MPTCP Proxies & Anchors Georg Hampel & Thierry Klein Bell Labs – Alcatel-Lucent draft_hampel_mptcp_proxies_anchors_00


Page 1

MPTCP Proxies & Anchors

Georg Hampel & Thierry Klein, Bell Labs – Alcatel-Lucent

draft_hampel_mptcp_proxies_anchors_00

Page 2

MPTCP Network Functions on MPTCP Network Nodes

[Figure: a Proxy and an Anchor, each placed between two Hosts; link labels: MPTCP, TCP]

• Incremental deployment
• Protocol NAT
• Some BBM mobility scenarios

Page 3

Examples for MPTCP Anchor

[Figure: two panels, "Simultaneous Mobility" and "Mobility + Firewall"; node labels: Host, Anchor; link label: MPTCP]

Page 4

Where will MPTCP NNs reside?

[Figure: network diagram with three MPTCP NNs; labels: Femto, Carrier, Carrier, AP, ISP, eNodeB, LTE, Wi-Fi]

• In 3G/4G carrier networks for traffic offload
• Multiple MPTCP NNs may lie in a chain

Page 5

Issues:

• MPTCP-related signaling with Proxies/Anchors

• Authentication between hosts and Proxies/Anchors

• Security

• Implementation

Page 6

Implicit vs. Explicit Proxy/Anchor

Implicit Proxy / Implicit Anchor
• Deployment: Proxy/Anchor resides on 3G/4G access network
• Authentication: Implicit with access authentication

Explicit Proxy / Explicit Anchor
• Deployment: Anywhere
• Authentication: Explicitly needed

[Figure: four panels (Implicit Proxy, Implicit Anchor, Explicit Proxy, Explicit Anchor), each showing two Hosts; link labels: MPTCP, TCP]

Page 7

Implicit Proxy: MPTCP-capable Session Initiator

[Message sequence diagram. Nodes: MPTCP Host, MPTCP NN, MPTCP Host. Header labels: MPTCP, PROXY, TCP. Message labels as they appear on the slide:]

• SYN + MP_CAP
• SYN-ACK
• + MP_CAP + PROXY = 1
• ACK + MP_CAP
• SEEK_ADDR
• ADD_ADDR + JOIN = 0
• SYN + MP_JOIN
• SYN-ACK + MP_JOIN
• ACK + MP_JOIN

Page 8

Implicit Anchor: MPTCP-capable Session Initiator

[Message sequence diagram. Nodes: MPTCP Host, MPTCP NN, MPTCP Host. Header labels: MPTCP, ANCHOR, MPTCP. Message labels as they appear on the slide, in two groups:]

First group:
• SYN + MP_CAP
• SYN-ACK + MP_CAP
• ACK + MP_CAP
• SEEK_ADDR
• ADD_ADDR + JOIN = 0 + Addr_ID = 255
• SYN + MP_JOIN, Addr_ID=X
• SYN-ACK + MP_JOIN, Addr_ID=Y
• ACK + MP_JOIN

Second group:
• SEEK_ADDR
• ADD_ADDR + JOIN = 0 + Addr_ID = 255
• SYN + MP_JOIN, Addr_ID=X + ANCHOR = 1
• SYN-ACK + MP_JOIN, Addr_ID=Y
• ACK + MP_JOIN

Page 9

Implicit Proxy Chains

[Three message sequence diagrams, each with two MPTCP Hosts and two MPTCP NNs between them. Role and message labels as they appear on the slide:]

Diagram 1 (role labels: ANCHOR ?, ANCHOR ?, PROXY ?, PROXY)
• SYN + MP_CAP
• SYN-ACK
• + MP_CAP + PROXY=1
• ACK + MP_CAP

Diagram 2 (role label: PROXY)
• SYN
• SYN-ACK + MP_CAP
• ACK
• + MP_CAP
• + PROXY=1
• + MP_CAP

Diagram 3 (role label: PROXY ?)
• SYN
• SYN-ACK
• ACK
• + MP_CAP
• + PROXY=1 + MP_CAP
• + PROXY=1

Page 10

Explicit Proxy/Anchor

Explicit signaling: Authentication + Peer’s IP address/PortNo

1. In-band MPTCP signaling: No extensible authentication possible → dismissed

2. Out-of-band MPTCP signaling: HTTPS? IPsec? Beyond scope of MPTCP? → not considered

3. Authentication via pre-shared keys: 32-bit host ID + MPTCP key derived from pre-shared keys + Peer’s IP/Port = ~40B (IPv6)

4. External signaling protocol: Host + NN establish MPTCP key, host sends peer’s IP/port

5. External protocol for signaling & traffic: Transparent to MPTCP → not considered

Page 11

Explicit Proxy: Authentication via Pre-Shared Keys

[Message sequence diagram. Nodes: MPTCP Host, MPTCP NN, MPTCP Host. Header labels: MPTCP, PROXY, TCP. Annotations: 4-way handshake, 3-way handshake. Message labels as they appear on the slide:]

• SYN + MP_CAP (keyA)
• ACK + FWD_ADDR(IP, Prt)
• SYN + MP_JOIN
• SYN-ACK + MP_JOIN
• ACK + MP_JOIN
• SYN-ACK + MP_CAP (keyN)
• SYN + MP_CAP(keyA) + ANCHOR = 1
• SYN-ACK
• ACK + MP_CAP() + PROXY = 1
• ACK

Page 12

Explicit Anchor: Authentication via Pre-Shared Keys

[Message sequence diagram. Nodes: MPTCP Host, MPTCP NN, MPTCP Host. Header labels: MPTCP, ANCHOR, MPTCP. Annotations: 4-way handshake, 3-way handshake. Message labels as they appear on the slide:]

• SYN + MP_CAP (keyA)
• ACK + FWD_ADDR(IP, Prt)
• SYN-ACK + MP_CAP (keyN)
• SYN + MP_CAP(keyA) + ANCHOR = 1
• SYN-ACK + MP_CAP(keyB)
• ACK + MP_CAP(keyB) + ANCHOR = 1
• ACK + MP_CAP(keyA, keyB)
• SYN + MP_JOIN, Addr_ID=X
• SYN-ACK + MP_JOIN, Addr_ID=Y
• ACK + MP_JOIN
• SYN + MP_JOIN, Addr_ID=X + ANCHOR = 1
• SYN-ACK + MP_JOIN, Addr_ID=Y
• ACK + MP_JOIN

Page 13

Chain of Explicit Anchor/Proxy + Implicit Proxy: Authentication via Pre-Shared Keys

[Message sequence diagram. Nodes: MPTCP Host, Explicit MPTCP NN, Implicit MPTCP NN, MPTCP Host. Header labels: PROXY, ANCHOR. Annotations: 4-way handshake, 3-way handshake. Message labels as they appear on the slide:]

• SYN + MP_CAP (keyA)
• ACK + FWD_ADDR(IP, Prt)
• SYN-ACK + MP_CAP (keyEN)
• SYN + MP_CAP(keyA) + ANCHOR = 1
• + MP_CAP(keyIN) + PROXY = 1
• ACK + MP_CAP(keyIN) + PROXY = 1 + ANCHOR = 1
• ACK + MP_CAP(keyA, keyIN)
• SYN-ACK
• SEEK_ADDR
• ADD_ADDR, Addr_ID = X + JOIN = 0
• ADD_ADDR, Addr_ID = 255 + JOIN = 0

Page 14

Security - Explicit Proxy/Anchor

Security problem in absence of proper authentication: Distributed-DoS attacker uses proxy to hide its IP address

[Figure: Attacker, MPTCP NN, Victim. Packet from Attacker to the NN: IP_SRC = ATTACK, IP_DST = Proxy. Packet from the NN to Victim: IP_SRC = Proxy, IP_DST = VICTIM.]
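An added sketch (not taken from the slides or the draft) of the gate an explicit MPTCP NN needs so that it cannot serve as the address-hiding relay described above: the NN opens the second leg only when the FWD_ADDR request carries a tag computed with the host's pre-shared key. The slides do not specify the derivation; HMAC-SHA256 truncated to 64 bits, the tag field, and the names `PSK_TABLE`, `fwd_addr_tag` and `nn_authorize` are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed provisioning table: 32-bit host ID -> pre-shared key (assumption).
PSK_TABLE = {0x0A0B0C0D: b"constructed-psk-for-host-A"}


def fwd_addr_tag(psk, host_id, key_a, key_n, peer_ip, peer_port):
    """Assumed derivation (not specified on the slides): HMAC-SHA256 over the
    host ID, both 64-bit handshake keys and the requested peer address,
    truncated to 64 bits. Binding keyN makes a captured tag useless in a
    later handshake, assuming the NN picks a fresh keyN each time."""
    if len(key_a) != 8 or len(key_n) != 8:
        raise ValueError("MPTCP keys are 64 bits")
    msg = (struct.pack("!I", host_id) + key_a + key_n
           + ipaddress.ip_address(peer_ip).packed
           + struct.pack("!H", peer_port))
    return hmac.new(psk, msg, hashlib.sha256).digest()[:8]


def nn_authorize(host_id, key_a, key_n, peer_ip, peer_port, tag):
    """NN-side check run before opening the second leg to peer_ip:peer_port."""
    psk = PSK_TABLE.get(host_id)
    if psk is None:
        return False  # unknown host ID: refuse, so the NN is not an open relay
    try:
        expected = fwd_addr_tag(psk, host_id, key_a, key_n, peer_ip, peer_port)
    except (ValueError, struct.error):
        return False  # malformed key, address or port
    return hmac.compare_digest(expected, tag)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values (documentation IPv6 prefix 2001:db8::/32).
    hid, key_a, key_n = 0x0A0B0C0D, bytes(range(8)), bytes(range(8, 16))
    peer = "2001:db8::10"
    tag = fwd_addr_tag(PSK_TABLE[hid], hid, key_a, key_n, peer, 443)
    print("valid request:", nn_authorize(hid, key_a, key_n, peer, 443, tag))
    print("peer rewritten:", nn_authorize(hid, key_a, key_n, "2001:db8::66", 443, tag))
    print("replayed tag:", nn_authorize(hid, key_a, bytes(8), peer, 443, tag))
    print("unknown host:", nn_authorize(0xDEADBEEF, key_a, key_n, peer, 443, tag))
```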

Page 15

Simultaneous Mobility with (Implicit) Anchor

[Message sequence diagram. Nodes: MPTCP Host, MPTCP Anchor, MPTCP Host. Labels as they appear on the slide:]

• Traffic
• SYN + MP_JOIN
• TCP RST
• SYN + MP_JOIN
• TCP RST
• SYN + MP_JOIN
• SYN + MP_JOIN
• Caches SRC IP
• TCP RST
• Caches SRC IP
• TCP RST
• SYN + MP_JOIN
• SYN-ACK + MP_JOIN
• SYN-ACK + MP_JOIN

Page 16

Proxy Realization

Proxy creates logical MPTCP – TCP split connection

Large number of connections: Minimize cost-per-connection

• Minimize cost if only one path → Design implications!

• Minimize buffer for multipath → Design implications!

Cost-vs-Feature Tradeoff

• Mobility only → Simple, low-cost implementation

• Multipath → Higher performance at higher price

Page 17

MPTCP Re-Charter Proposal

1. Proxies & Anchors

2. Mobility