What’s (probably) coming next in SMB SMB Core Dev team

Microsoft Corporation

Big things in flight

Compression Security QUIC

Question breaks

Compress SMB payloads

Better perf over narrow/congested networks

Good at large, inefficient data formats

Shipped (partial story) in 19H1 aka 1903

Compression

Pattern 0: All-zero

Pattern 1: [0-255]…

Pattern 2: Not Compressible

Data Patterns Used

SMB Compression Demo

Client negotiates for compression via negotiate context:

Server responds with compression algorithm(s) XPRESS, XPRESS Huffman, LZNT1, PATTERN_V1:

Negotiation

Algorithm Id 1Algorithm Count Algorithm Id 2

2 Byte 2 Byte 2 Byte

Selected

Algorithm Count

Selected

Algorithm ID 1

2 Byte

Selected

Algorithm ID 2

2 Byte

New, compact transform header for SMB Compression

Current transform header is 52 bytes and not 8-byte aligned

Compress and Decompress

Reserved 1* Reserved 2*Algorithm

Protocol ID 8B

16B

Original Message Size

When compressing & encrypting, nest the transform headers

Compressing encrypted packets means bad compression ratio, so force encryption after compression

Interop

SMB Encryption

Transform Header

SMB Compression

Transform Header

SMB2 HEADER and

other payload …

Data Pattern 1, Seq Write, End-to-end throughput (Gbps)

11

0

20

40

60

80

100

120

140

160

180

1 2 3 4

Series1 Series2

Data Pattern 1, Seq Write, CPU Usage (%)

12

0

10

20

30

40

50

60

70

80

90

1 2 3 4

Series1 Series2 Series3 Series4

Data Pattern 1, Seq Write, Total Network Usage to Transmit 1TB of Data (GB)

13

0

200

400

600

800

1000

1200

1 2 3 4

Series1 Series2

Sampled for CopyFile()

Usage customizable via registry

No user interfaces or management yet

Documented in Open Protocol Spec

Windows implementation details

Questions about compression?

Accelerated Signing

RDMA Signing and Encryption

Security

Historical: SMB 3.1.1 client only supported CMAC

Irony: encryption perf better than signing

Now: Adding AES-GMACBetter perf algorithm

Nonce with each packet improves replay attack prevention

Signature validation moved to lower layers for faster rejection

Accelerated Signing

Client will support AES128-GMAC

Append neg context (ID = 0x0008) algorithm count & algorithm IDs:

Server selects algorithm, responds:

Negotiate

Algorithm Count Algorithm Id 1 Algorithm Id 2

2 Byte 2 Byte 2 Byte

0x0001 Selected Algorithm ID

2 Byte

Historical: enabling sign/encrypt on SMB Direct Disabled RDMA direct placement

Tanked performance, worse than TCP!

Hard to diagnose

Irritates a valuable customer persona: security focused

Now: Separating sign/seal of RDMA payload from SMB message

Not free, but much better

RDMA Signing and Encryption

Perf gain over current packet-based encrypted traffic

Planned design:Encrypt RDMA buffer

Include signature in SMB payload

Improved sign and encrypt in RDMA

Signature and

NonceTransform Descriptor

Signature

Length

Signature

Offset

Nonce

Length

Nonce

Offset

Original Message SizeReserved

1

Reserved

2

Channel

Offset

Channel

Length

Channel

(V1 or V1 Invalidate)

SMB2 HEADER SMB2 REQ WRITE RDMA Descriptor

8B

16B

24B

Questions about security?

Google-derived

Internet-ready

Secure-by-default MitM protection

IETF standardized (someday)

Low latency, low congestion

UDP/443, but H2 and TCP-like

“QUIC” stands for nothing ¯\_(ツ)_/¯

QUIC

SMB over QUIC Demo

Upsides:

Prevents server spoofing via server cert

QUIC connection always protected by TLS encryption

Avoid being blocked by providers – 443, not 445

SMB basically unchanged, QUIC becomes VPN-like

Downsides:

Edge network-centric

Much lower perf than even SMB-encrypted

NTLM likely for SMB

SMB over QUIC upsides/downsides

QUIC connection latency reduction: 0-RTT

SMB over TCP

SMB_COM_NEGOTIATE Request

SMB2_NEGOTIATE Response

DNS Query

DNS response

TCP SYN/ACK

TCP SYN

TCP ACK

DNS: 1 RTT

to Name

Server

TCP: 1

RTT

SMB

Session

Setup

Pre-resolve

TCP Fast Open

SMB over QUIC

QUIC Request / SMB_COM_NEGOTIATE Request

SMB2_NEGOTIATE Response

DNS Query

DNS response

QUIC Reply

QUIC Request

DNS: 1 RTT

to Name

Server

QUIC:

Handshake

Including

TLS

SMB

Session

Setup

Pre-resolve

SMB/QUIC: Components

WSK SMBDTDI QUIC

MRXSMB

MRXSMB20MRXSMB10

RDBSS

Multichannel / Signing / Encryption / Compression

TCP NDK/RDMA

UDP

Multiplexing

TLS

Congestion Control

NICRNIC

WSKSMBD TDIQUIC

TCPNDK/RDMA

UDP

Multiplexing

TLS

Congestion Control

RNICNIC

SRVNET/SRVADMIN

SRV (SMB 1.0) SRV20 (SMB 2.x)

Multichannel / Signing / Encryption / Compression

Local File SystemApplication

QUICK will be another protocol option used side by side with WSK and RDMA

Try WSK/RDMA, sleep 100ms, try QUIC, x10

Usage customizable via registry

NTLM very likely for SMB Looking into alternatives like KDC Proxy, others

No user interfaces or management yet, but ADCS can deploy certificates

Windows implementation details

Questions about QUIC?

Native support for FileNormalizedNameInformation

Directory Caching EnhancementsWindows clients can now cache much larger directories ~ 500K entries.

Will attempt directory queries with 1 MB buffers to reduce round trips and improve performance

Important note to implementers: do not fail when seeing new SMB capabilities, just ignore

Other changes

Thanks!

Don’t forget those surveys :)

© Copyright Microsoft Corporation. All rights reserved.