[Slide 1]
Efficient Cross-Layer Negotiation
Bryan Ford, MPI-SWS and Yale University
Janardhan Iyengar, Franklin & Marshall College
Presented at HotNets-VIII, October 22, 2009
“Tng: Transport Next Generation” Project
Support: NSF FIND grants CNS-0916413 and CNS-0916678
[Slide 2]
A Proliferation of Layers and Layer Combinations
[Figure: the classic stack, top to bottom: Application (HTTP, FTP, DNS, RTP); Transport Security (SSL); Transport (TCP, UDP); Network Security (IPsec); Network (IP); Data Link (Ethernet, Token-Ring, PPP). Beside it, stacks deployed in practice: HTTP over SSL over TCP over IP over Ethernet, and a DirectAccess-style stack that layers HTTP, SSL, TCP and IPv6 over IPsec, UDP and Teredo; SCTP, DCCP, DTLS, IPv6 and IPsec appear as further building blocks.]
[Slide 3]
Future: Ever More Layers/Combinations?
[Figure: three emerging layerings, each drawn as Application / ... / Network / Link. Multi-Streaming Transports (SCTP [rfc4960], SST [SIGCOMM'07]): Application over several Streams over one Channel. Multipath Transports (SCTP [rfc4960], MPTCP [WIP]): Application over a Multipath Transport over several Subflows. Further Decomposition [“Breaking Up the Transport Logjam”, HotNets'08]: Application over Endpoint, Flow, Semantic and Isolation layers.]
[Slide 4]
The Negotiation Problem
Decisions, decisions!
[Figure: alternatives at every layer for two example stacks. Web: Application HTTP; Transport Security SSL; Transport TCP or SCTP; Network IPv4 or IPv6. VoIP: Application SIP or IAX; Transport Security DTLS; Transport UDP or DCCP; Network IPv4 or IPv6.]
[Slide 5]
Compatibility and Preference
Which combinations do both endpoints support?
Which combinations do they prefer?
[Figure: Host A and Host B are each drawn with the VoIP alternatives (IPv4/IPv6, UDP/DCCP, DTLS, SIP/IAX) and a “?” between them.]
[Slide 6]
Talk Outline
● Background and Alternatives
● A Model for Negotiation
● Negotiation Transport Protocol
● Discussion, Conclusion
[Slide 7]
Background and Alternatives
[Slide 8]
Approach 0: Name Encoding [draft-wood-tae-specifying-uri-transports]
http:// means: HTTP over TCP over IP [rfc2616]
https:// means: HTTP over SSL over TCP over IP [rfc2818]
http++sctp:// means: HTTP over SCTP over IP
http++ssl++sctp:// means: HTTP over SSL over SCTP over IP (?)
[Slide 9]
Disadvantages of Name Encoding
Loss of Transparency
– User cares about application, not underlying stack... but is forced to see and care about underlying stack
– When underlying stack changes, URLs change/break
  ● redirectors proliferate between http:// and https:// spaces
Loss of Compatibility
– If user puts “http++sctp://...” link on a web page, legacy browsers break; cannot fall back to TCP
Where Do You Stop?
– “http++tls++tcp++ipv6++ethernet” ???
[Slide 10]
Approach 1: Try and Fall Back
[Figure: Host A sends SCTP INIT to Host B; Host B answers SCTP RST; only then does Host A send TCP INIT, which Host B answers with TCP ACK.]
[Slide 11]
Challenge 1: Controlling Delay
● Failures can incur timeouts (e.g., due to NATs)
● ...potentially compounded by layering
[Figure: Host A tries the VoIP alternatives (IPv4/IPv6, UDP/DCCP, DTLS, SIP/IAX) against Host B one after another; each failed attempt at each layer costs one or more timeouts.]
[Slide 12]
Approach 2: Try in Parallel
[Figure: Host A sends SCTP INIT and TCP INIT to Host B at the same time; Host B answers SCTP RST and TCP ACK.]
[Slide 13]
Challenge 2a: Redundant State
[Figure: Host A sends SCTP INIT and TCP INIT in parallel; Host B answers SCTP ACK and TCP ACK, so both hosts now hold state for two connections where one was wanted.]
![Page 14: Efficient Cross-Layer Negotiation · Application HTTP FTP DNS RTP Transport SSL Security Transport TCP UDP IPsec Network ... Application Endpoint Flow Semantic Isolation Further Decomposition](https://reader033.vdocument.in/reader033/viewer/2022042418/5f349274f8135f12d80896c9/html5/thumbnails/14.jpg)
SIPUDPIPv4
SIP
UDPIPv4
DTLS IAXUDPIPv4
IAX
UDPIPv4
DTLS
SIPDCCPIPv4
SIP
DCCPIPv4
DTLS IAXDCCPIPv4
IAX
DCCPIPv4
DTLS
SIPUDPIPv6
SIP
UDPIPv6
DTLS IAXUDPIPv6
IAX
UDPIPv6
DTLS
SIPDCCPIPv6
SIP
DCCPIPv6
DTLS IAXDCCPIPv6
IAX
DCCPIPv6
DTLS
Challenge 2b: Combinations
Layering can lead to explosion of choices
IPv4 IPv6
UDP DCCP
DTLS
SIP IAX
Host A
Host B
[Slide 15]
Approach 3: Out-of-Band Information
[Figure: Host A sends a “DNS++ Req” for Host B to a DNS Server and receives a “DNS++ Reply” that, besides the address, says which of the alternatives (IPv4/IPv6, UDP/DCCP, DTLS, SIP/IAX) Host B supports, e.g. SIP over DTLS over DCCP over IPv6.]
[Slide 16]
Challenge 3a: Administration
“Dynamic DNS++”? (Host B keeping its DNS Server up to date)
DNS server must know:
● Name→IP mapping (as before)
● Entire protocol stack supported by Host B
● Protocol options...?
⇒ Synchronization Nightmare?
[Slide 17]
Challenge 3b: E2E Robustness
If endpoints agree on configuration X, will it work?
[Figure: Host A and Host B each support IPv4/IPv6, UDP/DCCP, DTLS and SIP/IAX, but a Middlebox on the path between them has its own Network and Transport support (IPv4/IPv6, UDP/DCCP), which an out-of-band agreement between the endpoints never checks.]
[Slide 18]
Our Solution: Negotiation
● Hosts explicitly describe possible configurations during initial “meta-communication” exchange, before actual communication commences
[Figure: Host A and Host B each announce “Hi, I speak: IPv4/IPv6, UDP/DCCP, DTLS, SIP/IAX”.]
[Slide 19]
A Model for Negotiation
[Slide 20]
Negotiation Model Overview
1. Initiator sends a Protocol Graph Proposal
2. Responder returns Revised Protocol Graph
3. (Optional) further protocol graph revision steps
4. Peers commit, Acknowledge Protocol Graph
5. Peers communicate via negotiated protocols
[Slide 21]
Message 1: Initiator → Responder: Propose Protocol Graph
[Figure: Negotiation Message 1 from Host A to Host B carries a protocol graph: goal (SIP) with options opt1/opt2 at the top; below it the alternatives TLS or DTLS and TCP or DCCP, each with options opt1/opt2; base (IP) at the bottom.]
[Slide 22]
Message 2: Responder → Initiator: Revise Protocol Graph
[Figure: Negotiation Message 2 from Host B to Host A returns the graph (goal (SIP), TLS/DTLS and TCP/DCCP with their opt1/opt2 options, base (IP)) after the responder's revision.]
[Slide 23]
Message 3: Initiator → Responder: Acknowledge Protocol Graph
[Figure: Negotiation Message 3 from Host A to Host B carries a single path through the graph: goal (SIP) over TLS over TCP over base (IP), with one option chosen at each level (opt1 and opt2 in the figure).]
[Slide 24]
Message 4+: According to Negotiated Stack
[Figure: Host A and Host B exchange Normal Packets over the negotiated stack SIP / TLS / TCP.]
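The three-message exchange above (propose, revise, acknowledge), worked through as an added example; this is not the Tng project's code. The `Node` structure, the `revise`, `acknowledge`, `path_in_graph` and `negotiate` functions, the option names and the responder's capability table are all constructed assumptions; in particular the example assumes the responder only prunes what it cannot run and the initiator's preference order then decides. The `path_in_graph` check on the responder side is the caveat a practitioner would add: a peer must not be able to commit to a stack that was never offered.

```python
"""Protocol-graph negotiation as a local simulation of the three-message exchange
(propose -> revise -> acknowledge).  Added example; not code from the Tng project."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One graph node: a protocol, its options (most preferred first) and the
    alternative nodes it may run on top of (most preferred first).  A node with
    no children is the base protocol."""
    proto: str
    options: tuple = ()
    children: tuple = ()


# Message 1, constructed to mirror the slide: goal SIP, alternatives TLS/TCP or
# DTLS/DCCP, base IP.  Protocol names come from the talk; option names are placeholders.
IP = Node("IP")
TCP = Node("TCP", children=(IP,))
DCCP = Node("DCCP", children=(IP,))
TLS = Node("TLS", ("opt1", "opt2"), (TCP,))
DTLS = Node("DTLS", ("opt1", "opt2"), (DCCP,))
PROPOSAL = Node("SIP", ("opt1", "opt2"), (TLS, DTLS))

# Responder capabilities (constructed): protocol -> set of options it supports.
# TCP is deliberately absent, so the TLS branch must go even though TLS itself is supported.
RESPONDER_SUPPORT = {"SIP": {"opt2"}, "TLS": {"opt1", "opt2"},
                     "DTLS": {"opt1"}, "DCCP": set(), "IP": set()}


def revise(node, support):
    """Message 2: the responder prunes every protocol, option and branch it cannot
    run.  Returns the surviving subgraph, or None if no path to the base survives."""
    if node.proto not in support:
        return None
    opts = tuple(o for o in node.options if o in support[node.proto])
    if node.options and not opts:
        return None                      # an option is required and none is common
    if not node.children:
        return Node(node.proto, opts)    # base protocol
    kids = tuple(k for k in (revise(c, support) for c in node.children) if k is not None)
    if not kids:
        return None                      # supported here, but nothing viable underneath
    return Node(node.proto, opts, kids)


def acknowledge(node):
    """Message 3: the initiator commits to the most preferred complete path of
    the revised graph, as a top-down list of (protocol, option or None)."""
    layer = (node.proto, node.options[0] if node.options else None)
    return [layer] + (acknowledge(node.children[0]) if node.children else [])


def path_in_graph(node, path):
    """Responder-side check before committing: the acknowledged stack must be a
    path the revised graph actually offered, layer by layer down to the base.
    Anything else is rejected rather than silently accepted."""
    if not path or path[0][0] != node.proto:
        return False
    opt = path[0][1]
    if opt is None:
        if node.options:
            return False
    elif opt not in node.options:
        return False
    if len(path) == 1:
        return not node.children
    return any(path_in_graph(c, path[1:]) for c in node.children)


def negotiate(proposal, support):
    """Run the exchange locally; returns the agreed stack, or None when the peers
    share no complete configuration."""
    revised = revise(proposal, support)
    if revised is None:
        return None
    ack = acknowledge(revised)
    if not path_in_graph(revised, ack):
        raise ValueError("acknowledged stack was not offered")
    return ack


if __name__ == "__main__":
    print(negotiate(PROPOSAL, RESPONDER_SUPPORT))
    # -> [('SIP', 'opt2'), ('DTLS', 'opt1'), ('DCCP', None), ('IP', None)]
```

Because `revise` drops a node whenever nothing viable remains beneath it, the initiator can read its most preferred surviving branch straight off the revised graph without re-checking lower layers, which is what keeps the exchange to a fixed number of round trips regardless of stack depth.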
[Slide 25]
Concurrent Protocol Initialization
Whenever feasible:
● embed protocol-specific handshake info into graph
● run handshakes concurrently while negotiating
● commit only negotiated configuration atomically
[Figure: Host A to Host B, message 1: the graph over IP, with the TCP/DCCP nodes carrying an INIT Request, the TLS/DTLS nodes a ClientHello, and the SIP node a REGISTER. Host B to Host A, message 2: the TCP/DCCP nodes carry an INIT-ACK Reply, the TLS/DTLS nodes a ServerHello, and the SIP node a 200 OK.]
[Slide 26]
Key Benefits of Negotiation Model
● Supports backward-compatible evolution
– New smart nodes can fall back on old dumb protocols
● Happens strictly between nodes concerned
– Users don't have to care (e.g., between http: & https:)
– Name server administrators don't have to care
● Protocol graph representation scales to handle:
– Arbitrarily deep protocol stacks
– Many alternatives per layer
● Setup whole “layer cakes” in minimal # of RTTs
– Regardless of protocol stack depth
[Slide 27]
Further Challenges & Extensions (see paper)
● Multi-Round Negotiation
– due to dependencies, hiding of alternatives, graph size
● Negotiation Across Multiple Contexts
– IPv4 vs IPv6, new protocol vs legacy, UDP encapsulation
● Recursive Negotiation
– negotiate “crypto wrapper” and “contents” concurrently
● Peer-to-Peer Negotiation
– symmetric peers must converge on a configuration
[Slide 28]
Negotiation Transport Protocol
[Slide 29]
How to Express Protocol Graphs?
[Figure: Negotiation Message Structure. A Negotiation Message is a sequence of nodes: Node #1, Node #2, ..., Node #n. Each Node Description contains: Options Length; Num Children; Child 1 Node ID, Child 2 Node ID, ..., Child m Node ID; Negotiation Options (variable); Protocol-Specific Data (variable).]
[Slide 30]
How to Convey Protocol Graphs?
Negotiation messages might be big:
– Many layers × many alternatives for each to describe
– Embedded protocol-specific data: crypto keys, etc.
Individual graph nodes may be large or small
– Segment large nodes, aggregate small ones into packets
Receiver probably wants only specific nodes
– Efficiently ignore/drop anything it doesn't understand
⇒ Specialized Negotiation Transport Protocol
[Slide 31]
Negotiation Transport: Packet Structure
[Figure: a Negotiation Transport Packet is a Fixed Header followed by Chunk #1, Chunk #2, ..., Chunk #n.]
Fixed header + multiple chunks [SCTP], each describing a different graph node
[Slide 32]
Negotiation Transport: Transport Header
[Figure: fields of the Transport Header: Negotiation Protocol Magic Cookie; Negotiation Transaction ID; Step Number; Msg Type; Transmit Seq; Ack Seq; AckCt.]
Negotiation packet sequencing permits individual packet ack/retransmit [SST]
[Slide 33]
Negotiation Transport: Transport Chunk
[Figure: fields of a Transport Chunk: Node ID; Protocol ID; Chunk Length; Chunk Payload (variable).]
Each chunk describes [part of] a graph node
● Receiver can ack & discard all chunks for unknown protocols without storing any
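The packet, header and chunk layouts of the last three slides, as an added example of a sender and a length-checked receiver; this is not the Tng wire format or the project's code. The field widths, the magic cookie value, the maximum packet size, the protocol IDs in the sample packet and the reading of Ack Seq/AckCt as "highest sequence received plus the length of the consecutive run below it" are all constructed assumptions. What the example shows is the point of the slide: the receiver acknowledges every chunk it receives but allocates storage only for chunks whose Protocol ID it knows, and it never trusts a Chunk Length it has not checked against the bytes actually present.

```python
"""Negotiation transport packet: fixed header + chunks, parsed by a receiver that
acknowledges every chunk but stores only chunks for protocols it knows.
Added example; field widths, cookie value and protocol IDs are constructed."""
import struct

MAGIC = b"TNG?"                      # constructed placeholder for the Negotiation Protocol Magic Cookie
HEADER = struct.Struct("!4sIBBHII")  # magic, transaction id, step number, msg type, ack count, transmit seq, ack seq
CHUNK = struct.Struct("!HHH")        # node id, protocol id, chunk length (payload bytes only, by assumption)
MAX_PACKET = 1500                    # constructed bound on what the receiver is willing to parse


def build_packet(txn, step, msg_type, tx_seq, ack_seq, ack_ct, chunks):
    """Sender side: a fixed header followed by (node_id, proto_id, payload) chunks."""
    body = b"".join(CHUNK.pack(node, proto, len(payload)) + payload
                    for node, proto, payload in chunks)
    return HEADER.pack(MAGIC, txn, step, msg_type, ack_ct, tx_seq, ack_seq) + body


def parse_packet(data, known_protocols):
    """Receiver side.  Returns (header, kept_chunks, dropped_count).
    Every length is checked against the bytes actually present before it is used;
    chunks for unknown protocol IDs are counted (so they can be acked) but never stored."""
    if len(data) > MAX_PACKET:
        raise ValueError("packet exceeds maximum size")
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    magic, txn, step, msg_type, ack_ct, tx_seq, ack_seq = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise ValueError("bad magic cookie")
    header = {"txn": txn, "step": step, "msg_type": msg_type,
              "ack_ct": ack_ct, "tx_seq": tx_seq, "ack_seq": ack_seq}
    kept, dropped, off = [], 0, HEADER.size
    while off < len(data):
        if len(data) - off < CHUNK.size:
            raise ValueError("truncated chunk header at offset %d" % off)
        node, proto, length = CHUNK.unpack_from(data, off)
        off += CHUNK.size
        if length > len(data) - off:
            raise ValueError("chunk length %d runs past end of packet" % length)
        if proto in known_protocols:
            kept.append((node, proto, bytes(data[off:off + length])))
        else:
            dropped += 1            # covered by the packet-level ack, but not copied anywhere
        off += length
    return header, kept, dropped


def ack_fields(received_seqs):
    """(ack_seq, ack_ct) for the next outgoing header, under the assumed SST-style
    reading: the highest transmit seq seen and how many consecutive packets ending
    there have arrived.  A gap below the run is what triggers retransmission."""
    if not received_seqs:
        return 0, 0
    top = max(received_seqs)
    count = 0
    while top - count in received_seqs:
        count += 1
    return top, count


if __name__ == "__main__":
    # Constructed sample: three chunks, the middle one for a protocol ID we do not know.
    pkt = build_packet(7, 1, 1, 100, 0, 0,
                       [(1, 0x0001, b"SIP"), (2, 0x7FFF, b"mystery"), (3, 0x0002, b"TLS hello")])
    print(parse_packet(pkt, {0x0001, 0x0002}))
    print(ack_fields({1, 2, 3, 5, 6}))   # -> (6, 2): 4 is missing, so only 5 and 6 form the run
```

A truncated or malformed chunk raises before any payload is copied, and a chunk for an unknown protocol costs the receiver nothing but a counter, which is the memory property the slide relies on when a peer sends a large graph full of nodes the receiver does not implement.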
[Slide 34]
Not needed
Let negotiated protocol worry about:
● Connection state machines
● Application-friendly semantics (e.g., streams)
● Flow control
● Congestion control (beyond slow-start)
● ...
[Slide 35]
Discussion, Conclusion
[Slide 36]
What Doesn't (Really) Work
● Encoding protocol stacks in names
– Non-transparent to user; compatibility hell
● Try alternatives serially & fall back
– Delay/timeout hell
● Probe alternatives in parallel
– Redundant protocol instances; combinatorial hell
● Encode alternatives in DNS responses
– Not end-to-end robust; administrative hell
[Slide 37]
What Might Work
Explicit In-Band Negotiation:
● Get user & third parties out of the loop
● Describe alternatives in compact protocol graphs
● Handshake deep layer cakes concurrently
● Receiver stores only what he understands & wants
“Tng: Transport Next Generation” project
http://bford.info/tng/
Support: NSF FIND grants CNS-0916678 and CNS-0916413