NAT-Constrained Environments
Structured P2P overlays provide a framework for building distributed
applications that are self-configuring, scalable, and resilient to node
failures. Such systems have been successfully adopted in large-scale Internet
services such as content delivery networks and file sharing; however,
widespread adoption in small/medium scales has been limited due in part to
security concerns and difficulty bootstrapping in NAT-constrained environments.
Nonetheless, P2P systems can be designed to provide guaranteed lookup times,
NAT traversal, point-to-point overlay security, and distributed data stores. In
this paper we propose a novel way of creating overlays that are both secure and
private and a method to bootstrap them using a public overlay. Private overlay
nodes use the public overlay's distributed data store to discover each other,
and the public overlay's connections to assist with NAT hole punching and as
relays providing STUN and TURN NAT traversal techniques. The security framework
utilizes groups, which are created and managed by users through a web based
user interface. Each group acts as a Public Key Infrastructure (PKI) relying on
the use of a centrally-managed web site providing an automated Certificate
Authority (CA). We present a reference implementation which has been used in a
P2P VPN (Virtual Private Network). To evaluate our contributions, we apply our
techniques to an overlay network modeler, event-driven simulations using
simulated time delays, and deployment in the PlanetLab wide-area testbed