A collaborative approach to encrypted traffic
As networks become more complex, so too does encryption, a key capability for secure internet traffic. So how will it be possible for networks to keep up with security and privacy? We dive into MASQUE, a collaborative solution that ensures a smooth deployment of encrypted traffic and improves user experience.
The deployment of encrypted protocols on the internet is moving rapidly. This is good news as encryption is important to secure internet traffic and protect user privacy. Unfortunately, this rapid deployment takes away some of the capabilities which proved effective in improving Quality of Experience (QoE) for users – for example, network assisted rapid loss recovery, and domain specific congestion control.
Keeping up with this rapid change in the internet protocol landscape bears costs for those managing the networks. Day by day, operators are losing awareness of the traffic traversing their networks while still being held accountable for traffic optimization, network management, policy enforcement, regulatory rules of governments and demands by society.
We believe that it is possible to bring back those capabilities and keep end-to-end security and privacy unaffected, but it requires new solutions and ways of thinking. Our solution here includes new proxying features based on the end-to-end encrypted QUIC transport protocol to identify, enhance, and manage encrypted traffic in mobile networks – using a collaborative and therefore even more powerful approach.
The evolution of encryption
The internet protocol stack evolution has been affected by developments in several areas. Services consumed over the internet have grown in volume and evolved from simple web page access to online cloud gaming, video conferencing, 4K video streaming, remote control, and more. Powerful end user devices, faster internet and mobile connectivity, and innovation in applications and services have paved the way. Evolution has also happened at the server end – robust, reliable, and intelligent service deployment over cloud environment, as well as new architectures like microservices, are just two examples of such developments in the IT industry.
Another observation in the internet evolution is the increasing deployment of encryption, both in applications and in transport layer protocols. The use of HTTPS for web traffic is up almost 200 percent in the last three years. QUIC, a new fully encrypted transport protocol, is expected to complete IETF standardization in 2020. In November of 2019, around 10 percent of internet traffic consisted of proprietary QUIC versions from companies such as Google and Facebook. In previous blog posts, we explained how QUIC can become a vehicle for transport protocol evolution and how it is suitable for achieving the goals of the 5G network architecture.
Pervasive encryption is a necessary evolution of internet architecture, both to secure traffic and protect user privacy. Encryption at the transport layer, however, takes away some of the capabilities which have proved effective in improving Quality of Experience (QoE) for users and keeping network management viable. Lower layer information (below the transport layer) is often not sufficient to troubleshoot a network when user experience is degraded. The reduced visibility of transport protocol information limits the understanding of application and traffic demands on the network, or at least makes it harder and more expensive. Encryption also means network operators lose awareness of the traffic traversing their networks.
Still, network operators are held accountable for traffic optimization, network management and policy enforcement, and need to comply with regulatory rules. Bringing those capabilities back without weakening end-to-end security and privacy requires new solutions and new ways of thinking, which is what the rest of this post is about.
We, at Ericsson, support end-to-end encryption to increase both user privacy and traffic security. At the same time, it is essential for network service providers to be able to provide even better user QoE and manage their networks effectively. To this end, we have taken an active role in the IETF community to evolve the QUIC protocol, and now we have taken the next step by initiating MASQUE (Multiplexed Application Substrate over QUIC Encryption) together with service providers and content providers. A Birds-of-a-Feather (BoF) meeting on this was held at the IETF 107 virtual meeting in March 2020, and the IETF has since approved the formation of a working group.
For QUIC, the discussions we have been driving on measurement and management of encrypted traffic resulted in the inclusion of the so-called spin bit: one bit exposed in the QUIC packet header to enable connection Round Trip Time (RTT) measurements by passive observers in the network. We have also been investigating supportive technologies like virtual AQM to make buffer management more effective, based on the latency information that can be derived from the QUIC spin bit. However, the spin bit is only one specific mechanism for one specific protocol that exposes one specific piece of information. We believe more explicit cooperation between the mobile terminals and the network will further improve the service the network can provide to users.
MASQUE offers a framework that uses QUIC as a substrate to open a tunnel to network proxy nodes. Such a proxy node, or MASQUE server, can offer various services like QUIC proxying, UDP proxying or IP forwarding. In addition, the QUIC-based tunneling provides secure communication between an endpoint and the proxy. This is an opportunity to offer additional services like faster loss recovery by the proxy, exposure of up-to-date network information that can assist congestion control, or even in-network bandwidth aggregation of multiple access links.
Let us explain this in more detail.
Unpacking MASQUE: how it works
In contrast to typical proxies that are deployed today, which may intercept the application or transport connection transparently, the MASQUE framework is based on a QUIC tunnel approach that operates with full consent from the service or application on the mobile terminal. This approach improves security in two ways:
First, any information that is exchanged between the proxy and the mobile terminal or application is protected by the QUIC encryption of the tunnel connection and is not even visible to a potentially untrusted network segment in between.
Second, rather than intercepting any connection at the proxy, there are now two layers of connections: a tunnel connection between the proxy and the mobile terminal, and the end-to-end connection between the mobile terminal and the target server with its own, unmodified end-to-end security context that guarantees confidentiality, source authentication and integrity between the endpoints. The proxy forwards the inner connection's packets as opaque ciphertext; it holds no key for them. This setup is shown in Figure 1 below.
A mobile terminal or application can have pre-configured knowledge of which MASQUE server to connect to, or it can use a discovery mechanism such as the ones identified in the IETF draft Discovery Mechanism for QUIC-based, Non-transparent Proxy Services. The first step of a MASQUE session is that the mobile terminal establishes a tunnel connection with the MASQUE server. Within this tunnel, the mobile terminal instructs the MASQUE server to forward traffic to a target server, which optionally may be aware of the MASQUE server.
Further, the mobile terminal can use this setup and direct connection to the MASQUE server to request various in-network support services. This new design approach, where explicit consent in requesting a service is required, enables proxy services without breaking the end-to-end principle of the transport and application layers.
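The session setup described above, as an added example that is not Ericsson's code or the proof of concept mentioned later in this post: the terminal's explicit request for a UDP tunnel and the encapsulation of one inner packet, using the formats the MASQUE working group later standardised in RFC 9298 (CONNECT-UDP) and RFC 9297 (HTTP Datagrams) rather than the 2020 drafts. The proxy name, target address and payload bytes are constructed for the demo; the proxy-side functions show the checks a practitioner would want before anything is forwarded.

```python
"""Added example (not Ericsson's code): the MASQUE UDP-proxy request and
datagram encapsulation, following the formats the MASQUE working group later
standardised in RFC 9298 (CONNECT-UDP) and RFC 9297 (HTTP Datagrams).
All hostnames, ports and payload bytes below are constructed for the demo."""
import re
from urllib.parse import unquote

PROXY_AUTHORITY = "proxy.example.org"   # constructed name of the MASQUE server
UDP_CONTEXT_ID = 0                      # RFC 9298: context ID 0 = raw UDP payload


def encode_varint(value: int) -> bytes:
    """QUIC variable-length integer (RFC 9000, section 16)."""
    if value < 0x40:
        return value.to_bytes(1, "big")
    if value < 0x4000:
        return (value | 0x4000).to_bytes(2, "big")
    if value < 0x40000000:
        return (value | 0x80000000).to_bytes(4, "big")
    if value < 0x4000000000000000:
        return (value | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("varint out of range")


def decode_varint(buf: bytes) -> tuple:
    """Return (value, bytes consumed); the two top bits give the length."""
    length = 1 << (buf[0] >> 6)
    if len(buf) < length:
        raise ValueError("truncated varint")
    value = int.from_bytes(buf[:length], "big") & ((1 << (8 * length - 2)) - 1)
    return value, length


def build_connect_udp_request(target_host: str, target_port: int) -> dict:
    """Terminal side: the Extended CONNECT that asks the proxy to open a UDP
    tunnel to target_host:target_port. IPv6 literals are percent-encoded in
    the well-known URI template."""
    host = target_host.replace(":", "%3A")
    return {
        ":method": "CONNECT",
        ":protocol": "connect-udp",
        ":scheme": "https",
        ":authority": PROXY_AUTHORITY,
        ":path": f"/.well-known/masque/udp/{host}/{target_port}/",
        "capsule-protocol": "?1",
    }


_TARGET_RE = re.compile(r"^/\.well-known/masque/udp/([^/]+)/(\d{1,5})/$")


def parse_connect_udp_request(headers: dict) -> tuple:
    """Proxy side: accept only a well-formed connect-udp request and return
    the (host, port) the terminal explicitly asked for. Anything else is
    rejected rather than silently forwarded."""
    if headers.get(":method") != "CONNECT" or headers.get(":protocol") != "connect-udp":
        raise ValueError("not a connect-udp request")
    match = _TARGET_RE.match(headers.get(":path", ""))
    if match is None:
        raise ValueError("target not in the well-known template")
    host, port = unquote(match.group(1)), int(match.group(2))
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return host, port


def wrap_udp_payload(request_stream_id: int, udp_payload: bytes) -> bytes:
    """Terminal side: QUIC DATAGRAM frame payload on the tunnel connection:
    Quarter Stream ID || Context ID || UDP payload (RFC 9297 / RFC 9298).
    The UDP payload is the inner, end-to-end encrypted QUIC packet; the
    proxy never holds a key for it."""
    return (encode_varint(request_stream_id // 4)
            + encode_varint(UDP_CONTEXT_ID)
            + udp_payload)


def unwrap_udp_payload(frame: bytes) -> tuple:
    """Proxy side: returns (request stream ID, context ID, opaque UDP payload)."""
    quarter_id, n = decode_varint(frame)
    context_id, m = decode_varint(frame[n:])
    return quarter_id * 4, context_id, frame[n + m:]


def proxy_forwarding_decision(headers: dict, frame: bytes):
    """What the proxy does with one tunnel datagram: bind it to the CONNECT
    request, check the context ID, and hand (host, port, payload) to the UDP
    socket. Returns None when the datagram must be dropped."""
    host, port = parse_connect_udp_request(headers)
    _stream_id, context_id, payload = unwrap_udp_payload(frame)
    if context_id != UDP_CONTEXT_ID:
        return None  # unknown context: never forward, never guess
    return host, port, payload


if __name__ == "__main__":
    # Constructed stand-in for an inner QUIC packet; the proxy treats it as opaque.
    inner_packet = bytes.fromhex("c3000000010800000000000000000000")
    request = build_connect_udp_request("192.0.2.6", 443)
    frame = wrap_udp_payload(0, inner_packet)  # CONNECT was sent on stream 0
    print(request[":path"])
    print(proxy_forwarding_decision(request, frame))
```

The two layers of the design are visible in the code: the terminal names the target itself in the CONNECT request (explicit consent, nothing is intercepted), and the bytes the proxy forwards are the inner connection's ciphertext, which it parses only far enough to find the stream binding and context ID. A real proxy would additionally apply its own policy to the requested target before opening the UDP socket.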
The MASQUE framework can be used in mobile networks (both 4G and 5G), specifically in the Packet Core, by adding a QUIC-based proxy as a new optional functionality at the Packet Data Network Gateway user plane (PGW-U) / User Plane Function (UPF): either as a logical function inside PGW-U/UPF, as an internal Service Function (SF), or as an external SF (possibly co-located with PGW-U/UPF), see Figure 2.
A MASQUE server or function, with its in-band communication channel to the mobile terminal, allows the operator's network to provide in-network assistance (support services) to the applications in the mobile terminal for optimizing QoE. Such assistance can be advisory, for example by providing information about the current network state, or active, where the network performs a service that the mobile terminal has requested. The UPF has an aggregated view of the access networks, hence it has a better view of the network conditions than a single mobile terminal or the server the terminal is connected to. A MASQUE server at the UPF can therefore, for example, advise the application on a congestion control configuration or transport parameters suitable for the 3GPP access network the mobile terminal is connected to.
Figure 3 shows how the MASQUE setup can, for example, improve performance when the tunnelled network segment, between the mobile terminal and MASQUE server, has a lossy path.
In this case, the mobile terminal did not only request pure forwarding but also support for local recovery, utilizing the reliable data stream service of the QUIC tunnel: a packet lost between the terminal and the MASQUE server is retransmitted by the tunnel endpoint over the short access segment, instead of by the origin server over the full path. Even though link layer loss is a rare event in a 5G radio access network, loss can still occur due to buffer overflow, reordering, or late loss when link-layer retransmission attempts are exhausted. Our proof-of-concept implementation of MASQUE is based on the mvfst open source QUIC implementation from Facebook and is currently not optimized for overhead or proxy performance. Figure 3 shows the download time cut nearly in half with MASQUE support, as lost packets are retransmitted locally with only small delays. This is only one situation where the MASQUE framework can provide benefits; a standardization effort would enable larger scale deployment in both the network and the terminals and thereby open a larger space for such optimizations and future innovations.
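Why local recovery shortens the download, as an added toy model that is not part of the Ericsson proof of concept and reproduces no measurement from Figure 3: each packet lost on the access segment is repaired after one round trip of whichever endpoint retransmits it, the tunnel endpoint at the proxy (access RTT) or the origin server (full-path RTT). The loss rate, RTTs and flight size are constructed assumptions, and congestion control and queuing are left out on purpose.

```python
"""Added example (not part of the Ericsson proof of concept): a toy model of
why local loss recovery at a MASQUE proxy shortens a download. Every
parameter below is a constructed assumption, not a measured value."""
import random


def simulate_flight(n_packets, access_loss, access_rtt_ms, proxy_server_rtt_ms,
                    local_recovery, seed=7):
    """Send n_packets from server to terminal through the proxy. A packet lost
    on the access segment (terminal <-> proxy) is repaired after one RTT of
    whoever retransmits it: the proxy over the tunnel's reliable stream
    (access_rtt_ms) or the origin server end to end (full-path RTT).
    Returns (flight completion time, mean per-packet delay), both in ms."""
    rng = random.Random(seed)
    e2e_rtt_ms = access_rtt_ms + proxy_server_rtt_ms
    repair_rtt_ms = access_rtt_ms if local_recovery else e2e_rtt_ms
    delays = []
    for _ in range(n_packets):
        delay = e2e_rtt_ms / 2             # one-way delay if nothing is lost
        while rng.random() < access_loss:  # each (re)transmission may be lost
            delay += repair_rtt_ms
        delays.append(delay)
    return max(delays), sum(delays) / n_packets


def recovery_gain(n_packets=2000, access_loss=0.02, access_rtt_ms=20,
                  proxy_server_rtt_ms=80):
    """Ratio of flight completion times: end-to-end recovery over local
    recovery, for the same seeded loss pattern on the access segment."""
    e2e, _ = simulate_flight(n_packets, access_loss, access_rtt_ms,
                             proxy_server_rtt_ms, local_recovery=False)
    local, _ = simulate_flight(n_packets, access_loss, access_rtt_ms,
                               proxy_server_rtt_ms, local_recovery=True)
    return e2e / local


if __name__ == "__main__":
    print("completion, mean delay (end-to-end):",
          simulate_flight(2000, 0.02, 20, 80, local_recovery=False))
    print("completion, mean delay (local):     ",
          simulate_flight(2000, 0.02, 20, 80, local_recovery=True))
    print("gain:", round(recovery_gain(), 2))
```

Because the same seed produces the same loss pattern in both runs, the only difference between them is the RTT charged per repair, which is exactly the quantity the local recovery service changes.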
We see the collaborative approach MASQUE offers as a solution that improves user data security and enables network assistance for better QoE at the same time. We work closely with the other stakeholders in the MASQUE working group to achieve a smooth, gradual deployment of encrypted traffic that keeps network management viable and improves user experience, even for encrypted traffic, through network-assisted services the terminal explicitly requests.
Read our blog post Encryption in virtualized 5G environments.
Learn about how to keep 5G data secure with software probes.