networking in your pocket
play

Networking In Your Pocket How the Linux networking stack is made to - PowerPoint PPT Presentation

Oct 26, 2022 •8 likes •298 views

Google Proprietary + Confidential Networking In Your Pocket How the Linux networking stack is made to work on Android devices netdev1.1, Seville, 2016-02-10 {lorenzo,ek}@google.com Google Proprietary + Confidential Proprietary + Confidential

  1. Google Proprietary + Confidential Networking In Your Pocket How the Linux networking stack is made to work on Android devices netdev1.1, Seville, 2016-02-10 {lorenzo,ek}@google.com

  2. Google Proprietary + Confidential Proprietary + Confidential Agenda Mobile device networking Android routing architecture Current state of kernel features Looking forward Proprietary + Confidential Proprietary + Confidential

  3. Google Proprietary + Confidential Proprietary + Confidential Mobile device networking Proprietary + Confidential Proprietary + Confidential

  4. Google Proprietary + Confidential !=

  5. Google Proprietary + Confidential Moves Does not move Multiple networks Fixed network attachment points Many link types Mostly Ethernet Captive portals, disconnected networks, … Managed connectivity Varying network quality Stable, high-quality connectivity Limited power Plenty of power Limited / metered bandwidth Plenty of bandwidth Network bounds performance High performance Single-user High scalability Per-app networking Virtualization

  6. Google Proprietary + Confidential Network stack challenges ● Device is connected to multiple networks most of the time ○ VoLTE, Wi-Fi, mobile data/MMS... ● Need fast, seamless network handover ○ Close TCP connections when network disconnects or apps spin ○ Sockets bound on pre-switch network must stay on it until torn down ● IPv6 as a first class citizen ○ >60% of Android devices on US cell networks have IPv6 ● Low power usage ● Android 6.0 still supports devices running 3.4 (!) kernels :-(

  7. Google Proprietary + Confidential Features users expect ● Captive portal detection/login in background ○ Receive chat messages while you log in to free wifi ● Avoid disconnected networks ○ Use a wifi camera and access the Internet at the same time ○ Don’t use a wifi AP that has no backhaul or has an Internet outage ● Provide network selection APIs to apps ○ MMS app needs to bring up MMS when on wifi ○ Wireless printer /camera app needs to prefer wifi over mobile data ● Data usage tracking ● Per-application, per-user VPN ● Per-network permissions

  8. Google Proprietary + Confidential Simple example When a user manually selects a network that has no Internet access (e.g., wireless printer), the user is asked whether they want to stay connected to that network. Internet access continues on mobile data until user decides to connect, at which point default device connectivity switches to wifi. Requires the ability to send traffic on wifi while the rest of the system is using mobile data.

  9. Google Proprietary + Confidential Proprietary + Confidential Android routing architecture Proprietary + Confidential Proprietary + Confidential

  10. Google Proprietary + Confidential Implementing the strong host model This is a hard requirement: networks don’t route each other’s traffic. But: ● Can’t bind() to IP address and use source routing ○ On a dual-stack network, at least 3-4 addresses on each interface ○ With IPv6 autoconf, addresses can appear at any time ○ Appropriate source address depends on DNS lookup and RFC6724 ● Can’t SO_BINDTODEVICE to interface ○ Network can have more than one interface (e.g., 464xlat) ● Can’t use iptables to change routing after the fact ○ Local NAT breaks getsockname() , MTU/MSS selection, IPv6… ● Can’t use namespaces ○ Would need to copy IP addresses between namespaces ○ At the time, interfaces could only be in one namespace

  11. Google Proprietary + Confidential Android connectivity architecture ● Based on available Linux primitives and weak host model ● Multiple routing tables using routing rules ● Network API concept loosely equivalent to IETF “Provisioning domain” ● Connections bound to networks via socket marks ○ Implicit on connect() or incoming SYN packet ○ Explicit due to application API usage ● Per-application routing (e.g., VPN) using in-kernel per-UID routing On Android, each app is its own UID ○ Like xt_owner , only works until sock_orphan is called ○

  12. Google Proprietary + Confidential Routing tables ● One routing table per interface ○ Routes from different interfaces don’t stomp on each other ○ A “network” has 1 or more Interfaces ○ main routing table only used in special cases ( never by apps) ● ip rules select networks ○ Switch between networks = change lowest-priority ip rule ○ Select network = match rule ○ Criteria: ■ Socket mark ■ Bound / specified interface (for SO_BINDTODEVICE / in6_pktinfo ) ■ Incoming interface for tethering ● Completely independent from IP addresses, which can change all the time

  13. Google Proprietary + Confidential Socket marks ● Used to bind sockets to networks ○ Mark matches rule which selects routing table ● Outgoing traffic: SO_MARK requires CAP_NET_ADMIN ○ Network selection APIs pass socket fd to netd process for marking ○ Shim libc so that connect() , etc. pass socket to netd as well Per-process default socket mark might help here ■ ● Incoming connections: ○ fwmark applied to incoming SYN packet via iptables rules ○ Mark written back into socket mark by kernel on accept() ● Currently contain: ○ Network ID ○ Permissions (SYSTEM / CHANGE_NETWORK_STATE / NONE) ○ VPN protect bit

  14. Google Proprietary + Confidential No IP addresses... 0: from all lookup local 10000: from all fwmark 0xc0000/0xd0000 lookup legacy_system 11000: from all iif tun0 lookup local_network 12000: from all fwmark 0xc00d7/0xcffff lookup tun0 12000: from all fwmark 0x0/0x20000 uidrange 0-99999 lookup tun0 13000: from all fwmark 0x10063/0x1ffff lookup local_network 13000: from all fwmark 0x100d6/0x1ffff lookup rmnet0 13000: from all fwmark 0x100d5/0x1ffff lookup wlan0 Meaning of bits 13000: from all fwmark 0x100d7/0x1ffff uidrange 0-0 lookup tun0 13000: from all fwmark 0x100d7/0x1ffff uidrange 0-99999 lookup tun0 0x0000ffff - Network ID 14000: from all oif rmnet0 lookup rmnet0 0x00010000 - Explicit mark bit 14000: from all oif wlan0 lookup wlan0 0x00020000 - VPN protect bit 14000: from all oif tun0 uidrange 0-99999 lookup tun0 0x000c0000 - Permission bits 15000: from all fwmark 0x0/0x10000 lookup legacy_system 16000: from all fwmark 0x0/0x10000 lookup legacy_network 17000: from all fwmark 0x0/0x10000 lookup local_network 19000: from all fwmark 0xd6/0x1ffff lookup rmnet0 19000: from all fwmark 0xd5/0x1ffff lookup wlan0 21000: from all fwmark 0xd7/0x1ffff lookup wlan0 22000: from all fwmark 0x0/0xffff lookup wlan0 23000: from all fwmark 0x0/0xffff uidrange 0-0 lookup main … and no main for non-root 32000: from all unreachable

  15. Google Proprietary + Confidential Limitations ● Substantial complexity required to emulate strong host model ○ Routing rules, socket calls shimmed through netd , etc. ○ Marks are decided before routing lookup, so not always correct ■ Can’t look at mark and know what network a socket is on ■ Can’t provide seamless handover on bypassable VPNs ● Cannot reasonably support multiple networks on same interface ○ Would need to tag IP addresses, routes etc. with network ID ○ RFC7556 defines framework provisioning domain architecture ■ Working with IETF MIF working group to define API design ■ Once that’s done, implement / upstream?

  16. Google Proprietary + Confidential Proprietary + Confidential Current state of kernel features What’s upstream What’s not upstream, and can we upstream it? Proprietary + Confidential Proprietary + Confidential

  17. Google Proprietary + Confidential Socket marks ● Kernel-originated packets have zero mark ○ Replies (TCP RST, ICMP, ...) reflect socket mark of original packet ■ fwmark_reflect sysctl ● Incoming connection bound to network based on interface that got SYN ○ iptables INPUT rule marks incoming SYN ○ accept() writes skb->mark into sk->sk_mark ■ fwmark_reflect sysctl ● Upstream since 3.15

  18. Google Proprietary + Confidential IPv6 ● Uses kernel autoconf ○ Uses accept_ra_rt_table sysctl to put autoconf routes in right table ■ Not yet sent upstream ● Weak host model will happily use cell IPv6 address with wifi default route ○ During DAD ■ Upstreamed use_optimistic sysctl ○ If wifi provides default route and no address ■ Upstreamed use_oif_addrs_only sysctl

  19. Google Proprietary + Confidential VPN ● Two modes ○ Secure: unprivileged traffic forced onto VPN ○ Bypassable: traffic on VPN by default, apps can choose otherwise ● VPN apps can provide / force VPN service to specific apps only Each app is its own UID ○ ● No local NAT, which enables IPv6 support, correct MSS / getsockname , … Means that VPN must be evaluated before source address is chosen ○ Relies on per-UID routing rules - FRA_UID_{START,END} ● Sent for review in 2012, not accepted ○ Attempt again? ■ Possible alternative: 64-bit socket mark? ■

  20. Google Proprietary + Confidential Forced socket closes ● Currently use SIOCKILLADDR to close TCP connections on network switch ○ Has caused merge pain and kernel crashes when TCP code changes ○ Not flexible enough (VPN, mobile data always on…) ● SOCK_DESTROY recently upstreamed to replace it ○ Allows userspace to close individual sockets via NETLINK_SOCK_DIAG ● Future uses: ○ Better connection closing when a VPN comes up ○ Mobile data always on?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

l O O O pra de pra de P P oche P l l pra de oche oche The Pocket Opera The

l O O O pra de pra de P P oche P l l pra de oche oche The Pocket Opera The

l O O O pra de pra de P P oche P l l pra de oche oche The Pocket Opera The Pocket Opera The Pocket Opera www.operadepoche.fr Appel dAirs Association Loi 1901 03220 Chtelperron France SIREN: 482 379 146 Licences

333 views • 8 slides
PicoPix PPX2055/F7 KP-101-01 P4-X 55-Lumen Pocket Projector 55-Lumen Pocket Projector LED Pico

PicoPix PPX2055/F7 KP-101-01 P4-X 55-Lumen Pocket Projector 55-Lumen Pocket Projector LED Pico

PICO & MULTIMEDIA PROJECTORS A/V PRESENTATION PicoPix PPX2055/F7 KP-101-01 P4-X 55-Lumen Pocket Projector 55-Lumen Pocket Projector LED Pico Pocket Projector LED Pico Pocket Projector WVGA Pico Projector Maximum Brightness of 55

501 views • 5 slides
Back to the future: sockets and relational data in your (Windows) pocket Dragos Manolescu

Back to the future: sockets and relational data in your (Windows) pocket Dragos Manolescu

Back to the future: sockets and relational data in your (Windows) pocket Dragos Manolescu Microsoft, Windows Phone Engineering Hewlett-Packard Cloud Services Background APIs Performance and Health Data and Cloud RTM Networking:

578 views • 54 slides
MHCLG Pocket Park Plus - Mayes Road Linear Pocket Park design interventions Supplier Description

MHCLG Pocket Park Plus - Mayes Road Linear Pocket Park design interventions Supplier Description

MHCLG Pocket Park Plus - Mayes Road Linear Pocket Park design interventions Supplier Description 1. English Garden Statuary Penguins, geese, dog, etc. 1 2. Alastair Hunter 2 Sundial - informative, educational, social 3 3. Krishna Malla

473 views • 10 slides
Pocket Lecture Pocket Lecture Pocket Lecture Pocket Lecture Listen Audio Notes Progress

Pocket Lecture Pocket Lecture Pocket Lecture Pocket Lecture Listen Audio Notes Progress

Pocket Lecture Pocket Lecture Pocket Lecture Pocket Lecture Listen Audio Notes Progress Listen Audio Notes Progress Listen Audio Notes Progress Listen Audio Notes Progress 70% Motivation: Record your notes 0.1 Pilot Podcast What

66 views • 3 slides
New in 2013 v Out of Pocket Maximums v Pharmacy Co-Pays v Drug Management Programs v

New in 2013 v Out of Pocket Maximums v Pharmacy Co-Pays v Drug Management Programs v

2013 Plan Year 1 New in 2013 v Out of Pocket Maximums v Pharmacy Co-Pays v Drug Management Programs v Balanced Premiums 2 New in 2013 Out of Pocket Maximums v Out of Pocket Maximums will be increasing by: v $500 for

237 views • 21 slides
Gstreamer Editing Services Video Editing in your pocket (size of pocket not specified) Edward

Gstreamer Editing Services Video Editing in your pocket (size of pocket not specified) Edward

Gstreamer Editing Services Video Editing in your pocket (size of pocket not specified) Edward Hervey edward.hervey@collabora.co.uk Edward Hervey Co-founder of Collabora Multimedia FLOSS user since 1995 GStreamer Hacker since 2003

367 views • 24 slides
Using Your Network 10-07-16 Networking & You What is networking? Benefits of

Using Your Network 10-07-16 Networking & You What is networking? Benefits of

Jordan Borrell Networking & Bioengineering Program Using Your Network 10-07-16 Networking & You What is networking? Benefits of networking. Who do I network with? Family/Friends/Neighbors School Connections

395 views • 14 slides
Estimates of Medicare Beneficiaries Out-of-Pocket Drug Spending in 2006 M odeling the Impact of

Estimates of Medicare Beneficiaries Out-of-Pocket Drug Spending in 2006 M odeling the Impact of

Estimates of Medicare Beneficiaries Out-of-Pocket Drug Spending in 2006 M odeling the Impact of the MMA November 22, 2004 Figure 1 Key Research Questions How is the MMA likely to affect out-of-pocket prescription drug spending among

210 views • 18 slides
Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics

Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics

Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics Discuss APIs Trace how a packet gets from the network device to the application (and back) Understand Receive livelock and NAPI 4

761 views • 48 slides
Commission: Out of touch, out of date, out of pocket April 2017 Commission: Out of touch, out of

Commission: Out of touch, out of date, out of pocket April 2017 Commission: Out of touch, out of

Commission: Out of touch, out of date, out of pocket April 2017 Commission: Out of touch, out of date, out of pocket | April 2017 1 Its a truth universally accepted House prices have soared by 253% in the last Michael Bruce, CEO,

204 views • 7 slides
Pocket door slides Guas de puertas correderas giratorias Guide per ante rientranti For

Pocket door slides Guas de puertas correderas giratorias Guide per ante rientranti For

Pocket door slides Guas de puertas correderas giratorias Guide per ante rientranti For recessing pocket doors on Para puertas correderas giratorias Per porte rientranti a incasso sale entertainment centres, wall units en

409 views • 16 slides
A/V PRESENTATION 282 Multimedia Projectors www.BandH.com MP180 Pocket Projectors MPro 150 Pocket

A/V PRESENTATION 282 Multimedia Projectors www.BandH.com MP180 Pocket Projectors MPro 150 Pocket

100 Lumens 2800 lumens 3000:1 contrast ratio HDMI Connectivity 7W Speaker Microsoft Office Viewer USB, VGA, HDMI Ports 20,000 hour LED Light WVGA (854 x 480) Energy Efficient E-TORL lamp

80 views • 6 slides
NAMED DATA NETWORKING (NDN) Named Data Networking NDN BRIEF HISTORY When the Networking was

NAMED DATA NETWORKING (NDN) Named Data Networking NDN BRIEF HISTORY When the Networking was

NAMED DATA NETWORKING (NDN) Named Data Networking NDN BRIEF HISTORY When the Networking was developed in the 60s and 70s Networking was mainly used for resource sharing. IP was the effective communication protocol in place.

484 views • 29 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Networking 192.168.1. 101 By: Vince Disclaimer I am NOT a Networking expert you might ask

Networking 192.168.1. 101 By: Vince Disclaimer I am NOT a Networking expert you might ask

Networking 192.168.1. 101 By: Vince Disclaimer I am NOT a Networking expert you might ask questions that I dont know the answer to Networking is hard to teach but I know how to do your homeworks so that counts for something,

780 views • 52 slides
What have fruits got to do with technology? The case of Apple, Blackberry and Orange Surender

What have fruits got to do with technology? The case of Apple, Blackberry and Orange Surender

What have fruits got to do with technology? The case of Apple, Blackberry and Orange Surender Yerva , Zoltan Miklos, Karl Aberer Distributed Information Systems Lab EPFL, Switzerland Sogndal, Norway, WIMS 2011 May 27, 2011 Motivation

896 views • 67 slides
VIDEO 1 The Aerospace & Defense Forum Orange County Chapter November 2, 2016 rapidly

VIDEO 1 The Aerospace & Defense Forum Orange County Chapter November 2, 2016 rapidly

The Aerospace & Defense Forum Orange County Chapter November 2, 2016 On-Demand Drones for Law Enforcement VIDEO 1 The Aerospace & Defense Forum Orange County Chapter November 2, 2016 rapidly deployed command center rapidly deployed

683 views • 8 slides
Identifying Relevant Parameters to Improve WCET Analysis Jakob Zwirchmayr 2 , Pascal Sotin 2 ,

Identifying Relevant Parameters to Improve WCET Analysis Jakob Zwirchmayr 2 , Pascal Sotin 2 ,

Identifying Relevant Parameters to Improve WCET Analysis Jakob Zwirchmayr 2 , Pascal Sotin 2 , Armelle Bonenfant 2 Denis Claraz 3 , Philippe Cuenot 3 WCET Workshop Madrid, July 8, 2014 1 This work is supported by ANR W-SEPT. 2 Universit e

348 views • 17 slides
Buildroot Buildroot overview Br2-external Additional infrastructure Making embedded

Buildroot Buildroot overview Br2-external Additional infrastructure Making embedded

Introduction Buildroot Buildroot overview Br2-external Additional infrastructure Making embedded Linux easy? Conclusion A real-life example. Yann E. MORIN <yann.morin@orange.com> Embedded Linux Conference Europe 2017

624 views • 36 slides
Next Generation Directory-Based User Management for Cloud Infrastructure Nov 16, 2016 ApacheCon

Next Generation Directory-Based User Management for Cloud Infrastructure Nov 16, 2016 ApacheCon

Next Generation Directory-Based User Management for Cloud Infrastructure Nov 16, 2016 ApacheCon EU, Seville Introductions Katarina Valalikova Evolveum Shawn McKinney - Symas ApacheCon EU, Seville 2016 2 Security is Hard I had

928 views • 71 slides
Active learning Co-training 3 Subtract-average detection score Grey-scale detection score

Active learning Co-training 3 Subtract-average detection score Grey-scale detection score

Active learning Co-training 3 Subtract-average detection score Grey-scale detection score Summary Boosting is a method for learning an accurate classifiers by combining many weak classifiers. Boosting is resistant to over-fitting .

611 views • 31 slides
SYSTEM DYNAMICS: SYSTEMS THINKING AND MODELING FOR A COMPLEX WO WORLD IAP 2 2020 S ESSION J

SYSTEM DYNAMICS: SYSTEMS THINKING AND MODELING FOR A COMPLEX WO WORLD IAP 2 2020 S ESSION J

System Dynamics: Systems Thinking and 1/13/2020 Modeling for a Complex World SYSTEM DYNAMICS: SYSTEMS THINKING AND MODELING FOR A COMPLEX WO WORLD IAP 2 2020 S ESSION J ANUARY 13, 2020 James Paine System Dynamics Group MIT Sloan School

812 views • 55 slides
Entanglement entropy and Lorentz invariance in QFT Horacio Casini Instituto Balseiro, Centro

Entanglement entropy and Lorentz invariance in QFT Horacio Casini Instituto Balseiro, Centro

Entanglement entropy and Lorentz invariance in QFT Horacio Casini Instituto Balseiro, Centro Atmico Bariloche Strong subadditivity of entropy von Neumann entropy Lieb, Ruskai (1973) Strong subadditivity Additivity Subadditivity SSA +

604 views • 31 slides

More recommend