IPOP
From Grid-Appliance Wiki
IPOP (IP over P2P) is an open-source research/development project that provides a decentralized, distributed virtual private network. Key features of IPOP include:
- Low configuration overhead
- Self-optimizing connections
- Dependable P2P overlay
- Support for computers behind NATs and Firewalls
IPOP Overview
IPOP uniquely differentiates itself from related virtual network techniques in how it builds upon a Peer-to-Peer (P2P) overlay supporting both virtual IP packet routing and distributed hash table (DHT)-based object storage/lookup. It enables the creation of virtual networks (VNs) without the requirement of having any centralized hosting mechanism. Additionally, IPOP provides features that allow two machines constrained by different NATs (Network Address Translation devices) to communicate with each other through traversal techniques as well as through the P2P overlay (akin to triangular routing) without configuring any routing rules, similar to the proxying techniques used in other VNs.
IPOP integrates with existing kernel-level tap virtual network devices for packet capture/injection, and implements a user-level P2P VN router. The user-level IPOP router builds upon the Brunet P2P library, which provides the core services of routing, object storage/lookup, and overlay connection management supporting multiple transports (TCP, UDP, and tunnels) and NAT traversal. Public IPOP overlays run on the PlanetLab infrastructure and have been used, among other projects, in wide-area virtual-machine based distributed computing system deployments in the Grid Appliance project.
VPNs and Applications Using IPOP
- GroupVPN provides users the ability to create their own private networks using group environments to secure and manage the system. From a bird's-eye view, it is quite similar to Hamachi. What differentiates the approach from Hamachi's is the focus on decentralization. GroupVPN uses a group environment to enable user-friendly application of a PKI, so peers interact with the website only once, to register their VPN instance, and never again thereafter; from then on they connect directly to the decentralized system. Peers authenticate directly with each other and have no worries about man-in-the-middle attacks. In addition, GroupVPN is completely open, allowing users to deploy their own web interfaces and decentralized infrastructures. Users can create their own groups through our website or by downloading their own WebUI VMware VM (WebUI is still in beta).
- SocialVPN allows users to create their own private networks seamlessly by connecting to an XMPP server, such as GoogleTalk. For security, the system uses PKI and exchanges keys over a built-in XMPP client.
- The Grid Appliance is a self-configuring Virtual Machine appliance that is used to create ad-hoc pools of computer resources both within a local-area and across wide-area networks to execute high-throughput, long-running jobs. Appliances are connected through the GroupVPN, using the GroupAppliance architecture provided by the GridAppliance website WebUI.
Differentiating GroupVPN and SocialVPN:
- SocialVPN allows individuals to determine who they trust and who they don't, whereas the GroupVPN allows some subset of the group to maintain access into the pool.
- SocialVPN provides each user their own view of the network, i.e., produces a NAT-like environment for each user. The GroupVPN places all users into the same IP subnet, so all applications will work normally without tweaks.
- SocialVPN provides a list of users that are connected via a web interface, which makes sense, since there is a handshake procedure to add a friend to your list. In the GroupVPN, there is no Web UI, as it is not required; the ways to get IP addresses of members in the subnet are via multicast, broadcast, out-of-band exchange, or by having a central recording service that all machines contact periodically to announce their state (i.e., being online) -- multicast / broadcast DHT key.
IP Virtualization
In a P2P system, each node has two ways to be addressed: via the lower layer network, e.g. an IP address, and through the overlay via a P2P address. A machine's IP address/port endpoint is only used to help bootstrap overlay connections; the P2P address is used when communicating through the overlay. So applying a VN over a P2P overlay network results in three layers of address abstraction: the physical IP address (of a public host, or a translated address if behind a NAT), the P2P address of the VN router, and the virtual IP address of the VN interface.
IPOP supports multiple Virtual Networks sharing the same overlay as follows:
- Each virtual IP is associated with a namespace, e.g., IPOP views an IP in the form Namespace:IP. This is transparent to the user and to the virtual network interface - each IPOP router is configured to be bound to a single IP namespace.
- Dynamic IP-to-P2P address allocation and resolution through the use of a decentralized data store, i.e., the DHT mentioned above
For this purpose, the DHT must support atomic and idempotent writes. IPOP utilizes a DHT that comes packaged with the P2P system. A DHT is similar to a hash table, a database where data is stored in a (key, value) format, though the data is distributed throughout the system using a deterministic approach. During address allocation, a machine attempts to perform an atomic write where the DHT key concatenates the namespace and requested IP address and the value is its P2P address. The DHT is also used to store information about namespaces that is used during DHCP configuration, such as the valid address range, lease time, and reserved IP addresses.
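The allocation step described above, as an added example that is not IPOP or Brunet code: an in-memory model in which a node claims a virtual IP by an atomic create on the key Namespace:IP, a repeat write by the same P2P address renews the lease, and a competing claim is refused until the lease expires. ToyDht, the NS record, the sequential address scan and the brunet:node:AAAA style addresses are constructed for illustration, and treating "idempotent" as "the same owner may rewrite the same value" is an assumption.

```python
import ipaddress

# Constructed namespace record, holding the fields the page says live in the DHT.
NS = {"namespace": "GridNS", "range": "10.128.0.0/29",
      "reserved": ["10.128.0.1"], "lease": 3600}

class ToyDht:
    """In-memory stand-in for the overlay DHT (hypothetical, not Brunet's API)."""
    def __init__(self):
        self._store = {}  # key -> (value, expiry)

    def create(self, key, value, ttl, now):
        """Atomic create: refuse only if another value holds a live lease."""
        held = self._store.get(key)
        if held and held[1] > now and held[0] != value:
            return False  # address already bound to a different P2P address
        self._store[key] = (value, now + ttl)  # fresh claim or idempotent renewal
        return True

    def get(self, key, now):
        held = self._store.get(key)
        return held[0] if held and held[1] > now else None

def dht_key(namespace, ip):
    # Namespace and requested IP concatenated, in the page's Namespace:IP form.
    return f"{namespace}:{ip}"

def allocate(dht, ns, p2p_addr, now, preferred=None):
    """Claim a virtual IP for p2p_addr; return it, or None if the range is full."""
    net = ipaddress.ip_network(ns["range"])
    candidates = ([preferred] if preferred else []) + [str(h) for h in net.hosts()]
    for ip in candidates:
        if ip in ns["reserved"] or ipaddress.ip_address(ip) not in net:
            continue  # never claim reserved or out-of-range addresses
        if dht.create(dht_key(ns["namespace"], ip), p2p_addr, ns["lease"], now):
            return ip
    return None

def resolve(dht, namespace, ip, now):
    """Virtual IP -> P2P address of the router currently holding the lease."""
    return dht.get(dht_key(namespace, ip), now)

if __name__ == "__main__":
    dht = ToyDht()
    print(allocate(dht, NS, "brunet:node:AAAA", now=0))
    print(allocate(dht, NS, "brunet:node:BBBB", now=0))
    print(resolve(dht, NS["namespace"], "10.128.0.2", now=1))
```

The refusal branch in create is what keeps a second router from taking over a live virtual IP; in this model the binding is only as trustworthy as the DHT's atomic write.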
Because IPOP uses the P2P address (which is decoupled from the physical network address of a host) for message routing, virtual IP address migration happens transparently to applications (even across domains), and connectivity can be established as quickly as P2P links reform. For example, when a user disconnects from a P2P system, they disconnect from other endpoints and no packets can be routed to them. When they connect at a later time or in another location those links are recreated and they are routable at the same P2P address.
Accessing IPOP
Documentation
- IPOP Issue Tracker
- The Ipop How To
- ACIS P2P video channel with demonstrations and tutorials.
- FAQ
- Current Free-to-Join Brunet Overlays
- Brunet bug track system hosted at Google code.
- Creating P2P Applications
Software: Current Release
Revision 9.4.12:
Current Development Source Code
Discussion Lists
- ACISP2P Google Group: Discussion list mostly related to development of P2P/IPOP projects in our Lab.
- ACISP2PUSER Google Group: Discussion regarding installation, configuration, administration, usage, and your own development with our projects.
The Team
Members of the ACIS Lab at University of Florida in Gainesville, Florida:
Faculty Members
Graduate Students
- Kyungyong Lee
- Yonggang Liu
- Pierre St. Juste
- David Wolinsky
- Jiangyan Xu
Published Work
- David I Wolinsky, Pierre St. Juste, Oscar Boykin, and Renato Figueiredo, 'Addressing the P2P Bootstrap Problem for Small Overlay Networks', In the Proceedings of the 10th IEEE International Conference on Peer-to-Peer Computing 2010 (P2P'10), 08/2010. PDF.
- David Isaac Wolinsky, Yonggang Liu, Pierre St. Juste, Girish Venkatasubramanian, Renato Figueiredo. 'On the Design of Scalable, Self-Configuring Virtual Networks'. In Proceedings of SuperComputing '09 (SC), 11/2009. PDF.
- David Wolinsky, Yonggang Liu, Renato Figueiredo. 'Towards a Uniform Self-Configuring Virtual Private Network for Workstations and Clusters in Grid Computing'. In Proceedings of Virtualization Technologies in Distributed Computing (VTDC). 06/2009. PDF.
- Arijit Ganguly, David Wolinsky, P. Oscar Boykin, Renato Figueiredo. 'Improving Peer Connectivity in Wide-area Overlays of Virtual Workstations'. In Proceedings of IEEE High Performance Distributed Computing (HPDC). Best paper award, 06/2008. PDF.
- Arijit Ganguly, David Wolinsky, P. Oscar Boykin, Renato Figueiredo. 'Decentralized Dynamic Host Configuration in Wide-Area Overlay Networks of Virtual Workstations'. In Proceedings of Large-Scale and Volatile Desktop Grids (PCGrid), 03/2007. PDF.
- Arijit Ganguly, Abhishek Agrawal, P. Oscar Boykin, Renato Figueiredo. 'WOW: Self-Organizing Wide Area Overlay Networks of Virtual Workstations'. In Proceedings of the 15th IEEE International Symposium on High Performance Distributed Computing (HPDC), pages 30-41. Paris. PDF.
- Arijit Ganguly, Abhishek Agrawal, P. Oscar Boykin and Renato Figueiredo. 'IP over P2P: Enabling Self-Configuring Virtual IP Networks for Grid Computing'. In Proceedings of the 20th IEEE International Parallel and Distributed Processing Symposium (IPDPS). Rhodes Island, Greece. PDF
To-Do Ideas
Related Work
- ANA: Autonomic Network Architecture Research Project
- Virtuoso/VNET
- Private Virtual Clusters
- Violin
- SoftUDC VNET
- Ocala
- ViNe
- N2N
License
IPOP and related libraries are distributed under GPLv2 and Later.

