1 / 58

QoS and security - using traditional services for new ends

QoS and security - using traditional services for new ends. Henning Schulzrinne Dept. of Computer Science Columbia University. Overview. Some impolite remarks about network research and QoS QoS challenges in real networks: NATs and firewalls DOS reliability Permission-based networking

byron-maynard
Download Presentation

QoS and security - using traditional services for new ends

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. QoS and security - using traditional services for new ends Henning Schulzrinne Dept. of Computer Science Columbia University QoSIP - Catania

  2. Overview • Some impolite remarks about network research and QoS • QoS challenges in real networks: • NATs and firewalls • DOS • reliability • Permission-based networking • GIMPS: next steps in signaling QoSIP - Catania

  3. Impolite remarks on QoS and network research QoSIP - Catania

  4. Lifecycle of technologies traditional technology propagation: military corporate consumer opex/capex doesn’t matter; expert support capex/opex sensitive, but amortized; expert support capex sensitive; amateur Can I afford it? Can it be done? Can my mother use it? QoSIP - Catania

  5. Networking research is fashion-driven workshop white paper DARPA, NSF  $$ EU Nth framework trailing-edge research Sigcomm Infocom Mobicom ICNP secondary conferences networking courses First (European) workshop on X -- YAP on X mobile networks wireless ad-hoc, sensor ATM DQDB QoS active networks QoSIP - Catania

  6. What’s promising/interesting – two different axes: Intellectual merit  interesting analysis, broadly applicable, … Satisfies practical needs  may not be a scientific breakthrough Field has few grand challenges and metrics cf., speech understanding or face recognition Depends largely on external technology inputs faster CPUs, better optical gear, compression typical performance improvements in queueing: 20-50% Networking research impact on deployed systems and protocols? on understanding network behavior? on other papers? Which of the 10,000 QoS papers had real impact? What papers were responsible for most important networking advances? TCP , web?, email? Impact of network research QoSIP - Catania

  7. Maturing network research • Old questions: • Can we make X work over packet networks? • All major dedicated network applications (flight reservations, embedded systems, radio, TV, telephone, fax, messaging, …) are now available on IP • Can we get M/G/T bits to the end user? • Raw bits everywhere: “any media, anytime, anywhere” • New questions: • Dependency on communications  Can we make the network reliable? • Can non-technical users use networks without becoming amateur sys-admins?  auto/zeroconfiguration, autonomous computing, self-healing networks, … • Can we prevent social and financial damage inflicted through networks (viruses, spam, DOS, identity theft, privacy violations, …)? QoSIP - Catania

  8. Observations on network research • Frustration with inability to change network infrastructure in less than 10 -- 20 year horizons: • IPv6 • Layer-3 multicast • QoS • Security • Network research community has dismal track record for new applications • web, IM, P2P (Gnutella, BitTorrent), … vs. video-on-demand • Niche applications get disproportionate attention • active networks, ad-hoc networks, (structured) P2P • successful applications don’t care if they don’t scale • centralized IM & search, unstructured P2P, … • Disconnect from standardization • Few attempts to bring research work into standards bodies • Standards bodies slow to catch up (e.g., P2P) QoSIP - Catania

  9. Why do good ideas fail? • Research: O(.), CPU overhead • “per-flow reservation (RSVP) doesn’t scale”  not the problem • at least now -- routinely handle O(50,000) routing states • Reality: • deployment costs of any new L3 technology is probably billions of $ • Cost of failure: • conservative estimate (1 grad student year = 2 papers) • 10,000 QoS papers @ $20,000/paper  $200 million QoSIP - Catania

  10. Cause of death for the next big thing QoSIP - Catania

  11. QoS • QoS is meaningless to users • difficult to engineer service that is consistently poor, but usable • common QoS models now: • scavenger service (worse-than-best-effort)  self-protection • DiffServ on access routers and NAT boxes • care about service availability  reliability • but most commercial service is good enough for VoIP/video/… most of the time • charging model problem  users will arbitrage and buy basic quality except during congestion periods • see multi-homing vs. high-end providers • as more and more value depends on network services, can't afford random downtimes QoSIP - Catania

  12. hypothesis: “The success of a technology is inversely proportional to the number of papers published before its popularity.” ACM: 10,158 papers with QoS or “quality of service” in abstract IEEE: 7,297 papers real-time streaming video-on-demand  DVD via Netflix or TCP onto 200 GB hard disk bandwidth “too cheap to meter” undemocratic – some traffic is more equal than others reminds you of your mom: no, you can’t have that 10 Mb/s now socialist: administer scarcity - we like SUVs (or to drive 100 mph)! “risky scheme”: security only displacement applications (such as telephony) need QoS requires cooperation: edge-ISP, transit ISPs, end systems snake oil: add QoS, lose half your bandwidth Why did QoS (mostly) fail? QoSIP - Catania

  13. dishonesty: we only talk about the beneficiaries network has become harder to evolve: network address translation firewalls high packetization overhead (VPNs, IPv6) to be useful, has to be nearly universally supported (“no, you can’t make calls to AS 123”) network QoS vs. business class model: “coach is empty, please refund fare” currently, the ISP interface is IP and BGP – adding a third one is a big deal new Internet service model: TCP client (inside) – server (outside) exception: peer-to-peer on college campuses network to host: you first, no, you first failure of IP QoS  success ofMPLS more TE than QoS Why did QoS fail? (con’td) QoSIP - Catania

  14. Where did QoS technology succeed? • Edge network: • VLAN prioritization • 802.11e MAC layer priority • IP TOS byte (not quite DiffServ) – known since 1980s… • Docsis/PacketCable  application-initiated • Mostly deals with self-interference • No admission control • No authorization (except Docsis) QoSIP - Catania

  15. Network reliability • we don’t know precisely why network applications fails • components and backbones appear to pretty reliable • but we measured at 99.5% of usable time  far below 99.999% in telecom networks • lots of possible culprits, including DNS and carrier interconnects • temporary overloads • reduce operator errors • e.g., XCONF effort in IETF • inherently safe or fail-safe protocols? • faster convergence in routing protocols • BGP  up to 20-30 minutes! QoSIP - Catania

  16. New applications – need for QoS? • New bandwidth-intensive applications • Reality-based networking • (security) cameras • Distributed games often require only low-bandwidth control information • current game traffic ~ VoIP • Computation vs. storage vs. communications • communications cost has decreased less rapidly than storage costs • Emphasis on user control of communications • from anywhere, anytime, any media to where appropriate, my time, my media • Guess: #1 user-selected research problem: fix spam • #2: keep cell phone from ringing in the movie theater QoSIP - Catania

  17. New network architectures for security QoSIP - Catania

  18. Security challenges • DOS, security attacks  permissions-based communications • only allow modest rates without asking • effectively, back to circuit-switched • Higher-level security services  more application-layer access via gateways, proxies, … • User identity • problem is not availability, but rather over-abundance QoSIP - Catania

  19. Trustability: Internet decay • Decay of inner cities: small number of bad elements + lack of social controls and law enforcement • Small number of miscreants • “The bulk of U.S. spam is coming from a very limited set of IPs with high-bandwidth connections," said Alperovitch, who estimated that the high-volume spamming addresses number fewer than 10,000 and the number of spammers at less than 200.” (Informationweek, Aug. 2004) • Naïve users • with increasing firepower QoSIP - Catania

  20. Trustability problems • Traditional security didn’t solve user interface problem • is citi-bank.com my bank or phishing? • traditional firewall (crunchy outside, squishy inside) • fails with any content – even JPEGs aren’t safe • email usability rapidly decreasing • most spam proposals unlikely to work • notion of “global village” is an oxymoron • in a village, you know your neighbors • on-going approaches useful, but limited • conversion of protocols to secured versions (e.g., via TLS) • prevent source address spoofing • OS and application robustness against buffer overflow attacks • IETF MARID (SenderID, SPF, …) for email sender identification • DOS traceback • thus, may need to rethink network architecture QoSIP - Catania

  21. Trustability: A more polite Internet • introduce yourself first • “shoot first, ask later” (Bush) • “ask first, shoot later” (Kerry) yes, up to 10 kb/s may I send? • limits large-scale DDOS • more circuit-oriented • may get permission slip for future use QoSIP - Catania

  22. Restoring the village part of the global village • It’s not what you know, it’s who you know • Authentication works only if addresses can be recognized by policy or human • Doesn’t work well for first-time contacts  much of communications • won’t be fixed by SPF and SenderID • Need to leverage indirect knowledge • our approach: social networks for recognizing users in SIP systems • leverage knowledge across media: visiting web page enables receipt of email from related address  make phishing more difficult QoSIP - Catania

  23. GIMPS – a modular data plane signaling protocol (with Robert Hancock, Hannes Tschofenig, S. van den Bosch, G. Karagiannis, A. McDonald, X. Fu and others) QoSIP - Catania

  24. Overview • Signaling: application vs. data plane • Resource control • DiffServ vs. IntServ • What’s wrong with RSVP? • Components of a general solution • NSIS = NTLP (GIMPS) + {NSLP}+ • Route change detection QoSIP - Catania

  25. Signaling – the big picture SIP proxy server session signaling off-path NE off-path signaling data AS#2 AS#1 on-path signaling datapath signaling QoSIP - Catania

  26. Need for data plane state establishment • Differentiated treatment of packets • QoS • firewall (loss = 100% vs. loss = 0%) • Mapping state • network address translation (NAT) • Counting packets • accounting • Other state establishment • setting up active network capsules • MPLS paths • pseudo-wire emulation (PWE) – T1 over IP • Related: visit subset of data path nodes, but don’t leave state behind • diagnostics  better traceroute • link speeds, load, loss, packet treatment, … QoSIP - Catania

  27. On-path vs. off-path signaling • On-path (path-coupled): visit subset of routers on data path • Off-path (path-decoupled): anything else, but presumably roughly along data path • one proposal: one “touch point” for each AS • bandwidth broker • difficult part is resource tracking, not signaling • No fundamental differences in protocol  separate out next-hop discovery to allow re-use QoSIP - Catania

  28. Differentiated packet handling • Not just QOS, but also • firewall • network address translation • accounting and measurement filter management IntServ DiffServ traffic shaping, handling & measurement traffic filtering QoSIP - Catania

  29. DiffServ  IntServ • Filter always uses packet characteristic • 5-tuple (protocol, source/destination address + port) + global label (TOS) • multiple “flows” can be mapped to one treatment mechanism QoSIP - Catania

  30. The scaling bogeyman It doesn’t scale! • Networks routinely handle large-scale per-flow state • firewalls • NATs • scaling = cost per flow is constant (or decreasing) • flow numbers are modest: • OC-48 can handle 31,875 DS-0 voice calls • Mean call duration = 9 min  60 requests/second • probably about 3 MB of data • partially explained by poor initial RSVP explanations • where flow search time ~ O(N) rather than O(1) • likely limitations are in AAA, not router signaling QoSIP - Catania

  31. RSVP characteristics • soft-state = state vanishes if not refreshed • two-pass signaling = path discovery + reservation • receiver-based resource reservation • separation of QoS signaling from routing • with some router feedback QoSIP - Catania

  32. The problem with RSVP • Designed for QoS establishment, used mostly for other things (RSVP-TE) • Designed for large-scale IP multicast  customer never materialized • adds significant complexity: • receiver-based  PATH + RESV • designed for ASM (any-source) rather than SSM (source-specific) • receiver-based motivated by receiver diversity – not very useful in practice • Designed in simpler days (1997): • does not work well with mobile nodes (IP mobility or changing IP addresses) • no support for NATs • security mostly bolted on – non-standard mechanisms • single-purpose, with no clear extensibility model • very primitive transport mechanism • either refresh or exponential decay (refresh reduction, RFC 2961) QoSIP - Catania

  33. The cost of multicast for RSVP • reservation styles • multiple senders in same group: shared vs. distinct • sender selection: explicit vs. wildcard • receiver-oriented • motivated by heterogeneous • can do leaf-initiated join rather than root-initiated • but still need periodic PATH to visit new sub-tree • three different flow specs • Sender_TSpec, ADSpec, (TSpec, RSpec) • fairly tightly woven into core protocol • state merging and management • killer reservation (KR-II) • generally, error handling problematic 60 20 60 30 20 10 20 40 60 20 60 ResvErr! 20 10 40 60 draft-fu-rsvp-multicast-analysis QoSIP - Catania

  34. IETF NSIS working group • chartered in Dec. 2001, after BOF in March 2001 • Motivated by Braden’s two-layer model (draft-lindell-waypoint, draft-braden-2level-signal-arch) • Active participation from Roke Manor, Siemens, NEC Europe, Nokia, Samsung, Columbia • Based partially on CASP protocol designed by Columbia/Siemens group and prototyped at UKy QoSIP - Catania

  35. client layer does the real work: reserve resources open firewall ports … messaging layer: establishes and tears down state negotiates features and capabilities transport layer: reliable transport NSIS protocol structure NSLP (C) QoS, NAT/FW, … NTLP (GIMPS) GIMPS transport layer UDP, TCP, SCTP IP router alert QoSIP - Catania

  36. Network friendly congestion-controlled re-use of state across applications application-neutral add more applications later transport neutral any reliable protocol initially, TCP and SCTP also, UDP for initial probing policy neutral no particular AAA policy or protocol interaction with COPS, DIAMETER needs work soft state per-node time-out explicit removal of state extensible data format negotiation NSIS properties QoSIP - Catania

  37. Topology hiding not recommended, but possible Light weight implementation complexity security associations (re-use) may not need kernel implementation NSIS properties, cont'd. QoSIP - Catania

  38. What is GIMPS? • Genericsignaling transport service • establishes state along path of data • one sender, typically one receiver • can be multiple receivers  multicast (not in initial version) • can be used for QoS per-flow or per-class reservation • but not restricted to that • avoid restricting users of protocol (and religious arguments): • sender vs. receiver orientation • more or less closely tied to data path • initially, router-by-router (path-coupled) • later, network (AS) path (path-decoupled) QoSIP - Catania

  39. NSIS network model – path-coupled • NTLP nodes form NTLP chain • not every node processes all client protocols: • non-NTLP node: regular router • omnivorous: processes all NTLP messages • selective: bypassed by NTLP messages with unknown client protocols selective NTLP chain QoS QoS QoS midcom omnivorous QoSIP - Catania

  40. Network model – path-decoupled • Also route network-by-network • can combine router-by-router with out-of-path messaging Bandwidth broker NAC NTLP AS15465 AS17 AS 1249 data QoSIP - Catania

  41. GIMPS messages • Regular NTLP messages • establish or tear down state • carry client protocol • datagram (“D”) or connection (“C”) mode • Hop-by-hop reliability • Generated by any node along the chain QoSIP - Catania

  42. Most signaling messages are small and infrequent but: not all applications  e.g., mobile code for active networks digital signatures re-"dialing" when resources are busy Need: reliability  to avoid long setup delays flow control  avoid overloading signaling server congestion control  avoid overloading network fragmentation of long signaling messages in-sequence delivery  avoid race conditions transport-layer security  integrity, privacy This defines standard reliable transport protocols: TCP SCTP Avoid re-inventing wheel  see SIP experience NSIS transport protocol usage QoSIP - Catania

  43. GIMPS transport protocol usage • One transport connection  many NSLP sessions • may use multiple TCP/SCTP ports • can use TLS for transport-layer security • compared to IPsec, well-exercised key establishment • not quite clear what the principal is • re-use of transport  • no overhead of TCP and SCTP session establishment • avoid TLS session setup • better timer estimates • SCTP avoids HOL blocking QoSIP - Catania

  44. Message forwarding • Route stateless or state-full: • stateless: record route and retrace • state-full: based on next-hop information in ‘C’ node • Destination: • address  look at destination address • address + record  record route • route  based on recorded route • state forward  based on next-hop state • state backward  based on previous-hop state • State: • no-op  leave state as is • ADD  add message (and maybe client) state • DEL  delete message state QoSIP - Catania

  45. Message format common header • No GIMPS distinction between requests and responses • just routed in different directions • client protocol may define requests and responses • Common header defines: • destination flag • state flag • session identifier • traffic selector: identify traffic "covered" by this session • message sequence number • response sequence number • message cookie  avoid IP address impersonation • origin address  may not be data source or sink • destination address or scope extensions client protocol data QoSIP - Catania

  46. Message format, cont'd • Limit session lifetime • Avoid loops  hop counter • Mobility: • dead branch removal flag • branch identifier • Record route: gathers up addresses of NSIS nodes visited • Route: addresses that NSIS message should visit QoSIP - Catania

  47. Capability negotiation • NSIS has named capabilities • including client protocols • Three mechanisms: • discovery: count capabilities along a path • "10 out of 15 can do QoS" • record: record capabilities for each node • require: for scout message, only stop once node supports all capabilities (or-of-and) • avoid protocol versioning QoSIP - Catania

  48. Next-hop discovery • scout messages are special NSIS messages • limited < MTU size • addressed to session destination • UDP with router alert option  get looked at by each router • reflected when matching NSIS node found next IP hop NSIS-aware? existing transport connection? Y Y done N N use D mode to find next NSIS hop establish transport connection QoSIP - Catania

  49. Mobility and route changes • avoids session identification by end point addresses • avoid use of traffic selector as session identifier • remove dead branch DEL (B=2) discovers new route on refresh B=1 ADD B=2 QoSIP - Catania

  50. QoS-NSLP: resource reservation • NSLP for signaling QoS reservations in the Internet • both sender- and receiver-initiated reservations • soft-state • peer-to-peer signaling and refresh (rather than end-to-end) • bundled sessions (e.g., video + audio) • agnostic about QoS models (IntServ, DiffServ, RMD, …) QoSIP - Catania

More Related