Network management of encrypted traffic
Vodafone Group
kevin.smith@vodafone.com
Security
Internet-Draft
Encrypted Internet traffic may pose traffic management challenges to network operators. This document recommends approaches to help manage encrypted traffic, without breaching user privacy or security.
Networks utilise various management techniques to ensure efficient throughput, congestion management, anti-SPAM and security measures. Historically these functions have utilised visibility of the Internet application layer.
This visibility is rapidly diminishing - encrypted Internet traffic is expected to continue its upward trend, driven by increased privacy
awareness, uptake by popular services, and advocacy from the , and W3C .
, and recognise that network management functions may be impacted by encryption, and that solutions to persist these management functions must not threaten user security or privacy. Such solutions can ensure the benefits of encryption do not degrade network efficiency.
This document lists such solutions, and points to evolving IETF work addressing the problem.
This document refers to network management functions that may be hindered by traffic encryption, as described in
It then describes the technical details of existing options to fully or partially persist these functions
under encryption. The guidance includes existing techniques as well as ongoing IETF work in this area.‘Encryption’ in this document typically refers to HTTP over TLS ; other forms of encryption are noted where applicable.
Finally, a summary is provided of ongoing IETF work which is investigating how network operators, origin servers and clients may co-operate in efficient traffic delivery without the need for pervasive network monitoring.
The legal, political and commercial aspects of network management are recgnised but not covered in this technical document.
Please refer to 'Network Service Provider Monitoring' in
This section involves utilisation of 'Application-based Flow Information Visible to a Network', .
The following protocols aim to support a secure and privacy-aware dialogue between client, server and the network elements. These hints can allow information item exchange between the endpoints and the network, to assist queuing mechanisms and traffic pacing that accounts for network congestion and variable connection strength. These relate to the cooperative path to endpoint signalling as discussed at the IAB SEMI and MaRNEW workshops, with the network following a more clearly-defined role in encrypted traffic delivery.
Data packets may be flagged with a traffic class (class of service). Network
operators may honour a DiffServ classification entering their network, or may choose to
override it (since it is potentially open to abuse by a service provider that classifies all its
content as high priority). The purpose is to help manage traffic and congestion in the
network.
This requires the content provider to flag data packets. This is extra work for
the provider, and it has potential for abuse if a content provider simply flags all packets with
high priorities. The network would need to know which flags to trust and which to override.
The use of DiffServ within the operator network is beneficial where the operator determines
the class of service itself; but where content is encrypted then heuristics would be needed to
predict the traffic type entering the network.
HTTP/2 allows several streams to be multiplexed over a single TCP connection. This means
that if a provider decides to send Web pages, videos, chat etc. as individual streams over
the same connection, then DiffServ would be useless as it would apply to the TCP/IP
connection as a whole. However it may be more efficient for such Web providers to serve
each content type from separate, dedicated servers – this will become clearer as HTTP/2
deployments are tuned for optimal delivery.
Explicit Congestion Notification routers can exchange congestion
notification headers to ECN compliant endpoints. This is in preference to inferring congestion
from dropped packets (e.g. in TCP). The purpose is to help manage traffic and congestion in
the network.
This solution is required to be implemented at network and service provider. The
service provider will utilise the ECN to reduce throughput until it is notified that congestion
has eased.
As with DiffServ, operators may not trust an external entity to mark packets in a
fair/consistent manner.
On entering an MPLS-compliant network , IP packets are flagged with a
’Forward Equivalence Class’ (FEC). This allows the network to make packet-forwarding
decisions according to their latency requirements. MPLS routers within the network parse
and act upon the FEC value. The FEC is set according to the source IP address and port.
The purpose is to help managing traffic and congestion in the network. This requires deployment of an MPLS ‘backbone’ with label-aware switches/ routers.
An up-to-date correspondence table between Websites (or service sites in general) and server IP address must be created. Then, the category(s) of traffic have to be consistently mapped to a set of
MPLS labels ,which entails a significant effort to setup and maintain.
Note: MPLS can specify how OSI Layer 3 (IP layer) traffic can be routed over Layer 2 (Data Link);
DiffServ only operates over Layer 3. DiffServ is potentially a less complex integration as it is
applied at the network edge servers only.
SPUD is a prototype to research how network devices on the path between endpoints can share information to improve a flow. The network involvement is outside of the end-to-end context, to minimise any privacy or security breach. The initial prototype involves grouping UDP packets into an explicit 'tube', however support of additional transport layers (such as TCP) will also be investigated.
Mobile Throughput Guidance In-band Signalling is a draft proposal to allows
the network to inform the server endpoint as to what bandwidth the TCP connection can reasonably expect. This allows the server to adapt their throughput pacing based on dynamic network conditions, which can assist mechanisms such as Adaptive Bitrate Streaming and TCP congestion control.
PCP Flowdata options defines a mechanism for a host to signal flow
characteristics to the network, and the network to signal its ability
to accommodate that flow back to the host. This allows certain network flows to receive service that is differentiated from other network flows, and may be used to establish flow priority before connection establishment. PCP Flowdata operates at IPv4/IPv6 level.
IPv6 includes a flow label header field. details how this may be used to identify flows for load balancing and multipath routing, which may be of particular use for application-layer encrypted traffic. The flow label field is part of the main header, which means it is not subject to the disadvantages of extension headers (namely their risk of being dropped by intermediary routers). The flow label may also be exposed as part of the outer IP packet in an IP tunnel, thus providing network flow information without compromising the payload.
Differentiated prIorities and Status Code-points Using Stun Signalling describes a mechanism for information exchange between an application and the network, viable only for UDP. As such it can be considered in the same bracket as SPUD
The IETF Active Queue Management and Packet Scheduling WG works on algorithms to manage network queues, with the aim of reducing packet delay and taming aggressive/misbehaving flows. This includes allowing flow sources to control their sending rates to avoid unnecessary losses (e.g. with ).
The Congestion Exposure WG makes congestion markings (based on congestion experienced in the flow) available to the network via IP headers, in order to drive capacity efficiency. The WG made an IPv6 binding before the group concluded, however it is feasible for the congestion exposure markings to also be transported by another mechanism, such as SPUD.
Heuristics can be used to map given input data to particular conclusions via some heuristic
reasoning. Examples of input data to this reasoning include IP destination address, TCP destination port,
server name from SNI, and typical traffic patterns (e.g. occurrence of IP packets and TCP segments over time).
The accuracy of heuristics depends on whether the observed traffic originates from a source
delivering a single service, or a blend of services. In
many scenarios, this makes it possible to directly classify the traffic related to a specific
server/service even when the traffic is fully encrypted.
If the server/service is co-located on an infrastructure with other services that shares the
same IP-address, the encrypted traffic cannot be directly classified. However, commercial
traffic classifiers today typically apply heuristic methods, using traffic pattern matching
algorithms to be able to identify the traffic. As an example, classifier products are able to
identify popular VoIP services using heuristic methods although the traffic is encrypted and
mostly peer-to-peer.
One idea from the IAB 'Managing Radio Networks in an Encrypted World' workshop was that of better co-operation between 3GPP mobile networks and Internet services on congestion management. . 3GPP networks are concerned with ensuring that all devices attached to a particular cell receive a fair share of radio resources. This is critical, since these resources are constrained to various licenced spectrum bands, and volatile due to signal strength variation/cell handover/interference etc. The resource sharing process occurs independently to TCP congestion management performed between the client and server connected via the mobile network: the result is that TCP may wrongly infer congestion and react accordingly, or attempt to accelerate throughput without consideration of the available radio resources. Therefore the notion is to investigate co-operation between radio and TCP congestion controls to better manage connection throughput.
The editor would like to thank the GSMA Web Working Group for their contributions, in particular to the technical solutions and network management functions; the contributions via the SAAG mailing list (Panos Kampanakis, Brian Carpenter); and Kathleen Moriarty and Al Morton for their guidance in aligning this draft with
There are no IANA considerations.
The intention of this document is to consider how to persist network management of encrypted traffic, without breaching user privacy or end-to-end security. In particular this document does not recommend any approach that intercepts or modifies client-server Transport Layer Security.
Pervasive Monitoring Is an Attack
Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.
Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
Differentiated services enhancements to the Internet protocol are
intended to enable scalable service discrimination in the Internet
without the need for per-flow state and signaling at every hop.
The Addition of Explicit Congestion Notification (ECN) to IP
This memo specifies the incorporation of ECN (Explicit Congestion
Notification) to TCP and IP, including ECN's use of two bits in the
IP header.
Multiprotocol Label Switching Architecture
This document specifies the architecture for Multiprotocol Label
Switching (MPLS).
HTTP Over TLS
This memo describes how to use Transport Layer Security (TLS) to secure Hypertext Transfer Protocol (HTTP) connections over the Internet. This memo provides information for the Internet community.
Using the IPv6 Flow Label for Equal Cost Multipath Routing and Link Aggregation in Tunnels
The IPv6 flow label has certain restrictions on its use. This
document describes how those restrictions apply when using the flow
label for load balancing by equal cost multipath routing and for link
aggregation, particularly for IP-in-IPv6 tunneled traffic.
IAB statement on Internet confidentiality
IAB
Effect of Ubiquitous Encryption
IETF
Mobile Throughput Guidance Inband Signaling Protocol
IETF
IAB workshop, 'Stack Evolution in a Middlebox Internet'
IAB
Substrate Protocol for User Datagrams
IETF
Securing the Web
W3C
PCP Flowdata option
Cisco
Differentiated prIorities and Status Code-points Using Stun Signalling
Cisco
Managing Radio Networks in an Encrypted World (MaRNEW)
IAB
GSMA
Active Queue Management and Packet Scheduling (IETF WG)
IETF
Congestion Exposure (concluded IETF WG)
IETF