What’s (probably) coming next in SMB
Transcript of the slide deck “What’s (probably) coming next in SMB”
What’s (probably) coming next in SMB SMB Core Dev team
Microsoft Corporation
Big things in flight: Compression, Security, QUIC
Question breaks
Compression
Compress SMB payloads
Better perf over narrow/congested networks
Good at large, inefficient data formats
Shipped (partial story) in 19H1 aka 1903
Data Patterns Used
Pattern 0: All-zero
Pattern 1: [0-255]…
Pattern 2: Not Compressible
SMB Compression Demo
Negotiation
Client negotiates for compression via negotiate context:

| Algorithm Count | Algorithm Id 1 | Algorithm Id 2 |
|---|---|---|
| 2 Byte | 2 Byte | 2 Byte |

Server responds with compression algorithm(s) XPRESS, XPRESS Huffman, LZNT1, PATTERN_V1:

| Selected Algorithm Count | Selected Algorithm ID 1 | Selected Algorithm ID 2 |
|---|---|---|
| 2 Byte | 2 Byte | 2 Byte |
Compress and Decompress
New, compact transform header for SMB Compression
Current transform header is 52 bytes and not 8-byte aligned
Compact header layout (row markers at 8B and 16B):
bytes 0-8: Protocol ID | Original Message Size
bytes 8-16: Algorithm | Reserved 1* | Reserved 2*
Interop
When compressing & encrypting, nest the transform headers
Compressing encrypted packets means bad compression ratio, so force encryption after compression
Wire layout, outer to inner: SMB Encryption Transform Header → SMB Compression Transform Header → SMB2 HEADER and other payload …
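Added example, not code from the deck or from Windows: a pack/unpack of the compact compression transform header drawn on the previous slide, plus the ordering rule from this slide (compress first, then encrypt) enforced on the sender side and the receiver-side checks a defender wants before inflating (protocol ID, negotiated algorithm only, declared size bounding the output). The protocol ID byte values are the ones MS-SMB2 publishes; the field widths 4/4/2/2/4, the 8 MiB cap and the use of zlib in place of XPRESS/LZNT1 are assumptions of this example.

```python
import struct
import zlib

# Protocol IDs published in MS-SMB2: plain SMB2 header, encryption transform,
# compression transform. zlib stands in for the XPRESS/LZNT1 codecs here.
SMB2_PROTOCOL_ID = b"\xfeSMB"
ENCRYPTION_TRANSFORM_ID = b"\xfdSMB"
COMPRESSION_TRANSFORM_ID = b"\xfcSMB"
# Slide layout, 16 bytes: Protocol ID | Original Message Size, then
# Algorithm | Reserved 1 | Reserved 2. Widths 4/4/2/2/4 are an assumption.
HEADER_FMT = "<4sIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16
MAX_ORIGINAL_SIZE = 8 * 1024 * 1024  # assumed receiver cap, not from the deck


def compress_message(smb2_message, algorithm_id):
    """Compress a plain SMB2 message and prefix the compact transform header.
    Enforces the slide's rule (compress first, encrypt after): an input that
    already carries the encryption transform header is refused."""
    if smb2_message[:4] == ENCRYPTION_TRANSFORM_ID:
        raise ValueError("compression must be applied before encryption")
    if smb2_message[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not a plain SMB2 message")
    header = struct.pack(HEADER_FMT, COMPRESSION_TRANSFORM_ID,
                         len(smb2_message), algorithm_id, 0, 0)
    return header + zlib.compress(smb2_message)


def decompress_message(wire, negotiated_algorithm):
    """Validate the header before inflating: correct protocol ID, only the
    negotiated algorithm, and a declared size that bounds the output buffer,
    so a forged Original Message Size cannot drive an unbounded allocation."""
    if len(wire) < HEADER_LEN:
        raise ValueError("truncated compression transform header")
    proto, orig_size, algorithm, _, _ = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if proto != COMPRESSION_TRANSFORM_ID:
        raise ValueError("not a compression transform header")
    if algorithm != negotiated_algorithm:
        raise ValueError("algorithm 0x%04x was not negotiated" % algorithm)
    if not 4 <= orig_size <= MAX_ORIGINAL_SIZE:
        raise ValueError("declared original size out of range")
    inflater = zlib.decompressobj()
    # One spare byte lets a correct stream reach end-of-stream while an
    # oversized payload is still stopped before it can inflate further.
    out = inflater.decompress(wire[HEADER_LEN:], orig_size + 1)
    if not inflater.eof or inflater.unused_data or len(out) != orig_size:
        raise ValueError("payload does not match declared original size")
    if out[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("decompressed data is not an SMB2 message")
    return out
```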
Chart: Data Pattern 1, Seq Write, End-to-end throughput (Gbps); y-axis 0 to 180, x-axis categories 1 to 4, two series (Series1, Series2)
Chart: Data Pattern 1, Seq Write, CPU Usage (%); y-axis 0 to 90, x-axis categories 1 to 4, four series (Series1 to Series4)
Chart: Data Pattern 1, Seq Write, Total Network Usage to Transmit 1TB of Data (GB); y-axis 0 to 1200, x-axis categories 1 to 4, two series (Series1, Series2)
Windows implementation details
Sampled for CopyFile()
Usage customizable via registry
No user interfaces or management yet
Documented in Open Protocol Spec
Questions about compression?
Security
Accelerated Signing
RDMA Signing and Encryption
Accelerated Signing
Historical: SMB 3.1.1 client only supported CMAC
Irony: encryption perf better than signing
Now: Adding AES-GMAC, a better perf algorithm
Nonce with each packet improves replay attack prevention
Signature validation moved to lower layers for faster rejection
Negotiate
Client will support AES128-GMAC
Append neg context (ID = 0x0008) algorithm count & algorithm IDs:

| Algorithm Count | Algorithm Id 1 | Algorithm Id 2 |
|---|---|---|
| 2 Byte | 2 Byte | 2 Byte |

Server selects algorithm, responds:

| 0x0001 | Selected Algorithm ID |
|---|---|
| 2 Byte | 2 Byte |
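Added example, not code from the deck or from Windows: the count-plus-IDs layout drawn on this slide and on the compression Negotiation slide, with the server's selection step and the client-side check that whatever the server selected is something the client offered (a selection outside the offered list is a downgrade or tampering signal and is rejected). Context ID 0x0008 is on the slide; the compression context ID 0x0003 and the numeric algorithm IDs are the values MS-SMB2 publishes, and the published compression context additionally carries padding and flags fields that this simplified slide layout omits.

```python
import struct

# Negotiate context IDs: 0x0008 (signing) is on the slide; 0x0003 (compression)
# is the value MS-SMB2 publishes for SMB2_COMPRESSION_CAPABILITIES.
SMB2_COMPRESSION_CAPABILITIES = 0x0003
SMB2_SIGNING_CAPABILITIES = 0x0008
# Algorithm IDs as published in MS-SMB2 (AES-GMAC is the new one on the slide).
HMAC_SHA256, AES_CMAC, AES_GMAC = 0x0000, 0x0001, 0x0002
LZNT1, LZ77, LZ77_HUFFMAN, PATTERN_V1 = 0x0001, 0x0002, 0x0003, 0x0004


def build_algorithm_list(algorithm_ids):
    """Slide layout: 2-byte count, then one 2-byte ID per algorithm,
    little-endian, in the sender's order of preference."""
    return struct.pack("<H%dH" % len(algorithm_ids), len(algorithm_ids), *algorithm_ids)


def parse_algorithm_list(data):
    """Decode the same layout, refusing a count that runs past the context."""
    if len(data) < 2:
        raise ValueError("truncated negotiate context")
    (count,) = struct.unpack_from("<H", data, 0)
    if len(data) < 2 + 2 * count:
        raise ValueError("algorithm count exceeds context length")
    return list(struct.unpack_from("<%dH" % count, data, 2))


def server_select(request, supported, max_selected):
    """Server side: keep the offered algorithms it supports, in the client's
    order. Signing answers with exactly one (count 0x0001); compression may
    answer with several."""
    offered = parse_algorithm_list(request)
    chosen = [a for a in offered if a in supported][:max_selected]
    return build_algorithm_list(chosen)


def client_accept(offered, response, max_selected):
    """Client side: an empty list means nothing was agreed; an ID the client
    never offered must be rejected rather than silently used."""
    selected = parse_algorithm_list(response)
    if len(selected) > max_selected:
        raise ValueError("server selected more algorithms than allowed")
    bad = [a for a in selected if a not in offered]
    if bad:
        raise ValueError("server selected unoffered algorithm 0x%04x" % bad[0])
    return selected
```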
RDMA Signing and Encryption
Historical: enabling sign/encrypt on SMB Direct disabled RDMA direct placement
Tanked performance, worse than TCP!
Hard to diagnose
Irritates a valuable customer persona: security focused
Now: Separating sign/seal of RDMA payload from SMB message
Not free, but much better
Improved sign and encrypt in RDMA
Perf gain over current packet-based encrypted traffic
Planned design: Encrypt RDMA buffer
Include signature in SMB payload
Message layout: SMB2 HEADER | SMB2 REQ WRITE | RDMA Descriptor
Signature and Nonce Transform Descriptor (fields in the order drawn, row markers at 8B, 16B, 24B):
Signature Length | Signature Offset | Nonce Length | Nonce Offset (8B)
Original Message Size | Reserved 1 | Reserved 2 (16B)
Channel Offset | Channel Length | Channel (V1 or V1 Invalidate) (24B)
Questions about security?
QUIC
Google-derived
Internet-ready
Secure-by-default MitM protection
IETF standardized (someday)
Low latency, low congestion
UDP/443, but H2 and TCP-like
“QUIC” stands for nothing ¯\_(ツ)_/¯
SMB over QUIC Demo
SMB over QUIC upsides/downsides
Upsides:
Prevents server spoofing via server cert
QUIC connection always protected by TLS encryption
Avoid being blocked by providers – 443, not 445
SMB basically unchanged, QUIC becomes VPN-like
Downsides:
Edge network-centric
Much lower perf than even SMB-encrypted
NTLM likely for SMB
![Page 26: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/26.jpg)
QUIC connection latency reduction: 0-RTT
![Page 27: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/27.jpg)
SMB over TCP
DNS: 1 RTT to Name Server (mitigation: Pre-resolve)
DNS Query
DNS response
TCP: 1 RTT (mitigation: TCP Fast Open)
TCP SYN
TCP SYN/ACK
TCP ACK
SMB Session Setup
SMB_COM_NEGOTIATE Request
SMB2_NEGOTIATE Response
![Page 28: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/28.jpg)
SMB over QUIC
DNS: 1 RTT to Name Server (mitigation: Pre-resolve)
DNS Query
DNS response
QUIC: Handshake including TLS
QUIC Request
QUIC Reply
SMB Session Setup
QUIC Request / SMB_COM_NEGOTIATE Request
SMB2_NEGOTIATE Response
![Page 29: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/29.jpg)
SMB/QUIC: Components
Client stack (top to bottom):
Application
RDBSS
MRXSMB, with MRXSMB10 and MRXSMB20
Multichannel / Signing / Encryption / Compression
Transports: WSK (TCP), SMBD (NDK/RDMA), TDI, QUIC (UDP, Multiplexing, TLS, Congestion Control)
NIC / RNIC
Server stack (top to bottom):
Local File System
SRV (SMB 1.0), SRV20 (SMB 2.x)
SRVNET/SRVADMIN
Multichannel / Signing / Encryption / Compression
Transports: WSK (TCP), SMBD (NDK/RDMA), TDI, QUIC (UDP, Multiplexing, TLS, Congestion Control)
NIC / RNIC
QUIC will be another protocol option used side by side with WSK and RDMA
![Page 30: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/30.jpg)
Windows implementation details
Try WSK/RDMA, sleep 100ms, try QUIC, x10
Usage customizable via registry
NTLM very likely for SMB; looking into alternatives like KDC Proxy, others
No user interfaces or management yet, but ADCS can deploy certificates
![Page 31: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/31.jpg)
Questions about QUIC?
![Page 32: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/32.jpg)
Other changes
Native support for FileNormalizedNameInformation
Directory Caching Enhancements: Windows clients can now cache much larger directories, ~500K entries.
Will attempt directory queries with 1 MB buffers to reduce round trips and improve performance
Important note to implementers: do not fail when seeing new SMB capabilities, just ignore
![Page 33: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/33.jpg)
Thanks!
Don’t forget those surveys :)
![Page 34: What’s (probably) coming next in SMB - .NET Framework...SMBD QUIC TDI WSK NDK/RDMA TCP UDP Multiplexing TLS Congestion Control RNIC SRVNET/SRVADMIN SRV (SMB 1.0) SRV20 (SMB 2.x)](https://reader036.fdocuments.us/reader036/viewer/2022071606/6142ffbb7bbb8b3311172d67/html5/thumbnails/34.jpg)
© Copyright Microsoft Corporation. All rights reserved.