SocialVPN: Enabling wide-area collaboration with integrated social and overlay networks

Trusted collaborative systems require peers to be able to communicate over private, authenticated end-to-end channels. Network-layer approaches such as Virtual Private Networks (VPNs) exist, but require considerable setup and management which hinder the establishment of ad-hoc collaborative environments: trust needs to be established, cryptographic keys need to be exchanged, and private network tunnels need to be created and maintained among end users. In this paper, we propose a novel system architecture which leverages existing social infrastructures to enable ad-hoc VPNs which are self-configuring, self-managing, yet maintain security amongst trusted and untrusted third parties. The key principles of our approach are: (1) self-configuring virtual network overlays enable seamless bi-directional IP-layer connectivity to socially connected parties; (2) online social networking relationships facilitate the establishment of trust relationships among peers; and (3) both centralized and decentralized databases of social network relationships can be securely integrated into existing public-key cryptography (PKI) implementations to authenticate and encrypt end-to-end traffic flows. The main contribution of this paper is a new peer-to-peer overlay architecture that securely and autonomously creates VPN tunnels connecting social peers, where online identities and social networking relationships may be obtained from centralized infrastructures, or managed in a decentralized fashion by the peers themselves. This paper also reports on the design and performance of a prototype implementation that embodies the SocialVPN architecture. The SocialVPN router builds upon IP-over-P2P (IPOP) virtual networks and a PKI-based tunneling infrastructure, which integrates with both centralized and decentralized social networking systems including Facebook, the Drupal opensource content management system, and emailing systems with PGP support. We demonstrate our prototype’s ability to support existing, unmodified TCP/IP applications while transparently dealing with user connectivity behind Network Address Translators (NATs). We also present qualitative and quantitative analyses of functionality and performance based on wide-area network experiments using PlanetLab and Amazon EC2. 2009 Elsevier B.V. All rights reserved.