Finished cover page
@@ -6,8 +6,8 @@
|
||||
|
||||
This chapter describes the methodology used to benchmark peer-to-peer
|
||||
mesh VPN implementations. The experimental design prioritizes
|
||||
reproducibility at every layer---from dependency management to network
|
||||
conditions---enabling independent verification of results and
|
||||
reproducibility at every layer; from dependency management to network
|
||||
conditions; enabling independent verification of results and
|
||||
facilitating future comparative studies.
|
||||
|
||||
\section{Experimental Setup}
|
||||
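Review bot: The semicolons that replace the two `---` in the second sentence ("at every layer; from dependency management to network conditions; enabling ...") leave it ungrammatical, because neither fragment they set off is an independent clause. Use commas ("reproducibility at every layer, from dependency management to network conditions, enabling independent verification ...") or keep the dashes. The commit subject "Finished cover page" also does not mention this punctuation change to the methodology chapter.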
@@ -20,7 +20,8 @@ identical specifications:
|
||||
\begin{itemize}
|
||||
\item \textbf{CPU:} Intel Model 94, 4 cores / 8 threads
|
||||
\item \textbf{Memory:} 64 GB RAM
|
||||
\item \textbf{Network:} 1 Gbps Ethernet (e1000e driver; one machine uses r8169)
|
||||
\item \textbf{Network:} 1 Gbps Ethernet (e1000e driver; one machine
|
||||
uses r8169)
|
||||
\item \textbf{Cryptographic acceleration:} AES-NI, AVX, AVX2, PCLMULQDQ,
|
||||
RDRAND, SSE4.2
|
||||
\end{itemize}
|
||||
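Review bot: The Network item states that one machine uses r8169, yet the list is introduced as "identical specifications", and the rewrap leaves that inconsistency in place. Name the machine with the r8169 NIC and say whether it is on any measured path, or soften "identical" in the introducing sentence, since a different NIC driver can affect throughput and latency results.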
@@ -56,7 +57,8 @@ mesh topologies. Table~\ref{tab:vpn_selection} summarizes the selection.
|
||||
\hline
|
||||
\textbf{VPN} & \textbf{Architecture} & \textbf{Notes} \\
|
||||
\hline
|
||||
Tailscale (Headscale) & Coordinated mesh & Open-source coordination server \\
|
||||
Tailscale (Headscale) & Coordinated mesh & Open-source
|
||||
coordination server \\
|
||||
ZeroTier & Coordinated mesh & Global virtual Ethernet \\
|
||||
Nebula & Coordinated mesh & Slack's overlay network \\
|
||||
Tinc & Fully decentralized & Established since 1998 \\
|
||||
@@ -208,9 +210,9 @@ effective round-trip impairment is approximately doubled.
|
||||
\begin{tabular}{lccccc}
|
||||
\hline
|
||||
\textbf{Profile} & \textbf{Latency} & \textbf{Jitter} &
|
||||
\textbf{Loss} & \textbf{Reorder} & \textbf{Correlation} \\
|
||||
\textbf{Loss} & \textbf{Reorder} & \textbf{Correlation} \\
|
||||
\hline
|
||||
Baseline & --- & --- & --- & --- & --- \\
|
||||
Baseline & ; & ; & ; & ; & ; \\
|
||||
Low & 2 ms & 2 ms & 0.25\% & 0.5\% & 25\% \\
|
||||
Medium & 4 ms & 7 ms & 1.0\% & 2.5\% & 50\% \\
|
||||
High & 12 ms & 30 ms & 5.0\% & 10\% & 50\% \\
|
||||
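Review bot: In the Baseline row the `---` placeholders became `;`, so the table will print a literal semicolon in all five cells, which reads as data rather than "no impairment applied". This looks like a side effect of a global search-and-replace over `---`; restore the dashes in this row or use an explicit marker such as n/a.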
@@ -289,7 +291,8 @@ Key pinned inputs include:
|
||||
\item \textbf{nixpkgs:} Follows \texttt{clan-core/nixpkgs}, ensuring a
|
||||
single version across the dependency graph
|
||||
\item \textbf{clan-core:} The Clan framework, pinned to a specific commit
|
||||
\item \textbf{VPN sources:} Hyprspace, EasyTier, Nebula locked to exact commits
|
||||
\item \textbf{VPN sources:} Hyprspace, EasyTier, Nebula locked to
|
||||
exact commits
|
||||
\item \textbf{Build infrastructure:} flake-parts, treefmt-nix, disko,
|
||||
nixos-facter-modules
|
||||
\end{itemize}
|
||||
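Review bot: "pinned to a specific commit" and "locked to exact commits" do not say which commits, so a reader cannot verify the pins from the text. Since this list supports the reproducibility claim, point to where the pinned revisions are recorded or list the revision hashes for clan-core, Hyprspace, EasyTier and Nebula, for example in an appendix table.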
@@ -312,7 +315,7 @@ configuration entirely or rolls back.
|
||||
Clan's inventory system maps machines to service roles declaratively.
|
||||
For each VPN, the orchestrator writes an inventory entry assigning
|
||||
machines to roles (e.g., Nebula lighthouse vs.\ peer). The Clan module
|
||||
system translates this into NixOS configuration---systemd services,
|
||||
system translates this into NixOS configuration; systemd services,
|
||||
firewall rules, peer lists, and key references. The same inventory
|
||||
entry always produces the same NixOS configuration.
|
||||
|
||||
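Review bot: The `;` after "NixOS configuration" now introduces a list ("systemd services, firewall rules, peer lists, and key references"), which is not a clause a semicolon can join. A colon is the right mark here: "translates this into NixOS configuration: systemd services, firewall rules, ...".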
@@ -364,12 +367,11 @@ environments across benchmark runs.
|
||||
Lackorzynski et al.\ \cite{lackorzynski_comparative_2019} evaluate
|
||||
VPN protocols in the context of industrial communication systems (Industry 4.0),
|
||||
benchmarking OpenVPN, IPSec, Tinc, Freelan, MACsec, and WireGuard.
|
||||
Their analysis focuses on point-to-point protocol performance---throughput,
|
||||
latency, and CPU overhead---rather than overlay network behavior.
|
||||
Their analysis focuses on point-to-point protocol performance; throughput,
|
||||
latency, and CPU overhead; rather than overlay network behavior.
|
||||
In contrast, this thesis evaluates VPNs that provide a full data plane
|
||||
with peer-to-peer connectivity, NAT traversal, and dynamic peer discovery.
|
||||
|
||||
|
||||
\subsection{Full-Mesh VPN Performance Evaluation}
|
||||
|
||||
Kjorveziroski et al.\ \cite{kjorveziroski_full-mesh_2024} provide a
|
||||
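Review bot: The paired semicolons around "throughput, latency, and CPU overhead" break the sentence, because the text after the second one ("rather than overlay network behavior") is not an independent clause. Parentheses keep the aside without dashes: "point-to-point protocol performance (throughput, latency, and CPU overhead) rather than overlay network behavior". While touching this paragraph, "IPSec" in the line above is conventionally written "IPsec".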
@@ -388,4 +390,3 @@ This thesis extends their work in several ways:
|
||||
\item Fully reproducible experimental framework via Nix/NixOS/Clan
|
||||
\end{itemize}
|
||||
|
||||
|
||||
|
||||