MPTCP Proxies & Anchors
draft_hampel_mptcp_proxies_anchors_00
Georg Hampel & Thierry Klein, Bell Labs – Alcatel-Lucent

MPTCP Network Functions on MPTCP Network Nodes
[Diagram: an Anchor sits between two MPTCP hosts, MPTCP on both sides; a Proxy sits between an MPTCP host and a TCP host, MPTCP on one side and plain TCP on the other]
• Protocol NAT
• Some BBM (break-before-make) mobility scenarios
• Incremental deployment
Examples for MPTCP Anchor
• Simultaneous mobility
• Mobility + firewall
[Diagram: in both examples two MPTCP hosts communicate through an Anchor, MPTCP on both sides]
Where will MPTCP NNs reside?
[Diagram: carrier/ISP network with an MPTCP NN behind the LTE eNodeB, one behind a femto cell and one behind a carrier Wi-Fi AP]
• In 3G/4G carrier networks for traffic offload
• Multiple MPTCP NNs may lie in a chain
Issues:
• MPTCP-related signaling with Proxies/Anchors
• Authentication between hosts and Proxies/Anchors
• Security
• Implementation
Implicit vs. Explicit Proxy/Anchor
Implicit Proxy / Implicit Anchor
[Diagram: the NN sits on the path between the hosts, MPTCP on the host side and TCP (Proxy) or MPTCP (Anchor) on the peer side]
• Deployment: Proxy/Anchor resides on the 3G/4G access network
• Authentication: implicit with access authentication
Explicit Proxy / Explicit Anchor
[Diagram: Explicit Proxy and Explicit Anchor between the hosts, same MPTCP/TCP arrangement]
• Deployment: anywhere
• Authentication: explicitly needed
Implicit Proxy (MPTCP-capable session initiator)
[Message sequence: MPTCP Host – MPTCP NN – MPTCP Host]
1. SYN +MP_CAP from the initiator; the NN adds +PROXY = 1 before forwarding
2. SYN-ACK from the peer without MP_CAP: the NN becomes MPTCP PROXY (MPTCP toward the initiator, TCP toward the peer)
3. ACK +MP_CAP
4. SEEK_ADDR
5. ADD_ADDR +JOIN = 0
6. SYN +MP_JOIN, SYN-ACK +MP_JOIN, ACK +MP_JOIN (additional subflow)
Implicit Anchor (MPTCP-capable session initiator)
[Message sequence: MPTCP Host – MPTCP NN – MPTCP Host]
1. SYN +MP_CAP
2. SYN-ACK +MP_CAP from the peer: the NN becomes MPTCP ANCHOR (MPTCP on both sides)
3. ACK +MP_CAP
4. SEEK_ADDR (on both sides)
5. ADD_ADDR +JOIN = 0 +Addr_ID = 255 (toward both hosts)
6. SYN +MP_JOIN, Addr_ID = X +ANCHOR = 1 to the anchor, forwarded as SYN +MP_JOIN, Addr_ID = X
7. SYN-ACK +MP_JOIN, Addr_ID = Y, forwarded through the anchor
8. ACK +MP_JOIN, forwarded through the anchor
Implicit Proxy Chains
[Message sequences: MPTCP Host – MPTCP NN – MPTCP NN – MPTCP Host]
Case 1: SYN +MP_CAP from the host, forwarded by the first NN with +MP_CAP +PROXY = 1; SYN-ACK from the peer without MP_CAP; ACK +MP_CAP. Second NN becomes PROXY; first NN: ANCHOR?
Case 2: SYN from the host without MP_CAP, first NN adds +MP_CAP +PROXY = 1; SYN-ACK +MP_CAP from the peer; ACK +MP_CAP. First NN becomes PROXY; second NN: ANCHOR?
Case 3: SYN from the host without MP_CAP, first NN adds +MP_CAP +PROXY = 1; SYN-ACK from the peer without MP_CAP, second NN adds +MP_CAP +PROXY = 1; ACK. Both NNs: PROXY?
Explicit Proxy/Anchor
• Explicit signaling: authentication + peer's IP address/port number
1. In-band MPTCP signaling: no extensible authentication possible → dismissed
2. Out-of-band MPTCP signaling: HTTPS? IPsec? Beyond scope of MPTCP? → not considered
3. Authentication via pre-shared keys: 32-bit host ID + MPTCP key derived from pre-shared keys + peer's IP/port = ~40 B (IPv6)
4. External signaling protocol: host + NN establish MPTCP key, host sends peer's IP/port
5. External protocol for signaling & traffic: transparent to MPTCP → not considered
Explicit Proxy, Authentication via Pre-Shared Keys
[Message sequence: MPTCP Host – MPTCP NN – MPTCP Host]
1. SYN +MP_CAP (keyA), host to NN
2. SYN-ACK +MP_CAP (keyN), NN to host
3. ACK +FWD_ADDR(IP, Prt), host to NN (4-way handshake between host and NN)
4. SYN +MP_CAP(keyA) +ANCHOR = 1, NN to peer (3-way handshake between NN and peer)
5. SYN-ACK from the peer without MP_CAP: the NN becomes MPTCP PROXY (MPTCP toward the host, TCP toward the peer)
6. ACK +MP_CAP() +PROXY = 1 on the host side; ACK on the peer side
7. SYN +MP_JOIN, SYN-ACK +MP_JOIN, ACK +MP_JOIN (additional subflow)
Explicit Anchor, Authentication via Pre-Shared Keys
[Message sequence: MPTCP Host – MPTCP NN – MPTCP Host]
1. SYN +MP_CAP (keyA), host to NN
2. SYN-ACK +MP_CAP (keyN), NN to host
3. ACK +FWD_ADDR(IP, Prt), host to NN (4-way handshake between host and NN)
4. SYN +MP_CAP(keyA) +ANCHOR = 1, NN to peer (3-way handshake between NN and peer)
5. SYN-ACK +MP_CAP(keyB) from the peer: the NN becomes MPTCP ANCHOR (MPTCP on both sides)
6. ACK +MP_CAP(keyB) +ANCHOR = 1 on the host side; ACK +MP_CAP(keyA, keyB) on the peer side
7. SYN +MP_JOIN, Addr_ID = X +ANCHOR = 1 to the anchor, forwarded as SYN +MP_JOIN, Addr_ID = X
8. SYN-ACK +MP_JOIN, Addr_ID = Y, forwarded through the anchor
9. ACK +MP_JOIN, forwarded through the anchor
Chain of Explicit Anchor/Proxy + Implicit Proxy, Authentication via Pre-Shared Keys
[Message sequence: MPTCP Host – Explicit MPTCP NN – Implicit MPTCP NN – MPTCP Host]
1. SYN +MP_CAP (keyA), host to explicit NN
2. SYN-ACK +MP_CAP (keyEN), explicit NN to host
3. ACK +FWD_ADDR(IP, Prt), host to explicit NN (4-way handshake)
4. SYN +MP_CAP(keyA) +ANCHOR = 1 from the explicit NN toward the peer; the implicit NN adds +MP_CAP(keyIN) +PROXY = 1 before forwarding (3-way handshake)
5. SYN-ACK from the peer: the explicit NN becomes ANCHOR, the implicit NN becomes PROXY
6. ACK +MP_CAP(keyIN) +PROXY = 1 +ANCHOR = 1; ACK +MP_CAP(keyA, keyIN)
7. SEEK_ADDR
8. ADD_ADDR, Addr_ID = X +JOIN = 0; ADD_ADDR, Addr_ID = 255 +JOIN = 0
Security – Explicit Proxy/Anchor
• Security problem in absence of proper authentication: a distributed-DoS attacker uses the proxy to hide its IP address
[Diagram: Attacker → MPTCP NN with IP_SRC = Attacker, IP_DST = Proxy; MPTCP NN → Victim with IP_SRC = Proxy, IP_DST = Victim]
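The pre-shared-key option (slide "Explicit Proxy, Authentication via Pre-Shared Keys") and the open-relay problem on this slide, as an added Python model that is not part of the draft: a proxy that only honours FWD_ADDR after a PSK-authenticated handshake. Assumptions of the example: keyA is HMAC-SHA256(PSK, hostID || nonce) truncated to 64 bits, the ACK's FWD_ADDR carries a tag over keyA, keyN, IP and port computed the same way, and the PSK table and names such as on_ack_fwd_addr are constructed here, since the draft does not specify the derivation.

```python
import hashlib, hmac, os, struct
# Constructed PSK table (assumption: provisioned out of band): 32-bit host ID -> pre-shared key.
PSK_TABLE = {0x00000001: b"constructed-psk-for-host-1"}

def mac64(psk: bytes, *parts: bytes) -> bytes:
    """64-bit tag, the size of an MPTCP key: HMAC-SHA256 truncated (an assumption of this example)."""
    return hmac.new(psk, b"".join(parts), hashlib.sha256).digest()[:8]

class ExplicitProxy:
    """Proxy side of the 4-way MP_CAP handshake: SYN(keyA) -> SYN-ACK(keyN) -> ACK +FWD_ADDR."""

    def __init__(self, psk_table):
        self.psk_table = psk_table
        self.sessions = {}   # host ID -> (keyA, keyN) of the pending handshake
        self.relayed = []    # (host ID, IP, port) the proxy agreed to open a TCP connection to

    def on_syn(self, host_id, nonce, key_a):
        """Accept the SYN only if keyA = mac64(PSK, hostID || nonce); answer with a fresh keyN."""
        psk = self.psk_table.get(host_id)
        if psk is None or not hmac.compare_digest(key_a, mac64(psk, struct.pack("!I", host_id), nonce)):
            return None                         # unknown host ID or wrong PSK: no SYN-ACK
        key_n = os.urandom(8)
        self.sessions[host_id] = (key_a, key_n)
        return key_n

    def on_ack_fwd_addr(self, host_id, ip, port, tag):
        """Honour FWD_ADDR only if the tag binds it to this handshake (keyA, keyN) under the PSK."""
        if host_id not in self.sessions:
            return False
        key_a, key_n = self.sessions.pop(host_id)   # one FWD_ADDR per handshake, no replay of the ACK
        expected = mac64(self.psk_table[host_id], key_a, key_n, ip.encode(), struct.pack("!H", port))
        if not hmac.compare_digest(tag, expected):
            return False                        # unauthenticated FWD_ADDR would turn the proxy into an open relay
        self.relayed.append((host_id, ip, port))  # here the proxy would send SYN +MP_CAP(keyA) +ANCHOR = 1
        return True

def host_handshake(proxy, host_id, psk, ip, port):
    """Legitimate host: derive keyA from the PSK, receive keyN, then send an authenticated FWD_ADDR."""
    nonce = os.urandom(8)
    key_a = mac64(psk, struct.pack("!I", host_id), nonce)
    key_n = proxy.on_syn(host_id, nonce, key_a)
    if key_n is None:
        return False
    tag = mac64(psk, key_a, key_n, ip.encode(), struct.pack("!H", port))
    return proxy.on_ack_fwd_addr(host_id, ip, port, tag)

def unauthenticated_attempt(proxy, host_id, ip, port):
    """Client without the PSK (the slide's attacker): random keyA, then a FWD_ADDR toward some victim."""
    key_n = proxy.on_syn(host_id, os.urandom(8), os.urandom(8))
    return key_n is not None and proxy.on_ack_fwd_addr(host_id, ip, port, os.urandom(8))
```

Without the tag check in on_ack_fwd_addr, any client that completes the SYN/SYN-ACK exchange could make the proxy open connections toward arbitrary addresses with the proxy's own source IP, which is exactly the diagram above.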
Simultaneous Mobility with (Implicit) Anchor
[Message sequence: MPTCP Host – MPTCP Anchor – MPTCP Host]
1. Traffic flows through the anchor
2. SYN +MP_JOIN answered with TCP RST, repeated on both sides while both hosts move
3. The anchor caches the SRC IP of each SYN +MP_JOIN it sees
4. SYN +MP_JOIN finally answered with SYN-ACK +MP_JOIN on both sides
Proxy Realization
• Proxy creates a logical MPTCP – TCP split connection
• Large number of connections: minimize cost-per-connection
  • Minimize cost if only one path → design implications!
  • Minimize buffer for multipath → design implications!
• Cost-vs-feature tradeoff
  • Mobility only → simple, low-cost implementation
  • Multipath → higher performance at higher price
MPTCP Re-Charter Proposal
• Proxies & Anchors
• Mobility