Article

Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency


Abstract

A TCP tunnel is a technology that aggregates packets sent between end hosts and transfers them over a single TCP connection. By using a TCP tunnel, the fairness among the aggregated flows can be improved, and several protocols can be transparently transmitted through a firewall. Currently, many applications such as SSH, VTun, and HTun use a TCP tunnel. However, since most applications running on end hosts use TCP, two TCP congestion controls (i.e., end-to-end TCP and tunnel TCP) operate simultaneously and interfere with each other. Under certain conditions, it is known that using a TCP tunnel severely degrades end-to-end TCP performance; namely, the end-to-end TCP throughput drops drastically for some time, which is called the TCP meltdown problem. Under other conditions, on the contrary, using a TCP tunnel is known to significantly improve end-to-end TCP performance. It therefore remains an open issue how, when, and why a TCP tunnel is harmful to end-to-end TCP performance. In this paper, we investigate the effect of a TCP tunnel on end-to-end TCP performance using simulation experiments. Specifically, we quantitatively reveal the effects of several factors (e.g., the propagation delay, use of the SACK option, TCP socket buffer size, and sender buffer size of the TCP tunnel) on the performance of end-to-end TCP and tunnel TCP.


... A TCP tunnel is used for diverse purposes, including security by encryption, performance improvement by session aggregation, flexible manageability by overlay, and so on. Since many applications rely on end-to-end TCP sessions, TCP over TCP tunnel is commonly used as well in various cases, although its performance depends on conditions due to the complex interaction between the upper-layer TCP and the lower-layer TCP [5]. Another consideration is TCP with Network Coding (TCP/NC), presented in 2009 [6]. ...
... The ACK number in the ACK packet is set to the sequence number of the oldest "unseen" packet, which can be decoded when the sink receives the additional combination packets. An example of the coding process is shown in Fig. 2. When a new packet comes to the NC layer, the combination packets are created and transported immediately. ...
Conference Paper
Full-text available
Transmission Control Protocol (TCP) is still dominant for reliable end-to-end data transmission with congestion control over diverse types of networks although it does not perform well in goodput on lossy networks. To mitigate the goodput degradation of TCP on lossy networks, TCP with Network Coding (TCP/NC) was proposed. But it has not been well deployed because TCP/NC should be implemented in both sides of end-to-end connection; it requires considerable costs and is sometimes difficult in tiny end devices, e.g., with less memory and power. In this paper, to utilize the potential of TCP/NC more practically with no change on end-host TCP, we consider the TCP/NC tunnel that simply conveys end-to-end TCP sessions not only on a single TCP/NC session but also on cascaded TCP/NC sessions traversing a lossy network in the middle without per-session management. The simulation results by Network Simulator 3 show the benefit of the TCP/NC tunnel. In congestion scenarios with a wide range of link loss rates, the end-to-end standard TCP with multi-cascaded TCP/NC tunnel can achieve a significantly higher goodput compared to both the end-to-end TCP/NC without tunnel and the end-to-end standard TCP with single TCP/NC tunnel.
... A TCP tunnel is used for diverse purposes, including security by encryption, performance improvement by flow aggregation, flexible manageability by overlay, and so on. Since the majority of applications rely on end-to-end TCP sessions, TCP over TCP tunnel is commonly used as well in various cases, although its performance depends on conditions due to the complex interaction between the upper-layer TCP and the lower-layer TCP [5]. ...
... An example of the coding process is shown in Fig. 3. The packets p1, p2, p3 and p4 are encoded into the combination packets C[1], C[2], C[3], C[4], C[5] and C[6]. When a new packet comes to the NC layer, the combination packets are created and transported immediately. ...
Conference Paper
Full-text available
Transmission Control Protocol (TCP) with Network Coding (TCP/NC) was designed to recover the lost packets without TCP retransmission to improve the goodput performance in lossy networks. However, TCP/NC is too costly to be implemented in some types of end devices, e.g., with less memory and power. In addition, TCP/NC across loss-free but thin networks may waste scarce link bandwidth due to the redundant combination packets sacrificed for the lossy network. In this paper, we propose the TCP/NC tunnel to convey end-to-end TCP sessions on a single TCP/NC flow traversing a lossy network in the middle without per-flow management. The TCP/NC tunnel can mitigate the end-to-end TCP performance degradation in lossy networks without any change on end-host TCP. We implemented and validated our proposal in Network Simulator 3, based on a reinforced version of TCP/NC that we previously proposed. The results show that the proposed system can improve end-to-end TCP sessions in goodput performance on lossy networks.
... However, we cannot simply tunnel IP packets over a reliable connection. This can lead to a "TCP over TCP meltdown" [7], which happens when the TCP congestion controls of the two layers interfere badly. ...
... Moreover, it has bigger potential for adoption in current networks. However, due to effects like TCP over TCP meltdown [7], it is not well suited for tunneling of non-stream protocols such as UDP. ...
Article
Full-text available
The last-mile link is often a bottleneck for the end user. However, users typically have multiple ways of accessing the Internet (cellular, ADSL, public WiFi). This observation led to the creation of protocols like mTCP or R-MTP. Current bandwidth aggregation protocols are packet based. However, this is not always practical; for example, non-TCP protocols are often blocked by firewalls. Moreover, a lot of effort has been devoted over the years to making single-path TCP work well over various types of links. In this paper we introduce a protocol that uses multiple TCP streams to establish a single reliable connection, attempting to maximize bandwidth and minimize latency.
... Secondly, if the channel has a high level of delay, a so-called TCP meltdown may occur. This term was used for the first time in (Honda et al., 2005). ...
... To check the impact of TCP overload (Honda et al., 2005) on the functionality of TCP connections, the channel was loaded to the maximum and then its throughput was reduced to 36.6 kbps. The rate of data transmission was measured immediately afterwards. ...
Article
Full-text available
Some results of designing a system for online collection of data from terrestrial recorders of global satellite navigation systems are presented. The specific features of applying VPN technologies in geophysical data collection systems in real-time mode are discussed. Two of the most popular software VPN implementations are analyzed for comparison: SSTP, available for Microsoft Windows, and the free OpenVPN package. It is shown that both variants have commensurable performance. In unstable channels with low throughput, SSTP ensures a higher capacity, and OpenVPN is more stable and better resistant to discontinuous decreases in throughput.
... However, HTTPS encapsulation increases processing time because HTTPS is an application-layer protocol. In addition, HTTPS uses TCP as its transport-layer protocol, but the communication control of TCP conflicts with the communication control of the encapsulated target protocol [4], [5]. This conflict has a negative influence on the expected communication performance. ...
Article
A wide range of communication protocols has recently been developed to address service diversification. At the same time, firewalls (FWs) are installed at the boundaries between internal networks, such as those owned by companies and homes, and the Internet. In general, FWs are configured as whitelists and open only the port corresponding to the service to be used, blocking communication on other ports. In a previous study, we proposed a method for traversing a FW and enabling communication by inserting a pseudo-transmission control protocol (TCP) header imitating HTTPS into a packet that would normally be blocked by the FW. In that study, we confirmed the efficiency of the proposed method via its implementation and experiments. Even though common encapsulating techniques work on end nodes, the previous implementation worked on a relay node assumed to be a router. Further, middleboxes, which overwrite L3 and L4 headers on the Internet, need to be taken into consideration. Accordingly, we re-implemented the proposed method on an end node and added a feature countering a typical middlebox, i.e., NAPT, to our implementation. In this paper, we describe the functional confirmation and performance evaluations of both versions of the proposed method.
... It provides faster data transmission than TCP tunneling. Also, it does not suffer from the TCP meltdown problem [28]. The authors show that lowering the MTU size can reduce packet loss in UDP communications. ...
Article
Full-text available
Cloud communication is an intrinsic aspect of cloud architecture. It is an internet-based communication that enables access to millions of cloud services. These services are provided using TCP/UDP-based communications and protected by traditional security protocols (e.g., SSL/TLS/DTLS). However, security threats in cloud communications have become the most serious issue nowadays. To address some of the shortcomings of traditional security protocols, we propose a secure cloud communication architecture (Graphene) for both TCP- and UDP-based communications. Graphene can provide security for data in transit and authenticity of cloud users and cloud service providers. It protects the communication channel against the most common attacks such as man-in-the-middle (including eavesdropping, sniffing, identity spoofing, and data tampering), sensitive information disclosure, replay, compromised-key, repudiation, and session hijacking attacks. This work also involves the design of a novel high-performance cloud-focused security protocol that works for both TCP and UDP communications. Especially for UDP, it uses an asynchronous retransmission mechanism to ensure datagram delivery. This protocol efficiently utilizes the strength and speed of symmetric block encryption in Galois/Counter mode, cryptographic hashing, public key cryptography, and ephemeral key exchange. It provides a faster reconnection facility for supporting frequent connectivity and dealing with connection trade-offs. The security analysis of Graphene shows promising protection against the above-discussed attacks. Graphene also significantly outperforms TLSv1.3 (the latest stable version among the SSL successors) and DTLSv1.2 (the latest stable version of datagram TLS) in performance and bandwidth consumption and shows reasonable memory usage at the server side.
... To overcome HAIPE encryption, numerous approaches have been proposed, but a practical solution is yet to be developed. In the literature, a TCP over TCP (TOT) [15] solution was proposed which can achieve the high performance offered by PEPs for HAIPE-encrypted TCP traffic across satellite links [16,17]. The TOT method encodes and relays the original TCP flow information across HAIPE without any modification to the existing HAIPE while preserving the same level of security. ...
... Because of the dependence of TLS on TCP, this design is layering one instance of TCP over another instance of TCP! This can cause the problem of "TCP meltdown" [25], as follows. TCP provides reliability by detecting lost packets by means of a timer, and requesting retransmission of a packet when it does not arrive in time. ...
Preprint
Full-text available
Networks play a central role in cyber-security: networks deliver security attacks, suffer from them, defend against them, and sometimes even cause them. This article is a concise tutorial on the large subject of networks and security, written for all those interested in networking, whether their specialty is security or not. To achieve this goal, we derive our focus and organization from two perspectives. The first perspective is that, although mechanisms for network security are extremely diverse, they are all instances of a few patterns. Consequently, after a pragmatic classification of security attacks, the main sections of the tutorial cover the four patterns for providing network security, of which the familiar three are cryptographic protocols, packet filtering, and dynamic resource allocation. Although cryptographic protocols hide the data contents of packets, they cannot hide packet headers. When users need to hide packet headers from adversaries, which may include the network from which they are receiving service, they must resort to the pattern of compound sessions and overlays. The second perspective comes from the observation that security mechanisms interact in important ways, with each other and with other aspects of networking, so each pattern includes a discussion of its interactions.
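The mechanism described in the abstract above and in the preceding snippet from the networks-and-security tutorial (two retransmission timers stacked on top of each other, with the inner TCP unable to see that the tunnel will deliver its data anyway) can be made concrete with a small event-driven model. The Python below is added here as an illustration; it is not the paper's simulation and not code from any of the cited works, and it simplifies heavily: the outer tunnel is an ideal in-order stream whose only impairment is a fixed recovery time of `outer_rto` per lost tunnel segment, the inner TCP keeps one RFC 6298-style timer for the oldest unacknowledged segment and doubles it on expiry, and there is no fast retransmit, SACK, or congestion-window dynamics. The function and parameter names, the millisecond values, and the loss pattern are all assumptions chosen for the example.

```python
"""Toy event-driven model of nested retransmission timers in TCP-over-TCP.

Constructed illustration, not the paper's simulation. Times are milliseconds.
Outer tunnel: ideal reliable in-order stream; a lost tunnel segment is recovered
after `outer_rto` and everything behind it waits (head-of-line blocking).
Inner TCP: one timer for the oldest unacked segment, exponential backoff,
no fast retransmit / SACK / cwnd. Each inner retransmission enters the same
stalled tunnel, so it carries no new information (a spurious retransmission).
"""
import heapq
from dataclasses import dataclass


@dataclass
class Result:
    spurious_retx: int     # inner retransmissions the tunnel made unnecessary
    tunnel_segments: int   # segments pushed into the tunnel (originals + copies)
    max_inner_rto: float   # largest inner RTO reached by exponential backoff
    finish_time: float     # time the last original segment was acknowledged


def simulate(n_segments, window, inner_rto, outer_rto, rtt, lost_tunnel_segments,
             rto_cap=60_000.0):
    """Push `n_segments` inner segments through the tunnel and count the damage.
    `lost_tunnel_segments`: tunnel sequence numbers (send order) dropped once."""
    one_way = rtt / 2.0
    events = []                  # heap of (time, order, kind, payload)
    order = 0
    tunnel_seq = 0
    tunnel_front = 0.0           # delivery time of the previous tunnel segment
    tunnel_segments = 0
    acked = set()
    inflight = []                # unacked inner seqs, oldest first
    next_seq = 0
    cur_rto = inner_rto
    max_rto = inner_rto
    spurious = 0
    timer_gen = 0                # a TIMER event with an old generation is stale
    finish = 0.0

    def push(t, kind, payload):
        nonlocal order
        heapq.heappush(events, (t, order, kind, payload))
        order += 1

    def tunnel_send(t, seq):
        """Encapsulate inner `seq` at time t and schedule its ACK at the sender."""
        nonlocal tunnel_seq, tunnel_front, tunnel_segments
        k = tunnel_seq
        tunnel_seq += 1
        tunnel_segments += 1
        arrival = t + one_way
        if k in lost_tunnel_segments:
            arrival = t + outer_rto + one_way   # outer TCP recovers on its own timer
        delivered = max(arrival, tunnel_front)  # in-order stream: wait behind the loss
        tunnel_front = delivered
        push(delivered + one_way, "ACK", seq)   # inner ACK rides back through the tunnel

    def arm_timer(t):
        nonlocal timer_gen
        timer_gen += 1
        push(t + cur_rto, "TIMER", timer_gen)

    def send_new(t):
        nonlocal next_seq
        inflight.append(next_seq)
        tunnel_send(t, next_seq)
        next_seq += 1

    for _ in range(min(window, n_segments)):
        send_new(0.0)
    arm_timer(0.0)

    while events:
        t, _, kind, payload = heapq.heappop(events)
        if kind == "TIMER":
            if payload != timer_gen or not inflight:
                continue                         # cancelled or re-armed since
            spurious += 1                        # the tunnel would have delivered it anyway
            cur_rto = min(cur_rto * 2, rto_cap)  # exponential backoff
            max_rto = max(max_rto, cur_rto)
            tunnel_send(t, inflight[0])          # resend oldest unacked into the stalled tunnel
            arm_timer(t)
        else:                                    # ACK
            if payload in acked:
                continue                         # duplicate ACK from a spurious copy
            acked.add(payload)
            inflight.remove(payload)
            finish = t
            cur_rto = inner_rto                  # new data acked: backoff resets
            if next_seq < n_segments:
                send_new(t)
            if inflight:
                arm_timer(t)                     # RFC 6298: restart timer on new ACK
            else:
                timer_gen += 1                   # nothing outstanding: cancel timer
    return Result(spurious, tunnel_segments, max_rto, finish)


if __name__ == "__main__":
    for label, inner, lost in [
        ("no loss", 250.0, set()),
        ("one loss, inner RTO 250 < outer recovery 400", 250.0, {0}),
        ("one loss, inner RTO 100, backs off twice", 100.0, {0}),
        ("one loss, inner RTO 1000 > outer recovery", 1000.0, {0}),
    ]:
        print(f"{label}: {simulate(6, 2, inner, 400.0, 100.0, lost)}")
```

Run stand-alone it prints four cases with a 100 ms RTT, a window of two segments and a single lost tunnel segment. With an inner RTO of 250 ms against an outer recovery of 400 ms, the loss costs one spurious inner retransmission and the inner RTO doubles to 500 ms; with an inner RTO of 100 ms the timer fires twice before the tunnel delivers and the backoff reaches 400 ms, so every later loss is answered more slowly; with an inner RTO longer than the outer recovery time the same loss costs no spurious retransmission at all. That is the qualitative point behind the abstract's "how, when, and why": what matters is how the inner timer compares with the tunnel's own recovery time, which in turn depends on the propagation delay and the buffering in front of the tunnel, and in a real stack the spurious copies also consume the tunnel's send buffer and congestion window, which this toy model does not capture.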
... TCP meltdown was studied next by [16]. It was found that the use of Selective Acknowledgment (SACK), a TCP option initially proposed by [17], lessens the degradation of meltdown. ...
Chapter
Full-text available
Tunneling is a networking approach to virtually encapsulate some channel of private communication within another channel, which is usually public, through means of encryption. Tunneling protocols allow for the establishment of Virtual Private Networks (VPNs) which are useful for anonymity and access to private networks behind firewalls. The many tunneling protocols generally take the form of one networking protocol being transmitted over another, or even over the same protocol. One noticeably less represented variation is TCP-over-TCP due to the overall degradation of performance which is observable as a distinct loss of overall end-to-end throughput of application data, called the goodput. This known loss of performance is a product of the multiple, nested congestion control algorithms inherent to Transmission Control Protocol (TCP) and has been coined the TCP meltdown problem. In this research, we have investigated the contributions that multiple factors play in degrading the goodput of TCP-over-TCP tunnels. Through ns-3 simulation we have studied the performance of the tunnel as we vary transfer buffer size, congestion avoidance algorithm, bandwidth of inner and outer channels, and drop rate. Our simulation is built with the ability to vary those parameters plus more for future cases. Through this analysis, we were able to find the performance of 448 different configurations, not counting experimental control cases.
... Being a TCP extension, MPTCP has all the characteristics of TCP. Tunneling TCP in MPTCP may encounter the dilemma discussed for tunneling TCP in TCP [28,29]. However, there is a distinct difference between our work and previous ones. ...
Article
Full-text available
Fixed and cellular networks are two typical access networks provided by operators. Fixed access networks are widely employed; nevertheless, their bandwidth is sometimes not sufficient to meet user bandwidth requirements. Meanwhile, cellular access networks have the unique advantages of wider coverage, faster-increasing link speed, more flexible deployment, and so forth. Therefore, it is attractive for operators to mitigate the bandwidth shortage by bundling these two. Schemes have been proposed to aggregate the bandwidth of two access networks, but they all have their own problems, such as packet reordering or extra latency overhead. To address this problem, we design a new architecture, MPTCP Tunnel, to aggregate the bandwidth of multiple heterogeneous access networks from the perspective of operators. MPTCP Tunnel uses MPTCP, which essentially solves the reordering problem, to bundle multiple access networks. Besides, MPTCP Tunnel sets up only one MPTCP connection, which adapts itself to multiple traffic types and TCP flows. Furthermore, MPTCP Tunnel forwards intact IP packets through the access networks, maintaining the end-to-end TCP semantics. Experimental results show that MPTCP Tunnel can efficiently aggregate the bandwidth of multiple access networks and is more adaptable to the increasing heterogeneity of access networks than existing mechanisms.
... By using a TCP tunnel, several protocols can be transparently transmitted through a firewall. Under certain conditions, it is known that the use of a TCP tunnel severely degrades the end-to-end TCP performance, which is called TCP meltdown problem [10]. ...
Conference Paper
Full-text available
Personal-sized HPC clusters are widely used in many small labs because they are cost-effective and easy to build. Instead of adding costly new nodes to old clusters, we may try to make use of some servers' idle time by including them, working independently, on the same LAN, especially during the night. However, such an extension across a firewall raises not only a security problem with NFS but also a load-balancing problem caused by heterogeneity. In this paper, we propose a method to solve such problems using only old techniques applicable to old systems as they are, without requiring any hardware or software upgrade. Some experimental results dealing with heterogeneity and load balancing are presented using a two-queue overflow queuing network problem.
... However, this way of working has a major drawback, as two TCP congestion controls (i.e., end-to-end TCP and tunnel TCP) operate simultaneously and can interfere with each other [45]. Nevertheless, in networks where the propagation delay is large (satellite environments), the goodput of the end-to-end TCP flow improves [46]. ...
Article
Applications that use the reliable Transmission Control Protocol (TCP) have a significant degradation over satellite links. This degradation is mainly a consequence of the congestion control algorithm used by standard TCP, which is not suitable for overcoming the impairments of satellite networks. To alleviate this problem, two TCP Performance Enhancing Proxies (PEPs) can be deployed at the edges of the satellite segment. Then these PEPs can use different mechanisms such as snooping, spoofing and splitting to achieve a better TCP performance. In general, these mechanisms require the manipulation of the Internet Protocol (IP) and TCP headers that generates a problem when deploying the standard IP security (IPsec) protocol. The security services that IPsec offers (encryption and/or authentication) are based on the cryptographic protection of IP datagrams, including the corresponding IP and TCP headers. As a consequence, these cryptographic protections of IPsec conflict with the mechanisms that PEPs use to enhance the TCP performance in the satellite link. In this article, we detail the reasons that cause this conflict, and we propose three different approaches to deploy IPsec in a scenario with TCP PEPs. Our proposals provide different trade‐offs between security and TCP performance in some typical scenarios that use satellite networks. Copyright © 2012 John Wiley & Sons, Ltd.
... This seems to be a result of synchronization of the multiple queues and schedulers (both at interface, network stack, and kernel level), in particular because of the TCP session used to connect Client and Server. Similar scheduling synchronization issues are presented and discussed in [9]. ...
Conference Paper
Full-text available
We propose a novel method to export both interface control and data planes across different hosts, effectively enabling hardware specific control of network interfaces over the Internet, or from a host to its virtualized guests. Our solution is a major step towards distributed environments of heterogeneous communication systems, particularly relevant in the scope of custom system composition, remote development and testing, and is especially relevant when considering embedded or geographically constrained devices. Results obtained by our prototype implementation validate the effectiveness of the solution. We present a preliminary characterization of its impact, when considering traffic generation applications, when applied over an IEEE 802.11g communication medium.
Chapter
The conceptual composition of a QKD link into quantum and physical channels corresponds to similar connections in the physical world and does not preclude the dual use of fibres as both a classic and quantum channel (in fact, the SECOQC network was built on existing fibre-optic cables). Viewed from a logical perspective, the network consists of more layers than just these two channels. At the lowest layer is a physical optical infrastructure which dictates the connectivity of quantum channels. The second layer contains an IP network through which post-processing point-to-point operations are performed. The third logical layer includes key relay and key management operations for the purpose of delivering keys to remote network locations. It is implemented through the same public channels over which post-processing traffic is transmitted (some of the combinations of these two layers are discussed in Chap. 5), but logically it is a separate layer. The top layer contains applications which use keys to protect traffic exchange. Considering the progress which has been achieved in combining quantum and public channels over the same fibre, practical communication can be performed over the same network infrastructure. However, logical organization of the network remains as a result of the specificity of each of these layers.
Conference Paper
Application requirements evolve over time and the underlying protocols need to adapt. Most transport protocols evolve by negotiating protocol extensions during the handshake. Experience with TCP shows that this leads to delays of several years or more to widely deploy standardized extensions. In this paper, we revisit the extensibility paradigm of transport protocols. We base our work on QUIC, a new transport protocol that encrypts most of the header and all the payload of packets, which makes it almost immune to middlebox interference. We propose Pluginized QUIC (PQUIC), a framework that enables QUIC clients and servers to dynamically exchange protocol plugins that extend the protocol on a per-connection basis. These plugins can be transparently reviewed by external verifiers and hosts can refuse non-certified plugins. Furthermore, the protocol plugins run inside an environment that monitors their execution and stops malicious plugins. We demonstrate the modularity of our proposal by implementing and evaluating very different plugins ranging from connection monitoring to multipath or Forward Erasure Correction. Our results show that plugins achieve expected behavior with acceptable overhead. We also show that these plugins can be combined to add their functionalities to a PQUIC connection.
Thesis
Full-text available
Within this master's thesis, an IPv6-capable VPN is to be designed and implemented for the Department of Computer Science of Faculty IV of Hochschule Hannover. In the software selection, the choice falls on OpenVPN. X.509 certificates are chosen as the authentication method.
Thesis
Full-text available
This thesis describes the results of a study into the development of a Visual Speech Therapy tool for use in the therapy of speech impediments. It describes what Visual Speech Therapy tools are, their benefits, and what tools are available on the market, with the main focus being therapy for children and teenagers with dysarthria, hearing problems, and functional speech impediments. After introducing Visual Speech Therapy programs, it presents the technologies available for the development of such tools, weighing their limitations and benefits against each other and presenting the best one. It also proposes how such a tool would be developed and used by its end users. Lastly, it suggests how to move forward with the project and develop a working product from this proposal.
Conference Paper
Quantum Key Distribution (QKD), based on the laws of physics rather than the computational complexity of mathematical problems, provides an information-theoretically secure way of establishing symmetrical binary keys between two geographically distant users. This paper is oriented to the practical realization of QKD public channels which are usually implemented as overlay point-to-point connections. We address the problem of minimizing the key material consumption by changing packet overhead. Our results show that the efficiency of communication in overlay QKD networks may increase when packets of larger sizes are used. However, this tuning directly affects the performance of overall communication. We evaluated this approach using an overlay network module which was implemented in the NS-3 simulator. The obtained results can be used for other overlay networks as well.
Conference Paper
Full-text available
Advanced public cloud datacenters have introduced an Edge-Overlay approach for multi-tenancy. This approach depends on L2-in-L3 tunneling protocols, however, existing protocols like VXLAN have performance problems. Stateless Transport Tunneling (STT) achieves high performance communications using offloading features, but STT has poor compatibility with existing network devices because of modified semantics of the TCP header. In addition, these protocols do not provide any congestion control mechanism in traffic-intensive cloud networks. In this paper, we propose a novel tunneling protocol named "Transparent Transport Tunneling (T3)" that realizes high-performance communications with traditional network devices and supports a congestion control mechanism. Our experimental results showed that T3 achieved STT comparable throughput as well as 1/20 average queue length in a middlebox device.
Conference Paper
Du et al. put forward a solution to the slow access to the campus network. This solution offered a novel approach to NAT traversal at the second export of the campus network and a good idea, based on a virtual private network (VPN), for allowing the outer network to rapidly access the campus network with any application-layer protocol, e.g., HTTP or FTP. In this paper, a VPN solution based on a UDP tunnel and the OpenVPN tap interface is designed and implemented to achieve the above-mentioned goal. We package the OpenVPN tap interface into a Dynamic Link Library (DLL) and program a VPN client and server in Java by calling our DLL API. The performance of the UDP-based VPN solution is evaluated and compared in a real network environment, between the campus network and the outer network. The results show that our solution is effective and can satisfy the actual requirements of network applications.
Conference Paper
Full-text available
Parallel transmission is one of the popular techniques for realizing huge bandwidth between two network nodes. However, in parallel transmission, many packet order inversions occur when the delay difference among the routes is large, and TCP throughput is drastically decreased under such circumstances. In this paper, a TCP over SCTP (Stream Control Transmission Protocol) parallel transmission system is proposed to realize large TCP throughput over parallel transmission. In the proposal, TCP is used to achieve end-to-end communication, while SCTP plays the role of defeating packet inversion. Each TCP packet is encapsulated into an SCTP packet at a gateway node located at the edge of a parallel transmission section. In this paper, the proposed system is implemented on a software switch to evaluate parallel transmission. A parallel route selection algorithm is also proposed, and its delay-difference characteristics are evaluated.
Conference Paper
Full-text available
As the most widely used reliable transport in today's Internet, TCP has been extensively studied in the past. However, previous research usually considers only a small or medium number of concurrent TCP flows; TCP behavior under many competing TCP flows has not been sufficiently explored. In this paper we use extensive simulations to investigate the individual and aggregate TCP performance for a large number of concurrent TCP flows. First, we develop a simple yet realistic network model to abstract an Internet connection. Based on the model, we study the performance of a single TCP flow with many competing TCP flows by evaluating the best-known analytical model proposed in the literature. Finally, we examine the aggregate TCP behavior and derive general conclusions about overall throughput, goodput, and loss probability.