[e2e] TCP spoofing in overlay networks
Joe Touch
touch at ISI.EDU
Thu Mar 3 13:48:41 PST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Borman wrote:
| It's been done and shipping for several years with all Cray X1 systems.
| The CNS (Cray Network Server) proxies TCP connections between the Cray
| and the outside world. This allows the Cray <-> CNS connection to use
| 64K MTUs and larger TCP windows over the fibre channel connection, and
| the CNS then deals with all the small 1500 byte packets coming from the
| outside world. Yes, this does break the end-to-end model. You have two
| TCP connections, one between the Cray and the CNS, and another between
| the CNS and the remote host. The CNS mainly passes data between the two
| endpoints, and uses NAT internally so to the Cray and the remote host,
| they think they are talking directly to each other, when in reality
| they are both talking to the CNS. Cray has done a good job over the
| years of making the CNS as transparent as possible. The performance
| benefit outweighs any issues of the corner cases that occasionally pop
| up. You can find documentation on the CNS by going to the CrayDoc
website:
| http://www.cray.com/cgi-bin/swpubs/craydoc30/craydoc.cgi
| and searching for "CNS".
|
| -David Borman
This seems less significant in how it violates things; what you do
inside what is arguably an 'end system' is your business. If you
terminate the data at the CNS's TCP, and relay it internally, whether by
TCP or anything else, that seems your perogative.
Agreed, it does still 'break' things, and certainly makes the window
management challenging, but all three TCPs on your end (your
source/sink, and both sides of the proxy) are arguably inside the same
'end system' in this case, no? If so, that's easier to handle (you can
coordinate the window changes out-of-band) than dealing with a
third-party proxy elsewhere in the path.
Joe
| On Mar 1, 2005, at 9:31 PM, Jonathan Shapiro wrote:
|
|> I recently had occaision to read a few papers about the practice of
|> "TCP spoofing" over satellite links---i.e inserting a proxy prior to
|> the satellite link to provide TCP feedback to the sender, effectively
|> splitting into two TCP sessions connected in tandem. I was wondering
|> if anyone had ever proposed a similar idea to improve TCP throughput
|> in overlay networks over terestrial links.
|>
|> /jonathan shapiro
|
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCJ4Y5E5f5cImnZrsRAlS+AKCyFkqASPkIzAlZ2eMgoiLsRm+9JwCglWss
dys2ZHxWkHgQrXdMSQLO6hc=
=JEgK
-----END PGP SIGNATURE-----
More information about the end2end-interest
mailing list