TCP for today’s Web
Connections today
• Web-page > 300KB
• but objects are small (7.5KB - 2.4KB) [25]
• lots of small objects in a page.
Implication: TCP Handshake == 10%-30% penalty
Add data into Handshake
SYN-Flag
SYN/ACK-Flag
ACK-Flag+Data
Let’s talk
How about HTTP1.1
• What is HTTP1.1
– Persistent keep-alive
– Re-use old connections, so no more TCP handshakes
• But …
– browser tries to be fast: opens multiple TCP connections (limits reuse)
– Domain sharding -- place resources on different domains to further increase parallelism (so forced to use different connections).
– Middleboxes terminate idle connections to reduce state --> so persistent connections are no longer persistent.
– mobile devices shut down connections to conserve power
Status of HTTP1.1
• 92% of connections use HTTP1.1
– But the handshake still has 5-7% overhead in general
– For the first use of a connection, overhead is 8-27%
• Chrome always uses HTTP1.1
– But 33% of connections use a new TCP connection
New Security Attacks
SYN-Flag+ Data
SYN/ACK-Flag+ Data
ACK-Flag+Data
New Attacks: SYN Flood
SYN-Flag+ Data
Make up a false IP address; send a bunch of SYN packets with data.
Server does a lot of processing and gets overloaded.
Note: Since you used a fake address, the responses from the server don’t come to you, so you don’t maintain state or devote resources.
New Attacks: Reflection
SYN-Flag+ Data
Use host B’s IP as source; send a bunch of SYN packets with data.
Note: Every server responds to host B with a flood of packets. Host B gets attacked. Once again you don’t devote any resources on your machine to the attack. And since the response is larger than SYN-flag+data, it is better than attacking directly.
Attack Model
• Attacks work because:
– Attacker can spoof SRC IPs.
• To prevent this:
– TFO adds a cookie to the protocol
– Client must include the cookie in the handshake
– The cookie is an encrypted version of the source IP
• Source IP is encrypted with the server’s private key
• Server decrypts the cookie and compares
System Assumptions
Acceptable Changes:
• 1. symmetric crypto – (can be done in the fast path) but no asymmetric.
• 2. soft state – (can't keep permanent state -- scale issues)
• 3. minor App changes – don’t want to prevent adoption
Add Cookie to the First Handshake
SYN-Flag+TFO-Option
SYN/ACK-Flag+ Cookie
ACK-Flag+Data
Let’s use TFO
Here’s a cookie for next time
Second Connection to Same server benefits
SYN-Flag+Cookie+Data
SYN/ACK-Flag+ Data
ACK-Flag+Data
We are using TFO: here’s a cookie for proof.
Second Connection to Same server benefits
SYN-Flag+Cookie+Data
SYN/ACK-Flag
ACK-Flag+Data
Attacks Revisited
• Reflection
– To get a cookie, must compromise the host or network
• If you can, then you don’t need reflection
• SYN Flood
– We limit the number of TFO connections
– So the server is still always willing to accept regular TCP connections
Deployment Issues
• Middleboxes are HORRIBLE
– They drop new TCP options
– NAT changes IP addresses so cookies can’t work
Deployment Issues: Load Balancers
LoadBalancer
All servers need to share the same key so TFO can work. So, you may need to also change the keys more frequently.
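As an added example (not from the slides), the cookie model from the Attack Model, Attacks Revisited and Load Balancers slides in Python: the cookie is bound to the client's source IP under a server-side symmetric key, a cookie copied from host B fails from any other address, the number of pending TFO connections is capped so regular TCP is always accepted, and a shared key can be rotated while one previous key stays valid. Names such as TfoServer and handle_syn are hypothetical; the slides say the IP is encrypted, and here a keyed HMAC stands in as the symmetric primitive because the standard library has no block cipher.

```python
import hashlib
import hmac
import ipaddress

COOKIE_LEN = 8  # bytes; RFC 7413 allows 4..16-byte cookies


class TfoServer:
    """Hypothetical server-side TFO cookie logic: symmetric crypto, soft state only."""

    def __init__(self, key, max_pending_tfo=2):
        self.keys = [key]                  # keys[0] is current; older keys still accepted
        self.max_pending_tfo = max_pending_tfo
        self.pending_tfo = 0               # SYN+data accepted, handshake not yet completed

    def rotate_key(self, new_key):
        # Keep exactly one previous key so cookies issued just before rotation still verify.
        # Every server behind a load balancer must see the same key list.
        self.keys = [new_key, self.keys[0]]

    def _cookie(self, key, src_ip):
        # The slide calls this "encrypting the source IP"; a keyed MAC over the packed
        # address stands in for the block cipher here (assumption, stdlib only).
        packed = ipaddress.ip_address(src_ip).packed
        return hmac.new(key, packed, hashlib.sha256).digest()[:COOKIE_LEN]

    def issue_cookie(self, src_ip):
        return self._cookie(self.keys[0], src_ip)

    def cookie_valid(self, src_ip, cookie):
        # Constant-time compare; a cookie copied from host B fails because src_ip differs.
        return any(hmac.compare_digest(self._cookie(k, src_ip), cookie) for k in self.keys)

    def handle_syn(self, src_ip, cookie=None, data=b""):
        """Return (action, accepted_data) for an incoming SYN."""
        if cookie is None:
            return "syn_ack_with_cookie", b""     # first contact: regular 3WHS, hand out cookie
        if not self.cookie_valid(src_ip, cookie):
            return "syn_ack_regular", b""         # bad/spoofed cookie: ignore data, plain 3WHS
        if self.pending_tfo >= self.max_pending_tfo:
            return "syn_ack_regular", b""         # TFO queue full: fall back, never refuse TCP
        self.pending_tfo += 1
        return "syn_ack_accept_data", data

    def handshake_complete(self):
        self.pending_tfo = max(0, self.pending_tfo - 1)  # soft state released on final ACK
```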
Lessons
• A webpage === lots of small objects
– Harder to ameliorate overheads
• TCP Handshake overhead
• 2 RTT Loss detection
• Most common loss pattern in WAN
– Last packet in small connection
– Use redundancy (FEC) to overcome this.
• Eliminate Handshake overhead
– Send packets during the handshake
– Insert secret cookie in handshake to eliminate attacks