About: TCP Fast Open is a research topic. Over its lifetime, 17 publications have been published within this topic, receiving 379 citations. The topic is also known as: Transmission Control Protocol Fast Open & TFO.
TL;DR: This paper describes the design, implementation, and deployment of the TCP Fast Open protocol, a new mechanism that enables data exchange during TCP's initial handshake and thereby decreases application network latency by one full round-trip time, reducing the delay experienced by short TCP transfers.
Abstract: Today's web services are dominated by TCP flows so short that they terminate a few round trips after handshaking; this handshake is a significant source of latency for such flows. In this paper we describe the design, implementation, and deployment of the TCP Fast Open protocol, a new mechanism that enables data exchange during TCP's initial handshake. In doing so, TCP Fast Open decreases application network latency by one full round-trip time, decreasing the delay experienced by such short TCP transfers.
We address the security issues inherent in allowing data exchange during the three-way handshake, which we mitigate using a security token that verifies IP address ownership. We detail other fall-back defense mechanisms and address issues we faced with middleboxes, backwards compatibility for existing network stacks, and incremental deployment. Based on traffic analysis and network emulation, we show that TCP Fast Open would decrease HTTP transaction network latency by 15% and whole-page load time over 10% on average, and in some cases up to 40%.
TL;DR: The contribution is to show that T-DNS significantly improves security and privacy: TCP prevents denial-of-service (DoS) amplification against others, reduces the effects of DoS on the server, and simplifies policy choices about key size.
Abstract: The Domain Name System (DNS) seems ideal for connectionless UDP, yet this choice results in challenges of eavesdropping that compromises privacy, source-address spoofing that simplifies denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and reply-size limits that constrain key sizes and policy choices. We propose T-DNS to address these problems. It uses TCP to smoothly support large payloads and to mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. TCP and TLS are hardly novel, and expectations about DNS suggest connections will balloon client latency and overwhelm servers with state. Our contribution is to show that T-DNS significantly improves security and privacy: TCP prevents denial-of-service (DoS) amplification against others, reduces the effects of DoS on the server, and simplifies policy choices about key size. TLS protects against eavesdroppers to the recursive resolver. Our second contribution is to show that with careful implementation choices, these benefits come at only modest cost: end-to-end latency from TLS to the recursive resolver is only about 9% slower when UDP is used to the authoritative server, and 22% slower with TCP to the authoritative. With diverse traces we show that connection reuse can be frequent (60 to 95% for stub and recursive resolvers, although half that for authoritative servers), and after connection establishment, experiments show that TCP and TLS latency is equivalent to UDP. With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) and estimated per-connection memory, we show that server memory requirements match current hardware: a large recursive resolver may have 24k active connections requiring about 3.6 GB additional RAM. Good performance requires key design and implementation decisions we identify: query pipelining, out-of-order responses, TCP fast-open and TLS connection resumption, and plausible timeouts.
TL;DR: In this article, the authors compare the security and availability properties of TLS-based secure channel establishment protocols, including TLS 1.3 over TCP Fast Open (TFO), Google's QUIC over UDP, and QUIC[TLS] over UDP.
Abstract: Secure channel establishment protocols such as TLS are some of the most important cryptographic protocols, enabling the encryption of Internet traffic. Reducing the latency (the number of interactions between parties) in such protocols has become an important design goal to improve user experience. The most important protocols addressing this goal are TLS 1.3 over TCP Fast Open (TFO), Google’s QUIC over UDP, and QUIC[TLS] (a new design for QUIC that uses TLS 1.3 key exchange) over UDP. There have been a number of formal security analyses for TLS 1.3 and QUIC, but their security, when layered with their underlying transport protocols, cannot be easily compared. Our work is the first to thoroughly compare the security and availability properties of these protocols. Towards this goal, we develop novel security models that permit “layered” security analysis. In addition to the standard goals of server authentication and data privacy and integrity, we consider the goals of IP spoofing prevention, key exchange packet integrity, secure channel header integrity, and reset authentication, which capture a range of practical threats not usually taken into account by existing security models that focus mainly on the crypto cores of the protocols. Equipped with our new models, we provide a detailed comparison of the above three protocols. We hope that our results will help protocol designers in their future protocol analyses and practitioners to better understand the advantages and limitations of novel secure channel establishment protocols.
TL;DR: The majority of Internet traffic is now encrypted, and support for TCP options such as Selective Acknowledgements and Maximum Segment Size (MSS) can now be assumed.
Abstract: Studies on the composition and nature of Internet protocols are crucial for continued research and innovation. This study used three different methods to investigate the presence and level of support for various Internet protocols. Internet traffic entering and exiting a university network was passively captured, anonymised and analysed to test protocol usage. Active tests probed the Internet's most popular websites and experiments on the default behaviour of popular client, server and mobile operating systems were performed to reconcile the findings of the passive data collection. These results are valuable to research areas, such as those using emulations and simulations, where realism is dependent on the accuracy of the underlying assumptions about Internet traffic. Prior work is leveraged to explore changes and protocol adoption trends. This study shows that the majority of Internet traffic is now encrypted. There has also been an increase in large UDP frames, which we attribute to the Google QUIC protocol. Support for TCP options such as Selective Acknowledgements (SACK) and Maximum Segment Size (MSS) can now be assumed. Explicit Congestion Notification (ECN) usage is still marginal, yet active measurement shows that many servers will support the protocol if requested. Recent IETF standards such as Multipath TCP and TCP Fast Open have small but measurable levels of adoption.