
MPTCP Proxies & Anchors

draft_hampel_mptcp_proxies_anchors_00. Georg Hampel & Thierry Klein, Bell Labs – Alcatel-Lucent.



Presentation Transcript


  1. MPTCP Proxies & Anchors
     draft_hampel_mptcp_proxies_anchors_00
     Georg Hampel & Thierry Klein, Bell Labs – Alcatel-Lucent

  2. MPTCP Network Functions on MPTCP Network Nodes
     [Diagram labels: Host, Proxy, Host (MPTCP, TCP); Host, Anchor, Host (MPTCP, MPTCP)]
     • Protocol NAT
     • Some BBM mobility scenarios
     • Incremental deployment

  3. Examples for MPTCP Anchor
     [Diagram panels: "Simultaneous Mobility" and "Mobility + Firewall"; each shows Hosts connected through an Anchor over MPTCP]

  4. Where will MPTCP NNs reside?
     [Diagram labels: Carrier, ISP, eNodeB, LTE, MPTCP NN (three instances), Femto, Carrier Wi-Fi AP]
     • In 3G/4G carrier networks for traffic offload
     • Multiple MPTCP NNs may lie in a chain

  5. Issues:
     • MPTCP-related signaling with Proxies/Anchors
     • Authentication between hosts and Proxies/Anchors
     • Security
     • Implementation

  6. Implicit vs. Explicit Proxy/Anchor
     Implicit Proxy / Implicit Anchor
     [Diagram labels: Host, Implicit Proxy, Host (MPTCP, TCP); Host, Implicit Anchor, Host (MPTCP, MPTCP)]
     • Deployment: Proxy/Anchor resides on 3G/4G access network
     • Authentication: Implicit with access authentication
     Explicit Proxy / Explicit Anchor
     [Diagram labels: Host, Explicit Proxy, Host (MPTCP, TCP); Host, Explicit Anchor, Host (MPTCP, MPTCP)]
     • Deployment: Anywhere
     • Authentication: Explicitly needed

  7. Implicit Proxy
     MPTCP-capable Session Initiator
     [Sequence diagram] Participants: MPTCP Host, MPTCP NN, MPTCP Host
     Labels in slide order: SYN +MP_CAP; +MP_CAP +PROXY = 1 SYN-ACK; MPTCP ← PROXY → TCP; ACK +MP_CAP; SEEK_ADDR; ADD_ADDR +JOIN = 0; SYN +MP_JOIN; SYN-ACK +MP_JOIN; ACK +MP_JOIN

  8. Implicit Anchor
     MPTCP-capable Session Initiator
     [Sequence diagram] Participants: MPTCP Host, MPTCP NN, MPTCP Host
     Labels in slide order: SYN +MP_CAP; SYN-ACK +MP_CAP; MPTCP ← ANCHOR → MPTCP; ACK +MP_CAP; SEEK_ADDR; SEEK_ADDR; ADD_ADDR +JOIN = 0 +Addr_ID = 255; ADD_ADDR +JOIN = 0 +Addr_ID = 255; SYN +MP_JOIN, Addr_ID=X +ANCHOR = 1; SYN +MP_JOIN, Addr_ID=X; SYN-ACK +MP_JOIN, Addr_ID=Y; SYN-ACK +MP_JOIN, Addr_ID=Y; ACK +MP_JOIN; ACK +MP_JOIN

  9. Implicit Proxy Chains
     [Three sequence diagrams] Participants in each: MPTCP Host, MPTCP NN, MPTCP NN, MPTCP Host
     Diagram 1, labels in slide order: SYN +MP_CAP; +MP_CAP +PROXY=1 SYN-ACK; ANCHOR ?; PROXY; ACK +MP_CAP
     Diagram 2, labels in slide order: +MP_CAP +PROXY=1 SYN; SYN-ACK +MP_CAP; PROXY; ANCHOR ?; ACK +MP_CAP
     Diagram 3, labels in slide order: +MP_CAP +PROXY=1 SYN; +MP_CAP +PROXY=1 SYN-ACK; PROXY ?; PROXY ?; ACK

  10. Explicit Proxy/Anchor
      • Explicit signaling: Authentication + Peer’s IP address/PortNo
      1. In-band MPTCP signaling:
         • No extensible authentication possible → dismissed
      2. Out-of-band MPTCP signaling:
         • HTTPS? IPsec? Beyond scope of MPTCP? → not considered
      3. Authentication via pre-shared keys:
         • 32-bit host ID + MPTCP key derived from pre-shared keys + Peer’s IP/Port = ~40B (IPv6)
      4. External signaling protocol:
         • Host + NN establish MPTCP key, host sends peer’s IP/port →
      5. External protocol for signaling & traffic:
         • Transparent to MPTCP → not considered

  11. Explicit Proxy
      Authentication via Pre-Shared Keys
      [Sequence diagram] Participants: MPTCP Host, MPTCP NN, MPTCP Host
      Labels in slide order: SYN +MP_CAP (keyA); SYN-ACK +MP_CAP (keyN); ACK +FWD_ADDR(IP, Prt); SYN +MP_CAP(keyA) +ANCHOR = 1; 4-way handshake; SYN-ACK; 3-way handshake; MPTCP ← PROXY → TCP; ACK +MP_CAP() +PROXY = 1; ACK; SYN +MP_JOIN; SYN-ACK +MP_JOIN; ACK +MP_JOIN

  12. Explicit Anchor
      Authentication via Pre-Shared Keys
      [Sequence diagram] Participants: MPTCP Host, MPTCP NN, MPTCP Host
      Labels in slide order: SYN +MP_CAP (keyA); SYN-ACK +MP_CAP (keyN); ACK +FWD_ADDR(IP, Prt); SYN +MP_CAP(keyA) +ANCHOR = 1; 4-way handshake; SYN-ACK +MP_CAP(keyB); 3-way handshake; MPTCP ← ANCHOR → MPTCP; ACK +MP_CAP(keyB) +ANCHOR = 1; ACK +MP_CAP(keyA, keyB); SYN +MP_JOIN, Addr_ID=X +ANCHOR = 1; SYN +MP_JOIN, Addr_ID=X; SYN-ACK +MP_JOIN, Addr_ID=Y; SYN-ACK +MP_JOIN, Addr_ID=Y; ACK +MP_JOIN; ACK +MP_JOIN

  13. Chain of Explicit Anchor/Proxy + Implicit Proxy
      Authentication via Pre-Shared Keys
      [Sequence diagram] Participants as labelled on the slide: Explicit MPTCP NN, Implicit MPTCP NN, MPTCP Host, MPTCP Host
      Labels in slide order: SYN +MP_CAP (keyA); SYN-ACK +MP_CAP (keyEN); ACK +FWD_ADDR(IP, Prt); SYN +MP_CAP(keyA) +ANCHOR = 1; 4-way handshake; +MP_CAP(keyIN) +PROXY = 1 SYN-ACK; 3-way handshake; ANCHOR; PROXY; ACK +MP_CAP(keyIN) +PROXY = 1 +ANCHOR = 1; ACK +MP_CAP(keyA, keyIN); SEEK_ADDR; ADD_ADDR, Addr_ID = X +JOIN = 0; ADD_ADDR, Addr_ID = 255 +JOIN = 0

  14. Security - Explicit Proxy/Anchor
      • Security problem in absence of proper authentication:
        • Distributed-DoS attacker uses proxy to hide its IP address
      [Diagram] Attacker → MPTCP NN: IP_SRC = ATTACK, IP_DST = Proxy
      [Diagram] MPTCP NN → Victim: IP_SRC = Proxy, IP_DST = VICTIM

  15. Simultaneous Mobility with (Implicit) Anchor
      [Sequence diagram] Participants: MPTCP Host, MPTCP Anchor, MPTCP Host
      Labels in slide order: Traffic; SYN +MP_JOIN; TCP RST; SYN +MP_JOIN; TCP RST; Caches SRC IP; SYN +MP_JOIN; TCP RST; Caches SRC IP; SYN +MP_JOIN; TCP RST; SYN +MP_JOIN; SYN-ACK +MP_JOIN; SYN-ACK +MP_JOIN

  16. Proxy Realization
      • Proxy creates logical MPTCP – TCP split connection
      • Large number of connections: Minimize cost-per-connection
        • Minimize cost if only one path → Design implications!
        • Minimize buffer for multipath → Design implications!
      • Cost-vs-Feature Tradeoff
        • Mobility only → Simple, low-cost implementation
        • Multipath → Higher performance at higher price

  17. MPTCP Re-Charter Proposal
      • Proxies & Anchors
      • Mobility
