TCP Fast Open
Sivasankar Radhakrishnan (Google Inc., UC San Diego), Yuchung Cheng (Google Inc.), Jerry Chu (Google Inc.), Arvind Jain (Google Inc.), Barath Raghavan (ICSI)
ACM CoNEXT 2011, 8 December 2011
Web Page Load Performance
Web transfer latency:
- Web object size: average 7.3KB, median 2.4KB
- HTTP response transfer: 1-3 RTTs
- TCP connection setup: 1 RTT overhead
HTTP persistent connections:
- Reuse TCP connections for multiple transactions
- Widely deployed (92% of connections support it)
- > 33% of requests still use new connections (cold requests)
- [Chrome, Yahoo CDN] statistics
TCP Handshake Cost
Chrome browser logs: 1 month, billions of requests, opt-in users.
[Figure: CDF (%) of HTTP transaction network latency (s), 0.1 s to 10 s on a log scale, for three curves: Cold Req, Cold Req no Hsk (sim), All Req]
The handshake accounts for up to 25% of the latency of cold requests.
TCP Fast Open: allows data exchange during the TCP handshake.
In An Ideal World
[Sequence diagram: client and server]
1. Client sends SYN + Data, with the request included in the SYN
2. Server processes the data immediately and replies with SYN-ACK
3. Server sends the response during the handshake; client sends ACK and the data exchange continues
RFC 793 (TCP specification):
- Allows including data in SYN packets
- Forbids processing the data until the handshake completes
Duplicate SYN Packets
- The network duplicates a SYN packet carrying data
- The packet gets replayed at the server if the previous connection state is not retained
- Acceptable for idempotent requests
- A large number of applications can use the feature
- Application-level measures for additional safety
- Already required today: users refresh slow pages, causing duplicate requests
Server Resource Exhaustion
[Diagram: many SYN + HTTP request packets arriving at the server]
- Bogus requests consume CPU and memory at the server
- Threshold on pending TCP Fast Open connections at the server
- Fallback to regular TCP if the threshold is exceeded
Amplified Reflection Attack
[Diagram: attacker sends SYN + HTTP request with srcIP = victim; server sends SYN-ACK and HTTP response to dstIP = victim]
- A small SYN packet triggers N response packets to the victim
TCP Fast Open Cookie
- 8-16 byte token
- Granted and validated by servers
- Permission to send the request in the SYN packet to the server
- Validates IP ownership of the client
- Encrypts the IP address of the client using a server secret key
- Expires after a timeout set by the server
- Transmitted via TCP options
[Sequence diagram: client and server]
Cookie request, on a regular TCP connection:
1. Client sends SYN + TFO cookie request
2. Server generates the cookie and replies with SYN-ACK + TFO cookie
3. Client caches the cookie for the server IP
TFO connection:
4. Client sends SYN + TFO cookie + Data
5. Server validates the cookie, processes the data and replies with SYN-ACK
6. Server sends the response during the handshake; client sends ACK and the data exchange continues
Amplified Reflection Attack
- The TFO cookie validates the client IP address
- The attacker first has to compromise the host to access the cookie
Straw man solution (does not require TFO cookies):
- Defer sending the server response until the 3WHS completes
- The server may still process the request on receipt of the SYN with data
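The following is an added model of the server-side cookie logic described on the preceding slides (resource-exhaustion threshold, cookie, cookie exchange, reflection mitigation); it is not code from the talk or from the Linux patch. It mints a cookie by AES-encrypting the client IP under a server secret (the slides name AES from CryptoAPI), validates it in constant time against the address the SYN actually came from, expires it, and falls back to a regular handshake when the cookie is absent, bound to another address, or the pending-TFO budget is full. The 8-byte truncation, expiry by key rotation, the type and function names, and the documentation addresses are assumptions of this model, not details taken from the slides.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"net"
	"time"
)

const (
	cookieLen  = 8 // inside the 8-16 byte range on the slides (assumed; Linux uses 8)
	acceptTFO  = "TFO: cookie valid, process data now, response may ride with the SYN-ACK"
	regularTCP = "regular TCP: SYN-ACK only, data handled after the handshake completes"
)

// syn models the TFO-relevant fields of a SYN; synAck is the server's answer to it.
type syn struct {
	srcIP         net.IP
	requestCookie bool   // cookie-request option present
	cookie        []byte // cookie option, nil when absent
	data          []byte // payload carried in the SYN
}

type synAck struct {
	decision string
	cookie   []byte // granted cookie, only when requested
}

// tfoServer: secret key with a lifetime, plus the cap on connections in TFO state at once.
type tfoServer struct {
	key        [16]byte // rotating it invalidates every cookie minted under it
	keyIssued  time.Time
	lifetime   time.Duration
	pendingTFO int
	maxPending int
}

func newTFOServer(now time.Time, lifetime time.Duration, maxPending int) *tfoServer {
	s := &tfoServer{lifetime: lifetime, maxPending: maxPending}
	s.rotateKey(now)
	return s
}

func (s *tfoServer) rotateKey(now time.Time) {
	if _, err := rand.Read(s.key[:]); err != nil {
		panic(err)
	}
	s.keyIssued = now
}

// cookieFor AES-encrypts the client IP (16 bytes, v4-mapped for IPv4) and keeps cookieLen bytes.
func (s *tfoServer) cookieFor(ip net.IP) []byte {
	block, err := aes.NewCipher(s.key[:])
	if err != nil {
		panic(err)
	}
	var in, out [aes.BlockSize]byte
	copy(in[:], ip.To16())
	block.Encrypt(out[:], in[:])
	return out[:cookieLen]
}

// validCookie re-derives the cookie for the SYN's source address and compares in constant
// time; expiry is modelled by rotating the key once its lifetime has passed (assumption).
func (s *tfoServer) validCookie(ip net.IP, cookie []byte, now time.Time) bool {
	if now.After(s.keyIssued.Add(s.lifetime)) {
		s.rotateKey(now)
	}
	return subtle.ConstantTimeCompare(cookie, s.cookieFor(ip)) == 1
}

// handleSYN acts on SYN data only with a cookie bound to the source IP and room in the
// pending-TFO budget; every other SYN gets a plain SYN-ACK and a regular handshake.
func (s *tfoServer) handleSYN(p syn, now time.Time) synAck {
	ack := synAck{decision: regularTCP}
	if p.requestCookie {
		// Bound to the SYN's source; a spoofed request yields a cookie the sender never sees.
		ack.cookie = s.cookieFor(p.srcIP)
	}
	switch {
	case len(p.cookie) == 0: // plain SYN or cookie request: data is never processed here
		return ack
	case !s.validCookie(p.srcIP, p.cookie, now): // forged, for another IP, or expired
		return ack
	case s.pendingTFO >= s.maxPending: // threshold exceeded: fall back to regular TCP
		return ack
	}
	s.pendingTFO++
	ack.decision = acceptTFO
	return ack
}

// handshakeDone releases a pending-TFO slot once the 3WHS completes.
func (s *tfoServer) handshakeDone() { s.pendingTFO-- }

func main() {
	now := time.Now()
	s := newTFOServer(now, time.Minute, 2)
	client, other := net.ParseIP("203.0.113.7"), net.ParseIP("198.51.100.9") // constructed
	mine := s.handleSYN(syn{srcIP: client, requestCookie: true}, now).cookie
	theirs := s.handleSYN(syn{srcIP: other, requestCookie: true}, now).cookie
	fmt.Println(s.handleSYN(syn{srcIP: client, cookie: mine, data: []byte("GET /")}, now).decision)
	fmt.Println(s.handleSYN(syn{srcIP: client, cookie: theirs, data: []byte("GET /")}, now).decision)
	fmt.Println(s.handleSYN(syn{srcIP: client, cookie: mine}, now.Add(2*time.Minute)).decision)
}
```

The three printed lines show the accepted TFO connection, the fallback for a cookie minted for a different source address (the reflection case: the server answers with a plain SYN-ACK and no response data), and the fallback after the cookie has expired. The threshold check sits after cookie validation so that a flood of SYNs with bogus cookies never consumes pending-TFO slots.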
Middlebox Concerns
Behavior with new TCP options or SYN with data.
[Sequence diagram: client and server]
1. Client sends SYN + TFO cookie + Data; the SYN with data is dropped
2. Timeout (RTO, cached): client sends a plain SYN and completes the regular TCP 3-way handshake (SYN-ACK); fallback is always available
3. Data is retransmitted after the handshake
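An added client-side model of the fallback just described (not code from the talk or from the Chrome or kernel implementation): the client keeps the cached cookie per server, tries SYN + cookie + data, and if the retransmission timer fires with no SYN-ACK it sends a plain SYN, completes a normal handshake, retransmits the data afterwards, and caches the fact that this server's path drops SYNs with data so later connections skip TFO immediately. The path function, the trace strings, the type names and the constructed cookie and addresses are assumptions of this model.

```go
package main

import "fmt"

// path models the network: it reports whether a SYN got through, given whether it carried
// data. A TFO-hostile middlebox drops SYNs with data while passing plain ones.
type path func(synHasData bool) bool

// tfoClient keeps per-server state: the cached cookie, and a note that SYN+data to this
// server once timed out (the cached RTO outcome), so later connections skip TFO at once.
type tfoClient struct {
	cookies   map[string][]byte
	blackhole map[string]bool
}

func newTFOClient() *tfoClient {
	return &tfoClient{cookies: map[string][]byte{}, blackhole: map[string]bool{}}
}

// learnCookie caches a cookie received in a SYN-ACK for a server IP.
func (c *tfoClient) learnCookie(server string, cookie []byte) { c.cookies[server] = cookie }

// connect returns the sequence of segments sent (->) and received (<-) for one connection.
func (c *tfoClient) connect(server string, data []byte, p path) []string {
	var trace []string
	if cookie, ok := c.cookies[server]; ok && !c.blackhole[server] {
		trace = append(trace, fmt.Sprintf("-> SYN + cookie %x + %d bytes data", cookie, len(data)))
		if p(true) {
			return append(trace, "<- SYN-ACK (data accepted in handshake)", "-> ACK")
		}
		// No SYN-ACK before the retransmission timer fired: treat SYN+data as dropped on this
		// path, remember it, and continue with a regular handshake on this same connection.
		trace = append(trace, "   RTO: no SYN-ACK, caching 'no TFO' for "+server)
		c.blackhole[server] = true
	}
	trace = append(trace, "-> SYN (no data)")
	if !p(false) {
		return append(trace, "   RTO: plain SYN lost as well, giving up")
	}
	return append(trace, "<- SYN-ACK", "-> ACK",
		fmt.Sprintf("-> %d bytes data (retransmitted after handshake)", len(data)))
}

func main() {
	c := newTFOClient()
	c.learnCookie("198.51.100.20", []byte{0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4}) // constructed
	dropsSYNData := path(func(hasData bool) bool { return !hasData })
	for i := 1; i <= 2; i++ {
		fmt.Printf("connection %d:\n", i)
		for _, step := range c.connect("198.51.100.20", []byte("GET / HTTP/1.1"), dropsSYNData) {
			fmt.Println(step)
		}
	}
}
```

The first connection pays one RTO before falling back; the second goes straight to a plain SYN because the outcome is cached, which is the "fallback always available" property the slide claims. A deployment would also want the cached entry to age out so a server whose path is later fixed regains TFO.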
Implementation
Kernel: Linux 2.6.34
- 2000 lines of modifications to the TCP stack
- Congestion control not directly affected; only connection setup is changed
- AES functions from CryptoAPI for cookie operations
Applications:
- Client: Chrome browser; sendto() and sendmsg() system calls with the new MSG_TFO flag
  - Chrome supports TCP Fast Open since mid 2010
- Server: Apache; socket option to enable TCP Fast Open on the listen socket
Evaluation
- Metric: Page Load Time (PLT)
- Web page replay tool, 2 modes:
  - Record: saves DNS and web pages accessed
  - Replay: serves as proxy and serves requests locally
Testbed: 1 x Intel Core 2 Quad CPU 2.4GHz, 8 GB RAM
- Dummynet
  - Emulate different RTTs: 20ms, 100ms, 200ms
  - 4Mbps downlink, 256Kbps uplink, 128KB buffer
- Persistent HTTP connections: enabled
Page Load Time
Up to 41% improvement in PLT.
[Bar chart: % improvement in PLT due to TCP Fast Open at RTT = 20ms, 100ms and 200ms for amazon.com, nytimes.com, wsj.com and the TCP Wikipedia page; bars range from 4% to 41%]
Related Work
Comparison of T/TCP, TCPCT – Rapid Restart and ASAP:
- Motivating application: T/TCP: transactional RPC; TCPCT – Rapid Restart: DNSSEC & Web; ASAP: Web
- Additional server state: T/TCP: per-client counter; TCPCT – Rapid Restart: per-client TCB; ASAP: none
- Pros/cons: T/TCP: insecure, incompatible with server farms; TCPCT – Rapid Restart: per-client state, so incompatible with server farms; ASAP: more generality, computational overhead
Conclusion
- TCP Fast Open enables safe data exchange during the TCP handshake
- Incrementally deployable, backwards compatible, middlebox friendly
- 5-40% improvement in page load time
Ongoing work:
- Published IETF draft: http://tools.ietf.org/html/draft-cheng-tcpm-fastopen-01
- In the process of deploying at Google
- Patch for Linux kernel (soon to be published)
Thank You