Flow processing and the rise of the middle.

Similar documents
Multipath TCP in Practice (Work in Progress) Mark Handley Damon Wischik Costin Raiciu Alan Ford

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Firewalls P+S Linux Router & Firewall 2013

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

tcpcrypt Andrea Bittau, Dan Boneh, Mike Hamburg, Mark Handley, David Mazières, Quinn Slack Stanford, UCL

Network Functions Virtualization on top of Xen

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 11 Cloud Application Development

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

A S B

Datagram-based network layer: forwarding; routing. Additional function of VCbased network layer: call setup.

Network Security through Software Defined Networking: a Survey

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology

Linux Network Security

Internet Security Firewalls

Improving DNS performance using Stateless TCP in FreeBSD 9

Chapter 9. IP Secure

Firewalls. Chapter 3

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

An Overview of Multipath TCP

Outline. Outline. Outline

Wireless Encryption Protection

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network

Software-Defined Networking for the Data Center. Dr. Peer Hasselmeyer NEC Laboratories Europe

Solution of Exercise Sheet 5

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Internet Protocol: IP packet headers. vendredi 18 octobre 13

CMPT 471 Networking II

Application Note. Onsight TeamLink And Firewall Detect v6.3

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Application Delivery Networking

Should the IETF do anything about DDoS attacks? Mark Handley

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network

12. Firewalls Content

Content Distribution Networks (CDN)

Firewalls 1 / 43. Firewalls

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 5 Diploma in IT. October 2009 EXAMINERS' REPORT. Computer Networks

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security TCP/IP Refresher

Next Generation IPv6 Network Security a Practical Approach Is Your Firewall Ready for Voice over IPv6?

Firewalls. Chien-Chung Shen

Proxy Server, Network Address Translator, Firewall. Proxy Server

Non-intrusive, complete network protocol decoding with plain mnemonics in English

IP Security. Ola Flygt Växjö University, Sweden

Intro to Firewalls. Summary

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Definition of firewall

Load Balancing and Sessions. C. Kopparapu, Load Balancing Servers, Firewalls and Caches. Wiley, 2002.

Security Technology: Firewalls and VPNs

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. G.Bianchi, G.Neglia, V.Mancuso

CSCE 465 Computer & Network Security

INTRODUCTION TO FIREWALL SECURITY

allow all such packets? While outgoing communications request information from a

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Packet Matching. Paul Offord, Advance7

The Case Against Jumbo Frames. Richard A Steenbergen <ras@gtt.net> GTT Communications, Inc.

LESSON Networking Fundamentals. Understand TCP/IP

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Boosting mobility performance with Multi-Path TCP

Stateful Firewalls. Hank and Foo

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

Using SYN Flood Protection in SonicOS Enhanced

IP Address Classes (Some are Obsolete) Computer Networking. Important Concepts. Subnetting Lecture 8 IP Addressing & Packets

Firewall Design Principles Firewall Characteristics Types of Firewalls

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Cisco Configuring Commonly Used IP ACLs

Best Practices Guide: Vyatta Firewall. SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

BREAKING HTTPS WITH BGP HIJACKING. Artyom Gavrichenkov R&D Team Lead, Qrator Labs

OpenFlow and Software Defined Networking presented by Greg Ferro. OpenFlow Functions and Flow Tables

Evaluating IPv6 Firewalls & Verifying Firewall Security Performance

IP addressing and forwarding Network layer

Kick starting science...

Firewalls, Tunnels, and Network Intrusion Detection

How To Switch A Layer 1 Matrix Switch On A Network On A Cloud (Network) On A Microsoft Network (Network On A Server) On An Openflow (Network-1) On The Network (Netscout) On Your Network (

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

State of Texas. TEX-AN Next Generation. NNI Plan

21.4 Network Address Translation (NAT) NAT concept

Firewall Implementation

Transcription:

Flow processing and the rise of the middle. Mark Handley, UCL With acknowledgments to Michio Honda, Laurent Mathy, Costin Raiciu, Olivier Bonaventure, and Felipe Huici.

Part 1 Today s Internet

Protocol Layering Link layers (eg Ethernet) are local to a particular link Routers look at IP headers to decide how to route a packet. TCP provides reliability via retransmission, flow control, etc. Application using OS s TCP API to do its job. HTTP TCP HTTP TCP IP IP IP IP Ethernet Ethernet ATM ATM Modem Modem Web Server Internet Router Internet Router Web Client

Protocol Layering Link layers (eg Ethernet) are local to a particular link Routers look at IP headers to decide how to route a packet. TCP provides reliability via retransmission, flow control, etc. Application using OS s TCP API to do its job. HTTP HTTP Fiction! TCP TCP IP IP IP IP mostly Ethernet Ethernet ATM ATM Modem Modem Web Server Internet Router Internet Router Web Client

What actually happens to TCP in the wild? We studied 142 access networks in 24 countries. Ran tests to measure what actually happened to TCP. Are new options actually permitted? Does re-segmentation occur in the network? Are sequence numbers modified? Do middleboxes proactively ack?

Middleboxes and new TCP Options in SYN Middleboxes that remove unknown options are not so rare, especially on port 80

What actually happens to TCP in the wild? Rewrote sequence numbers: 10% of paths (18% on port 80) Presumably to improve initial sequence number randomization Resegmented data: 3% of paths (13% on port 80) Proxy Ack: 3% of paths (7% on port 80) Note: all of these paths also removed new options from the SYN Ack data not sent: 26% of paths (33% on port 80) do strange things if you send an ack for data not yet sent.

What actually happens to TCP in the wild? Rewrote sequence numbers: 10% of paths (18% on port 80) Presumably to improve initial sequence number randomization Resegmented data: 3% of paths (13% on port 80) Proxy Ack: 3% of paths (7% on port 80) Note: all of these paths also removed new options from the SYN Ack data not sent: 26% of paths (33% on port 80) do strange things if you send an ack for data not yet sent.

Not to mention NAT Pretty nearly ubiquitous, but comparatively benign DPI-driven rate limiters Lawful intercept equipment Application optimizers Anything at the server end: Firewalls Reverse proxies Load balancers Traffic scrubbers Normalizers, etc Our methodology will not detect most of these, but we re pretty sure they re out there too.

IPv6 will save us! No.

Part 2: Tomorrow s Internet

Option 1: Extrapolate the current Internet Plenty of box vendors will sell you a solution. Whatever you think your problem is. Current apps get optimized and set in silicon. Future apps tunnelled over HTTP (but what do all those port 80 specialized middleboxes do?) Impossible to reason about the concatenation of middleboxes. If you think STUN/TURN/ICE is hard to reason about, you ve not seen anything yet,

Option 2: Devise a wonderful new Internet architecture that everyone will love and deploy.

Option 3: Reverse engineer a new Internet architecture from the current mess. Observation: The Internet is becoming a concatenation of IP networks interconnected by L4+ functionality.

A segmented Internet IP processing access core datacentre L4+ processing L4+ processing It already looks somewhat like this, but the L4+ processing is more distributed.

A platform for Change Those L4+ platforms need to be more general that today s middleboxes. More open. More upgradable, as new apps arrive. Aggregate functionality, so it s managable. Identifiable, so we can reason about them Cheap and scalable.

Flowstream

Flowstream

Flowstream

Flowstream Xen OpenFlow ClickOS

Flowstream OpenFlow FreeBSD + netmap Process (maybe running Click userspace)

Flowstream Xen OpenFlow Luigi Rizzo s netmap: Saturate 10Gb/s with 64 byte packets in userspace ClickOS FreeBSD + netmap Process (maybe running Click userspace)

Empowering the ends, not just the middle

Types of Processing 1. Monitoring/read-only 2. Drop/filter/rate-limit 3. Redirect (eg tunnel) 4. Tee 5. Rewrite

Authorization On-path providers can instantiate flow-processing functionality. Can t stop them anyway. Source and destination also share ownership of a flow. Can we allow them to set up flow processing?

Authorization Source or destination-initiated processing: Need some way to pay. Need to avoid hijacking.

Authorization Request from destination is simple(ish) to authenticate. Simple nonce exchange proves requester is downstream. May be sufficient for monitoring, etc. Otherwise need to prove address ownership (eg via RPKI) Request from source is harder. Anyone upstream can NAT traffic to claim ownership. Address proof (even using RPKI) only proves requester is on path upstream.

Becoming on-path Prefer to filter here Can filter here access datacentre DDoS attack

Becoming on-path access BGP route for dst BGP route for dst datacentre DDoS attack

Becoming on-path access BGP route for dst BGP route for dst datacentre Destination ISP has dynamically extended the reach of its network

Change Project http://www.change-project.eu/ Flow processing as a first class primitive Scalable extensible software platform to enable it. Mechanisms to remotely authorize instantiation of processing. Protocols to communicate with flow processing platforms, so we can reason about the network.

Going with the flow Currently flow processing in middleboxes serves to inhibit new applications. Optimization of the present Inextensible inflexible network security Key question: is it possible to re-claim the middlebox as a force for enabling end-to-end innovation?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information