ABSTRACT
The current model for flow establishment in the Internet (DNS names, IP addresses, and transport ports) is inadequate. Not all of the problem is due to the small IPv4 address space and the NAT boxes that result from it. Even where global addresses exist, firewalls cannot glean enough information about a flow from packet headers, and so often err, typically by being over-conservative: disallowing flows that might otherwise be allowed. This paper presents a novel architecture, protocol design, and implementation for flow establishment in the Internet. The architecture, called NUTSS, takes into account the combined policies of endpoints and network providers. While NUTSS borrows liberally from other proposals (URI-like naming, signaling to manage ephemeral IPv4 or IPv6 data flows), NUTSS is unique in that it couples overlay signaling with data-path signaling. NUTSS requires no changes to existing protocol stacks and, combined with recent NAT traversal techniques, works with IPv4 and existing NATs and firewalls. This paper describes NUTSS and shows how it satisfies a wide range of "end-middle-end" network requirements, including access control, middlebox steering, multi-homing, mobility, and protocol negotiation.