
CONCLUSIONS

IPX-Ps are at the core of the IPX ecosystem, allowing their customers to achieve global connectivity for their end-users. A view into this opaque ecosystem using publicly available data is not possible, as IPX-Ps intentionally separate their operations from the public Internet. In this paper, we provide the first deep dive analysis into the operations of a real-world IPX-P, with a large platform serving customers in 19 countries. As services across different IPX-Ps are generally consistent, and rely on the same basic functions that we explore in this paper, we argue that our insights provide a valuable peek into this hidden operational ecosystem.

IPX providers (IPX-Ps) sit at the core of the IPX ecosystem, enabling their customers to deliver global connectivity to end-users. Because IPX-Ps deliberately isolate their operations from the public Internet, gaining insight into this highly closed ecosystem through public data is nearly impossible. In this paper, we present the first in-depth analysis of the operations of a real-world IPX-P, a large platform serving customers in 19 countries. Given that services are generally consistent across IPX-Ps and rely on the basic functions examined in this paper, we believe the insights revealed by this study offer an important window into this hidden operational ecosystem.

We show how the IPX-P benefits from the flexibility of the IPX model to create tailored solutions for its customers, which include IoT providers or MNOs. We build a complex dataset to capture operations over the basic functions of the IPX-P, including SCCP signaling, Diameter signaling, and GTP signaling. These allow us to dissect the data roaming service, both for MNOs and IoT providers. We characterize the traffic and performance of the main infrastructures of the IPX-P, and provide implications for its operations, as well as for the IPX-P's customers.

We show how this IPX-P uses the flexibility of the IPX model to tailor network solutions for its customers, including IoT service providers and mobile network operators. We build a complex dataset covering the IPX-P's key operations, including SCCP, Diameter and GTP signaling, which allows us to dissect in detail its data roaming service for both MNOs and IoT service providers. We further characterize the traffic carried by, and the performance of, the IPX-P's core infrastructure, and discuss the implications for the operations of the IPX-P itself and of its customers.

Our analysis leaves several open questions for the community to consider. Though the IPX ecosystem was meant to come with intrinsic security (via the deliberate separation from the public Internet), there are many well-known weaknesses in the current SS7 and Diameter signaling platforms (e.g., roaming signaling equipment unsecured in the public Internet [12], advanced IPX network protocol vulnerabilities [25]) that translate into attacks on end-user privacy or on critical IoT platforms. This brings the obvious challenge of addressing these vulnerabilities in current operational systems, as well as building upon this knowledge to design better solutions for the next-generation signaling platform for data roaming in 5G and beyond. Specifically, the 5G System architecture specifies a Security Edge Protection Proxy (SEPP) as the entity sitting at the perimeter of the MNO for protecting control plane messages, thus replacing the Diameter or SS7 routers from previous generations. The SEPP is meant to enforce inter-MNO security on the N32 interface, and tackle many of the vulnerabilities of existing signaling systems. As we start deploying operational 5G networks, ensuring that the specified requirements for these proxies are met is an important challenge. Privacy in the IPX ecosystem is of paramount importance, especially as cellular IoT devices often underpin critical services that should be protected. These requirements for security, privacy and confidentiality both within the IPX ecosystem (between MNOs and IPX-Ps), and between the IPX ecosystem and the wired Internet bring to light the need for proactive approaches to monitoring the health of the ecosystem, thus tackling anomalies, whether malicious or unintended.

Our analysis, however, also raises several open questions that deserve further study by academia and industry. Although the IPX ecosystem was designed with some intrinsic security through its physical isolation from the public Internet, the existing SS7 and Diameter signaling systems still contain many known security vulnerabilities (for example, roaming signaling equipment exposed to the public Internet [12], and sophisticated IPX network protocol vulnerabilities [25]), and these flaws can be exploited to attack end-user privacy or critical IoT platforms. How to fix these vulnerabilities in current operational systems, and to build on this to design better solutions for future data roaming signaling platforms (such as 5G and beyond), is therefore a pressing challenge.

Notably, the 5G system architecture introduces the Security Edge Protection Proxy (SEPP), an entity placed at the operator's perimeter as a key component for protecting control-plane signaling messages. The SEPP is intended to provide secure inter-MNO communication over the N32 interface, replacing the Diameter or SS7 signaling routers of the previous generation and thereby addressing many of the vulnerabilities in existing systems. As 5G networks are gradually deployed, ensuring that these security components are implemented strictly according to the specifications will be a key task in practice. Protecting privacy in the IPX ecosystem is of paramount importance, all the more so as cellular IoT devices are increasingly used to support critical services. Therefore, the requirements for security, privacy and confidentiality, both within the IPX ecosystem (between MNOs and IPX-Ps) and between the IPX ecosystem and the wired Internet, highlight the urgent need for proactive monitoring and health-assessment mechanisms to promptly identify and respond to anomalous, malicious or unintended behavior in the system.

Furthermore, our work also brings to light the need for novel business models within the IPX ecosystem. We argue that the cellular ecosystem needs to draw from the success of the peering fabric within the public Internet, where the benefits of peering are well known among Internet Service Providers (ISPs) and Content Delivery Networks (CDNs), particularly when it comes to public peering via an Internet Exchange Point (IXP). This established practice in the wired Internet has not yet been fully translated to the mobile Internet [26], where currently only two major IXPs (i.e., AMS-IX and Equinix) offer the mobile peering service, even though more people are connecting to the Internet over cellular connections than fixed broadband. We highlight the need to build a new dynamic of interaction within the ecosystem that would ensure trust among MNOs to guarantee optimal performance for the end-user (e.g., enable local breakout roaming), as well as privacy and confidentiality.

Furthermore, our study also reveals the need to introduce new business models into the IPX ecosystem. We argue that the cellular ecosystem should draw on the mature peering mechanisms of the public Internet, in particular the broad benefits of public peering between Internet service providers (ISPs) and content delivery networks (CDNs) at Internet exchange points (IXPs). However, this mechanism, already widely practiced in the wired Internet, has not yet been fully adopted in the mobile Internet. To date, only two major IXPs (namely AMS-IX and Equinix) offer mobile peering services, even though the number of users accessing the Internet over cellular networks now exceeds the number of fixed broadband users. We emphasize that a new dynamic of interaction should be established within the existing ecosystem to build trust among MNOs, thereby ensuring optimal performance for end-users (for example, by enabling local breakout roaming, LBO) while also protecting data privacy and confidentiality.

Explanation of Mobile Peering

"We argue that the cellular ecosystem should draw on the mature peering mechanisms of the public Internet, in particular the broad benefits of public peering between Internet service providers (ISPs) and content delivery networks (CDNs) at Internet exchange points (IXPs). However, this mechanism, already widely practiced in the wired Internet, has not yet been fully adopted in the mobile Internet."

While peering is already very mature in the traditional Internet (for example between ISPs and CDNs), mobile networks (for example between MNOs) have not yet widely adopted a similar IXP peering mechanism. This is a form of cooperation that has yet to be fully developed, and it has the potential to improve the performance and interconnection efficiency of mobile networks worldwide.

IXP

We frequently see "IPX" in this paper, but what is an "IXP"?

IXP: Internet Exchange Point

An IXP is a physical infrastructure that lets multiple networks, such as Internet service providers (ISPs), content providers (CDNs) and cloud providers, interconnect directly (peer) at a neutral location in order to exchange traffic. This form of interconnection bypasses the traditional third-party transit path, improving network efficiency and reducing latency and cost.

Suppose user A uses ISP-A and user B uses ISP-B. If ISP-A and ISP-B both peer through the same IXP, then when A sends data to B, the data can be handed off directly across the IXP without first detouring through a third-party carrier (such as a Tier-1 provider), which greatly reduces both the detour distance and the cost.
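To make that bypass concrete, here is a toy BGP-style route selection added as an illustration (constructed code, not from the paper or this page): with the usual customer > peer > provider preference and the valley-free export rule, ISP-A can only reach ISP-B through both Tier-1s until a direct peering at the IXP exists, after which the short peer path wins. The topology, the ISP and Tier-1 names, and the preference values are all assumptions.

```python
# Toy BGP-style route selection (constructed example, not the paper's code).
LOCAL_PREF = {"customer": 300, "peer": 200, "provider": 100}  # customer > peer > provider
def build_graph(customer_of, peers):
    """Adjacency map: node -> {neighbour: what that neighbour is *to* node}."""
    g = {}
    for cust, prov in customer_of:
        g.setdefault(cust, {})[prov] = "provider"
        g.setdefault(prov, {})[cust] = "customer"
    for a, b in peers:
        g.setdefault(a, {})[b] = "peer"
        g.setdefault(b, {})[a] = "peer"
    return g

def valley_free(rels):
    """Gao-Rexford rule: climb to providers, cross at most one peer link, then only descend."""
    phase = 0  # 0 = climbing, 1 = crossed the single peer link, 2 = descending to customers
    for rel in rels:
        if rel != "customer" and phase > 0:
            return False  # climbing or peering again after a peer/customer step is a "valley"
        phase = {"provider": 0, "peer": 1, "customer": 2}[rel]
    return True

def all_paths(g, src, dst, seen=()):
    if src == dst:
        yield [src]
        return
    for nxt in g[src]:
        if nxt not in seen:
            for rest in all_paths(g, nxt, dst, seen + (src,)):
                yield [src] + rest

def best_path(g, src, dst):
    """Path src selects: highest local-pref of the first hop, then fewest hops (or None)."""
    ranked = []
    for path in all_paths(g, src, dst):
        rels = [g[a][b] for a, b in zip(path, path[1:])]
        if valley_free(rels):
            ranked.append((LOCAL_PREF[rels[0]], -len(path), path))
    return max(ranked)[2] if ranked else None

# Constructed topology: ISP-A and ISP-B each buy transit from a different Tier-1,
# the two Tier-1s peer with each other, and ISP-C is a small customer of both ISPs.
CUSTOMER_OF = [("ISP-A", "Tier1-X"), ("ISP-B", "Tier1-Y"), ("ISP-C", "ISP-A"), ("ISP-C", "ISP-B")]
PEERS = [("Tier1-X", "Tier1-Y")]
def path_without_ixp():
    return best_path(build_graph(CUSTOMER_OF, PEERS), "ISP-A", "ISP-B")

def path_with_ixp():  # the IXP fabric is modelled as a direct peer link between the two ISPs
    return best_path(build_graph(CUSTOMER_OF, PEERS + [("ISP-A", "ISP-B")]), "ISP-A", "ISP-B")
```

Note that the apparently shorter ISP-A to ISP-C to ISP-B route is rejected by the valley-free check: a customer does not carry transit between its two providers, so without the IXP the traffic really does have to climb to the Tier-1 layer.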