An end-middle-end approach to connection establishment

Published: 27 August 2007

Abstract

The current model for flow establishment in the Internet (DNS names, IP addresses, and transport ports) is inadequate. Not all of the problem is due to the small IPv4 address space and the resulting NAT boxes. Even where global addresses exist, firewalls cannot glean enough information about a flow from packet headers, and so often err, typically by being over-conservative: disallowing flows that might otherwise be allowed. This paper presents a novel architecture, protocol design, and implementation for flow establishment in the Internet. The architecture, called NUTSS, takes into account the combined policies of endpoints and network providers. While NUTSS borrows liberally from other proposals (URI-like naming, signaling to manage ephemeral IPv4 or IPv6 data flows), NUTSS is unique in that it couples overlay signaling with data-path signaling. NUTSS requires no changes to existing protocol stacks, and, combined with recent NAT traversal techniques, works with IPv4 and existing NATs/firewalls. This paper describes NUTSS and shows how it satisfies a wide range of "end-middle-end" network requirements, including access control, middlebox steering, multi-homing, mobility, and protocol negotiation.



Published in

ACM SIGCOMM Computer Communication Review, Volume 37, Issue 4 (October 2007), 420 pages
ISSN: 0146-4833
DOI: 10.1145/1282427

Also appears in: SIGCOMM '07: Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications (August 2007), 432 pages
ISBN: 9781595937131
DOI: 10.1145/1282380

Copyright © 2007 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States
