
MPTCP Proxies & Anchors

Georg Hampel & Thierry Klein, Bell Labs – Alcatel-Lucent

draft-hampel-mptcp-proxies-anchors-00

MPTCP Network Functions on MPTCP Network Nodes

• Incremental deployment
• Protocol NAT
• Some BBM mobility scenarios

[Figure: the two MPTCP network functions. A Proxy sits between an MPTCP host and a TCP-only host, speaking MPTCP toward one host and plain TCP toward the other; an Anchor sits between two MPTCP hosts, speaking MPTCP on both sides.]

Examples for MPTCP Anchor

[Figure: two scenarios with an MPTCP NN acting as anchor between two hosts: "Simultaneous Mobility" and "Mobility + Firewall" (the latter with a femto cell on one side).]

Where will MPTCP NNs reside?

[Figure: candidate locations for MPTCP NNs: in the carrier network behind an LTE eNodeB, in a carrier Wi-Fi AP, and at an ISP.]

• In 3G/4G carrier networks for traffic offload
• Multiple MPTCP NNs may lie in a chain

Issues:

• MPTCP-related signaling with Proxies/Anchors

• Authentication between hosts and Proxies/Anchors

• Security

• Implementation

Implicit vs. Explicit Proxy/Anchor

Implicit Proxy / Implicit Anchor
  Deployment: Proxy/Anchor resides on 3G/4G access network
  Authentication: Implicit with access authentication

Explicit Proxy / Explicit Anchor
  Deployment: Anywhere
  Authentication: Explicitly needed

[Figure: for each of the four cases, the host-to-host path with MPTCP on the host side of the NN and TCP (proxy) or MPTCP (anchor) on the far side.]

Implicit Proxy, MPTCP-capable Session Initiator

[Figure: MPTCP Host – MPTCP NN (proxy) – TCP Host. Message sequence as recovered from the slide:
SYN + MP_CAP
SYN-ACK + MP_CAP + PROXY = 1
ACK + MP_CAP
SEEK_ADDR
ADD_ADDR + JOIN = 0
SYN + MP_JOIN
SYN-ACK + MP_JOIN
ACK + MP_JOIN]

Implicit Anchor, MPTCP-capable Session Initiator

[Figure: MPTCP Host – MPTCP NN (anchor) – MPTCP Host. Message sequence as recovered from the slide:
SYN + MP_CAP
SYN-ACK + MP_CAP
ACK + MP_CAP
SEEK_ADDR
ADD_ADDR + JOIN = 0 + Addr_ID = 255
SYN + MP_JOIN, Addr_ID = X
SYN-ACK + MP_JOIN, Addr_ID = Y
ACK + MP_JOIN
A second variant sets ANCHOR = 1 on the SYN + MP_JOIN, Addr_ID = X.]

Implicit Proxy Chains

[Figure: three sequences between two hosts through two MPTCP NNs, each NN initially unsure of its role ("PROXY ?", "ANCHOR ?"):
• SYN + MP_CAP / SYN-ACK + MP_CAP + PROXY = 1 / ACK + MP_CAP end to end;
• SYN / SYN-ACK + MP_CAP / ACK at the hosts, with MP_CAP and PROXY = 1 carried on the segment between the two NNs;
• plain SYN / SYN-ACK / ACK at the hosts, with MP_CAP + PROXY = 1 added in both directions on the segment between the two NNs.]

Explicit signaling: Authentication + Peer's IP address/Port No.

1. In-band MPTCP signaling: no extensible authentication possible → dismissed
2. Out-of-band MPTCP signaling: HTTPS? IPsec? Beyond scope of MPTCP? → not considered
3. Authentication via pre-shared keys: 32-bit host ID + MPTCP key derived from pre-shared keys + peer's IP/Port = ~40 B (IPv6)
4. External signaling protocol: host and NN establish MPTCP key; host sends peer's IP/Port
5. External protocol for signaling & traffic: transparent to MPTCP → not considered

Explicit Proxy/Anchor

Explicit Proxy, Authentication via Pre-Shared Keys

[Figure: MPTCP Host – explicit MPTCP NN (proxy) – TCP Host. Host side, 4-way handshake: SYN + MP_CAP(keyA); SYN-ACK + MP_CAP(keyN); ACK + FWD_ADDR(IP, Prt); the slide also shows the variants SYN + MP_CAP(keyA) + ANCHOR = 1 and ACK + MP_CAP() + PROXY = 1. TCP side, 3-way handshake: SYN; SYN-ACK; ACK. A further subflow is added with SYN + MP_JOIN / SYN-ACK + MP_JOIN / ACK + MP_JOIN.]

Explicit Anchor, Authentication via Pre-Shared Keys

[Figure: MPTCP Host – explicit MPTCP NN (anchor) – MPTCP Host. Initiator side, 4-way handshake: SYN + MP_CAP(keyA); SYN-ACK + MP_CAP(keyN); ACK + FWD_ADDR(IP, Prt); ACK + MP_CAP(keyA, keyB). Far side, 3-way handshake: SYN + MP_CAP(keyA) + ANCHOR = 1; SYN-ACK + MP_CAP(keyB); ACK + MP_CAP(keyB) + ANCHOR = 1. Subflows are then added with SYN + MP_JOIN, Addr_ID = X (optionally + ANCHOR = 1) / SYN-ACK + MP_JOIN, Addr_ID = Y / ACK + MP_JOIN.]

Chain of Explicit Anchor/Proxy + Implicit Proxy, Authentication via Pre-Shared Keys

[Figure: MPTCP Host – explicit MPTCP NN (anchor) – implicit MPTCP NN (proxy) – far host. Explicit NN side, 4-way handshake: SYN + MP_CAP(keyA); SYN-ACK + MP_CAP(keyEN); ACK + FWD_ADDR(IP, Prt); ACK + MP_CAP(keyA, keyIN). Between the explicit and the implicit NN: SYN + MP_CAP(keyA) + ANCHOR = 1; SYN-ACK + MP_CAP(keyIN) + PROXY = 1; ACK + MP_CAP(keyIN) + PROXY = 1 + ANCHOR = 1; then a 3-way handshake toward the far host. Address signaling: SEEK_ADDR; ADD_ADDR, Addr_ID = X + JOIN = 0; ADD_ADDR, Addr_ID = 255 + JOIN = 0.]

Security – Explicit Proxy/Anchor

Security problem in absence of proper authentication: a distributed-DoS attacker uses the proxy to hide its IP address.

[Figure: Attacker → MPTCP NN (proxy): IP_SRC = ATTACK, IP_DST = Proxy. MPTCP NN → Victim: IP_SRC = Proxy, IP_DST = VICTIM.]
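The following is an added example, not code from the draft or its authors, that models the explicit-proxy handshake of the previous slides (SYN + MP_CAP(keyA) / SYN-ACK + MP_CAP(keyN) / ACK + FWD_ADDR(IP, Prt)) and shows why the proxy must not open the TCP side until the host is authenticated. It assumes, beyond what the slides state, that MP_CAP carries the 32-bit host ID together with the key, that the key is HMAC-SHA256 over the host ID and the forwarded peer IP/port truncated to 64 bits (so the key is bound to the requested destination), and that messages are represented as Python dicts; the pre-shared keys and addresses are constructed for the example.

```python
"""Message-level model of an explicit MPTCP proxy with pre-shared-key
authentication (draft option 3).  Example code, not the draft's design:
the key derivation and message encoding below are this example's own."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed pre-shared keys, indexed by the 32-bit host ID the draft mentions.
PSK_TABLE = {0x0000_0001: b"constructed-psk-host-A"}


def derive_key(psk: bytes, host_id: int, peer_ip: str, peer_port: int) -> bytes:
    """64-bit MPTCP key derived from the PSK and bound to the forwarded
    destination (assumed derivation; the draft leaves it open)."""
    msg = host_id.to_bytes(4, "big") + peer_ip.encode() + peer_port.to_bytes(2, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()[:8]


@dataclass
class ExplicitProxy:
    """Proxy side of the 4-way MPTCP handshake from the slide."""
    psk_table: dict
    key_n: bytes = b"\x00" * 8           # proxy's own key; fixed for determinism
    pending: dict = field(default_factory=dict)    # flow -> claimed (host_id, keyA)
    tcp_opened: list = field(default_factory=list)  # TCP-side connections dialled

    def on_syn(self, flow, host_id: int, key_a: bytes) -> dict:
        """SYN + MP_CAP(keyA): remember the claim, answer SYN-ACK + MP_CAP(keyN)."""
        self.pending[flow] = (host_id, key_a)
        return {"type": "SYN-ACK", "MP_CAP": self.key_n}

    def on_ack_fwd_addr(self, flow, peer_ip: str, peer_port: int) -> dict:
        """ACK + FWD_ADDR(IP, Prt): verify the claim before dialling anyone."""
        if flow not in self.pending:
            return {"type": "RST", "reason": "no MP_CAP handshake for this flow"}
        host_id, key_a = self.pending.pop(flow)
        psk = self.psk_table.get(host_id)
        if psk is None:
            return {"type": "RST", "reason": "unknown host ID"}
        expected = derive_key(psk, host_id, peer_ip, peer_port)
        if not hmac.compare_digest(expected, key_a):
            return {"type": "RST", "reason": "MP_CAP key does not match PSK"}
        # Only an authenticated host reaches this point: the proxy now starts the
        # plain TCP 3-way handshake toward the requested peer with its own IP.
        self.tcp_opened.append((peer_ip, peer_port))
        return {"type": "TCP-SYN", "dst": (peer_ip, peer_port)}


def run_handshake(proxy: ExplicitProxy, host_id: int, key_a: bytes, peer) -> dict:
    """Drive one host-side handshake; return the proxy's reply to FWD_ADDR."""
    flow = (host_id, key_a, peer)          # stands in for the real 4-tuple
    syn_ack = proxy.on_syn(flow, host_id, key_a)
    assert syn_ack["type"] == "SYN-ACK"
    return proxy.on_ack_fwd_addr(flow, *peer)


def demo():
    """Authenticated host vs. two unauthenticated requests (constructed data)."""
    proxy = ExplicitProxy(PSK_TABLE)
    host_id, psk = 0x0000_0001, PSK_TABLE[0x0000_0001]
    wanted = ("192.0.2.10", 80)
    other = ("203.0.113.5", 443)
    good_key = derive_key(psk, host_id, *wanted)
    results = {
        # legitimate host, key bound to the destination it asks for
        "authenticated": run_handshake(proxy, host_id, good_key, wanted)["type"],
        # sender with no PSK at all: proxy refuses, dials nothing
        "unknown_host": run_handshake(proxy, 0xDEADBEEF, b"\x00" * 8, other)["type"],
        # a captured valid key reused for a different destination: refused
        "key_for_other_dst": run_handshake(proxy, host_id, good_key, other)["type"],
    }
    return results, proxy.tcp_opened


if __name__ == "__main__":
    print(demo())
```

Because the key is derived over the peer IP/port, a key seen for one destination cannot be reused to make the proxy dial another; replay toward the same destination would still need a fresh value such as keyN mixed into the derivation, which the 4-way handshake on the slide has room for but which this example does not add.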

Simultaneous Mobility with (Implicit) Anchor

[Figure: MPTCP Host – MPTCP Anchor – MPTCP Host, both hosts changing address while traffic flows. A SYN + MP_JOIN sent to a stale address is answered with TCP RST; the anchor caches the source IP of each SYN + MP_JOIN it sees, so the retried SYN + MP_JOIN can be completed with SYN-ACK + MP_JOIN on both sides.]

Proxy Realization

Proxy creates logical MPTCP – TCP split connection

Large number of connections: minimize cost-per-connection
• Minimize cost if only one path → design implications
• Minimize buffer for multipath → design implications

Cost-vs-Feature Tradeoff
• Mobility only → simple, low-cost implementation
• Multipath → higher performance at higher price

MPTCP Re-Charter Proposal

1. Proxies & Anchors

2. Mobility

Recommended