Network support for TCP Fast Open. Christoph Paasch <cpaasch@apple.com>

Similar documents
COMP 3331/9331: Computer Networks and Applications. Lab Exercise 3: TCP and UDP (Solutions)

Protecting Mobile Devices From TCP Flooding Attacks

Question: 3 When using Application Intelligence, Server Time may be defined as.

Troubleshooting Tips and Tricks

Multipath TCP in Practice (Work in Progress) Mark Handley Damon Wischik Costin Raiciu Alan Ford

Transport Layer Protocols

Your App and Next Generation Networks

Visualizations and Correlations in Troubleshooting

Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Challenges of Sending Large Files Over Public Internet

An Overview of Multipath TCP

Ignoring the Great Firewall of China

CIT 380: Securing Computer Systems

Denial of Service Attacks

Host Fingerprinting and Firewalking With hping

Denial Of Service. Types of attacks

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

Mobile Communications Chapter 9: Mobile Transport Layer

Secure SCTP against DoS Attacks in Wireless Internet

Sting: a TCP-based network measurement tool

TCP and Wireless Networks Classical Approaches Optimizations TCP for 2.5G/3G Systems. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Midterm Exam CMPSCI 453: Computer Networks Fall 2011 Prof. Jim Kurose

First Midterm for ECE374 03/09/12 Solution!!

tcpcrypt Andrea Bittau, Dan Boneh, Mike Hamburg, Mark Handley, David Mazières, Quinn Slack Stanford, UCL

Life of a Packet CS 640,

Application Delivery Networking

Policy Based Forwarding

How To Protect A Dns Authority Server From A Flood Attack

Chapter 8 Security Pt 2

Adopting SCTP and MPLS-TE Mechanism in VoIP Architecture for Fault Recovery and Resource Allocation

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

CS 3251: Computer Networking 1 Security Protocols I

Pig Laboratory. Additional documentation for the laboratory. Exercises and Rules. Tstat Data

Recent advances in transport protocols

Firewalls, Tunnels, and Network Intrusion Detection

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Network and Services Discovery

TLP WHITE. Denial of service attacks: what you need to know

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Multipath TCP. Breaking today's networks with tomorrow's protocol

First Midterm for ECE374 02/25/15 Solution!!

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

La couche transport dans l'internet (la suite TCP/IP)

TCP Performance Management for Dummies

Single Pass Load Balancing with Session Persistence in IPv6 Network. C. J. (Charlie) Liu Network Operations Charter Communications

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

High-Speed TCP Performance Characterization under Various Operating Systems

Introduction about DDoS. Security Functional Requirements

IAB CONCERNS ABOUT CONGESTION CONTROL. Iffat Hasnian

CSE 473 Introduction to Computer Networks. Exam 2 Solutions. Your name: 10/31/2013

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

An Untold Story of Middleboxes in Cellular Networks

Computer Networks and the Internet

Distributed Denial of Service Attacks & Defenses

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Computer Networks UDP and TCP

Secure Software Programming and Vulnerability Analysis

CS551 End-to-End Internet Packet Dynamics [Paxson99b]

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

This sequence diagram was generated with EventStudio System Designer (

Defending Computer Networks Lecture 6: TCP and Scanning. Stuart Staniford Adjunct Professor of Computer Science

Computer Networks. Chapter 5 Transport Protocols

A Survey on Congestion Control Mechanisms for Performance Improvement of TCP

Improving Effective WAN Throughput for Large Data Flows By Peter Sevcik and Rebecca Wetzel November 2008

Key Components of WAN Optimization Controller Functionality

Frequently Asked Questions

Firewalls. Chapter 3

M U L T I P A T H T C P, P W N I N G T O D A Y S N E T W O R K S W I T H

Configuring CSS Remote Access Methods

2 TCP-like Design. Answer

On evaluating the differences of TCP and ICMP in network measurement

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

CISCO WIDE AREA APPLICATION SERVICES (WAAS) OPTIMIZATIONS FOR EMC AVAMAR

Using TrueSpeed VNF to Test TCP Throughput in a Call Center Environment

IPv6 Performance. Geoff Huston APNIC Labs February 2015

LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks

La couche transport dans l'internet (la suite TCP/IP)

CHAPTER 1 PRINCIPLES OF NETWORK MONITORING

The Fundamentals of Intrusion Prevention System Testing

TCP loss sensitivity analysis ADAM KRAJEWSKI, IT-CS-CE

A Talari Networks White Paper. Turbo Charging WAN Optimization with WAN Virtualization. A Talari White Paper

The ISP Column A monthly column on all things Internet

Efficient Transport of VoIP Firewall Control Signaling

Improving the Performance of TCP Using Window Adjustment Procedure and Bandwidth Estimation

CS5008: Internet Computing

TCP/IP Optimization for Wide Area Storage Networks. Dr. Joseph L White Juniper Networks

TCP Fast Open. Sivasankar Radhakrishnan, Yuchung Cheng, Jerry Chu, Arvind Jain. Barath Raghavan ABSTRACT 1. INTRODUCTION

Cleaning Encrypted Traffic

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,

Transcription:

Network support for TCP Fast Open Christoph Paasch <cpaasch@apple.com>

Outline TCP Fast Open allows to reduce latency and significantly improve user-experience However, naive firewalls and bad Intrusion Detection Systems got in our way We should change that!

Latency matters PLT of 25 most popular websites (Latency = 60ms) 4000 Page Load Time [ms] 750 1 2 3 4 5 6 7 8 9 10 Bandwidth [Mbps] [1] More Bandwidth Doesn t Matter (much). M. Belshe. 2010 (https://goo.gl/x8re6q).

Latency matters PLT of 25 most popular websites (Latency = 60ms) 4000 PLT of 25 most popular websites (Bandwidth = 5Mbps) Page Load Time [ms] 750 1 2 3 4 5 6 7 8 9 10 Page Load Time [ms] 4000 Bandwidth [Mbps] 750 240 220 200 180 160 140 120 100 80 60 40 20 0 Latency [ms] [1] More Bandwidth Doesn t Matter (much). M. Belshe. 2010 (https://goo.gl/x8re6q).

Latency matters [2] measured impact of latency on service revenue Direct correlation between latency and revenue: 100ms of additional delay has significant impact on the revenue and customer satisfaction [2] Measuring and Mitigating Web Performance Bottlenecks in Broadband Access Networks. S. Sundaresan, et al. ACM IMC 2013.

Transmission Control Protocol Used for 95% of the Internet s traffic Provides a reliable and in-order byte-stream service 3-way handshake to establish the connection

The TCP joke Hi, I d like to hear a TCP joke. Hello, would you like to hear a TCP joke? Yes, I d like to hear a TCP joke. Ok, I ll tell you a TCP joke.

TCP Handshake is expensive Client Server SYN SYN/ACK ACK Data Data

TCP Handshake is expensive Client Server SYN 1 RTT before any data is sent SYN/ACK ACK Cellular Network s Data RTT can range in the hundreds of Data milliseconds

TCP Fast Open (RFC 7413) Accelerating the TCP Handshake

TCP Fast Open (TFO) Allows clients to send SYN with data Enables servers to reply right away with the response Protects itself against DoS through a cookie, unique for each client-ip Standardized at the IETF - RFC 7413 [3] TCP Fast Open. Y. Cheng, J. Chu, S. Radhakrishnan, A. Jain. IETF RFC 7413. 2014

TFO at Apple TCP Fast Open in ios 9 and OS X 10.11 (and later) Used for an Apple Service on all ios and OS X devices Public API by using connectx(2) Overall, very beneficial But, Firewalls got in our way

TFO in details 1. Cookie Exchange Client Server SYN TFO Cookie Request Generate Cookie: X = Hash(Client_IP, secret) SYN/ACK TFO Cookie = X

TFO in details 2. Sending SYN + data Client Server SYN + data TFO Cookie = X SYN/ACK Verify Cookie: X == Hash(Client_IP, secret)

TFO in details 3. Server replies with data Client Server SYN + data TFO Cookie = X SYN/ACK Verify Cookie: X == Hash(Client_IP, secret) Data ACK

Middlebox issues with TCP Fast Open and their negative impact

Middlebox issues Bad Middleboxes and Firewalls respond badly to TCP Fast Open Suppress TCP options Drop packets Mark entire connection as invalid Blackhole the clients

Using a new TCP option Issue Simplistic middleboxes remove unknown TCP options

Using a new TCP option Issue Simplistic middleboxes remove unknown TCP options Client Server SYN TFO Cookie Request SYN SYN/ACK

Using a new TCP option Issue Simplistic middleboxes remove unknown TCP options Impact Clients cannot use TFO, and thus pay a latency cost compared to well-behaving networks

Using a new TCP option Issue Simplistic middleboxes drop segments with unknown TCP options

Using a new TCP option Issue Simplistic middleboxes drop segments with unknown TCP options Client Server SYN TFO Cookie Request RTO (1s) SYN

Using a new TCP option Issue Simplistic middleboxes drop segments with unknown TCP options Impact Client has to retransmit the SYN-segment without the TCP option. The user experiences a high pageload-time.

Sending SYN+data Issue Naive middleboxes drop SYN segments with data

Sending SYN+data Issue Naive middleboxes drop SYN segments with data Client Server SYN + data TFO Cookie = X RTO (1s) SYN

Sending SYN+data Issue Naive middleboxes drop SYN segments with data Impact Clients has to retransmit the SYN-segment without the TCP option. The user experiences a high pageload-time.

Acknowledging SYN+data Issue The server acknowledges the SYN+data, thus more than the initial sequence number. Middleboxes might drop the SYN/ACK.

Acknowledging SYN+data Issue The server acknowledges the SYN+data, thus more than the initial sequence number. Middleboxes might drop the SYN/ACK. Client Server SYN (Seq=0, len=10) + data SYN/ACK (Ack=11) Expected Ack=1 SYN/ACK (Ack=11)

Acknowledging SYN+data Issue The server acknowledges the SYN+data, thus more than the initial sequence number. Middleboxes might drop the SYN/ACK. Impact The middlebox keeps on blocking the server s SYN/ ACK. The session never becomes established.

Server sends data right before 3-way handshake completes Issue Bad Intrusion Detection Systems (IDS) start blackholing the client

Server sends data right before 3-way handshake completes Issue Bad Intrusion Detection Systems (IDS) start blackholing the client Client SYN + data TFO Cookie = X Server SYN/ACK Data ACK

Server sends data right before 3-way handshake completes Issue Bad Intrusion Detection Systems (IDS) start blackholing the client Impact Client loses connectivity to the server. Subsequent connections (non-tfo) also might be blocked by the IDS.

How common is this? Mostly, TFO works successfully (~80% success-rate). But

How common is this? Mostly, TFO works successfully (~80% success-rate). But 100% of the users of the affected networks are penalized

Conclusion Latency has a direct impact on user-experience TCP Fast Open allows to significantly reduce latency Bad middleboxes are interfering with TCP Fast Open Vendors and operators: Take TFO into account for a better user-experience

References [1] More Bandwidth Doesn t Matter (much). M. Belshe. 2010 (https://goo.gl/ X8rE6Q). [2] Measuring and Mitigating Web Performance Bottlenecks in Broadband Access Networks. S. Sundaresan, et al. ACM IMC 2013. [3] TCP Fast Open. Y. Cheng, J. Chu, S. Radhakrishnan, A. Jain. IETF RFC 7413. 2014

Backup-slides

TFO and idempotency Data sent in a SYN might reach the server twice Client Server SYN + data SYN + data SYN + data got delayed in the network SYN/ACK TCP-session terminates ACK SYN + data Old SYN + data finally reaches the server

TFO and idempotency Use TFO only with idempotent data (aka., data that can be received twice by the server) E.g.,: TLS (ClientHello) HTTP-Requests

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information