A Path Layer for the Internet: Enabling Network Operations on Encrypted Protocols

Mirja Kuehlewind, Tobias Buehler, Brian Trammell, Stephan Neuhaus, Roman Muenstenr, Godred Fairhurst

Research output: Contribution to conferencePaper

3 Citations (Scopus)

Abstract

The deployment of encrypted transport protocols imposes new challenges for network operations. Key in-network functions such as those implemented by firewalls and passive measurement devices currently rely on information exposed by the transport layer. Encryption, in addition to improving privacy, helps to address ossification of network protocols caused by middleboxes that assume certain information to be present in the clear. However, “encrypting it all” risks diminishing the utility of these middleboxes for the traffic management tasks for which they were designed. A middlebox cannot use what it cannot see.

We propose an architectural solution to this issue, by intro- ducing a new “path layer” for transport-independent, in-band signaling between Internet endpoints and network elements on the paths between them, and using this layer to reinforce the boundary between the hop-by-hop network layer and the end-to- end transport layer. We define a path layer header on top of UDP to provide a common wire image for new, encrypted transports. This path layer header provides information to a transport- independent on-path state machine that replaces stateful handling currently based on exposed header flags and fields in TCP; it enables explicit measurability of transport layer performance; and offers extensibility by sender-to-path and path-to-receiver communications for diagnostics and management. This provides not only a replacement for signals that are not available with encrypted traffic, but also allows integrity-protected, enhanced signaling under endpoint control. We present an implementation of this wire image integrated with the QUIC protocol, as well as a basic stateful middlebox built on Vector Packet Processing (VPP) provided by FD.io.
Original languageEnglish
DOIs
Publication statusPublished - 30 Nov 2017
EventIEEE/IFIP International Conference on Network and Service Management - Tokyo, Japan
Duration: 26 Nov 201730 Nov 2017

Conference

ConferenceIEEE/IFIP International Conference on Network and Service Management
Abbreviated titleCNSM
CountryJapan
CityTokyo
Period26/11/1730/11/17

Keywords

  • PLUS
  • Tranport
  • Internet flow interactivity

Fingerprint Dive into the research topics of 'A Path Layer for the Internet: Enabling Network Operations on Encrypted Protocols'. Together they form a unique fingerprint.

  • Cite this

    Kuehlewind, M., Buehler, T., Trammell, B., Neuhaus, S., Muenstenr, R., & Fairhurst, G. (2017). A Path Layer for the Internet: Enabling Network Operations on Encrypted Protocols. Paper presented at IEEE/IFIP International Conference on Network and Service Management, Tokyo, Japan. https://doi.org/10.23919/CNSM.2017.8255973