SNA:%20Sourceless%20Network%20Architecture

1
SNA Sourceless Network Architecture

• Jon Crowcroft, Marcelo Bagnulo
• Jon.Crowcroft_at_cl.cam.ac.uk, marcelo_at_it.uc3m.es

2
Why are there src addrs in datagrams?

• 0 1 2
  3
• 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
  3 4 5 6 7 8 9 0 1
• -----------------------
  ---------
• Version IHL Type of Service
  Total Length
• -----------------------
  ---------
• Identification Flags
  Fragment Offset
• -----------------------
  ---------
• Time to Live Protocol
  Header Checksum
• -----------------------
  ---------
• Source Address
  
• -----------------------
  ---------
• Destination Address
  
• -----------------------
  ---------
• Options
  Padding
• -----------------------
  ---------
• Example Internet Datagram
  Header
• Remember this? (RFC 791? )

3
So why is there a src adr there?

• Its a Datagram, Stupid
• So Not all higher layers want to send something
  back!
• Indeed, UDP doesnt
• (oh, ok RTP might? but RTP has its own src id
  mechanism (including auth))
• But by the time recipitient gets pkt
• What makes you think src is still where it
  said it was?
• Indeed, NATs mean it isnt/wasnt

4
Some people want to do xx

• IPv4 addresses conflate things in a number of
  horrible ways
• Routing hintsInterface Specification
• Part of Transport Multiplex Id (aks flow,
  5-tuple, pre-deep-pkt-inspection god)
• Ingress Police Key
• Xx addresses (88, 44)
• Before and After X LocatorIdentifier
• Only one intepretation
• Or real 1 addr realm 2 addr
• E.g. route to egress point in realm 1, then
  switch to route to realm 2 addr
• (and poss. Rewrite source now to be source of
  inter-realm router)

5
Why are there src addrs in datagrams?

• 0 1 2
  3
• 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
  3 4 5 6 7 8 9 0 1
• -----------------------
  ---------
• Version IHL Type of Service
  Total Length
• -----------------------
  ---------
• Identification Flags
  Fragment Offset
• -----------------------
  ---------
• Time to Live Protocol
  Header Checksum
• -----------------------
  ---------
• Destination Identifier or
  Next Realm Addr
• -----------------------
  ---------
• Destination Locator or
  This Realm Addr
• -----------------------
  ---------
• Options
  Padding
• -----------------------
  ---------
• Internet SNA Header
• We have 2 32 bit fields can be routeable IP
  addresses in different realms or could be IDLoc
  (ID could be HIP or other), or actually anything
  you want..

6
Whats good about this?

• Get 232 Internets right now
• Packets still forwarded by all core routers
• and around 60 of ingress routers
• Can do mobile right immediately
• Can do multihoming right immediately
• Can do multipath right immediately
• articulation point (inter-realm) is visible to
  end system (unlike in map or encap)
• Dont need IPv6 ever ? or ?
• (modulo next slide? )

7
What are the problems with this?

• Transports that do want to answer
• TCP, RPC (DNS/SNMP), SCTP, RTP/UDP
• ICMP
• Mistakes, errors, bad stuff
• Ingress Policing
• Net to End signaling in general

8
What are the problems with this 1?

• Transports that do want to answer
• We argue they need to answer
• a transport entity
• A network identity, not a location
• Furthermore, we can implement lite with
• Shim, proxy, or new transport noop.
• Fix to TCP is 4 lines of code
• Much of the shim6,sixone,hip work applies
  immediately
• Transport Setup needs to send Handle used to
  lookup 44/SNA dst FQDN
• DNS or LISP or other new Server can return
  FQDN-SNA Mappings
• Subsequent packets can do cookie thing (viz SCTP)

9
What are the problems with this 2?

• ICMP
• 4 important(ish) cases
• Redirect is link local so triv.
• Echo is an application so can mod (and not on
  fast path)
• Errors (unreachables) were always a bad idea
  (except maybe port unreachable, which is an
  application/transport
• MTU discovery- can do by sending fragsizeexceed
  to destination
• In legacy case (if you must) source can always
  start with a few IPv4 source addr (locator)
  packets intermingled just to elicit some of the
  required answers (e.g. MTU discovery, or
  traceroute legacy support)
• Note, misdirected ICMP errors can be handled,
  because they include sufficient of the original
  packet that caused the problem, that an
  unintended receiver can (and will in most popular
  known end system Oss) discard

10
What are the problems with this 3?

• Ingress Policing
• Can do at ingress link local (or theres only one
  host on xDSL line ?
• Or you have transport info
• Have source identifier in transport that matters
  (i.e. anyone you want to DOS attack will ignore
  you if you dont have an identifier, in the new
  packet
• so only if you put one there do you get to go
  towards source, but you need a source id to be
  TCP-SNA compliant so you give away your idso
  game over.

11
Multi- transport

• So I now have a transport multiplex with 2 64 bit
  idloc
• but can wildcard the loc part to do multi-
• (for now, can put it 1 hop away too i.e. in
  access router, and proxy for the state similar
  to tcp header compression)?
• M (Mark-Handley, Mobile, Multihome, Multipath,
  Mom-n-Pop, Me
• This does mobile seamlessly
• This lets me do multi-home
• And multi-path
• And each end gets to see which part of the
  multi-path each packet arrived over
• (or is lost or ECN marked)
• Multicast currently uses source address as hook
  to build trees
• so multicast routing would have to be SNA aware
• And map an id to a loc and build a loc based
  tree
• Or just stay with IPv4 source address
• which is fine because most multicast apps are RTP
  based, and RTP isnt broken the way TCP is w.r.t.
  what it thinks is the originator of data
• So RTP/UDP multicast apps work ok if source
  changes or traffic is multipath so dont need
  the SNA change to incentive fixing?

12
Security Architectural Considerations
Considered Harmless

• I think the security considerations are done in
  HIP and Shim6 and other places
• Of course, someone (not me) better check the
  details are right ?
• Im a purist in the end-to-end race
• Source addresses shouldnt be in the net layer
  because not all ULPs want them
• Giving away your source IPv4 to any tom, dick or
  harry (or alice, bob and carol) seems a bit
  careless ?
• Others have already argued source addresses
  considered harmful for security viz
  http//www.tml.tkk.fi/pnr/publications/nordsec200
  1.ps
• Debugging the Net just got a tad harder
• Interworking with all the other
  v4/v6/lisp/nat-traversal/sixone folks is going to
  be exponentially harder (but more for them then
  this? )

13
Questions?

• What next?
• I can write this for bsd n linux in about a
  day.Should I?
• Three things needed now, 1 later
• SNA-RK (Relay Kink bit like NATSwap)
• SNA-P (Proxy, in or next to host to do legacy
  tcp)
• SNA-IL (Identifier Location mapping service ? )
• SNA-TCHI (Transports Communicating with Host IDs)
• Richard Black can probably do this in about 3
  minutes (Microsoft) should I ask him/them if
  they are interested in playing?
• Acknowledgements
• Mark Handleys unpublished 44 draft, Trilogy
  Project and IMDEA researchers input
• RFC2110

14
The only good NAT 21st century Vax