Design and evaluation for the end-to-end detection of TCP/IP header manipulation
Abstract
Understanding, measuring, and debugging IP networks, particularly across administrative domains, is challenging. One aspect of the challenge is the presence of transparent middleboxes, which are now common in today's Internet. In-path middleboxes that modify packet headers are typically transparent to TCP, yet can impact the end-to-end performance of its connections. Of equal importance, middleboxes cause architectural ossification that hinders network protocol evolution: new options or redefined header fields are often misconstrued, modified, or disabled. We develop TCP HICCUPS to reveal packet header manipulation to both endpoints of a TCP connection. HICCUPS adds a lightweight tamper-evident seal to TCP that is incrementally deployable and introduces no new options. HICCUPS provides an optional feature, AppSalt, that allows applications to request added protection for their connection's integrity, making it more difficult for middleboxes to falsify integrity values. HICCUPS is implemented both as an operating system patch to the Linux TCP stack and as a set of cross-platform user-space tools. To evaluate HICCUPS, we deploy it to a diverse set of Internet nodes spread across 197 networks and 48 countries, measuring packet header manipulations on over 26 thousand directed port/path pairs. We discover over 11 thousand instances of unique non-NAT in-path packet header modifications across those flows, all with the potential to negatively affect TCP performance.
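The abstract's two mechanisms, a tamper-evident seal over header fields and an application-supplied salt (AppSalt) that makes a forged seal harder, can be illustrated with a small model. The following is an added example written for this page, not code from the thesis or from the HICCUPS kernel patch or user-space tools: the set of covered header fields, the 32-bit truncated hash, the use of HMAC-SHA256 when a salt is present, and the two middlebox behaviours are all assumptions chosen for illustration. In particular it does not model how HICCUPS fits the seal into existing header fields without new options, which this page does not describe. What it does show is the check each endpoint performs and why an unsalted integrity value can be recomputed by a scheme-aware middlebox while a salted one cannot.

```python
"""Conceptual model of a tamper-evident TCP/IP header seal with an optional
application salt.  Illustrative example only: not the HICCUPS wire encoding,
and the covered-field list is an assumption made for this example."""
import hashlib
import hmac
from dataclasses import dataclass, replace

SEAL_BYTES = 4  # assumed 32-bit seal; real header-space constraints not modelled


@dataclass(frozen=True)
class HandshakeHeader:
    """Fields that in-path devices are known to rewrite (illustrative selection).
    Hop-variable fields such as IP TTL are deliberately not covered, since a
    seal over them would fail on every path."""
    src_port: int
    dst_port: int
    mss: int          # MSS option, commonly clamped by middleboxes
    wscale: int       # window-scale option, sometimes stripped or altered
    sack_ok: bool     # SACK-permitted option
    ecn_flags: int    # TCP ECE/CWR bits, often cleared
    ip_ecn: int       # IP ECN codepoint (2 bits)
    ip_df: bool       # IP Don't-Fragment bit


def canonical(h: HandshakeHeader) -> bytes:
    """Serialise covered fields in fixed order and width so both endpoints
    hash identical bytes (big-endian, as on the wire)."""
    return b"".join([
        h.src_port.to_bytes(2, "big"), h.dst_port.to_bytes(2, "big"),
        h.mss.to_bytes(2, "big"), h.wscale.to_bytes(1, "big"),
        bytes([h.sack_ok]), bytes([h.ecn_flags & 0xFF]),
        bytes([h.ip_ecn & 0x3]), bytes([h.ip_df]),
    ])


def seal(h: HandshakeHeader, salt: bytes = b"") -> int:
    """Integrity value over the covered fields.  Without a salt it is a plain
    hash anyone on the path can recompute; with a salt shared by the two
    applications (the AppSalt idea) it becomes a keyed MAC."""
    data = canonical(h)
    digest = (hmac.new(salt, data, hashlib.sha256).digest() if salt
              else hashlib.sha256(data).digest())
    return int.from_bytes(digest[:SEAL_BYTES], "big")


def verify(h: HandshakeHeader, received_seal: int, salt: bytes = b"") -> bool:
    """Receiver check: recompute over the header as it actually arrived."""
    return hmac.compare_digest(seal(h, salt).to_bytes(SEAL_BYTES, "big"),
                               received_seal.to_bytes(SEAL_BYTES, "big"))


def naive_middlebox(h: HandshakeHeader, s: int):
    """Rewrites fields (MSS clamp, ECN clear) but leaves the seal untouched."""
    return replace(h, mss=1380, ecn_flags=0, ip_ecn=0), s


def forging_middlebox(h: HandshakeHeader, s: int, known_salt: bytes = b""):
    """Scheme-aware rewrite: recomputes the seal with whatever salt it holds.
    An application-chosen salt is assumed never to appear on the path, so a
    middlebox can only ever supply the empty salt."""
    h2 = replace(h, mss=1380, ecn_flags=0, ip_ecn=0)
    return h2, seal(h2, known_salt)


def run_scenarios() -> dict:
    """Constructed handshake header and salt; returns which scenarios the
    receiver detects as modified."""
    sent = HandshakeHeader(51234, 443, 1460, 7, True, 0b11, 0b10, True)
    app_salt = b"constructed-app-salt"   # constructed, shared by both apps
    out = {}
    out["clean"] = verify(sent, seal(sent))                       # True
    h, s = naive_middlebox(sent, seal(sent))
    out["naive_detected"] = not verify(h, s)                      # True
    h, s = forging_middlebox(sent, seal(sent))                    # no salt
    out["unsalted_forgery_detected"] = not verify(h, s)           # False
    h, s = forging_middlebox(sent, seal(sent, app_salt))          # salt withheld
    out["salted_forgery_detected"] = not verify(h, s, app_salt)   # True
    return out


if __name__ == "__main__":
    for name, detected in run_scenarios().items():
        print(f"{name:28s} {detected}")
```

The third scenario is the one the AppSalt feature addresses: a middlebox that understands the seal and rewrites it along with the fields is invisible to an unsalted check, and only a value the middlebox cannot derive from the packet itself restores tamper-evidence.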
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
Related items
- A Middlebox-Cooperative TCP for a non End-to-End Internet
  Craven, Ryan; Beverly, Robert; Allman, Mark (2014-08). Understanding, measuring, and debugging IP networks, particularly across administrative domains, is challenging. One particularly daunting aspect of the challenge is the presence of transparent middleboxes, which are now ...
- TCP-HICCUPS
  Unknown author (Monterey, California: Naval Postgraduate School, 2014). TCP-HICCUPS (Handshake-based Integrity Check of Critical Underlying Protocol Semantics) is a lightweight extension to TCP that can help it infer when it is being misinterpreted due to packet header modifications made by ...
- TCP HICCUPS Linux 3.9.4 kernel patch (supplement to Design and evaluation for the end-to-end detection of TCP/IP header manipulation)
  Craven, Ryan M. (Monterey, California: Naval Postgraduate School, 2014-06-03). This patch for version 3.9.4 of the Linux kernel contains the necessary additions to enable TCP HICCUPS, a lightweight tamper-evident extension to TCP. This version of the patch was used to operate servers for the Internet ...