From: Craig M Prince (cmprince@cs.washington.edu)
Date: Mon Nov 15 2004 - 07:41:17 PST
Reading Review 11-15-2004
-------------------------
Craig Prince
The paper titled "Upgrading Transport Protocols using Untrusted Mobile
Code" proposes a framework for automatic upgrading of connection
end-points in order to support new transport protocols. Interestingly,
this upgrading is done at a per-connection granularity and is accomplished
by pushing the protocol code from the sender to the receiver. A sandboxing
approach is used to protect the end-points from malicious users and ensure
that only well-behaved code is executed.
The authors cite several interesting motivations for their work. First,
their proposed system provides backward compatibility because it can
always default to standard TCP for any connection. Also, since the system
allows for code downloading, it only requires one end-point to be upgraded
initially.
I liked how this article draws together several advancements in languages,
systems, and networks to provide a solution to the problem of protocol
deployment. Since we are just trying to support multiple transport
protocols, we can easily create a more secure sandbox in this limited
domain and provide the necessary security.
I found several aspects of this paper a bit troubling. First, it appeared
that there were some big limitations to the types of protocols that could
be effectively implemented. There was a tension between providing
effective isolation and giving the protocols freedom. I wonder how long it
would be before this system would run into a wall where the new transport
protocols would not be able to be implemented with the given system. The
authors assume that future TCP upgrades will be similar to past
modifications; however, this probably isn't true and new proposals might
not easily fit into this framework.
Another concern I had was with the overhead of the system. At one point it
is reported that there is a 44% overhead. This seems a bit excessive,
although the authors do give some reasons for this. Also, initial
deployment of STP would require kernel upgrades of all end-points which,
as the authors admit, is difficult.
Finally, I was concerned with the possibility that malicious users could
abuse the system. For example, a malicious user could always request that
you download a new protocol for every connection. Even though the protocol
size is generally small (<1mb), many malicious users could consume a large
bandwidth and storage on a server by all uploading different protocol
code.
Overall, the idea of using a sandbox to allow upgradability using
untrusted code is novel; however, there are some important concerns with
the system that need to be resolved before such a system would truly be
viable.