A Path Layer for the Internet: Enabling Network Operations on Encrypted Protocols

Mirja Kuehlewind, Tobias Buehler, Brian Trammell, Stephan Neuhaus, Roman Muenstenr, Godred Fairhurst

Research output: Contribution to conference › Paper

1 Citation (Scopus)

Abstract

The deployment of encrypted transport protocols imposes new challenges for network operations. Key in-network functions such as those implemented by firewalls and passive measurement devices currently rely on information exposed by the transport layer. Encryption, in addition to improving privacy, helps to address ossification of network protocols caused by middleboxes that assume certain information to be present in the clear. However, “encrypting it all” risks diminishing the utility of these middleboxes for the traffic management tasks for which they were designed. A middlebox cannot use what it cannot see.

We propose an architectural solution to this issue, by introducing a new “path layer” for transport-independent, in-band signaling between Internet endpoints and network elements on the paths between them, and using this layer to reinforce the boundary between the hop-by-hop network layer and the end-to-end transport layer. We define a path layer header on top of UDP to provide a common wire image for new, encrypted transports. This path layer header provides information to a transport-independent on-path state machine that replaces stateful handling currently based on exposed header flags and fields in TCP; it enables explicit measurability of transport layer performance; and offers extensibility by sender-to-path and path-to-receiver communications for diagnostics and management. This provides not only a replacement for signals that are not available with encrypted traffic, but also allows integrity-protected, enhanced signaling under endpoint control. We present an implementation of this wire image integrated with the QUIC protocol, as well as a basic stateful middlebox built on Vector Packet Processing (VPP) provided by FD.io.
Original language: English
DOIs: https://doi.org/10.23919/CNSM.2017.8255973
Publication status: Published - 30 Nov 2017
Event: IEEE/IFIP International Conference on Network and Service Management - Tokyo, Japan
Duration: 26 Nov 2017 - 30 Nov 2017

Conference

Conference: IEEE/IFIP International Conference on Network and Service Management
Abbreviated title: CNSM
Country: Japan
City: Tokyo
Period: 26/11/17 - 30/11/17

Fingerprint

Internet
Network protocols
Wire
Network layers
Cryptography
Communication
Processing

Keywords

  • PLUS
  • Transport
  • Internet flow interactivity

Cite this

Kuehlewind, M., Buehler, T., Trammell, B., Neuhaus, S., Muenstenr, R., & Fairhurst, G. (2017). A Path Layer for the Internet: Enabling Network Operations on Encrypted Protocols. Paper presented at IEEE/IFIP International Conference on Network and Service Management, Tokyo, Japan. https://doi.org/10.23919/CNSM.2017.8255973

@conference{7cb81d474f4b493199f7b21b01b50b4e,
title = "A Path Layer for the Internet: Enabling Network Operations on Encrypted Protocols",
abstract = "The deployment of encrypted transport protocols imposes new challenges for network operations. Key in-network functions such as those implemented by firewalls and passive measurement devices currently rely on information exposed by the transport layer. Encryption, in addition to improving privacy, helps to address ossification of network protocols caused by middleboxes that assume certain information to be present in the clear. However, “encrypting it all” risks diminishing the utility of these middleboxes for the traffic management tasks for which they were designed. A middlebox cannot use what it cannot see. We propose an architectural solution to this issue, by introducing a new “path layer” for transport-independent, in-band signaling between Internet endpoints and network elements on the paths between them, and using this layer to reinforce the boundary between the hop-by-hop network layer and the end-to-end transport layer. We define a path layer header on top of UDP to provide a common wire image for new, encrypted transports. This path layer header provides information to a transport-independent on-path state machine that replaces stateful handling currently based on exposed header flags and fields in TCP; it enables explicit measurability of transport layer performance; and offers extensibility by sender-to-path and path-to-receiver communications for diagnostics and management. This provides not only a replacement for signals that are not available with encrypted traffic, but also allows integrity-protected, enhanced signaling under endpoint control. We present an implementation of this wire image integrated with the QUIC protocol, as well as a basic stateful middlebox built on Vector Packet Processing (VPP) provided by FD.io.",
keywords = "PLUS, Transport, Internet flow interactivity",
author = "Mirja Kuehlewind and Tobias Buehler and Brian Trammell and Stephan Neuhaus and Roman Muenstenr and Godred Fairhurst",
note = "This work is related to new standardisation proposed at the IETF standards meeting.; IEEE/IFIP International Conference on Network and Service Management, CNSM ; Conference date: 26-11-2017 Through 30-11-2017",
year = "2017",
month = "11",
day = "30",
doi = "10.23919/CNSM.2017.8255973",
language = "English",

}

TY - CONF

T1 - A Path Layer for the Internet: Enabling Network Operations on Encrypted Protocols

AU - Kuehlewind, Mirja

AU - Buehler, Tobias

AU - Trammell, Brian

AU - Neuhaus, Stephan

AU - Muenstenr, Roman

AU - Fairhurst, Godred

N1 - This work is related to new standardisation proposed at the IETF standards meeting.

PY - 2017/11/30

Y1 - 2017/11/30

AB - The deployment of encrypted transport protocols imposes new challenges for network operations. Key in-network functions such as those implemented by firewalls and passive measurement devices currently rely on information exposed by the transport layer. Encryption, in addition to improving privacy, helps to address ossification of network protocols caused by middleboxes that assume certain information to be present in the clear. However, “encrypting it all” risks diminishing the utility of these middleboxes for the traffic management tasks for which they were designed. A middlebox cannot use what it cannot see. We propose an architectural solution to this issue, by introducing a new “path layer” for transport-independent, in-band signaling between Internet endpoints and network elements on the paths between them, and using this layer to reinforce the boundary between the hop-by-hop network layer and the end-to-end transport layer. We define a path layer header on top of UDP to provide a common wire image for new, encrypted transports. This path layer header provides information to a transport-independent on-path state machine that replaces stateful handling currently based on exposed header flags and fields in TCP; it enables explicit measurability of transport layer performance; and offers extensibility by sender-to-path and path-to-receiver communications for diagnostics and management. This provides not only a replacement for signals that are not available with encrypted traffic, but also allows integrity-protected, enhanced signaling under endpoint control. We present an implementation of this wire image integrated with the QUIC protocol, as well as a basic stateful middlebox built on Vector Packet Processing (VPP) provided by FD.io.

KW - PLUS

KW - Transport

KW - Internet flow interactivity

U2 - 10.23919/CNSM.2017.8255973

DO - 10.23919/CNSM.2017.8255973

M3 - Paper

ER -