Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for...
-
Upload
morris-abner-fox -
Category
Documents
-
view
215 -
download
0
Transcript of Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for...
![Page 1: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/1.jpg)
Connection Migration: Why & How
Hari BalakrishnanNetworks and Mobile Systems Group
MIT Lab for Computer Science
http://nms.lcs.mit.edu/
Joint work with Alex Snoeren & Dave Andersen
![Page 2: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/2.jpg)
Anatomy of a connection
• Connection defined by IPA:PortA IPB:PortB
• An IP address does not identify a host; it only identifies a network interface
• Is this a good definition of a connection?
Some socket onbreeze.lcs.mit.edu
www.cnn.com’sHTTP service (port)
18.31.0.83:5678 207.25.71.23:80
![Page 3: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/3.jpg)
Problem #1: Host mobility
• Cerf’s comment from DoD Internet paper:“If a host were to move, its network (and host) addresses would change and this would affect the connection identifiers used by the TCP. This is rather like a problem called "dynamic reconnection" which has plagued network designers since the inception of the ARPANET project in 1968.”
• Two options today for connections: Terminate and retry Somehow preserve IP address and continue
• “Horizontal” mobility isn’t quite enough...
![Page 4: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/4.jpg)
Vertical mobility: Seamless inter-provider movement
In-building & In-room
Campus-Area Packet Radio
Metro-Area
Regional-Area/”wireless cable”
![Page 5: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/5.jpg)
Problem #2: Unreliable components
• What happens to a bound connection on failure or unresponsiveness?
cnn.com
• Individual components rather unreliable
• Replicate for improved reliability and availability
![Page 6: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/6.jpg)
Possible solutions
• 1. Force constant IP address for end-point Mobile IP Layer-N switches with “Virtual IPs”
• 2. Make names routable All packets identify destination by name, which
serves as routing identifier Intentional naming (late binding), TRIAD
• 3. In-band migration Don’t confound end-point and routing identifiers!
![Page 7: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/7.jpg)
Home AgentIntercepts
pkts
Address constancy: Mobile IP
Foreign Agent (FA)
Mobile Host
Correspondent Hosts
Temporary address dtmp
changes with mobility
D
“Tunnel” to FA
D
dFA
“Detunnel” to Don addr dtmp
D
D
![Page 8: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/8.jpg)
Why Mobile IP isn’t right
• Requires additional network support and infrastructure (HA, FA, authentication,…)
• Triangle routing even for “local” interactions
• Many types of mobile applications Connections that don’t care for seamlessness Connection initiators Both initiators and responders
• Ingress filtering reverse tunneling too!
• Vertical mobility can’t be properly handled
• Applications can’t be made aware of mobility
![Page 9: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/9.jpg)
Address constancy: Layer-N switching
Client
But we want: Global distribution
With work can solve: Local distribution
![Page 10: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/10.jpg)
Name-based routing (example)
[service = camera][building = NE43
[room = 510]]
[service = camera][building = NE43
[room = 510]]
Intentional name
Late binding: integrate resolution and message routingLate binding: integrate resolution and message routing
image
Lookup
Intentional name resolvers
form an overlay network
![Page 11: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/11.jpg)
What should a connection be?
• Between communicating applications, not network interfaces
• Should be possible for an application to easily change network interface of connection: While preserving good unicast routes Securely
• Should not require a priori knowledge of valid network interfaces
• Dynamism should not affect semantics or correctness, nor worsen reliability
If done right, can solve both problems at once!
![Page 12: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/12.jpg)
Migrate overview
Name server
Migrating Hostfoo.bar.edu
Location Query(DNS Lookup)
Connection Initiation
Location Update(Dynamic DNS Update)
Connection Migration
xxx.xxx.xxx.xxxyyy.yyy.yyy.yyy
FixedHost
![Page 13: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/13.jpg)
Problems
• Consistency of name mapping
• Correctness Handling packet losses around time of movement What if someone else gets your old address?
• Security Connection hijacking Denial-of-service protection
• Semantics How to maintain semantics of connection sequence
across different nodes?
![Page 14: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/14.jpg)
Dynamic name mappings
• Zero TTL on A-records for migratable names
• Use Dynamic DNS (RFC 2136, 2137) for Internet names
• Potential problems: Race condition between name update and movement
• Simply retry! This isn’t a new failure mode What about old BIND implementations?
• Pray that they’ll vanish off the face of the earth What about extra DNS load?
• What load? Ask Akamai!
![Page 15: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/15.jpg)
Migrating a connection
• Initiate migration from new network address Identify previous connection with token, on SYN Secure token to protect against hijacking Requires some state machine changes to guarantee
correctness
• Preserves service model to application
• Handles “middle boxes” Works with most NATs, PEPs, stateful firewalls
• Requires changes to transport protocol Kernel TCP, SCTP, RTP (linked library)
![Page 16: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/16.jpg)
TCP ConnectionMigration
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data)
![Page 17: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/17.jpg)
TCP ConnectionMigration
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data)
![Page 18: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/18.jpg)
TCP ConnectionMigration
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data)
![Page 19: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/19.jpg)
Two correctness issues
• SYN uses 1 byte of sequence space; what should SYN ACK value be set to? Needed to correctly handle lost segments
• What if someone else gets your previous address? Peer TCP will reset connection
![Page 20: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/20.jpg)
Correctness: SYN ACK corresponds to data
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data)
![Page 21: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/21.jpg)
Modified TCP State Machine
MIGRATE_WAIT2MSL timeout
recv
: SY
N (
mig
rate
T, R
)se
nd: S
YN
, AC
K
recv:
RST
appl:
migrate
send:
SYN (migr
ate T, R
)recv: SYN (migrate T, R)
send: SYN, ACK
• 2 new transitions between existing states
- and -• 1 new state
handles potential race condition due to rapid readdressing
![Page 22: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/22.jpg)
Securing the Migration
• Problem: Increased vulnerability to hijacking Ingress filtering (RFC 2827) doesn’t help Attacker only needs token and sequence space
• Solution: Keep the token secret Negotiate it using Diffie-Hellman exchange (Elliptic-Curve
DH) Use sequence numbers to prevent replay Complete crypto exchange in SYN handshake
• Result: Connections are as secure as standard TCP Use IPsec or SSH for real security
![Page 23: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/23.jpg)
Semantics of multi-machine migration
• Sequence spaces across different machines may not have same application-layer semantics
7801-9000ACK 9000
![Page 24: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/24.jpg)
One solution: Soft-state synchronzation
• Technique for static content (e.g., file)
• Information about mapping between filename and TCP initial sequence periodically disseminated
7801-9000ACK 9000
HealthMonitor
foo.mp3 ISN = I Token = T caddr = Ca
cport = Cp
preload-tcb
![Page 25: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/25.jpg)
Implementation
• Use application-specific stream mapper to map between sequence space and app (e.g., HTTP range requests)
HTTP GET parser/creator
HTTP header parser/stripper
Data relay
Responsehandler
BackendHTTPserver
HTTP rangerequest
ResponseTo client
• Stream mapper involved in initial connection processing and in re-establishment
Clientrequest
![Page 26: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/26.jpg)
Experiment #1: Mobility
FixedBasestation
FixedServer
100Mbps Ethernet
MobileLocation 1
19.2KbpsModem
MobileLocation 2
19.2KbpsModem
…then moves to a new location
Mobile client initiates a transfer…
![Page 27: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/27.jpg)
Migration Trace
SYN/ACK
BufferedPackets
(old address)
Migrate SYN
![Page 28: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/28.jpg)
A Lossy Trace with SACK
SYN/ACK
Migrate SYN
BufferedPackets
(old address)
ACKw/SACK
![Page 29: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/29.jpg)
Experiment #2: Failover works!
0.000 cl.1065 > sA.8080: . ack 0505 win 31856
----> (Erroneous) sA death pronouncement issued
0.080 sA.8080 > cl.1065: P 0505:1953(1448) ack 1 win 31856
----> Successful connection migration to sB
0.095 sB.1033 > cl.1065: S 0:0(0) win 0 <migrate PRELOAD 1>
0.096 cl.1065 > sB.1033: S 0:0(0) ack 1953 win 32120
0.142 sB.1033 > cl.1065: . ack 1 win 32120
----> Continued data transmission from sA (Reset by client)
0.174 sA.8080 > cl.1065: P 0505:1953(1448) ack 1 win 31856
0.174 cl.1065 > sA.8080: R 1:1(0) win 0
----> Resumed data transmission from sB
0.241 sB.1033 > cl.1065: P 1953:3413(1460) ack 1 win 32120...
![Page 30: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/30.jpg)
Oscillations aren’t a problem
![Page 31: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/31.jpg)
Summary
• Host mobility and service failover are examples of the same fundamental problem: Connections must be between applications
• The Migrate architecture enables connections to be separated from, and move between, IP addresses
• Mobility & service failover are both really end-to-end issues!
• Got code?
![Page 32: Connection Migration: Why & How Hari Balakrishnan Networks and Mobile Systems Group MIT Lab for Computer Science Joint work with.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649e375503460f94b27967/html5/thumbnails/32.jpg)
Migrate code for Linux 2.2 available from:
http://nms.lcs.mit.edu/software/
Migrate project Web page:
http://nms.lcs.mit.edu/projects/migrate/
Networks and Mobile Systems