Download PPT Version

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
Document related concepts

TV Everywhere wikipedia , lookup

Computer network wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

SIP extensions for the IP Multimedia Subsystem wikipedia , lookup

Computer security wikipedia , lookup

Distributed firewall wikipedia , lookup

Asynchronous Transfer Mode wikipedia , lookup

Net bias wikipedia , lookup

Lag wikipedia , lookup

RapidIO wikipedia , lookup

Serial digital interface wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Wireless security wikipedia , lookup

IEEE 1355 wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Real-Time Messaging Protocol wikipedia , lookup

Internet protocol suite wikipedia , lookup

Deep packet inspection wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

TCP congestion control wikipedia , lookup

Transcript 
Securely Enabling Intermediary-based
Transport Services
U. Blumenthal, I. Faynberg, S. Kasera,
S.Mizikovsky, G. Sundaram and T. Woo
Presented by Thomas Woo
Bell Labs, Lucent Technologies
Summary
 We provide motivations and problem statement of
securely enabling intermediary-based transport
services
 We present several concrete examples to highlight
the problem
 We invite discussions on further defining the
problem, and possible solutions
Motivation
 “Access’’ links mostly refer to wireless links
– 3G (UMTS, CDMA 2000)
– 802.11
– Satellite
but applies also to wireline links such as dialup and even cable
 These links exhibit many problems that affect end-to-end
transport-level performance
– High loss: up to 10-2
– High latency and variability of latency: up to 100s of ms
– Low bandwidth
– Variable bandwidth: adaptive multi-rate
– Intermittent connectivity: temporal signal lull due to mobility
Motivation (cont’d)
 Intermediary-based transport services can help
mitigate many transport-level problems of access
links
 Examples:
– TCP PEPs (RFC 3135)
– Triggers for Transport
Mobile
User
Server
Wireless
Access Link
Wired Network
Transport
Service
Intermediary
TCP Connection
Problem Statement
 To perform its function, an intermediary may need to:
– Signal to the end points
– Inspect or even modify the traffic sent between the end points
 Threats:
– An attacker can send bogus signals to end points
– Existing end-to-end security may be compromised
• An attacker can gain unauthorized access to end to end traffic
 Need to securely enable intermediary-based transport
services while minimizing impact on end-to-end security
– Solicitation and configuration of services
– Security relationships between end-points, intermediary
Solicitation and Configuration of Service
 Service discovery
– Especially important for mobile users
 Service consent
– End-points must consent to service offered
 Service configuration
– End-points, intermediary exchange parameters for
configuring services
 Transfer of state
– Transfer service related state from one intermediary to
another in the event of impending failure, load-balancing, or
due to user mobility
Security Relationships between
End-points, Intermediary
 Signaling aspect
– Establish security relationship between end-points and
intermediary
• Authenticate and authorize trusted intermediary
• One-to-one vs one-to-many
– Securely exchange control information
 Data aspect
– Securely reveal selected packet information to authorized
intermediaries for processing (inspection and/or modification as
authorized)
Example 1: TCP Enhancements
 Problem: Large wireless link delay variance causes
degradation in TCP throughput
 Solution: TCP PEP [RFC3135]
 Example: Ack Regulator [Mobicom 2002]
– regulate acks from mobile user at intermediary to account
for downlink delay variance
Mobile
User
Server
TCP
PEP
Wired Network
Data
Regulated Acks
Acks
TCP Connection
Example 1: TCP Enhancements (cont’d)
 Requirement: AR mechanism relies on TCP header
information
– TCP port numbers for flow identification
– TCP sequence number for ACK pacing
How do we securely enable TCP PEP service such as AR?
Example 2: Header Compression
 Problem: Access link bandwidth tends to be limited
 Solution: Header compression/decompression close
to access link with the help of an intermediary could
be used [RFC 1144, RFC 2507, RFC 3095, SRTP]
 An end-to-end IPsec tunnel between the two endpoints would prevent header compression at an
intermediate node
Can we support header compression and have good security
at the same time?
Example 3: Network-based Packet Filtering
 Problem: Spoofed IPsec packets to VPN client can consume valuable
transport resources, especially in bandwidth-limited wireless links
 Solution: Network-based packet filtering
 Issue: Client mobility requires dynamic configuration, invocation and
revocation of network-based filters
Attacker sends address-spoofed,
IPSec encrypted packets to mobile user
VPN
Client
Attacker
Enterprise
VPN Gateway
Wireless
Access Packet
Network Filter
End-to-End
IPSec Tunnel
Internet
Example 4: Triggers for Transport
 Problem: An access link can go up, go down and change rate
 Solution: TrigTran intermediary to notify transport end systems of
such events
 Issue: Such notifications should be performed in a secure manner
See next presentation
Issues to Explore in Architecture
 Characteristics of intermediary-based transport services
– Their need for packet processing and signaling
 Support for multiple intermediaries in an end-to-end path?
 One-to-one vs one-to-many security relationship
 Association of intermediary with “access” links
 How to minimize the impact on end-to-end security?
 Protocol Functions
– How to reliably and securely configure, invoke and revoke intermediarybased transport services from the end systems?
– How does the intermediary obtain the information needed to offer
services?
 Applicability of existing mechanisms, e.g., IKE for key exchange?
Conclusion
 Our draft:
– Describes the problem of securely enabling intermediary-based
transport services
– Identifies example scenarios
BackUps
TCP Enhancements
 Problem: Large wireless link delay variance causes
degradation in TCP throughput
TCP Enhancements (cont’d)
AR improves throughput significantly over Reno, Sack (up
to 50%)
Higher proportional improvement at smaller buffer size
AR throughput improvement robust against buffer size
Intuition
 TCP's window-based congestion control functions by estimating
the available bandwidth-delay product. A loss happens when
the congestion window exceeds the available bandwidth-delay
product (BDP)
 Large delay and/or rate variation causes the available BDP to
vary as well. Thus, TCP's window-based congestion control may
trigger a loss even when the congestion window is significantly
below the "average" BDP but larger than the instantaneous BDP
 If the instantaneous BDP shrinks by sufficiently large amount,
multiple packets can be lost at the same time, causing further
window backoff and even timeouts
Multimedia Packet Differentiation
 Example: Differentiated packet treatment based on
network congestion condition using multimedia transport
header [Keller et al (Infocom 2000)]
Video
Server
Video
Receiver
Congested Link
Packet
Filter
Drop Lower
Priority Layers
Multi-layer Video Unicast
Multimedia Packet Differentiation (cont’d)
No Differentiated Packet Treatment: plain queuing
High frequency subbands
Low frequency subbands
Differentiated Packet Treatment: dropping low priority layers
Grey level shows amount
of data received in 5 frames:
 white: nothing received
 black: everything received
time
Dramatic improvement in video quality
*slide is taken from Keller et. al.’s INFOCOM 2000 presentation
Multimedia Packet Differentiation (cont’d)
60
50
40
30
20
10
0
5000
4000
3000
2000
1000
kbps
PSNR
Reaction to bursts
Plain
Active
Burst
0
0
2
4
6
8 time 10
12
14
16
Plain – No differentiated packet filtering
Active – Differentiated dropping of low priority layers
Burst – Congestion burst
Header Compression Benefits
 TCP/IP headers reduced from 40 octets to 4 octets
(RFC 2507)
– 6% savings for 576 octet packets but 90% savings for ACK
only packets
 RTP/UDP/IP headers reduced from 40 bytes to 1
octet under steady state (RFC 3095)
– 65% savings for 60 octet speech packets
Related documents
TCP/IP Configuration
TCP/IP Configuration
CLIENT SERVER ARCHITECTURE
CLIENT SERVER ARCHITECTURE
How the Internet Works
How the Internet Works
Conclusions and project presentation - comp
Conclusions and project presentation - comp
Slides
Slides
Proposed Differentiated Services on the Internet
Proposed Differentiated Services on the Internet
Slide 1
Slide 1
Networking - Institute of Mathematics and Informatics
Networking - Institute of Mathematics and Informatics
TCP/IP Architecture TCP/IP ARCHITECTURE
TCP/IP Architecture TCP/IP ARCHITECTURE
Subject Description Form Subject Code EIE3333 Subject Title Data
Subject Description Form Subject Code EIE3333 Subject Title Data