Please use this identifier to cite or link to this item: https://doi.org/10.21256/zhaw-1538
Title: A path layer for the internet : enabling network operations on encrypted protocols
Authors: Kühlewind, Mirja
Bühler, Tobias
Trammell, Brian
Neuhaus, Stephan
Müntener, Roman
Fairhurst, Gorry
Proceedings: Proceedings of the International Conference on Network and Service Management (CNSM)
Conference details: International Conference on Network and Service Management, Tokyo, November 26-30, 2017
Publication date: Nov-2017
Language: English
Keywords: Networking; Measurement; Encryption; Middlebox
Subject (DDC): 004: Computer science
Abstract: The deployment of encrypted transport protocols imposes new challenges for network operations. Key in-network functions such as those implemented by firewalls and passive measurement devices currently rely on information exposed by the transport layer. Encryption, in addition to improving privacy, helps to address ossification of network protocols caused by middleboxes that assume certain information to be present in the clear. However, “encrypting it all” risks diminishing the utility of these middleboxes for the traffic management tasks for which they were designed. A middlebox cannot use what it cannot see. We propose an architectural solution to this issue, by introducing a new “path layer” for transport-independent, in-band signaling between Internet endpoints and network elements on the paths between them, and using this layer to reinforce the boundary between the hop-by-hop network layer and the end-to-end transport layer. We define a path layer header on top of UDP to provide a common wire image for new, encrypted transports. This path layer header provides information to a transport-independent on-path state machine that replaces stateful handling currently based on exposed header flags and fields in TCP; it enables explicit measurability of transport layer performance; and offers extensibility by sender-to-path and path-to-receiver communications for diagnostics and management. This provides not only a replacement for signals that are not available with encrypted traffic, but also allows integrity-protected, enhanced signaling under endpoint control. We present an implementation of this wire image integrated with the QUIC protocol, as well as a basic stateful middlebox built on Vector Packet Processing (VPP) provided by FD.io.
Department: School of Engineering
Organisational unit: Institut für Angewandte Informationstechnologie (InIT)
Publication type: Conference paper
DOI: 10.21256/zhaw-1538
ISBN: 978-3-901882-98-2
URI: https://digitalcollection.zhaw.ch/handle/11475/1892
Appears in collections: Publikationen School of Engineering

Files in this item:
File            Description    Size        Format
PID5022959.pdf                 368.12 kB   Adobe PDF


All items in this repository are protected by copyright unless otherwise indicated.