Chasing EME: Arguments For An End-Middle-End Internet
Connection establishment in the Internet has remained unchanged from its original design in the 1970s. First, the path between the communicating endpoints is assumed to always be open: an endpoint is assumed to reach any other endpoint by simply sending a packet addressed to the destination. This assumption is no longer borne out in practice: Network Address Translators (NATs) prevent all hosts from being addressed, firewalls prevent all packets from being delivered, and middleboxes transparently intercept packets without endpoint knowledge. Second, the Internet strives to deliver all packets addressed to a destination regardless of whether the packet is ultimately desired by the destination or not. Denial of Service (DoS) attacks are therefore commonplace, and the Internet remains vulnerable to flash worms.

This thesis presents the End-Middle-End (EME) requirements for connection establishment that the modern Internet should satisfy, and explores the design space of a signaling-based architecture that meets these requirements with minimal changes to the existing Internet. In so doing, this thesis proposes solutions to three real-world problems.

First, it focuses on the problem of TCP NAT traversal, where endpoints behind their respective NATs today cannot establish a direct TCP connection with each other due to default NAT behavior. It presents a set of techniques, called STUNT, that solves this problem without any changes to NATs or to existing operating systems. In STUNT, the communicating endpoints use signaling to coordinate the creation of NAT state that then enables a direct TCP connection.

The second problem this thesis focuses on is that of mitigating unwanted traffic on the Internet, such as DoS attacks and worms, originating from botnets. It presents a simple architecture, called ShutUp, that mitigates unwanted traffic in a completely End-to-End (E2E) manner without requiring any changes to the network. Trusted code near the source of unwanted traffic, for instance in the virtualization layer, network card, or nearby router, responds to signals from the destination by taking corrective action.

Finally, this thesis focuses on the broader problem of establishing connections that adhere to all applicable network policy, including access control, multihomed route control, and middlebox usage -- all open problems in today's Internet. This thesis presents the NUTSS architecture, which takes into account policy set by all stakeholders, including both the endpoints and the middle networks. NUTSS uses name-based signaling to negotiate high-level policy before connection establishment, and couples it to address-based signaling for efficient enforcement during the connection lifetime. NUTSS does not change the protocol stack and can be deployed incrementally.

Solving each of the aforementioned problems requires a departure from the original Internet architecture. Yet in this thesis clean-slate solutions are expressly avoided in favor of evolutionary changes. The central argument of this thesis is that solving a wide range of architectural shortcomings of today's Internet and deploying the solutions incrementally are not mutually exclusive.
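The STUNT point above, that signaling lets two NATed endpoints create the NAT state a direct TCP connection needs, can be seen in a small simulation. This is an added example, not code from the thesis: it assumes a simplified NAT model (endpoint-independent mapping, endpoint-dependent filtering) and a rendezvous server `RENDEZVOUS` used only for the out-of-band signaling; STUNT's actual packet-level mechanisms are not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

class Nat:
    """Constructed NAT model: endpoint-independent mapping (one public port per
    internal socket) and endpoint-dependent filtering (an inbound SYN is forwarded
    only if it comes from an external endpoint the internal socket already sent to)."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.mappings: dict[Endpoint, Endpoint] = {}        # internal -> public
        self.contacted: dict[Endpoint, set[Endpoint]] = {}  # public -> remotes sent to

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal host sends a SYN to dst; this is what creates NAT state."""
        if src not in self.mappings:
            self.mappings[src] = Endpoint(self.public_ip, self.next_port)
            self.next_port += 1
        pub = self.mappings[src]
        self.contacted.setdefault(pub, set()).add(dst)
        return pub

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """SYN arriving from outside: translated and forwarded, or dropped."""
        if src not in self.contacted.get(dst, set()):
            return None                                     # no state: dropped
        return next(i for i, p in self.mappings.items() if p == dst)

RENDEZVOUS = Endpoint("203.0.113.9", 3478)  # assumed signaling server (TEST-NET address)

def unsolicited_connect(nat_a: Nat, nat_b: Nat, a: Endpoint, b: Endpoint) -> Optional[Endpoint]:
    """Default Internet behaviour: A simply sends a SYN to B's public address."""
    pub_b = nat_b.outbound(b, RENDEZVOUS)  # B has a mapping, e.g. from earlier traffic
    pub_a = nat_a.outbound(a, pub_b)
    return nat_b.inbound(pub_a, pub_b)     # NAT_B never saw B talk to pub_a: dropped

def coordinated_connect(nat_a: Nat, nat_b: Nat, a: Endpoint, b: Endpoint):
    """Signaling-assisted: both sides learn their public endpoints via the
    rendezvous, exchange them out of band, then each sends an outbound SYN."""
    pub_a, pub_b = nat_a.outbound(a, RENDEZVOUS), nat_b.outbound(b, RENDEZVOUS)
    nat_a.outbound(a, pub_b)                # A's SYN creates state at NAT_A ...
    first = nat_b.inbound(pub_a, pub_b)     # ... but NAT_B has no state yet: dropped
    nat_b.outbound(b, pub_a)                # B's SYN creates state at NAT_B ...
    second = nat_a.inbound(pub_b, pub_a)    # ... and passes NAT_A, reaching A
    return first, second                    # (None, a): state on both NATs now exists
```

Once both NATs hold state, the peers' subsequent SYNs pass in both directions and the TCP handshake can complete without either NAT or operating system being modified, which is the property the abstract attributes to STUNT.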