Hi Alex,

> > > A key novel aspect of the SocialVPN is its ability to avoid
> > > conflicts between the VPN and a host's existing IPv4 network
> > > by using private networks and dynamic address translation,
> > > a technique described in the COPS workshop this year.
>
> For what it's worth - the technique of double-NAT'ing node-to-node
> traffic exactly the way it's described in Section 2.2 of your paper
> is well-known and it is routinely used in traditional VPN setups.
>
> It is essentially the *only* option for resolving IP conflicts that
> occur in "roaming user" scenarios, so it's only natural that you
> converged to the same solution :)

We started from a perspective that is not traditional in the sense that it's as if each roaming user is connected to multiple VPNs, so double-NATting needs to be performed for every link. I'm not aware of traditional VPNs where a single virtual network interface from a roaming user can be multiplexed such that it allows the user to be connected to multiple remote networks, each with different private address space ranges.

> The biggest issue with this approach though is the very presence of
> the NAT in the picture. Simple NAT that operates just on IP/UDP/TCP
> headers breaks a bunch of application protocols, most notably FTP
> (which you have listed as unsupported on the website), H.323, SIP,
> some Oracle stuff and parts of Windows SMB. That's not to mention
> various broken-by-design multiplayer gaming protocols.

I agree, this is a tricky issue. For many of the applications we're interested in, the double NAT is not a problem, so we decided to compromise and focus on those. But certainly there are apps that unfortunately will not work without the add-on modules you mentioned. We don't have a lot of practical experience with gaming protocols; from what you say it may be more common than we thought. We got SIP and mDNS to work, but as you point out there are important protocols that can break down in this model, such as FTP.

By the way, we have an alternative implementation of the overlay that supports a flat virtual address space without translation and decentralized DHCP that we use for legacy distributed applications, such as Condor. In this scenario we encapsulate the whole environment in clusters of VMs with NATed private interfaces, where we can sidestep conflicts by using, for example, class-E addresses.

Bests,
--rf

> As such, the use of the double-NAT'ing technique requires the NAT engine to
> support so-called ALGs - "add-on" modules that take care of properly
> adjusting IPs that may be embedded into an application protocol.
>
> This in turn requires the NAT engine to be stateful, i.e. it should keep
> track of the state of all TCP connections that go through it. It is
> needed because the application data adjustments may cause the latter to
> grow or contract and so the NAT engine needs to compensate for that
> by adjusting TCP sequence numbers. Needless to say, this is far
> from being trivial.
>
> Alex
>
> ----
> On Jul 31, 2008, at 11:07 PM, Renato Figueiredo wrote:
>
> > Dear list members,
> >
> > We have developed SocialVPN (socialvpn.org), a P2P virtual network that
> > uses social network infrastructures to seamlessly bootstrap VPN links
> > between social peers.
> >
> > The SocialVPN builds upon the open-source Brunet P2P library. We have
> > extended the IPOP (IP-over-P2P) virtual network, a structured P2P system
> > which features decentralized UDP hole punching, optimizations tailored to IP
> > tunneling, and support for multicast DNS (Bonjour/Avahi). A key novel aspect
> > of the SocialVPN is its ability to avoid conflicts between the VPN and a
> > host's existing IPv4 network by using private networks and dynamic address
> > translation, a technique described in the COPS workshop this year.
> >
> > Our current implementation runs on Windows or Linux and uses the Facebook
> > API, and bootstraps with an overlay deployed on PlanetLab. We are planning
> > on implementations for other platforms and to support the OpenSocial API. If
> > you are interested in using this software or developing applications around it,
> > you can find documentation and downloads at http://socialvpn.org.
> >
> > Regards,
> > --rf

--
Dr. Renato J. Figueiredo
Associate Professor
ACIS Lab / Electrical and Computer Engineering
University of Florida
http://byron.acis.ufl.edu
ph: 352-392-6430

_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
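The exchange above describes, in prose, why a NAT that rewrites addresses embedded in application payloads (an ALG) must also be stateful: when the rewritten field changes length, every later TCP sequence number from the client and every acknowledgement number from the server has to be shifted by the accumulated difference. The following Python is an added illustration of that mechanism for the FTP PORT command; it is not code from the thread, from SocialVPN or from IPOP. All addresses and the FTP session are constructed, and the ALG is deliberately simplified (in-order segments, no retransmissions, a single translated address per flow) so the bookkeeping stays visible.

```python
"""Toy stateful FTP ALG beside a NAT: rewrites the address embedded in a PORT
command and compensates TCP sequence/acknowledgement numbers for the resulting
change in payload length. Constructed example; addresses are made up."""
import re
from dataclasses import dataclass, replace

# FTP active-mode PORT command: "PORT h1,h2,h3,h4,p1,p2\r\n" (RFC 959)
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


@dataclass(frozen=True)
class Segment:
    """Only the fields of a TCP segment the ALG cares about."""
    src: str
    dst: str
    seq: int        # sequence number of the first payload byte
    ack: int        # acknowledgement number
    payload: bytes


def parse_port(payload: bytes):
    """Return (ip, port) if payload is a well-formed PORT command, else None."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def build_port(ip: str, port: int) -> bytes:
    """Encode ip:port back into PORT syntax."""
    fields = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return b"PORT " + ",".join(fields).encode() + b"\r\n"


class FtpAlg:
    """Per-control-connection state for one NAT hop.

    The client's private address inside the payload is replaced by the address
    the NAT presents to the peer. Because the rewrite can change the payload
    length, a running delta is kept and applied to outbound seq numbers and
    inbound ack numbers. Simplification: in-order delivery, no retransmission.
    """

    def __init__(self, inside_ip: str, translated_ip: str):
        self.inside_ip = inside_ip
        self.translated_ip = translated_ip
        self.delta = 0  # bytes added (negative: removed) to the client->server stream so far

    def outbound(self, seg: Segment) -> Segment:
        """Client -> server: rewrite the embedded address, shift seq by earlier rewrites."""
        new_payload = seg.payload
        parsed = parse_port(seg.payload)
        if parsed and parsed[0] == self.inside_ip:
            new_payload = build_port(self.translated_ip, parsed[1])
        seq = seg.seq + self.delta          # delta from rewrites of earlier bytes only
        self.delta += len(new_payload) - len(seg.payload)
        return replace(seg, src=self.translated_ip, seq=seq, payload=new_payload)

    def inbound(self, seg: Segment) -> Segment:
        """Server -> client: the ack counts translated bytes; map it back to the client's numbering."""
        return replace(seg, dst=self.inside_ip, ack=seg.ack - self.delta)


def demo():
    """Run a constructed FTP control exchange through the ALG and return the numbers."""
    client, translated, server = "192.168.1.10", "10.254.0.10", "172.16.5.5"  # constructed
    alg = FtpAlg(client, translated)

    def from_client(seq, data):
        return Segment(client, server, seq, 5000, data)

    out = [
        alg.outbound(from_client(1000, b"USER alice\r\n")),             # 12 bytes, unchanged
        alg.outbound(from_client(1012, b"PORT 192,168,1,10,4,1\r\n")),  # 23 bytes -> 22 bytes
        alg.outbound(from_client(1035, b"LIST\r\n")),                   # seq must shift by -1
    ]
    # The server acknowledges everything it received in the translated stream.
    last = out[-1]
    reply = Segment(server, translated, 5000, last.seq + len(last.payload),
                    b"150 Here comes the directory listing.\r\n")
    back = alg.inbound(reply)
    return {
        "port_payload": out[1].payload,
        "seqs": [s.seq for s in out],
        "delta": alg.delta,
        "server_ack": reply.ack,
        "client_sees_ack": back.ack,
        "client_expects_ack": 1035 + len(b"LIST\r\n"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one-byte shrink of the PORT line is enough to show the problem: without the compensation in `inbound`, the server's acknowledgement would point one byte short of what the client sent and the client would keep retransmitting. A real NAT engine has to do this per connection, across retransmissions and out-of-order segments, for every protocol that embeds addresses, which is the "far from trivial" part of the thread.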
