Migrate: An End-to-end Mobility Architecture for the NGI
-
Upload
telepresence -
Category
Documents
-
view
377 -
download
1
Transcript of Migrate: An End-to-end Mobility Architecture for the NGI
![Page 1: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/1.jpg)
Migrate: An End-to-end Mobility Architecture for the NGI
Hari BalakrishnanAlex Snoeren Jon Salz Dave Andersen
Frans Kaashoek
MIT Lab for Computer Sciencehttp://nms.lcs.mit.edu/
Networks and Mobile Systems
![Page 2: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/2.jpg)
iNAT Project: Motivation
• Increasing heterogeneity in the Internet Nodes: Mobiles, devices, sensors,... Links: Optical, wireless,... Services & applications: Web, telepresence,
streaming, remote device control
• Need a general solution for applications to deal with mobility and discover resources
• Need a general framework for learning about and adapting to changing network conditions
![Page 3: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/3.jpg)
iNAT Approach
• Intelligent naming and mobility Resource discovery: Intentional Naming System (INS) using
expressive names and self-configuring name resolver overlay network
Migrate: Secure connection migration + dynamic naming (this talk) Demo this evening: “vertical mobility” between 802.11 & Bluetooth
(Snoeren)
• Adaptive transmission End-system congestion management and adaptation framework
for the NGI Congestion Manager software and algorithms Demo this evening: Adaptive MPEG-4 delivery using CM & SR-
RTP protocol (Feamster & Goraczko)
![Page 4: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/4.jpg)
Migrate
• Mobility support for NGI• Goals
Handle moving nodes Handle “vertical mobility” across network technologies Handle moving applications (across hosts) Handle disconnections followed by reconnection (on-going;
Snoeren’s dissertation)
• End-to-end mobility system Architecture leverages dynamic DNS for host location Secure transport-later connection migration enables
separation of TCP connections from IP addresses
![Page 5: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/5.jpg)
Anatomy of a Connection
• Connection defined by IPA:PortAIPB:PortB
• An IP address does not identify a host; it only identifies a network interface
• Is this a good definition of a connection?
Some socket onnms.lcs.mit.edu
www.cnn.com’sHTTP service (port)
18.31.0.82:5678 207.25.71.23:80
![Page 6: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/6.jpg)
Problem: Host Mobility
• Cerf’s comment from DoD Internet paper:“If a host were to move, its network (and host) addresses would change and this would affect the connection identifiers used by the TCP. This is rather like a problem called "dynamic reconnection" which has plagued network designers since the inception of the ARPANET project in 1968.”
• Problem: Changing IP breaks TCP connections• Two options today for connections:
Terminate and retry Somehow preserve IP address and continue
• Another problem: “Horizontal” mobility isn’t quite enough...
![Page 7: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/7.jpg)
Vertical mobility: Seamless inter-network movement
In-building & In-room
Campus-Area Packet Radio
Metro-Area
Regional-AreaExample: cellular telephonyacross wide-area cellular,802.11 and BluetoothMotivations:• Energy• Capacity
![Page 8: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/8.jpg)
Possible solutions
1. Force constant IP address for end-point Mobile IP Layer-N switches with “Virtual IPs”
2. Make names routable All packets identify destination by name, which serves as
routing identifier INS approach (late binding), also in TRIAD
3. In-band migration Don’t confound end-point and routing identifiers! DNS name identifies end-point; IP address is routing ID
![Page 9: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/9.jpg)
Home AgentIntercepts
pkts
Address Constancy: Mobile IP
Foreign Agent (FA)
Mobile Host
Correspondent Hosts
Temporary address dtmp
changes with mobility
D
“Tunnel” to FA
D
dFA
“Detunnel” to Don addr dtmp
D
D
![Page 10: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/10.jpg)
The Case Against Mobile IP
• Requires additional network support and infrastructure (HA, FA, authentication,…)
• Triangle routing even for “local” interactions• Many types of mobile applications
Connections that don’t care for seamlessness Connection initiators Both initiators and responders
• Ingress filtering requires reverse tunneling too• Vertical mobility can’t be properly handled in
application-specific manner• Applications can’t be made aware of mobility
![Page 11: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/11.jpg)
What Should a Connection Be?
• Between communicating applications, not network interfaces
• Should be possible for an application to easily change network interface of connection: While preserving good unicast routes Securely
• Should not require a priori knowledge of valid network interfaces
• Dynamism should not affect semantics or correctness, nor worsen reliability (or performance)
![Page 12: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/12.jpg)
Migrate Overview
Name server
Migrating Hostfoo.bar.edu
Location Query(DNS Lookup)
Connection Initiation
Location Update(Dynamic DNS Update)
Connection MigrationSecured using Diffie-Hellman
exchange (with SYN exch)
xxx.xxx.xxx.xxxyyy.yyy.yyy.yyy
FixedHost
![Page 13: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/13.jpg)
Problems
• Consistency of name mapping
• Correctness Handling packet losses around time of movement What if someone else gets your old address?
• Security Connection hijacking Denial-of-service protection
• Semantics How to maintain semantics of connection sequence
across different nodes?
![Page 14: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/14.jpg)
Dynamic Name Mappings
• Zero TTL on A-records for migratable names• Use Dynamic DNS (RFC 2136, 2137) for Internet
names• Potential problems:
Race condition between name update and movement• Simply retry! This isn’t a new failure mode
What about extra DNS load?• Turns out low-TTL A-record appear not to affect DNS
scalability much• (See Jung, Sit, Balakrishnan, Morris; “DNS Performance
and the Effectiveness of Caching,” ACM SIGCOMM Internet Measurement Workshop, Nov. 2001.)
![Page 15: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/15.jpg)
Migrating a Connection
• Initiate migration from new network address Identify previous connection with token, on SYN Secure token to protect against hijacking Requires some state machine changes to guarantee
correctness
• Preserves service model to application
• Handles “middle boxes” Works with most NATs, PEPs, stateful firewalls
• Requires changes to transport protocol Kernel TCP, SCTP, RTP (linked library)
![Page 16: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/16.jpg)
TCP ConnectionMigration
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data)
![Page 17: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/17.jpg)
TCP ConnectionMigration
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data)
![Page 18: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/18.jpg)
TCP ConnectionMigration
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data)
![Page 19: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/19.jpg)
Modified TCP State Machine
MIGRATE_WAIT2MSL timeout
recv
: SY
N (
mig
rate
T, R
)se
nd: S
YN
, AC
K
recv:
RST
appl:
migrate
send:
SYN (migr
ate T, R
)recv: SYN (migrate T, R)
send: SYN, ACK
• 2 new transitions between existing states
- and -• 1 new state
handles potential race condition due to rapid readdressing
![Page 20: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/20.jpg)
Securing the Migration
• Problem: Increased vulnerability to hijacking Ingress filtering (RFC 2827) doesn’t help Attacker only needs token and sequence space
• Solution: Keep the token secret Negotiate it using Diffie-Hellman exchange (Elliptic-Curve
DH) Use sequence numbers to prevent replay Crypto exchange completed in SYN handshake Implemented in a new TCP option
• Result: Connections are as secure as standard TCP
![Page 21: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/21.jpg)
Migration Trace with SACK
SYN/ACK
Migrate SYN
BufferedPackets
(old address)
ACKw/SACK
![Page 22: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/22.jpg)
Summary
• The Migrate architecture enables end-to-end connections to be separated from, and move between, IP addresses
• Handles host and application mobility in an end-to-end fashion
• Exports API for mobility adaptation• Current work: handling disconnections• iNAT demo this evening (Bluetooth+802.11 end-to-
end migration)• Got code?
![Page 23: Migrate: An End-to-end Mobility Architecture for the NGI](https://reader036.fdocuments.us/reader036/viewer/2022062319/5581dbfed8b42a75268b4b85/html5/thumbnails/23.jpg)
Migrate code for Linux 2.2 available from:
http://nms.lcs.mit.edu/software/
Migrate project Web page (has code, papers):
http://nms.lcs.mit.edu/migrate/
Networks and Mobile Systems