Vanishing Connections: Application Resiliency through Cross-Network TCP Migration
Computer applications face a plethora of security challenges, ranging from network monitoring to costly and damaging intrusion and compromise. Many techniques exist to mitigate applications' exposure to these threats: network policies can be adjusted, traffic rerouted, firewalls installed, hosts hardened, and applications patched. A large body of research aims to improve host security in this context. For applications that have already suffered damaging attacks, however, the primary concern is no longer security but resiliency: the capacity of a system to complete its mission in spite of adverse cyber events. We present this work in the context of such systems, providing resilience through an extension of container live migration that enables TCP connection migration. We then present a method for traversing NATs, widening the network configuration options for hosts that receive a migrating container. We also compare this method of connection migration with the existing literature in the context of application resiliency. The method presented here requires no additional hardware dependencies, can be performed wherever container migration is already performed, does not increase latency after a migration, supports TLS-encrypted connections, and allows both container and connection rollbacks, a first in the known literature.