Overlay Convergence Architecture for Legacy Applications

Nov 22, 2006: Website redesigned.


Legacy applications benefit from OCALA in two different ways. Firstly, OCALA enables applications to leverage the new functionality offered by overlays. Secondly, the OC-I sub-layer of OCALA allows a path to traverse multiple overlays thus composing their functionalities. We now describe some applications that demonstrate these two types of benefits.

Functionality Enabled by Overlays

i3 offers functionality such as NAT traversal and receiver-imposed middleboxes, while HIP offers secure mobility. The following applications leverage these through the i3 and HIP OC-D modules.

  • NAT Traversal: i3 enables access to machines behind NATs. By using the i3 OC-D module in conjunction with the OC-I sub-layer, a user can run legacy servers behind NATs. In addition to allowing external users to contact these servers, it also enables home users to securely access their machines from anywhere by simply remembering the human-readable name of their home machine.

    For a demo of a web server accessed over i3, using the OCALA remote-client-proxy, please visit http://www.cs.berkeley.edu/~dilip/photos.shtml.

    For more details on the NAT traversal service offered by OCALA, please visit the OCALA NAT Traversal Service page.

    Figure: NAT traversal using i3

  • Receiver Imposed Middleboxes: i3 enables hosts to redirect all incoming traffic through a middlebox which may be located anywhere in the network. This functionality of i3 can be used to force all incoming traffic to a legacy server to pass through an intrusion detection middlebox, even one that is not on the physical path to the server. The following figure shows some analysis performed by a Bro intrusion detection box imposed on the path to a legacy FTP server using OCALA.

    Figure: Analysis performed by Bro

  • Secure Mobility: HIP enables hosts to securely communicate with each other even when the hosts are mobile. This functionality of HIP is leveraged to support ssh connections that remain alive even when one of the hosts changes its IP address.

Functionality Enabled by the OC-I Sub-layer

The OC-I sub-layer's ability to provide simultaneous access to multiple overlays and to bridge together different overlays enables the following applications:

  • Secure Intranet Access: A more flexible and secure version of Virtual Private Networks (VPNs) can be implemented by using the OC-I sub-layer to contact legacy hosts over an overlay. A legacy server gateway runs inside the organization and hence has unrestricted access to all intranet hosts. To access intranet machines, external end-hosts relay packets through the legacy gateway. Authentication and encryption are important requirements in this scenario, and we simply leverage the OC-I sub-layer's security mechanisms for this purpose. Any routing overlay, including vanilla IP, can be used for communicating between the user's machine and the legacy gateway. The main advantage of this system over regular VPN-based systems is that a client can access multiple intranets at the same time even if both intranets use the same address range. Users specify their preference through the configuration file -- for example, all connections to *.company1.com should go through the gateway of company 1, while connections to *.company2.com should use the gateway of company 2. Another distinguishing feature of this system is that, unlike in traditional VPNs, a client is not assigned an IP address from the intranet address space. This improves security by making it difficult for a client infected by a scanning worm to directly attack other hosts within the intranet.

  • Overlay Composition: Overlay composition allows an application to explicitly stitch together different network overlays. Apart from enabling interoperability, this allows a user to merge the functionalities of multiple overlays in interesting ways. For example, a user who connects to the Internet through a wireless hop may use i3 for uninterrupted communication while switching between various wireless networks. In addition, the user may also wish to optimize wide-area performance using RON. We achieve this by using i3 to connect to a nearby i3-to-RON gateway, which then relays packets over a RON-optimized path.

    Figure: Stitching together overlays
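The name-based gateway selection described under Secure Intranet Access above, as an added example that is not OCALA's own code or configuration format: the rule table, the gateway host names and the 10.1.2.3 addresses are constructed to show why two intranets with the same address range do not collide when the client routes on names rather than on IP addresses.

```python
import fnmatch

# Constructed rule table (hypothetical format, not OCALA's config syntax):
# wildcard name pattern -> legacy gateway and the overlay used to reach it.
RULES = [
    ("*.company1.com", {"gateway": "gateway1.company1.com", "overlay": "i3"}),
    ("*.lab.company1.com", {"gateway": "labgw.company1.com", "overlay": "ip"}),
    ("*.company2.com", {"gateway": "gw.company2.com", "overlay": "ip"}),
]

# Constructed intranet name tables, one per gateway. Both intranets use
# 10.0.0.0/8, so the same address 10.1.2.3 exists in each of them.
INTRANET_DNS = {
    "gateway1.company1.com": {"wiki.company1.com": "10.1.2.3"},
    "labgw.company1.com": {"ci.lab.company1.com": "10.9.9.9"},
    "gw.company2.com": {"build.company2.com": "10.1.2.3"},
}


def select_gateway(name):
    """Pick the rule for a legacy host name by wildcard match.

    The longest (most specific) matching pattern wins; a name with no
    matching rule is reached directly over plain IP with no gateway.
    """
    matches = [(pat, rule) for pat, rule in RULES
               if fnmatch.fnmatch(name.lower(), pat)]
    if not matches:
        return None
    return max(matches, key=lambda m: len(m[0]))[1]


def resolve_path(name):
    """Return (gateway, overlay, intranet_ip) for a name.

    The intranet address is looked up by the chosen gateway, so the client
    never holds an address in the intranet's range and overlapping ranges
    behind different gateways stay separate.
    """
    rule = select_gateway(name)
    if rule is None:
        return (None, "ip", None)
    ip = INTRANET_DNS.get(rule["gateway"], {}).get(name)
    return (rule["gateway"], rule["overlay"], ip)


def ip_routing_would_collide(name_a, name_b):
    """True when the two hosts share an intranet address but sit behind
    different gateways: plain IP routing could not tell them apart, while
    name-based selection still does."""
    gw_a, _, ip_a = resolve_path(name_a)
    gw_b, _, ip_b = resolve_path(name_b)
    return ip_a is not None and ip_a == ip_b and gw_a != gw_b
```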

Last Updated on 11/22/06 15:51:48