Published by Augusta Flynn. Modified over 9 years ago.
1
MPTCP Proxies & Anchors
Georg Hampel & Thierry Klein
Bell Labs – Alcatel-Lucent
draft_hampel_mptcp_proxies_anchors_00
2
MPTCP Network Functions on MPTCP Network Nodes
Proxy: Incremental deployment, Protocol NAT
Anchor: Some BBM mobility scenarios
[Diagram labels: Host, MPTCP, TCP]
3
Examples for MPTCP Anchor
Panels: Simultaneous Mobility; Mobility + Firewall
[Diagram labels in each panel: Host, MPTCP, Anchor]
4
Where will MPTCP NNs reside?
In 3G/4G carrier networks for traffic offload
Multiple MPTCP NNs may lie in a chain
[Diagram labels: MPTCP NN, Femto, Carrier, AP, ISP, eNodeB, LTE, Wi-Fi]
5
Issues:
MPTCP-related signaling with Proxies/Anchors
Authentication between hosts and Proxies/Anchors
Security
Implementation
6
Implicit vs. Explicit Proxy/Anchor
Implicit Proxy / Implicit Anchor
  Deployment: Proxy/Anchor resides on 3G/4G access network
  Authentication: Implicit with access authentication
Explicit Proxy / Explicit Anchor
  Deployment: Anywhere
  Authentication: Explicitly needed
[Diagram labels: Host, TCP, MPTCP]
7
MPTCP PROXY TCP MPTCP Host SYN + MP_CAP SYN-ACK + MP_CAP + PROXY = 1 ACK + MP_CAP MPTCP NN SEEK_ADDR ADD_ADDR +JOIN = 0 SYN + MP_JOIN SYN-ACK + MP_JOIN ACK + MP_JOIN Implicit Proxy MPTCP-capable Session Initiator
8
MPTCP ANCHOR MPTCP MPTCP Host SYN + MP_CAP SYN-ACK + MP_CAP ACK + MP_CAP MPTCP NN SEEK_ADDR ADD_ADDR +JOIN = 0 + Addr_ID = 255 SYN + MP_JOIN, Addr_ID=X SYN-ACK+MP_JOIN, Addr_ID=Y ACK + MP_JOIN Implicit Anchor MPTCP-capable Session Initiator SEEK_ADDR ADD_ADDR +JOIN = 0 + Addr_ID = 255 SYN + MP_JOIN, Addr_ID=X + ANCHOR = 1 SYN-ACK+MP_JOIN, Addr_ID=Y ACK + MP_JOIN
9
ANCHOR ? PROXY ? PROXY MPTCP Host SYN + MP_CAP SYN-ACK +MP_CAP +PROXY=1 ACK + MP_CAP MPTCP NN Implicit Proxy Chains MPTCP NN PROXY MPTCP Host SYN SYN-ACK + MP_CAP ACK MPTCP NN + MP_CAP + PROXY=1 + MP_CAP PROXY ? MPTCP Host SYN SYN-ACK ACK MPTCP NN + MP_CAP + PROXY=1 +MP_CAP +PROXY=1
10
Explicit Proxy/Anchor
Explicit signaling: Authentication + Peer’s IP address/PortNo
1. In-band MPTCP signaling: No extensible authentication possible; dismissed
2. Out-of-band MPTCP signaling: HTTPS? IPsec? Beyond scope of MPTCP? Not considered
3. Authentication via pre-shared keys: 32-bit host ID + MPTCP key derived from pre-shared keys + Peer’s IP/Port = ~40B (IPv6)
4. External signaling protocol: Host + NN establish MPTCP key, host sends peer’s IP/port
5. External protocol for signaling & traffic: Transparent to MPTCP; not considered
11
MPTCP PROXY TCP MPTCP Host SYN + MP_CAP (keyA) ACK + FWD_ADDR(IP, Prt) MPTCP NN SYN + MP_JOIN SYN-ACK + MP_JOIN ACK + MP_JOIN Explicit Proxy Authentication via Pre-Shared Keys SYN-ACK + MP_CAP (keyN) SYN + MP_CAP(keyA) + ANCHOR = 1 SYN-ACK ACK + MP_CAP() + PROXY = 1 ACK 4-way handshake 3-way handshake
12
MPTCP ANCHOR MPTCP MPTCP Host SYN + MP_CAP (keyA) ACK + FWD_ADDR(IP, Prt) MPTCP NN Explicit Anchor Authentication via Pre-Shared Keys SYN-ACK + MP_CAP (keyN) SYN + MP_CAP(keyA) + ANCHOR = 1 SYN-ACK + MP_CAP(keyB) ACK + MP_CAP(keyB) + ANCHOR = 1 ACK + MP_CAP(keyA, keyB) SYN + MP_JOIN, Addr_ID=X SYN-ACK+MP_JOIN, Addr_ID=Y ACK + MP_JOIN SYN + MP_JOIN, Addr_ID=X + ANCHOR = 1 SYN-ACK+MP_JOIN, Addr_ID=Y ACK + MP_JOIN 4-way handshake 3-way handshake
13
PROXY Chain of Explicit Anchor/Proxy + Implicit Proxy Authentication via Pre-Shared Keys ANCHOR MPTCP Host SYN + MP_CAP (keyA) ACK + FWD_ADDR(IP, Prt) Explicit MPTCP NN SYN-ACK + MP_CAP (keyEN) SYN + MP_CAP(keyA) + ANCHOR = 1 + MP_CAP(keyIN) + PROXY = 1 ACK + MP_CAP(keyIN) + PROXY = 1 + ANCHOR = 1 ACK + MP_CAP(keyA, keyIN) Implicit MPTCP NN SYN-ACK SEEK_ADDR ADD_ADDR, Addr_ID = X +JOIN = 0 ADD_ADDR, Addr_ID = 255 +JOIN = 0 4-way hand shake 3-way hand shake
14
Security - Explicit Proxy/Anchor
Security problem in absence of proper authentication: Distributed-DoS attacker uses proxy to hide its IP address
[Diagram: Attacker to MPTCP NN with IP_SRC = ATTACK, IP_DST = Proxy; MPTCP NN to Victim with IP_SRC = Proxy, IP_DST = VICTIM]
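One way an explicit Proxy/Anchor can refuse to relay for unauthenticated hosts, which is the gap the security slide describes. This is an added example, not code from the slides or the draft: the HMAC-SHA256 key derivation, the per-connection nonce, the 30-byte field layout and all names are assumptions chosen to match the "32-bit host ID + MPTCP key derived from pre-shared keys + Peer's IP/Port" option.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample table: 32-bit host ID -> pre-shared key (assumed provisioning).
PRE_SHARED_KEYS = {0x0A0B0C0D: b"constructed-psk-host-a"}

# Assumed wire layout: host ID (4B) | MPTCP key (8B) | peer IPv6 (16B) | port (2B).
REQUEST = struct.Struct("!I8s16sH")


def derive_mptcp_key(psk: bytes, host_id: int, nonce: bytes) -> bytes:
    """Assumed derivation: 64-bit key = HMAC-SHA256(psk, host_id || nonce)[:8]."""
    msg = struct.pack("!I", host_id) + nonce
    return hmac.new(psk, msg, hashlib.sha256).digest()[:8]


def build_request(host_id, psk, nonce, peer_ip, peer_port) -> bytes:
    """Host side: pack host ID, derived key and the peer address to forward to."""
    key = derive_mptcp_key(psk, host_id, nonce)
    return REQUEST.pack(host_id, key, ipaddress.IPv6Address(peer_ip).packed, peer_port)


def authorize_forward(request: bytes, nonce: bytes):
    """NN side: return (peer_ip, port) only for a host that proves its PSK.

    Anything else returns None, so the node never relays toward an address
    named by an unauthenticated sender.
    """
    if len(request) != REQUEST.size:
        return None
    host_id, key, ip, port = REQUEST.unpack(request)
    psk = PRE_SHARED_KEYS.get(host_id)
    if psk is None:
        return None
    expected = derive_mptcp_key(psk, host_id, nonce)
    if not hmac.compare_digest(key, expected):  # constant-time comparison
        return None
    return str(ipaddress.IPv6Address(ip)), port


if __name__ == "__main__":
    nonce = bytes(8)  # constructed per-connection value chosen by the NN (assumption)
    good = build_request(0x0A0B0C0D, PRE_SHARED_KEYS[0x0A0B0C0D], nonce, "2001:db8::1", 443)
    forged = build_request(0x0A0B0C0D, b"guessed-key", nonce, "2001:db8::99", 80)
    print(authorize_forward(good, nonce))    # accepted request
    print(authorize_forward(forged, nonce))  # rejected request
```

Binding the key to a value the NN chooses per connection means a captured request does not authorize a later one.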
15
MPTCP Host MPTCP Anchor Simultaneous Mobility with (Implicit) Anchor Traffic SYN + MP_JOIN TCP RST SYN + MP_JOIN TCP RST SYN + MP_JOIN Caches SRC IP TCP RST Caches SRC IP TCP RST SYN + MP_JOIN SYN-ACK + MP_JOIN
16
Proxy Realization
Proxy creates logical MPTCP – TCP split connection
Large number of connections: Minimize cost-per-connection
  Minimize cost if only one path (design implications!)
  Minimize buffer for multipath (design implications!)
Cost-vs-Feature Tradeoff
  Mobility only: Simple, low-cost implementation
  Multipath: Higher performance at higher price
17
MPTCP Re-Charter Proposal
1. Proxies & Anchors
2. Mobility