Design Issues for NSIS Signaling Protocols Henning Schulzrinne Columbia University NSIS working group meeting IETF 56 (March 2003,

Slides:



Advertisements
Similar presentations
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Advertisements

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis
CCNA – Network Fundamentals
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.
NSIS Transport Layer draft-ietf-nsis-ntlp-00.txt Slides:
Stream Control Transmission Protocol 網路前瞻技術實驗室 陳旻槿.
Network Architectures Week 3 Part 2. Comparing The Internet & OSI.
CASP – Cross- Application Signaling Protocol Henning Schulzrinne August 27, 2002.
Computer Networks Transport Layer. Topics F Introduction  F Connection Issues F TCP.
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
Trade-offs and open issues with path discovery and transport or not all requirements are orthogonal… Henning Schulzrinne Columbia University
 The Open Systems Interconnection model (OSI model) is a product of the Open Systems Interconnection effort at the International Organization for Standardization.
Gursharan Singh Tatla Transport Layer 16-May
1 Transport Layer Computer Networks. 2 Where are we?
CIS 725 Wireless networks. Low bandwidth High error rates.
The Design Space for NSIS Signaling Protocols Henning Schulzrinne Columbia University NSIS working group interim meeting February 2003,
Presentation on Osi & TCP/IP MODEL
March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
Jaringan Komputer Dasar OSI Transport Layer Aurelio Rahmadian.
Networks – Network Architecture Network architecture is specification of design principles (including data formats and procedures) for creating a network.
TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.
Introduction to Networks CS587x Lecture 1 Department of Computer Science Iowa State University.
1 Version 3.0 Module 11 TCP Application and Transport.
TCP : Transmission Control Protocol Computer Network System Sirak Kaewjamnong.
CS332, Ch. 26: TCP Victor Norman Calvin College 1.
Fundamentals of Computer Networks ECE 478/578 Lecture #19: Transport Layer Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.
Networked & Distributed Systems TCP/IP Transport Layer Protocols UDP and TCP University of Glamorgan.
ECE 526 – Network Processing Systems Design Networking: protocols and packet format Chapter 3: D. E. Comer Fall 2008.
NSIS IETF 56 MONDAY, March 17, 2003: Morning Session TUESDAY, March 18, 2003: Afternoon Sessions I.
NTLP Design Considerations draft-mcdonald-nsis-ntlp-considerations-00.txt NSIS Interim Meeting – Columbia University February 2003.
Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.
CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
Transport Layer COM211 Communications and Networks CDA College Theodoros Christophides
NTLP Design Considerations draft-mcdonald-nsis-ntlp-considerations-00.txt NSIS Interim Meeting – Columbia University February 2003.
Data Communications and Networks
4.1.4 multi-homing.
Lecture 4 Overview. Ethernet Data Link Layer protocol Ethernet (IEEE 802.3) is widely used Supported by a variety of physical layer implementations Multi-access.
Introducing a New Concept in Networking Fluid Networking S. Wood Nov Copyright 2006 Modern Systems Research.
Teacher:Quincy Wu Presented by: Ying-Neng Hseih
Optimization Problems in Wireless Coding Networks Alex Sprintson Computer Engineering Group Department of Electrical and Computer Engineering.
1 Transport Layer: Basics Outline Intro to transport UDP Congestion control basics.
4343 X2 – The Transport Layer Tanenbaum Ch.6.
IP1 The Underlying Technologies. What is inside the Internet? Or What are the key underlying technologies that make it work so successfully? –Packet Switching.
IETF 55 Nov A Two-Level Architecture for Internet Signaling draft-braden-2level-signal-arch-01.txt Bob Braden, Bob Lindell USC Information.
© 2002, Cisco Systems, Inc. All rights reserved..
11 CS716 Advanced Computer Networks By Dr. Amir Qayyum.
Chapter 9 The Transport Layer The Internet Protocol has three main protocols that run on top of IP: two are for data, one for control.
3. END-TO-END PROTOCOLS (PART 1) Rocky K. C. Chang Department of Computing The Hong Kong Polytechnic University 22 March
1 NSIS: A New Extensible IP Signaling Protocol Suite Myungchul Kim Tel:
The Transport Layer Implementation Services Functions Protocols
Chapter 9: Transport Layer
Instructor Materials Chapter 9: Transport Layer
Open issues with PANA Protocol
Next Generation: Internet Protocol, Version 6 (IPv6) RFC 2460
5. End-to-end protocols (part 1)
Long-haul Transport Protocols
PART 5 Transport Layer Computer Networks.
Understand the OSI Model Part 2
Magda El Zarki Professor, ICS UC, Irvine
Transport Layer Unit 5.
Process-to-Process Delivery:
The Design Space for NSIS Signaling Protocols
NTLP strawman draft-schulzrinne-gimps
Network Basics and Architectures Neil Tang 09/05/2008
Presentation transcript:

Design Issues for NSIS Signaling Protocols Henning Schulzrinne Columbia University NSIS working group meeting IETF 56 (March 2003, San Francisco)

Overview My NSIS assumptions Logical components of NSIS functionality “Transport” layer –requirements –transport protocols Peer node discovery

My NSIS mental model Want to support a variety of “signaling” applications –not just QoS and FW/NAT  otherwise, why bother with 2-layer model? –path-associated state management –applications: manage data flows along path: NAT/firewall, QoS just along path: –active network code deposits –network property discovery (“traceroute-on-steroids”) –network property management (not just NATs/firewalls) –we are not designing all applications now, but should not lightly prevent future use Noel Chiappa: “the measure of a great architecture is one which meets requirements the designers didn't know about” bidirectional signaling support with equivalent functionality –NI  NR and NR  NI –possibly NE  NE

Logical components of a signaling protocol Three logical components of any signaling protocol –Discovery – “what’s the next node along the data path?” –Transport – get information there (reliably) –Service – “set up some state” May be combined into one message, e.g., PATH combines discovery, transport (with 2961), session setup –RSVP design makes it difficult to separate components –addressing model (h-b-h, e2e) tied to message But a general signaling protocol should allow to “swap out” each part –discovery  may know from routing table or want to visit "old" path –transport  wide variety of requirements and underlying network support –service  two-layer model 

Layering Some terminology confusion for NTLP – service vs. protocol –we’ll take protocol (and contradict framework…) –= functionality added to lower layer maybe ‘messaging layer’ is less overloaded NTLP peer discoveryNSLP2 reliable transport IPv4, IPv6 UDP ? NSLP1

Reliability Most signaling applications require that end systems have reasonable assurance that state was established –if it wasn’t important, why bother sending message to begin with ? –often, modestly time-critical: human factors  call setup latency economic  fast and reliable teardown RSVP discovered later  staged refresh timer (RFC 2961)

Transport requirements Signaling transport users may require large data volumes: –active network code –signed objects (easily several kB long if self- contained; standard cert is ~5 kB) –objects with authentication tokens (OSP, …) –diagnostics accumulating data Signaling applications may have high rates: –DOS attacks –automated retry after reservation failure (“redial”) –odd routing (load balancing over backup link)

Other transport issues In-sequence delivery –avoids lost teardown messages MTU discovery –MTU can change during session  may force end-to- end rediscovery –NSIS packet size can change during transit –not a problem if all messages are small (< 512 bytes?) Congestion control  prevent network overload –traffic burst for state synchronization –retry after failures

Other transport issues (2) Flow control  prevent NE overload –traffic burst for state synchronization –AAA makes per-node processing much more variable Security association –needed for any channel security Message bundling –probably interesting mostly for small (optimistic refresh?) messages DOS prevention –need validated peer  never, ever send more than one message for each request!

Transport protocols for IETF protocols “trivial” –no RTT discovery –no fragmentation –exponential back-off for retransmission –no windowing (although often unclear whether multiple outstanding messages are ok) –no protection against identifier re-use after reboot –work very poorly in wireless environments –examples: SIP (UDP), tftp, RSVP , DNS, SLP (UDP) “real” –examples: SCTP, TCP –flow control, congestion control, fragmentation, RTT estimation –enhancements for selective acknowledgments –fast retransmit (duplicate acknowledgements)

Building your own “real” transport protocol Only worthwhile if it avoids initial handshake Thus, one cannot just copy TCP or SCTP at the application layer (rely on session-based sequence numbers) Interoperability of transport protocols is non-trivial (see SCTP) Greatly increases protocol complexity (SCTP = 134 pages) Upgrades unlikely, both in specification and implementation (can’t leverage large base) Unlikely that anything but most basic functionality gets implemented

Transport protocol options None  raw IP –limited to IPsec for NE-NE channel security –can’t send Path via IPsec: no idea what SA TCP –needs encapsulation (= one-word message length) –HOL blocking – waiting for old message –IPsec or TLS for channel security SCTP –easier end system diversity  relevant mostly for path de-coupled –avoids HOL blocking – but effect is very hard to actually observe (see upcoming IEEE Network article) TCP UDP raw IP  requires layering reliability on top of UDP  add complications (see SIP experience)

Reliability options (1) End-to-end retransmission –NI retransmits until confirmation by NR simple – only requires NI state deals with node failures  usually, no good RTT estimate  flying blind  doesn’t work well for NR-initiated messages  node processing (incl. AAA) adds delay variability  RTT very unpredictable Hop-by-hop below NTLP –share congestion state between sessions  better RTT estimate –re-use transport optimizations such as SACK –inappropriate services? –mandates explicit discovery (see later)

Reliability options (2) Hop-by-hop by NTLP per session can use implicit discovery –RFC 2961 –simple exponential back-off: no windowing, no SACK  bad for long-delay pipes –timer estimation difficult often few messages for one NSIS session must only have transport semantics Hop-by-hop by NSLP –diversity of needs vs. cost what does a feature cost if not used/needed? –what’s left for NTLP in that case?

Transport (non-)issues “But xP is stateful and we want soft-state” –existence of transport association should not be coupled to NTLP or NSLP state lifetime –loss of transport does not signify anything (except maybe a reboot of the peer) –primarily an optimization issue: state maintenance vs. state establishment overhead Multicast –Each branch can have own transport session –In RSVP, only Path* are multicast End-to-end principle –not clear what the “ends” are here –each NE is not just forwarding, but processing and modifying messages –explicitly noted for performance enhancement Number of associations per node –limited by select(), but not poll()

Transport (non-)issues State overhead –information about next/previous hop has to be somewhere… Transport header overhead –most messages are likely >> 40 bytes Transport implementation overhead –Conceivable end systems and routers already implement IP, UDP, TCP TCP needed for DIAMETER, SNMP in routers TCP on any reasonable mobile device (HTTP, SMTP, POP, IMAP, …) –Less clear for SCTP

Finding NSIS peers The problem is not finding (all/some) NSIS elements –  service location problem (SLP, DNS, etc.) but rather finding the next NE on the data path to the NR implicit (send to destination) explicit active (by probing) passive (by observation) routing tables next-hop router directory (e.g., map next AS to NSIS node)

When to discover peers Can be triggered by NI or NE May not want it automatically –e.g., remove reservation – don’t want to be first on new path! –good to have separation of discovery and operation Options: –for every new NI-NR session including edge changes –for every application-layer refresh –requested by NI –when detecting a route change in the middle of the network NE cannot tell (directly) that route has changed “no more traffic for session 42!”

Next-node discovery Next-node discovery probably causes operational distinction between path-coupled and path-decoupled path-coupled: –one of the routers downstream –unless every data packet is a signaling packet, always only guess at coupling! path-decoupled: –some server in next AS –anything else make (interdomain) sense?

Peer discovery: RSVP style Forward messages (Path, PathTear) addressed to NR Backward messages (Resv*,PathErr) sent hop-by-hop Path messages: discovery + special application semantics NINE NR non NE Path Resv Ack

Peer node discovery: path-coupled With forward connection setup Only needed if next IP hop is not NSIS-aware Discovery messages: pure or application-enabled? NINE NR non NE discovery TP setup (if no existing assoc.) NSIS

Tradeoffs for transport Waiting for TP connection adds additional delay –always: ½ RTT waiting for discovery response –SCTP: one round-trip for cookie exchange Likely only an issue at edge, since nodes in the middle will usually have existing transport connection Matters for mobile if first NE changes frequently –may not if deeper inside the access network –(and use SCTP to allow end system to change IP addresses) but TP address reverse-routing verification also makes some kinds of DOS attacks harder: –CPU exhaustion by sending bogus PK objects (e.g., CMS) –AAA attacks by forcing authorization checks that fail might use only on roaming handoff (get session secret)

Identifiers Need identifiers for each logical association/session –know whether this path has been traversed before need discovery or not –pass to correct upper layer handler SIP lesson: do not overload identifiers

Identifiers should be… globally unique –otherwise, they’ll have to be combined with something else not depend on host addresses –NI and NR may change during session (mobility) –NAT and RFC 1918-uniqueness issues –RSVP SENDER_TEMPLATE and SESSION object  constrains applications hard to match (multiple formats) same session has different identifiers along a path  hard to manage probably not depend on globally unique host identifier (MAC) address constant length –easy to parse and compare cryptographically random –not sufficient for security, but often helps to prevent long-distance session stealing attacks –can often avoid a complicated hash function

Identifiers Two types: –mappable via some lookup protocol or directory to another (lower-layer) identifier domain names, URLs, URNs, IP addresses not relevant to NSIS session identification –non-mappable (“distinguishers”) just unique, but only operation is “==“

Globally unique identifiers Only three known approaches: –Allocate hierarchically DNS, URLs expensive  not likely to be another hierarchy –Allocate centrally (maybe in pools) IEEE blocks –Allocate randomly birthday problem None of existing global IDs are useful for NSIS: –MAC address: not every interface/host has one –IP addreses: NATs –DNS: not every host has a domain name (or can find it)

Cryptographically random identifiers If sufficiently long, collision probability << other failure scenarios (e.g., repeated packet loss) collision probability  1-e -n(n-1)/2d for n=10,000, d=2 64  for d=2 128  cf. Powerball lottery: PSTN call failure probability: 10 -5

Strawman design considerations Do not try to replicate a “real” transport protocol at NTLP/NSLP Allow raw IP + any suitable transport protocol Allow combining of discovery with NSLP signaling –with tight MTU constraints (< 500 bytes) –with “trivial” transport functionality