A path layer for the Internet: Enabling network operations on encrypted protocols

M. Kühlewind, Tobias Bühler, B. Trammell, S. Neuhaus, Roman Muntener, G. Fairhurst
2017 13th International Conference on Network and Service Management (CNSM), published 2017-11-01. DOI: 10.23919/CNSM.2017.8255973 (https://doi.org/10.23919/CNSM.2017.8255973). Citation count: 10.

Abstract

The deployment of encrypted transport protocols imposes new challenges for network operations. Key in-network functions such as those implemented by firewalls and passive measurement devices currently rely on information exposed by the transport layer. Encryption, in addition to improving privacy, helps to address ossification of network protocols caused by middleboxes that assume certain information to be present in the clear. However, “encrypting it all” risks diminishing the utility of these middleboxes for the traffic management tasks for which they were designed. A middlebox cannot use what it cannot see. We propose an architectural solution to this issue, by introducing a new “path layer” for transport-independent, in-band signaling between Internet endpoints and network elements on the paths between them, and using this layer to reinforce the boundary between the hop-by-hop network layer and the end-to-end transport layer. We define a path layer header on top of UDP to provide a common wire image for new, encrypted transports. This path layer header provides information to a transport-independent on-path state machine that replaces stateful handling currently based on exposed header flags and fields in TCP; it enables explicit measurability of transport layer performance; and offers extensibility by sender-to-path and path-to-receiver communications for diagnostics and management. This provides not only a replacement for signals that are not available with encrypted traffic, but also allows integrity-protected, enhanced signaling under endpoint control. We present an implementation of this wire image integrated with the QUIC protocol, as well as a basic stateful middlebox built on Vector Packet Processing (VPP) provided by FD.io.