2. Tempesta Technologies
Custom software development in:
● high performance network traffic processing, e.g. WAF mentioned in Gartner magic quadrant: https://www.ptsecurity.com/ww-en/products/af/
● databases, e.g. MariaDB SQL System-Versioned Tables: https://mariadb.com/kb/en/library/system-versioned-tables/ and https://mariadb.com/conference/session/querying-data-previous-point-time
Developing Tempesta FW – open source Linux Application Delivery Controller (ADC)
3. Tempesta FW: Application Delivery Controller (ADC)
https://www.netdevconf.org/2.1/session.html?krizhanovsky
HTTP(S) reverse proxy
Filtering:
● HTTP DDoS mitigation
● Web Application Firewall
Built into the TCP/IP stack
Up to 1.8M HTTP RPS on 4 cores
4. Disclaimer
We’re sceptical about QUIC…
https://github.com/tempesta-tech/tempesta/issues/724
...but I did my best to figure out why QUIC is good
The talk isn’t about QUIC benefits; there are many other talks (see references)
...instead it’s about how it works
Not a comprehensive description…
...instead, just how to learn and debug the protocol
5. Why QUIC?
QUIC is ~7% of Internet traffic, 98% of it to Google
Has QUIC: Google, Amazon, Fastly, LiteSpeed Technologies
Adopting: CloudFlare, Mellanox (UDP offload on NICs)
https://www.netdevconf.org/0x12/session.html?udp-segmentation-offload
Middleboxes slowly learn about QUIC
Highlights:
● Performance: no OSI layers - each layer knows about the others
● A UDP-based TCP replacement
● No head-of-line blocking
● 0-RTT handshakes
6. Current state
Still in draft state (IETF meeting 103, Nov 6-7, 2018)
$ grep TBD *.txt|wc -l
23
Several server implementations
Chrome seems to be the only usable client
Wireshark knows about QUIC
7. Head-of-line blocking (the long story)
HTTP/2 solves HTTP/1 HoL blocking
...so there is no need for many TCP connections
...so 1 TCP connection introduces HoL blocking
...so multi-stream QUIC replaces TCP
BTW: SCTP has solved the HoL problem for 11 years
https://en.wikipedia.org/wiki/Stream_Control_Transmission_Protocol#Features
SCTP is implemented by many libraries and OS kernels
8. Why not SCTP and/or DTLS?
QUIC FAQ for Geeks
https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE/edit
"SCTP and DTLS were not designed to minimize latency, and this is significantly apparent even during the connection establishment phases. Several of the techniques that QUIC is experimenting with would be difficult technically to incorporate into existing standards. As an example, each of these other protocols require several round trips to establish a connection, which is at odds with our target of 0-RTT connectivity overhead."
Middleboxes are also against updating standards
9. Why not TCP Fast Open + TLS 1.3?
TLS 1.3 (used by QUIC anyway): 0/1-RTT handshakes
TCP Fast Open (RFC 7413, default in Linux): 0-RTT
● does not detect duplicate SYN segments (RFC 7413 6.1)
● 1st data segment size <= MSS (RFC 7413 6.2)
● TCP HoL blocking still exists
source: https://lwn.net/Articles/508865/
11. QUIC & TLS 1.3
draft-ietf-quic-applicability-03.txt
draft-ietf-quic-tls-16.txt: ”Rather than a strict layering, these two protocols are co-dependent”
TLS record = QUIC packet (no need for TLS dynamic records)
12. QUIC in the wild
Chrome, ver. >= 63
google-chrome --enable-quic
# tcpdump -i wlp1s0 -X -s0 -nn -vvv udp port 443 and host www.google.com
17. Connection upgrade: HTTP header Alt-Svc
draft-ietf-quic-http-16.txt, RFC 7838
The ALTSVC HTTP/2 frame can also be used
The format seems to be changing
"headers": [
  ":status: 200",
  "accept-ranges: bytes",
  "content-type: image/png",
  ...
  "alt-svc: quic=\":443\"; ma=2592000; v=\"44,43,39,35\""
],
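An added example of parsing the Alt-Svc value shown above (RFC 7838 syntax), so that a proxy or a client can see which QUIC alternatives an origin advertises and for how long. This is not code from the talk or from Tempesta FW; the second sample value (`SAMPLE_MIXED`) and the host `alt.example.net` are constructed, and treating both Google's `quic` id and the IETF `h3-*` ids as QUIC alternatives is this example's choice.

```python
"""Parse an Alt-Svc header value (RFC 7838) and select the QUIC alternatives.

Added example, not code from the talk or from Tempesta FW.  The sample
header values below are constructed (SAMPLE_CHROME mirrors the value shown
on the slide).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class AltService:
    protocol: str                 # ALPN protocol id, e.g. "quic" or "h3-23"
    host: str                     # "" means "same host as the origin"
    port: int
    max_age: int = 86400          # RFC 7838 default when "ma" is absent
    params: dict = field(default_factory=dict)   # remaining params, e.g. "v"


def _split_outside_quotes(text: str, sep: str) -> list[str]:
    """Split on sep, ignoring separators inside double-quoted strings
    (v="44,43,39,35" contains commas that must not split the entry)."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(value: str) -> str:
    """Strip a quoted-string's quotes and backslash escapes; tokens pass through."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_alt_svc(value: str) -> list[AltService]:
    """Parse one Alt-Svc field value into a list of AltService entries."""
    value = value.strip()
    if value == "clear":          # RFC 7838: invalidates all alternatives
        return []
    services = []
    for entry in _split_outside_quotes(value, ","):
        fields = _split_outside_quotes(entry, ";")
        protocol, sep, authority = fields[0].partition("=")
        if not sep:
            raise ValueError(f"malformed Alt-Svc entry: {entry!r}")
        host, _, port = _unquote(authority.strip()).rpartition(":")
        if not port.isdigit():
            raise ValueError(f"alt-authority without a numeric port: {authority!r}")
        svc = AltService(protocol=protocol.strip(), host=host, port=int(port))
        for param in fields[1:]:
            key, _, raw = param.partition("=")
            key, val = key.strip().lower(), _unquote(raw.strip())
            if key == "ma":
                svc.max_age = int(val)
            else:
                svc.params[key] = val
        services.append(svc)
    return services


def quic_alternatives(value: str) -> list[AltService]:
    """Entries a client could use to upgrade to QUIC: Google's "quic" id or IETF "h3-*"."""
    return [s for s in parse_alt_svc(value)
            if s.protocol == "quic" or s.protocol.startswith("h3")]


def advertised_versions(svc: AltService) -> list[str]:
    """Google QUIC lists its supported versions in the non-standard "v" parameter."""
    return [v.strip() for v in svc.params.get("v", "").split(",") if v.strip()]


# Constructed samples: the first is the value shown on the slide.
SAMPLE_CHROME = 'quic=":443"; ma=2592000; v="44,43,39,35"'
SAMPLE_MIXED = 'h3-23=":443"; ma=86400, quic="alt.example.net:4433"; v="44"'

if __name__ == "__main__":
    for value in (SAMPLE_CHROME, SAMPLE_MIXED):
        for svc in quic_alternatives(value):
            print(svc.protocol, svc.host or "<origin>", svc.port,
                  "ma=%d" % svc.max_age, advertised_versions(svc))
```

The splitter keeps track of quoting because both the alt-authority and the `v` list are quoted strings that may themselves contain the separators; a naive `split(",")` would break the version list into separate entries. An empty host means the alternative lives on the origin host, which is why the slide's `":443"` parses to host `""`.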
18. Fallback to TCP
Some middleboxes drop UDP (draft-ietf-quic-applicability-03.txt)
# iptables -A OUTPUT -p udp --dport 443 -j DROP
# tcpdump -i wlp1s0 -nn -q host www.google.com
192.168.1.67.54512 > 64.233.165.103.443: tcp 78
192.168.1.67.54512 > 64.233.165.103.443: tcp 46
…
19. Packet headers
Long header – to establish connection contexts
● Initial, handshake, retry
Short header – after that
Version negotiation – for an unsupported version in ClientHello
20. QUIC long header
{D,S}CIL = {Destination,Source} Connection ID Length
Version=0: version negotiation w/ list of supported versions
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
|1|   Type (7)  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Version (32)                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|DCIL(4)|SCIL(4)|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Destination Connection ID (0/32..144)            ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              Source Connection ID (0/32..144)               ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Length (i)                          ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Packet Number (8/16/32)                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
21. QUIC short header
Connection ID
● survives NAT rebindings of UDP ports
● enables connection migration (draft-deconinck-quic-multipath-01.txt)
Bit description (editor's note in the draft): "this section should be removed"
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
|0|K|1|1|0|R R R|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Connection ID (0..144) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Packet Number (8/16/32) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
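As an added example (my code, not from the slides), the two header layouts above turned into a parser for the unprotected part of draft-ietf-quic-transport-16 packets. It assumes the draft-16 long-header type values (0x7F Initial, 0x7E Retry, 0x7D Handshake, 0x7C 0-RTT Protected), the DCIL/SCIL encoding (0 = absent, otherwise nibble + 3), the Token Length + Token fields that Initial packets carry before Length (omitted from the slide's diagram), and the draft version number 0xff000010; the packets it decodes are constructed, not captured.

```python
import struct

# Long-header packet types in draft-ietf-quic-transport-16 (7-bit type after the leading 1 bit)
LONG_TYPES = {0x7F: "Initial", 0x7E: "Retry", 0x7D: "Handshake", 0x7C: "0-RTT Protected"}
DRAFT16_VERSION = 0xFF000010  # draft versions are 0xff0000NN; used only for the constructed samples


def decode_varint(buf, off):
    """QUIC variable-length integer: the two most significant bits of the first
    byte select a 1-, 2-, 4- or 8-byte encoding; the remaining bits hold the value."""
    first = buf[off]
    length = 1 << (first >> 6)
    if off + length > len(buf):
        raise ValueError("truncated varint")
    value = first & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[off + i]
    return value, off + length


def decode_cil(nibble):
    """DCIL/SCIL nibble: 0 means no connection ID, otherwise length = nibble + 3 (4..18 bytes)."""
    return 0 if nibble == 0 else nibble + 3


def parse_long_header(pkt):
    """Parse the unprotected fields of a long-header packet (leading bit set)."""
    if len(pkt) < 6 or not pkt[0] & 0x80:
        raise ValueError("not a long header")
    ptype = pkt[0] & 0x7F
    version, = struct.unpack_from(">I", pkt, 1)
    dcil, scil = decode_cil(pkt[5] >> 4), decode_cil(pkt[5] & 0x0F)
    off = 6
    if len(pkt) < off + dcil + scil:
        raise ValueError("truncated connection IDs")
    dcid, off = pkt[off:off + dcil], off + dcil
    scid, off = pkt[off:off + scil], off + scil
    hdr = {"version": version, "dcid": dcid, "scid": scid}
    if version == 0:
        # Version Negotiation: no Length or Packet Number; the remainder is a list
        # of 32-bit versions the server supports.
        if (len(pkt) - off) % 4:
            raise ValueError("malformed version list")
        hdr["type"] = "Version Negotiation"
        hdr["supported_versions"] = [struct.unpack_from(">I", pkt, o)[0] for o in range(off, len(pkt), 4)]
        return hdr
    hdr["type"] = LONG_TYPES.get(ptype, "unknown(0x%02x)" % ptype)
    if ptype == 0x7F:
        # Initial packets carry Token Length (i) + Token before Length (elided in the slide)
        token_len, off = decode_varint(pkt, off)
        hdr["token"], off = pkt[off:off + token_len], off + token_len
    if ptype == 0x7E:
        hdr["rest"] = pkt[off:]  # Retry has its own layout; not decoded here
        return hdr
    length, off = decode_varint(pkt, off)
    if off + length > len(pkt):
        raise ValueError("Length field exceeds datagram")
    # Packet Number and payload are protected (packet number encryption + AEAD),
    # so a middlebox or sniffer can only treat them as opaque bytes.
    hdr["length"] = length
    hdr["protected"] = pkt[off:off + length]
    return hdr


def parse_short_header(pkt, dcid_len):
    """Short header: 0|K|1|1|0|R R R, then a DCID whose length is not carried in the
    packet: the receiver knows it from the connection IDs it issued."""
    first = pkt[0]
    if first & 0x80 or (first & 0x38) != 0x30:
        raise ValueError("not a draft-16 short header")
    return {"key_phase": (first >> 6) & 1, "dcid": pkt[1:1 + dcid_len], "protected": pkt[1 + dcid_len:]}


# Constructed samples (not real captures): an Initial with an 8-byte DCID, no SCID and
# no token; a Version Negotiation reply; a short-header packet with key phase 1.
SAMPLE_INITIAL = (b"\xff" + struct.pack(">I", DRAFT16_VERSION) + b"\x50"
                  + bytes(range(1, 9)) + b"\x00" + b"\x40\x05" + b"\xaa" * 5)
SAMPLE_VERNEG = (b"\xc3" + b"\x00\x00\x00\x00" + b"\x05" + bytes(range(1, 9))
                 + struct.pack(">II", DRAFT16_VERSION, 0xFF00000F))
SAMPLE_SHORT = b"\x70" + bytes(range(1, 9)) + b"\x11\x22\x33"

if __name__ == "__main__":
    print(parse_long_header(SAMPLE_INITIAL))
    print(parse_long_header(SAMPLE_VERNEG))
    print(parse_short_header(SAMPLE_SHORT, dcid_len=8))
```

Everything the parser returns is what an on-path device can see: version, connection IDs and lengths, but no packet numbers or payload. That is the whole basis of the "ClientHello + Connection ID tracking" style of middlebox filtering mentioned later in the security considerations, and it is why a short-header packet cannot be attributed to a connection without already knowing the DCID length.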
24. QUIC handshake
Crypto tags (Google QUIC's own crypto handshake; IETF QUIC uses TLS 1.3 instead)
● CCS – Common Certificate Set
● AEAD – authentication & encryption algorithm
● KEXS – key exchange method
● …and many others
25. QUIC: 0-RTT resumption
draft-ietf-quic-applicability-03.txt: 0-RTT data can be replayed, so the server may receive it twice (same caveat as TFO)
0-RTT (draft-ietf-quic-tls-16.txt)
● 0-RTT data is protected with early keys derived from the previous session's resumption secret, not with the handshake keys; in the TLS 1.3 notation below () marks early-key protection, {} handshake-key protection and [] 1-RTT application keys
ClientHello
(0-RTT Application Data) -------->
ServerHello
{EncryptedExtensions}
{Finished}
<-------- [Application Data]
{Finished} -------->
[Application Data] <-------> [Application Data]
26. Streams
A "message" abstraction
Separate control streams from application data streams
A packet may include frames for different streams
A UDP datagram may include several packets
Variable-length integers: the two most significant bits of the first byte encode the length (1, 2, 4 or 8 bytes)
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
|Stream Type (8)|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length (i) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type (8) | Frame Payload (*) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
27. Stream life
Somewhat close to TCP connections
RST → RST_STREAM frame
FIN → FIN bit in a STREAM frame (per stream); CONNECTION_CLOSE or APPLICATION_CLOSE frames end the whole connection
PING → keepalive probe
BLOCKED, STREAM_BLOCKED → zero window announcement
o
| Create Stream (Sending)
| Create Bidirectional Stream (Receiving)
v
+-------+
| Ready | Send RST_STREAM
| |-----------------------.
+-------+ |
| |
| Send STREAM / |
| STREAM_BLOCKED |
| |
| Create Bidirectional |
| Stream (Receiving) |
v |
+-------+ |
| Send | Send RST_STREAM |
| |---------------------->|
+-------+ |
| |
| Send STREAM + FIN |
v v
+-------+ +-------+
| Data | Send RST_STREAM | Reset |
| Sent |------------------>| Sent |
+-------+ +-------+
| |
| Recv All ACKs | Recv ACK
v v
+-------+ +-------+
| Data | | Reset |
| Recvd | | Recvd |
+-------+ +-------+
29. HTTP header compression
QPACK (~HPACK in HTTP/2, draft-ietf-quic-qpack-03.txt)
● shares the static Huffman code and a dynamic table among streams that may be delivered out of order
● static & dynamic tables
● uses dedicated unidirectional encoder/decoder streams for synchronization
30. QUIC: packet loss
draft-ietf-quic-recovery-16.txt
RTO, TLP, fast & early retransmit, {S,F}ACK loss recovery
ACK frames acknowledge packets; a retransmitted packet gets a new packet number
● retransmitted frames carry the same stream offset and length (like TCP)
● like TCP: delayed, piggybacked ACKs
● like SACK: ACK blocks (no reneging)
Explicit Congestion Notification (ECN) [RFC3168]
32. QUIC: congestion control
Chromium is a monster: BBR, CUBIC, PRR, slow start etc.
draft-ietf-quic-recovery-16.txt
NewReno (cwnd in bytes), slow start
Packet pacing
● packetization delays to bundle multiple frames
Flow control frames: MAX_DATA, MAX_STREAM_DATA
33. Security considerations
Volumetric DDoS: opaque UDP traffic, indistinguishable from a plain UDP flood
● middlebox filtering: track ClientHello + Connection ID
Amplification DDoS: mitigated by requiring a minimum length for the client's Initial (ClientHello) packet
Stream fragmentation & reassembly → memory overcommit unless the receiver bounds its buffers
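An added example (my code, not the presenter's) that ties the stream frame format of slide 26 to the reassembly risk above: it parses draft-16 STREAM frames (types 0x10..0x17 with OFF=0x04, LEN=0x02, FIN=0x01, then Stream ID, optional Offset, optional Length, data) out of a packet payload and feeds them to a receiver whose memory is fixed at the advertised MAX_STREAM_DATA. The receive window is allocated once, so out-of-order, duplicated or overlapping frames cannot make it grow, and a frame reaching past the limit is rejected as a flow-control violation before anything is stored. The fixed (non-sliding) window and the sample frames are simplifications and constructions of mine.

```python
class FlowControlError(Exception):
    """Peer sent data outside the limits we advertised (MAX_STREAM_DATA or final size)."""


def decode_varint(buf, off):
    """QUIC variable-length integer (2-bit length prefix in the first byte)."""
    first = buf[off]
    length = 1 << (first >> 6)
    if off + length > len(buf):
        raise ValueError("truncated varint")
    value = first & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[off + i]
    return value, off + length


def parse_stream_frame(buf, off=0):
    """draft-16 STREAM frame: type 0x10..0x17 with OFF (0x04), LEN (0x02), FIN (0x01) bits,
    then Stream ID (i), [Offset (i)], [Length (i)], Stream Data. Returns (frame, next_offset)."""
    ftype = buf[off]
    if not 0x10 <= ftype <= 0x17:
        raise ValueError("not a STREAM frame: 0x%02x" % ftype)
    off += 1
    stream_id, off = decode_varint(buf, off)
    offset = 0
    if ftype & 0x04:
        offset, off = decode_varint(buf, off)
    if ftype & 0x02:
        length, off = decode_varint(buf, off)
    else:
        length = len(buf) - off          # no LEN bit: data runs to the end of the packet
    if off + length > len(buf):
        raise ValueError("truncated STREAM frame")
    frame = {"stream_id": stream_id, "offset": offset, "fin": bool(ftype & 0x01), "data": buf[off:off + length]}
    return frame, off + length


class BoundedStreamReceiver:
    """Receive side of one stream whose memory is fixed by the advertised MAX_STREAM_DATA.

    A real receiver slides the window forward with MAX_STREAM_DATA updates as the
    application consumes data; that is left out here to keep the bound visible.
    """

    def __init__(self, max_stream_data):
        self.limit = max_stream_data
        self.window = bytearray(max_stream_data)   # allocated once, never grows
        self.have = bytearray(max_stream_data)     # 1 where window[i] holds received data
        self.delivered = 0                         # bytes already handed to the application
        self.final_size = None

    def receive(self, offset, data, fin=False):
        end = offset + len(data)
        if end > self.limit:
            raise FlowControlError(f"frame ends at {end}, beyond MAX_STREAM_DATA={self.limit}")
        if fin:
            if self.final_size not in (None, end):
                raise FlowControlError("FIN changed the final size")
            self.final_size = end
        elif self.final_size is not None and end > self.final_size:
            raise FlowControlError("data beyond the final size")
        self.window[offset:end] = data             # overlaps simply overwrite identical bytes
        self.have[offset:end] = b"\x01" * len(data)
        return self.readable()

    def readable(self):
        """Return the next in-order bytes (what an application read would get)."""
        start = self.delivered
        while self.delivered < self.limit and self.have[self.delivered]:
            self.delivered += 1
        return bytes(self.window[start:self.delivered])

    def finished(self):
        return self.final_size is not None and self.delivered == self.final_size


# Constructed packet payload (not a capture): two STREAM frames for stream 4 that sit in
# the wrong order inside one packet; the one with the higher offset carries FIN.
FRAME_TAIL = b"\x17\x04\x05\x06 world"   # OFF|LEN|FIN, stream 4, offset 5, length 6
FRAME_HEAD = b"\x12\x04\x05hello"        # LEN only, stream 4, offset 0, length 5
SAMPLE_PAYLOAD = FRAME_TAIL + FRAME_HEAD


def reassemble(payload, max_stream_data=64):
    """Walk every STREAM frame in a packet payload and feed it to one bounded receiver."""
    rx = BoundedStreamReceiver(max_stream_data)
    out, off = b"", 0
    while off < len(payload):
        frame, off = parse_stream_frame(payload, off)
        out += rx.receive(frame["offset"], frame["data"], frame["fin"])
    return out, rx.finished()


if __name__ == "__main__":
    print(reassemble(SAMPLE_PAYLOAD))
```

The point to take away is the order of checks: the limit is compared against the frame's end offset before any bytes are copied, so a peer that sends many small, far-apart fragments (the classic reassembly memory attack) is held to exactly the buffer the receiver chose to advertise.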
34. QUIC in the kernel
User-space for rapid prototyping
The sendfile() problem (solved by kTLS for TLS)
kTLS-style ULP socket API (sketch):
● setsockopt(sd, SOL_UDP, UDP_ULP, "quic", sizeof("quic") - 1);
  setsockopt(sd, SOL_QUIC, QUIC_CTX, &quic_ctx, sizeof(quic_ctx));
● recvmsg() / sendmsg() - read/write a vector of frames
High CPU usage (copies of ACKs & co. to user-space)
System-wide memory accounting for all processes and connections
NIC acceleration (crypto offload, UDP segmentation offload)
First simple implementation (TBD): handshakes stay in user-space
36. References: documents
Current IETF drafts: https://datatracker.ietf.org/wg/quic/
QUIC Working Group: https://quicwg.org/
Discussions & open issues: https://github.com/quicwg/base-drafts/issues
Known implementations:
https://github.com/quicwg/base-drafts/wiki/Implementations
37. References: good to read & watch
"The QUIC Transport Protocol: Design and Internet-Scale Deployment",
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/46403.pdf
"QUIC: Developing and Deploying a TCP Replacement for the Web",
https://www.netdevconf.org/0x12/session.html?quic-developing-and-deploying-a-tcp-replacement-for-the-web
QUIC FAQ for Geeks,
https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE/edit
https://en.wikipedia.org/wiki/QUIC
Thoughts on how to support QUIC in (lib)curl,
https://github.com/curl/curl/wiki/QUIC