Improved writing
@@ -10,9 +10,9 @@ realistic conditions are scarce.
|
|||||||
|
|
||||||
This thesis addresses that gap. We benchmark ten peer-to-peer VPN
|
This thesis addresses that gap. We benchmark ten peer-to-peer VPN
|
||||||
implementations across seven workloads and four network impairment
|
implementations across seven workloads and four network impairment
|
||||||
profiles, producing over 300 unique measurements. We complement these
|
profiles. We complement these performance benchmarks with a source
|
||||||
performance benchmarks with a source code analysis of each
|
code analysis of each implementation, verified by the respective
|
||||||
implementation, verified by the respective maintainers. The entire
|
maintainers. The entire
|
||||||
experimental framework is built on Nix, NixOS, and the Clan deployment
|
experimental framework is built on Nix, NixOS, and the Clan deployment
|
||||||
system, so every result is independently reproducible.
|
system, so every result is independently reproducible.
|
||||||
|
|
||||||
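Review bot: the rewritten abstract drops "producing over 300 unique measurements", which was the only concrete statement of how large the benchmark is. The same figure is removed from the contributions list later in this commit, so the change is consistent, but if it was dropped because the count is stale, replace it with the current number rather than leaving the abstract with no sense of scale; if it was dropped to avoid overclaiming, keep the removal. Also, the rewrapped line "maintainers. The entire" is a stub: reflow the paragraph so "The entire experimental framework ..." starts a full line.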
@@ -20,10 +20,10 @@ system, so every result is independently reproducible.
|
|||||||
|
|
||||||
Peer-to-peer architectures can provide censorship-resistant,
|
Peer-to-peer architectures can provide censorship-resistant,
|
||||||
fault-tolerant infrastructure because they have no single point of
|
fault-tolerant infrastructure because they have no single point of
|
||||||
failure \cite{shukla_towards_2021}. IoT edge computing, content
|
failure \cite{shukla_towards_2021}. Blockchain platforms like Ethereum
|
||||||
delivery networks, and blockchain platforms like Ethereum all rely on
|
depend on this property, as do IoT edge networks and content delivery
|
||||||
some form of peer-to-peer topology. But these benefits only hold when
|
systems. But these benefits only hold when nodes are spread across
|
||||||
nodes are spread across diverse hosting entities.
|
diverse hosting entities.
|
||||||
|
|
||||||
In practice, this diversity remains illusory.
|
In practice, this diversity remains illusory.
|
||||||
Amazon, Hetzner, and OVH collectively host 70\% of all Ethereum nodes
|
Amazon, Hetzner, and OVH collectively host 70\% of all Ethereum nodes
|
||||||
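Review bot: the rewrite changes what is claimed about the three example systems. The old sentence said IoT edge computing, CDNs and Ethereum "rely on some form of peer-to-peer topology"; the new one says they "depend on this property", i.e. on having no single point of failure, which is a stronger claim and a doubtful one for content delivery systems, which are usually centrally operated even when their edge is distributed. Suggest keeping the weaker wording, e.g. "Blockchain platforms like Ethereum are built on peer-to-peer topologies, as are many IoT edge networks and content delivery systems." Leading with Ethereum does set up the hosting-concentration figure in the next paragraph well; make sure that 70\% line carries its \cite, since none is visible on it here.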
@@ -64,8 +64,9 @@ consumer-grade NAT can therefore participate as a first-class peer
|
|||||||
in a distributed system.
|
in a distributed system.
|
||||||
|
|
||||||
The Clan deployment framework uses Nix and NixOS to eliminate
|
The Clan deployment framework uses Nix and NixOS to eliminate
|
||||||
configuration drift and dependency conflicts. The result is that a
|
configuration drift and dependency conflicts, which makes it
|
||||||
single administrator can reliably self-host distributed services.
|
practical for a single administrator to self-host distributed
|
||||||
|
services.
|
||||||
Overlay VPNs are central to Clan's architecture: they supply the
|
Overlay VPNs are central to Clan's architecture: they supply the
|
||||||
peer connectivity that lets nodes form a network regardless of
|
peer connectivity that lets nodes form a network regardless of
|
||||||
physical location or NAT situation.
|
physical location or NAT situation.
|
||||||
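Review bot: "eliminate configuration drift and dependency conflicts" overstates what Nix gives you. Pinned inputs and a declarative system closure remove drift in the parts Nix manages, but state outside the store (secrets, databases, anything written under /var) can still diverge between hosts, and the contributions list in this same commit relies on deterministic key generation precisely because key material is not covered by the closure. Suggest "largely eliminate" or "eliminate drift in the declaratively managed configuration". The added paragraph break before "Overlay VPNs are central ..." is an improvement.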
@@ -84,19 +85,21 @@ than systematic evaluation, which motivated the present work.
|
|||||||
Existing research offers only partial coverage of this space.
|
Existing research offers only partial coverage of this space.
|
||||||
Lackorzynski et al.\ \cite{lackorzynski_comparative_2019} benchmark
|
Lackorzynski et al.\ \cite{lackorzynski_comparative_2019} benchmark
|
||||||
OpenVPN, IPSec, Tinc, Freelan, MACsec, and WireGuard in the context
|
OpenVPN, IPSec, Tinc, Freelan, MACsec, and WireGuard in the context
|
||||||
of industrial communication systems, measuring point-to-point
|
of industrial communication systems. They measure point-to-point
|
||||||
throughput, latency, and CPU overhead. Their work does not address
|
throughput, latency, and CPU overhead but do not address overlay
|
||||||
overlay network behavior such as NAT traversal or dynamic peer discovery.
|
network behavior such as NAT traversal or dynamic peer discovery.
|
||||||
The most closely related study by Kjorveziroski et al.\
|
The most closely related study by Kjorveziroski et al.\
|
||||||
\cite{kjorveziroski_full-mesh_2024} evaluates full-mesh VPN solutions
|
\cite{kjorveziroski_full-mesh_2024} evaluates full-mesh VPN solutions
|
||||||
for distributed systems, analyzing throughput, reliability under packet
|
for distributed systems, looking at throughput, reliability under
|
||||||
loss, and relay behavior for VPNs including ZeroTier. However, it
|
packet loss, and relay behavior for VPNs including ZeroTier. However,
|
||||||
focuses primarily on solutions with a central point of failure and
|
it focuses primarily on solutions with a central point of failure and
|
||||||
limits its workloads to synthetic iperf3 tests. This thesis extends
|
limits its workloads to synthetic iperf3 tests.
|
||||||
that work: it evaluates a broader set of VPN implementations with
|
|
||||||
emphasis on fully decentralized architectures, tests them under
|
This thesis extends that work in several directions. It evaluates a
|
||||||
application-level workloads (video streaming, package downloads),
|
broader set of VPN implementations with emphasis on fully
|
||||||
applies multiple network impairment profiles, and provides a
|
decentralized architectures and tests them under application-level
|
||||||
|
workloads such as video streaming and package downloads. It also
|
||||||
|
applies multiple network impairment profiles and provides a
|
||||||
reproducible experimental framework built on Nix, NixOS, and Clan.
|
reproducible experimental framework built on Nix, NixOS, and Clan.
|
||||||
|
|
||||||
A secondary goal was to create an automated benchmarking framework
|
A secondary goal was to create an automated benchmarking framework
|
||||||
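Review bot: "looking at throughput, reliability under packet loss, and relay behavior" reads conversationally for a thesis; the previous "analyzing" (or "measuring") matches the register of the surrounding sentences, compare "They measure point-to-point throughput ..." two sentences earlier. Two smaller points in the same hunk: "IPSec" on the unchanged context line should be "IPsec", the spelling used by the RFCs; and the split now ends one paragraph with "provides a reproducible experimental framework built on Nix, NixOS, and Clan" immediately before "A secondary goal was to create an automated benchmarking framework", so the framework is introduced twice in a row; consider folding the second sentence into the first or moving the secondary-goal paragraph.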
@@ -111,17 +114,16 @@ This thesis makes the following contributions:
|
|||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item A benchmark of ten peer-to-peer VPN implementations across
|
\item A benchmark of ten peer-to-peer VPN implementations across
|
||||||
seven workloads (including video streaming and package downloads)
|
seven workloads and four network impairment profiles. The workloads
|
||||||
and four network impairment profiles, with over 300 unique
|
include video streaming and package downloads alongside synthetic
|
||||||
measurements.
|
throughput tests.
|
||||||
\item A source code analysis of all ten VPN implementations. Manual
|
\item A source code analysis of all ten VPN implementations. Manual
|
||||||
code review was combined with LLM-assisted analysis and the results
|
code review was combined with LLM-assisted analysis and the results
|
||||||
were verified by the respective maintainers on GitHub.
|
were verified by the respective maintainers on GitHub.
|
||||||
\item A reproducible experimental framework built on Nix, NixOS,
|
\item A reproducible experimental framework built on Nix, NixOS,
|
||||||
and the Clan deployment system. All dependencies are pinned,
|
and the Clan deployment system. Dependencies are pinned and system
|
||||||
system configuration is declarative, and cryptographic material
|
configuration is declarative, down to deterministic cryptographic
|
||||||
is generated deterministically, so every result can be
|
material generation. Every result can be independently replicated.
|
||||||
independently replicated.
|
|
||||||
\item A performance analysis showing that Tailscale outperforms the
|
\item A performance analysis showing that Tailscale outperforms the
|
||||||
Linux kernel's default networking stack under degraded conditions,
|
Linux kernel's default networking stack under degraded conditions,
|
||||||
and that kernel parameter tuning (Reno congestion control in place
|
and that kernel parameter tuning (Reno congestion control in place
|
||||||
|
|||||||
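Review bot: "down to deterministic cryptographic material generation" should say what that means for the security of the testbed. Deriving keys deterministically is what makes the runs replicable, but it also means every key in the benchmark is predictable from the repository, so the text should state that the generated material is for the reproducible experiment only and must never be reused for a deployed Clan network; as written, a reader could take deterministic key generation as a feature of the deployment system itself. Second, item 4 compares Tailscale against "the Linux kernel's default networking stack", which is not a like-for-like pair (a VPN versus a kernel); if the baseline is unencapsulated traffic with default kernel TCP settings, say so, e.g. "outperforms an unencapsulated baseline with default kernel settings".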