asap: a low-latency transport layer - sigcomm
TRANSCRIPT
ASAP: A Low-Latency Transport Layer
Wenxuan Zhou, Qingxi Li, Matthew Caesar, Brighten Godfrey
Saturday, December 3, 2011
Not so fast, Internet...
• Fetching a popular website
time wget www.phdcomics.com
2
Saturday, December 3, 2011
Not so fast, Internet...
• Fetching a popular website
time wget www.phdcomics.comreal 895ms
2
Saturday, December 3, 2011
Not so fast, Internet...
• Fetching a popular website
time wget www.phdcomics.com
100%[==================>] 10,560 65.2K/s in 200ms
real 895ms
2
Saturday, December 3, 2011
Not so fast, Internet...
• Fetching a popular website
• Single packet latency
time wget www.phdcomics.com
100%[==================>] 10,560 65.2K/s in 200ms
real 895ms
ping 69.17.116.124 (www.phdcomics.com)
time=76.3ms
2
Saturday, December 3, 2011
Not so fast, Internet...
• Fetching a popular website
• Single packet latency
• Why is the web so slow?
time wget www.phdcomics.com
100%[==================>] 10,560 65.2K/s in 200ms
real 895ms
ping 69.17.116.124 (www.phdcomics.com)
time=76.3ms
2
Saturday, December 3, 2011
What’s a few hundred milliseconds?
4
sear
ches
per
use
r
[Jake Brutlag, Google, 2009]
+200ms+400ms
--- actual—— trend
0.2%
0%
-0.2%
-0.4%
-0.6%
-0.8%
-1%
week1 week2 week3 week4 week5 week6
Saturday, December 3, 2011
What’s a few hundred milliseconds?
4
sear
ches
per
use
r
[Jake Brutlag, Google, 2009]
+200ms+400ms
--- actual—— trend
0.2%
0%
-0.2%
-0.4%
-0.6%
-0.8%
-1%
week1 week2 week3 week4 week5 week6
$200 M/yr
Saturday, December 3, 2011
Protocols cause delay
Client
Local DNS
Auth. DNS
Web server
Name Resolution
6
Saturday, December 3, 2011
Protocols cause delay
Client
Local DNS
Auth. DNS
Web server
Name Resolution
6
Saturday, December 3, 2011
Protocols cause delay
Client
Local DNS
Auth. DNS
Web server
TCPHandshake
Name Resolution
6
Saturday, December 3, 2011
Protocols cause delay
Client
Local DNS
Auth. DNS
Web server
TCPHandshake
Name Resolution
6
Saturday, December 3, 2011
Protocols cause delay
Client
Local DNS
Auth. DNS
Web server
TCPHandshake
Name Resolution
6
Saturday, December 3, 2011
Local DNS
Auth. DNS
Sources of Delay
TCPHandshake
Name Resolution
Web server
Client
7
Saturday, December 3, 2011
Local DNS
Auth. DNS
Sources of Delay
TCPHandshake
Name Resolution
Waiting forFirst Byte
Web server
Client
7
Saturday, December 3, 2011
Local DNS
Auth. DNS
Sources of Delay
TCPHandshake
Name Resolution
Waiting forFirst Byte
DataTransmission
Web server
Client
7
Saturday, December 3, 2011
Local DNS
Auth. DNS
Sources of Delay
TCPHandshake
Name Resolution
Waiting forFirst Byte
DataTransmission
41.5% 20.5% 24.6% 13.4%
Web server
Client
7
Saturday, December 3, 2011
Local DNS
Auth. DNS
Sources of Delay
TCPHandshake
Name Resolution
Waiting forFirst Byte
DataTransmission
41.5% 20.5% 24.6% 13.4%
Web server
Fat pipe primarily helps here
Client
7
Saturday, December 3, 2011
Our Design: ASAPGoals:
Reduce latency
Retain security and deployability
8
Saturday, December 3, 2011
Our Design: ASAPGoals:
Reduce latency
Retain security and deployability
Key idea 1: Piggyback connection setup on name resolution
8
Saturday, December 3, 2011
Our Design: ASAPGoals:
Reduce latency
Retain security and deployability
Key idea 1: Piggyback connection setup on name resolution
Add connection information into name lookup message.
8
Saturday, December 3, 2011
Our Design: ASAPGoals:
Reduce latency
Retain security and deployability
Key idea 1: Piggyback connection setup on name resolution
Add connection information into name lookup message.
Key idea 2: Bypass handshaking
8
Saturday, December 3, 2011
Our Design: ASAPGoals:
Reduce latency
Retain security and deployability
Key idea 1: Piggyback connection setup on name resolution
Add connection information into name lookup message.
Key idea 2: Bypass handshaking
Servers respond to the request with data directly.
8
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Web server
9
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Address of “CI.x.com”?
Web server
9
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Address of “CI.x.com”?
Web server
9
Source IP, Source Port, Dest IP, Dest Port,
Sequence #,...HTTP GET index.html
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Web server
10
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Web server
10
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
Address of “CI.x.com”?
CI: connection information
Web server
10
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Web server
11
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Web server
11
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI
CI: connection information
Web server
11
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Web server
12
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Web server
12
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Data
Web server
12
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Data
Web server
12
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Data
Web server
12
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
Our Design: ASAP
CI: connection information
Data
Web server
12
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
ASAP ImprovementCurrent Internet
Web server
13
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
ASAP ImprovementCurrent Internet
Web server
13
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
ASAP ImprovementASAPCurrent Internet
Web server
13
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
ASAP ImprovementASAPCurrent Internet
Web server
13
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
ASAP Improvement
Time we save:
ASAPCurrent Internet
Web server
13
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
ASAP Improvement
Time we save:
ASAPCurrent Internet
Web server
13
Saturday, December 3, 2011
Client
Local DNS
Auth. DNS
ASAP Improvement
Time we save:
ASAPCurrent Internet
Web server
13
Saturday, December 3, 2011
Challenges and Solutions
14
Problem: Breaks DNS caching
Solution: Client also sends a standard DNS query
Saturday, December 3, 2011
Challenges and Solutions
14
Problem: Breaks DNS caching
Solution: Client also sends a standard DNS query
Problem: All queries traverse a single Auth. DNS
Saturday, December 3, 2011
Challenges and Solutions
14
Problem: Breaks DNS caching
Solution: Client also sends a standard DNS query
Problem: All queries traverse a single Auth. DNS
Solution: Another layer of Auth. DNS at servers
Saturday, December 3, 2011
Challenges and Solutions
14
Problem: Breaks DNS caching
Solution: Client also sends a standard DNS query
Problem: All queries traverse a single Auth. DNS
Solution: Another layer of Auth. DNS at servers
Problem: Eliminating 3-way handshake makes DoS attacks easier
Saturday, December 3, 2011
Challenges and Solutions
14
Problem: Breaks DNS caching
Solution: Client also sends a standard DNS query
Problem: All queries traverse a single Auth. DNS
Solution: Another layer of Auth. DNS at servers
Problem: Eliminating 3-way handshake makes DoS attacks easier
Solution: Hand reusable certificates to clients
Saturday, December 3, 2011
Challenges and Solutions
14
Problem: Breaks DNS caching
Solution: Client also sends a standard DNS query
Problem: All queries traverse a single Auth. DNS
Solution: Another layer of Auth. DNS at servers
Problem: Eliminating 3-way handshake makes DoS attacks easier
Solution: Hand reusable certificates to clients
Saturday, December 3, 2011
Security Problem: DoS Attack
Attacker
Victim
Web server
Web server
Web server
Web server
Reflection/Amplification DoS attack
15
Saturday, December 3, 2011
Security Problem: DoS Attack
Attacker
Victim
Web server
Web server
Web server
Web server
Reflection/Amplification DoS attack
I’m the Victim, I want this data.
15
Saturday, December 3, 2011
Security Problem: DoS Attack
Attacker
Victim
Web server
Web server
Web server
Web server
Reflection/Amplification DoS attack
I’m the Victim, I want this data.
Data
15
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
16
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
Solution: Cryptographic proofs
16
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
Solution: Cryptographic proofs
16
ProvenanceVerifier (PV)
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
Solution: Cryptographic proofs
Choices of PV:•Web server•CDN•Trusted 3rd party•…
16
ProvenanceVerifier (PV)
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
Solution: Cryptographic proofs
Choices of PV:•Web server•CDN•Trusted 3rd party•…
16
ProvenanceVerifier (PV)
Client
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
Solution: Cryptographic proofs
Web Server
Choices of PV:•Web server•CDN•Trusted 3rd party•…
16
ProvenanceVerifier (PV)
Client
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
Solution: Cryptographic proofs
Web Server
Choices of PV:•Web server•CDN•Trusted 3rd party•…
16
ProvenanceVerifier (PV)
Client
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
Solution: Cryptographic proofs
Web Server
Certificate Choices of PV:•Web server•CDN•Trusted 3rd party•…
16
ProvenanceVerifier (PV)
Client
I certify this client uses IP address xxx
Saturday, December 3, 2011
Security MechanismGoal: Servers verify client’s address without adding an RTT
Solution: Cryptographic proofs
Web Server
Certificate Choices of PV:•Web server•CDN•Trusted 3rd party•…
16
ProvenanceVerifier (PV)
Client
I certify this client uses IP address xxx
I certify this client uses IP address xxx
Saturday, December 3, 2011
Security Mechanism (cont’d)Problem: Eavesdropping
Solution: Multiple PVs
18
Saturday, December 3, 2011
Security Mechanism (cont’d)Problem: Eavesdropping
Solution: Multiple PVs
PV2
18
PV1
Saturday, December 3, 2011
Security Mechanism (cont’d)Problem: Eavesdropping
Solution: Multiple PVs
PV2
18
PV1
Saturday, December 3, 2011
Security Mechanism (cont’d)Problem: Eavesdropping
Solution: Multiple PVs
PV2
18
PV1
Saturday, December 3, 2011
Security Mechanism (cont’d)Problem: Eavesdropping
Solution: Multiple PVs
PV2
18
PV1
Saturday, December 3, 2011
Security Mechanism (cont’d)Problem: Eavesdropping
Solution: Multiple PVs
PV2
18
PV1
Attackable
Saturday, December 3, 2011
Results: Eavesdropping Defense
0%
20%
40%
60%
80%
100%
1 PV 2 PVs 3 PVs TCP
19
Attackability
TCPASAP ASAPASAP
Saturday, December 3, 2011
Results: Eavesdropping Defense
0%
20%
40%
60%
80%
100%
1 PV 2 PVs 3 PVs TCP
• One PV is vulnerable to the attacker• Two PVs reduce the attacker’s effectiveness dramatically
19
Attackability
TCPASAP ASAPASAP
Saturday, December 3, 2011
Deployability
ASAP requires changes to some parts of the Internet
But only to devices under the client’s and server’s control
Auth. DNS, End host clients, Server
This simplifies deployability
20
Saturday, December 3, 2011
Experimental Results
21
ASAP has both benefits and costs
Improved latency, at the cost of some additional processing overhead
Saturday, December 3, 2011
Experimental Results
21
ASAP has both benefits and costs
Improved latency, at the cost of some additional processing overhead
Metrics
Saturday, December 3, 2011
Experimental Results
21
ASAP has both benefits and costs
Improved latency, at the cost of some additional processing overhead
Metrics
Reduced latency
Saturday, December 3, 2011
Experimental Results
21
ASAP has both benefits and costs
Improved latency, at the cost of some additional processing overhead
Metrics
Reduced latency
Processing overhead
Saturday, December 3, 2011
Experimental Results
21
ASAP has both benefits and costs
Improved latency, at the cost of some additional processing overhead
Metrics
Reduced latency
Processing overhead
Implementation
Saturday, December 3, 2011
Experimental Results
21
ASAP has both benefits and costs
Improved latency, at the cost of some additional processing overhead
Metrics
Reduced latency
Processing overhead
Implementation
Linux Kernel
Saturday, December 3, 2011
Experimental Results
21
ASAP has both benefits and costs
Improved latency, at the cost of some additional processing overhead
Metrics
Reduced latency
Processing overhead
Implementation
Linux Kernel
User-space on planet-lab
Saturday, December 3, 2011
Results: Latency of a Download
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
1
0 0.5 1 1.5 2
fract
ion o
f tr
ials
time (seconds)
Round Trip Time
22
Saturday, December 3, 2011
Results: Latency of a Download
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
1
0 0.5 1 1.5 2
fract
ion o
f tr
ials
time (seconds)
Round Trip Time
ASAP
23
Saturday, December 3, 2011
Results: Latency of a Download
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
1
0 0.5 1 1.5 2
fract
ion o
f tr
ials
time (seconds)
Round Trip Time
ASAP
TCP
24
Saturday, December 3, 2011
Results: Latency of a Download
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
1
0 0.5 1 1.5 2
fract
ion o
f tr
ials
time (seconds)
Round Trip Time
ASAP
TCP
• ASAP provides a significant reduction in latency over TCP
24
Saturday, December 3, 2011
Results: Computational Overhead
0
0.2
0.4
0.6
0.8
1
0.1 1 10
fract
ion o
f tr
ials
time (ms)
Serv
er
PV
Clie
nt
25
Saturday, December 3, 2011
Results: Computational Overhead
0
0.2
0.4
0.6
0.8
1
0.1 1 10
fract
ion o
f tr
ials
time (ms)
Serv
er
PV
Clie
nt
25
• Client, PV, and server overheads are low• A single PV server could handle tens of millions of clients
Saturday, December 3, 2011
Related Work: TCP Fast Open
26
ASAP TCP Fast Open
Similarities
DifferencesDifferences
Bypass three way handshakeUse a security proof verifying address ownershipBypass three way handshakeUse a security proof verifying address ownership
Piggyback connection setup on name resolutionRequire changes to Auth. DNS
Name resolution not involved
Certificates for security proof (can be used across domains)
Cookies for security proof (easier to compute)
Saturday, December 3, 2011
Conclusions
27
ASAP merges functions of DNS and TCP, and eliminates 3WH to reduce latency of interactive requests
Saturday, December 3, 2011
Conclusions
27
ASAP merges functions of DNS and TCP, and eliminates 3WH to reduce latency of interactive requests
Reduces latency by up to 2 RTTs
Saturday, December 3, 2011
Conclusions
27
ASAP merges functions of DNS and TCP, and eliminates 3WH to reduce latency of interactive requests
Reduces latency by up to 2 RTTs
Retains protection against attacks
Saturday, December 3, 2011
Conclusions
27
ASAP merges functions of DNS and TCP, and eliminates 3WH to reduce latency of interactive requests
Reduces latency by up to 2 RTTs
Retains protection against attacks
Implementation:
Saturday, December 3, 2011
Conclusions
27
ASAP merges functions of DNS and TCP, and eliminates 3WH to reduce latency of interactive requests
Reduces latency by up to 2 RTTs
Retains protection against attacks
Implementation:
User-space and Kernel-space
Saturday, December 3, 2011
Conclusions
27
ASAP merges functions of DNS and TCP, and eliminates 3WH to reduce latency of interactive requests
Reduces latency by up to 2 RTTs
Retains protection against attacks
Implementation:
User-space and Kernel-space
Available at: http://www.cs.illinois.edu/~wzhou10/asap.tar.gz
Saturday, December 3, 2011
Backup: Security Mechanism
28
ProvenanceVerifier (PV)
Client
Web Server
1. {Kcpub, dc}
Saturday, December 3, 2011
Backup: Security Mechanism
28
ProvenanceVerifier (PV)
Client
Web Server
1. {Kcpub, dc}
2. PC={Kcpub, ac, t, d} Kpv
priv
Saturday, December 3, 2011