Application Scenarios

Here we describe a few useful applications of i3 and the OCALA proxy. These applications require no changes to the legacy applications, operating systems, NATs or firewalls.

Application Scenarios

Connecting to home machines

Most users today have problems connecting to their broadband-connected home machines from their workplace for two reasons:
  1. Changing IP address: Most ISPs change the IP address allocated to the machine periodically, some more frequently than others, and this is a hassle to most users trying to run some service on their host.
  2. NAT: A significant fraction of home routers also serve as NATs for security reasons. In such a case, since the address allocated to the host is essentially a locally valid address, it is not valid externally. Also, enabling an incoming connection through the NAT, requires special NAT configuration.
The first problem has to do with mobility, while the second problem has to with combining disparate address spaces. The solution using the i3 implementation is simple. The client proxy can be run on the home host which can insert public triggers under a dns name, say john.home.i3, in the Planetlab i3 infrastructure. Also, the remote machine also needs to run the client proxy. Once this done, all access on the remote machine to john.home.i3 will be redirected to the home machine. For details of how the client proxy works see here.

Secure Intranet Access

For security reasons, many organizations today resort to the draconian measure of setting up a firewall that filters outgoing connections and does not allow any incoming connections. Such measures make it hard for users to connect to their work machines from elsewhere. The security administration is not to blame here: there is no other feasible flexible alternative. The i3 implementation can be used for this scenario. A server proxy runs inside the organization and thus has unrestricted to all the intranet machines. This server proxy is set up to authenticate users connecting from home. This authentication requires a simple key management system. The firewall is configured to allow incoming access to the server proxy. This method offers a secure way of allowing Intranet access.

The following figures illustrate how such application is supported by i3. Consider a company, Acme, that wants to give access to its employees to the services and the resources on the intranet. To achieve this, Acme sets-up a machine S that runs the (see i3 server proxy module. The server proxy maintains a trigger (id, S) where it can be contacted by remote clients. Now, consider a remote client C that wants to access host H, with the DNS name, inside the firewall. Let (idC, C) be a trigger inserted by client C. Then the following sequence of steps take place:

Firewall Scenario
Note that the functionality provided by the setting in the figure above is similar to the functionality provided by a Virtual Private Network (VPN). However, our solution has two advantages over VPNs:
  1. In a VPN, once a client connects to an intranet, it will get an IP address on that intranet. But this means that if the client is infected, the client can potentially infect all machines on the intranet. To avoid this problem, many of the existing VPN solutions use firewalls to restrict the access of the remote clients, which can defeat the original propose of the VPN. In contrast, our solution makes it hard for an infected client to infect other machines on the intranet, since a virus or worm cannot use address scanning. This is because, as discussed here, the client proxy returns to the application a fake IP address that has only local meaning; this address has no relation with the real IP address of the destination. Furthermore any attempt of address scanning in the range used to allocate fake IP addresses can be easily detected as the client proxy knows exactly the fake addresses that are in use.
  2. A client can access multiple intranets at the same time. This is not possible in existing VPN solutions since a client can acquire only one IP address at a time.

Middle-box Applications

There are several interesting middle-box applications today: intrusion detection systems (like Bro), spam filtering (an application-level middle-box) etc. They however require access to the edge router of an organization etc, which is not always feasible. To make the deployment of middle-boxes more convenient, the routing flexibility of i3 can be used. The client proxy can be configured to redirect traffic through, say, a intrusion detection system, which would then monitor traffic. The key point to note here is that intrusion detection system can be running on any machine, in fact, it can even be running on different machines at different times. An implementation of the client proxy which allows re-direction through an intrusion detection system is in the works. This implementation will allow the user to interpose any middle-box to monitor the traffic of willing users (who run the client proxy).