TCP Fast Open (PowerPoint PPT presentation)
SLIDE 1

TCP Fast Open

Sivasankar Radhakrishnan (Google Inc., UC San Diego), Yuchung Cheng (Google Inc.), Jerry Chu (Google Inc.), Arvind Jain (Google Inc.), Barath Raghavan (ICSI)

8 December 2011, ACM CoNEXT 2011

SLIDE 2

Web Page Load Performance

Web object
  • Avg ~ 7.3KB, Median ~ 2.4KB

Web transfer latency
  • HTTP response transfer ~ 1-3 RTTs
  • TCP connection setup – 1 RTT overhead

HTTP Persistent Connections
  • Reuses TCP connections for multiple transactions
  • Widely deployed (92% of connections support it)
  • > 33% of requests still use new connections (cold requests)

[Chrome, Yahoo CDN] statistics

SLIDE 3

TCP Handshake Cost

[Figure: CDF (%) of HTTP transaction network latency, 0.1 s to 10 s on a log scale, for three series: All Req, Cold Req, and Cold Req no Hsk (sim), i.e. cold requests with the handshake cost removed in simulation]

Up to 25% of latency of cold requests

Chrome Browser Logs – 1 month, billions of requests, opt-in users

SLIDE 4

TCP Fast Open

Allows data exchange during TCP handshake

SLIDE 5

In An Ideal World

RFC 793 – TCP specification
  • Allows including data in SYN packets
  • Forbids processing data until handshake completes

[Diagram: client/server exchange]
  1. Client includes the request in the SYN (SYN + Data)
  2. Server processes the data immediately
  3. Server sends the response during the handshake (SYN-ACK, Data); the client's ACK completes it

SLIDE 6

Duplicate SYN Packets

  • Network duplicates a SYN packet w/ data
  • Packet gets replayed at the server if previous connection state is not retained
  • Acceptable for idempotent requests

  • Large number of applications can use the feature
  • Application level measures for additional safety
  • Already required today – users refresh slow pages, causing duplicate requests

SLIDE 7

Server Resource Exhaustion

[Diagram: a stream of SYN + HTTP request packets arriving at the server]

  • Bogus requests consume CPU and memory at the server
  • Threshold pending TCP Fast Open connections at server
  • Fallback to regular TCP if threshold is exceeded

SLIDE 8

Amplified Reflection Attack

[Diagram: attacker sends SYN + HTTP request with srcIP = victim; the server's SYN-ACK and HTTP response go to dstIP = victim]

Small SYN packet triggers N response packets to victim

SLIDE 9

TCP Fast Open Cookie

  • 8 – 16 byte token
  • Granted and validated by servers
  • Permission to send request in SYN packet to the server
  • Validates IP ownership of client
  • Encrypts IP address of client using a server secret key
  • Expires after a timeout set by server
  • Transmitted via TCP options

SLIDE 10

[Diagram: cookie request, on a regular TCP connection]
  1. Request cookie – client sends SYN + TFO cookie request
  2. Server generates cookie
  3. Server replies with SYN-ACK + TFO cookie; client caches cookie for server IP

SLIDE 11

[Diagram: TFO connection, continuing the cookie exchange of slide 10]
  4. Client sends SYN + TFO cookie + Data; server validates cookie
  5. Server processes data and sends response during handshake (SYN-ACK, Data)
  6. Client sends ACK

SLIDE 12

Amplified Reflection Attack

  • TFO Cookie validates client IP address
  • Attacker first has to compromise the host to access cookie
  • Straw man solution (does not require TFO cookies): defer sending server response until 3WHS completes
    – Server may still process request on receipt of SYN w/ data
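The server-side cookie and fallback rules of slides 7, 9 and 12, worked through as an added example in Go (not the paper's or the Linux kernel's code): the cookie is the first 8 bytes of the client IP encrypted with AES-128 under a server secret, validated against the SYN's source address before any data is processed, with a pending-connection threshold and expiry by key rotation. The type and method names, the rotation scheme and the IP addresses used in the test are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"net"
	"time"
)

// Constructed example (not the paper's or the Linux kernel's code) of the
// server-side TFO rules on slides 7, 9 and 12. Type and method names are assumed.
type TFOServer struct {
	key       []byte        // 16-byte server secret (AES-128, as with CryptoAPI AES on slide 14)
	issued    time.Time     // when the current key was installed
	lifetime  time.Duration // cookie timeout chosen by the server
	pending   int           // TFO connections still completing the handshake
	threshold int           // at this many pending, fall back to a regular 3WHS
}

// Rotate installs a new secret; every cookie minted under the old one expires.
func (s *TFOServer) Rotate(key []byte, now time.Time) { s.key, s.issued = key, now }
// Grant mints the cookie sent in the SYN-ACK (slide 10): the client IP, in its
// 16-byte form, is encrypted as one AES block and the first 8 bytes are the token.
func (s *TFOServer) Grant(ip net.IP) []byte {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		panic(err) // a wrong key length is a programming error in this example
	}
	var in, out [aes.BlockSize]byte
	copy(in[:], ip.To16())
	block.Encrypt(out[:], in[:])
	return out[:8]
}

// AcceptSYNData decides whether data in a SYN may be processed before the
// handshake completes; false means fall back to regular TCP (slides 7 and 12).
func (s *TFOServer) AcceptSYNData(src net.IP, cookie []byte, now time.Time) (bool, string) {
	if now.Sub(s.issued) > s.lifetime {
		return false, "cookie expired: rotate the key and grant a fresh cookie"
	}
	if subtle.ConstantTimeCompare(cookie, s.Grant(src)) != 1 {
		return false, "cookie does not match source IP (spoofed or stale SYN)"
	}
	if s.pending >= s.threshold {
		return false, "pending TFO connections at threshold"
	}
	s.pending++
	return true, "process request during handshake"
}
func (s *TFOServer) Complete() { s.pending-- } // handshake finished or attempt dropped
```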

SLIDE 13

Middlebox Concerns

Behavior with new TCP options or SYN w/ data

[Diagram: middlebox fallback]
  1. Client sends SYN + TFO cookie + Data
  2. SYN w/ data dropped
  3. Timeout (RTO cached): client retransmits a plain SYN, server answers SYN-ACK, client sends ACK and the Data is retransmitted

TCP 3-way handshake fallback always available

SLIDE 14

Implementation

Kernel – Linux 2.6.34
  • 2000 lines of modifications to TCP stack
  • Congestion control not directly affected, only connection setup is changed
  • AES functions from CryptoAPI for cookie operations

Applications

Client – Chrome browser
  • sendto() and sendmsg() system calls with new MSG_TFO flag
  • Chrome supports TCP Fast Open since mid 2010

Server – Apache
  • Socket option to enable TCP Fast Open on listen socket

SLIDE 15

Evaluation

Metric – Page Load Time (PLT)

Web page replay tool – 2 modes
  • Record – saves DNS and web pages accessed
  • Replay – serves as proxy and serves requests locally

Testbed: 1 x Intel Core 2 Quad CPU 2.4GHz, 8 GB RAM

Dummynet
  • Emulate different RTTs – 20ms, 100ms, 200ms
  • 4Mbps downlink, 256Kbps uplink, 128KB buffer

Persistent HTTP connections – enabled

SLIDE 16

Page Load Time

% Improvement due to TCP Fast Open

Page                 RTT = 20ms   RTT = 100ms   RTT = 200ms
amazon.com               4            10            11
nytimes.com              4             6            18
wsj.com                  5             7            11
TCP Wikipedia Page       7            16            41

Up to 41% improvement in PLT

SLIDE 17

Related Work

T/TCP
  • Motivating application: Transactional RPC
  • Additional state: Per client counter
  • Pros/Cons: Insecure; incompatible with server farms

TCPCT – Rapid Restart
  • Motivating application: DNSSEC & Web
  • Additional state: Per client TCB on server
  • Pros/Cons: Per client state; so incompatible with server farms

ASAP
  • Motivating application: Web
  • Additional state: None
  • Pros/Cons: More generality; computational overhead
SLIDE 18

Conclusion

  • TCP Fast Open enables safe data exchange during TCP handshake
  • Incrementally deployable, backwards compatible, middlebox friendly
  • 5 – 40% improvement in page load time

Ongoing work
  • Published IETF draft: http://tools.ietf.org/html/draft-cheng-tcpm-fastopen-01
  • In the process of deploying at Google
  • Patch for Linux kernel (soon to be published)

SLIDE 19

Thank You