Abstract :
It is now acknowledged that the initial end-to-end paradigm of the TCP/IP architecture, where both participants in a communication could assume that all information addressed to the other participant would remain untouched in transit, has come to an end. This evolution was caused by the progressive introduction of middleboxes, i.e., network appliances that manipulate traffic for purposes other than packet forwarding, ranging from "simple" NATs to complex multi-policy traffic engineering systems that alter packets up to the application layer. Today, middleboxes are present in increasing numbers in various kinds of networks. In enterprise networks, they are reported to be as numerous as traditional network equipment. In cellular networks, they are strategically positioned and used for various purposes (e.g., Carrier-Grade NATs, traffic engineering). In home networks, they are ubiquitous, as most Customer-Premises Equipment (e.g., home gateways) are middleboxes. Moreover, with the increasing popularity of Network Function Virtualization (NFV) and of virtualization technologies (i.e., hypervisors, containerization, orchestrators), middlebox development and deployment is facilitated. Regrettably, middleboxes have also been shown to engender a multitude of connectivity, performance, and security issues. Establishing TCP connections with Explicit Congestion Notification (ECN) enabled can lead to connectivity blackouts. Mobile carriers that use middleboxes to impose aggressive timeout values on idle TCP connections increase the battery consumption of mobile devices. Careless TCP middleboxes can facilitate certain network attacks, and even introduce new attack vectors. Furthermore, middleboxes have a negative impact on the TCP protocol by hindering its evolution. They may modify, filter, and drop packets that do not conform to their own policies and assumptions.
For instance, they may normalize TCP flows to conform to a restricted set of authorized features of their choice, hampering TCP innovation initiatives. Generally speaking, we are witnessing the ossification of the network infrastructure. Alternative transport protocols that rely on neither TCP nor UDP, such as the Datagram Congestion Control Protocol (DCCP) or the Stream Control Transmission Protocol (SCTP), fail to be deployed at large scale despite being standardized. The situation at the application layer is similar, with HTTP being the de facto standard. This apparent antagonism between innovation and network value reflects that between the Internet stakeholders. Middleboxes are unilaterally deployed to fulfill the short-term commercial goals of manufacturers or network providers, while path-transparency advocates have as their only purpose the long-term improvement of the Internet. Because of this ongoing contention, researchers have to find roundabout ways to produce innovation. To overcome this, protocol designers have to ensure that their solution is middlebox-proof. For example, recent discussions led to the choice of UDP as a lightweight substrate for new protocols. Google's Quick UDP Internet Connections (QUIC), currently used by the Chrome browser, is a well-known example of a UDP-based protocol. It incorporates a multiplexed stream transport over UDP and its own application-level transport. The design of the Multipath TCP (MPTCP) extension also required dedicated efforts to consider all possible in-path tampering and avoid unforeseen middlebox impairments. In this thesis, we study transport-layer ossification, propose an intermediate classification of its factors, and study a de-ossification strategy. First, we evaluate the feasibility of UDP encapsulation to re-enable transport evolution. We show that differential treatment based on the UDP wire image is not problematic, but requires fallback strategies. Second, we characterize middlebox deployment in the wild.
From a dataset collected in a large-scale campaign of active probing, we extract observations of in-path packet manipulations, which we process to highlight the responsible middlebox policies and the path conditions that they engender. We categorize the obtained middlebox-induced path impairments based on the potential negative consequences they create for TCP traffic, and we use the resulting classes to give insights into the deployment and prevalence of path-impairing middleboxes in the wild. In particular, we show that a substantial percentage of network paths are affected by feature- or protocol-breaking middleboxes and that these are mostly located in edge networks. We advocate that protocol designers include a fallback mechanism carefully designed to ensure robustness to the classes of middleboxes described in this thesis. Finally, we elicit a generic model of transport-level middlebox policies, which we implement in a high-speed kernel-bypass framework. We then rely on the latter to replicate existing path impairments in a controlled environment, which we leverage to study how middleboxes affect TCP quality of service.
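To make the classification of in-path manipulations and the fallback strategies mentioned above concrete, here is an added example that is not part of the thesis, its dataset or its probing tool. It compares the TCP segment a prober sent with the copy its receiver observed (or nothing, if the segment was dropped), buckets the difference into impairment classes, and derives which features the sender should stop negotiating on that path. The class names, the detection rules, the option-to-feature mapping and the probe records are all assumptions constructed for this example.

```python
"""Classify in-path TCP manipulations observed between a probe sender and receiver.

Added example, not the thesis's own code or dataset: it compares the TCP
segment a prober sent with the copy the receiver observed (None if nothing
arrived) and buckets the difference into impairment classes. The class names,
the detection rules and the option-to-feature mapping are this example's own
assumptions; the probe records at the bottom are constructed inline.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Segment:
    seq: int                                      # TCP sequence number
    flags: frozenset                              # e.g. frozenset({"SYN", "ECE", "CWR"})
    options: dict = field(default_factory=dict)   # option name -> value
    payload: bytes = b""


BENIGN = "benign"                        # nothing a TCP endpoint would notice
FEATURE_BREAKING = "feature-breaking"    # a feature is silently disabled; plain TCP still works
PROTOCOL_BREAKING = "protocol-breaking"  # the connection fails or its data is altered
_ORDER = [BENIGN, FEATURE_BREAKING, PROTOCOL_BREAKING]

# Which TCP feature a SYN option or flag negotiates (assumption of this example).
FEATURE_OF = {"MP_CAPABLE": "MPTCP", "SACK_OK": "SACK", "WSCALE": "window scaling",
              "TS": "timestamps", "ECE": "ECN", "CWR": "ECN"}


def classify(sent: Segment, received: Optional[Segment]):
    """Return (severity, findings); each finding is a (kind, name) tuple."""
    if received is None:
        return PROTOCOL_BREAKING, [("dropped", None)]
    findings = []
    severity = BENIGN

    def note(kind, name, level=BENIGN):
        nonlocal severity
        findings.append((kind, name))
        if _ORDER.index(level) > _ORDER.index(severity):
            severity = level

    # ECN negotiation bits cleared on the SYN: ECN will never be negotiated.
    for flag in ("ECE", "CWR"):
        if flag in sent.flags and flag not in received.flags:
            note("flag_cleared", flag, FEATURE_BREAKING)
    # Options stripped: MPTCP, SACK, window scaling or timestamps fall back to plain TCP.
    for name, value in sent.options.items():
        if name not in received.options:
            note("option_removed", name, FEATURE_BREAKING)
        elif received.options[name] != value:
            # A rewritten value (typically MSS clamping) is recorded but is not a breakage.
            note("option_rewritten", name)
    # Sequence-number translation is legitimate by itself (NATs do it); it is
    # recorded because every sequence-carrying field of the flow must then be
    # translated consistently by the same box.
    delta = (received.seq - sent.seq) & 0xFFFFFFFF
    if delta:
        note("seq_shifted", delta)
    # Altered payload: the receiver gets bytes the sender never sent.
    if received.payload != sent.payload:
        note("payload_modified", None, PROTOCOL_BREAKING)
    return severity, findings


def fallback_plan(sent: Segment, findings):
    """Features the sender should stop negotiating on this path (set of names)."""
    disable = set()
    for kind, name in findings:
        if kind == "dropped":
            # Blackout: retry with a bare SYN, i.e. without any negotiated feature.
            disable |= {FEATURE_OF[n] for n in list(sent.options) + list(sent.flags)
                        if n in FEATURE_OF}
        elif kind in ("flag_cleared", "option_removed") and name in FEATURE_OF:
            disable.add(FEATURE_OF[name])
    return disable


# Constructed probe records: one feature-rich SYN and the receiver-side copies
# observed on three hypothetical paths.
SYN = Segment(seq=1000, flags=frozenset({"SYN", "ECE", "CWR"}),
              options={"MSS": 1460, "SACK_OK": True, "WSCALE": 7, "MP_CAPABLE": "k"})
PROBES = {
    "clean path": SYN,
    "normalizing middlebox": Segment(seq=1000, flags=frozenset({"SYN"}),
                                     options={"MSS": 1400, "SACK_OK": True, "WSCALE": 7}),
    "ECN blackout": None,
}

if __name__ == "__main__":
    for path, observed in PROBES.items():
        severity, findings = classify(SYN, observed)
        print(f"{path}: {severity} {findings} -> disable {fallback_plan(SYN, findings)}")
```

On the "normalizing middlebox" path the SYN arrives with both ECN bits cleared, the MP_CAPABLE option stripped and the MSS clamped, which the example classifies as feature-breaking and answers by disabling ECN and MPTCP; the dropped SYN is treated as a blackout and answered by retrying with a bare SYN. A real classifier would in addition need the reverse direction of the flow to tell a consistent sequence-number translation from an inconsistent one.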