the peril of cellular network evolution · 2015-09-25 · recap:’mobile’network’evolu5on’...
Post on 09-Jul-2020
0 Views
Preview:
TRANSCRIPT
The Peril of Cellular Network Evolution
Chunyi Peng Fall 2015
Recap: Mobile Network Evolu5on
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 2
1G AMPS, NMT,
TACS
M1980s
analog voice
2G GSM/GPRS/EDGE
cdmaOne
1990s
Digital voice + Simple data
3G WCDMA/HSPA+ CDMA2000/EVDO
TD-‐SCDMA
2000s
Mobile broadband
APP
4G LTE
LTE-‐advanced
2010s
More and Faster
The Power of Evolu5on • Larger capacity (support more online) • Higher speed (up to 42Mbps for HSPA, 150Mbps for LTE)
• Seamless mobility support • Versa5le services (web-‐>mobile apps) • New services (eg, HD conference calls) • …
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 3
The Peril?
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 4
Double-‐Edged Evolu5on • Q1: Will the exis5ng, well-‐established techniques s5ll well support emerging features?
• Q2: Will new features bring new side-‐effects?
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 5
Network Architecture Evolu5on
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 6
Telecomm IP-‐based Internet
• Circuit-‐switching for voice
• Packet-‐switching for everything
• IP-‐based
• Circuit-‐switching for voice
• Packet-‐switching for data
2G 3G 4G
Emerging Problems in Network Evolu5on
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 7
• Circuit-‐switching for voice
• Packet-‐switching for everything
• IP-‐based
• Circuit-‐switching for voice
• Packet-‐switching for data
2G 3G 4G
Q1: Will existing techniques fail to well support emerging requirements? YES!
Q2: Will new features raise new side-effects?
Double-‐Edged Evolu5on • Q1: Will current and well-‐established technique well support new features? – From Voice to Data (2G -‐> 3G/4G)
• Mobile data charging: [mobicom’12, CCS’12, Mobisys’13, CCS’14]
• Q2: Will new features bring new side-‐effects? – From CS+PS to PS only (3G-‐>4G)
• Voice support: CSFB and VoLTE: [mobicom’13, CNS’15, CCS’15]
• Control-‐plane interacRons: [SIGCOMM’14, TON’15]
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 8
The Peril of Mobile Data Charging
Q1: Will the exis5ng, well-‐established techniques fail to well support emerging requirements?
[Mobicom’12, CCS’12, Mobisys’13, CCS’14]
Volume-‐based Charging • Essen5al to mobile operators and users
– $500B revenue – $10-‐80/month per line in USA
• What is your data plan?
• Key: data usage volume – How much? Who? Agree?
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 10
Are Our Data Bills Correct?
Three Technical Requirements on AAA • Mobile data charging: collect how much data is actually used by whom at his/her consent
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 12
Authentication The user being billed
= Who transfers data.
Authorization The user agrees to use data and pay it.
Accounting Volume should be accurate.
Background on Current Data Charging
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 13
P-GW
4G Mobile Network
HSS
Accoun5ng: How many bytes through the core?
Internet
Seemingly Simple, Sound and Solid
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 14
What’s Wrong?
What if the wireless link fails?
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 15
UDP Server ✗ U P-GW
Accoun5ng
Packet lost, but accounRng conRnues! We pay for what we do not receive!
Mobicom’12
in Real World • 450MB observed in one run (no sign of limit)
• Over-‐accoun5ng volume = rate x dura5on (no coverage)
• Observed in all the test carriers (US, China, Japan, etc)
• No coverage -‐> weak coverage (par5al loss)
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 16
WHAT’S WRONG? • Root Cause: Open-‐loop Accoun5ng, Accoun5ng before delivery
• Data: Volume = local view@core
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 17
Volume_OPERATOR ñ Volume_MOBILE = 0
U P-GW✗
WHY for Mobile Data? • Data: Volume = local view@core
• Voice: minute = local view@core – Open-‐loop accoun5ng for circuit-‐switching: OK
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 18
Volume_OPERATOR ñ Volume_MOBILE = 0
U P-GW✗
U MSC/GMSC✗
Inconsistent view due to PS
consistent
view due to CS
What if Mobility? • Over-‐accoun5ng example in LA: 71.3%
• Over-‐accoun5ng for mobility observed – @ 3 major US operators – @ 2 largest ci5es in US: New York and Los Angeles – @ freeway and local
• Cause: Inter-‐system handoff ( e.g., 3G-‐>4G) – Accoun5ng gap: 0.5~ 1.5MB per handoff
19
3G 4G
Handoff
Mobisys’13
12-mile in west LA
OP: 44.3MB Mobile: 12.7MB
71.3%
During Inter-‐system Handoff • #1: Data transmission suspends on radio link
• #2: Buffer discarded aser handoff
20
SGSN/GGSN 3G
4G S-‐GW/P-‐GW
5 to 100+ seconds
Results: 0.5-1.5MB per HO
✗ 100 - 300 KB
Handoff
THIS IS NOT THE END
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 21
Authentication The user being billed
= Who transfers data.
Authorization The user agrees to use data and pay it.
Accounting Volume should be accurate.
Benign (normal) -‐ Accoun5ng inaccuracy
Malicious atacks(exploits) -‐ AAA vulnerable
CCS’14, CCS’12
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 22
Authentication The user being billed
= Who transfers data.
User authentication via AKA
U.IP 10.0.0.1
IP allocation Bearer (GTP) established
P-GW
U.IP10.0.0.1
U
U.IP U’s bill
X
U.IP U’s bill
In charging: AuthenRcaRon bypass (IP spoofing)
WHAT’S WRONG? • IP Spoofing allowed in data packets (smart-‐end) • IP as the charging ID without secure binding (operator) – Bypass exis5ng authen5ca5on
• Free-‐uplink access using other’s IP – Real threats: two US carriers allowed IP spoofing but one via IP-‐based charging
– Status: fixed aser our report and work with both US carriers (Nov 2014)
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 23
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 24
Authorization The user agrees to use data and pay it.
PGW
U.GTP U.IPþ
þ Filtering
Outbound via authen5ca5on
Filter setup
þ FilteringInbound via implicit mapping
U
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 25
Filter: still valid (stateful)Close the app(TCP: half-open, UDP: still open)
X
U.IP
þ þ
MMS Server X
Network-‐based; 1st-‐5me only (user can’t say no)
MMS
þ þ
U
More attacks: Skype, web/video phishing [CCS12]
PGW
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 26
Accounting Volume should be accurate.
UX
P-GW
TTL = n TTL >=0 TTL =0 (dropped)
Atack idea: Make packet lost aser accoun5ng but
before end-‐to-‐end delivery
Fundamental Conflicts in PS and MDC
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 27
Packet: source and des5na5on Charging: who is authen5cated en5ty? (control plane vs. data plane)
Packet: connec5onless, no state Charging: what is the state of connec5on packets belong to (@phone vs. @network)
Packet: independent over hops Charging: Is it delivered? (at the end vs. in the middle)
PGW
U
PS Supports Data Beter
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 28
But, PS may not well support data charging that somehow follows a conven5onal CS design
Disccussion
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 29
BACKUP: MOBILE DATA CHARGING
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 30
Undercharging: “Free” Data Access • Free DNS (before Aug 2012)
– @ three US major operators – Flow-‐based charging policy, but not enforced carefully
• OP-‐I: free if via Port 53 • OP-‐II: free if UDP via Port 53
31
Core Router e.g. SGSN/GGSN
Policy: Free DNS Service
Accoun5ng
Undercharging: “Free” Data Access • Free DNS Free data access (fixed now)
– @ three US major operators – DNS tunneling
32
Core Router e.g. SGSN/GGSN
Pseudo-DNS Server Results: 200MB+ free of charge No sign of limit
Policy: Free DNS Service
Accoun5ng
Beyond DNS • Root-‐cause: differen5al policy & careless enforcement
• Solu5on: stop it or use prudent enforcement
33
Differen5al charging policy e.g., free access to one website/ via some APN, or cheaper VoIP than Web, MMS
Gap btw policy and its enforcement Bullet-‐proof design & prac5ce
Incen5ve to pay less (A\ackers or even normal users)
Bill
How Bad the Gap Can Be? • Gap ≈ Source-‐rate x dura5on
– In propor5on to UDP source rate: 50Kbps ~ 8Mbps
– In propor5on to 5me: 1min ~ 6 hour (< 3 hours)
34
0
20
40
60
0 1 2 3 4 5 6 7 8 9
Sent-‐by-‐Server Overaccoun5ng
Source-rate (Mbps), OP-I, 1min
Volu
me
(MB
)
0
20
40
60
0 1 2 3 4 5 6
OP-‐I OP-‐II
Duration (hr), source = 50Kbps
Gap Exists With Signals
35 Source Rate (Kbps)
RSSI (dBm)
-113
-105
-90 Strong-Signal (SS)
Weak-Signal (W)
Weaker-Signal (WR) No-Signal (NS)
ñ S ñ, Gapñ RSSI , Gapñ Cause: Packet drops over radio link.
Common Behaviors • Gap for TCP without signals: 2.9 ~ 50KB • Test with 5 applica5ons:
– Web, Skype, YouTube, PPS streaming, VLC streaming
• User study: gap ≤ 2% (mostly, 5-‐7% observed)
36
Web Skype YouTube PPS VLC
Med (MB) -0.03 0.88 0.23 3.30 2.97 Min (MB) 0.00 0.40 0.20 0.72 1.45 Max (MB) -0.04 0.99 0.34 4.3 29.9
Data accounting is largely successful in practice. Users may occasionally be overcharged.
top related