Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.

Published byMorris Abner Fox Modified over 9 years ago

Similar presentations

Presentation on theme: "Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with."— Presentation transcript:

1 Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science http://nms.lcs.mit.edu/ Joint work with Alex Snoeren & Dave Andersen

2 Anatomy of a connection Connection defined by IP A :Port A  IP B :Port B An IP address does not identify a host; it only identifies a network interface Is this a good definition of a connection? Some socket on breeze.lcs.mit.edu www.cnn.com’s HTTP service (port) 18.31.0.83:5678 207.25.71.23:80

3 Problem #1: Host mobility Cerf’s comment from DoD Internet paper: “ If a host were to move, its network (and host) addresses would change and this would affect the connection identifiers used by the TCP. This is rather like a problem called "dynamic reconnection" which has plagued network designers since the inception of the ARPANET project in 1968.” Two options today for connections:  Terminate and retry  Somehow preserve IP address and continue “Horizontal” mobility isn’t quite enough...

4 Vertical mobility: Seamless inter-provider movement In-building & In-room Campus-Area Packet Radio Metro-Area Regional-Area/ ”wireless cable”

5 Problem #2: Unreliable components What happens to a bound connection on failure or unresponsiveness? cnn.com Individual components rather unreliable Replicate for improved reliability and availability

6 Possible solutions 1. Force constant IP address for end-point  Mobile IP  Layer-N switches with “Virtual IPs” 2. Make names routable  All packets identify destination by name, which serves as routing identifier  Intentional naming (late binding), TRIAD 3. In-band migration  Don’t confound end-point and routing identifiers!

7 Home Agent Intercepts pkts Address constancy: Mobile IP Foreign Agent (FA) Mobile Host Correspondent Hosts Temporary address d tmp changes with mobility D “Tunnel” to FA D d FA “Detunnel” to D on addr d tmp D D

8 Why Mobile IP isn’t right Requires additional network support and infrastructure (HA, FA, authentication,…) Triangle routing even for “local” interactions Many types of mobile applications  Connections that don’t care for seamlessness  Connection initiators  Both initiators and responders Ingress filtering  reverse tunneling too! Vertical mobility can’t be properly handled Applications can’t be made aware of mobility

9 Address constancy: Layer-N switching Client But we want: Global distribution With work can solve: Local distribution

10 Name-based routing (example) [service = camera] [building = NE43 [room = 510]] Intentional name Late binding: integrate resolution and message routing image Lookup Intentional name resolvers form an overlay network

11 What should a connection be? Between communicating applications, not network interfaces Should be possible for an application to easily change network interface of connection:  While preserving good unicast routes  Securely Should not require a priori knowledge of valid network interfaces Dynamism should not affect semantics or correctness, nor worsen reliability If done right, can solve both problems at once!

12 Migrate overview Name server Migrating Host foo.bar.edu Location Query (DNS Lookup) Connection Initiation Location Update (Dynamic DNS Update) Connection Migration xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy Fixed Host

13 Problems Consistency of name mapping Correctness  Handling packet losses around time of movement  What if someone else gets your old address? Security  Connection hijacking  Denial-of-service protection Semantics  How to maintain semantics of connection sequence across different nodes?

14 Dynamic name mappings Zero TTL on A-records for migratable names Use Dynamic DNS (RFC 2136, 2137) for Internet names Potential problems:  Race condition between name update and movement Simply retry! This isn’t a new failure mode  What about old BIND implementations? Pray that they’ll vanish off the face of the earth  What about extra DNS load? What load? Ask Akamai!

15 Previous Migration Schemes Multi-homed schemes  Require new transport protocols (SCTP)  Often require a priori knowledge of possible set of IP addresses Connection-ID schemes  May not preserve transport semantics  May require a per-packet overhead  Many security and DoS issues

16 Migrating a connection Initiate migration from new network address  Identify previous connection with token, on SYN  Secure token to protect against hijacking  Requires some state machine changes to guarantee correctness Preserves service model to application Handles “middle boxes”  Works with most NATs, PEPs, stateful firewalls Requires changes to transport protocol  Kernel TCP, SCTP, RTP (linked library)

17 TCP Connection Migration 1.Initial SYN 2.SYN/ACK 3.ACK (with data) 4.Normal data transfer 5.Migrate SYN 6.Migrate SYN/ACK 7.ACK (with data)

18 TCP Connection Migration 1.Initial SYN 2.SYN/ACK 3.ACK (with data) 4.Normal data transfer 5.Migrate SYN 6.Migrate SYN/ACK 7.ACK (with data)

19 TCP Connection Migration 1.Initial SYN 2.SYN/ACK 3.ACK (with data) 4.Normal data transfer 5.Migrate SYN 6.Migrate SYN/ACK 7.ACK (with data)

20 Two correctness issues SYN uses 1 byte of sequence space; what should SYN ACK value be set to?  Needed to correctly handle lost segments What if someone else gets your previous address?  Peer TCP will reset connection

21 Correctness: SYN ACK corresponds to data 1.Initial SYN 2.SYN/ACK 3.ACK (with data) 4.Normal data transfer 5.Migrate SYN 6.Migrate SYN/ACK 7.ACK (with data)

22 Modified TCP State Machine MIGRATE_WAIT 2MSL timeout recv: SYN (migrate T, R) send: SYN, ACK recv: RST appl: migrate send: SYN (migrate T, R) recv: SYN (migrate T, R) send: SYN, ACK 2 new transitions between existing states - and - 1 new state handles potential race condition due to rapid readdressing

23 Securing the Migration Problem: Increased vulnerability to hijacking  Ingress filtering (RFC 2827) doesn’t help  Attacker only needs token and sequence space Solution: Keep the token secret  Negotiate it using Diffie-Hellman exchange (Elliptic-Curve DH)  Use sequence numbers to prevent replay  Complete crypto exchange in SYN handshake Result: Connections are as secure as standard TCP  Use IPsec or SSH for real security

24 Semantics of multi-machine migration Sequence spaces across different machines may not have same application-layer semantics 7801-9000 ACK 9000

25 One solution: Soft-state synchronzation Technique for static content (e.g., file) Information about mapping between filename and TCP initial sequence periodically disseminated 7801-9000 ACK 9000 Health Monitor foo.mp3 ISN = I Token = T caddr = C a cport = C p preload-tcb

26 Implementation Use application-specific stream mapper to map between sequence space and app (e.g., HTTP range requests) HTTP GET parser/creator HTTP header parser/ stripper Data relay Response handler Backend HTTP server HTTP range request Response To client Stream mapper involved in initial connection processing and in re-establishment Client request

27 Experiment #1: Mobility Fixed Basestation Fixed Server 100Mbps Ethernet Mobile Location 1 19.2Kbps Modem Mobile Location 2 19.2Kbps Modem …then moves to a new location Mobile client initiates a transfer…

28 Migration Trace SYN/ACK Buffered Packets (old address) Migrate SYN

29 A Lossy Trace with SACK SYN/ACK Migrate SYN Buffered Packets (old address) ACK w/SACK

30 Experiment #2: Failover works! 0.000 cl.1065 > sA.8080:. ack 0505 win 31856 ----> (Erroneous) sA death pronouncement issued 0.080 sA.8080 > cl.1065: P 0505:1953(1448) ack 1 win 31856 ----> Successful connection migration to sB 0.095 sB.1033 > cl.1065: S 0:0(0) win 0 0.096 cl.1065 > sB.1033: S 0:0(0) ack 1953 win 32120 0.142 sB.1033 > cl.1065:. ack 1 win 32120 ----> Continued data transmission from sA (Reset by client) 0.174 sA.8080 > cl.1065: P 0505:1953(1448) ack 1 win 31856 0.174 cl.1065 > sA.8080: R 1:1(0) win 0 ----> Resumed data transmission from sB 0.241 sB.1033 > cl.1065: P 1953:3413(1460) ack 1 win 32120...

31 Oscillations aren’t a problem

32 Summary Host mobility and service failover are examples of the same fundamental problem:  Connections must be between applications The Migrate architecture enables connections to be separated from, and move between, IP addresses Mobility & service failover are both really end-to-end issues! Got code?

33 Migrate code for Linux 2.2 available from: http://nms.lcs.mit.edu/software/ Migrate project Web page: http://nms.lcs.mit.edu/projects/migrate/ Networks and Mobile Systems

Download ppt "Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with."

Similar presentations

Security Issues In Mobile IP

Security Issues In Mobile IP
Secure Mobile IP Communication

Secure Mobile IP Communication
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
An End-to-End Approach to Host Mobility Alex C. Snoeren and Hari Balakrishnan MIT Laboratory for Computer Science.

An End-to-End Approach to Host Mobility Alex C. Snoeren and Hari Balakrishnan MIT Laboratory for Computer Science.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.

CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
ConnectionMigration 818L Network Centric Computing Spring 2002 Ishan Banerjee.

ConnectionMigration 818L Network Centric Computing Spring 2002 Ishan Banerjee.
Mobile IP Overview: Standard IP Standard IP Evolution of Mobile IP Evolution of Mobile IP How it works How it works Problems Assoc. with it Problems Assoc.

Mobile IP Overview: Standard IP Standard IP Evolution of Mobile IP Evolution of Mobile IP How it works How it works Problems Assoc. with it Problems Assoc.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Mobility in the Internet Part II CS 444N, Spring 2002 Instructor: Mary Baker Computer Science Department Stanford University.

Mobility in the Internet Part II CS 444N, Spring 2002 Instructor: Mary Baker Computer Science Department Stanford University.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Anycast Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.

Anycast Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.
Networking Support In Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

Networking Support In Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
1 Link Layer & Network Layer Some slides are from lectures by Nick Mckeown, Ion Stoica, Frans Kaashoek, Hari Balakrishnan, and Sam Madden Prof. Dina Katabi.

1 Link Layer & Network Layer Some slides are from lectures by Nick Mckeown, Ion Stoica, Frans Kaashoek, Hari Balakrishnan, and Sam Madden Prof. Dina Katabi.
COS 461: Computer Networks

COS 461: Computer Networks
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
1 ELEN 602 Lecture 15 More on IP TCP. 2 byte stream Send buffer segments Receive buffer byte stream Application ACKs Transmitter Receiver TCP Streams.

1 ELEN 602 Lecture 15 More on IP TCP. 2 byte stream Send buffer segments Receive buffer byte stream Application ACKs Transmitter Receiver TCP Streams.

Similar presentations

Ads by Google