Transcript Slide 1

Can We Pay for What We Get
in 3G Data Access?
Chunyi Peng, Guan-Hua Tu, Chi-Yu Li, Songwu Lu
University of California, Los Angeles
ACM MOBICOM 2012
Istanbul, Turkey
C PENG (UCLA) @ MOBICOM'12
Mobile Data Access is Popular
2
Core
Cellular
Network Internet
62% US broadband users with wireless data plans;
1.2 billion global users for mobile web.
C PENG (UCLA) @ MOBICOM'12
Mobile Data Accounting
3
Cellular Network
$$$
Internet
Usage-based charging based on
data volume
e.g., $15 for 200MB for AT&T iPhone
Accounting: How much data
is actually used?
C PENG (UCLA) @ MOBICOM'12
Accounting in 3G Networks
4
3G Cellular Network
RNC
UE
SGSN
GGSN
Internet
BS
Alice
VOP_RAW
Policy
VOP
• Accounting done at SGSN/GGSN
• Accounting policy defined by carriers
C PENG (UCLA) @ MOBICOM'12
2 Issues in 3G Accounting
5
RNC
UE
BS
SGSN
GGSN
Question: VUE = VOP?
VUE
Alice
VOP_RAW
1. VUE ≠
Policy
VOP_RAW?(accounting
architecture)
VOP
2. VOP_RAW ≠ VOP?
(policy practice)
Internet
C PENG (UCLA) @ MOBICOM'12
Contributions
6

First work to assess mobile data accounting
Largely successful, but pathological cases do exist
 Study accounting discrepancy between the operator’s log
and the user’s record


Identify 2 extreme cases
WE PAY FOR WHAT WE DO NOT GET
 WE GET WHAT WE DO NOT PAY FOR


Explore root causes
limitation in accounting architecture
 Loopholes in policy practice


Suggest remedies
C PENG (UCLA) @ MOBICOM'12
Methodology
7

Conduct experiments over 2 US carriers
 Partial
validation with 3rd US carrier and 2 operators
in China and Taiwan
 Both extreme and common cases


Use Android phones for mobile data access in
various test scenarios
Accessing accounting records VOP from operators
 #1:
Dial-in for the remaining monthly data usage
 #2: Online itemized data usage

BillAudit: logging usage VUE @smartphones
C PENG (UCLA) @ MOBICOM'12
The Rest of Talk
8

“Overcharging”
 Extreme
cases
 Average cases
 Root cause: limitation in 3G accounting architecture

“Undercharging”
 Root


cause: Loopholes in policy enforcement
“Gray” areas
Discussion and summary
9
WE PAY FOR WHAT WE DO NOT GET
C PENG (UCLA) @ MOBICOM'12
Extreme Case: No Signal
10
✗
VUE

DL-NS experiment over UDP
VOP_RAW
3G Network
Server
Result:
(1) Issue a UDP-based service
s = 50Kbps, t = 10 mins
VOP ≈ VSR= 50K ✗
x10 x(2)
60/8
= to
3.75MB
Move
a blind zone
VUE ≈ 0
✗
UEs PAY FOR WHAT THEY
DO NOT
GET.
(3) UDP traffic
for t mins
(rate: s)
VUE
VOP
VSR
C PENG (UCLA) @ MOBICOM'12
How Bad the Gap Can Be?
11

Gap = VOP – VUE ≈ S × T
 UDP source
S: 50Kbps ~ 8Mbps
 Duration T: 1min ~ 6 hours


lasts at least three hours!
Observed gap reaches 450MB (t = 1h, s = 1Mbps)!
Operator-I, t = 1min
Source Rate (Mbps)
S = 50 Kbps
Time (hours)
C PENG (UCLA) @ MOBICOM'12
Root Cause
12
12
✗
RNC
SGSN
GGSN
✗
VUE ---
VOP
3G accounting decision takes local view at
SGSN/GGSN, w/o using feedback from end-host.
C PENG (UCLA) @ MOBICOM'12
Still-Bad Case: Even With Signals
13

DL-NS experiments with different signal strength
3G Network
RSSI (dBm)
-90
105
✗
Strong-Signal (SS-zone)
Weak-Signal (W-zone)
Server
(1) Issue a UDP-based service
(2) Move to a blind zone
(2) Stay in different zones
✗
(3) UDP traffic for t mins (rate: s)
Weaker-Signal (WR-zone) V
UE
-113
No-Signal (NS-zone)
VOP
VSR
C PENG (UCLA) @ MOBICOM'12
Gap Exists Even With Signals!
14
S , Gap
RSSI , Gap
Cause: Packet drops over radio link.

(Kbps)
Source Rate (Kbps)
UEs PAY FOR WHAT THEY DO NOT GET,
though wireless link exists!
C PENG (UCLA) @ MOBICOM'12
Still-Bad Case: Intermittent Signals
15

When users lose signals for a while but recover
them shortly

The gap exists with transient lost links
 Buffering
and retransmission over radio links may
reduce the gap (see the paper)
 UEs PAY FOR WHAT THEY DO NOT GET, when
they temporarily (10+ seconds) lose wireless links!
C PENG (UCLA) @ MOBICOM'12
So Terrible In Reality?
16

Good news: Probably not!
16
✗
✗ ✗
VUE ---
RNC
SGSN
GGSN
✗
VOP VOP--
✗
TCP/App control will teardown it (adjust its incoming rate)
Gap for DL-NS over TCP: 2.9 ~ 50KB
C PENG (UCLA) @ MOBICOM'12
Application Behaviors
17

DL-NS tests with 5 applications:
 Web,
Skype, YouTube, PPS streaming, VLC streaming
over VPN
Web Skype YouTube PPS
Med (MB) -0.03 0.88
0.23
3.30
Min (MB) 0.00
0.40
0.20
0.72
Max (MB) -0.04 0.99
0.34
4.3
VLC
2.97
1.45
29.9
Mobile accounting is largely successful in practice.
Users may occasionally be overcharged
It depends on when and how app control works.
C PENG (UCLA) @ MOBICOM'12
Real User Performance
18

Two-week usage for 7 users
Operator-I
Operator-II
User
1
2
3
Apps.
Map
Stock
Game
VUE
194.2
VOP
Gap
4
5
6
7 (1day)
Skype, YouTu Ebook
PPS
be,
etc.
PPS
-
YouTub
e, PPS
270.3
124.6
900.2
121.7
47.1
72.4
192.6
270.0
129.4
948.4
120.9
47.3
77.6
-1.8
-0.3
4.8
48.2
-0.8
0.2
5.2
-0.9%
-0.1%
3.9%
5.3%
-0.6%
0.4%
7.2%
YouTube
on the train to NYC.
C PENG (UCLA) @ MOBICOM'12
3 Views on “Overcharging”
19

Optimistic view: not too bad in reality, no fix


Built-in TCP/application control is sufficient
Alternative (Operator’s) view: not to intend to
account the data volume to end-hosts, but the one
traversing the core network, no need to fix
Security: What if that the data is not what users want?
 Audit: How to guarantee that inside accounting is correct?


Conservative view: need to fix it
Users should pay for what they get
 3G accounting architecture should not depend on external
control

C PENG (UCLA) @ MOBICOM'12
Proposals
20

Exploit feedback from devices in accounting decision
 E.g.,
using info already collected by cellular networks
VOPVOP - VRNC_unsent
VRNC_unsent
20
RNC
Packet drops
SGSN
GGSN
21
WE GET WHAT WE DO NOT PAY FOR
C PENG (UCLA) @ MOBICOM'12
22
Loopholes in Accounting Policy
Practice
RNC
SGSN
GGSN
BS
Loophole:
Policy + Loophole 
• A DNS flow should be identified by
tuples
(src_addr,
dest_addr,
anyfive
fake
DNS
message,
or anyPolicy
dest_port,
protocol
ID)port
realsrc_port,
data packet
using
DNS
• But only dest_port (+ protocol ID) is
(53),
be free of charge!
usedcan
in practice
VOP (ANY-over-DNS) = 0
VOP_RAW
Policy:
Free DNS Service
VOP
VOP (DNS) = 0
C PENG (UCLA) @ MOBICOM'12
Our Findings
23

Free DNS policy enforcement
 Operator-I:
Packets via port 53 are free
 Operator-II: Packets via UDP+Port 53 are free

Exploit “DNS tunneling” for free data access
 Proxy
server (outside 3G network) relays packets
to/from UE via Port-53
 Observed: Free data access > 200MB, VOP = 0
 No sign to limit “free” data volume
C PENG (UCLA) @ MOBICOM'12
More on Operator Policy
24

Other carriers




3rd US carrier: free DNS by June 2012, no free after July
China/Taiwan carriers: no free DNS service at all
Accounting policy is operator specific
Other free or differential-pricing policies

Free Internet access to a given website


Free access via a specific Access Point Name (APN)


Hack: web redirection for free Internet access
Hack: use this APN, not the default APN
Unlimited plans/discounts for Facebook access

Similar to web redirection if we can evade Facebook (probably not)
C PENG (UCLA) @ MOBICOM'12
Discussion and Proposals
25

Operators have freedom to define their own policy Policy


Flexibility to compete in the market
Gap between policy and policy enforcement
Should be conflict free
 Otherwise, policy may open loopholes unanticipated


Simplest fix: stop free DNS service
Negligible DNS traffic volume in normal cases
 Other options:

DNS server authentication
 Quota
 Message integrity check

26
“GRAY” ACCOUNTING AREAS
C PENG (UCLA) @ MOBICOM'12
Effect of Middle-boxes
27

Middle-boxes lead to inconsistent accounting
views at the core network and the end host
 Pay
for the uplink to a non-existing host due to
FTP/HTTP proxy
RNC
SGSN
GGSN
Middl
e-box
Invalid
✗ link
✔V
OP
>0
✗
C PENG (UCLA) @ MOBICOM'12
Packet Drops over the Internet
28

Misbehaviors over the Internet can incur extra
mobile data charging
 Packet
drops over the internet increases volume within
cellular networks
RNC
TCP ReTX
SGSN
GGSN
VOP 
Packet drops
C PENG (UCLA) @ MOBICOM'12
Overhead for Wanted Content
29

VOP covers protocol overhead and app. signaling
HTTP redirection: #redirection , VOP 
 Email: significant protocol overhead for sending a short
email
 Skype: significant protocol management overhead


VOP covers Ads, or whatever users may not expect
Hidden cost for free-version applications with more Ads?
 Security issue?


Content-centric charging?
C PENG (UCLA) @ MOBICOM'12
Beyond Accounting
30

Revisit charging/accounting design principles
 Cooperate
with Internet?
Segmented charging for one data service?
 Who should pay?
Receiver-based, sender-based, or both (current
practice)?
 For what?
Volume? Content? Part of content?
 What if using different pricing schemes?
C PENG (UCLA) @ MOBICOM'12
Discussion and Future Work
31

Revisit accounting architecture
 What
failures and losses should be handled?
 What mechanisms are indispensable for given failures?
 When and how does the end host report delivery
losses?
 How to ensure that the feedback information is secure
and trustworthy?
 How many mechanisms should be placed into the
future cellular network standards?

Policy and policy enforcement
C PENG (UCLA) @ MOBICOM'12
Summary
32

First assessment of mobile data accounting system
over operational 3G networks
 Largely

successful, but also exceptions
Accounting discrepancy between the operator’s
log and the user’s record
 Identify
two extreme cases:
 WE
PAY FOR WHAT WE DO NOT GET
 WE GET WHAT WE DO NOT PAY FOR
 Explore
root cause in accounting architecture & policy
 Propose remedy suggestions

Many research issues ahead
 e.g.,
security, auditing, pricing, …