![Page 1: On the Design of Autonomic, Decentralized VPNs David Wolinsky, Kyungyong Lee, Oscar Boykin, and Renato Figueiredo ACIS P2P Group University of Florida](https://reader034.vdocuments.us/reader034/viewer/2022050714/56649de45503460f94adafba/html5/thumbnails/1.jpg)
On the Design of Autonomic, Decentralized VPNs
David Wolinsky, Kyungyong Lee, Oscar Boykin, and Renato Figueiredo
ACIS P2P Group, University of Florida
Page 2

Motivation
• Individuals want to be connected
  – Online games
  – Exchange media
    • Family pictures and movies
    • Favorite music
  – Social networking
• Employees want access to company resources
  – Access while remote
  – Private databases, clouds, and websites
  – Company printers
Page 3

Issues
• VPNs need to be more approachable!
  – Centralized VPNs require dedicated resources
  – Free VPNs rely on a third party (trust issues)
  – Distributed / decentralized VPNs are complex
• P2P provides promising opportunities to reduce complexity! Challenges:
  – No PKI-secured P2P overlays
  – PKI relies on centralized revocation
  – Bootstrapping small private overlays is challenging
Page 4

GroupVPN
• We have a solution!
• Take an existing P2P VN (IPOP) and add:
  – The ability to bootstrap into private overlays
  – P2P and VN security (Secure P2P VPN)
  – Decentralized revocation techniques
  – Seamless configuration and management of the VPN
• We call it GroupVPN!
• Concepts and a platform for decentralized collaborative environments
Page 5

Outline
• Issues and Motivation
• IPOP Overview – Motivating the GroupVPN
• Bootstrapping an Isolated Overlay
• Securing an Overlay
• Decentralized Revocation
• The GroupVPN
• Conclusion
Page 7

IPOP Overview
• A VN framework
• Supports peer discovery (address resolution) through a DHT and social networks (SocialVPN)
• Written in C#, portable without recompilation

[Figure: two hosts, each running an APP over a NIC, a Virtual Network Device and the VPN Client Software, joined through a Virtual LAN carried over the VPN Overlay.]
Pages 8–14

IPOP's P2P Usage (built up over seven slides)
• All nodes join a DHT P2P overlay
• Decentralized NAT traversal
  – Hole punching
  – Relaying across overlay
• IP Mapping => DHT[IP] = P2P
• Connecting two peers:
  – Resolve IP to a P2P Address
  – Form direct connection between the two parties

[Figure: legend P2P Node, DHT Entry, Message, IPOP. Nodes Z (10.0.123.248), X (10.0.1.2) and W (10.0.5.251); the DHT holds the entries "10.0.123.248 is at Node Z", "10.0.1.2 is at Node X" and "10.0.5.251 is at Node W". Steps: 1) Bootstrap into overlay; 2) Query overlay for IP ↔ P2P; 3) Connection request routed via overlay; 4) Direct link for virtual IP traffic.]
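The four-step connection sequence above, as an added Python simulation that is not IPOP's code: it assumes a toy ring overlay with Chord-style finger connections (the slides do not say how IPOP chooses its structured connections), keeps the DHT[IP] = P2P mapping in one table, routes the connection request greedily over overlay connections, and records the direct link formed at the end. Node names and virtual IPs are the ones in the figure; the 16-bit addresses are constructed.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from typing import Optional

RING_BITS = 16                 # constructed: a 16-bit ring keeps the example readable
RING = 1 << RING_BITS

def overlay_address(seed: str) -> int:
    """P2P (overlay) address of a node; a constructed hash, not IPOP's real address scheme."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest()[:2], "big")

@dataclass
class Node:
    name: str
    vip: str                                       # virtual IP inside the VN
    addr: int = 0                                  # P2P address on the ring
    fingers: list = field(default_factory=list)    # structured connections: successors of addr + 2^i
    links: set = field(default_factory=set)        # direct links formed after NAT traversal

class Overlay:
    """Toy structured overlay carrying the DHT[IP] = P2P mapping from the slides."""
    def __init__(self) -> None:
        self.nodes: dict[int, Node] = {}
        self.dht: dict[str, int] = {}              # DHT[IP] = P2P (key placement abstracted away)

    def successor(self, key: int) -> Node:
        for a in sorted(self.nodes):
            if a >= key:
                return self.nodes[a]
        return self.nodes[min(self.nodes)]          # wrap around the ring

    def bootstrap(self, node: Node) -> None:
        """Step 1: join the overlay and publish this node's IP -> P2P mapping."""
        node.addr = overlay_address(node.name)
        self.nodes[node.addr] = node
        self.dht[node.vip] = node.addr
        for n in self.nodes.values():              # rebuild everyone's structured connections
            n.fingers = [self.successor((n.addr + (1 << i)) % RING).addr for i in range(RING_BITS)]

    def resolve(self, vip: str) -> Optional[int]:
        """Step 2: query the overlay for the IP <-> P2P mapping."""
        return self.dht.get(vip)

    def route(self, src: int, dst: int) -> list[int]:
        """Step 3: forward the request hop by hop over overlay connections (greedy on the ring)."""
        path, cur = [src], src
        while cur != dst:
            nxt = min(self.nodes[cur].fingers, key=lambda f: (dst - f) % RING)
            if (dst - nxt) % RING >= (dst - cur) % RING:
                raise RuntimeError("no progress towards destination")  # impossible with intact fingers
            cur = nxt
            path.append(cur)
        return path

    def connect(self, src: Node, dst_vip: str) -> list[int]:
        """Connect two peers: resolve the IP, route the request via the overlay, then form a direct link."""
        dst_addr = self.resolve(dst_vip)
        if dst_addr is None:
            raise LookupError(f"no DHT entry for {dst_vip}")
        path = self.route(src.addr, dst_addr)
        src.links.add(dst_addr)                    # Step 4: direct link for virtual IP traffic
        self.nodes[dst_addr].links.add(src.addr)
        return path

if __name__ == "__main__":
    ov = Overlay()
    z, x, w = Node("Node Z", "10.0.123.248"), Node("Node X", "10.0.1.2"), Node("Node W", "10.0.5.251")
    for n in (z, x, w):
        ov.bootstrap(n)
    print("request from X to 10.0.5.251 routed via", ov.connect(x, "10.0.5.251"))
```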
Page 15

Remaining Challenges
• Difficulty supporting ad-hoc networks
  – Undesirable to create a bootstrap node and distribute its information
  – Alternatively, use a public / shared overlay for all VNs
    • DHT is left insecure
    • Poorly performing / connected peers reduce the effectiveness of routing via the overlay
• Lacks security
  – P2P security would protect the DHT
  – Link (or end-to-end) security would protect the VN => VPN
• How to perform decentralized revocation?
• Requires intimate knowledge of IPOP to bootstrap a new P2P VN
Page 16

Outline (repeated; see Page 5)
Page 17

Bootstrapping Overlays
• Challenges:
  – Dedicated bootstrap node or set of nodes
  – Distribute IP addresses out of band
  – Too much work for small or ad-hoc overlays
• Our solution:
  – Bootstrap using existing overlays
  – Current support: public IPOP overlay and XMPP
Page 18

Abstraction
• EdgeListeners handle creating outgoing links and handling incoming links
• Edges store state for links
• Connections store overlay information for links and represent
• Connection Managers create links, verify bidirectional connectivity, and add to routing
• Node constructs the environment and provides basic routing primitives

[Figure: layered stack. EdgeListener (Transport Manager); Edges (Links to remote nodes); Connections (Verified bidirectional links); Connection Managers – Structured / Bootstrapping / Direct; Node (Overlay Management); Routing.]
Page 19

Overheads of Multiplexing
• UDP NAT Traversal:
  – UDP EdgeListener learns the public:private IP:Port mapping from the public IPOP overlay
  – Reuse the same socket (IP:Port) / EdgeListener in the private overlay
  – Multiplex a single UDP EdgeListener via "Pathing"
• Otherwise tunnel packets through the public IPOP overlay

                 Latency (ms)   Bandwidth (Mbps)
  Native         0.303          225.27
  With Pathing   0.308          224.36
Page 20

Outline (repeated; see Page 5)
Page 21

Securing an Overlay
• Requirements
  – P2P links must be secured for the DHT
  – VPN links may optionally be secured (for a higher level of security)
  – Must support unreliable senders (UDP / Overlay)
  – Certificates must be mobile / not bound to an IP address
• Questions:
  – Best approach to make it transparent
  – Overheads / feasibility
Page 22

Making Security Transparent
• Filter model – can be placed anywhere in the sending / receiving stack
• DTLS supports unreliable transmissions
• Bind certificate to overlay address

[Figure 1: VPN stack. Sender (VPN IP 5.0.5.5, NodeAddress ABCDEF, Edge IP 10.227.56.77) with stages TAP Device, VPN Software, Secure PtP Sender, Overlay Sender, PtP Sender; Receiver (VPN IP 5.0.5.4, NodeAddress 123456, Edge IP 192.168.5.33) with stages PtP Receiver, Overlay Receiver, Secure PtP Receiver, VPN Software, TAP Device. Packets cross the P2P Overlay nested as Physical IP Packet > Overlay Packet > Security Packet > IP Packet.]

[Figure 2: Chat stack. Sender (UserName Alice, NodeAddress ABCDEF, Edge IP 10.227.56.77) with stages UI as Source, Chat App Sender, Secure Overlay Sender, Overlay Sender, PtP Sender; Receiver (UserName Bob, NodeAddress 123456, Edge IP 192.168.5.33) with stages PtP Receiver, Overlay Receiver, Secure Overlay Receiver, Chat App Receiver, UI as Receiver. Packets cross the P2P Overlay nested as Physical IP Packet > Security Packet > Overlay Packet > Chat Message.]
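An added Python model of the filter stacks in the two figures; it is not the project's code. The HMAC-based SecurityFilter is a constructed stand-in for the DTLS filter, the per-pair key and the JSON headers are assumptions made only to show encapsulation, and the names (ABCDEF, 123456, the Edge IPs) are those in the figures. It shows the two nestings drawn above, that a sender keeps its identity when its Edge IP changes because the security layer is bound to NodeAddress, and that a packet claiming a different NodeAddress is rejected.

```python
import hashlib
import hmac
import json

def _wrap(kind: str, fields: dict, body: bytes) -> bytes:
    """Prefix body with a one-line JSON header (no newline inside), so nesting stays unambiguous."""
    return json.dumps({"kind": kind, **fields}).encode() + b"\n" + body
def _unwrap(packet: bytes) -> tuple:
    head, body = packet.split(b"\n", 1)
    return json.loads(head), body

class OverlayFilter:
    """Overlay Sender / Receiver: addresses peers by NodeAddress, not by Edge IP."""
    def send(self, body: bytes, ctx: dict) -> bytes:
        return _wrap("overlay", {"src": ctx["src_node"], "dst": ctx["dst_node"]}, body)
    def recv(self, packet: bytes, ctx: dict) -> bytes:
        head, body = _unwrap(packet)
        if head["dst"] != ctx["my_node"]:
            raise ValueError("overlay packet is not addressed to this node")
        return body

class SecurityFilter:
    """Constructed stand-in for the DTLS filter: a keyed MAC replaces the certificate-authenticated
    session, but the authenticated identity is still the sender's NodeAddress, never its Edge IP."""
    def __init__(self, pair_key: bytes) -> None:
        self.pair_key = pair_key
    def _tag(self, node: str, body: bytes) -> str:
        return hmac.new(self.pair_key, node.encode() + b"\0" + body, hashlib.sha256).hexdigest()
    def send(self, body: bytes, ctx: dict) -> bytes:
        return _wrap("security", {"node": ctx["src_node"], "tag": self._tag(ctx["src_node"], body)}, body)
    def recv(self, packet: bytes, ctx: dict) -> bytes:
        head, body = _unwrap(packet)
        if not hmac.compare_digest(head["tag"], self._tag(head["node"], body)):
            raise ValueError("security packet failed authentication")
        if head["node"] != ctx["peer_node"]:
            raise ValueError("authenticated NodeAddress does not match the expected peer")
        return body

class EdgeFilter:
    """PtP Sender / Receiver: the physical IP packet between Edge IPs, which NAT may rewrite."""
    def send(self, body: bytes, ctx: dict) -> bytes:
        return _wrap("physical", {"src_ip": ctx["src_edge_ip"], "dst_ip": ctx["dst_edge_ip"]}, body)
    def recv(self, packet: bytes, ctx: dict) -> bytes:
        return _unwrap(packet)[1]

def transmit(stack: list, payload: bytes, ctx: dict) -> bytes:
    """Sending stack, first filter innermost: returns the packet that goes on the wire."""
    for f in stack:
        payload = f.send(payload, ctx)
    return payload

def deliver(stack: list, packet: bytes, ctx: dict) -> bytes:
    """Receiving stack in reverse order; raises ValueError when a filter rejects the packet."""
    for f in reversed(stack):
        packet = f.recv(packet, ctx)
    return packet

def accepts(stack: list, packet: bytes, ctx: dict) -> bool:
    try:
        deliver(stack, packet, ctx)
        return True
    except ValueError:
        return False

def layers(packet: bytes) -> list:
    """Header kinds from the outside in: the nesting drawn in the slide's figures."""
    kinds = []
    try:
        while True:
            head, packet = _unwrap(packet)
            kinds.append(head["kind"])
    except ValueError:              # no header left: reached the innermost payload
        return kinds
```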
Page 23

Overheads of Security
• Time for a single node to join an overlay
  • Small (nearly negligible) difference between secure and insecure bootstrapping times
• Time to bootstrap an overlay (simultaneous joins)
  • Similar results to a single node joining the overlay
Page 24

Outline (repeated; see Page 5)
Page 25

Revocation – Traditional Approaches
• Centralized revocation list
  – Revoked certificates are added to a signed revocation list
  – Typically hosted at a URL
• Online Certificate Status Protocol (OCSP)
  – Determine the status of a single certificate
  – Typically hosted as a web service
• Centralized solutions, not ideal for P2P
Page 26

Decentralized Revocation
• OCSP via the DHT
  – Revoked certificates are marked in the DHT as being revoked
  – Valid certificates
    • Have no entry in the DHT
    • Time-limited entry stored in the DHT (more secure)
    • The former approach can be hampered by collusion attacks on the DHT; the latter may introduce unattractive overheads
• Immediate revocation via overlay broadcast
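An added Python model (not from the paper) of the two "valid certificate" conventions for OCSP via the DHT. Entry placement and replication are abstracted into one dictionary, the clock is injectable so expiry can be exercised, and `drop_entry` stands in for the marker being lost, whether through collusion or churn; this shows that the no-entry convention then fails open while the time-limited convention fails closed, at the price of periodic refresh writes that `refresh_writes_per_hour` estimates.

```python
from __future__ import annotations
import time
from dataclasses import dataclass, field
from typing import Callable

REVOKED, VALID = "revoked", "valid"

class FakeClock:
    """Constructed clock so entry expiry can be exercised deterministically."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now
    def __call__(self) -> float:
        return self.now

@dataclass
class RevocationDHT:
    """Toy model (constructed) of OCSP-over-DHT keyed by certificate serial.

    mode="absent_is_valid": valid certificates have no entry; only revocations are stored.
    mode="time_limited":   a certificate is valid only while it holds a fresh, time-limited entry.
    """
    mode: str
    ttl: float = 60.0                             # lifetime of a 'valid' entry (time_limited mode)
    clock: Callable[[], float] = time.time
    entries: dict = field(default_factory=dict)   # serial -> (state, expires_at)
    refreshes: int = 0                            # DHT writes spent keeping entries fresh: the overhead

    def revoke(self, serial: str) -> None:
        """Mark the certificate revoked; the marker never expires."""
        self.entries[serial] = (REVOKED, float("inf"))

    def refresh(self, serial: str) -> None:
        """The certificate holder re-publishes its 'valid' entry (no-op in absent_is_valid mode)."""
        if self.mode != "time_limited":
            return
        if self.entries.get(serial, (VALID, 0.0))[0] == REVOKED:
            return                                # a revoked certificate cannot re-validate itself
        self.entries[serial] = (VALID, self.clock() + self.ttl)
        self.refreshes += 1

    def status(self, serial: str) -> str:
        """OCSP-style answer a verifying peer derives from the DHT: 'good', 'revoked' or 'unknown'."""
        entry = self.entries.get(serial)
        if entry is None:
            return "good" if self.mode == "absent_is_valid" else "unknown"
        state, expires_at = entry
        if state == REVOKED:
            return "revoked"
        return "good" if self.clock() < expires_at else "unknown"

    def drop_entry(self, serial: str) -> None:
        """Simulate the entry vanishing, e.g. the nodes responsible for the key colluding to discard it."""
        self.entries.pop(serial, None)

def refresh_writes_per_hour(members: int, ttl_seconds: float) -> float:
    """Steady-state DHT write load of time_limited mode: one refresh per member per TTL."""
    return members * 3600.0 / ttl_seconds

if __name__ == "__main__":
    clock = FakeClock(100.0)
    for mode in ("absent_is_valid", "time_limited"):
        dht = RevocationDHT(mode, ttl=60.0, clock=clock)
        dht.refresh("cert-1"); dht.revoke("cert-1"); dht.drop_entry("cert-1")
        print(f"{mode}: after the revocation marker is lost, peers see {dht.status('cert-1')!r}")
    print("1000 members with a 10-minute TTL:", refresh_writes_per_hour(1000, 600), "writes/hour")
```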
Page 27

Broadcast Revocation
• Efficient broadcast method immediately revokes invalid certificates in O(log2 N)
• Process:
  – Broadcasting node sends to neighbor nodes in a range
  – Each receiving node processes the revocation and sends in its subrange
  – Repeat until no nodes remain in the subrange
• Efficient – almost all receive in less than O(log N)
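The range-splitting broadcast above, as an added Python simulation that is not the project's code. It assumes a Chord-like ring in which each node's connections are the successors of addr + 2^i (the slides do not state IPOP's connection rule) and constructed 16-bit addresses; it counts the messages sent and records the depth at which every node receives the revocation, so the single delivery per node and the logarithmic depth can be checked.

```python
from __future__ import annotations
import hashlib

RING_BITS = 16                      # constructed: a 16-bit ring, far smaller than a real overlay's
RING = 1 << RING_BITS

def overlay_address(seed: str) -> int:
    """Constructed overlay address; the real system's identifiers are much larger."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest()[:2], "big")

class Overlay:
    """Toy structured ring whose connections are the successors of addr + 2^i (Chord-like)."""
    def __init__(self, names: list[str]) -> None:
        self.addrs = sorted({overlay_address(n) for n in names})
        self.fingers = {a: sorted({self.successor((a + (1 << i)) % RING) for i in range(RING_BITS)} - {a})
                        for a in self.addrs}
        self.revoked: dict[int, set[str]] = {a: set() for a in self.addrs}   # each node's local list
        self.messages = 0                                                     # total messages sent

    def successor(self, key: int) -> int:
        for a in self.addrs:
            if a >= key:
                return a
        return self.addrs[0]

    def broadcast(self, origin: int, serial: str) -> dict[int, int]:
        """Revoke `serial` everywhere starting at origin; returns {node: depth at which it received it}."""
        self.revoked[origin].add(serial)
        delivered: dict[int, int] = {}
        self._forward(origin, RING, 0, serial, delivered)   # origin is responsible for the whole ring
        return delivered

    def _forward(self, node: int, width: int, depth: int, serial: str, delivered: dict[int, int]) -> None:
        """`node` covers the clockwise range (node, node + width): it sends to its connections inside
        that range, handing each recipient the subrange up to the next recipient; the recursion ends
        when a range holds no further connections."""
        dists = sorted((f - node) % RING for f in self.fingers[node] if 0 < (f - node) % RING < width)
        for j, d in enumerate(dists):
            peer = (node + d) % RING
            sub_width = (dists[j + 1] if j + 1 < len(dists) else width) - d
            self.messages += 1
            self.revoked[peer].add(serial)          # the receiving node processes the revocation ...
            delivered[peer] = depth + 1
            self._forward(peer, sub_width, depth + 1, serial, delivered)   # ... and sends in its subrange

    def is_revoked(self, node: int, serial: str) -> bool:
        return serial in self.revoked[node]

if __name__ == "__main__":
    ov = Overlay([f"node-{i}" for i in range(40)])
    depths = ov.broadcast(ov.addrs[0], "cert-serial-7")
    print(f"{len(depths)} of {len(ov.addrs) - 1} peers reached, {ov.messages} messages, "
          f"max depth {max(depths.values())} (log2 N = {len(ov.addrs).bit_length() - 1})")
```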
Page 28

Outline (repeated; see Page 5)
Page 29

GroupVPN – Background
• Bring all the pieces together
  – Users still need to configure the system
  – No interface for certificate signing / revocation
• Solution: GroupVPN Web Interface
  – Publicly available at www.grid-appliance.org
  – Also redistributable as a virtual machine image
  – Organize VPNs as social networking groups
  – Automated signing of certificates
  – Initiate certificate revocation
Page 30

Interacting with GroupVPN
• Group Interface
  – Create / join groups
• Creating a group (Admin)
  – Specifying VPN attributes
    • IP address range
    • Security parameters
    • User agreement
  – Accept / reject / revoke user access
• Group members
  – Download VPN configuration data
  – VPN config data contains a private, unique identifier
  – During the first run of a VPN, this ID is sent to the web interface to obtain a signed X.509 certificate
Pages 31–37

GroupVPN in Action (built up over seven slides)
User) Join group, obtain credentials and P2P information
1) Request / obtain group certificate
2) Bootstrap into public overlay
3) Query overlay for private overlay members
4) Obtain IP address and Pathing information for private overlay participants
5) Connect to private overlay using Pathing

[Figure: legend P2P Node, DHT Entry, Message, VPN, Public to Private. Node Z is reached in the public overlay; Nodes X and W are the private overlay members, recorded in the DHT entry "VPN: Node X, Node W".]
Page 38

GroupVPN Versus IPOP
[Figure: the IPOP connection diagram repeated (Nodes Z, X and W with the DHT entries "10.0.123.248 is at Node Z", "10.0.1.2 is at Node X" and "10.0.5.251 is at Node W"), with the final step changed: 1) Bootstrap into overlay; 2) Query overlay for IP ↔ P2P; 3) Connection request routed via overlay; 4) Direct "secure" link for virtual IP traffic.]
Page 39

Outline (repeated; see Page 5)
Page 40

Conclusion
• Multiplexing sockets enables seamless NAT traversal from a public overlay to a private overlay with low overheads
• Security has nearly negligible overheads for bootstrapping overlays
• Overlays can be used to provide decentralized revocation
• GroupVPN-like systems qualitatively reduce the overheads of deploying and managing VPNs
Page 41

Thank you! Questions?
(More at www.grid-appliance.org)