DOCSLIB.ORG

Towards Secure Multipath TCP Communication

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Towards Secure Multipath TCP Communication Zeeshan Afzal | Towards Secure Multipath TCP Communication | Zeeshan Afzal | Towards Towards Secure Multipath TCP Communication Multipath TCP (MPTCP) is an extension to standard TCP that is close to being standardized. The design of the protocol is progressing, but most of the focus has so far been on its compatibility. The security aspect is confined to making sure Towards Secure that the MPTCP protocol itself offers the same security level as standard TCP. The topic of this thesis is to investigate the unexpected security implications Multipath TCP Communication raised by using MPTCP in a traditional networking environment. Today, the security middleboxes make use of different assumptions that may not be true anymore with the advent of MPTCP. 2017:12 We investigate how practical it is to evade a security middlebox by fragmenting Zeeshan Afzal and sending traffic across multiple paths using MPTCP. Realistic attack traffic generated from a tool that is also presented in this thesis is used to show that these attacks are feasible. We then go on to propose possible solutions to detect such attacks and implement them in an MPTCP proxy. The proxy aims to extend secure MPTCP performance advantages. We also investigate the MPTCP scenario where security middleboxes can only observe some of the traffic. We propose and implement an algorithm to perform intrusion detection in such situations and achieve a high detection accuracy. ISBN 978-91-7063-763-6 (print) ISBN 978-91-7063-764-3 (pdf) Faculty of Health, Science and Technology ISSN 1403-8099 Computer Science LICENTIATE THESIS | Karlstad University Studies | 2017:12 LICENTIATE THESIS | Karlstad University Studies | 2017:12 Towards Secure Multipath TCP Communication Zeeshan Afzal LICENTIATE THESIS | Karlstad University Studies | 2017:12 Towards Secure Multipath TCP Communication Zeeshan Afzal LICENTIATE THESIS Karlstad University Studies | 2017:12 urn:nbn:se:kau:diva-48172 ISSN 1403-8099 ISBN 978-91-7063-763-6 (print) ISBN 978-91-7063-764-3 (pdf) © The author Distribution: Karlstad University Faculty of Health, Science and Technology Department of Mathematics and Computer Science SE-651 88 Karlstad, Sweden +46 54 700 10 00 Print: Universitetstryckeriet, Karlstad 2017 WWW.KAU.SE Towards Secure Multipath TCP Communication Zeeshan Afzal Department of Mathematics and Computer Science Karlstad University Abstract The evolution in networking coupled with an increasing demand to improve user experience has led to different proposals to extend standard TCP. Multi- path TCP (MPTCP) is one such extension that has the potential to overcome a few inherent limitations in standard TCP. The design and deployment of the protocol is progressing, but most of the focus has so far been on its compati- bility. The security aspect is limited to making sure that the MPTCP protocol itself offers the same security level as standard TCP. The topic of this thesis is to investigate the unexpected security impli- cations raised by using MPTCP in the traditional networking environment. The Internet of today has security middleboxes that perform traffic analy- sis to detect intrusions and attacks. Such middleboxes make use of different assumptions about the traffic, e.g., traffic from a single connection always ar- rives along the same path. This along with many other assumptions may not be true anymore with the advent of MPTCP, as traffic can be fragmented and sent over multiple paths simultaneously. We investigate how practical it is to evade a security middlebox by frag- menting and sending traffic across multiple paths using MPTCP. Realistic at- tack traffic is used to evaluate such attacks against the Snort IDS to show that these attacks are feasible. We then go on to propose possible solutions to de- tect such attacks and implement them in an MPTCP proxy. The proxy aims to extend the MPTCP performance advantages to servers that only support standard TCP, while ensuring that intrusions can be detected as before. We also investigate the potential MPTCP scenario where security middleboxes only have access to some of the traffic. We propose and implement an algo- rithm to perform intrusion detection in such situations and achieve a nearly 90% detection accuracy. Another contribution of this work is a tool that converts IDS rules into synthetic attack traffic. Keywords: network security, TCP, MPTCP, IDS, Snort, edit-distance iii v Acknowledgements I would like to start by thanking the people who have enabled me to be in the position I am today. I will be forever grateful to Magnus Almgren, who I met as a student at Chalmers University of Technology. He took me under his guidance and inspired me to pursue an academic career. Judith Rossebø, who I met at ABB in Oslo during the work for my Master’s thesis, deserves a special mention for her guidance. I am thankful to my main advisor Stefan Lindskog, who trusted a young Master’s student with no previous research experience and provided valuable feedback and support throughout. I am grateful to Anna Brunstrom, Johan Garcia and all of my other co-authors for their brilliant ideas, helpful critique, and feedback. This thesis is part of a journey that started with my grandfather’s wish for me to secure a doctoral degree. Grandpa, I wish you could be here today to witness how far I have come to fulfill your dream. A special mention goes to my parents and siblings back in Pakistan for their love and support throughout my life. My family in Norway has provided unwavering support and made it easier for me to stay away from home and undertake a research career. Thank you to Noor, Ismail and Hadi for being constant sources of happiness in my life. I offer my gratitude to my fiancée Khadija for being my good luck charm and a blessing in my life. I can not help but mention Liverpool FC here. You have been there with me through both the good and bad times. Thanks for all the memories and lets make many more. You will never walk alone! Finally, I would like to thank all my colleagues at the department for the technical and non-technical discussions. The “innebandy” squad has made me appreciate another sport than football. Thanks for that. The work in this thesis was carried out in the High Quality Networked Services in a Mobile World (HITS) project, funded partly by the Knowledge Foundation of Sweden. Karlstad University, March 14, 2017 Zeeshan Afzal vii List of Appended Papers This thesis is based on the work reported in the following appended papers. I. Zeeshan Afzal and Stefan Lindskog. Multipath TCP IDS Evasion and Mitigation. In Proceedings of the 18th Information Security Conference (ISC), Trondheim, Norway, September 9–11, 2015. II. Zeeshan Afzal, Stefan Lindskog, Anna Brunstrom, and Anders Lidén. Towards Multipath TCP Aware Security Technologies. In Proceedings of the 8th IFIP International Conference on New Technologies Mobility and Security (NTMS), Larnaca, Cyprus, November 21–23, 2016. III. Zeeshan Afzal, Johan Garcia, and Stefan Lindskog. Partial Signature Matching in an MPTCP World using Insert-only Levenshtein Distance. Under Submission. IV. Zeeshan Afzal and Stefan Lindskog. IDS Rule Management Made Easy. In Proceedings of the 4th International Workshop on Systems Safety and Security (IWSSS), Ploiesti, Romania, June 30–02 July, 2016. The papers have been subjected to minor editorial changes. Comments on my Participation For all the papers, I came up with the initial idea and did most of the writing. The work was conducted together with my co-authors. Stefan Lindskog has been most influential for all the papers. • In Paper II, Anders Lidén proposed the different MPTCP proxy scenar- ios and suggested where the proxy should be placed. Anna Brunstrom provided networking and protocol support. • In Paper III, Johan Garcia proposed the insert-only Levenshtein dis- tance algorithm and wrote about it in the paper. Other Publications • Zeeshan Afzal and Stefan Lindskog. Automated Testing of IDS Rules. In Proceedings of the 6th International Workshop on Security Testing (SECTEST), Graz, Austria, April 13, 2015. • Zeeshan Afzal, Stefan Lindskog and Anders Lidén. A Multipath TCP Proxy. In Proceedings of the 11th Swedish National Computer Net- working Workshop (SNCNW), Karlstad, Sweden, May 28–29, 2015. • Zeeshan Afzal, Judith Rossebo, Batool Talha, and Mohammad Chowd- hury. A Wireless Intrusion Detection System for 802.11 Networks. In Proceedings of the IEEE International Conference on Wireless Com- munications, Signal Processing and Networking (WiSPNET), Chen- nai, India, March 23–25, 2016. ix Contents List of Appended Papers vii Introductory Summary 1 1 Introduction 3 2 Background 4 2.1 Network Security . .4 2.2 MPTCP . .5 2.2.1 MPTCP Connection and Subflows . .6 2.2.2 Transfer of Data . .6 2.2.3 Deployment . .7 2.3 Security Implications of MPTCP . .7 2.3.1 Data Fragmentation . .8 2.3.2 Independence from a Fixed Four-tuple . .9 2.3.3 Durable and Reverse Connections . .9 3 Research Objectives and Questions 9 4 Contributions 11 5 Research Methodology 12 6 Summary of Appended Papers 13 7 Concluding Remarks and Outlook 14 Paper I: Multipath TCP IDS Evasion and Mitigation 17 1 Introduction 19 1.1 Motivation and Research Questions . 20 1.2 Contribution . 21 1.3 Paper Structure . 21 2 Related Work 21 3 Background 22 3.1 Multipath Networking . 22 3.1.1 Implementation . 23 3.1.2 Initiating an MPTCP Connection . 23 3.1.3 Addition of a New Subflow . 23 3.1.4 Data Transfer using MPTCP . 24 3.2 Network Security Reflections . 24 x 3.3 Snort . 25 3.3.1 Snort Operation . 25 3.3.2 Rules . 25 4 Experimental Methodology 26 4.1 Client Side . 26 4.1.1 Snort Rules . 26 4.1.2 Rule Analyzer . 26 4.1.3 Rule Parser .
Load more

Recommended publications
  • A Measurement-Based Study of Multipath TCP Performance Over Wireless Networks
    A Measurement-based Study of MultiPath TCP Performance over Wireless Networks Yung-Chih Chen Yeon-sup Lim Richard J. Gibbens School of Computer Science School of Computer Science Computer Laboratory University of Massachusetts University of Massachusetts University of Cambridge Amherst, MA USA Amherst, MA USA Cambridge, UK [email protected] [email protected] [email protected] Erich M. Nahum Ramin Khalili Don Towsley IBM Thomas J. Watson T-Labs, Deutsche Telekom School of Computer Science Research Center Berlin, Germany University of Massachusetts Yorktown Heights, NY USA [email protected] Amherst, MA USA [email protected] berlin.de [email protected] ABSTRACT Keywords With the popularity of mobile devices and the pervasive use Multi-Path TCP; MPTCP; Congestion Control; Measure- of cellular technology, there is widespread interest in hybrid ments; Wireless; Cellular Networks; 4G; LTE; 3G; CDMA networks and on how to achieve robustness and good per- formance from them. As most smart phones and mobile de- 1. INTRODUCTION vices are equipped with dual interfaces (WiFi and 3G/4G), a promising approach is through the use of multi-path TCP, Many users with mobile devices can access the Internet which leverages path diversity to improve performance and through both WiFi and cellular networks. Typically, these provide robust data transfers. In this paper we explore the users only utilize one technology at a time: WiFi when it is performance of multi-path TCP in the wild, focusing on sim- available, and cellular otherwise. Research has also focused ple 2-path multi-path TCP scenarios.
    [Show full text]
  • The Effects of Different Congestion Control Algorithms Over Multipath Fast Ethernet Ipv4/Ipv6 Environments
    Proceedings of the 11th International Conference on Applied Informatics Eger, Hungary, January 29–31, 2020, published at http://ceur-ws.org The Effects of Different Congestion Control Algorithms over Multipath Fast Ethernet IPv4/IPv6 Environments Szabolcs Szilágyi, Imre Bordán Faculty of Informatics, University of Debrecen, Hungary [email protected] [email protected] Abstract The TCP has been in use since the seventies and has later become the predominant protocol of the internet for reliable data transfer. Numerous TCP versions has seen the light of day (e.g. TCP Cubic, Highspeed, Illinois, Reno, Scalable, Vegas, Veno, etc.), which in effect differ from each other in the algorithms used for detecting network congestion. On the other hand, the development of multipath communication tech- nologies is one today’s relevant research fields. What better proof of this, than that of the MPTCP (Multipath TCP) being integrated into multiple operating systems shortly after its standardization. The MPTCP proves to be very effective for multipath TCP-based data transfer; however, its main drawback is the lack of support for multipath com- munication over UDP, which can be important when forwarding multimedia traffic. The MPT-GRE software developed at the Faculty of Informatics, University of Debrecen, supports operation over both transfer protocols. In this paper, we examine the effects of different TCP congestion control mechanisms on the MPTCP and the MPT-GRE multipath communication technologies. Keywords: congestion control, multipath communication, MPTCP, MPT- GRE, transport protocols. 1. Introduction In 1974, the TCP was defined in RFC 675 under the Transmission Control Pro- gram name. Later, the Transmission Control Program was split into two modular Copyright © 2020 for this paper by its authors.
    [Show full text]
  • SMAPP : Towards Smart Multipath TCP-Enabled Applications
    SMAPP : Towards Smart Multipath TCP-enabled APPlications B. Hesmans ∗, G. Detal y, S. Barre y, R. Bauduin ∗, O. Bonaventure ∗ ∗ Université catholique de Louvain, Louvain-la-Neuve, Belgium y Tessares, Louvain-la-Neuve, Belgium ∗ [email protected] y [email protected] ABSTRACT applications running on a wide range of devices ranging Multipath TCP was designed and implemented as a from smartphones to datacenters. Despite or maybe due backward compatible replacement for TCP. For this rea- to its popularity, TCP continues to evolve. Multipath son, it exposes the standard socket API to the applica- TCP [7, 19] is one of the most recent TCP extensions. It tions that cannot control the utilisation of the different completely changes one of the basic design assumptions paths. This is a key feature for applications that are un- of the original TCP specification : a TCP connection aware of the multipath nature of the network. On the is always identified by a four-tuple (source and desti- contrary, this is a limitation for applications that could nation IP addresses and ports). All the packets that benefit from specific knowledge to use multiple paths are sent for such a connection always contain this four- in a way that fits their needs. As the specific knowl- tuple. An annoying consequence of this coupling is that edge of an application can not be known in advance, on a multihomed host, e.g. a smartphone with a cellular we propose a Multipath TCP path manager that dele- and a WiFi interface or a simple dual-stack PC having gates the management of the paths to the applications.
    [Show full text]
  • Multipath TCP Upstreaming
    Multipath TCP Upstreaming Mat Martineau (Intel) and Matthieu Baerts (Tessares) Plan ● Multipath TCP Overview ● First Patch Set Upstreaming Roadmap ● Advanced Features Roadmap ● Conclusion and links 2 What is MPTCP? 3 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP (MPTCP) working group Smartphone and WiFi icons by Blurred203 and Antü Plasma under CC-by-sa, others from Tango project, public domain 4 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP (MPTCP) working group ● More bandwidth: Smartphone and WiFi icons by Blurred203 and Antü Plasma under CC-by-sa, others from Tango project, public domain 5 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP (MPTCP) working group ● More mobility (walk-out): Smartphone and WiFi icons by Blurred203 and Antü Plasma under CC-by-sa, others from Tango project, public domain 6 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP (MPTCP) working group ● More mobility (walk-out): Smartphone and WiFi icons by Blurred203 and Antü Plasma under CC-by-sa, others from Tango project, public domain 7 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP
    [Show full text]
  • "Measuring and Extending Multipath TCP"
    "Measuring and extending multipath TCP" Tran, Viet Hoang ABSTRACT TCP has been one of the most important Internet protocols since the early days of this network. The initial version of TCP assumed that (1) each device has a single interface, and (2) its network address is permanent. Today's Internet attached devices have multiple interfaces with dynamic addresses. These deployments do not match anymore the design principles of TCP. By decoupling the transport layer from the underneath IP layer, Multipath TCP brings several key benefits in a variety of use cases. However, this major TCP extension is also significantly more complex than the legacy TCP. Despite growing interests in Multipath TCP, there are still many unknowns about its behaviours and performance in the real world. Moreover, most Multipath TCP implementations are based on existing TCP stacks which are part of operating systems kernels. Therefore, it is challenging to build Multipath TCP stacks that adapt to different network scenarios and user requirements. The purpose of this thesis i... CITE THIS VERSION Tran, Viet Hoang. Measuring and extending multipath TCP. Prom. : Bonaventure, Olivier http:// hdl.handle.net/2078.1/225610 Le dépôt institutionnel DIAL est destiné au dépôt DIAL is an institutional repository for the deposit et à la diffusion de documents scientifiques and dissemination of scientific documents from émanents des membres de l'UCLouvain. Toute UCLouvain members. Usage of this document utilisation de ce document à des fin lucratives for profit or commercial purposes is stricly ou commerciales est strictement interdite. prohibited. User agrees to respect copyright L'utilisateur s'engage à respecter les droits about this document, mainly text integrity and d'auteur lié à ce document, principalement le source mention.
    [Show full text]
  • Multipath TCP: from Theory to Practice
    MultiPath TCP: From Theory to Practice Sébastien Barré, Christoph Paasch, and Olivier Bonaventure ⋆ ICTEAM, Université catholique de Louvain B-1348 Louvain-la-Neuve, Belgium {firstname.lastname}@uclouvain.be Abstract. The IETF is developing a new transport layer solution, Mul- tiPath TCP (MPTCP), which allows to efficiently exploit several Internet paths between a pair of hosts, while presenting a single TCP connection to the application layer. From an implementation viewpoint, multiplex- ing flows at the transport layer raises several challenges. We first explain how this major TCP extension affects the Linux TCP/IP stack when considering the establishment of TCP connections and the transmission and reception of data over multiple paths. Then, based on our imple- mentation of MultiPath TCP in the Linux kernel, we explain how such an implementation can be optimized to achieve high performance and report measurements showing the performance of receive buffer tuning and coupled congestion control. Keywords: TCP, multipath, implementation, measurements 1 Introduction The Internet is changing. When TCP/IP was designed, hosts had a single in- terface and only routers were equipped with several physical interfaces. Today, most hosts have more than one interface and the proliferation of smart-phones equipped with both 3G and WiFi will bring a growing number of multihomed hosts on the Internet. End-users often expect that using multihomed hosts will increase both redundancy and performance. Unfortunately, in practice this is not always the case as more than 95% of the total Internet traffic is still driven by TCP and TCP binds each connection to a single interface. This implies that TCP by itself is not capable of efficiently and transparently using the interfaces available on a multihomed host.
    [Show full text]
  • Introduction
    Securing the Mobile Ecoomy – www.neohapsis.com MULTIPATH TCP, PWNIN G TODAY’S NETWORKS W ITH TOMORROW’S PROTOCOLS . Catherine Pearce – [email protected], twitter: @secvalve ABSTRACT: MultiPath TCP (MPTCP) is an extension to TCP that enables sessions to use multiple network endpoints and multiple network paths at the same time, and to change addresses in the middle of a connection. MPTCP works transparently over most existing network infrastructure, yet very few security and network management tools can correctly interpret MPTCP streams. With MPTCP network security is changed: how do you secure traffic when you can't see it all and when the endpoint addresses change in the middle of a connection? This paper briefly discusses how MPTCP breaks assumptions about how TCP works, and how this can be used to evade security controls. We will also discuss tools and strategies for understanding and mitigating the risk of MPTCP-capable devices on a network. INTRODUCTION Ubiquitous in modern networking, with much of the world's infrastructure depending upon it, but its single path nature is a significant shortcoming in many modern uses. Where there is a need to combine the bandwidth of multiple network connections, or to roam across different network locations while maintaining a connection, TCP falls short. This has motivated both research and proposed solutions. While many proposed solutions have been revolutionary (comprising complete replacements, notably Stream Control Transmission Control Protocol (SCTP)), recent proposals have been more evolutionary extensions of TCP itself. Multipath TCP (MPTCP) is one such expansion. It adds the ability to split TCP flows over multiple network endpoints, and to change network endpoints seamlessly without dropping the connection.
    [Show full text]
  • Exploring Alternative Routes Using Multipath TCP
    EXPLORING ALTERNATIVE ROUTES USING MULTIPATH TCP by STEPHEN BRENNAN Submitted in partial fulfillment of the requirements for the degree of Master of Science Department of Electrical Engineering and Computer Science CASE WESTERN RESERVE UNIVERSITY August, 2017 CASE WESTERN RESERVE UNIVERSITY SCHOOL OF GRADUATE STUDIES We hereby approve the thesis of Stephen Brennan candidate for the degree of Master of Science*. Committee Chair Michael Rabinovich Committee Member Vincenzo Liberatore Committee Member Mark Allman Date of Defense June 5, 2017 *We also certify that written approval has been obtained for any proprietary material contained therein. Contents List of Tables iii List of Figures iii Abstract v 1 Introduction 1 1.1 Internet Routing Inefficiencies . .1 1.2 Access Link Underutilization . .2 1.3 Concept . .3 1.4 Contributions . .4 2 Background 6 2.1 Multipath TCP . .6 2.2 Mininet . 10 3 Related Work 13 3.1 Link Layer . 13 3.2 Network Layer . 14 3.3 Transport Layer . 19 3.4 Application Layer . 21 i CONTENTS CONTENTS 4 Implementation 24 4.1 Detour Daemon . 26 4.2 Path Manager . 33 4.3 Client Daemon . 37 4.4 Security Considerations . 38 5 Evaluation 40 5.1 Mininet Experiments . 41 5.2 AWS Experiment . 51 6 Future Work 53 6.1 Detour Collective . 53 6.2 Detour Traffic Attribution . 54 6.3 Dynamic Source Routing . 55 6.4 Data Scheduling . 56 6.5 0-RTT NAT Establishment . 56 7 Conclusion 58 Data 60 ii List of Tables 1 Mininet experiment throughput . 60 2 Bytes transmitted across subflows . 61 iii List of Figures 1.1 Conceptual overview of the mechanism .
    [Show full text]
  • A First Look at Real Multipath TCP Traffic
    A First Look at Real Multipath TCP Traffic B Benjamin Hesmans( ), Hoang Tran-Viet, Ramin Sadre, and Olivier Bonaventure ICTEAM, Universit´ecatholique de Louvain, Louvain-la-Neuve, Belgium [email protected] Abstract. Multipath TCP is a new TCP extension that attracts a grow- ing interest from both researchers and industry. It enables hosts to send data over several interfaces or paths and has use cases on smartphones, datacenters or dual-stack hosts. We provide the first analysis of the oper- ation of Multipath TCP on a public Internet server based on a one-week long packet trace. We analyse the main new features of Multipath TCP, namely the utilisation of subflows, the address advertisement mechanism, the data transfers and the reinjections and the connection release mech- anisms. Our results confirm that Multipath TCP operates correctly over the real Internet, despite the presence of middleboxes and that it is used over very heterogeneous paths. 1 Introduction The Transmission Control Protocol (TCP) [23] was designed when hosts were equipped with a single interface. When two hosts exchange data through a TCP connection, all packets generated by the client (resp. server) must be sent from the same IP address. This remains true even if the communicating hosts have sev- eral interfaces and thus IP addresses that could be used to improve performance or resilience. In today’s networks, this limitation is becoming a major drawback. Cellular and WiFi networks are available in most cities and smartphone users would like to be able to start a TCP connection in a WiFi hotspot and continue it later via their 3G interface.
    [Show full text]
  • MPTCP and Product Support Overview
    MPTCP and Product Support Overview Contents Introduction MPTCP Overview Background Information Session Establishment Join Additional Sub-flows Add Address Segmentation, Multipath, and Reassembly Impact on Flow Inspection Cisco Products Impacted by MPTCP ASA TCP Operations Protocol Inspection Cisco Firepower Threat Defense TCP Operations Cisco IOS Firewall Context-Based Access Control (CBAC) Zone-Based Firewall (ZBFW) ACE Cisco Products not Impacted by MPTCP Introduction This document provides an overview of Multipath TCP (MPTCP), its impact on flow inspection, and the Cisco products that are and are not affected by it. MPTCP Overview Background Information Hosts connected to the Internet or within a data center environment are often connected by multiple paths. However, when TCP is used for data transport, communication is restricted to a single network path. It is possible that some paths between the two hosts are congested, whereas alternate paths are underutilized. A more efficient use of network resources is possible if these multiple paths are used concurrently. In addition, the use of multiple connections enhances the user experience, because it provides higher throughput and improved resilience against network failures. MPTCP is a set of extensions to regular TCP that enables a single data flow to be separated and carried across multiple connections. Refer to RFC6824: TCP Extensions for Multipath Operation with Multiple Addresses for more information. As shown in this diagram, MPTCP is able to separate the 9mbps flow into three different sub-flows on the sender node, which is subsequently aggregated back into the original data flow on the receiving node. The data that enters the MPTCP connection acts exactly as it does through a regular TCP connection; the transmitted data has guaranteed an in-order delivery.
    [Show full text]
  • MP-H2: a Client-Only Multipath Solution for HTTP/2
    MP-H2: A Client-only Multipath Solution for HTTP/2 Ashkan Nikravesh Yihua Guo† Xiao Zhu Feng Qian‡ Z. Morley Mao University of Michigan – Ann Arbor †Uber Technologies, Inc. ‡University of Minnesota – Twin Cities ABSTRACT 33, 39, 44]. Multipath TCP (MPTCP [47]) is the state-of-the- MP-H2 is a client-only, HTTP-based multipath solution. It art solution of multipath transport. It is attractive in several enables an HTTP client to fetch content (an HTTP object) aspects such as application transparency, mobile-friendliness, over multiple network paths such as WiFi and cellular on and good performance. However, there are several major hur- smartphones. Compared to MPTCP, MP-H2 offers several dles that considerably slow down the deployment of MPTCP. key advantages including server transparency, middlebox First, MPTCP requires changes on both the client and the compatibility, and friendliness to CDN, anycast, and load server side at the OS kernel level. Second, many middleboxes balancing. MP-H2 strategically splits the file into byte range are not compatible with MPTCP in that they strip MPTCP requests sent over multipath, and dynamically balances the options from TCP packets [44]. Third, MPTCP is not friendly workload across all paths. Furthermore, MP-H2 leverages to many other critical protocols and infrastructures such as new features in HTTP/2 including stream multiplexing, flow Content Distribution Networks (CDN), anycast, and flow- control, and application-layer PING to boost the performance. level load balancing. For example, today’s DNS-based CDN MP-H2 also supports multi-homing where each path contacts server selection is not aware of MPTCP; as a result, the se- a different CDN server for enhanced performance.
    [Show full text]
  • Cross-Path NIDS Evasion and Countermeasures
    Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis and Dissertation Collection 2016-09 "Why does MPTCP have to make things so complicated?": cross-path NIDS evasion and countermeasures Foster, Henry August Monterey, California: Naval Postgraduate School http://hdl.handle.net/10945/50546 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS “WHY DOES MPTCP HAVE TO MAKE THINGS SO COMPLICATED?”: CROSS-PATH NIDS EVASION AND COUNTERMEASURES by Henry August Foster September 2016 Thesis Advisor: Geoffrey Xie Second Reader: Robert Beverly Approved for public release. Distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704–0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202–4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 1. AGENCY USE ONLY (Leave Blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED September 2016 Master’s Thesis 06-29-2014 to 09-23-2016 4. TITLE AND SUBTITLE 5. FUNDING NUMBERS “WHY DOES MPTCP HAVE TO MAKE THINGS SO COMPLICATED?”:CROSS- PATH NIDS EVASION AND COUNTERMEASURES 6. AUTHOR(S) Henry August Foster 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8.
    [Show full text]