A social VPN is a virtual private network that is created among individual peers, automatically, based on relationships established by them through a social networking service. A social VPN aims at providing peer-to-peer (P2P) network connectivity between a user and his or her friends, in an easy to set up manner that hides from the users the complexity in setting up and maintaining authenticated/encrypted end-to-end VPN tunnels.
Architecture
[edit]An architecture of a social VPN is based on a centralized infrastructure where users authenticate, discover their friends and exchange cryptographic public keys, and a P2P overlay which is used to route messages between VPN endpoints.[1] For example, this allows an organization to have routed connections with separate offices, or with other organizations, over the Internet. A routed VPN connection across the Internet logically operates as a dedicated Wide Area Network (WAN) link.[2]
Packet capture and injection
[edit]A social VPN uses a virtual network interface (such as TUN/TAP devices in Windows and Unix systems) to capture and inject IP packets from a host. Once captured, packets are encrypted, encapsulated, and routed over an overlay network.
Security
[edit]A social VPN uses online social networks to distribute public keys and advertise node address to friends. The acquired public keys are used to establish encrypted communication between two endpoints. Symmetric keys are exchanged during the process of establishing an end-to-end link by two social VPN peers.
Routing
[edit]Routing in the social VPN is peer-to-peer. One approach that has been implemented uses a structured P2P system for sending IP packets encapsulated in overlay messages from a source to destination.
Private IP address space
[edit]A social VPN uses dynamic IP address assignment and translation to avoid collision with existing (private) address spaces of end hosts, and to allow the system to scale to the number of users that today's successful online social network services serve (tens of millions). Users are able to connect directly only to a small subset of the total number of users of such a service, where the subset is determined by their established relationships.
Naming
[edit]A social VPN uses names derived from the social network service to automatically assign host names to endpoints. These names are translated to virtual private IP addresses in the overlay by a loop-back DNS virtual server.
Related systems
[edit]- The MIT Unmanaged Internet Architecture[3] (UIA)provides ad hoc, zero-configuration routing infrastructure for mobile devices, but the ad hoc connections are not established through a social networking infrastructure.[4]
- "Friend Net" is a similar concept put forth in a 2002 blog entry.[5]
- Hamachi is a zero-configuration VPN which uses a security architecture different from that of social VPN.[6] The leafnetworks VPN also supports the creation of networks using the Facebook API.
Software
[edit]An open-source social VPN implementation based on the Facebook social network service and the Brunet P2P overlay is available for Windows and Linux systems under MIT license. It creates direct point-to-point secure connections between computers with the help of online social networks, and supports transparent traversal of NATs. It uses the P2P overlay to create direct VPN connections between pairs of computers (nodes). To establish a connection, two nodes advertise their P2P node address (as well as public keys for secure communication) to each other through an online social network. Once each node acquires the node address (and public keys) of the other node, an IP-to-nodeAddress mapping is created and IP packets can be routed through the VPN tunnel.
References
[edit]- ^ R. Figueiredo, P. O. Boykin, P. St. Juste, D. Wolinsky, "SocialVPNs: Integrating Overlay and Social Networks for Seamless P2P Networking", in Proceedings of IEEE WETICE/COPS, Rome, Italy, June 2008.
- ^ Technet Microsoft, Inc. "How VPN Works".
- ^ Unmanaged Internet Architecture
- ^ Bryan Ford, Jacob Strauss, Chris Lesniewski-Laas, Sean Rhea, Frans Kaashoek, and Robert Morris, "Persistent Personal Names for Globally Connected Mobile Devices", in Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI '06), Seattle, WA, November 2006.
- ^ Lucas Gonze "Friendnet", blog entry (2002-12-15). Retrieved on 2008-09-23.
- ^ LogMeIn Hamachi Security Architecture Archived 2007-09-27 at archive.today.