mike fisk
play

Mike Fisk mfisk@lanl.gov LANL/UCSD draft-fisk-midcom-session-00 - PowerPoint PPT Presentation

Sep 05, 2023 •313 likes •451 views

Mike Fisk mfisk@lanl.gov LANL/UCSD draft-fisk-midcom-session-00 IETF 49 Midcom BOF 1 This presentation Is about: Interactions between middleboxes and untrusted, end-host applications Is not about: (but is complementary to)

  1. Mike Fisk mfisk@lanl.gov LANL/UCSD draft-fisk-midcom-session-00 IETF 49 Midcom BOF 1

  2. This presentation • Is about: Interactions between middleboxes and untrusted, end-host applications • Is not about: (but is complementary to) Middlebox control by trusted application-layer gateways 2

  3. Man-in-the-street Definitions of a Middlebox “A pragmatic device that transparently fixes packet flows be- tween flawed endpoints.” — Engineer running a network “A flawed device that breaks transparency by impeding the flow of packets between endpoints.” — End-to-end/transparency purist — Frustrated user Examples: Firewall, NAT, TCP PEP, etc... Flawed? A question of agility: Incapable of adequately supporting a necessary protocol or policy. 3

  4. Incapable of adequately supporting a necessary protocol or policy. Adequate = securely, fairly, ... Protocol = IPv6, IPsec, window scaling, global addresses, session bundles, ... Incapable = Not under your administrative domain of control • Site’s networking group can’t manage all of site’s desktops • Desktop users can’t control the network provider’s firewall 4

  5. End-to-end Nirvana • Every end host is well-managed and supports everything nec- essary to work across every kind of network (IPv4, IPv6, Long Fat Networks, wireless, adversarial). • Deployment cost: Deploy each new feature to each host Reality • Update end hosts once every few years • All other changes made with middleboxes 5

  6. Current Trend • Network peers provide services that enable end nodes to work across every kind of network – e.g. SOCKS, RSIP, IPsec tunneling, HTTP Proxies – Clients are aware of middlebox and request functionality • Deployment cost: Deploy each framework protocol to each host and then update/manage small number of servers. – Server deals with changing policies and protocols – Clients are less well managed and trusted – Clients submit themselves to the whims of servers 6

  7. Observations Application only sees end-to-end byte stream or message pay- loads. Expectation is that packets are end-to-end, but frequently not so. Middleboxes perform transport splicing/spoofing. Why not have add a thin abstraction layer between the applica- tion and the transport protocols to provide end-to-end stream of messages over a series of transport connections? 7

  8. Future? A Session Setup Protocol Deploy a single framework protocol to each host and then up- date/manage small number of servers. • Provide end-to-end byte stream or datagram payloads • Relay data across a series of transport layer connections • Middleboxes operate only at transport endpoints; no mucking with something that is supposed to be e2e. • Applications agree (or not) to the requirements (policy) of the middlebox • Is a single, flexible framework protocol feasible? Good question. Let’s try. Encouraging thoughts: – SOCKS is used for many applications. – Who’d have thought that HTTP would be used for every- thing? (RPC, e-mail, etc.) 8

  9. Requirements • Middlebox discovery • Mutual authentication ( n -way) • Encryption (e2e or between hops) • Abstract view of e2e network connection without assuming e2e packets – Build (a series of) transport connections between middle- boxes • Compatibility with current protocols and middleboxes – Some new protocols (telephony, etc.) have more freedom • Dynamic reconfiguration (mobility, topology changes) – New middlebox in path triggers renegotiation – One or more transport hops may change (TCP Connec- tion Migration) • Minimize need for Application Layer Gateways 9

  10. End A Midpoint 1 Midpoint 1 End B Discover Midpoint Ack Discover (Midpoint, Encrypt, Authenticate) Negotiate Encryption Successful GSSAPI Exchange Ack Discover Endpoint 10

  11. Design Decisions How much of the needed functionality is already present in pro- tocols like SOCKS and SIP? New IP option for discovery. Use SOCKS as base for setting-up each transport conn? How much of this is just engineering and how much is still ex- perimental? We have experience with several point-solutions. Now we just need to generalize. Should this protocol be distinct from a protocol that allows ALG control? 11

  12. Questions? Comments? Rants? draft-fisk-midcom-session-00 mfisk@lanl.gov 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Traffic Analysis Using Streaming Queries Mike Fisk Los Alamos National Laboratory

Traffic Analysis Using Streaming Queries Mike Fisk Los Alamos National Laboratory

Traffic Analysis Using Streaming Queries Mike Fisk Los Alamos National Laboratory mfisk@lanl.gov Outline Intro to Continuous Query Systems a.k.a Streaming Databases Relevance to data networks Optimizing the evaluation of

379 views • 27 slides
Hvad er det for en fisk?! Hvad er det for en fisk?! Louis Tim Larsen, July 2014 Finish

Hvad er det for en fisk?! Hvad er det for en fisk?! Louis Tim Larsen, July 2014 Finish

Hvad er det for en fisk?! Hvad er det for en fisk?! Louis Tim Larsen, July 2014 Finish company with headquarters in Helsinki Founded in Marts 2011 ~ 60 developers, many former employees of Nokia Core focus is Linux based smart

470 views • 10 slides
Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene

Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene

Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene Gavrilov Los Alamos National Laboratory Overview and Objectives Host/IP address profiling based on flow data over some time interval 10

460 views • 18 slides
Evolution of the LHC Computing Models Ian Fisk May 22, 2014 About Me I am a scientist with

Evolution of the LHC Computing Models Ian Fisk May 22, 2014 About Me I am a scientist with

Evolution of the LHC Computing Models Ian Fisk May 22, 2014 About Me I am a scientist with Fermilab I have spent the last 14 years working on LHC Computing problems I helped build the first Tier-2 prototype computing center in the US I was

608 views • 29 slides
Presentation Outline Technical Orientation Welcome John Fisk , Director Wallace Center

Presentation Outline Technical Orientation Welcome John Fisk , Director Wallace Center

An NGFN W An NGFN Webina binar The Price Point Conundrum: How the Sustainable Farmer Can Afford Her Own Tomato February 16, 2012 Presentation Outline Technical Orientation Welcome John Fisk , Director Wallace Center at Winrock

793 views • 47 slides
Pharmacy Robbery Presentation JoAnne Fisk Deputy Chief Biddeford Police Department What a

Pharmacy Robbery Presentation JoAnne Fisk Deputy Chief Biddeford Police Department What a

Pharmacy Robbery Presentation JoAnne Fisk Deputy Chief Biddeford Police Department What a Suspect looks for Motivation - reward v. risk Ability or opportunity Expectation of escape Low probability of detection and arrest During

384 views • 26 slides
Presentation Outline Technical Orientation Welcome John Fisk Director, Wallace Center

Presentation Outline Technical Orientation Welcome John Fisk Director, Wallace Center

An NGFN W An NGFN Webina binar Its Viable Now What? From Feasibility Study to Business Plan January 26, 2012 Presentation Outline Technical Orientation Welcome John Fisk Director, Wallace Center at Winrock International

939 views • 78 slides
THE INDIVIDUAL DEPRIVATION MEASURE Dr Kylie Fisk, Research Fellow International Women s

THE INDIVIDUAL DEPRIVATION MEASURE Dr Kylie Fisk, Research Fellow International Women s

DEVELOPING AND USING A NEW GENDER DATA TOOL: THE INDIVIDUAL DEPRIVATION MEASURE Dr Kylie Fisk, Research Fellow International Women s Development Agency Dr Helen Suich, Senior Research Fellow The Australian National University 7 th Global

651 views • 25 slides
Presentation Outline Technical Orientation | Welcome / Introduction John Fisk Wallace

Presentation Outline Technical Orientation | Welcome / Introduction John Fisk Wallace

An An NGFN W NGFN Webin binar ar FOOD BANKS AS GOOD FOOD PARTNERS December 12, 2013 Presentation Outline Technical Orientation | Welcome / Introduction John Fisk Wallace Center at Winrock International Jeff Farbman Wallace

714 views • 54 slides
Mike New man Mike New man Mike New man Mike New man Mike New man Mike New man Mike New man

Mike New man Mike New man Mike New man Mike New man Mike New man Mike New man Mike New man

Mike New man Mike New man Mike New man Mike New man Mike New man Mike New man Mike New man Mike New man SVP & Chief Financial Officer SVP & Chief Financial Officer 4Q 2002 Sales 4Q 2002 Sales Comparable Store Sales +2%

478 views • 32 slides
Diversity in Astronomy in the Coming Decade: Leveraging Partnerships with Minority Serving

Diversity in Astronomy in the Coming Decade: Leveraging Partnerships with Minority Serving

Diversity in Astronomy in the Coming Decade: Leveraging Partnerships with Minority Serving Institutions Keivan Stassun & Kelly Holley-Bockelmann Vanderbilt University Fisk University Nashville, Tennessee Fisk-Vanderbilt Masters-to-PhD

317 views • 20 slides
Summary of APMP Inputs re: CIPM MRA Review Dr Peter Fisk APMP Chair BIPM NMI Directors

Summary of APMP Inputs re: CIPM MRA Review Dr Peter Fisk APMP Chair BIPM NMI Directors

Summary of APMP Inputs re: CIPM MRA Review Dr Peter Fisk APMP Chair BIPM NMI Directors Meeting/CIPM MRA Workshop Sevres, France: 13-14 October 2015 Key questions posed: What outcomes do your NMI and your stakeholders require from the

92 views • 7 slides
Resilience of Soft-Sediment Communities after Geoduck Harvest in Samish Bay, Washington Micah

Resilience of Soft-Sediment Communities after Geoduck Harvest in Samish Bay, Washington Micah

Resilience of Soft-Sediment Communities after Geoduck Harvest in Samish Bay, Washington Micah Horwith, Department of Biology, University of Washington Fisk Bar Fisk Bar = Eelgrass = Bare = Channel Timeline 1 - Pre-harvest Geoduck crop

435 views • 41 slides
MIKE.A THE DJ Born in 1999, Mike.A is a Dj Producer Now Mike mainly produces Mainstream, from

MIKE.A THE DJ Born in 1999, Mike.A is a Dj Producer Now Mike mainly produces Mainstream, from

MIKE.A THE DJ Born in 1999, Mike.A is a Dj Producer Now Mike mainly produces Mainstream, from Montreal, Qc, Canada, with an Bigroom, and Progressive House. One of enormous repertoire of music consisting of his many singles was Paradise

274 views • 5 slides
Mike Blows (UK) mike blows@hotmail.c om 20 long ye ar s! 5000 dya ds/ tria ds/ fa milie s the

Mike Blows (UK) mike blows@hotmail.c om 20 long ye ar s! 5000 dya ds/ tria ds/ fa milie s the

T e a c hing me nta l he a lth c olle a g ue s how the ir own a tta c hme nt stra te g ie s ma y distort the ir c linic a l re sponse s a nd judg e me nts, by using vide o c lips portra ying c hild a buse . Mike Blows (UK) mike

248 views • 13 slides
Combining Formal and Distributional Models of Temporal and Intensional Semantics Mike Lewis and

Combining Formal and Distributional Models of Temporal and Intensional Semantics Mike Lewis and

Combining Formal and Distributional Models of Temporal and Intensional Semantics Mike Lewis and Mark Steedman Inference with Temporal Senantics Mike is visiting Baltimore Mike has arrived in Baltimore Mike will leave Baltimore Mike

425 views • 29 slides
Introduction to coreboot What is coreboot? How can I try it out? How can I contribute?

Introduction to coreboot What is coreboot? How can I try it out? How can I contribute?

Introduction to coreboot What is coreboot? How can I try it out? How can I contribute? What is coreboot? Firmware coreboot is fjrmware targeting multiple mainboards and processor architectures, including x86. By default, Googles

2.19k views • 17 slides
Patent Law Prof. Roger Ford October 5, 2016 Class 9 Novelty III: patent documents; priority

Patent Law Prof. Roger Ford October 5, 2016 Class 9 Novelty III: patent documents; priority

Patent Law Prof. Roger Ford October 5, 2016 Class 9 Novelty III: patent documents; priority of invention and prior invention Recap Recap Novelty framework (AIA) 102(a)(1) prior art cont: on sale otherwise

981 views • 39 slides
Introduction to DUNE Computing Eileen Berman (stealing from many people) DUNE Physics Week Nov

Introduction to DUNE Computing Eileen Berman (stealing from many people) DUNE Physics Week Nov

Introduction to DUNE Computing Eileen Berman (stealing from many people) DUNE Physics Week Nov 14, 2017 What Does This Include? LArSoft (thanks to Erica Snider) Gallery (thanks to Marc Paterno) Data Management (Storage) (thanks to

1.48k views • 76 slides
MT in LArSoft update Kyle J. Knoepfel 23 April 2019 LArSoft coordination meeting MT links

MT in LArSoft update Kyle J. Knoepfel 23 April 2019 LArSoft coordination meeting MT links

MT in LArSoft update Kyle J. Knoepfel 23 April 2019 LArSoft coordination meeting MT links https://cdcvs.fnal.gov/redmine/projects/art/wiki#Multithreaded-processing-as-of-art-3 2 4/22/19 LArSoft coordination meeting Encouraged migration

510 views • 15 slides
Better Prevent Than Cure - Defensive Programming Credits: Fresh Sources Inc. Instructor:

Better Prevent Than Cure - Defensive Programming Credits: Fresh Sources Inc. Instructor:

Better Prevent Than Cure - Defensive Programming Credits: Fresh Sources Inc. Instructor: Peter Baumann email: p.baumann@jacobs-university.de tel: -3178 office: room 88, Research 1 Cannot find REALITY.SYS. Universe halted. 320312

611 views • 27 slides
Control structure: Repetition - Part 3 01204111 Computers and Programming Cha hale lermsak Cha

Control structure: Repetition - Part 3 01204111 Computers and Programming Cha hale lermsak Cha

Control structure: Repetition - Part 3 01204111 Computers and Programming Cha hale lermsak Cha hatdokmaip ipra rai De Depart rtment of of Com omputer r Eng ngineerin ing Kas asetsart Uni niversity Revised 2018-07-18 Cliparts are

850 views • 55 slides
Hayes, Catherine (2018) Beyond Disciplinarity in Strategic Pedagogical Research - Who Do We Think

Hayes, Catherine (2018) Beyond Disciplinarity in Strategic Pedagogical Research - Who Do We Think

Hayes, Catherine (2018) Beyond Disciplinarity in Strategic Pedagogical Research - Who Do We Think We Are? In: 2nd Faculty of Education Research Day, 22 May 2018, LIVERPOOL HOPE UNIVERSITY. (Unpublished) Downloaded from:

881 views • 39 slides
The HOL theorem-proving system Michael Norrish Michael.Norrish@nicta.com.au National ICT

The HOL theorem-proving system Michael Norrish Michael.Norrish@nicta.com.au National ICT

HOL The HOL theorem-proving system Michael Norrish Michael.Norrish@nicta.com.au National ICT Australia 8 September 2004 HOL Outline Introduction History High-level description Build a HOL kernel Design philosophy Basic types Logic

1.29k views • 64 slides

More recommend