NOMAD: TCP Socket Migration


ITINERANT: TCP Socket Migration
Titus Winters <[email protected]>
Dan Berger <[email protected]>
CS 202: Spring '03
Overview
Problem Description & Motivation
Proposed Solution
Netfilter Primer
Solution Architecture
Conclusion
Problem & Motivation
TCP sockets are identified by (saddr, sport, daddr, dport)
  + seqno and ackno state
No standard mechanism exists to move one end of a socket connection.
This could often be quite useful; examples include:
  Web "spray"/load balancing
  Mobile & ubiquitous computing
Proposed Solution
We set out to provide primitives to facilitate TCP socket migration on Linux.
Goals:
  Transparent to the client application
  Minimally intrusive at the OS level
  Extend the standard socket API to minimize the learning curve for server developers
Proposed Solution (cont.)
Non-goals:
  Do not address "application state" migration.
  Provide no more (or less) security than TCP.
    Higher-level security ramifications considered, but not addressed.
Netfilter Primer
"Minimally intrusive" means no direct kernel modifications.
Modifying the TCP state machine seems to require kernel hacking.
Netfilter to the rescue!
What's Netfilter?
Netfilter is a series of callback functions within the network stack.
The API is non-portable and appeared in Linux 2.3.x
  Initial design and implementation by Paul "Rusty" Russell
Each protocol has its own set of callback points. We care about IPv4.
Netfilter Concepts
A module expresses interest in being invoked at an arbitrary subset of the available callback points, specifying the function and the (global) priority in which it should be called.
That function is passed (among other things) a handle to the packet being processed.
Netfilter Hooks in IPv4
In
1
3
Routing Engine
2
5
Local Sockets
Application
Application
Application
Application
4
Out
In
1
Say Again?

any received packet which checksums OK.
packets destined for local sockets
foreign packets being forwarded
4: NF_IP_POST_ROUTING


Local Sockets
3: NF_IP_FORWARD


5
2: NF_IP_LOCAL_IN


2
1: NF_IP_PREROUTING


Routing Engine
3
any outbound packet
5: NF_IP_LOCAL_OUT

packets originating from local sockets
4
Out
Solution Description
A new setsockopt(2) option to initiate migration.
A netfilter module that registers for PREROUTING and LOCAL_OUT
  Handles the migration process.
  Completes socket shutdown on the intermediate host (FIN/ACK)
  Nicely symmetric, so the host initiating the migration just "steps out" of the middle.
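As an added illustration (not the ITINERANT/NOMAD code and not the real kernel API), the following userspace C model shows what the Netfilter Concepts and Solution Description slides describe: modules register a hook function at chosen callback points with a priority, the chain at each point runs in priority order with the first non-ACCEPT verdict final, and one module attaches the same function at PRE_ROUTING and LOCAL_OUT to watch a single migrating connection by its 4-tuple. The packet struct, hook signature and addresses are simplified constructions, and what the hook does with a matched packet (here it only counts it) is an assumption, since the slides do not say.

```c
#include <stdint.h>

/* Verdicts and IPv4 hook points, numbered as in the Linux netfilter headers. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2 };
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
       NF_IP_POST_ROUTING, NF_IP_LOCAL_OUT, NF_IP_NUMHOOKS, MAX_OPS = 8 };

/* Constructed stand-in for the sk_buff handle a hook function is passed. */
struct pkt { uint32_t saddr, daddr; uint16_t sport, dport; };
typedef unsigned int (*hook_fn)(unsigned int hooknum, struct pkt *p);
struct nf_hook_ops { hook_fn hook; unsigned int hooknum; int priority; };

static struct nf_hook_ops *chain[NF_IP_NUMHOOKS][MAX_OPS];
static int chain_len[NF_IP_NUMHOOKS];

/* Insert in ascending priority order: the lowest value is called first. */
int nf_register_hook(struct nf_hook_ops *ops) {
    unsigned int h = ops->hooknum;
    int i;
    if (h >= NF_IP_NUMHOOKS || chain_len[h] == MAX_OPS) return -1;
    for (i = chain_len[h]; i > 0 && chain[h][i - 1]->priority > ops->priority; i--)
        chain[h][i] = chain[h][i - 1];
    chain[h][i] = ops;
    chain_len[h]++;
    return 0;
}

/* Run one hook point's chain; the first verdict other than NF_ACCEPT is final. */
unsigned int nf_hook(unsigned int hooknum, struct pkt *p) {
    for (int i = 0; i < chain_len[hooknum]; i++) {
        unsigned int v = chain[hooknum][i]->hook(hooknum, p);
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Sample module: registered at PRE_ROUTING and LOCAL_OUT, it notices packets of
   one migrating connection (constructed 4-tuple) and leaves everything else alone. */
static struct pkt migrating = { 0x0a000001, 0x0a000002, 40000, 80 };
static struct pkt unrelated = { 0x0a000003, 0x0a000002, 40001, 80 };
static int seen[NF_IP_NUMHOOKS];   /* matched packets per hook point (assumed action) */

static unsigned int migrate_hook(unsigned int hooknum, struct pkt *p) {
    if (p->saddr == migrating.saddr && p->daddr == migrating.daddr &&
        p->sport == migrating.sport && p->dport == migrating.dport)
        seen[hooknum]++;
    return NF_ACCEPT;
}
static struct nf_hook_ops migrate_ops[2] = {
    { migrate_hook, NF_IP_PRE_ROUTING, 0 }, { migrate_hook, NF_IP_LOCAL_OUT, 0 } };
```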
Migration Flow
[Figure: message flow between the original server S1, the client C and the new server S2.]
Conclusion
A working proof of concept was built.
  It consists of O(1000) lines of code
  No kernel modifications needed
Some details were skipped to make the schedule but could be fixed within the current implementation:
  Migration isn't a three-way handshake.
  TCP/socket options aren't handled.
Fini
Questions?