Neutral Net Neutrality

Yiannis Yiakoumis, Sachin Katti, and Nick McKeown

Stanford University

ABSTRACT Alexa ranking 1 10 100 1000 >5000 Should applications receive special treatment from the network? And if so, who decides which applications 10 are preferred? This discussion, known as net neutral- 8 ity, goes beyond technology and is a hot political topic. 6 In this paper we approach net neutrality from a user’s # of users 4 perspective. Through user studies, we demonstrate that 2 users do indeed want some services to receive preferen- tial treatment; and their preferences have a heavy-tail: skai.gr nbc.com cnn.com hulu.com cucirca.eu netflix.com abc.go.com a one-size-fits-all approach is unlikely to work. This speetest.net facebook.com starsports.com mail.google.com usanetwork.com espncricinfo.com ticketmaster.com suggests that users should be able to decide how their intercallonline.com ondemandkorea.com trac is treated. A crucial part to enable user prefer- Figure 1: If given the choice, which websites would home ences, is the mechanism to express them. To this end, users prioritize? The preferences have a heavy tail: 43% of we present network cookies, a general mechanism to ex- the preferences are unique, with a median popularity index press user preferences to the network. Using cookies, of 223. we prototype Boost, a user-defined fast-lane and deploy it in 161 homes. programs promise that certain trac is free from data caps (aka zero-rating). Similarly, others have proposed CCS Concepts giving some trac a fast-lane over the last mile. How- Social and professional topics Net neutrality; ever these proposals have raised concerns [23, 13] that • ! Networks Network architectures; Network proto- the consumer will ultimately be harmed. The fear is • ! cols; Cross-layer protocols; Middle boxes / network ap- that ISPs and content providers will decide which ap- pliances; Network economics; Network manageability; plications get the best service, squeezing out new ser- Home networks; vices, and creating an insurmountable barrier to entry for innovative new applications. Consequently, to pro- 1. INTRODUCTION tect users, net neutrality has devolved to “don’t do any- thing”, i.e., treat all trac the same. Net neutrality is currently a charged debate. The core We believe the debate is backwards. While many of the argument is about which applications should re- arguments are made in the name of protecting users, ceive special treatment from the network, and whether those very users do not seem to have a say in the mat- special treatment is in the best interest of users. Several ter. Specifically, if we are nervous that ISPs and content examples of special treatment already exist, for exam- providers will make decisions detrimental to users, why ple Facebook Zero [3] and T-Mobile’s Music Freedom [8] Permission to make digital or hard copies of all or part of this work for personal not let users decide for themselves how their tracis or classroom use is granted without fee provided that copies are not made or treated? Done right, this could potentially benefit ev- distributed for profit or commercial advantage and that copies bear this notice eryone: Users get what they want, ISPs provide more and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is value to their customers, and popular content gets pref- permitted. To copy otherwise, or republish, to post on servers or to redistribute to erential treatment, even if the service is small and new. lists, requires prior specific permission and/or a fee. Request permissions from We are not the first to propose involving users more [email protected]. closely and ask them what they want—others have SIGCOMM ’16, August 22 - 26, 2016, Florianopolis , Brazil pointed out the importance of users during the recent c 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM. ISBN 978-1-4503-4193-6/16/08. . . $15.00 update in FCC’s Open Internet rules [31, 1]. In this DOI: http://dx.doi.org/10.1145/2934872.2934896 paper we try to advance the net neutrality debate by resolving two open questions related to users’ prefer- desired outcome [1]. ences. To tackle this challenge we present network cook- First, do users want a say over how their tracis ies—a mechanism for users to express their preferences treated by the network? After all, users might prefer to the network and to content providers. A network not to be bothered with such details, and just have the cookie—similar to HTTP cookies—is a small piece of network treat all their trac the same. To answer this data, that users can attach to their packets. A net- question, we conducted two studies of user behavior. work with appropriate information can lookup the state We prototyped a service—a user-defined fast lane called associated with this cookie and apply the desired ser- Boost and deployed it in 161 homes, during an inter- vice. Network cookies provide a simple yet expres- nal “dogfood” test of OnHub, a commercial home WiFi sive mapping abstraction to users: we can use them router built by Google. With Boost, users can decide to boost, zero-rate, or arbitrarily map any tracto which trac gets higher priority (or decide to not give any state in the network, not just a few popular pre- higher priority to any trac). They can express their configured applications. Cookies facilitate the tus- preferences through a web browser extension, either by sle between users, applications and ISPs, and respect prioritizing a specific tab, or by always prioritizing the the trust relationships between di↵erent parties. They trac from a specific website. Figure 1 summarizes the provide built-in authentication so that only authorized behavior of a fairly homogeneous1 group of users: 43% users can use a given service; revocability for users to of expressed preferences were unique, i.e., the preferred easily change their preferences or completely withdraw website was picked by only one user, while the median from a service; they respect user privacy, as users do not popularity index of prioritized websites was 223.2 While have to reveal the content, type or origin of trac get- our sample is small, it demonstrates the diverse and ting special treatment; and they protect against replay heavy-tailed nature of user preferences, and that users and spoofing attacks preventing a third-party from re- are willing to express them if it is easy to do so. To playing an overheard cookie. Perhaps most important, strengthen our results, we surveyed 1, 000 smartphone cookies are policy-free—in fact, an ISP could use cook- users about their interest and preferences in fast lanes ies to prioritize a single content provider, all the way to and zero rating services. Given the option to select let each user choose her own. By separating mechanism which application to zero-rate, users chose 106 di↵erent from policy, they enable a wide set of policies which can applications from di↵erent categories (e.g., video, au- be easily adjusted, enforced, and verified according to dio, social, news). Both studies demonstrate that user trust relationships and regulatory frameworks. Finally, preferences have a heavy tail, and suggest that a one- cookies can be practically deployed in existing net- size-fits-all approach is unlikely to work for most users. works. They are independent from packet headers and This naturally leads to the second question we wish payload, we can match against them with high accuracy to resolve: Now that we know users have diverse prefer- and regardless of content popularity, presence of encryp- ences, we need to pick (or design) a mechanism to give tion and middleboxes, or task complexity (e.g. we can them control over their preferences. In other words, boost a webpage, or a mobile application); they can be how should users express their preferences to the net- incrementally deployed by individual ISPs and applica- work? Should users express their detailed preferences, tions; and we can leverage di↵erent transport mecha- or should they pick among popular applications short- nisms to carry them (e.g. a special HTTP header, a listed by an ISP? How can the network provide pref- TLS-handshake extension, an IPv6 extension header). erential treatment to an application, without the user This user-driven approach can enable a plethora of having to reveal what the trac contains? How can network services in the future. A video application ISPs account and charge for o↵ered services? How can could ask for a short burst of high bandwidth when we audit that the parties adhere to their agreements? it runs low on bu↵ers (and risks rebu↵ering), while a And so on. All of these questions need to be addressed researcher could do the same to upload a large file be- if we are to make such a system practical. fore an upcoming deadline. Users can pay per burst, or As we will show, existing mechanisms (like Di↵Serv, get a limited monthly quota for free. Moreover, cookies DPI, or even new SDN-like approaches) do not ade- and user preferences are not bound to net neutrality— quately address the concerns raised above. This was we can use them in other scenarios to let individuals emphasized during the last FCC hearings, when pol- customize network services for their own needs. This icymakers rejected an AT&T proposal for user-driven paper takes no position on what these services should services, concerned that the mechanism itself (or the look like, or how to implement them in the network. lack of a proper one) could potentially undermine the Our goal is to simply enable users to express their traf- fic preferences to the network. 1Employees of the same company (Google), living in Our main contributions are: the same city. 1. Network cookies: a policy-free mechanism to express 2We use Alexa ranking as the popularity index. which applications get special treatment from the net- cational applications (Figure 2). Using the number of work in a trac-agnostic way ( 4). downloads in Google Play Store as a proxy for popular- 2. We advocate for a user-centric§ view on net neutrality ity, some users chose applications with 109 users (e.g. and demonstrate that this is both practical and bene- Spotify, Facebook), while others chose specialized ap- ficial. Through a user study and an online survey we plications with only a few thousands users (e.g. Indie show that preferences have a heavy tail, suggesting that 103.1, an app from a radio station with < 50k users). a one-size-fits-all approach is unlikely to work for many Current zero-rating services only allow users to choose users ( 2, 5). from among a small set of popular services; our sur- 3. Prototype§ § services that use network cookies and vey suggests this is not what a majority of users want. user preferences, including a Boost fast-lane service, and For example, Wikipedia Zero covers only 0.4% of our AnyLink, a cloud-based version of Boost which provides users’ preferences, and Music Freedom just 11.5%. We slow (instead of fast) lanes that we make publicly avail- found similar results when surveying user interest in able online ( 5). fast-lanes, and a music-only zero-rating service [12]. § In summary, our results strongly suggest users are 2. WHY A USER-DRIVEN APPROACH interested in services like fast-lanes and zero-rating, but Fast lanes and zero-rating services have been de- each user would prefer to boost or zero-rate di↵erent ployed in several countries, in cellular and last-mile res- applications. A natural question to ask is how to let idential networks. For example, Microsoft and Comcast users express their preferences to the network. We start joined forces in the US to o↵er a special service for Com- with the question: Do existing mechanisms allow users cast content to Xbox consoles. Trac went through a to correctly express their preferences to the network? dedicated, high-bandwidth and data-cap free channel. Similarly, Netflix partnered with Australian ISPs to ex- 3. EXISTING MECHANISMS DON’T empt their video trac from a home user’s monthly WORK data-caps. MusicFreedom and BingeOn are services of- Ideally, an existing mechanism would let users express fered by T-Mobile in the US to exempt a handful of their preferences and meet our requirements. Unfortu- music and video services from monthly data caps. Spo- nately, none of the commonly used mechanisms pass tify has similar partnerships with European mobile op- muster. Let’s look at the three most common ones. erators. Facebook-Zero and Wikipedia-Zero allow users Deep Packet Inspection (DPI). DPI is widely used in emerging markets to access Facebook and Wikipedia to identify a subset of trac (e.g., trac coming from a without a data-plan. The incentives for such services specific content provider) and then apply a special ser- vary—some ISPs absorb the cost for special treatment vice to it (e.g., higher bandwidth or zero-rating). DPI to di↵erentiate from competition and satisfy their cus- sits in a middlebox and typically matches trac at line- tomers, others (especially in emerging markets) do it in rate, by examining IP addresses, TCP ports, SSL’s SNI an e↵ort to familiarize their users with the Internet, and field, and packet contents. Typically, a new set of rules in some cases ISPs directly charge content providers for is added for each application and web-service. special treatment. DPI su↵ers from what we call a high transaction These services are considered controversial as they cost—adding a new preference (i.e., a new set of rules) limit user choice to a few pre-selected applications. is hard, particularly if the service is hidden inside https They often lead to regulatory complaints and even with- (which is increasingly common) or is hosted on a third- drawal of the service due to public backlash [22, 4]. party CDN (e.g., video services hosted by Akamai). As So, what do users really want? We asked 1,000 smart- a result, current DPI tools support only the most pop- phone users their preferences on zero-rating through an ular applications, and often require manual coordina- 3 online survey. 65% of users expressed interest in a ser- tion between content providers and ISPs. For example, vice that lets them choose one application that does nDPI [17], a publicly available DPI system, recognizes not count against their monthly cellular data cap, or only 23 out of 106 applications that our surveyed users not even require a data plan, which explains why these picked for zero-rating. MusicFreedom, an existing zero- services are being deployed. But when we asked them to rating service implemented using DPI, works with only choose a particular application, responses were heavy- 17 out of 51 music applications mentioned in our sur- tailed, and many users preferred websites and applica- vey [12]. Even when DPI detects an application, its tions not available for special treatment by existing ser- view is very di↵erent from a user’s view. Take cnn.com vices. Users expressed preference for applications rang- as an example. Loading its front-page generates 255 ing from social networks, video, music streaming, mes- flows and 6741 packets from 71 di↵erent servers. nDPI saging and VOIP, news sites, maps, games, and edu- marked only packets coming from CNN servers, which 3Users are aged 18-65 in the USA, surveyed via Survey- summed up to 605 packets (less than 10%)—everything Monkey in August 2015. else came from CDNs, advertisers, etc. But perhaps ti”aentcvrda all. at covered not are “tail” w ed.Ee hn h ml ubro available cus- of own number their define small cannot the restricting—ISPs is then, classes Even at di re- iii) or a needs. and use respect own marking, to to DSCP the networks path alter quire the not least in very element impractical), the proven every been for expect has meaning ii) (which pre-defined code systems a DSCP at operating each agree networks, to all applications for require Di and room i) with little would preferences Serv leaving user Expressing purposes, own customization. their for works (2 classes 64 Di we make bits, that DSCP limitations insu the deeper are mark there to believe APIs necessary ex- not the and/or posing respecting not for developers application tra their mark to websites or SDK) developers Android’s allow or not do browser re- popular Chrome and even the boundaries, the (like or network platforms to across ignore bits preferences often DSCP express set operators Network to used network. practically Di be systems, not high operating and (e.g., routers network modern the and implemented in widely in header) Although class IP latency). low specific the bandwidth, a in to bits them DSCP map 6 the (using packets the in applications Di meantime, the long in a and take high add, applications Their to new time privacy. means user costs respect transaction not low have do applications, and many accuracy, recognize to requesting struggle tools are privacy. user they hurt service might which the for, ISP prepared treatment is their special user to a reveal if popularity. works to and only type DPI in problematic, vary most they and total), in apps (106 heavy-tail a have Preferences popularity. adata-plan),whichonewouldyouchoose?” 2: Figure

is,telmtdsto SPbt uprsonly supports bits DSCP of set limited the First, or operators network blame to common is it While DPI deployment, wide their despite summary, In # of users 10 15 20 ↵ 1 5 Serv. ~ ~50

in o omnctn srpreferences. user communicating for cient facebook netflix instagram I o ol hoeasnl plcto eg aeok ontcutaantyu aacp o o vnrequire even not (or caps data your against count not to Facebook) (e.g. application single a choose could you “If

Di google maps 6 n sarayue nenlyb net- by internally used already is and ) ↵

evalw npit omr their mark to endpoints allows Serv google music whatsapp reddit is fun amazon music

↵ nine rn ehns o their for mechanism erent wikipedia tunein radio beats

hulu nyt epne rm10 mrpoeues n plcto radw ytp and type by breakdown application and users, smartphone 1000 from Responses

trivia crack ↵

evcan- Serv candy crush flipboard viber ↵

Serv soma.fm

swig ↵ c. indie103.1 - lynda.com schwab 8tracks sn a oepiil eus pca ramn nyby only them. treatment there special of networks request one two explicitly crosses to way packet no a is if and classes, tom fCNhs25flw;snigec fte through them of each sending frontpage flows; the 255 that has Recall CNN expensive. of be con- can slow plane relatively the trol through preferences user naling flows. these on match to switches pro- the control-plane grams the (e.g., Subsequently, treatment 5-tuple). special the get using should de- user flows channel—by which a (OOB) scribing to (or out-of-band flows an application which on—via plane the match control approach, centralized the preferences this tells their In agent) express 21]. to users [32, API and an applications expose of for plane and control (SDNs), flexible networks the software-defined leverage express to description. been to has flow user proach band a for of way network. Out the practical to a preferences not her is It tra classes. categorizing mechanism, marking we nal Ideally device. dependencies. this these avoid from to to coming want router home bits her manufacturer DSCP configure console reset or the software, the ask have update would device, to user the a for using charges charges stop avoid To operator to an class. this that low- to time for con- access same bits gaming the DSCP eas- legacy at the to a latency, sets of means opportunistically Think the that have sole access. not users, such do for revoke charges operators or—ily network or preferences, in users user results and special with it for conflicts worse—if ask it even can if developer even without Any service service request consent. and user’s bits DSCP the the applica- set any can tion primitives: revocation and authentication edmodo

hsapoc a w anlmttos is,sig- First, limitations. main two has approach This Di result, a As Di important, most maybe and Second, mapmyrun Netflix-Australia Wikipedia-Zero Music Freedom Facebook-Zero

action news

wwf Tns -akn,Xo games). XBox e-banking, iTunes, a o itdi ogePa tr (e.g. Store Play Google in listed Not VSraig32 Streaming AV aeoy#o apps of # Category dcto 2 Education rwe 3 Browser aig9 Gaming hts4 Photos oil12 Social mi 4 Email te 24 Other as4 Maps es12 News ↵ evi nysie sa inter- an as suited only is Serv oercn ap- recent more A ouaiy#o apps of # Popularity 0M50 14 100M-500M 0-0M28 10M-100M M1M13 1M-10M > N/A < 0M10 500M M16 1M a ↵ nobroad into c evhsno has Serv 25 a centralized controller to reprogram multiple network To prevent an unauthorized third-party from replay- switches is an expensive process. Second, giving a static ing or spoofing a cookie, each cookie is unique, signed, flow description does not work when the flow changes— and can be used only once,inwayswedescribebelow. for example, as it traverses a NAT or is encapsulated. One way to get these properties would be for the user In a home network, the flow will change at the NAT to ask the network for a new cookie every time it sends module of the home router, making the 5-tuple descrip- a packet. Clearly this would be burdensome and slow. tion invalid for the head-end router. A workaround Instead, the user requests a cookie descriptor which is would be to describe a flow only with static fields, e.g., then used to locally generate multiple cookies. Period- the server’s IP address and port, but this causes false ically, the user gets a new descriptor from the network. matches as a single server hosts content from several The workflow goes like this: The network advertises other applications. In 5 we quantify some of the limi- the special services it is o↵ering on a well-known server; tations of DPI and OOB§ using example user preferences. for example, it may advertise that it has cookies avail- able to boost any website, or only cookies to boost Ama- 3.1 From Limitations to Requirements zon Prime video. The user picks a cookie descriptor The limitations of existing approaches motivated our from the well-known server—the user might buy it, or search for a new mechanism that satisfies three funda- be entitled to a certain number per month, via coupons, mental requirements. or on whatever terms the network owner decides. Once The proposed mechanism should be simple for users the user has a cookie descriptor she can use it to gen- to understand and expressive enough to enable a vari- erate local cookies, and attach them to her packets. A ety of services (e.g., fast-lane, zero-rating and new ser- cookie descriptor typically lasts hours or days, and is vices that come along), let users choose any application renewed by the user as needed. they like, and to express a complex set of changing user To understand cookies, it helps to start by looking at preferences (e.g., a website, or a mobile application). the details of the cookie descriptor, from which cookies It should respect the tussle between di↵erent stake- are generated. holders (i.e., users, the network, content providers and struct cookie_descriptor { policymakers). In order to support many ways to ex- // a 64-bit value that identifies a cookie press preferences, and di↵erent regulatory frameworks, // descriptor and acts as a lookup key. the mechanism should be policy-free. It should not uint64_t cookie_id, force a user to reveal which content they request special // Shared key used to sign a cookie. char * key, treatment for, and prevent unauthorized parties from // Service data identify the network service requesting special treatment without the user’s permis- // the packet should receive. It can be just sion. // the name of the service (e.g., ’Boost’), Finally, the mechanism should be practical to de- // or any other information. ploy. It should not overly burden the user, the user’s char * service_data, // An optional list of attributes that chara- device or the network operator, and work well in the // cterize a cookie descriptor (e.g. when and presence of CDN, NAT, and HTTPS. It should be incre- // how to use it, whether it is valid or not). mentally deployable without requiring forklift changes char * attributes[] in network or content provider infrastructure. }; The next section introduces network cookies,a Listing 1: Cookie Descriptor mapping abstraction that meets these requirements. From this descriptor, the local host generates cookies 4. NETWORK COOKIES with the following fields: Network cookies are a policy-free mechanism allowing struct cookie { users to express their preferences to the network and to // 64-bit id copied from the descriptor. remote service and content providers. uint64_t cookie_id, // Universally unique identifier for this cookie. 4.1 Cookies uuid_t uuid, // The time a cookie was generated. Limits the A network cookie is a small piece of data that users // duration a cookie is valid, prevents reuse, attach to their packets. As a packet flows through the // and reduces state kept by the network. network, the network cookie communicates the user’s uint64_t timestamp, preferences to the devices it encounters along the way, // Message Authentication Code that verifies a // cookie and prevents spoofing. possibly all the way to the end host. Upon detection, char * signature the network and the end host lookup the cookie in a }; table to decide what service to apply to the packet (and possibly to all other packets from the same flow). Listing 2: Cookie Cookie"Descriptor" def generate_cookie(descriptor): Descriptor" value = descriptor.id + uuid() + now() DB" digest = hmac.digest(descriptor.key, value)

Cookie"Server" return value + digest

3."Agents"generate" def match_cookie(cookie): 2."User"agents"decide" cookies,"and"the"switch" cookie_desc = cookie_descriptors[cookie.id] when,"how,"and"where" matches"against"them" to"insert"a"cookie" if (!cookie_desc || !cookie_desc.is_valid_sig(cookie) || DB" !cookie_desc.is_unique_uuid(cookie.uuid) || User"Agent" abs(cookie.timestamp - now()) > NCT): return None cookie_desc.append_cookie(cookie.uuid) Cookie" Cookie5enabled"Switch"or"Middlebox" return cookie_desc

Figure 3: Workflow for a cookie-enabled service.6" Listing 3: Pseudocode for cookie generation and matching.

4.2 Cookie Workflow plications and network services involved. Let’s take a closer look at how users express their 3. Cookie Generation and Matching: The last step preferences via the cookie mechanism, and the pieces is to actually generate and match against cookies. Gen- we need to make it all work. Figure 3 shows the main eration is easy from the cookie descriptor, and the architecture. cookie is added to an outgoing packet. The network Components: The first component is the user-agent detects a cookie and verifies that it is valid by checking which has a GUI for the user to express her preferences. that (i) the cookie ID is known, (ii) the MAC digest In the background it interfaces to the network to dis- matches, (iii) the timestamp is within the “network co- cover and acquire cookie descriptors. The user-agent herency time”, and iv) that we haven’t seen the cookie also generates and adds cookies to packets. User-agents before. The network coherency time (NCT) is the max- can be integrated into an OS, browser, or in the appli- imum time we expect a packet to live within the net- cation itself (e.g., a video player or a VOIP client). The work, and is set to 5 seconds. To verify uniqueness, we second component is the well-known server where users keep a list of recently seen cookies (within NCT). If a go to acquire cookie descriptors. Finally, the network cookie is valid, the network applies the service directly switches (or middle boxes) that match against cookies (e.g., sends the packet through a high-priority queue). and apply the right service. Alternatively it can mark the DSCP bits to enforce the Workflow: Getting and using a cookie descriptor hap- service elsewhere in the network. If it fails to match, pens in three stages: it behaves as if the cookie was not there, o↵ering de- 1. Cookie Descriptor Discovery and Acquisition. fault services. We show sample code for generation and Users and their clients learn of network services through matching in Listing 3. standard discovery protocols (DHCP, mDNS) or it can be hardcoded in the application (e.g. Amazon Prime Video might know where to get special Amazon cook- 4.3 Cookie Attributes ies). Once found, the descriptor is downloaded over Some network services will need more information to an (optionally authenticated) out-of-band mechanism be supplied with a cookie. For example, a cookie might (e.g., a JSON API). For example, in a home network only be valid when the user is connected to a specific anyone who can talk to the AP might get a cookie, while WiFi network, or in a specific geographic area, or in a cellular network might require users to login first. a specific network domain. Cookies therefore carry un- 2. Cookie Insertion: There are several ways to use formatted, optional attributes, added by the network or a cookie. First to consider is when to use a cookie (and end host, to provide more service-specific information. the associated service). This can be explicitly requested We expect some cookie attributes to become by the user, or assisted by an application (e.g., a video common-place, such as client can ask for extra bandwidth if its bu↵er runs Granularity: A cookie can be applied to a packet low). Next to consider is where to add the cookie to or• a flow. By default, a cookie characterizes the flow our packets. We suggest supporting multiple choices; (5-tuple) that a packet belongs to. If set, granularity we can add it at the application layer (as an http header lists the header fields that compose the flow described for unencrypted trac or a TLS handshake extension by this cookie (e.g. 5-tuple for a TCP flow), or limit for https trac [10]); at the transport layer (TCP long it to this packet only. We can also define whether the options [9], integration with QUIC, or a custom UDP- cookie applies the desired service for the reverse flow. based header); or at the network layer (IPv6 extension Shared: When set, the cookie descriptor can be header). Choosing the right layer depends on the ap- shared• between multiple endpoints. In a home network, the home router might acquire a descriptor from the applications, and ISPs, and allow for di↵erent outcomes ISP and then act as a cache, sharing it with devices by separating the mechanism (the cookie) from the pol- connected to the home network. icy (the preference); and (iii) they can be deployed in to- Acknowledgment Cookie: When set, the remote day’s infrastructure without requiring forklift changes. server• is expected to send an acknowledgment cookie To meet these requirements, cookies exhibit specific with the response. Acknowledgment cookies can be properties which we describe below. Table 1 provides a used for di↵erent reasons, like setup necessary state on summary and compares cookies with alternative mech- the reverse path, or verify that the server received the anisms to express user preferences. cookie from the user. A server could just playback the Cookies are simple yet expressive: Cookies are original cookie sent by the user, or generate and send a conceptually simple for users to understand: “I insert new one (assuming the user shared the cookie descriptor a cookie in my packets to make specific trac faster”. with the server). They are not tied to a specific network service and can Network delivery guarantees: When set, the net- be used for QoS, zero-rating, or generally for linking work• is expected to send an acknowledgment cookie arbitrary tractoarbitrarystateandprocessing(e.g., with the reverse trac to acknowledge that it received consume a network service, identify a user or act as au- and acted upon a cookie sent by the user. It is similar thentication credentials). Cookies have low transaction with the previous attribute, but instead of the server, it cost and can express the heavy tail of user preferences, is the network that acknowledges receiving the cookie. not just a list of a few popular applications. They can Guarantees can be useful when cookies are ignored (e.g., also express high-level and complex demands,likepri- a bug in the client that creates an erroneous cookie, or oritizing a webpage or mobile application. They are a temporary loss of state in the network)—for exam- composable—users can combine multiple services (po- ple a video player could notify the user that she will tentially by di↵erent networks) by composing multiple be charged for the upcoming video. Network delivery cookies together. Finally, cookies can be cleanly del- guarantees assume that the network can modify trac egated by the users to either the content provider or between endpoints to add a cookie, and therefore de- some third party that figures out how to best use cook- pend on the transport protocol (e.g., HTTP and IPv6 ies for them. Specifically, users can choose to share their work fine, while SSL/TLS prevents third parties from cookie descriptors with their desired content providers modifying trac between endpoints. New protocols who in turn can generate cookies on their behalf and (like mcTLS [26]) enhance SSL to allow middleboxes apply them to the downlink content. Delegation still to change trac between endpoints in a trusted way. keeps the users in control while respecting any tussle Cookie Transport: A list of protocols over which a boundaries between content providers and ISPs. cookie• can be carried (e.g., HTTP, TCP, IPv6, TLS). Cookies respect tussles: Cookies respect the trust Expiration: Until when a cookie descriptor is valid. relationships between users, applications and ISPs in Expiration• dates can be used to revoke a service, and terms of privacy, accountability and authentication. also limit the risk of descriptor leakage. They are unique and can be used only once, prevent- ing an unauthorized party from spoofing or replaying 4.4 Putting Everything Together an already used cookie. Cookies are signed and provide As a concrete example, consider an ISP that o↵ers its built-in authentication during the descriptor acquisition customers a fast-lane for their high priority trac. The phase, which means that only authorized users can gen- home AP discovers that cookie descriptors are available erate a valid cookie. User privacy is respected:thenet- at http://cookie-server.com (through the DHCP lease work does not need to know what the trac is that the from the user’s ISP). The AP connects to the server cookie is attached to, allowing, for example, a user to with the user’s credentials and acquires a cookie descrip- direct a video flow to the fast-lane, without revealing tor, which is valid for one week. A browser extension the content provider or even the fact that it is a video 4 goes to http://192.168.1.1/getcookies, discovers that a flow. Cookies are also revocable by both parties: when fast-lane is available in the network, and highlights a users want to stop using a service, they just have to stop button which boosts a given website when clicked. The adding a cookie to their trac, or ask the network to extension uses the cookie descriptor to add cookies to invalidate a descriptor (in case they cannot control the outgoing packets. application); the network can similarly stop matching against a cookie to stop o↵ering a service. Revocability 4.5 Cookie Properties 4By respecting user privacy we mean that use of cookies Cookies are designed to meet three high-level require- does not require users to reveal what is their preferred ments: (i) they are simple for users to understand and content to the network. They do not add any further expressive enough to enable a variety of services and protection for information already exposed, such as des- user preferences; (ii) they respect tussles between users, tination IP address and port. is also helpful in case a descriptor gets leaked or an ap- add authentication primitives to protect acquisition of plication gets compromised. Finally, cookies are policy- cookies and provide accountability, and add attributes free: they separate mechanism from policy and enable to further define their use. Cookies themselves are tai- di↵erent outcomes in tussles depending on trust rela- lored for dataplane use. They are generated, inserted, tionships and regulatory frameworks between the dif- and matched locally on a straight-forward way, they ferent stakeholders. At the same time they are easily are unique to protect against replay attacks, and carry auditable—interested parties can monitor what trac cryptographic primitives to ensure integrity, authentic- gets special treatment by the network just by looking ity and delivery guarantees for security. at who gets access to cookie descriptors and how. Cookies can be practically deployed: Cookies 4.6 Deployment Considerations are separate entities from the tracitself (header, pay- Deployment considerations for a cookie-based service load and path). Therefore they are not a↵ected by en- will depend on the network and type of service to be cryption (https), service co-hosting (CDN and cloud- o↵ered (e.g., last-mile QoS, zero-rating). based infrastructure), or packet-mangling middleboxes To better understand scalability concerns, we built such as NAT. The network can capture complex con- a cookie-based zero-rating middlebox on top of Click texts (e.g., a webpage, a mobile application) with high and DPDK [25, 2] using an o↵-the-shelf server.5 Our accuracy. They can be used in multiple transport layers middle-box keeps two counters per IP address (one for (e.g., HTTP header, TLS handshake extension, IPv6 free and another for charged data), and enforces the header). They can also be incrementally deployed by service in software for both directions of a flow. Cookies changing only the client and the network—we do not are embedded as a special HTTP REQUEST header for depend on servers to recognize or act upon cookies. HTTP trac or TLS ClientHello extension for HTTPS. In the simplest scenario (e.g., charging, QoS over the We expect this NFV-like approach to be common for last-mile), we can detect cookies and enforce the ser- services like zero-rating and last-mile QoS deployed in vice for a flow in both directions using a single box. For edge networks, and is on par with architecture trends more involved deployments, cookies do not need to be in ISPs and mobile carriers. deployed in every switch/router in the network; an ISP For a given packet our middle-box has to perform one can look up cookies at the edge (e.g., as a Virtualized of three tasks: i) search for a potential cookie (first 2- Network Function) and then use an internal mechanism 3 packets of every flow), ii) search and verify a cookie to consume a service within the network (e.g., Di↵Serv (a packet that contains a cookie) or iii) simply map a or FlowTags [19]). Because cookies are composable, we packet to a given service (for a flow already updated can incrementally use services from di↵erent network in our system). As such, performance will depend on providers. For example, a videocall between two users trac parameters such as the number of packets per could use two cookies to get sucient bandwidth at flow, or new flows per second. both access networks, without requiring any coordina- We evaluated performance against a 15-hour tion between the two network operators. Acknowledg- anonymized trace that includes all wireless trac from ment cookies expand cookies functionality to simplify our university’s main campus, student residences, and service enforcement for reverse flows, especially for as- visitor WiFi. It contains 11.3 million HTTP(S) flows symetric paths: we can ask the server to bounce back originating from 73613 distinct IP addresses (median the cookie we sent, or generate a fresh one from a del- flow size is 50 packets, and 99-percentile for new flows egated descriptor and send it along with the downlink per second is 442).6 We connected our middlebox with a flow. Cookies also fail gracefully; when the network fails MoonGen packet generator [18] which sends flows with to match or verify a cookie, it can default to best-e↵ort cookies and monitors how fast our middlebox can for- services. Furthermore, we can enhance the cookie work- ward packets. Assuming 50-packet flows, 100K cookie flow with optional network delivery guarantees.When descriptors, and a cookie for each flow, our middle-box the network detects a cookie, it generates an “acknowl- was able to saturate a 10Gb link with 512-bytes pack- edgment” cookie from the same descriptor, and attaches ets (⇠48000 new flows per second), much more than it to the response. If the client doesn’t receive an ac- required by the university trace. Performance drops knowledgement cookie, it shows an alert to the user below line-rate for smaller packet or flow sizes (Figure asking whether she wants to continue nevertheless with 4). best e↵ort service. There are certain steps to further scale our system. While expressive, the separation of cookies and First, we can use multiple cores instead of one, and sim- cookie descriptors results in a low overhead mechanism. Cookie descriptors are exchanged over a slow and less 58-core Intel Xeon @ 2.60GHz, 128GB of RAM, 2 10Gb dynamic control plane. Therefore we can exchange ar- NIC. 6 bitrary length state without worrying about overhead, The trace was collected on Jan. 26th 2015 from 9am to 11:59pm. Cookies DPI OOB Di↵Serv arbitrary trac arbitrary state Low transaction$ cost ⇥ ⇥ Simple ⇥ & High-level preferences Composable ⇥ Expressive ⇥ ⇥ Delegetable Protection from replay, spoofing ⇥ ⇥ ⇥ Tussle Built-in Authentication Aware Respect Privacy ⇥ ⇥ ⇥ Revocable Independent from headerspace, payload, path ⇥ ⇥ ⇥ ⇥ ⇥ Deployable High Accuracy Multiple transport mechanisms ⇥ ⇥ ⇥ ⇥ Low overhead Network Delivery Guarantees ⇥ ⇥ ⇥ Table 1: Network Cookies properties and comparison with alternative mechanisms to map trac to a network service. ilarly add more than one middle-boxes to scale-out the this preference internally. deployment, along with a load-balancer that shares the Packet-based cookies: Transport protocols that trac among servers. A similar approach for software- guarantee a cookie is contained within a single packet based NAT was demonstrated to scale up to 40Gb/s (e.g., IPv6 extension header, QUIC) can further im- with six commodity servers [27]. The main challenge prove performance. First, they require less state, as to scale out cookies in a distributed deployment comes we don’t need to reassemble part of a flow before pro- from verifying uniqueness as cookies from the same de- cessing a cookie. In the extreme, if every packet car- scriptor might appear in di↵erent places (a problem ries a cookie, flow-related state is eliminated (in the known as double-spending in digital cash schemes). We expense of bandwidth overhead and higher matching can relax uniqueness verification in certain cases—for rates). Packet-based cookies can facilitate better hard- example an ISP can ensure that all cookies from a spe- ware support which follows next. cific descriptor always go through the same middle-box Hardware support for cookies: Processing cookies where uniqueness can be locally verified. An in-depth will most likely take place in software, as current equip- exploration of potential risks and methods to verify ment does not not support HMAC-style verification or uniqueness on a distributed deployment is left for fu- direct state setup for reverse flows. However, config- ture work. urable hardware [15] and hardware-software coordina- We now discuss some variations of the above deploy- tion can still be beneficial. The hardware could detect ment scenario. and forward to software only packets that contain cook- Proxy-Mode: Instead of deploying cookies in-band ies, avoiding the extra overhead for all other packets. It with trac of interest, cookies can also operate in proxy could further verify the timestamp and look the cookie mode, i.e., co-located with a web proxy through which id against a table of known descriptors, further reduc- clients send their trac. This can ease deployment (e.g., ing the amount of packets that need to go to software. the service can be deployed in existing datacenters) and Discussions with hardware vendors implied that these is particularly interesting for usecases where proxying capabilities are available today in modern hardware. overhead is not critical (e.g., zero-rating for cellular net- All in all, while deployment details will depend on the works). AnyLink ( 5) operates in proxy mode to emu- actual service and network under consideration, cook- late slower links for§ application developers. ies seem practical for a wide variety of existing usecases. Cookie DSCP mapping: Service enforcement does Furthermore, existing trends like Software Defined Net- not have! to be co-located with cookie inspection. The works, programmable hardware, and Network Function ISP can look up cookies at the edge, and then use an Virtualization will further improve their applicability internal mechanism to consume a service within the net- and performance. work (e.g., Di↵Serv, MPLS, or QCI for LTE networks) without requiring all switches to support cookies. In essence, cookies enable users to express their preference 5. BOOST: A USER-DEFINED FAST and communicate it to the network in a trusted and re- LANE vocable way, independent of the path. The network can To understand how users would like to customize then use a di↵erent mechanism to interpret and realize their network, we prototype and deploy a service called Boost, which allows users to decide which tracwill 10 can be very complex for the network to detect; what is easy for the network (e.g., the IP of a server or a spe- 8 cific flow) is often meaningless for the users. Cookies 6 with support from an agent can bridge the gap between users and networks. 4 Focusing on web trac and the application layer 10 pkts/flow gives us an easy place to start studying users’ prefer- throughput (Gbps) 2 50 pkts/flow ences, and a relatively easy deployment path. We add 100 pkts/flow 0 cookie-related functionality without requiring any ker- 1500 1024 512 256 64 packet size (bytes) nel, server, or protocol support, and we can develop and deploy actual services on top of the Chrome browser Figure 4: Matching performance for a Click-DPDK based cookie middlebox. Our prototype can provide 10Gb/s line- which work with standard HTTP(S) trac. Being close rate for 50 packet flows and 512-bytes packets using a single to the user, preferences can also capture user context: core; and process all wireless trac from a university cam- they can relate to content, as tracisstillunencrypted; pus. or take into account the active tab of the browser; and they can be further enhanced by applications: a user preference can be combined with a trigger from a video travel in the “fast lane” to their home network. Boost client running low in bu↵er. These properties are not is very simple: it sends fast-lane trac through a high browser specific, but hint towards a more generic design priority queue, and occasionally throttles non-fast-lane choice: should we place an agent closer to users and trac; it was designed to let us study user prefer- applications, or follow a more network-centric approach ences rather than as a production-ready service. Boost (e.g., place the agent at a network gateway)? We choose was deployed in 161 homes as part of early testing for the former, as it can capture user preferences and user Google’s OnHub home WiFi router. Interested readers context in a much better way. can access sample code and try a cloud-based version We insert cookies as a special HTTP header for unen- of Boost which provides slow (instead of fast) lanes at crypted trac, and as a custom TLS extension (in TLS http://anylink.stanford.edu. ClientHello messages) for HTTPS trac. To better ad- Boost consists of two elements, a daemon and server just with TLS and HTTP, we send a base64-encoded running on the home access point, and a user-facing text cookie. We intercept outgoing http(s) requests agent implemented as a Chrome browser extension. using a Chrome API, extract related metadata (e.g., 5.1 Boost Agent which tab generated it, the url in the address bar), and if it matches with user preferences we add a boost cookie The agent is a Chrome browser extension, and lets to it. While adding an http header is straightforward, users decide which trac to boost in the following ways. to add a TLS extension we had to modify Chrome’s Boost a tab. All trac from/to a specific tab is SSL/TLS library.8 boosted. The user initiates this once per tab, and it To start boosting trac, the agent issues a boost re- lasts until she closes the tab (or after an hour). quest to a well-known server using a JSON message. Always Boost a website. Trac related to a website The server responds with a boost cookie descriptor. A gets priority.7 The setting is remembered; whenever a boost event (and the related cookie descriptor) expires user visits this website the agent informs the AP for by default after one hour. To resolve conflicts when related flows. multiple clients want to boost within a household, we The browser provides an interesting vantage point. have a last one wins policy, and expect users to resolve Users can boost any trac they like, not just a short- conflicts at a human level, if this is not enough. list of popular applications; and they declare their pref- erences in an intuitive, easy-to-understand way: they 5.2 Boost Daemon and Cookie Server identify webpages they would like to boost. While easy We keep cookie descriptors at a server already known from the browser’s vantage point, it is much more com- to our Boost agents. We store them in a persistent SQL plicated if viewed from the network; all it sees is a large database and expose a JSON API for users to acquire number of flows being started. For example, in the (oth- them. We implement a python-based daemon on the erwise simple) task of loading the frontpage of cnn.com, WiFi router which sni↵strac, looks up cookies and the browser starts 255 flows to 71 di↵erent servers. This enforces the desired QoS service. Our daemon sni↵s highlights an interesting paradox: what is simple and the first 3 incoming packets for each flow; if it detects meaningful for the user (e.g., a webpage, a mobile app) a cookie, it tries to match the cookie against a known 7 We define a website by the domain at the browser’s descriptor and verifies its integrity. If this is successful, address bar, and boost all flows generated within this tab. 8Chrome uses BoringSSL, a fork of OpenSSL. 1.0 correct websites; and whether they would have been 0.8 correctly boosted by alternative implementations that 0.6 do not use cookies. As an example, we examine three CDF 0.4 preferences from our users (youtube.com, cnn.com, and best-effort 0.2 boosted skai.gr, a Greek media site). Navigating to the front- throttled 0.0 0 2 4 6 8 10 12 page of each site generates 80/3750, 255/6741, and flow completion time (sec) 83/1983 flows/packets respectively. As shown in Fig- (a) (b) ure 6(a), using cookies and our Chrome agent, we boost Figure 5: a) User interface for Boost. b) Flow completion > 90% of trac in all three cases. Our agent misses time for a 300KB flow in the presence of background trac. DNS requests and trac prefetched by Chrome. Next we compare cookies with a DPI-based design, to see if it could correctly identify and boost the same it adds this and the reverse flow to the fast lane using three websites. We use nDPI [17], a publicly available a set of standard tools in the WiFi router (iptables and DPI system which can detect more than 220 popular Linux tc). applications, protocols, and websites. We ask nDPI to To provision the path for boosted tracwei)usethe recognize and boost the websites, based on the trac high-bandwidth wireless WMM queue, and ii) throttle it sees in the network, then check to see if it identifies other trac to ensure certain capacity for boosted traf- them correctly. DPI correctly identified only 18% of fic through the last-mile connection. The actual throt- the trac when we tried to boost cnn.com, and failed tling rate depends on the capacity of the WAN con- to detect any trac for the Greek media site as it had nection which we estimate using periodic active tests. no rules for it. Moreover, nDPI occasionally matched Figure 5(b) shows a scenario for a 6Mbps connection, the wrong packets (false positives). When trying to where we throttle non-boosted tracto1Mbps. match youtube.com it also matched 12% of packets We should emphasize that our Boost prototype is far from skai.gr, as it embedded YouTube’s video player. from perfect; for example, it is not work-conserving if Finally we compare with an out-of-band (OOB) the user does not use the fast-lane. This reflects our goal mechanism that sends a flow description to a central to understand user’s preferences, rather than build the controller, asking it to boost trac matching the rule. perfect service. We plan to improve the Boost prototype OOB detects the same flows with cookies, as they both and install into more WiFi routers. detect trac in the browser (Figure 6(c)). But it su↵ers 5.3 Measurements of Users’ Preferences from false positives. To make a flow description valid across a NAT we can only use the destination IP and Our first version of Boost, which uses an out-of-band port. This leads to 40% false positives in our exam- API to communicate to the WiFi router, was made ple, as a major share of the trac comes from the same available to 400 home users, during an internal “dog- servers (e.g., CDN, ads, social sharing plugins). food” test of the OnHub home WiFi router. 161 users (40%) installed the extension in their browsers. Figure 5(a) shows a screenshot from the Boost extension while 6. DISCUSSION navigating to an online educational platform. Di↵erentiated network services are subject to mul- Figure 1 shows the websites prioritized by users, tiple factors, such as stakeholders economic incen- the number of clients that boosted a given domain, tives, regulatory frameworks, industry competition, and their popularity. Many users boosted popular US user familiriaty with Internet services, and the under- video websites (Netflix, YouTube, HBO, ABC, Fox, and lying technology. In this section we discuss the role of ESPN). The tail also includes less popular sites, such as network cookies in the wider ecosystem. a VoIP service, on-demand video services from several Cookies are policy-free: They don’t dictate what the countries, as well as a website for ticketing auctions, policy is and can enable di↵erent outcomes, all the way where a few milliseconds might help secure a ticket for from user-driven services to ones where an ISP can a popular event. Informal discussion with users also handpick a single service to di↵erentiate. Their main pinpointed interesting usecases: one user had a slow In- value comes from streamlining the process for certain ternet connection (3Mb/s) and occasionally wanted to trac to get special treatment: All we need to do is dedicate all resources to a specific task (stream a video); decide who gets access to cookie descriptors and how. another wanted to prioritize business-related calls; and First, cookies enable new policies that are not avail- a third one wanted to prioritize Netflix on his TV, but able with existing technologies. This paper discussed not Netflix on his kids tablets. one of them in depth: User-driven services. Others are also possible. For example, because cookies are inde- 5.4 Accuracy when boosting with cookies pendent from the trac itself, a third party (other than Our prototype lets us check if cookies will boost the the content provider or ISP) can pay for delivery of ar- matched matched matched 100 false 100 false 100 false

80 80 80

60 60 60

40 40 40 packets boosted (%) packets boosted (%) packets boosted (%) 20 20 20

0 0 0 cnn.com youtube.com skai.gr cnn.com youtube.com skai.gr cnn.com youtube.com skai.gr (a) Cookies (b) nDPI (c) Out-of-band Figure 6: Matching accuracy for three sample user preferences. DPI cannot capture the complexity of a website, and fails to match any trac from a less popular site. OOB can match a website with high accuracy, and respects the heavy tail of user preferences, but doesn’t work well when flows change (e.g., by NAT or encapsulation). Using coarse granularity descriptions leads to false positive matches. Cookies can serve any user preference with high accuracy and no false positives.

bitrary content (e.g., a school or non-profit could sub- egory. sidize the cost of data delivery for certain educational Small providers complain that T-Mobile ignores them videos). because they are not big enough; T-Mobile claims that Second, they can significantly accelerate and stream- it is open to everyone and uses technical limitations to line service provisioning, as any trac can be easily dif- explain delays; and the FCC wants to investigate on a ferentiated, even in relatively complex scenarios (e.g., a per-case basis, but it does not have the means to do so. video stream, with a side-chat service, and video adver- Cookies remove technical barriers and make the pro- tisements from a third-party ad-network). Streamlining cess straightforward—all an ISP has to do is give each how trac is mapped to di↵erent network policies not content provider a cookie descriptor. This makes it eas- only reduces overhead for ISPs and content providers, ier for both ISPs and content providers to coordinate. but can also lead to services which are more inclusive, Regulators can eciently audit if involved parties play transparent, and easily auditable. This can be very im- fairly. The FCC could demand that T-Mobile maintains portant, especially in an environment of mistrust among a public database with the dates for all cookie descrip- di↵erent stakeholders. tor requests, and it should be obliged to provide the Take T-Mobile’s Music Freedom program as an exam- descriptor to eligible parties within three days. This is ple.9 T-Mobile claims that any licenced music stream- similar to the FCC’s “local number portability rules,” ing provider is eligible to participate at its zero-rated which requires phone companies to complete the trans- program at no cost. But why are many services ex- fer of a phone number from one company to another cluded? After two years of operations and seven service within one business day from user’s request [20]. expansions, Music Freedom included 44 out of more than 2500 licenced online radio streaming stations [8, 6]. When we run our online user survey (August 2015), 7. RELATED WORK Music Freedom included only 17 out of 51 unique mu- Previous work in research and commercial products sic applications listed by our respondents. We believe highlighted the need to give users and applications con- that this is related with the manual and involved tech- trol over network functions, both in home and enterprise nical process to add new participants in Music Free- networks [32, 24, 29, 21, 5]. They all use derivatives of dom.10 SomaFM, a popular online radio station, spent DPI and OOB techniques, and as such inherit the limi- 18 months to become part of the program, having been tations we described in 3. FlowTags [19] use DSCP bits first ignored by T-Mobile then confronted with techni- to co-ordinate with middleboxes§ and facilitate enforce- cal limitations [28]. We experienced something similar: ment of network services in the presence of NAT and We worked with RockRadio.gr, a small regional radio similar functions. Like Di↵Serv, they lack authentica- station to help them participate in Music Freedom, but tion primitives, support only up to 64 tags, and require after three e-mails to the designated address and several full control of the path, which make them better fit for months we heard no reply from T-Mobile. These inci- enterprise networks instead of functionality across net- dents not only limit user choice, but can dramatically work boundaries. a↵ect competition between services within the same cat- The advent of HTTPS emphasized the limitations of DPI and spurred interest in how to communicate be- 9Music Freedom represents a broad range of class-based services. Similar ones have been explored for video, tween endpoints and middleboxes while preserving end- VoIP, healthcare and educational services. to-end encryption. mcTLS [26] extends TLS to allow 10According to anecdotal sources, T-Mobile uses DPI endpoints to incorporate trusted middleboxes into se- techniques to detect eligible trac for Music Freedom. cure sessions, while SPUD [7] proposes a new UDP transport layer that creates a “tube” to group multiple 8. CONCLUSION subflows between two endpoints. They both provide We live in a time of enormous focus on how to im- rich, bidirectional communication between endpoints prove the Internet, how to encourage ISPs to keep in- and the network. In contrast, cookies provide a thin- vesting to improve it, and how to ensure users continue ner interface (i.e., a mapping abstraction), but at the to have unfettered access to a broad range of services, same time are much simpler to deploy: they work along content and applications. This focus has taken place with multiple existing protocols (e.g., HTTP(S), UDP, mostly between large companies and government, with TCP), they can be incrementally deployed without the interests of network operators pitted against content modification or support from the servers, and they don’t providers. Government’s role has been to look out for require symmetric paths or new encryption schemes. us, the users. But largely, there has not been a way for Furthermore, cookies can leverage the primitives given us to take part, outside lobbying our political represen- by these protocols. For example, each cookie can have tatives. This paper tries to make two contributions to its own mcTLS context, and allow the network to mod- the debate. Network cookies provide a neutral, policy- ify it in order to provide network delivery guarantees. free mechanism to express which applications receive BlindBox [30] takes a di↵erent approach: it performs special treatment from the network, regardless of pop- deep-packet inspection directly on the encrypted trac ularity, complexity of task, or presence of middleboxes using novel encryption schemes. It is mostly tailored while providing the necessary means for authentication, for IDS and firewalls (instead of expressing user prefer- accountability and user privacy. Using network cookies ences), and the associated complexity is significant—it we advocate for a user-centric policy, where users can di- introduces a new protocol, new encryption schemes, and rectly state their preferences and look after themselves. a heavyweight process to setup the necessary encryption Our basic premise is that if users can express (and po- context for a new flow (up to 90 seconds). tentially pay for) how they want their network tracto Network capabilities [14] was a proposal to prevent be treated, then it becomes safe - in fact desirable - to DDoS attacks. Despite the di↵erent context, they are treat some trac as more important than other. perhaps the closest mechanism to network cookies. Ca- pabilities are tokens granted by a server to a client, to verify a connection between the two and signal the net- Acknowledgements work to forward it through a protected path. In con- The authors would like to thank our shepherd, Phillipa trast, cookies are granted by the network and are not Gill and anonymous Sigcomm reviewers for their feed- bounded to a specific connection—both AnyLink and back. We would also like to thank Barbara Van Boost work for any trac without requiring support Schewick and Ramesh Johari for valuable comments in from the servers. Furthermore, cookie descriptors de- early drafts of this paper, and Andreas Terzis, Ankur couple discovery, acquisition and authentication from Jain, Roshan Baliga, and all other participants for their actual trac, leading to a much lower overhead mecha- help with our Boost prototype deployment at Google. nism. This work is supported by the Open Networking Re- There is a vast literature covering net neutrality, search Center, the Platforms Lab at Stanford Univer- mostly from an economics and policy perspective. Dur- sity, AT&T and Intel. The opinions expressed in this ing recent FCC hearings, both sides of the debate talked paper are those of the authors only. favorably about user-driven prioritization [31, 1]. Net Neutrality advocates welcomed the approach, but raised 9. REFERENCES concerns on whether the actual implementation of user- [1] AT&T comments to the FCC. http: driven prioritization could limit user choice [11]. Net- //apps.fcc.gov/ecfs/document/view?id=7521679206. work cookies directly address these concerns, as they [2] Data Plane Development Kit. http://www.dpdk.org. provide a simple, policy-free mechanism, and allow reg- [3] Facebook Zero Wikipedia Entry. ulators to decide and subsequently audit the policy sim- https://en.wikipedia.org/wiki/FacebookZero. ply by monitoring who gets access to cookie descriptors [4] Netflix apologizes for undermining Net Neutrality. and how. Moreover, our user studies provide insights http://www.fastcompany.com/3045150/fast- on how to better preserve the users’ interests. feed/netflix-apologizes-for-undermining-net- neutrality-in-australia. The design of network cookies has been motivated by [5] Qualcomm StreamBoost for Home Routers. “the tussle”[16], a position that accommodating the tus- https://www.qualcomm.com/news/releases/2013/01/ sle between di↵erent Internet stakeholders is a crucial 04/qualcomm-introduces-streamboost-technology- part to the evolution of the network’s technical archi- optimize-performance-and. tecture; and of course HTTP cookies, a small piece of [6] Sound Exchange Non-Profit Organization. data that users attach to their tracwhentheyvisita [7] Substrate Protocol for User Datagrams (SPUD) website to customize their content. Prototype. https://tools.ietf.org/html/draft- hildebrand-spud-prototype-03. [8] T-Mobile Music Freedom. http://www.t- [24] H. Kim, S. Sundaresan, M. Chetty, N. Feamster, and mobile.com/o↵er/free-music-streaming.html. W. K. Edwards. Communicating with caps: Managing [9] TCP Extended Data O↵set Option (IETF Draft). usage caps in home networks. In ACM SIGCOMM https://tools.ietf.org/html/draft-ietf-tcpm-tcp-edo-03. Computer Communication Review, volume 41, pages [10] Transport Layer Security (TLS) Extensions. 470–471. ACM, 2011. http://www.iana.org/assignments/tls-extensiontype- [25] E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. values/tls-extensiontype-values.xhtml. Kaashoek. The click modular router. ACM [11] Washington Post Article on User-Driven Transactions on Computer Systems (TOCS), Prioritization. 18(3):263–297, 2000. https://www.washingtonpost.com/news/the- [26] D. Naylor, K. Schomp, M. Varvello, I. Leontiadis, switch/wp/2014/09/15/atts-fascinating-third-way- J. Blackburn, D. R. L´opez, K. Papagiannaki, proposal-on-net-neutrality/. P. Rodriguez Rodriguez, and P. Steenkiste. [12] What is wrong with zero-rating and how to fix it. Multi-context tls (mctls): Enabling secure in-network https://medium.com/@gyiakoumis/what-is-wrong- functionality in tls. In Proceedings of the 2015 ACM with-zero-rating-and-how-to-fix-it- Conference on Special Interest Group on Data 7eb229e9e610#.5xzq2jktg. Communication, pages 199–212. ACM, 2015. [13] Why Music Freedom May Hurt Net Neutrality. [27] V. A. Olteanu, F. Huici, and C. Raiciu. Lost in http://venturebeat.com/2014/08/30/why-t-mobiles- network address translation: Lessons from scaling the music-freedom-is-hurting-net-neutrality/. world’s simplest middlebox. In Proceedings of the 2015 [14] T. Anderson, T. Roscoe, and D. Wetherall. Preventing ACM SIGCOMM Workshop on Hot Topics in internet denial-of-service with capabilities. ACM Middleboxes and Network Function Virtualization, SIGCOMM Computer Communication Review, HotMiddlebox ’15, pages 19–24, New York, NY, USA, 34(1):39–44, 2004. 2015. ACM. [15] P. Bosshart, D. Daly, G. Gibb, M. Izzard, [28] Rusty Hodge, SomaFM Founder. Unfairness in N. McKeown, J. Rexford, C. Schlesinger, D. Talayco, T-MobileˆaA˘Zs´ unmetered music streaming. A. Vahdat, G. Varghese, et al. P4: Programming http://rainnews.com/rusty-hodge-unfairness-tmobile- protocol-independent packet processors. ACM unmetered-music-streaming/. SIGCOMM Computer Communication Review, [29] J. Schulz-Zander, C. Mayer, B. Ciobotaru, S. Schmid, 44(3):87–95, 2014. and A. Feldmann. Opensdwn: Programmatic control [16] D. D. Clark, J. Wroclawski, K. R. Sollins, and over home and enterprise wifi. In Proceedings of the R. Braden. Tussle in cyberspace: defining tomorrow’s 1st ACM SIGCOMM Symposium on Software Defined internet. In ACM SIGCOMM Computer Networking Research, SOSR ’15, pages 16:1–16:12, Communication Review, volume 32, pages 347–356. New York, NY, USA, 2015. ACM. ACM, 2002. [30] J. Sherry, C. Lan, R. A. Popa, and S. Ratnasamy. [17] L. Deri, M. Martinelli, T. Bujlow, and A. Cardigliano. Blindbox: Deep packet inspection over encrypted ndpi: Open-source high-speed deep packet inspection. trac. SIGCOMM Comput. Commun. Rev., In Wireless Communications and Mobile Computing 45(5):213–226, Aug. 2015. Conference (IWCMC), 2014 International, pages [31] B. Van Schewick. Network neutrality and quality of 617–622. IEEE, 2014. service: What a non-discrimination rule should look [18] P. Emmerich, F. Wohlfart, D. Raumer, and G. Carle. like. 2014. Moongen: A scriptable high-speed packet generator. [32] Y. Yiakoumis, S. Katti, T.-Y. Huang, N. McKeown, arXiv preprint arXiv:1410.3322,2014. K.-K. Yap, and R. Johari. Putting home users in [19] S. K. Fayazbakhsh, V. Sekar, M. Yu, and J. C. Mogul. charge of their network. In Proceedings of the 2012 Flowtags: Enforcing network-wide policies in the ACM Conference on Ubiquitous Computing. presence of dynamic middlebox actions. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, pages 19–24. ACM, 2013. [20] FCC. Number Transfer Process. https://www.fcc.gov/consumers/guides/keeping-your- telephone-number-when-changing-service-providers. [21] A. D. Ferguson, A. Guha, C. Liang, R. Fonseca, and S. Krishnamurthi. Participatory networking: An api for application control of sdns. In ACM SIGCOMM Computer Communication Review, volume 43, pages 327–338. ACM, 2013. [22] http://consumerist.com/2012/04/16/netflix-ceo-rips- comcast-on-net-neutrality. Netflix CEO, Comcast & Net Neutrality. [23] http://www.wired.com/2015/05/backlash-facebooks- free-internet-service-grows/. Backlash against Facebook Free Internet Service grows.