Implementing dynamic membership in a secure multicast protocol Ilana Sarfati and Orna Dutech Winter...

Implementing dynamic membership in a secure multicast protocol

Ilana Sarfati and Orna Dutech

Winter 2005

Supervisor: Gal Badishi

Technion – Israel Institute of Technology, Faculty of Electrical Engineering

Software Lab

Summary

Introduction
Project Presentation
The Join Mechanism
The Leave Mechanism
The Ping Feature
Experiments and Results

Introduction (1)

In a multicast protocol, several processes form a multicast group.

Each process in the group exchanges messages with the other group members (through pull and push operations).

The implementation is secure: every message is digitally signed by its creator using its private key; to validate other members' messages, each group member must hold the other members' public keys.

Introduction (2)

The implementation is static: it is based on the assumption that every member knows every other member and that no host can be added to or removed from the group at run time.

Project Presentation

Implementation of a dynamic membership protocol

The system should permit members to join and leave at run time.

The challenge was to permit smooth communication between the newly joined members and existing ones, and conversely to inform every member when one of them leaves.

The solution had to be scalable and preserve the safety of the system (against DoS attacks…).

The join mechanism

The join mechanism (1)

When a new member joins the group: its certificate (containing its public key, its IP address, its port…) must be propagated among the other processes; it must receive the certificates of the already connected processes.

A join request is the message sent by the new host to some members to indicate that it wants to join. It contains the new host's certificate.

It is the only unsigned message in the system.

The join mechanism (2)

The joining host has a partial (small) view of the system, which is composed of a fixed subset of (hopefully) connected members.

Its Joiner thread sends a join request to all of them. It terminates as soon as a request is answered by a member. If none is answered after a while, other requests are sent. This process eventually ends (cf. the ping feature).

One JoinWaiter thread is created by the Joiner thread for each join request. Its role is to wait for an answer from a particular member. If it receives an answer, the host becomes an official member.

The join mechanism (3)

Each member runs a JoinReceiver thread, which is in charge of receiving the join requests of new hosts.

When a join request is received, it adds the new host's certificate to its database and sends the certificates of all the hosts it holds in its database to the corresponding JoinWaiter thread of the new host.

The JoinWaiter thread then inserts those certificates into the new host's database and terminates.

The new host is now able to validate signed messages of members in the group.

Propagation of a join message

Apart from adding the new certificate to its database, the JoinReceiver thread also adds the join request to the message database so that it will be propagated as a normal message using push and pull operations.

Every host that receives a join request in push / pull operations updates its database with the new certificate.

By this means, the new host's certificate is propagated among all members of the group. The new host can generate messages and all the members will be able to validate them.

Class diagram for the join mechanism

Sequence diagram for the join mechanism

The leave mechanism

The leave mechanism (1)

When a user leaves the system, its public key should be deleted from the other users' databases. The goal is to ensure that every host has a view of active members so that it will not send messages to hosts that have left.

A leave request is the message sent by a host to a member to indicate that it wants to leave. It is an empty message which is identified by its type.

The leave mechanism (2)

The leaving host creates a new thread called Leaver.

This thread sends a leave request to a view of members. It terminates as soon as a request is answered by a member. If none is answered after a while, other requests are sent (to a new view). This process eventually ends (cf. the ping feature).

One LeaveWaiter thread is created by the Leaver thread for each leave request. Its role is to wait for an ack from a particular member.

The leave mechanism (3)

Each member runs a LeaveReceiver thread, which is in charge of receiving the leave requests of other hosts.

When a leave request is received, it removes the certificate of the host sending the request from its database and sends an ack to the corresponding LeaveWaiter thread.

The Leaver thread then terminates. The leaving host can now quit the system.

Propagation of a leave message

Apart from removing the certificate of the leaving host from its database, the LeaveReceiver thread also adds the leave request to the message database so that it will be propagated as a normal message using push and pull operations.

Every host that receives a leave request in push / pull operations updates its database by removing the certificate of the leaving host.

By this means, all members will be informed that a host has left the group, and will have their databases updated.

Class diagram for the leave mechanism

Sequence diagram for the leave mechanism
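
The join and leave propagation described above, as an added Python sketch that is not code from the original project: the Host class, the message keys and the cert-... strings are constructed for illustration, and signature checks are left out. It also assumes that a leave already seen blocks a late join for the same host, which the slides do not state.

```python
import random

class Host:
    def __init__(self, name):
        self.name = name
        self.certs = {name: f"cert-{name}"}  # constructed stand-in for a certificate
        self.messages = {}                   # (type, host) -> certificate or None

    def apply(self, key, cert):
        """Store a join/leave message once and update the certificate database."""
        if key in self.messages:
            return
        self.messages[key] = cert
        kind, host = key
        if kind == "leave":
            self.certs.pop(host, None)
        elif ("leave", host) not in self.messages:
            # Assumption of this sketch: a leave seen earlier blocks a late join.
            self.certs[host] = cert

    def receive_join(self, joiner):
        """JoinReceiver: record the request, answer with all certificates held."""
        self.apply(("join", joiner.name), joiner.certs[joiner.name])
        joiner.certs.update(self.certs)      # JoinWaiter side: fill the new database

def gossip_round(hosts, rng):
    """Every running host does one push and one pull with a peer it knows."""
    for h in list(hosts.values()):
        peers = [p for p in h.certs if p != h.name and p in hosts]
        if not peers:
            continue
        peer = hosts[rng.choice(peers)]
        for key, cert in list(h.messages.items()):     # push
            peer.apply(key, cert)
        for key, cert in list(peer.messages.items()):  # pull
            h.apply(key, cert)

def run(n=10, rounds=500, seed=1):
    rng = random.Random(seed)
    hosts = {"h1": Host("h1")}
    for i in range(2, n + 1):                # each host joins via the previous joiner
        new = Host(f"h{i}")
        hosts[f"h{i - 1}"].receive_join(new)
        hosts[new.name] = new
    leaver = hosts.pop(f"h{n}")              # the last joiner leaves through h1
    hosts["h1"].apply(("leave", leaver.name), None)    # LeaveReceiver role
    for _ in range(rounds):
        gossip_round(hosts, rng)
    return {name: sorted(h.certs) for name, h in hosts.items()}
```

In this run h1 processes the leave of h10 before the join of h10 reaches it by gossip, which is the ordering the blocking rule is there for.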

The ping feature

The ping feature: Motivation

Problem: If a host can no longer answer requests (maybe because it failed), the other members should know about it so that they will not try to communicate with it anymore.

Solution: If host B does not answer member A's requests for a long time, it has to be removed from A's database.

The ping feature parameters

A host B is suspect to A if it has not answered at least one of A's requests.

If host B doesn't answer a maximal number (NPingBound) of successive requests from A, it is removed from A's database.

If it answers one of A's requests, it is no longer a suspect member.

When A selects a view for its next request, it includes a certain percentage (PPingView) of suspect members.

The ping feature implementation

There is no specific ping message. Instead, every member keeps a list of the suspect hosts and a counter that counts the number of successive unanswered requests for each host.

The regular protocols of sending requests and messages between members are used to update this list:

The threads JoinWaiter, LeaveWaiter, PullWaiter, PushWaiter, PullReceiver and PushReceiver are in charge of updating this list.

They can increment the counter, add a new host, remove a host if it has answered a request, or remove a host from the database when NPingBound was reached.
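
The suspect list and its two parameters, as an added Python sketch that is not code from the original project: PingTracker, simulate, the host names and the values NPingBound = 3, PPingView = 0.5 and view size 4 are assumptions chosen for illustration. The simulated scenario follows experiment III (even-numbered hosts fail silently).

```python
import math
import random

class PingTracker:
    """Member A's suspect list: successive unanswered requests per host."""

    def __init__(self, members, n_ping_bound, p_ping_view, rng=None):
        self.members = set(members)       # hosts in A's certificate database
        self.suspects = {}                # host -> successive unanswered requests
        self.n_ping_bound = n_ping_bound  # NPingBound
        self.p_ping_view = p_ping_view    # PPingView, as a fraction of the view
        self.rng = rng or random.Random()

    def answered(self, host):
        self.suspects.pop(host, None)     # one answer clears the suspicion

    def unanswered(self, host):
        if host not in self.members:
            return
        self.suspects[host] = self.suspects.get(host, 0) + 1
        if self.suspects[host] >= self.n_ping_bound:
            self.members.discard(host)    # bound reached: drop from the database
            del self.suspects[host]

    def select_view(self, size):
        suspects = sorted(self.suspects)
        healthy = sorted(self.members - set(self.suspects))
        # Rounding up is a choice of this sketch: any PPingView > 0 then
        # guarantees that suspects keep being probed until cleared or removed.
        n_sus = min(len(suspects), math.ceil(size * self.p_ping_view))
        view = self.rng.sample(suspects, n_sus)
        return view + self.rng.sample(healthy, min(len(healthy), size - n_sus))

def simulate(failed, n_hosts=10, view_size=4, seed=7, max_rounds=1000):
    """A = host1; hosts in `failed` never answer. Returns (rounds, members left)."""
    failed = set(failed)
    a = PingTracker([f"host{i}" for i in range(2, n_hosts + 1)], 3, 0.5,
                    random.Random(seed))
    for rnd in range(1, max_rounds + 1):
        for host in a.select_view(view_size):
            if host in failed:
                a.unanswered(host)
            else:
                a.answered(host)
        if not a.members & failed:
            return rnd, sorted(a.members)
    return None, sorted(a.members)
```

If the suspect share of the view could round down to zero, a failed host would stay in the database indefinitely, which is why the view always reserves room for suspects here.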

Experiments and results

Experiments and Results (1)

I. Joining mechanism and propagation of join requests

The experiment consists of one host running alone. Nine other hosts join one by one by sending a join request to the host that has just joined the group (approximately one join every 2 seconds).

[Figure: number of hosts known by the first joiner versus time (s); series "serie1"]

Experiments and Results (2)

II. Leaving mechanism and propagation of leave requests

The experiment consists of 10 hosts running. They know each other. No host generates messages. Hosts 6, 7, 8, 9, and 10 leave the group after 75 seconds, by sending leave requests.

[Figure "Experience 3": number of hosts known versus time (s); series Host 3 and Host 5]

Experiments and Results (3)

III. Ping feature

The experiment consists of 10 hosts running. They know each other. No host generates messages. The even-numbered hosts fail (they do not send leave requests before leaving) after 50 sec.

[Figure: number of hosts known versus time (s); series Host 1 and Host 5]
