MPTCP Proxies & Anchors
Georg Hampel & Thierry Klein
Bell Labs – Alcatel-Lucent
draft_hampel_mptcp_proxies_anchors_00

MPTCP Network Functions on MPTCP Network Nodes
[Figure: Host, Proxy, Anchor. Captions: Incremental deployment; Protocol NAT; Some BBM mobility scenarios. Link labels: MPTCP, TCP]

Examples for MPTCP Anchor
[Figure, two panels: "Simultaneous Mobility" and "Mobility + Firewall". Each panel shows Host, Anchor, Host with MPTCP link labels]

Where will MPTCP NNs reside?
- In 3G/4G carrier networks for traffic offload
- Multiple MPTCP NNs may lie in a chain
[Figure labels: MPTCP NN, Femto, Carrier, AP, ISP, eNodeB, LTE, Wi-Fi]

Issues:
- MPTCP-related signaling with Proxies/Anchors
- Authentication between hosts and Proxies/Anchors
- Security
- Implementation

Implicit vs. Explicit Proxy/Anchor
Implicit Proxy / Implicit Anchor:
- Deployment: Proxy/Anchor resides on 3G/4G access network
- Authentication: Implicit with access authentication
Explicit Proxy / Explicit Anchor:
- Deployment: Anywhere
- Authentication: Explicitly needed
[Figure labels: Host, TCP, MPTCP]

Implicit Proxy: MPTCP-capable Session Initiator
[Figure: message sequence. Labels: MPTCP, PROXY, TCP, MPTCP Host, MPTCP NN]
Messages shown:
  SYN + MP_CAP
  SYN-ACK + MP_CAP + PROXY = 1
  ACK + MP_CAP
  SEEK_ADDR
  ADD_ADDR + JOIN = 0
  SYN + MP_JOIN
  SYN-ACK + MP_JOIN
  ACK + MP_JOIN

Implicit Anchor: MPTCP-capable Session Initiator
[Figure: message sequence. Labels: MPTCP, ANCHOR, MPTCP, MPTCP Host, MPTCP NN]
Messages shown:
  SYN + MP_CAP
  SYN-ACK + MP_CAP
  ACK + MP_CAP
  SEEK_ADDR
  ADD_ADDR + JOIN = 0 + Addr_ID = 255
  SYN + MP_JOIN, Addr_ID=X
  SYN-ACK + MP_JOIN, Addr_ID=Y
  ACK + MP_JOIN

  SEEK_ADDR
  ADD_ADDR + JOIN = 0 + Addr_ID = 255
  SYN + MP_JOIN, Addr_ID=X + ANCHOR = 1
  SYN-ACK + MP_JOIN, Addr_ID=Y
  ACK + MP_JOIN

Implicit Proxy Chains
[Figure: three handshake panels, each with an MPTCP Host and MPTCP NNs in a chain. NN role labels: PROXY, "ANCHOR ?", "PROXY ?". The first panel shows SYN + MP_CAP, SYN-ACK + MP_CAP + PROXY=1, ACK + MP_CAP; the other panels show a plain SYN / SYN-ACK / ACK exchange with MP_CAP and PROXY=1 added along the chain]

Explicit Proxy/Anchor
Explicit signaling: Authentication + Peer's IP address/PortNo
1. In-band MPTCP signaling: No extensible authentication possible (dismissed)
2. Out-of-band MPTCP signaling: HTTPS? IPsec? Beyond scope of MPTCP? (not considered)
3. Authentication via pre-shared keys: 32-bit host ID + MPTCP key derived from pre-shared keys + Peer's IP/Port = ~40B (IPv6)
4. External signaling protocol: Host + NN establish MPTCP key, host sends peer's IP/port
5. External protocol for signaling & traffic: Transparent to MPTCP (not considered)

Explicit Proxy: Authentication via Pre-Shared Keys
[Figure: message sequence. Labels: MPTCP, PROXY, TCP, MPTCP Host, MPTCP NN. Brackets: 4-way handshake, 3-way handshake]
Messages shown:
  SYN + MP_CAP (keyA)
  ACK + FWD_ADDR(IP, Prt)
  SYN + MP_JOIN
  SYN-ACK + MP_JOIN
  ACK + MP_JOIN
  SYN-ACK + MP_CAP (keyN)
  SYN + MP_CAP(keyA) + ANCHOR = 1
  SYN-ACK
  ACK + MP_CAP() + PROXY = 1
  ACK

Explicit Anchor: Authentication via Pre-Shared Keys
[Figure: message sequence. Labels: MPTCP, ANCHOR, MPTCP, MPTCP Host, MPTCP NN. Brackets: 4-way handshake, 3-way handshake]
Messages shown:
  SYN + MP_CAP (keyA)
  ACK + FWD_ADDR(IP, Prt)
  SYN-ACK + MP_CAP (keyN)
  SYN + MP_CAP(keyA) + ANCHOR = 1
  SYN-ACK + MP_CAP(keyB)
  ACK + MP_CAP(keyB) + ANCHOR = 1
  ACK + MP_CAP(keyA, keyB)
  SYN + MP_JOIN, Addr_ID=X
  SYN-ACK + MP_JOIN, Addr_ID=Y
  ACK + MP_JOIN
  SYN + MP_JOIN, Addr_ID=X + ANCHOR = 1
  SYN-ACK + MP_JOIN, Addr_ID=Y
  ACK + MP_JOIN

Chain of Explicit Anchor/Proxy + Implicit Proxy: Authentication via Pre-Shared Keys
[Figure: message sequence. Labels: PROXY, ANCHOR, MPTCP Host, Explicit MPTCP NN, Implicit MPTCP NN. Brackets: 4-way handshake, 3-way handshake]
Messages shown:
  SYN + MP_CAP (keyA)
  ACK + FWD_ADDR(IP, Prt)
  SYN-ACK + MP_CAP (keyEN)
  SYN + MP_CAP(keyA) + ANCHOR = 1
  + MP_CAP(keyIN) + PROXY = 1
  ACK + MP_CAP(keyIN) + PROXY = 1 + ANCHOR = 1
  ACK + MP_CAP(keyA, keyIN)
  SYN-ACK
  SEEK_ADDR
  ADD_ADDR, Addr_ID = X + JOIN = 0
  ADD_ADDR, Addr_ID = 255 + JOIN = 0

Security - Explicit Proxy/Anchor
Security problem in absence of proper authentication:
- Distributed-DoS attacker uses proxy to hide its IP address
[Figure: Attacker to MPTCP NN: IP_SRC = ATTACK, IP_DST = Proxy. MPTCP NN to Victim: IP_SRC = Proxy, IP_DST = VICTIM]
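
The pre-shared-key option (item 3 on the explicit-signaling slide) and the security slide together mean the network node has to authenticate a host before it relays toward the peer address that host names. The Python sketch below is an added example, not taken from the slides or the draft; the HMAC-SHA256 key derivation, the 8-byte tag, the per-connection nonce, the sample key table and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample data: pre-shared keys indexed by 32-bit host ID.
PSK_TABLE = {0x0A0B0C0D: b"constructed-psk-host-A"}


def derive_key(psk: bytes, host_id: int) -> bytes:
    """Assumed derivation of a 64-bit MPTCP key from the pre-shared key."""
    label = b"mptcp-key" + struct.pack("!I", host_id)
    return hmac.new(psk, label, hashlib.sha256).digest()[:8]


def request_tag(key: bytes, host_id: int, nonce: bytes,
                peer_ip: str, peer_port: int) -> bytes:
    """MAC over host ID, NN nonce and the peer address to be reached."""
    peer = ipaddress.ip_address(peer_ip).packed + struct.pack("!H", peer_port)
    msg = struct.pack("!I", host_id) + nonce + peer
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def nn_should_forward(host_id: int, nonce: bytes, peer_ip: str,
                      peer_port: int, tag: bytes) -> bool:
    """NN side: open the onward connection only for an authenticated host."""
    psk = PSK_TABLE.get(host_id)
    if psk is None:
        return False  # unknown host ID: do not relay
    expected = request_tag(derive_key(psk, host_id), host_id, nonce,
                           peer_ip, peer_port)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    nonce = b"\x01" * 8  # constructed; assumed to be fresh per connection
    hid = 0x0A0B0C0D
    tag = request_tag(derive_key(PSK_TABLE[hid], hid), hid, nonce,
                      "2001:db8::10", 443)
    print(nn_should_forward(hid, nonce, "2001:db8::10", 443, tag))
    print(nn_should_forward(hid, nonce, "2001:db8::99", 443, tag))
```

Because the tag covers the peer address and the nonce, a captured request cannot be redirected to another destination or replayed on a later connection under these assumptions.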

Simultaneous Mobility with (Implicit) Anchor
[Figure: message sequence. Labels: MPTCP Host, MPTCP Anchor, Traffic]
Messages shown:
  SYN + MP_JOIN
  TCP RST
  SYN + MP_JOIN
  TCP RST
  SYN + MP_JOIN
  Caches SRC IP
  TCP RST
  Caches SRC IP
  TCP RST
  SYN + MP_JOIN
  SYN-ACK + MP_JOIN

Proxy Realization
- Proxy creates logical MPTCP – TCP split connection
- Large number of connections:
  - Minimize cost-per-connection
  - Minimize cost if only one path (Design implications!)
  - Minimize buffer for multipath (Design implications!)
- Cost-vs-Feature Tradeoff
  - Mobility only: Simple, low-cost implementation
  - Multipath: Higher performance at higher price

MPTCP Re-Charter Proposal
1. Proxies & Anchors
2. Mobility