Internet DRAFT - draft-you-encrypted-traffic-management
draft-you-encrypted-traffic-management
Network Working Group J. You
Internet-Draft C. Xiong
Intended status: Informational Huawei
Expires: April 21, 2016 October 19, 2015
The Effect of Encrypted Traffic on the QoS Mechanisms in Cellular
Networks
draft-you-encrypted-traffic-management-00
Abstract
This document provides a detailed description of the QoS mechanisms
of the 3GPP network and why encrypted IP traffic makes current QoS
management mechanisms almost useless. Finally, we propose some ideas
to solve this conflict to allow QoS mechanisms to be applied to
encrypted IP traffic whilst maintaining the confidentiality of the IP
traffic.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
You & Xiong Expires April 21, 2016 [Page 1]
Internet-Draft User-group based Policy October 2015
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Abbreviations and acronyms . . . . . . . . . . . . . . . 3
2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
3. The Influence of Encryption on the QoS Management . . . . . . 4
3.1. IPsec/VPN Tunnel-based IP Layer Encryption Effect . . . . 5
3.2. IMS/SIP Session Service Encryption Effect . . . . . . . . 6
3.3. HTTP Encryption Effect . . . . . . . . . . . . . . . . . 6
4. Potential Co-operative Information between Application and
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Application to Network . . . . . . . . . . . . . . . . . 7
4.2. Network to Application . . . . . . . . . . . . . . . . . 8
5. Potential Bandwidth Optimization Methods . . . . . . . . . . 8
5.1. Intelligent Heuristic Method . . . . . . . . . . . . . . 8
5.2. Legacy Protocol Extension . . . . . . . . . . . . . . . . 9
5.3. New Substrate Protocol . . . . . . . . . . . . . . . . . 9
6. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . 10
7. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
Encryption of internet traffic is to prevent pervasive monitoring and
protect customer privacy. Historically, Secure Sockets Layer (SSL) /
Transport Layer Security (TLS) were earlier used in financial
services to encrypt a subset of Internet traffic, especially
financial transactions. However, the shift away from unencrypted
traffic towards encrypted traffic is accelerating in recent years
[I-D.mm-wg-effect-encrypt] due to concerns about privacy. Google
offered end-to-end encryption for Gmail since 2010, and switched all
searches over to HTTPS in 2013. YouTube traffic is carried via HTTPS
(or QUIC) since 2014. Also, the Snowden revelations [RFC7258]
[RFC7624] seem to cause an upward surge in encrypted traffic. A
You & Xiong Expires April 21, 2016 [Page 2]
Internet-Draft User-group based Policy October 2015
large number of operators began requiring encryption for all XMPP
traffic in May 2014 [XMPP].
However, the prevalence of encryption impacts current network
services, such as policy control, load balancing, etc. The network
services may be less efficient or totally unavailable in the case of
fully encrypted traffic. QoS handling is the most important part of
the 3GPP radio resource management. 3GPP networks have limited radio
and transmission resources and need to strictly schedule the
utilization of radio and transmit resources using different
granularity of bearers to provide and ensure Quality of Service (QoS)
for the IP traffic. Different bearers with different QoS parameters
will provide different QoS handling for the IP flows on each bearer.
Different IP flows can share the same bearer; IP flows on the same
bearer will receive the same QoS handling of the 3GPP network. With
this binding mechanism, the 3GPP network can provide any IP flow with
its required QoS handling. Therefore, the 3GPP network firstly needs
to know the IP flow information and its QoS requirements. If this
information is unknown, possibly as a result of encryption applied to
the IP flow, the 3GPP network will discard this IP flow or handle the
IP flow with default QoS.
2. Terminology
2.1. Abbreviations and acronyms
AF: Application Function
ARP: Allocation and retention priority
EPS: Evolved packet System
IMS: IP Multimedia Subsystem
PCRF: Policy and Charging Rules Function
QCI: QoS Class Identifier
QoS: Quality of Service
SDF: Service Data Flow
SIP: Session Initiation Protocol
SLA: Service-Level Agreement
URL: Uniform/Universal Resource Locator
You & Xiong Expires April 21, 2016 [Page 3]
Internet-Draft User-group based Policy October 2015
2.2. Definitions
This section contains definitions for terms used frequently
throughout this document. However, many additional definitions can
be found in [3GPP 23.203]
ARP: The Allocation and Retention Priority for the service data
flow consisting of the priority level, the pre-emption capability
and the pre-emption vulnerability.
IP CAN bearer: An IP transmission path of defined capacity, delay
and bit error rate, etc.
GBR bearer: An IP CAN bearer with reserved (guaranteed) bitrate
resources.
Non-GBR bearer: An IP CAN bearer with no reserved (guaranteed)
bitrate resources.
QoS class identifier: A scalar that is used as a reference to a
specific packet forwarding behavior (e.g. packet loss rate, packet
delay budget) to be provided to a SDF.
QoS: It contains the QoS class identifier and the data rate for a
service data flow.
Service data flow: An aggregate set of packet flows that matches a
service data flow template.
Service data flow template: The set of service data flow filters
that contains a set of packet flow header parameter values/ranges
used to identify one or more of the packet flows.
3. The Influence of Encryption on the QoS Management
EPS provides different levels of QoS guarantee for IP services. Any
IP service can be identified by one or more Service Data Flows (SDFs)
of the transfer data. A SDF can be identified by one or more IP Flow
Filters, and a SDF is transferred through an EPS bearer. By
implementing the QoS of EPS bearer, it can realize the QoS of SDF,
and realize the QoS of IP services. The EPS bearer is one type of
logical transport channel between the UE to Packet Gateway (PGW).
In general, if the cellular network cannot know the SDF of one IP
service in advance or the content type of the transmission data and
its QoS requirements, the SDF of the IP service is usually mapped to
the Default Bearer with the Default QoS or is mapped to a poor ARP
(Allocation and retention priority) dedicated EPS (Evolved packet
You & Xiong Expires April 21, 2016 [Page 4]
Internet-Draft User-group based Policy October 2015
System) Bearer with default QCI or is discarded because of the
unknown service information of the SDF based on the predefined
operators rules.
Through our analysis of impacted services in the case of encrypted
traffic, we find that the impacted services can be categorized into
three types based on the level of dependence to content visibility:
A: Low-level dependence
A service that is low-level dependent on the content visibility
means the service can be effective providing with flow type (e.g.
stream ID) rather than parsing the content itself. The typical
services of low-level dependence are IPsec/VPN tunnel, load
balancing, etc.
B: Middle-level dependence
A service that is middle-level dependent on the content visibility
means the service can be effective providing with access metadata
(e.g. domain name, URI) besides flow type rather than parsing the
content itself entirely. Through the metadata different access
features can be distinguished, thus appropriate actions could be
enforced based on these features. For example, illegal websites
can be filtered. The typical services of middle-level dependence
are IMS/SIP service, parental controls, etc.
C: High-level dependence
A service that is high-level dependent on the content visibility
means the service can be effective requiring analysis of content
itself, even interaction procedure. The typical services of high-
level dependence are web acceleration, video caching, which
usually requires user access behavior and detailed video content
(e.g. encoding format). In the case of encrypted traffic, this
kind of service will not be available.
3.1. IPsec/VPN Tunnel-based IP Layer Encryption Effect
In this case, the internal real port number is invisible to cellular
network and the tunnel-based IP traffic is usually mapped to the
Default Bearer with Default QoS or to a dedicated EPS bearer with
poor ARP and the same default QCI. If the VPN is from a big
customer, the special tunnel-based IP traffics are mapped to a
special dedicated EPS bearer with special QoS according the
predefined rules and SLA (Service-Level Agreement). This might
result in more dedicated EPS bearers with different QoS used to
You & Xiong Expires April 21, 2016 [Page 5]
Internet-Draft User-group based Policy October 2015
transport the different tunneled-IP traffic with different QoS
requirements.
3.2. IMS/SIP Session Service Encryption Effect
The cellular network can beforehand obtain the IP 5-tuple information
of SDF of the voice, video and data parts and the content type of
each SDF during the Offer/Answer signalling interaction if the
signalling connection between the IMS/SIP UA (User Agent) and IMS/SIP
server is plaintext without encryption. Alternatively, the IMS/SIP
Server or the AF (Application Function) in the server can actively
tell the cellular network via the Rx interface to the PCRF (Policy
and Charging Rule Function) [3GPP 23.203] all the voice, video and
data SDF information even when the signalling connection is
encrypted. Even if the transmission of voice, video media above the
transport layer is encrypted, such as using SRTP (Secure Real-time
Transport Protocol), the cellular network can realize SDF detection
and further can guarantee the SDF with the correct ARP and QoS
control because the IP Flow information is known by the cellular
network beforehand.
If the cellular network cannot obtain prior SDF information on the
voice, video and data part of the session because the signalling
connection is encrypted and the server/AF does not provide the SDF
information, if the voice and video use different IP flows, the
cellular network still can identify the SDF type through using
intelligent heuristic algorithms which can identify the difference
content type by the transmission span of two successive packets,
packet size and other information. After the cellular network
identifies the SDF information of voice, video and other (data)
parts, the cellular network can realize the corresponding QoS control
and ARP and ensure the whole session's QoS.
3.3. HTTP Encryption Effect
Currently HTTP 1.1 is the most widely used service/application
protocol and it is expected to be widely replaced by HTTP 2 in the
near future. HTTP supports transport of various types of data in a
single TCP connection. Due to a single TCP connection corresponding
to a single SDF, and different types of data and services are
transmitted on the same TCP connection, the result is traditional
SDF-based mapping SDFs transmitting different types of content/data
to different EPS Bearers with different QoS and ARP no longer works
well or is applicable for the cellular network. Instead, cellular
network operators evolve and adopt new types of QoS-related
acceleration technologies to realize and improve the user's
experience. Therefore, Mobile CDN technology, Mobile Video
Optimization technology, Mobile Web Optimization, Anti-Virus, Anti-
You & Xiong Expires April 21, 2016 [Page 6]
Internet-Draft User-group based Policy October 2015
Spoofing, Parent Control technology and all kinds of value-added
technologies emerge and are widely used. These technologies can
reduce the transport cost of cellular network and at the same time
can greatly improve mobile user video and web browsing experience.
When HTTP2 and HTTP1.1 use TLS to encrypt the TCP connection, the
widely used Web acceleration and value-added technologies no longer
work well. The usual result is the HTTPS connection is mapped to the
Default Bearer with Default QoS or dedicated EPS bearer with default
QCI and poor ARP. Therefore, there is no guarantee for the different
services provided by HTTPS websites. One exception is if there is a
SLA/cooperation agreement, then the cellular network can map the TCP
connection of the HTTPS website to a dedicated EPS bearer with
special QoS, then the QoS for the HTTS website may be improve
respectively with the special dedicated EPS Bearer and the specific
QoS.
4. Potential Co-operative Information between Application and Network
4.1. Application to Network
A SDF is mapped to a specific QoS EPS Bearer, and SDFs associated
with different IP services can be mapped to the same EPS Bearer with
the same QoS parameters (namely QCI (QoS Class Identifier) and ARP
(Allocation and retention priority)) [PCC].
So application could provide the service level (i.e. per SDF) QoS
parameters such as QCI and APR to indicate how certain service/
application traffic shall be treated in the operator's network. For
example, given that the categories in table 1 map to GBR and non-GBR
resources, with a priority level, it seems cleaner to reveal just the
resource type and priority. This also seems possible to encode in a
space similar to the QCI.
You & Xiong Expires April 21, 2016 [Page 7]
Internet-Draft User-group based Policy October 2015
Table 1: Standardized QCI characteristics
+------+----------------+-----------------+
| QCI | Resource Type | Priority Level |
+------+----------------+-----------------+
| 1 | | 2 |
+------+ +-----------------+
| 2 | | 4 |
+------+ +-----------------+
| 3 | | 3 |
+------+ GBR +-----------------+
| 4 | | 5 |
+------+ +-----------------+
| 65 | | 0.7 |
+------+ +-----------------+
| 66 | | 2 |
+------+----------------+-----------------+
| 5 | | 1 |
+------+ +-----------------+
| 6 | | 6 |
+------+ +-----------------+
| 7 | | 7 |
+------+ +-----------------+
| 8 | Non-GBR | 8 |
+------+ +-----------------+
| 9 | | 9 |
+------+ +-----------------+
| 69 | | 0.5 |
+------+ +-----------------+
| 70 | | 5.5 |
+------+----------------+-----------------+
4.2. Network to Application
The network could provide the application with the real time
information about the throughput estimated to be available at the
radio downlink interface between a UE and the base station the UE
connects to, which is discussed in
[I-D.flinck-mobile-throughput-guidance].
5. Potential Bandwidth Optimization Methods
5.1. Intelligent Heuristic Method
By collection and convergence of the information of packet interval,
packet size, port number, protocol type etc, the intelligent
heuristic algorithm can guess correctly some the types of the content
of the packet transmission as mentioned in previous chapter of IMS/
SIP session type communication.
You & Xiong Expires April 21, 2016 [Page 8]
Internet-Draft User-group based Policy October 2015
This method can be implemented in the mostly widely deployed Apache
and or nginx HTTP Server package without destroying any current
protocols. This method requires the OTT to deploy the modified
Apache/nginx HTTP Server and an intelligent heuristic algorithm
running in the cellular network to identify the dynamically changed
content type of the encrypted HTTPS connection.
5.2. Legacy Protocol Extension
Regarding to the low-level dependence services, existing protocols
could be extended in order to carry flow type, for example, enhancing
TLS header.
A new TCP option to identify the encrypted content type has certain
feasibility, but it may have problems when passing through some
existing middleboxes.
For DSCP method, it requires OTTs to set the right DSCP field of
outer IP packet corresponding to different content types in the
encrypted TLS connection. But the DSCP value may be modified by the
routers from the OTT to the cellular network.
5.3. New Substrate Protocol
New substrate protocols over existing transport layers, such as UDP,
TCP, are considered to carry flow information in order to make
middle-level dependence service effective.
Developing UDP-based substrate protocols to enable transport
evolution is a hot topic in IETF recently. The QUIC protocol from
Google falls into this space; however, QUIC is not aiming to solve
the encrypted traffic management. One major issue with UDP-based
substrate is middleboxes may block UDP or limit rate. SPUD-like
[I-D.hildebrand-spud-prototype] UDP-based substrate could be a
potential method to allow traffic management while using transport
protocols. How middleboxes trust the information exposed by the
endpoints should be considered.
However today's Internet is full of middleboxes that may interfere
with the information sent in IP packets and TCP segments. "Is it
still possible to extend TCP?" [ExtendTCP] shows the limitation
imposed on TCP extensions by middleboxes behaviors, such as TCP
options removed or updated, the source and destination port numbers
translated by NATs. Though we can still extend TCP to support
middle-level dependence services, extensions are very constrained as
it needs to take into account middleboxes behaviors.
You & Xiong Expires April 21, 2016 [Page 9]
Internet-Draft User-group based Policy October 2015
6. Conclusion
In this draft the importance of QoS in the cellular network service
is discussed and the basic QoS management concept in the EPS system
is described. Regarding to the low/middle-level dependence services,
the challenges for potential traffic management methods for encrypted
traffic are analyzed. Furthermore, possible IETF standardization
work (i.e. legacy protocol extensions and new substrates) is explored
in order to solve the conflict between user privacy and traffic
management.
7. Acknowledgement
The editors would like to thank Ted Hardie and Dan Druta for their
useful comments.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
2014, <http://www.rfc-editor.org/info/rfc7258>.
[RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T.,
Trammell, B., Huitema, C., and D. Borkmann,
"Confidentiality in the Face of Pervasive Surveillance: A
Threat Model and Problem Statement", RFC 7624,
DOI 10.17487/RFC7624, August 2015,
<http://www.rfc-editor.org/info/rfc7624>.
8.2. Informative References
[ExtendTCP]
Honda, M., Nishida, Y., Raiciu, C., Greenhalgh, A.,
Handley, M., and H. Tokuda, "Is it Still Possible to
Extend TCP", IMC'11 Page(s): 2-4, November 2011.
[I-D.flinck-mobile-throughput-guidance]
Jain, A., Terzis, A., Flinck, H., Sprecher, N.,
Swaminathan, S., and K. Smith, "Mobile Throughput Guidance
Inband Signaling Protocol", draft-flinck-mobile-
throughput-guidance-03 (work in progress), September 2015.
You & Xiong Expires April 21, 2016 [Page 10]
Internet-Draft User-group based Policy October 2015
[I-D.hildebrand-spud-prototype]
Hildebrand, J. and B. Trammell, "Substrate Protocol for
User Datagrams (SPUD) Prototype", draft-hildebrand-spud-
prototype-03 (work in progress), March 2015.
[I-D.mm-wg-effect-encrypt]
Moriarty, K. and A. Morton, "Effect of Ubiquitous
Encryption", draft-mm-wg-effect-encrypt-02 (work in
progress), July 2015.
[PCC] "3GPP TS 23.203, "Policy and charging control
architecture"", 2015.
[XMPP] ""XMPP switches on mandatory encryption"
(http://lwn.net/Articles/599647/)", May 2014.
Authors' Addresses
Jianjie You
Huawei
101 Software Avenue, Yuhuatai District
Nanjing, 210012
China
Email: youjianjie@huawei.com
Chunshan Xiong
Huawei
No.3, Xin-Xi Rd., Haidian District
Beijing, 100085
China
Email: sam.xiongchunshan@huawei.com
You & Xiong Expires April 21, 2016 [Page 11]