
An end-middle-end approach to connection establishment

Published: 27 August 2007

Abstract

The current model for flow establishment in the Internet (DNS names, IP addresses, and transport ports) is inadequate. Not all of the problem is due to the small IPv4 address space and the resulting NAT boxes. Even where global addresses exist, firewalls cannot glean enough information about a flow from packet headers, and so they often err, typically by being over-conservative: disallowing flows that might otherwise be allowed. This paper presents a novel architecture, protocol design, and implementation for flow establishment in the Internet. The architecture, called NUTSS, takes into account the combined policies of endpoints and network providers. While NUTSS borrows liberally from other proposals (URI-like naming, signaling to manage ephemeral IPv4 or IPv6 data flows), NUTSS is unique in that it couples overlay signaling with data-path signaling. NUTSS requires no changes to existing protocol stacks, and, combined with recent NAT traversal techniques, works with IPv4 and existing NATs and firewalls. This paper describes NUTSS and shows how it satisfies a wide range of "end-middle-end" network requirements, including access control, middlebox steering, multi-homing, mobility, and protocol negotiation.




Published In

ACM SIGCOMM Computer Communication Review, Volume 37, Issue 4, October 2007, 420 pages. ISSN: 0146-4833. DOI: 10.1145/1282427.

Also published in SIGCOMM '07: Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications, August 2007, 432 pages. ISBN: 9781595937131. DOI: 10.1145/1282380.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. NUTSS
2. end-middle-end
3. off-path
4. on-path
5. signaling

Cited By

• (2020) Unveiling the Mystery of Internet Packet Forwarding. ACM Computing Surveys 53(5), 1-34. DOI: 10.1145/3409796. Online publication date: 28-Sep-2020
• (2015) In-Net. Proceedings of the Tenth European Conference on Computer Systems, 1-15. DOI: 10.1145/2741948.2741961. Online publication date: 17-Apr-2015
• (2015) EnforSDN: Network policies enforcement with SDN. 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), 80-88. DOI: 10.1109/INM.2015.7140279. Online publication date: May-2015
• (2014) MOLStream. Proceedings of the 2014 IEEE 34th International Conference on Distributed Computing Systems, 278-287. DOI: 10.1109/ICDCS.2014.36. Online publication date: 30-Jun-2014
• (2014) Application delivery in multi-cloud environments using software defined networking. Computer Networks 68, 166-186. DOI: 10.1016/j.comnet.2013.12.005. Online publication date: Aug-2014
• (2013) Cloud aided Internet mobility. 2013 IEEE International Conference on Communications (ICC), 3688-3693. DOI: 10.1109/ICC.2013.6655127. Online publication date: Jun-2013
• (2012) Techno-Economic Aspects of Information-Centric Networking. Journal of Information Policy 2(1), 26-50. DOI: 10.5325/jinfopoli.2.2012.26. Online publication date: 1-Jan-2012
• (2012) Techno-Economic Aspects of Information-Centric Networking. Journal of Information Policy 2, 26-50. DOI: 10.5325/jinfopoli.2.2012.0026. Online publication date: 1-Jan-2012
• (2012) Architecting for edge diversity. Proceedings of the 8th international conference on Emerging networking experiments and technologies, 13-24. DOI: 10.1145/2413176.2413179. Online publication date: 10-Dec-2012
• (2011) A Comprehensive Long-Term Evaluation on BGP Performance. 2011 IEEE International Conference on Communications (ICC), 1-6. DOI: 10.1109/icc.2011.5962883. Online publication date: Jun-2011
