diff --git a/Chapters/Introduction.tex b/Chapters/Introduction.tex index eacaec3..032f5b4 100644 --- a/Chapters/Introduction.tex +++ b/Chapters/Introduction.tex @@ -10,9 +10,9 @@ realistic conditions are scarce. This thesis addresses that gap. We benchmark ten peer-to-peer VPN implementations across seven workloads and four network impairment -profiles, producing over 300 unique measurements. We complement these -performance benchmarks with a source code analysis of each -implementation, verified by the respective maintainers. The entire +profiles. We complement these performance benchmarks with a source +code analysis of each implementation, verified by the respective +maintainers. The entire experimental framework is built on Nix, NixOS, and the Clan deployment system, so every result is independently reproducible. @@ -20,10 +20,10 @@ system, so every result is independently reproducible. Peer-to-peer architectures can provide censorship-resistant, fault-tolerant infrastructure because they have no single point of -failure \cite{shukla_towards_2021}. IoT edge computing, content -delivery networks, and blockchain platforms like Ethereum all rely on -some form of peer-to-peer topology. But these benefits only hold when -nodes are spread across diverse hosting entities. +failure \cite{shukla_towards_2021}. Blockchain platforms like Ethereum +depend on this property, as do IoT edge networks and content delivery +systems. But these benefits only hold when nodes are spread across +diverse hosting entities. In practice, this diversity remains illusory. Amazon, Hetzner, and OVH collectively host 70\% of all Ethereum nodes 
@@ -64,8 +64,9 @@ consumer-grade NAT can therefore participate as a first-class peer in a distributed system. The Clan deployment framework uses Nix and NixOS to eliminate -configuration drift and dependency conflicts. The result is that a -single administrator can reliably self-host distributed services. +configuration drift and dependency conflicts, which makes it +practical for a single administrator to self-host distributed +services. Overlay VPNs are central to Clan's architecture: they supply the peer connectivity that lets nodes form a network regardless of physical location or NAT situation. 
@@ -84,19 +85,21 @@ than systematic evaluation, which motivated the present work. Existing research offers only partial coverage of this space. Lackorzynski et al.\ \cite{lackorzynski_comparative_2019} benchmark OpenVPN, IPSec, Tinc, Freelan, MACsec, and WireGuard in the context -of industrial communication systems, measuring point-to-point -throughput, latency, and CPU overhead. Their work does not address -overlay network behavior such as NAT traversal or dynamic peer discovery. +of industrial communication systems. They measure point-to-point +throughput, latency, and CPU overhead but do not address overlay +network behavior such as NAT traversal or dynamic peer discovery. The most closely related study by Kjorveziroski et al.\ \cite{kjorveziroski_full-mesh_2024} evaluates full-mesh VPN solutions -for distributed systems, analyzing throughput, reliability under packet -loss, and relay behavior for VPNs including ZeroTier. However, it -focuses primarily on solutions with a central point of failure and -limits its workloads to synthetic iperf3 tests. This thesis extends -that work: it evaluates a broader set of VPN implementations with -emphasis on fully decentralized architectures, tests them under -application-level workloads (video streaming, package downloads), -applies multiple network impairment profiles, and provides a +for distributed systems, looking at throughput, reliability under +packet loss, and relay behavior for VPNs including ZeroTier. However, +it focuses primarily on solutions with a central point of failure and +limits its workloads to synthetic iperf3 tests. + +This thesis extends that work in several directions. It evaluates a +broader set of VPN implementations with emphasis on fully +decentralized architectures and tests them under application-level +workloads such as video streaming and package downloads. It also +applies multiple network impairment profiles and provides a reproducible experimental framework built on Nix, NixOS, and Clan. 
A secondary goal was to create an automated benchmarking framework @@ -111,17 +114,16 @@ This thesis makes the following contributions: \begin{enumerate} \item A benchmark of ten peer-to-peer VPN implementations across - seven workloads (including video streaming and package downloads) - and four network impairment profiles, with over 300 unique - measurements. + seven workloads and four network impairment profiles. The workloads + include video streaming and package downloads alongside synthetic + throughput tests. \item A source code analysis of all ten VPN implementations. Manual code review was combined with LLM-assisted analysis and the results were verified by the respective maintainers on GitHub. \item A reproducible experimental framework built on Nix, NixOS, - and the Clan deployment system. All dependencies are pinned, - system configuration is declarative, and cryptographic material - is generated deterministically, so every result can be - independently replicated. + and the Clan deployment system. Dependencies are pinned and system + configuration is declarative, down to deterministic cryptographic + material generation. Every result can be independently replicated. \item A performance analysis showing that Tailscale outperforms the Linux kernel's default networking stack under degraded conditions, and that kernel parameter tuning (Reno congestion control in place
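Review bot: the rewrite of the opening paragraph (hunk @@ -10,9) removes the only statement of the benchmark's scale, "producing over 300 unique measurements", without replacing it, and the same figure is removed from the contributions list further down, so after this patch the introduction no longer tells the reader how large the measurement set is. If the count is no longer accurate, state the current number here or in the methodology chapter; if it is still accurate, keep it, since this is the sentence a reader uses to judge the size of the study. Minor: the new line "+maintainers. The entire" is three words long; reflow the paragraph so the line breaks fall evenly.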
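Review bot: in hunk @@ -20,10 the new sentence "Blockchain platforms like Ethereum depend on this property, as do IoT edge networks and content delivery systems" strengthens the original claim. The old text said these systems "rely on some form of peer-to-peer topology"; the new text says they depend on the censorship resistance and fault tolerance that come from having no single point of failure, which \cite{shukla_towards_2021} is only cited for in the preceding sentence and which is doubtful for content delivery systems, as those are usually centrally operated. Suggest "Blockchain platforms like Ethereum, IoT edge networks, and content delivery systems all build on some form of peer-to-peer topology." or a citation per class of system. Moving Ethereum to the front does read well with the 70\% hosting statistic that follows.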
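Review bot: in hunk @@ -84,19 "looking at throughput, reliability under packet loss, and relay behavior" is vaguer than the original "analyzing"; a related-work paragraph should say what the cited study actually did, so prefer "measuring" or "analyzing". Second, "workloads such as video streaming and package downloads" now implies an open-ended list where the original parenthetical "(video streaming, package downloads)" named exactly the two application-level workloads; if those are the only two among the seven, keep the closed list to avoid overclaiming. Splitting the Kjorveziroski comparison and the "This thesis extends that work" paragraph is a clear improvement.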
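Review bot: in hunk @@ -111,17 the third contribution now reads "system configuration is declarative, down to deterministic cryptographic material generation", which attaches key generation to declarativeness, but these are two different properties: declarative configuration describes what the system state is, deterministic key generation describes how secrets are derived so that a rerun yields the same keys. The original three-clause sentence ("All dependencies are pinned, system configuration is declarative, and cryptographic material is generated deterministically") kept them distinct and was clearer; suggest restoring it. Because deterministic generation of VPN key material is a reproducibility feature that would be a weakness in any real deployment, this item or the framework chapter should say explicitly that the generated keys exist only for the benchmark testbed. The first item also drops "with over 300 unique measurements"; if the figure is still correct it belongs in the contributions list.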