An Untold Story of Middleboxes in Cellular Networks

Zhaoguang Wang1

Zhiyun Qian1, Qiang Xu1, Z. Morley Mao1, Ming Zhang2

1University of Michigan 2Microsoft Research

Background on cellular network

2

Internet Cellular Core Network

An untold story of middleboxes in cellular networks 8/18/2011

Why carriers deploy middleboxes?

3

Internet Cellular Core Network

Private IP Public IP

IP address

An untold story of middleboxes in cellular networks 8/18/2011

Problems with middleboxes

4

Internet Cellular Core Network

An untold story of middleboxes in cellular networks 8/18/2011

Policies ?

Application performance

?

P2P ?

Smartphone energy cost

?

Challenges and solutions

• Policies can be complex and proprietary

√ Design a suite of end-to-end probes

• Cellular carriers are diverse

√ Publicly available client Android app

• Implications of policies are not obvious

√ Conduct controlled experiments

5 An untold story of middleboxes in cellular networks 8/18/2011

Related work

• Internet middleboxes study

– [Allman, IMC 03], [Medina, IMC 04]

• NAT characterization and traversal

– STUN[MacDonald et al.], [Guha and Francis, IMC 05]

• Cellular network security

– [Serror et al., WiSe 06], [Traynor et al., Usenix Security 07]

• Cellular data network measurement

– WindRider, [Huang et al., MobiSys 10]

6 An untold story of middleboxes in cellular networks 8/18/2011

Goals

• Develop a tool that accurately infers the NAT and firewall policies in cellular networks

• Understand the impact and implications

– Application performance

– Energy consumption

– Network security

7 An untold story of middleboxes in cellular networks 8/18/2011

The NetPiculet measurement system

8

Internet Cellular Core Network

NetPiculet Server

NetPiculet Client

NetPiculet Client

NetPiculet Client

NetPiculet Client

Policies…

An untold story of middleboxes in cellular networks 8/18/2011

Target policies in NetPiculet

9

Firewall

IP spoofing

TCP connection timeout

Out-of-order packet buffering

NAT

NAT mapping type

Endpoint filtering

TCP state tracking

Filtering response

Packet mangling

An untold story of middleboxes in cellular networks 8/18/2011

Target policies in NetPiculet

10

Firewall

IP spoofing

TCP connection timeout

Out-of-order packet buffering

NAT

NAT mapping type

Endpoint filtering

TCP state tracking

Filtering response

Packet mangling

An untold story of middleboxes in cellular networks 8/18/2011

Key findings

8/18/2011 An untold story of middleboxes in cellular networks 11

Firewall

Some carriers allow IP spoofing Create network vulnerability

Some carriers time out idle connections aggressively Drain batteries of smartphones

Some firewalls buffer out-of-order packet Degrade TCP performance

NAT One NAT mapping linearly increases port # with time Classified as random in previous work

Diverse carriers studied

• NetPiculet released in Jan. 2011

– 393 users from 107 cellular carriers in two weeks

12 An untold story of middleboxes in cellular networks 8/18/2011

91%

9%

UMTS

EVDO

43%

24%

19%

10%

2% 2%

Europe

Asia

North America

South America

Australia

Africa

Technology Continent

Outline

13

1 • IP spoofing

2 • TCP connection timeout

3 • TCP out-of-order buffering

4 •NAT mapping

An untold story of middleboxes in cellular networks 8/18/2011

Outline

14

1 • IP spoofing

2 • TCP connection timeout

3 • TCP out-of-order buffering

4 •NAT mapping

An untold story of middleboxes in cellular networks 8/18/2011

Why allowing IP spoofing is bad?

15

Internet Cellular Core Network

10.9.9.101

10.9.9.202

SRC_IP = 10.9.9.101 …

DST_IP = 10.9.9.101 …

DST_IP = 10.9.9.101 …

DST_IP = 10.9.9.101 …

DST_IP = 10.9.9.101 …

An untold story of middleboxes in cellular networks 8/18/2011

Test whether IP spoofing is allowed

8/18/2011 An untold story of middleboxes in cellular networks 16

Internet Cellular Core Network

NetPiculet Server

NetPiculet Client

Allow IP spoofing!

10.9.9.101

SRC_IP = 10.9.9.202 PAYLOAD = 10.9.9.101

4 out of 60 carriers allow IP spoofing

17 An untold story of middleboxes in cellular networks 8/18/2011

7%

93%

Allow

Disallow

IP spoofing should be disabled

Outline

18

1 • IP spoofing

2 • TCP connection timeout

3 • TCP out-of-order buffering

4 •NAT mapping

An untold story of middleboxes in cellular networks 8/18/2011

Why short TCP timeout timers are bad?

19

Internet Cellular Core Network

KEEP-ALIVE KEEP-ALIVE KEEP-ALIVE Terminate Idle TCP Connection

An untold story of middleboxes in cellular networks 8/18/2011

5min < Timer

Measure the TCP timeout timer

8/18/2011 An untold story of middleboxes in cellular networks 20

Internet Cellular Core Network

NetPiculet Server

NetPiculet Client

5min < Timer <

10min

Time = 0 Time = 5 min Time = 10 min

Is alive?

Yes!

Is alive?

Short timers identified in a few carriers

< 5 min 5%

5 - 10 min 10%

10 -20 min 8%

20 - 30 min 11%

> 30 min 66%

21

4 carriers set timers less than 5 minutes

An untold story of middleboxes in cellular networks 8/18/2011

Short timers drain your batteries

• Assume a long-lived TCP connection, a battery of 1350mAh

• How much battery on keep-alive messages in one day?

22

20%

5 min

An untold story of middleboxes in cellular networks 8/18/2011

Outline

23

1 • IP spoofing

2 • TCP connection timeout

3 • TCP out-of-order buffering

4 •NAT mapping

An untold story of middleboxes in cellular networks 8/18/2011

TCP out-of-order packet buffering

8/18/2011 An untold story of middleboxes in cellular networks 24

Internet Cellular Core Network

NetPiculet Server

NetPiculet Client

Buffering out-of-order

packets

Packet 1 Packet 2 Packet 3 Packet 4 Packet 5 Packet 6

Fast Retransmit cannot be triggered

25

1 2

Degrade TCP performance!

An untold story of middleboxes in cellular networks 8/18/2011

RTO

TCP performance degradation

• Evaluation methodology – Emulate 3G environment using WiFi

– 400 ms RTT, loss rate 1%

26

+44%

Longer downloading

time

More energy consumption

8/18/2011

Outline

27

1 • IP spoofing

2 • TCP connection timeout

3 • TCP out-of-order buffering

4 •NAT mapping

An untold story of middleboxes in cellular networks 8/18/2011

NAT mapping is critical for NAT traversal

28

A B

NAT 1 NAT 2 An untold story of middleboxes in cellular networks 8/18/2011

Use NAT mapping type for port prediction P2P

What is NAT mapping type?

• NAT mapping type defines how the NAT assign external port to each connection

29 An untold story of middleboxes in cellular networks 8/18/2011

NAT

12 TCP connections

…

Behavior of a new NAT mapping type

30 An untold story of middleboxes in cellular networks 8/18/2011

• Creates TCP connections to the server with random intervals

• Record the observed source port on server

Treated as random by existing traversal techniques Thus impossible to predict port

NOT random! Port prediction is feasible

Lessons learned

8/18/2011 An untold story of middleboxes in cellular networks 31

Firewall

IP spoofing creates security vulnerability IP spoofing should be disabled

Small TCP timeout timers waste user device energy Timer should be longer than 30 minutes

Out-of-order packet buffering hurts TCP performance Consider interaction with application carefully

NAT One NAT mapping linearly increases port # with time Port prediction is feasible

Conclusion

• We built NetPiculet, a tool that can accurately infer NAT and firewall policies in the cellular networks

• NetPiculet has been wildly deployed in hundreds of carriers around the world

• We demonstrated the negative impact of the network policies and make improvement suggestions

32 An untold story of middleboxes in cellular networks 8/18/2011

33 An untold story of middleboxes in cellular networks 8/18/2011

zgw@umich.edu

http://mobiperf.com