can we pay for what we get in 3g data access? acm mobicom 2012 istanbul, turkey chunyi peng,...

Can We Pay for What We Get in 3G Data Access?

ACM MOBICOM 2012

Istanbul, Turkey

Chunyi Peng, Guan-Hua Tu, Chi-Yu Li, Songwu LuUniversity of California, Los Angeles

Mobile Data Access is Popular

Internet

62% US broadband users with wireless data plans;1.2 billion global users for mobile web.

C PENG (UCLA) @ MOBICOM'12

2

Mobile Data Accounting

InternetCellular Network

$$$

Usage-based charging based on data volume

e.g., $15 for 200MB for AT&T iPhone

Accounting: How much data is actually used?


3

Accounting in 3G Networks

Internet

3G Cellular Network

BS

RNC SGSN GGSN

UE

VOP_RAW

VOP

Alice

Policy


4

• Accounting done at SGSN/GGSN • Accounting policy defined by carriers

InternetBS

RNC SGSN GGSN

UE

VOP_RAW

Alice

Policy

2 Issues in 3G Accounting

Question: VUE = VOP?

1. VUE ≠ VOP_RAW?(accounting architecture)

VUE

2. VOP_RAW ≠ VOP?

(policy practice)

VOP


5

Contributions

First work to assess mobile data accounting Largely successful, but pathological cases do exist Study accounting discrepancy between the operator’s log

and the user’s record Identify 2 extreme cases

WE PAY FOR WHAT WE DO NOT GET WE GET WHAT WE DO NOT PAY FOR

Explore root causes limitation in accounting architecture Loopholes in policy practice

Suggest remedies


6

Methodology

Conduct experiments over 2 US carriers Partial validation with 3rd US carrier and 2 operators

in China and Taiwan Both extreme and common cases

Use Android phones for mobile data access in various test scenarios

Accessing accounting records VOP from operators #1: Dial-in for the remaining monthly data usage #2: Online itemized data usage

BillAudit: logging usage VUE @smartphones


7

The Rest of Talk

“Overcharging” Extreme cases Average cases Root cause: limitation in 3G accounting architecture

“Undercharging” Root cause: Loopholes in policy enforcement

“Gray” areas Discussion and summary


8

WE PAY FOR WHAT WE DO NOT GET9

Extreme Case: No Signal

DL-NS experiment over UDP

(1) Issue a UDP-based service

(2) Move to a blind zone ✗✗(3) UDP traffic for t mins (rate: s)

VUE VOPVSR

Server3G Network

VOP_RAWVUE

✗

Result:s = 50Kbps, t = 10 mins VOP ≈ VSR= 50K x10 x 60/8 = 3.75MB VUE ≈ 0 UEs PAY FOR WHAT THEY DO NOT GET.


10

S = 50 Kbps

Time (hours)

How Bad the Gap Can Be?

Gap = VOP – VUE ≈ S × T UDP source S: 50Kbps ~ 8Mbps Duration T: 1min ~ 6 hours

lasts at least three hours!

Observed gap reaches 450MB (t = 1h, s = 1Mbps)! Operator-I, t = 1min

Source Rate (Mbps)


11

Root Cause12

RNC SGSN GGSN

VUE ---

✗

✗

VOP

3G accounting decision takes local view at SGSN/GGSN, w/o using feedback from end-host.


12

Still-Bad Case: Even With Signals

DL-NS experiments with different signal strength

(1) Issue a UDP-based service

(2) Move to a blind zone✗

(3) UDP traffic for t mins (rate: s)

VUEVOP VSR

(2) Stay in different zones✗

Server3G Network

RSSI (dBm)

-113

-105

-90Strong-Signal (SS-zone)

Weak-Signal (W-zone)

Weaker-Signal (WR-zone)No-Signal (NS-zone)


13

Gap Exists Even With Signals!

S , GapRSSI , Gap Cause: Packet drops over radio link.

Source Rate (Kbps)UEs PAY FOR WHAT THEY DO NOT GET,

though wireless link exists!

(Kbps)


14

Still-Bad Case: Intermittent Signals

When users lose signals for a while but recover them shortly

The gap exists with transient lost links Buffering and retransmission over radio links may

reduce the gap (see the paper) UEs PAY FOR WHAT THEY DO NOT GET, when

they temporarily (10+ seconds) lose wireless links!


15

So Terrible In Reality?

Good news: Probably not!

TCP/App control will teardown it (adjust its incoming rate)

✗

Gap for DL-NS over TCP: 2.9 ~ 50KB

✗

VOP--

16

RNC SGSN GGSN

VUE ---

✗

✗

VOP

✗


16

Application Behaviors

DL-NS tests with 5 applications: Web, Skype, YouTube, PPS streaming, VLC streaming

over VPN

Web Skype YouTube PPS VLC

Med (MB) -0.03 0.88 0.23 3.30 2.97

Min (MB) 0.00 0.40 0.20 0.72 1.45

Max (MB) -0.04 0.99 0.34 4.3 29.9

Mobile accounting is largely successful in practice.Users may occasionally be overcharged

It depends on when and how app control works.


17

Real User Performance

Two-week usage for 7 users

Operator-I Operator-II

User 1 2 3 4 5 6 7 (1day)

Apps. Map StockGame

Skype, PPS etc.

YouTube, PPS

Ebook - YouTube, PPS

VUE 194.2 270.3 124.6 900.2 121.7 47.1 72.4

VOP 192.6 270.0 129.4 948.4 120.9 47.3 77.6

Gap -1.8 -0.3 4.8 48.2 -0.8 0.2 5.2

-0.9% -0.1% 3.9% 5.3% -0.6% 0.4% 7.2%

YouTube on the train to NYC.


18

3 Views on “Overcharging”

Optimistic view: not too bad in reality, no fix Built-in TCP/application control is sufficient

Alternative (Operator’s) view: not to intend to account the data volume to end-hosts, but the one traversing the core network, no need to fix Security: What if that the data is not what users want? Audit: How to guarantee that inside accounting is correct?

Conservative view: need to fix it Users should pay for what they get 3G accounting architecture should not depend on external

control


19

Proposals

Exploit feedback from devices in accounting decision E.g., using info already collected by cellular networks

VRNC_unsent VOPVOP - VRNC_unsent20

RNC SGSN GGSN


20

WE GET WHAT WE DO NOT PAY FOR21

Loopholes in Accounting Policy Practice

BS

RNC SGSN GGSN

VOP_RAW

VOP

Policy Policy: Free DNS Service

VOP (DNS) = 0

Loophole: • A DNS flow should be identified by five tuples (src_addr, dest_addr, src_port, dest_port, protocol ID)• But only dest_port (+ protocol ID) is used in practice

Policy + Loophole

any fake DNS message, or any real data packet using DNS port (53), can be free of charge!

VOP (ANY-over-DNS) = 0


22

Our Findings

Free DNS policy enforcement Operator-I: Packets via port 53 are free Operator-II: Packets via UDP+Port 53 are free

Exploit “DNS tunneling” for free data access Proxy server (outside 3G network) relays packets

to/from UE via Port-53 Observed: Free data access > 200MB, VOP = 0 No sign to limit “free” data volume


23

More on Operator Policy

Other carriers 3rd US carrier: free DNS by June 2012, no free after July China/Taiwan carriers: no free DNS service at all Accounting policy is operator specific

Other free or differential-pricing policies Free Internet access to a given website

Hack: web redirection for free Internet access Free access via a specific Access Point Name (APN)

Hack: use this APN, not the default APN Unlimited plans/discounts for Facebook access

Similar to web redirection if we can evade Facebook (probably not)


24

Discussion and Proposals

Operators have freedom to define their own policy Flexibility to compete in the market

Gap between policy and policy enforcement Should be conflict free Otherwise, policy may open loopholes unanticipated

Simplest fix: stop free DNS service Negligible DNS traffic volume in normal cases Other options:

DNS server authentication Quota Message integrity check

Policy


25

“GRAY” ACCOUNTING AREAS26

Effect of Middle-boxes

Middle-boxes lead to inconsistent accounting views at the core network and the end host Pay for the uplink to a non-existing host due to

FTP/HTTP proxy

Invalid link

VOP > 0

RNC SGSN GGSN Middle-boxMiddle-box

✗

✗✔


27

Packet Drops over the Internet

Misbehaviors over the Internet can incur extra mobile data charging Packet drops over the internet increases volume within

cellular networks

28

VOP TCP ReTX

RNC SGSN GGSN


28

Overhead for Wanted Content

VOP covers protocol overhead and app. signaling HTTP redirection: #redirection , VOP Email: significant protocol overhead for sending a short

email Skype: significant protocol management overhead

VOP covers Ads, or whatever users may not expect Hidden cost for free-version applications with more Ads? Security issue?

Content-centric charging?


29

Beyond Accounting

Revisit charging/accounting design principles Cooperate with Internet?

Segmented charging for one data service? Who should pay?

Receiver-based, sender-based, or both (current practice)?

For what?

Volume? Content? Part of content? What if using different pricing schemes?


30

Discussion and Future Work

Revisit accounting architecture What failures and losses should be handled? What mechanisms are indispensable for given failures? When and how does the end host report delivery

losses? How to ensure that the feedback information is secure

and trustworthy? How many mechanisms should be placed into the

future cellular network standards? Policy and policy enforcement


31

Summary

First assessment of mobile data accounting system over operational 3G networks Largely successful, but also exceptions

Accounting discrepancy between the operator’s log and the user’s record Identify two extreme cases:

WE PAY FOR WHAT WE DO NOT GET WE GET WHAT WE DO NOT PAY FOR

Explore root cause in accounting architecture & policy Propose remedy suggestions

Many research issues ahead e.g., security, auditing, pricing, …


32

can we pay for what we get in 3g data access? acm mobicom 2012 istanbul, turkey chunyi peng,...

Documents

mins v op v sr

s v ue v op v sr server

mb v ue

accounting records v

g network v op

accounting architecture

v op v ue s t udp source

rnc sgsnggsn v ue