draft-ietf-tcpm-converters-04.txt   draft-ietf-tcpm-converters-05.txt 
TCPM Working Group O. Bonaventure, Ed. TCPM Working Group O. Bonaventure, Ed.
Internet-Draft Tessares Internet-Draft Tessares
Intended status: Experimental M. Boucadair, Ed. Intended status: Experimental M. Boucadair, Ed.
Expires: April 25, 2019 Orange Expires: August 11, 2019 Orange
S. Gundavelli S. Gundavelli
Cisco Cisco
S. Seo S. Seo
Korea Telecom Korea Telecom
October 22, 2018 B. Hesmans
Tessares
February 07, 2019
0-RTT TCP Convert Protocol 0-RTT TCP Convert Protocol
draft-ietf-tcpm-converters-04 draft-ietf-tcpm-converters-05
Abstract Abstract
This document specifies an application proxy, called Transport This document specifies an application proxy, called Transport
Converter, to assist the deployment of TCP extensions such as Converter, to assist the deployment of TCP extensions such as
Multipath TCP. This proxy is designed to avoid inducing extra delay Multipath TCP. This proxy is designed to avoid inducing extra delay
when involved in a network-assisted connection (that is, 0-RTT). when involved in a network-assisted connection (that is, 0-RTT).
This specification assumes an explicit model, where the proxy is This specification assumes an explicit model, where the proxy is
explicitly configured on hosts. explicitly configured on hosts.
-- Editorial Note (To be removed by RFC Editor) -- Editorial Note (To be removed by RFC Editor)
Please update these statements with the RFC number to be assigned to Please update these statements with the RFC number to be assigned to
this document: this document: [This-RFC]
[This-RFC]
Please update TBA statements with the port number to be assigned to Please update TBA statements with the port number to be assigned to
the Converter Protocol. the 0-RTT TCP Convert Protocol.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 11, 2019.
This Internet-Draft will expire on April 25, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 5 3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 6
3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 7 3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 8
3.3. Sample Examples of Outgoing Converter-Assisted Multipath 3.3. Sample Examples of Outgoing Converter-Assisted Multipath
TCP Connections . . . . . . . . . . . . . . . . . . . . . 10 TCP Connections . . . . . . . . . . . . . . . . . . . . . 11
3.4. Sample Example of Incoming Converter-Assisted Multipath 3.4. Sample Example of Incoming Converter-Assisted Multipath
TCP Connection . . . . . . . . . . . . . . . . . . . . . 11 TCP Connection . . . . . . . . . . . . . . . . . . . . . 12
4. The Converter Protocol (Convert) . . . . . . . . . . . . . . 12 4. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 13
4.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 12 4.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 14
4.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 13 4.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 14
4.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 13 4.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 14
4.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 14 4.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 15
4.2.3. The Bootstrap TLV . . . . . . . . . . . . . . . . . . 15 4.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 16
4.2.4. Supported TCP Extension Services TLV . . . . . . . . 15 4.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 16
4.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 16 4.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 17
4.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 18 4.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 19
4.2.7. Error TLV . . . . . . . . . . . . . . . . . . . . . . 18 4.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 19
4.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 20
5. Compatibility of Specific TCP Options with the Conversion 5. Compatibility of Specific TCP Options with the Conversion
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 21 5.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 23
5.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 22 5.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 24
5.3. Selective Acknowledgements . . . . . . . . . . . . . . . 22 5.3. Selective Acknowledgements . . . . . . . . . . . . . . . 24
5.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 23 5.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 25
5.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 23 5.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 25
5.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 23 5.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 25
5.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 24 5.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 26
5.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 24 5.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.9. TCP Experimental Options . . . . . . . . . . . . . . . . 25 5.9. TCP Experimental Options . . . . . . . . . . . . . . . . 26
6. Interactions with Middleboxes . . . . . . . . . . . . . . . . 25 6. Interactions with Middleboxes . . . . . . . . . . . . . . . . 26
7. Security Considerations . . . . . . . . . . . . . . . . . . . 25 7. Security Considerations . . . . . . . . . . . . . . . . . . . 27
7.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 25 7.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 27
7.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 26 7.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 28
7.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 26 7.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 28
7.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 27 7.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 28
7.5. Multipath TCP-specific Considerations . . . . . . . . . . 27 7.5. Multipath TCP-specific Considerations . . . . . . . . . . 29
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
8.1. Convert Service Port Number . . . . . . . . . . . . . . . 28 8.1. Convert Service Port Number . . . . . . . . . . . . . . . 29
8.2. The Converter Protocol (Convert) Parameters . . . . . . . 28 8.2. The Convert Protocol (Convert) Parameters . . . . . . . . 30
8.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 28 8.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 30
8.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 28 8.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 30
8.2.3. Convert Error Messages . . . . . . . . . . . . . . . 29 8.2.3. Convert Error Messages . . . . . . . . . . . . . . . 31
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32
9.1. Contributors . . . . . . . . . . . . . . . . . . . . . . 31 9.1. Contributors . . . . . . . . . . . . . . . . . . . . . . 33
10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 32 10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 34
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 34
11.1. Normative References . . . . . . . . . . . . . . . . . . 32 11.1. Normative References . . . . . . . . . . . . . . . . . . 34
11.2. Informative References . . . . . . . . . . . . . . . . . 33 11.2. Informative References . . . . . . . . . . . . . . . . . 35
Appendix A. Differences with SOCKSv5 . . . . . . . . . . . . . . 37 Appendix A. Differences with SOCKSv5 . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction 1. Introduction
Transport protocols like TCP evolve regularly [RFC7414]. TCP has Transport protocols like TCP evolve regularly [RFC7414]. TCP has
been improved in different ways. Some improvements such as changing been improved in different ways. Some improvements such as changing
the initial window size [RFC6928] or modifying the congestion control the initial window size [RFC6928] or modifying the congestion control
scheme can be applied independently on clients and servers. Other scheme can be applied independently on clients and servers. Other
improvements such as Selective Acknowledgements [RFC2018] or large improvements such as Selective Acknowledgements [RFC2018] or large
windows [RFC7323] require a new TCP option or to change the semantics windows [RFC7323] require a new TCP option or to change the semantics
of some fields in the TCP header. These modifications must be of some fields in the TCP header. These modifications must be
deployed on both clients and servers to be actually used on the deployed on both clients and servers to be actually used on the
Internet. Experience with the latter TCP extensions reveals that Internet. Experience with the latter TCP extensions reveals that
their deployment can require many years. [Fukuda2011] reports their deployment can require many years. Fukuda reports in
results of a decade of measurements showing the deployment of [Fukuda2011] results of a decade of measurements showing the
Selective Acknowledgements, Window Scale and TCP Timestamps. deployment of Selective Acknowledgements, Window Scale and TCP
[ANRW17] describes measurements showing that TCP Fast Open [RFC7413] Timestamps. [ANRW17] describes measurements showing that TCP Fast
(TFO) is still not widely deployed. Open (TFO) [RFC7413] is still not widely deployed.
There are some situations where the transport stack used on clients There are some situations where the transport stack used on clients
(resp. servers) can be upgraded at a faster pace than the transport (resp. servers) can be upgraded at a faster pace than the transport
stack running on servers (resp. clients). In those situations, stack running on servers (resp. clients). In those situations,
clients would typically want to benefit from the features of an clients would typically want to benefit from the features of an
improved transport protocol even if the servers have not yet been improved transport protocol even if the servers have not yet been
upgraded and conversely. In the past, Performance Enhancing Proxies upgraded and conversely. Performance Enhancing Proxies [RFC3135],
have been proposed and deployed [RFC3135] as solutions to improve TCP and other service functions have been deployed as solutions to
performance over links with specific characteristics. improve TCP performance over links with specific characteristics.
Recent examples of TCP extensions include Multipath TCP Recent examples of TCP extensions include Multipath TCP [RFC6824] or
[RFC6824][I-D.ietf-mptcp-rfc6824bis] or TCPINC TCPINC [I-D.ietf-tcpinc-tcpcrypt]. Those extensions provide features
[I-D.ietf-tcpinc-tcpcrypt]. Those extensions provide features that that are interesting for clients such as wireless devices. With
are interesting for clients such as wireless devices. With Multipath Multipath TCP, those devices could seamlessly use WLAN (Wireless
TCP, those devices could seamlessly use WLAN and cellular networks, Local Area Network) and cellular networks, for bonding purposes,
for bonding purposes, faster handovers, or better resiliency. faster handovers, or better resiliency. Unfortunately, deploying
Unfortunately, deploying those extensions on both a wide range of those extensions on both a wide range of clients and servers remains
clients and servers remains difficult. difficult.
More recently, experimentation of 5G bonding, which has very scarce More recently, experimentation of 5G bonding, which has very scarce
coverage, has been conducted into global range of the incumbent 4G coverage, has been conducted into global range of the incumbent 4G
(LTE) connectivity in newly devised clients using Multipath TCP (LTE) connectivity in newly devised clients using Multipath TCP
proxy. Even if the 5G and the 4G bonding by using Multipath TCP proxy. Even if the 5G and the 4G bonding by using Multipath TCP
increases the bandwidth to data transfer, it is as well crucial to increases the bandwidth, it is as well crucial to minimize latency
minimize latency for all the way between endhosts regardless of for all the way between endhosts regardless of whether intermediate
whether intermediate nodes are inside or outside of the mobile core. nodes are inside or outside of the mobile core. In order to handle
In order to handle uRLLC (Ultra-Reliable Low-Latency Communication) uRLLC (Ultra-Reliable Low-Latency Communication) for the next
for the next generation mobile network, Multipath TCP and its proxy generation mobile network, Multipath TCP and its proxy mechanism such
mechanism must be optimised to reduce latency. as the one used to provide Access tTaffic Steering, Switching, and
Splitting (ATSSS) must be optimised to reduce latency.
This document specifies an application proxy, called Transport This document specifies an application proxy, called Transport
Converter. A Transport Converter is a function that is installed by Converter. A Transport Converter is a function that is installed by
a network operator to aid the deployment of TCP extensions and to a network operator to aid the deployment of TCP extensions and to
provide the benefits of such extensions to clients. A Transport provide the benefits of such extensions to clients. A Transport
Converter may support conversion service for one or more TCP Converter may provide conversion service for one or more TCP
extensions. This service is provided by means of the Converter extensions. Which TCP extensions are eligible to the conversion
Protocol (Convert), that is an application layer protocol which uses service is deployment-specific. The conversion service is provided
TBA TCP port number (Section 8). by means of the 0-RTT TCP Convert Protocol (Convert), that is an
application-layer protocol which uses TCP port number TBA
(Section 8).
The Transport Converter adheres to the main principles as drawn in The Transport Converter adheres to the main principles drawn in
[RFC1919]. In particular, the Converter achieves the following: [RFC1919]. In particular, a Transport Converter achieves the
following:
o Listen for client sessions; o Listen for client sessions;
o Receive from a client the address of the final target server; o Receive from a client the address of the final target server;
o Setup a session to the final server; o Setup a session to the final server;
o Relay control messages and data between the client and the server; o Relay control messages and data between the client and the server;
o Perform access controls according to local policies. o Perform access controls according to local policies.
The main advantage of network-assisted Converters is that they enable The main advantage of network-assisted conversion services is that
new TCP extensions to be used on a subset of the end-to-end path, they enable new TCP extensions to be used on a subset of the path
which encourages the deployment of these extensions. The Transport between endpoints, which encourages the deployment of these
Converter allows the client and the server to directly negotiate TCP extensions. Furthermore, the Transport Converter allows the client
options. and the server to directly negotiate TCP options for the sake of
native support along the full path.
The Convert Protocol is a generic mechanism to provide 0-RTT The Convert Protocol is a generic mechanism to provide 0-RTT
conversion service. As a sample applicability use case, this conversion service. As a sample applicability use case, this
document specifies how the Convert Protocol applies for Multipath document specifies how the Convert Protocol applies for Multipath
TCP. It is out of scope of this document to provide a comprehensive TCP. It is out of scope of this document to provide a comprehensive
list of all potential conversion services; separate documents may be list of all potential conversion services. Applicability document
edited in the future for other conversion services upon need. may defined in the future.
This document does not assume that all the traffic is eligible to the This document does not assume that all the traffic is eligible to the
network-assisted conversion service. Only a subset of the traffic network-assisted conversion service. Only a subset of the traffic
will be forwarded to a Converter according to a set of policies. will be forwarded to a Transport Converter according to a set of
Furthermore, it is possible to bypass the Converter to connect to the policies. These policies, and how they are communicated to
servers that already support the required TCP extension. endpoints, are out of scope. Furthermore, it is possible to bypass
the Transport Converter to connect directly to the servers that
already support the required TCP extension(s).
This document assumes that a client is configured with one or a list This document assumes that a client is configured with one or a list
of Converters (e.g., [I-D.boucadair-tcpm-dhc-converter]). of Transport Converters (statically or through protocols such as
Configuration means are outside the scope of this document. [I-D.boucadair-tcpm-dhc-converter]). Configuration means are outside
the scope of this document.
This document is organized as follows. We first provide a brief This document is organized as follows. We first provide a brief
explanation of the operation of Transport Converters in Section 3. explanation of the operation of Transport Converters in Section 3.
We describe the Converter Protocol in Section 4. We discuss in We describe the Convert Protocol in Section 4. We discuss in
Section 5 how Transport Converters can be used to support different Section 5 how Transport Converters can be used to support different
TCP options. We then discuss the interactions with middleboxes TCP extensions. We then discuss the interactions with middleboxes
(Section 6) and the security considerations (Section 7). (Section 6) and the security considerations (Section 7).
Appendix A provides a comparison with SOCKS proxies that are already Appendix A provides a comparison with SOCKS proxies that are already
used to deploy Multipath TCP in some cellular networks. used to deploy Multipath TCP in some cellular networks (Section 2.2
of [RFC8041]).
2. Requirements 2. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119] [RFC8174] when, and only when, they appear in all capitals, [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
as shown here. as shown here.
3. Architecture 3. Architecture
3.1. Functional Elements 3.1. Functional Elements
The architecture considers three types of endhosts: The Convert Protocol considers three types of endhosts:
o Client endhosts; o Clients;
o Transport Converters; o Transport Converters;
o Server endhosts. o Servers.
A Transport Converter is a network function that relays all data A Transport Converter is a network function that relays all data
exchanged over one upstream connection to one downstream connection exchanged over one upstream connection to one downstream connection
and vice versa (Figure 1). The Converter, thus, maintains state that and vice versa (Figure 1). The Transport Converter, thus, maintains
associates one upstream connection to a corresponding downstream state that associates one upstream connection to a corresponding
connection. downstream connection.
A connection can be initiated from both sides of the Transport A connection can be initiated from both sides of the Transport
Converter (Internet-facing interface, client-facing interface). Converter (Internet-facing interface, client-facing interface).
+------------+ +------------+
<--- upstream --->| Transport |<--- downstream ---> client <- upstream ->| Transport |<- downstream ->server
| Converter | | Converter |
+------------+ +------------+
Figure 1: A Transport Converter relays data between pairs of TCP Figure 1: A Transport Converter relays data between pairs of TCP
connections connections
Transport Converters can be operated by network operators or third Transport Converters can be operated by network operators or third
parties. Nevertheless, this document focuses on the single parties. Nevertheless, this document focuses on the single
administrative deployment case where the entity offering the administrative deployment case where the entity offering the
connectivity service to a client is also the entity which owns and connectivity service to a client is also the entity which owns and
operates the Transport Converter. operates the Transport Converter.
A Transport Converter can be embedded in a standalone device or be A Transport Converter can be embedded in a standalone device or be
activated as a service on a router. How such function is enabled is activated as a service on a router. How such function is enabled is
deployment-specific (Figure 2). deployment-specific. A sample deployment is depicted in Figure 2.
+-+ +-+ +-+ +-+ +-+ +-+
Client - |R| -- |R| -- |R| - - - Server Client - |R| -- |R| -- |R| - - - Server
+-+ +-+ +-+ +-+ +-+ +-+
| |
Transport +-+
Converter |R|
+-+
|
+---------+
|Transport|
|Converter|
+---------+
Figure 2: A Transport Converter can be installed anywhere in the Figure 2: A Transport Converter can be installed anywhere in the
network network
The architecture assumes that new software will be installed on the The architecture assumes that new software will be installed on the
Client hosts and on Transport Converters. Further, the architecture Client hosts to interact with one or more Transport Converters.
allows for making use of TCP new extensions if those are supported by Further, the architecture allows for making use of TCP new extensions
a given server. even if those are not supported by a given server.
The Client is configured, through means that are outside the scope of The Client is configured, through means that are outside the scope of
this document, with the names and/or the addresses of one or more this document, with the names and/or the addresses of one or more
Transport Converters. Transport Converters and the TCP extensions that they support. The
procedure for selecting a Transport Converter among a list of
configured Transport Converters is outside the scope of this
document.
One of the benefits of this design is that different transport
protocol extensions can be used on the upstream and the downstream
connections. This encourages the deployment of new TCP extensions
until they are widely supported by servers, in particular.
The architecture does not mandate anything on the server side. The architecture does not mandate anything on the server side.
Similar to address sharing mechanisms, the architecture does not Similar to address sharing mechanisms, the architecture does not
interfere with end-to-end TLS connections between the client and the interfere with end-to-end TLS connections [RFC8446] between the
server. Client and the Server (Figure 3).
One of the benefits of this design is that different transport Client Transport Server
protocol extensions can be used on the upstream and the downstream | Converter |
connections. This encourages the deployment of new TCP extensions | | |
until they are widely supported by servers. /==========================================\
| End-to-end TLS |
\==========================================/
* TLS messages exhanged between the Client
and the Server are not shown.
Figure 3: End-to-end TLS via a Transport Converter
3.2. Theory of Operation 3.2. Theory of Operation
At a high level, the objective of the Transport Converter is to allow At a high level, the objective of the Transport Converter is to allow
the Client to use a specific extension, e.g. Multipath TCP, on a the Client to use a specific extension, e.g., Multipath TCP, on a
subset of the end-to-end path even if the Server does not support subset of the path even if the Server does not support this
this extension. This is illustrated in Figure 3 where the Client extension. This is illustrated in Figure 4 where the Client
initiates a Multipath TCP connection with the Converter (Multipath initiates a Multipath TCP connection with the Transport Converter
packets are shown with "===") while the Converter uses a regular TCP (packets belonging to the Multipath TCP connection are shown with
connection with the Server. "===") while the Transport Converter uses a regular TCP connection
with the Server.
The packets belonging to the pair of connections between the Client
and Server passing through a Transport Converter may follow a
different path than the packets directly exchanged between the Client
and the Server. Deployments should minimize the possible additional
delay by carefully selecting the location of the Transport Converter
used to reach a given destination.
Transport Transport
Client Converter Server Client Converter Server
======================> ======================>
--------------------> -------------------->
<-------------------- <--------------------
<====================== <======================
Multipath TCP packets Regular TCP packets Multipath TCP packets Regular TCP packets
Figure 3: Different TCP variants can be used on the Client-Converter Figure 4: An example of network-assisted MPTCP Connection
path and on the Converter-Server path
The packets belonging to the pair of connections between the Client
and Server passing through a Transport Converter may follow a
different path than the packets directly exchanged between the Client
and the Server. Deployments should minimize the possible additional
delay by carefully selecting the location of the Transport Converter
used to reach a given destination.
When establishing a connection, the Client can, depending on local When establishing a connection, the Client can, depending on local
policies, either contact the Server directly (e.g., by sending a TCP policies, either contact the Server directly (e.g., by sending a TCP
SYN towards the Server) or create the connection via a Transport SYN towards the Server) or create the connection via a Transport
Converter. In the latter case, which is the case we consider in this Converter. In the latter case, the Client initiates a connection
document, the Client initiates a connection towards the Transport towards the Transport Converter and indicates the IP address and port
Converter and indicates the IP address and port number of the number of the Server within the connection establishment packet.
ultimate Server inside the connection establishment packet. Doing so Doing so enables the Transport Converter to immediately initiate a
enables the Transport Converter to immediately initiate a connection connection towards that Server, without experiencing an extra delay.
towards that Server, without experiencing an extra delay. The The Transport Converter waits until the receipt of the confirmation
Transport Converter waits until the confirmation that the Server that the Server agrees to establish the connection before confirming
agrees to establish the connection before confirming it to the it to the Client.
Client.
The client places the destination address and port number of the The client places the destination address and port number of the
target Server in the payload of the SYN sent to the Converter by Server in the payload of the SYN sent to the Transport Converter to
leveraging TCP Fast Open [RFC7413]. In accordance with [RFC1919], minimize connection establishment delays. In accordance with
the Transport Converter maintains two connections that are combined [RFC1919], the Transport Converter maintains two connections that are
together: combined together:
o the upstream connection is the one between the Client and the o the upstream connection is the one between the Client and the
Transport Converter. Transport Converter.
o the downstream connection is between the Transport Converter and o the downstream connection is between the Transport Converter and
the remote Server. the Server.
Any user data received by the Transport Converter over the upstream Any user data received by the Transport Converter over the upstream
(resp., downstream) connection is relayed over the downstream (resp., (resp., downstream) connection is relayed over the downstream (resp.,
upstream) connection. upstream) connection.
Figure 4 illustrates the establishment of a TCP connection by the Figure 5 illustrates the establishment of an outbound TCP connection
Client through a Transport Converter. The information shown between by a Client through a Transport Converter. The information shown
brackets is part of the Converter Protocol described later in this between brackets denotes Convert Protocol messages described in
document. Section 4.
Figure 4 illustrates the establishment of a TCP connection by the
Client through a Transport Converter. The information shown between
brackets is part of the Converter Protocol described later in this
document.
Transport Transport
Client Converter Server Client Converter Server
--------------------> -------------------->
SYN TFO [->Server:port] SYN [->Server:port]
--------------------> -------------------->
SYN SYN
<-------------------- <--------------------
SYN+ACK SYN+ACK
<-------------------- <--------------------
SYN+ACK [ ] SYN+ACK [ ]
Figure 4: Establishment of a TCP connection through a Converter Figure 5: Establishment of a TCP connection through a Transport
Converter (1)
The Client sends a SYN destined to the Transport Converter. This SYN
contains a TFO cookie and inside its payload the addresses and ports
of the destination Server. The Transport Converter does not reply
immediately to this SYN. It first tries to create a TCP connection
towards the destination Server. If this second connection succeeds,
the Transport Converter confirms the establishment of
the connection to the Client by returning a SYN+ACK and the first The Client sends a SYN destined to the Transport Converter. The
bytes of the bytestream contain information about the TCP options payload of this SYN contains the address and port number of the
that were negotiated with the final Server. This information is sent Server. The Transport Converter does not reply immediately to this
at the beginning of the bytestream, either directly in the SYN+ACK or SYN. It first tries to create a TCP connection towards the target
in a subsequent packet. For graphical reasons, the figures in this Server. If this upstream connection succeeds, the Transport
section show that the Converter returns this information in the Converter confirms the establishment of the connection to the Client
SYN+ACK packet. An implementation could also place this information by returning a SYN+ACK and the first bytes of the bytestream contain
in a packet that it sent shortly after the SYN+ACK. information about the TCP options that were negotiated with the
Server. This information is sent at the beginning of the bytestream,
either directly in the SYN+ACK or in a subsequent packet. For
graphical reasons, the figures in this section show that the
Transport Converter returns this information in the SYN+ACK packet.
An implementation could also place this information in a packet that
it sent shortly after the SYN+ACK.
The connection can also be established from the Internet towards a The connection can also be established from the Internet towards a
Client via a Transport Converter. This is typically the case when Client via a Transport Converter. This is typically the case when an
the Client embeds a server (video server, for example). application on the Client listens to a specific port (the Client
hosts a server, typically).
The procedure described in Figure 4 assumes that the Client has
obtained a TFO cookie from the Transport Converter. This is part of
the Bootstrap procedure which is illustrated in Figure 5. The Client
sends a SYN with a TFO request option to obtain a valid cookie from
the Converter. The Converter replies with a TFO cookie in the
SYN+ACK. Once this connection has been established, the Client sends
a Bootstrap message to request the list of TCP options for which the
Transport Converter provides a conversion service.
Transport
Client Converter Server
-------------------->
SYN TFO(empty)
<--------------------
SYN+ACK TFO(cookie)
-------------------->
[Bootstrap]
<--------------------
[Supported TCP Extension Services]
Figure 5: Bootstrapping a Client connection to a Transport Converter A Transport Converter MAY operate in address preservation or address
Note that the Converter may rely on local policies to decide whether sharing modes as discussed in Section 5.4 of
it can service a given requesting Client. That is, the Converter [I-D.nam-mptcp-deployment-considerations]. Which behavior to use by
will not return a cookie for that Client. How such policies are a Transport Converter is deployment-specific. If address sharing
supplied to the Converter are out of scope. mode is enabled, the Transport Converter MUST adhere to REQ-2 of
[RFC6888] which implies a default "IP address pooling" behavior of
"Paired" (as defined in Section 4.1 of [RFC4787]) must be supported.
This behavior is meant to avoid breaking applications that depend on
the external address remaining constant.
Also, the Converter may behave in a cookie-less mode when appropriate Standard TCP ([RFC0793], Section 3.4) allows a SYN packet to carry
means are enforced at the Converter and the network in-between to data inside its payload but forbids the receiver from delivering it
protect against attacks such as spoofing and SYN flood. Under such to the application until completion of the three-way-handshake. This
deployments, the use of TFO is not required. restriction was motivated by two concerns. First, duplicate SYNs can
cause problems for some applications that rely on TCP [RFC7413].
Second, TCP suffers from SYN flooding attacks [RFC4987]. TCP Fast
Open [RFC7413] solves these two problems for applications that can
tolerate replays by using the TCP Fast Open option that includes a
cookie. However, the utilization of this option consumes space in
the limited TCP extended header. Furthermore, there are situations,
as noted in Section 7.3 of [RFC7413] where it is possible to accept
the payload of SYN packets without creating additional security risks
such as a network where addresses cannot be spoofed and the Transport
Converter only serves a set of hosts that are identified by these
addresses. For these reasons, this specification does not mandate
the use of the TCP Fast Open option when the Client sends a
connection establishment packet towards a Transport Converter. The
Convert protocol includes an optional Cookie TLV that provides
similar protection as the TCP Fast Open option without consuming
space in the extended TCP header.
3.3. Sample Examples of Outgoing Converter-Assisted Multipath TCP 3.3. Sample Examples of Outgoing Converter-Assisted Multipath TCP
Connections Connections
As an example (Figure 6), let us consider how the Convert protocol As an example, let us consider how the Convert protocol can help the
can help the deployment of Multipath TCP [RFC6824]. We assume that deployment of Multipath TCP. We assume that both the Client and the
both the Client and the Transport Converter support Multipath TCP, Transport Converter support Multipath TCP, but consider two different
but consider two different cases depending whether the Server cases depending on whether the Server supports Multipath TCP or not.
supports Multipath TCP or not. A Multipath TCP connection is created
by placing the MP_CAPABLE (MPC) option in the SYN sent by the Client. As a reminder, a Multipath TCP connection is created by placing the
MP_CAPABLE (MPC) option in the SYN sent by the Client.
Figure 6 describes the operation of the Transport Converter if the Figure 6 describes the operation of the Transport Converter if the
Server does not support Multipath TCP. Server does not support Multipath TCP.
Transport Transport
Client Converter Server Client Converter Server
--------------------> -------------------->
SYN, MPC [->Server:port] SYN, MPC [->Server:port]
--------------------> -------------------->
SYN, MPC SYN, MPC
<-------------------- <--------------------
SYN+ACK SYN+ACK
<-------------------- <--------------------
SYN+ACK,MPC [ ] SYN+ACK,MPC [.]
--------------------> -------------------->
ACK,MPC ACK,MPC
--------------------> -------------------->
ACK ACK
Figure 6: Establishment of a Multipath TCP connection through a Figure 6: Establishment of a Multipath TCP connection through a
Converter Transport Converter towards a Server that does not support Multipath
TCP
The Client tries to initiate a Multipath TCP connection by sending a The Client tries to initiate a Multipath TCP connection by sending a
SYN with the MP_CAPABLE option (MPC in Figure 6). The SYN includes SYN with the MP_CAPABLE option (MPC in Figure 6). The SYN includes
the address and port number of the final Server and the Transport the address and port number of the target Server, that are extracted
Converter attempts to initiate a Multipath TCP connection towards and used by the Transport Converter to initiate a Multipath TCP
this Server. Since the Server does not support Multipath TCP, it connection towards this Server. Since the Server does not support
replies with a SYN+ACK that does not contain the MP_CAPABLE option. Multipath TCP, it replies with a SYN+ACK that does not contain the
The Transport Converter notes that the connection with the Server MP_CAPABLE option. The Transport Converter notes that the connection
does not support Multipath TCP and returns the TCP options received with the Server does not support Multipath TCP and returns the
from the Server to the Client. extended TCP header received from the Server to the Client.
Figure 7 considers a Server that supports Multipath TCP. In this Figure 7 considers a Server that supports Multipath TCP. In this
case, it replies to the SYN sent by the Transport Converter with the case, it replies to the SYN sent by the Transport Converter with the
MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport
Converter confirms the establishment of the connection to the Client Converter confirms the establishment of the connection to the Client
and indicates to the Client that the Server supports Multipath TCP. and indicates to the Client that the Server supports Multipath TCP.
With this information, the Client has discovered that the Server With this information, the Client has discovered that the Server
supports Multipath TCP natively. This will enable it to bypass the supports Multipath TCP natively. This will enable the Client to
Transport Converter for the next Multipath TCP connection that it bypass the Transport Converter for the subsequent Multipath TCP
will initiate towards this Server. connections that it will initiate towards this Server.
Transport Transport
Client Converter Server Client Converter Server
--------------------> -------------------->
SYN, MPC [->Server:port] SYN, MPC [->Server:port]
--------------------> -------------------->
SYN, MPC SYN, MPC
<-------------------- <--------------------
SYN+ACK, MPC SYN+ACK, MPC
<-------------------- <--------------------
SYN+ACK, MPC [ MPC supported ] SYN+ACK, MPC [ MPC supported ]
--------------------> -------------------->
ACK, MPC ACK, MPC
--------------------> -------------------->
ACK, MPC ACK, MPC
Figure 7: Establishment of a Multipath TCP connection through a Figure 7: Establishment of a Multipath TCP connection through a
converter converter towards a server that supports Multipath TCP
3.4. Sample Example of Incoming Converter-Assisted Multipath TCP 3.4. Sample Example of Incoming Converter-Assisted Multipath TCP
Connection Connection
An example of an incoming Converter-assisted Multipath TCP connection An example of an incoming Converter-assisted Multipath TCP connection
is depicted in Figure 8. In order to support incoming connections is depicted in Figure 8. In order to support incoming connections
from remote hosts, the Client may use PCP [RFC6887] to instruct the from remote hosts, the Client may use PCP [RFC6887] to instruct the
Converter to create dynamic mappings. Those mappings will be used by Transport Converter to create dynamic mappings. Those mappings will
the Converter to intercept an incoming TCP connection destined to the be used by the Transport Converter to intercept an incoming TCP
Client and convert it into a Multipath TCP connection. connection destined to the Client and convert it into a Multipath TCP
connection.
Typically, the Client sends a PCP request to the Converter asking to
create an explicit TCP mapping for (internal IP address, internal
port number). The Converter accepts the request by creating a TCP
mapping (internal IP address, internal port number, external IP
address, external port number). The external IP address and external
port number will be then advertised using an out-of-band mechanism so
that remote hosts can initiate TCP connections to the Client via the
Converter. Note that the external and internal information may be
the same.
Then, when the Converter receives an incoming SYN, it checks its
mapping table to verify if there is an active mapping matching the
destination IP address and destination port of that SYN. If an entry
is found, the Converter inserts an MP_CAPABLE option and Connect TLV
in the SYN packet, rewrites the source IP address to one of its IP
addresses and, eventually, the destination IP address and port number
in accordance with the information stored in the mapping. SYN-ACK
and ACK will be then exchanged between the Client and the Converter
to confirm the establishment of the initial subflow. The Client can
add new subflows following normal Multipath TCP procedures.
Transport Transport
Client Converter Remote Host Client Converter Remote Host
<------------------- <-------------------
SYN SYN
<------------------- <-------------------
SYN, MPC[Remote Host:port] SYN, MPC[Remote Host:port]
---------------------> --------------------->
SYN+ACK, MPC SYN+ACK, MPC
---------------------> --------------------->
SYN+ACK SYN+ACK
<--------------------- <---------------------
ACK ACK
<------------------- <-------------------
ACK, MPC ACK, MPC
Figure 8: Establishment of an Incoming TCP Connection through a Figure 8: Establishment of an Incoming TCP Connection through a
Converter Transport Converter
4. The Converter Protocol (Convert)
This section describes in details the messages that are exchanged 4. The Convert Protocol (Convert)
between a Client and a Transport Converter. The Converter Protocol
(Convert, for short) leverages the TCP Fast Open extension [RFC7413].
The Converter Protocol uses a 32 bits long fixed header that is sent This section describes the messages that are exchanged between a
by both the Client and the Transport Converter. This header Client and a Transport Converter. The Convert Protocol (Convert, for
indicates both the version of the protocol used and the length of the short) uses a 32 bits long fixed header that is sent by both the
Convert message. Client and the Transport Converter over each established connection.
This header indicates both the version of the protocol used and the
length of the Convert message.
4.1. The Convert Fixed Header 4.1. The Convert Fixed Header
The Fixed Header is used to exchange information about the version The Fixed Header is used to convey information about the version and
and length of the messages between the Client and the Transport length of the messages exchanged between the Client and the Transport
Converter. Converter.
The Client and the Transport Converter MUST send the fixed-sized The Client and the Transport Converter MUST send the fixed-sized
header shown in Figure 9 as the first four bytes of the bytestream. header, shown in Figure 9, as the first four bytes of the bytestream.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Version | Total Length | Unassigned | | Version | Total Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
Figure 9: The fixed-sized header of the Converter protocol Figure 9: The fixed-sized header of the Convert protocol
The Version is encoded as an 8 bits unsigned integer value. This The Version is encoded as an 8 bits unsigned integer value. This
document specifies version 1. Version 0 is reserved by this document document specifies version 1. Version 0 is reserved by this document
and MUST NOT be used. and MUST NOT be used.
The Total Length is the number of 32 bits word, including the header, The Total Length is the number of 32 bits word, including the header,
of the bytestream that are consumed by the Converter protocol of the bytestream that are consumed by the Convert messages. Since
messages. Since Total Length is also an 8 bits unsigned integer, Total Length is also an 8 bits unsigned integer, those messages
those messages cannot consume more than 1020 bytes of data. This cannot consume more than 1020 bytes of data. This limits the number
limits the number of bytes that a Transport Converter needs to of bytes that a Transport Converter needs to process. A Total Length
process. A Total Length of zero is invalid and the connection MUST of zero is invalid and the connection MUST be reset upon reception of
be reset upon reception of such a header. a header with such total length.
The Unassigned field MUST be set to zero in this version of the The Unassigned field MUST be set to zero in this version of the
protocol. These bits are available for future use [RFC8126]. protocol. These bits are available for future use [RFC8126].
4.2. Convert TLVs 4.2. Convert TLVs
4.2.1. Generic Convert TLV Format 4.2.1. Generic Convert TLV Format
The Convert protocol uses variable length messages that are encoded The Convert protocol uses variable length messages that are encoded
using the generic TLV format depicted in Figure 10. All TLV fields using the generic TLV (Type, Length, Value) format depicted in
are encoded using the network byte order. Figure 10.
The length of all TLVs used by the Convert protocol is always a
multiple of four bytes. All TLVs are aligned on 32 bits boundaries.
All TLV fields are encoded using the network byte order.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type | Length | (optional) Value ... | | Type | Length | (optional) Value ... |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| ... (optional) Value | | ... (optional) Value |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 10: Converter Generic TLV Format Figure 10: Convert Generic TLV Format
The Length field is expressed in units of 32 bits words. In general
zero padding MUST be added if the value's length in bytes can not be
expressed as 2+(4 * n).
A given TLV MUST only appear once on a connection. If two or more A given TLV MUST only appear once on a connection. If two or more
instances of the same TLV are exchanged over a Converter connection, instances of the same TLV are exchanged over a Convert connection,
the associated TCP connections MUST be closed. the associated TCP connections MUST be closed.
4.2.2. Summary of Supported Convert TLVs 4.2.2. Summary of Supported Convert TLVs
This document specifies the following Convert TLVs: This document specifies the following Convert TLVs:
+------+-----+----------+------------------------------------------+ +------+-----+----------+------------------------------------------+
| Type | Hex | Length | Description | | Type | Hex | Length | Description |
+------+-----+----------+------------------------------------------+ +------+-----+----------+------------------------------------------+
| 1 | 0x1 | 1 | Bootstrap TLV | | 1 | 0x1 | 1 | Info TLV |
| 10 | 0xA | Variable | Connect TLV | | 10 | 0xA | Variable | Connect TLV |
| 20 | 0x14| Variable | Extended TCP Header TLV | | 20 | 0x14| Variable | Extended TCP Header TLV |
| 21 | 0x15| Variable | Supported TCP Extension Services TLV | | 21 | 0x15| Variable | Supported TCP Extensions TLV |
| 22 | 0x16| Variable | Cookie TLV |
| 30 | 0x1E| Variable | Error TLV | | 30 | 0x1E| Variable | Error TLV |
+------+-----+----------+------------------------------------------+ +------+-----+----------+------------------------------------------+
Figure 11: The TLVs used by the Converter protocol Figure 11: The TLVs used by the Convert protocol
Type 0x0 is a reserved valued. Implementations MUST discard messages Type 0x0 is a reserved valued. Implementations MUST discard messages
with such TLV. with such TLV.
To establish a connection via a Transport Converter, a Client MUST The Client can request the establishment of connections to servers by
first obtain a valid TFO cookie from that Converter. This is the using the Connect TLV (Section 4.2.5). If the connection can be
bootstrap procedure during which the Client opens a connection to the
Transport Converter with an empty TFO option. According to
[RFC7413], the Transport Converter returns its cookie in the SYN+ACK.
Then the Client sends a Bootstrap TLV (Section 4.2.3) to which the
Transport Converter replies with the Supported TCP Extension Services
TLV described in Section 4.2.4.
With the TFO cookie of the Transport Converter, the Client can
request the establishment of connections to remote servers with the
Connect TLV (see Section 4.2.5). If the connection can be
established with the final server, the Transport Converter replies established with the final server, the Transport Converter replies
with the Extended TCP Header TLV and returns an Error TLV inside a with the Extended TCP Header TLV (Section 4.2.4). If not, the
RST packet (see Section 4.2.7). Transport Converter returns an Error TLV (Section 4.2.8) and then
closes the connection.
When the Transport Converter receives an incoming connection
establishment from a Client, it MUST process the TCP options found in
the SYN and the Connect TLV. In general, the Transport Converter
MUST add to the proxied SYN the TCP options that were included in the
Connect TLV. It SHOULD add to the proxied SYN the TCP options that
were included in the incoming SYN provided that it supports the
corresponding TCP extension.
There are some exceptions to these rules given the semantics of some
TCP options. First, TCP options with Kinds 0 (EOL), 1 (NOP), 2
(MSS), and 3 (WS) MUST be used according to the configuration of the
TCP stack of the Transport Converter. The Timestamps option
(Kind=10) SHOULD be used in the proxied SYN if it was present in the
incoming SYN, but the contents of the option in the proxied SYN
SHOULD be set by the Converter's stack. The MP_CAPABLE option SHOULD
be added to the proxied SYN if it was present in the incoming SYN,
but the content of the option in the proxied SYN SHOULD be set by the
Converter's stack. The TCP Fast Open cookie option SHOULD be handled
as described in Section 6.
As a general rule, when an error is encountered an Error TLV with the As a general rule, when an error is encountered an Error TLV with the
appropriate error code MUST be returned. appropriate error code MUST be returned by the Transport Converter.
4.2.3. The Bootstrap TLV 4.2.3. The Info TLV
The Bootstrap TLV (Figure 12 is sent by a Client to request the TCP The Info TLV (Figure 12) is an optional TLV which can be sent by a
extensions that are supported by a Transport Converter and for which Client to request the TCP extensions that are supported by a
it provides a conversion service. It is typically sent on the first Transport Converter. It is typically sent on the first connection
connection that a Client establishes with a Transport Converter to that a Client establishes with a Transport Converter to learn its
learn its capabilities. Assuming a Client is entitled to invoke the capabilities. Assuming a Client is entitled to invoke the Transport
Converter, this latter replies with the Supported TCP Extensions Converter, the latter replies with the Supported TCP Extensions TLV
Services TLV described in Section 4.2.4. described in Section 4.2.4.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type | Length | Zero | | Type=0x1 | Length | Zero |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
Figure 12: The Bootstrap TLV Figure 12: The Info TLV
4.2.4. Supported TCP Extension Services TLV 4.2.4. Supported TCP Extensions TLV
The Supported TCP Extension Services TLV (Figure 13) is used by a The Supported TCP Extensions TLV (Figure 13) is used by a Transport
Converter to announce the TCP options for which it provides a Converter to announce the TCP options for which it provides a
conversion service. Each supported TCP option is encoded with its conversion service. A Transport Converter SHOULD include in this
TCP option Kind listed in the "TCP Parameters" registry maintained by list the TCP options that it accepts from Clients and that it
IANA. includes the SYN packets that it sends to initiate connections.
Each supported TCP option is encoded with its TCP option Kind listed
in the "TCP Parameters" registry maintained by IANA.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type | Length | Unassigned | | Type=0x15 | Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Kind #1 | Kind #2 | ... | | Kind #1 | Kind #2 | ... |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
/ ... / / ... /
/ / / /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 13: The Supported TCP Extension Services TLV Figure 13: The Supported TCP Extensions TLV
TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by
all TCP implementations and thus MUST NOT appear in this list. all TCP implementations and thus MUST NOT appear in this list.
The list of Supported TCP Extension Services is padded with 0 to end The list of Supported TCP Extension is padded with 0 to end on a 32
on a 32 bits boundary. bits boundary.
Typically, if the Converter only supports Multipath TCP conversion For example, if the Transport Converter supports Multipath TCP,
service, solely Kind=30 will be present in the Supported TCP Kind=30 will be present in the Supported TCP Extensions TLV that it
Extension Services TLV returned by the Converter to a requesting returns in response to Info TLV.
Client.
4.2.5. Connect TLV 4.2.5. Connect TLV
The Connect TLV (Figure 14) is used to request the establishment of a The Connect TLV (Figure 14) is used to request the establishment of a
connection via a Transport Converter. connection via a Transport Converter. This connection can be from or
to a client.
The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain
the destination port number and IP address of the target server for the destination port number and IP address of the Server, for
an outgoing connection towards a server located on the Internet. For outgoing connections. For incoming connections destined to a Client
incoming connections destined to a client serviced via a Converter, serviced via a Transport Converter, these fields convey the source
these fields convey the source port and IP address. port number and IP address.
The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4
addresses MUST be encoded using the IPv4-Mapped IPv6 Address format addresses MUST be encoded using the IPv4-Mapped IPv6 Address format
defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT
include multicast, broadcast, and host loopback addresses [RFC6890]. include multicast, broadcast, and host loopback addresses [RFC6890].
Connect TLVs witch such messages MUST be discarded by the Transport
Converter.
The optional 'TCP Options' field is used to specify how specific TCP We distinguish two types of Connect TLV based on their length: (1)
Options should be advertised by the Transport Converter to the final the base Connect TLV has a length of 20 bytes and contains a remote
destination of a connection. If this field is not supplied, the address and a remote port, (2) the extended Connect TLV spans more
Transport Converter MUST use the default TCP options that correspond than 20 bytes and also includes the optional 'TCP Options' field.
to its local policy. This field is used to specify how specific TCP options should be
advertised by the Transport Converter to the server.
The Connect TLV could be designed to be generic to include the DNS
name of the remote peer instead of its IP address as in SOCKS
[RFC1928]. However, that design was not adopted because it induces
both an extra load and increased delays on the Converter to handle
and manage DNS resolution requests.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type | Length | Remote Peer Port | | Type=0xA | Length | Remote Peer Port |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| | | |
| Remote Peer IP Address (128 bits) | | Remote Peer IP Address (128 bits) |
| | | |
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
| TCP Options (Variable) | | TCP Options (Variable) |
| ... | | ... |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 14: The Connect TLV Figure 14: The Connect TLV
The 'TCP Options' field is a variable length field that carries a The 'TCP Options' field is a variable length field that carries a
list of TCP option fields (Figure 15). Each TCP option field is list of TCP option fields (Figure 15). Each TCP option field is
encoded as a block of 2+n bytes where the first byte is the TCP encoded as a block of 2+n bytes where the first byte is the TCP
option Type and the second byte is the length of the TCP option as option Kind and the second byte is the length of the TCP option as
specified in [RFC0793]. The minimum value for the TCP option Length specified in [RFC0793]. The minimum value for the TCP option Length
is 2. The TCP options that do not include a length subfield, i.e., is 2. The TCP options that do not include a length subfield, i.e.,
option types 0 (EOL) and 1 (NOP) defined in [RFC0793] cannot be option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be
placed inside the TCP options field of the Connect TLV. The optional placed inside the TCP options field of the Connect TLV. The optional
Value field contains the variable-length part of the TCP option. A Value field contains the variable-length part of the TCP option. A
length of two indicates the absence of the Value field. The TCP length of two indicates the absence of the Value field. The TCP
options field always ends on a 32 bits boundary after being padded options field always ends on a 32 bits boundary after being padded
with zeros. with zeros.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| TCPOpt type | TCPOpt Length | Value (opt) | .... | | TCPOpt kind | TCPOpt Length | Value (opt) | .... |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| .... | | .... |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
| ... | | ... |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 15: The TCP Options field Figure 15: The TCP Options field
If a Transport Converter receives a Connect TLV with a non-empty TCP Upon reception of a Connect TLV, and absent any rate limit policy or
options field, and the Converter acceptss to process the request, it resource exhaustion conditions, a Transport Converter MUST attempt to
SHALL present those options to the destination peer in addition to establish a connection to the address and port that it contains. The
the TCP options that it would have used according to its local Transport Converter MUST use by default the TCP options that
policies. For the TCP options that are listed without an optional correspond to its local policy to establish this connection. These
value, the Converter MUST generate its own value. For the TCP are the options that it advertises in the Supported TCP Extensions
options that are included in the 'TCP Options' field with an optional TLV.
value, it SHALL copy the entire option for use in the connection with
the destination peer. This feature is required to support TCP Fast
Open.
The Converter may discard a Connect TLV request for many reasons Upon reception of an extended Connect TLV, and absent any rate limit
(e.g., bad TFO cookie, authorization failed, out of resources, policy or resource exhaustion conditions, a Transport Converter MUST
invalid address type). An error message indicating the encountered attempt to establish a connection to the address and port that it
error is returned to the requesting Client (Section 4.2.7). In order contains. It MUST include the options of the 'TCP Options' subfield
to prevent denial-of-service attacks, error messages sent to a Client in the SYN sent to the Server in addition to the TCP options that it
would have used according to its local policies. For the TCP options
that are listed without an optional value, the Transport Converter
MUST generate its own value. For the TCP options that are included
in the 'TCP Options' field with an optional value, it MUST copy the
entire option for use in the connection with the destination peer.
This feature is required to support TCP Fast Open.
The Transport Converter may discard a Connect TLV request for various
reasons (e.g., authorization failed, out of resources, invalid
address type). An error message indicating the encountered error is
returned to the requesting Client (Section 4.2.8). In order to
prevent denial-of-service attacks, error messages sent to a Client
SHOULD be rate-limited. SHOULD be rate-limited.
4.2.6. Extended TCP Header TLV 4.2.6. Extended TCP Header TLV
The Extended TCP Header TLV (Figure 16) is used by the Transport The Extended TCP Header TLV (Figure 16) is used by the Transport
Converter to send to the Client the extended TCP header that was Converter to send to the Client the extended TCP header that was
returned by the Server in the SYN+ACK packet. This TLV is only sent returned by the Server in the SYN+ACK packet. This TLV is only sent
if the Client sent a Connect TLV to request the establishment of a if the Client sent a Connect TLV to request the establishment of a
connection. connection.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type | Length | Unassigned | | Type=0x14 | Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Returned Extended TCP header | | Returned Extended TCP header |
| ... | | ... |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 16: The Extended TCP Header TLV Figure 16: The Extended TCP Header TLV
The Returned Extended TCP header field is a copy of the extended The Returned Extended TCP header field is a copy of the extended
header that was received in the SYN+ACK by the Transport Converter. header that was received in the SYN+ACK by the Transport Converter.
The Unassigned field MUST be set to zero by the transmitter and The Unassigned field MUST be set to zero by the transmitter and
ignored by the receiver. These bits are available for future use ignored by the receiver. These bits are available for future use
[RFC8126]. [RFC8126].
4.2.7. Error TLV 4.2.7. The Cookie TLV
The optional Error TLV (Figure 17) can be used by the Transport The Cookie TLV (Figure 17 is an optional TLV which use is similar to
Converter to provide information about some errors that occurred the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want
during the processing of a request to convert a connection. This TLV to verify that its Clients can receive the packets that it sends to
appears after the Convert header in a RST segment returned by the prevent attacks from spoofed addresses. This verification can be
Transport Converter if the error is fatal and prevented the done by using a Cookie that is bound to, for example, the IP
establishment of the connection. If the error is not fatal and the address(es) of the Client. This Cookie can be configured on the
connection could be established with the final destination, then the Client by means that are outside of this document or provided by the
error TLV will be carried in the payload. Transport Converter as follows.
A Transport Converter that has been configured to use the optional
Cookie TLV MUST verify the presence of this TLV in the payload of the
received SYN. If this TLV is present, the Transport Converter MUST
validate the Cookie by means similar to those in Section 4.1.2 of
[RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the
connection establishment procedure can continue. Otherwise, the
Transport Converter MUST return an Error TLV set to "Not Authorized"
and close the connection.
If the received SYN did not contain a Cookie TLV, and cookie
validation is required, the Transport Converter should compute a
Cookie bound to this Client address and return a Convert message
containing the fixed header, an Error TLV set to "Missing Cookie" and
the computed Cookie and close the connection. The Client will react
to this error by storing the received Cookie in its cache and attempt
to reestablish a new connection to the Transport Converter that
includes the Cookie.
The format of the Cookie TLV is shown in the below figure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type=0x16 | Length | Zero |
+---------------+---------------+-------------------------------+
| Opaque Cookie |
| ... |
+---------------------------------------------------------------+
Figure 17: The Cookie TLV
4.2.8. Error TLV
The Error TLV (Figure 18) is used by the Transport Converter to
provide information about some errors that occurred during the
processing of Convert message. This TLV has a variable length. It
appears after the Convert fixed-header in the bytestream returned by
the Transport Converter. Upon reception of an Error TLV, a Client
MUST close the associated connection.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+----------------+--------------+ +---------------+---------------+----------------+--------------+
| Type | Length | Error | Value | | Type=0x1E | Length | Error code | Value |
+---------------+---------------+----------------+--------------+ +---------------+---------------+----------------+--------------+
Figure 17: The Error TLV Figure 18: The Error TLV
Different types of errors can occur while processing Convert Different types of errors can occur while processing Convert
messages. Each error is identified by a code represented as an messages. Each error is identified by an Error code represented as
unsigned integer. Four classes of errors are defined: an unsigned integer. Four classes of Error codes are defined:
o Message validation and processing errors (0-31 range): returned o Message validation and processing errors (0-31 range): returned
upon reception of an an invalid message (including valid messages upon reception of an invalid message (including valid messages but
but with invalid or unknown TLVs). with invalid or unknown TLVs).
o Client-side errors (32-63 range): the Client sent a request that o Client-side errors (32-63 range): the Client sent a request that
could not be accepted by the Converter (e.g., unsupported could not be accepted by the Transport Converter (e.g.,
operation). unsupported operation).
o Converter-side errors (64-95 range): problems encountered on the o Converter-side errors (64-95 range): problems encountered on the
Converter (e.g., lack of resources) which prevent it from Transport Converter (e.g., lack of resources) which prevent it
fulfilling the Client's request. from fulfilling the Client's request.
o Errors caused by destination server (96-127 range): the final o Errors caused by the destination server (96-127 range): the final
destination could not be reached or it replied with a reset destination could not be reached or it replied with a reset.
message.
The following error codes are defined in this document: The following error codes are defined in this document:
o Unsupported Version (0): The version number indicated in the fixed o Unsupported Version (0): The version number indicated in the fixed
header of a message received from a peer is not supported. header of a message received from a peer is not supported.
This error code MUST be generated by a Converter when it receives This error code MUST be generated by a Transport Converter when it
a request having a version number that it does not support. receives a request having a version number that it does not
support.
The value field MUST be set to the version supported by the The value field MUST be set to the version supported by the
Converter. When multiple versions are supported by the Converter, Transport Converter. When multiple versions are supported by the
it includes the list of supported version in the value field; each Transport Converter, it includes the list of supported version in
version is encoded in 8 bits. the value field; each version is encoded in 8 bits. The list of
supported versions should be padded with zeros to end on a 32 bits
boundary.
Upon receipt of this error code, the client checks whether it Upon receipt of this error code, the client checks whether it
supports one of the versions returned by the Converter. The supports one of the versions returned by the Transport Converter.
highest common supported version MUST be used by the client in The highest common supported version MUST be used by the client in
subsequent exchanges with the Converter. subsequent exchanges with the Transport Converter.
o Malformed Message (1): This error code is sent to indicate that a o Malformed Message (1): This error code is sent to indicate that a
message can not be successfully parsed and validated. message can not be successfully parsed and validated.
Typically, this error message is sent by the Converter if it Typically, this error code is sent by the Transport Converter if
receives a Connect TLV enclosing a multicast, broadcast, or it receives a Connect TLV enclosing a multicast, broadcast, or
loopback IP address. loopback IP address.
To ease troubleshooting, the value field MUST echo the received To ease troubleshooting, the value field MUST echo the received
message. The Converter and the Client MUST send a RST containing message shifted by one byte to keep to original alignment of the
this error upon reception of a malformed message. message.
o Unsupported Message (2): This error code is sent to indicate that o Unsupported Message (2): This error code is sent to indicate that
a message type is not supported by the Converter. a message type is not supported by the Transport Converter.
To ease troubleshooting, the value field MUST echo the received To ease troubleshooting, the value field MUST echo the received
message. The Converter and the Client MUST send a RST containing message shifted by one byte to keep to original alignment of the
this error upon reception of an unsupported message. message.
o Not Authorized (32): This error code indicates that the Converter o Missing Cookie (3): If a Transport Converter requires the
refused to create a connection because of a lack of authorization utilization of Cookies to prevent spoofing attacks and a Cookie
(e.g., administratively prohibited, authorization failure, etc.). TLV was not included in the Convert message, the Transport
The Value field MUST be set to zero. Converter MUST return this error to the requesting client. The
first byte of the value field MUST be set to zero and the
remaining bytes of the Error TLV contain the Cookie computed by
the Transport Converter for this Client.
This error code MUST be sent by the Converter when a request A Client which receives this error code MUST cache the received
cannot be successfully processed because the authorization failed. Cookie and include it in subsequent Convert messages sent to that
Transport Converter.
o Not Authorized (32): This error code indicates that the Transport
Converter refused to create a connection because of a lack of
authorization (e.g., administratively prohibited, authorization
failure, invalid Cookie TLV, etc.). The Value field MUST be set
to zero.
This error code MUST be sent by the Transport Converter when a
request cannot be successfully processed because the authorization
failed.
o Unsupported TCP Option (33): A TCP option that the Client o Unsupported TCP Option (33): A TCP option that the Client
requested to advertise to the final Server cannot be safely used requested to advertise to the final Server cannot be safely used.
jointly with the conversion service.
The Value field is set to the type of the unsupported TCP option. The Value field is set to the type of the unsupported TCP option.
If several unsupported TCP options were specified in the Connect If several unsupported TCP options were specified in the Connect
TLV, only one of them is returned in the Value. TLV, then the list of unsupported TCP options is returned. The
list of unsupported TCP options MUST be padded with zeros to end
on a 32 bits boundary.
o Resource Exceeded (64): This error indicates that the Transport o Resource Exceeded (64): This error indicates that the Transport
Converter does not have enough resources to perform the request. Converter does not have enough resources to perform the request.
This error MUST be sent by the Converter when it does not have This error MUST be sent by the Transport Converter when it does
sufficient resources to handle a new connection. not have sufficient resources to handle a new connection. The
Transport Converter may indicate in the Value field the suggested
delay (in seconds) that the Client SHOULD wait before soliciting
the Transport Converter for a new proxied connection. A Value of
zero corresponds to a default delay of at least 30 seconds.
o Network Failure (65): This error indicates that the Converter is o Network Failure (65): This error indicates that the Transport
experiencing a network failure to relay the request. Converter is experiencing a network failure to relay the request.
The Converter MUST send this error code when it experiences The Transport Converter MUST send this error code when it
forwarding issues to relay a connection. experiences forwarding issues to relay a connection. The
Transport Converter may indicate in the Value field the suggested
delay (in seconds) that the Client SHOULD wait before soliciting
the Transport Converter for a new proxied connection. A Value of
zero corresponds to a default delay of at least 30 seconds.
o Connection Reset (96): This error indicates that the final o Connection Reset (96): This error indicates that the final
destination responded with a RST packet. The Value field MUST be destination responded with a RST packet. The Value field MUST be
set to zero. set to zero.
o Destination Unreachable (97): This error indicates that an ICMP o Destination Unreachable (97): This error indicates that an ICMP
destination unreachable, port unreachable, or network unreachable destination unreachable, port unreachable, or network unreachable
was received by the Converter. The Value field MUST echo the Code was received by the Transport Converter. The Value field MUST
field of the received ICMP message. echo the Code field of the received ICMP message.
This error message MUST be sent by the Converter when it receives
an error message that is bound to a message it relayed previously.
Figure 18 summarizes the different error codes. Figure 19 summarizes the different error codes.
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
| Error | Hex | Description | | Error | Hex | Description |
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
| 0 | 0x00 | Unsupported Version | | 0 | 0x00 | Unsupported Version |
| 1 | 0x01 | Malformed Message | | 1 | 0x01 | Malformed Message |
| 2 | 0x02 | Unsupported Message | | 2 | 0x02 | Unsupported Message |
| 3 | 0x03 | Missing Cookie |
| 32 | 0x20 | Not Authorized | | 32 | 0x20 | Not Authorized |
| 33 | 0x21 | Unsupported TCP Option | | 33 | 0x21 | Unsupported TCP Option |
| 64 | 0x40 | Resource Exceeded | | 64 | 0x40 | Resource Exceeded |
| 65 | 0x41 | Network Failure | | 65 | 0x41 | Network Failure |
| 96 | 0x60 | Connection Reset | | 96 | 0x60 | Connection Reset |
| 97 | 0x61 | Destination Unreachable | | 97 | 0x61 | Destination Unreachable |
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
Figure 18: Convert Error Values Figure 19: Convert Error Values
5. Compatibility of Specific TCP Options with the Conversion Service 5. Compatibility of Specific TCP Options with the Conversion Service
In this section, we discuss how several standard track TCP options In this section, we discuss how several standard track TCP options
can be supported through the Converter. The non-standard track can be supported through the Convert protocol. The non-standard
options and the experimental options will be discussed in other track options and the experimental options will be discussed in other
documents. documents.
5.1. Base TCP Options 5.1. Base TCP Options
Three TCP options were initially defined in [RFC0793]: End-of-Option Three TCP options were initially defined in [RFC0793]: End-of-Option
List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size
(Kind=2). The first two options are mainly used to pad the TCP (Kind=2). The first two options are mainly used to pad the TCP
extended header. There is no reason for a client to request a extended header. There is no reason for a client to request a
Converter to specifically send these options towards the final Transport Converter to specifically send these options towards the
destination. final destination.
The Maximum Segment Size option (Kind=2) is used by a host to The Maximum Segment Size option (Kind=2) is used by a host to
indicate the largest segment that it can receive over each indicate the largest segment that it can receive over each
connection. This value is function of the stack that terminates the connection. This value is function of the stack that terminates the
TCP connection. There is no reason for a Client to request a TCP connection. There is no reason for a Client to request a
Converter to advertise a specific MSS value to a remote server. Transport Converter to advertise a specific MSS value to a remote
server.
A Converter MUST ignore options with Kind=0, 1 or 2 if they appear in A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they
a Connect TLV. It MUST NOT announce them in a Bootstrap TLV. appear in a Connect TLV. It MUST NOT announce them in a Supported
TCP Extensions TLV.
5.2. Window Scale (WS) 5.2. Window Scale (WS)
The Window Scale option (Kind=3) is defined in [RFC7323]. As for the The Window Scale option (Kind=3) is defined in [RFC7323]. As for the
MSS option, the window scale factor that is used for a connection MSS option, the window scale factor that is used for a connection
strongly depends on the TCP stack that handles the connection. When strongly depends on the TCP stack that handles the connection. When
a Converter opens a TCP connection towards a remote server on behalf a Transport Converter opens a TCP connection towards a remote server
of a Client, it SHOULD use a WS option with a scaling factor that on behalf of a Client, it SHOULD use a WS option with a scaling
corresponds to the configuration of its stack. A local configuration factor that corresponds to the configuration of its stack. A local
MAY allow for WS option in the proxied message to be function of the configuration MAY allow for WS option in the proxied message to be
scaling factor of the incoming connection. function of the scaling factor of the incoming connection.
There is no benefit from a deployment viewpoint in enabling a Client There is no benefit from a deployment viewpoint in enabling a Client
of a Converter to specifically request the utilisation of the WS of a Transport Converter to specifically request the utilisation of
option (Kind=3) with a specific scaling factor towards a remote the WS option (Kind=3) with a specific scaling factor towards a
Server. For this reason, a Converter MUST ignore option Kind=3 if it remote Server. For this reason, a Transport Converter MUST ignore
appears in a Connect TLV. It MUST NOT announce it in a Bootstrap option Kind=3 if it appears in a Connect TLV. It MUST NOT announce
TLV. it in a Supported TCP Extensions TLV.
5.3. Selective Acknowledgements 5.3. Selective Acknowledgements
Two distinct TCP options were defined to support selective Two distinct TCP options were defined to support selective
acknowledgements in [RFC2018]. This first one, SACK Permitted acknowledgements in [RFC2018]. This first one, SACK Permitted
(Kind=4), is used to negotiate the utilisation of selective (Kind=4), is used to negotiate the utilisation of selective
acknowledgements during the three-way handshake. The second one, acknowledgements during the three-way handshake. The second one,
SACK (Kind=5), carries the selective acknowledgements inside regular SACK (Kind=5), carries the selective acknowledgements inside regular
segments. segments.
The SACK Permitted option (Kind=4) MAY be advertised by a Transport The SACK Permitted option (Kind=4) MAY be advertised by a Transport
Converter in the Bootstrap TLV. In this case, Clients connected to Converter in the Supported TCP Extensions TLV. Clients connected to
this Transport Converter MAY include the SACK Permitted option in the this Transport Converter MAY include the SACK Permitted option in the
Connect TLV. Connect TLV.
The SACK option (Kind=5) cannot be used during the three-way The SACK option (Kind=5) cannot be used during the three-way
handshake. For this reason, a Transport Converter MUST ignore option handshake. For this reason, a Transport Converter MUST ignore option
Kind=5 with if it appears in a Connect TLV. It MUST NOT announce it Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a
in a Bootstrap TLV. TCP Supported Extensions TLV.
5.4. Timestamp 5.4. Timestamp
The Timestamp option was initially defined in [RFC1323] which has The Timestamp option was initially defined in [RFC1323] and later
been replaced by [RFC7323]. It can be used during the three-way refined in [RFC7323]. It can be used during the three-way handshake
handshake to negotiate the utilisation of the timestamps during the to negotiate the utilization of timestamps during the TCP connection.
TCP connection. It is notably used to improve round-trip-time It is notably used to improve round-trip-time estimations and to
estimations and to provide protection against wrapped sequence provide protection against wrapped sequence numbers (PAWS). As for
numbers (PAWS). As for the WS option, the timestamps are a property the WS option, the timestamps are a property of a connection and
of a connection and there is limited benefit in enabling a client to there is limited benefit in enabling a client to request a Transport
request a Converter to use the timestamp option when establishing a Converter to use the timestamp option when establishing a connection
connection to a remote server. Furthermore, the timestamps that are to a remote server. Furthermore, the timestamps that are used by TCP
used by TCP stacks are specific to each stack and there is no benefit stacks are specific to each stack and there is no benefit in enabling
in enabling a client to specify the timestamp value that a Converter a client to specify the timestamp value that a Transport Converter
could use to establish a connection to a remote server. could use to establish a connection to a remote server.
A Transport Converter MAY advertise the Timestamp option (Kind=8) in A Transport Converter MAY advertise the Timestamp option (Kind=8) in
the Bootstrap TLV. The clients connected to this Converter MAY the TCP Supported Extensions TLV. The clients connected to this
include the Timestamp option in the Connect TLV but without any Transport Converter MAY include the Timestamp option in the Connect
timestamp. TLV but without any timestamp.
5.5. Multipath TCP 5.5. Multipath TCP
The Multipath TCP options are defined in [RFC6824]. [RFC6824] The Multipath TCP options are defined in [RFC6824]. [RFC6824]
defines one variable length TCP option (Kind=30) that includes a defines one variable length TCP option (Kind=30) that includes a
subtype field to support several Multipath TCP options. There are subtype field to support several Multipath TCP options. There are
several operational use cases where clients would like to use several operational use cases where clients would like to use
Multipath TCP through a Converter [IETFJ16]. However, none of these Multipath TCP through a Transport Converter [IETFJ16]. However, none
use cases require the Client to specify the content of the Multipath of these use cases require the Client to specify the content of the
TCP option that the Converter should send to a remote server. Multipath TCP option that the Transport Converter should send to a
remote server.
A Transport Converter which supports Multipath TCP conversion service A Transport Converter which supports Multipath TCP conversion service
MUST advertise the Multipath TCP option (Kind=30) in the Bootstrap MUST advertise the Multipath TCP option (Kind=30) in the Supported
TLV. Clients serviced by this Converter may include the Multipath TCP Extensions TLV. Clients serviced by this Transport Converter may
TCP option in the Connect TLV but without any content. include the Multipath TCP option in the Connect TLV but without any
content.
5.6. TCP Fast Open 5.6. TCP Fast Open
The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413]. The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413].
There are two different usages of this option that need to be There are two different usages of this option that need to be
supported by Transport Converters. The first utilisation of the Fast supported by Transport Converters. The first utilization of the TCP
Open cookie is to request a cookie from the server. In this case, Fast Open cookie option is to request a cookie from the server. In
the option is sent with an empty cookie by the client and the server this case, the option is sent with an empty cookie by the client and
returns the cookie. The second utilisation of the Fast Open cookie the server returns the cookie. The second utilization of the TCP
is to send a cookie to the server. In this case, the option contains Fast Open cookie option is to send a cookie to the server. In this
a cookie. case, the option contains a cookie.
A Transport Converter MAY advertise the TCP Fast Open cookie option A Transport Converter MAY advertise the TCP Fast Open cookie option
(Kind=34) in the Bootstrap TLV. If a Transport Converter has (Kind=34) in the Supported TCP Extensions TLV. If a Transport
advertised the support for TCP Fast Open in its Bootstrap TLV, it Converter has advertised the support for TCP Fast Open in its
needs to be able to process two types of Connect TLV. If such a Supported TCP Extensions TLV, it needs to be able to process two
Transport Converter receives a Connect TLV with the TCP Fast Open types of Connect TLV. If such a Transport Converter receives a
cookie option that does not contain a cookie, it MUST add an empty Connect TLV with the TCP Fast Open cookie option that does not
TCP Fast Open cookie option in the SYN sent to the remote server. If contain a cookie, it MUST add an empty TCP Fast Open cookie option in
such a Transport Converter receives a Connect TLV with the TCP Fast the SYN sent to the remote server. If such a Transport Converter
Open cookie option that contains a cookie, it MUST copy the TCP Fast receives a Connect TLV with the TCP Fast Open cookie option that
Open cookie option in the SYN sent to the remote server. contains a cookie, it MUST copy the TCP Fast Open cookie option in
the SYN sent to the remote server.
The Converter may behave in address preservation or address sharing
modes as discussed in Section 5.4 of
[I-D.nam-mptcp-deployment-considerations]. Which behavior to use by
a Converter is deployment-specific. If address sharing mode is
enabled, the Converter MUST adhere to REQ-2 of [RFC6888] which
implies a default "IP address pooling" behavior of "Paired" (as
defined in Section 4.1 of [RFC4787]) must be supported. This
behavior is meant to avoid breaking applications that depend on the
external address remaining constant. Also, maintaining the same
external IP address for a client is meant to preserve the validity of
the TFO cookie.
5.7. TCP User Timeout 5.7. TCP User Timeout
The TCP User Timeout option is defined in [RFC5482]. The associated The TCP User Timeout option is defined in [RFC5482]. The associated
TCP option (Kind=28) does not appear to be widely deployed. TCP option (Kind=28) does not appear to be widely deployed.
Editor's Note: Feedback requested for the utilisation of this option
by deployed TCP stacks.
5.8. TCP-AO 5.8. TCP-AO
TCP-AO [RFC5925] provides a technique to authenticate all the packets TCP-AO [RFC5925] provides a technique to authenticate all the packets
exchanged over a TCP connection. Given the nature of this extension, exchanged over a TCP connection. Given the nature of this extension,
it is unlikely that the applications that require their packets to be it is unlikely that the applications that require their packets to be
authenticated end-to-end would want their connections to pass through authenticated end-to-end would want their connections to pass through
a converter. For this reason, we do not recommend the support of the a converter. For this reason, we do not recommend the support of the
TCP-AO option by Transport Converters. The only use cases where is TCP-AO option by Transport Converters. The only use cases where it
makes sense to combine TCP-AO and the solution in this document are could make sense to combine TCP-AO and the solution in this document
those where the TCP-AO-NAT extension [RFC6978] is in use. are those where the TCP-AO-NAT extension [RFC6978] is in use.
A Converter MUST NOT advertise the TCP-AO option (Kind=29) in the A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29)
Bootstrap TLV. If a Converter receives a Connect TLV that contains in the Supported TCP Extensions TLV. If a Transport Converter
the TCP-AO option, it MUST reject the establishment of the connection receives a Connect TLV that contains the TCP-AO option, it MUST
with error code set to "Unsupported TCP Option", except if the TCP- reject the establishment of the connection with error code set to
AO-NAT option is used. "Unsupported TCP Option", except if the TCP-AO-NAT option is used.
5.9. TCP Experimental Options 5.9. TCP Experimental Options
The TCP Experimental options are defined in [RFC4727]. Given the The TCP Experimental options are defined in [RFC4727]. Given the
variety of semantics for these options and their experimental nature, variety of semantics for these options and their experimental nature,
it is impossible to discuss them in details in this document. it is impossible to discuss them in details in this document.
6. Interactions with Middleboxes 6. Interactions with Middleboxes
The Converter Protocol was designed to be used in networks that do The Convert Protocol is designed to be used in networks that do not
not contain middleboxes that interfere with TCP. We describe in this contain middleboxes that interfere with TCP. Under such conditions,
section how a Client can detect middlebox interference and stop using it is assumed that the network provider ensures that all involved on-
the Transport Converter affected by this interference. path nodes are not breaking TCP signals (e.g., strip TCP options,
discard some SYNs, etc.).
Nevertheless, and in order to allow for a robust service, this
section describes how a Client can detect middlebox interference and
stop using the Transport Converter affected by this interference.
Internet measurements [IMC11] have shown that middleboxes can affect Internet measurements [IMC11] have shown that middleboxes can affect
the deployment of TCP extensions. In this section, we only discuss the deployment of TCP extensions. In this section, we only discuss
the middleboxes that modify SYN and SYN+ACK packets since the the middleboxes that modify SYN and SYN+ACK packets since the Convert
Converter Protocol places its messages in such packets. Protocol places its messages in such packets.
Let us first consider a middlebox that removes the TFO Option from
the SYN packet. This interference will be detected by the Client
during the bootstrap procedure discussed in Section 4.2.3. A Client
should not use a Transport Converter that does not reply with the TFO
option during the Bootstrap.
Consider a middlebox that removes the SYN payload after the bootstrap Consider a middlebox that removes the SYN payload. The Client can
procedure. The Client can detect this problem by looking at the detect this problem by looking at the acknowledgement number field of
acknowledgement number field of the SYN+ACK returned by the Transport the SYN+ACK returned by the Transport Converter. The Client MUST
Converter. The Client should stop to use this Transport Converter stop to use this Transport Converter given the middlebox
given the middlebox interference. interference.
As explained in [RFC7413], some carrier-grade NATs can affect the As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect
operation of TFO if they assign different IP addresses to the same the operation of TFO if they assign different IP addresses to the
end host. Such carrier-grade NATs could affect the operation of the same end host. Such CGNs could affect the operation of the TFO
TFO Option used by the Converter Protocol. See also the discussion Option used by the Convert Protocol. As a reminder CGNs, enabled on
in Section 7.1 of [RFC7413]. the path between a Client and a Transport Converter, must adhere to
the address preservation defined in [RFC6888]. See also the
discussion in Section 7.1 of [RFC7413].
7. Security Considerations 7. Security Considerations
7.1. Privacy & Ingress Filtering 7.1. Privacy & Ingress Filtering
The Converter may have access to privacy-related information (e.g., The Transport Converter may have access to privacy-related
subscriber credentials). The Converter MUST NOT leak such sensitive information (e.g., subscriber credentials). The Transport Converter
information outside a local domain. is designed to not leak such sensitive information outside a local
domain.
Given its function and its location in the network, a Transport Given its function and its location in the network, a Transport
Converter has access to the payload of all the packets that it Converter has access to the payload of all the packets that it
processes. As such, it MUST be protected as a core IP router (e.g., processes. As such, it MUST be protected as a core IP router (e.g.,
[RFC1812]). [RFC1812]).
Furthermore, ingress filtering policies MUST be enforced at the Furthermore, ingress filtering policies MUST be enforced at the
network boundaries [RFC2827]. network boundaries [RFC2827].
This document assumes that all network attachments are managed by the This document assumes that all network attachments are managed by the
same administrative entity. Therefore, enforcing anti-spoofing same administrative entity. Therefore, enforcing anti-spoofing
filters at these network ensures that hosts are not sending traffic filters at these network ensures that hosts are not sending traffic
with spoofed source IP addresses. with spoofed source IP addresses.
7.2. Authorization 7.2. Authorization
The Converter Protocol is intended to be used in managed networks The Convert Protocol is intended to be used in managed networks where
where end hosts can be identified by their IP address. Thanks to the end hosts can be identified by their IP address.
Bootstrap procedure, the Transport Converter can verify that the
Client correctly receives packets sent by the Converter. Stronger Stronger mutual authentication schemes MUST be defined to use the
authentication schemes MUST be defined to use the Converter Protocol Convert Protocol in more open network environments. One possibility
in more open network environments; such schemes are out of scope of is to use TLS to perform mutual authentication between the client and
this document. the Converter. That is, use TLS when a Client retrieves a Cookie
from the Converter and rely on certificate-based client
authentication, pre-shared key based [RFC4279] or raw public key
based client authentication [RFC7250] to secure this connection. If
the authentication succeeds, the Converter returns a cookie whose
content may be, for example, set to a hash using as input the
representation of the Subject Public Key Info (SPKI) of the client
X.509 certificate, the Client raw public key, or the "Pre-Shared Key
(PSK) identity" used by the Client in the TLS ClientKeyExchange
message. Subsequent Connect messages will be authorized as a
function of the content of the Cookie TLV. The client MUST also
authenticate.
See below for authorization considerations that are specific for See below for authorization considerations that are specific for
Multipath TCP. Multipath TCP.
7.3. Denial of Service 7.3. Denial of Service
Another possible risk is the amplification attacks since a Transport Another possible risk is the amplification attacks since a Transport
Converter sends a SYN towards a remote Server upon reception of a SYN Converter sends a SYN towards a remote Server upon reception of a SYN
from a Client. This could lead to amplification attacks if the SYN from a Client. This could lead to amplification attacks if the SYN
sent by the Transport Converter were larger than the SYN received sent by the Transport Converter were larger than the SYN received
from the Client or if the Transport Converter retransmits the SYN. from the Client or if the Transport Converter retransmits the SYN.
To mitigate such attacks, the Transport Converter SHOULD rate limit To mitigate such attacks, the Transport Converter SHOULD rate limit
the number of pending requests for a given Client. It SHOULD also the number of pending requests for a given Client. It SHOULD also
avoid sending to remote Servers SYNs that are significantly longer avoid sending to remote Servers SYNs that are significantly longer
than the SYN received from the Client. In practice, Transport than the SYN received from the Client. Finally, the Transport
Converters SHOULD NOT advertise to a Server TCP options that were not
specified by the Client in the received SYN. Finally, the Transport
Converter SHOULD only retransmit a SYN to a Server after having Converter SHOULD only retransmit a SYN to a Server after having
received a retransmitted SYN from the corresponding Client. received a retransmitted SYN from the corresponding Client. Means to
protect against SYN flooding attacks MUST also be enabled [RFC4987].
Upon reception of a SYN that contains a valid TFO cookie and a
Connect TLV, the Transport Converter attempts to establish a TCP
connection to a remote Server. There is a risk of denial of service
attack if a Client requests too many connections in a short period of
time. Implementations SHOULD limit the number of pending connections
from a given Client. Means to protect against SYN flooding attacks
MUST also be enabled [RFC4987].
7.4. Traffic Theft 7.4. Traffic Theft
Traffic theft is a risk if an illegitimate Converter is inserted in Traffic theft is a risk if an illegitimate Converter is inserted in
the path. Indeed, inserting an illegitimate Converter in the the path. Indeed, inserting an illegitimate Converter in the
forwarding path allows traffic interception and can therefore provide forwarding path allows traffic interception and can therefore provide
access to sensitive data issued by or destined to a host. Converter access to sensitive data issued by or destined to a host. Converter
discovery and configuration are out of scope of this document. discovery and configuration are out of scope of this document.
7.5. Multipath TCP-specific Considerations 7.5. Multipath TCP-specific Considerations
Multipath TCP-related security threats are discussed in [RFC6181] and Multipath TCP-related security threats are discussed in [RFC6181] and
[RFC6824]. [RFC6824].
The operator that manages the various network attachments (including The operator that manages the various network attachments (including
the Converters) can enforce authentication and authorization policies the Transport Converters) can enforce authentication and
using appropriate mechanisms. For example, a non-exhaustive list of authorization policies using appropriate mechanisms. For example, a
methods to achieve authorization is provided hereafter: non-exhaustive list of methods to achieve authorization is provided
hereafter:
o The network provider may enforce a policy based on the o The network provider may enforce a policy based on the
International Mobile Subscriber Identity (IMSI) to verify that a International Mobile Subscriber Identity (IMSI) to verify that a
user is allowed to benefit from the aggregation service. If that user is allowed to benefit from the aggregation service. If that
authorization fails, the Packet Data Protocol (PDP) context/bearer authorization fails, the Packet Data Protocol (PDP) context/bearer
will not be mounted. This method does not require any interaction will not be mounted. This method does not require any interaction
with the Converter. with the Transport Converter.
o The network provider may enforce a policy based upon Access o The network provider may enforce a policy based upon Access
Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG)
to control the hosts that are authorized to communicate with a to control the hosts that are authorized to communicate with a
Converter. These ACLs may be installed as a result of RADIUS Transport Converter. These ACLs may be installed as a result of
exchanges, e.g. [I-D.boucadair-radext-tcpm-converter]. This RADIUS exchanges, e.g. [I-D.boucadair-radext-tcpm-converter].
method does not require any interaction with the Converter. This method does not require any interaction with the Transport
Converter.
o A device that embeds the Converter may also host a RADIUS client o A device that embeds a Transport Converter may also host a RADIUS
that will solicit an AAA server to check whether connections client that will solicit an AAA server to check whether
received from a given source IP address are authorized or not connections received from a given source IP address are authorized
[I-D.boucadair-radext-tcpm-converter]. or not [I-D.boucadair-radext-tcpm-converter].
A first safeguard against the misuse of Converter resources by A first safeguard against the misuse of Transport Converter resources
illegitimate users (e.g., users with access networks that are not by illegitimate users (e.g., users with access networks that are not
managed by the same provider that operates the Converter) is the managed by the same provider that operates the Transport Converter)
Converter to reject Multipath TCP connections received on its is the Transport Converter to reject Multipath TCP connections
Internet-facing interfaces. Only Multipath TCP connections received received on its Internet-facing interfaces. Only Multipath TCP
on the customer-facing interfaces of a Converter will be accepted. connections received on the customer-facing interfaces of a Transport
Converter will be accepted.
8. IANA Considerations 8. IANA Considerations
8.1. Convert Service Port Number 8.1. Convert Service Port Number
IANA is requested to assign a TCP port number (TBA) for the Converter IANA is requested to assign a TCP port number (TBA) for the Convert
Protocol from the "Service Name and Transport Protocol Port Number Protocol from the "Service Name and Transport Protocol Port Number
Registry" available at https://www.iana.org/assignments/service- Registry" available at https://www.iana.org/assignments/service-
names-port-numbers/service-names-port-numbers.xhtml. names-port-numbers/service-names-port-numbers.xhtml.
8.2. The Converter Protocol (Convert) Parameters 8.2. The Convert Protocol (Convert) Parameters
IANA is requested to create a new "The Converter Protocol (Convert) IANA is requested to create a new "The Convert Protocol (Convert)
Parameters" registry. Parameters" registry.
The following subsections detail new registries within "The Converter The following subsections detail new registries within "The Convert
Protocol (Convert) Parameters" registry. Protocol (Convert) Parameters" registry.
8.2.1. Convert Versions 8.2.1. Convert Versions
IANA is requested to create the "Convert versions" sub-registry. New IANA is requested to create the "Convert versions" sub-registry. New
values are assigned via Standards Action. values are assigned via Standards Action.
The initial values to be assigned at the creation of the registry are The initial values to be assigned at the creation of the registry are
as follows: as follows:
skipping to change at page 29, line 9 skipping to change at page 31, line 9
o The values in the range 192-255 can be assigned for Private Use. o The values in the range 192-255 can be assigned for Private Use.
The initial values to be assigned at the creation of the registry are The initial values to be assigned at the creation of the registry are
as follows: as follows:
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| Code | Name | Reference | | Code | Name | Reference |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| 0 | Reserved | [This-RFC] | | 0 | Reserved | [This-RFC] |
| 1 | Bootstrap TLV | [This-RFC] | | 1 | Info TLV | [This-RFC] |
| 10 | Connect TLV | [This-RFC] | | 10 | Connect TLV | [This-RFC] |
| 20 | Extended TCP Header TLV | [This-RFC] | | 20 | Extended TCP Header TLV | [This-RFC] |
| 22 | Supported TCP Extension Services TLV | [This-RFC] | | 21 | Supported TCP Extension TLV | [This-RFC] |
| 22 | Cookie TLV | [This-RFC] |
| 30 | Error TLV | [This-RFC] | | 30 | Error TLV | [This-RFC] |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
8.2.3. Convert Error Messages 8.2.3. Convert Error Messages
IANA is requested to create the "Convert Errors" sub-registry. Codes IANA is requested to create the "Convert Errors" sub-registry. Codes
in this registry are assigned as a function of the error type. Four in this registry are assigned as a function of the error type. Four
types are defined; the following ranges are reserved for each of types are defined; the following ranges are reserved for each of
these types: these types:
o Message validation and processing errors: 0-31 o Message validation and processing errors: 0-31
o Client-side errors: 32-63 o Client-side errors: 32-63
o Converter-side errors: 64-95 o Transport Converter-side errors: 64-95
o Errors caused by destination server: 96-127 o Errors caused by destination server: 96-127
The procedure for assigning values from this sub-registry is as The procedure for assigning values from this sub-registry is as
follows: follows:
o 0-191: Values in this range are assigned via Standards Action. o 0-191: Values in this range are assigned via Standards Action.
o 192-255: Values in this range are assigned via Specification o 192-255: Values in this range are assigned via Specification
Required. Required.
The initial values to be assigned at the creation of the registry are The initial values to be assigned at the creation of the registry are
as follows: as follows:
+-------+------+-----------------------------------+-----------+ +-------+------+-----------------------------------+-----------+
| Error | Hex | Description | Reference | | Error | Hex | Description | Reference |
+-------+------+-----------------------------------+-----------+ +-------+------+-----------------------------------+-----------+
| 0 | 0x00 | Unsupported Version | [This-RFC]| | 0 | 0x00 | Unsupported Version | [This-RFC]|
| 1 | 0x01 | Malformed Message | [This-RFC]| | 1 | 0x01 | Malformed Message | [This-RFC]|
| 2 | 0x02 | Unsupported Message | [This-RFC]| | 2 | 0x02 | Unsupported Message | [This-RFC]|
| 3 | 0x03 | Missing Cookie | [This-RFC]|
| 32 | 0x20 | Not Authorized | [This-RFC]| | 32 | 0x20 | Not Authorized | [This-RFC]|
| 33 | 0x21 | Unsupported TCP Option | [This-RFC]| | 33 | 0x21 | Unsupported TCP Option | [This-RFC]|
| 64 | 0x40 | Resource Exceeded | [This-RFC]| | 64 | 0x40 | Resource Exceeded | [This-RFC]|
| 65 | 0x41 | Network Failure | [This-RFC]| | 65 | 0x41 | Network Failure | [This-RFC]|
| 96 | 0x60 | Connection Reset | [This-RFC]| | 96 | 0x60 | Connection Reset | [This-RFC]|
| 97 | 0x61 | Destination Unreachable | [This-RFC]| | 97 | 0x61 | Destination Unreachable | [This-RFC]|
+-------+------+-----------------------------------+-----------+ +-------+------+-----------------------------------+-----------+
Figure 19: The Convert Error Codes Figure 20: The Convert Error Codes
9. Acknowledgements 9. Acknowledgements
Although they could disagree with the contents of the document, we Although they could disagree with the contents of the document, we
would like to thank Joe Touch and Juliusz Chroboczek whose comments would like to thank Joe Touch and Juliusz Chroboczek whose comments
on the MPTCP mailing list have forced us to reconsider the design of on the MPTCP mailing list have forced us to reconsider the design of
the solution several times. the solution several times.
We would like to thank Raphael Bauduin, Stefano Secci, Benjamin We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha
Hesmans and Anandatirtha Nandugudi for their help in preparing this Nandugudi and Gregory Vander Schueren for their help in preparing
document. Nandini Ganesh provided valuable feedback about the this document. Nandini Ganesh provided valuable feedback about the
handling of TFO and the error codes. Thanks to them. handling of TFO and the error codes. Thanks to them.
This document builds upon earlier documents that proposed various This document builds upon earlier documents that proposed various
forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode],
[I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b].
From [I-D.boucadair-mptcp-plain-mode]: From [I-D.boucadair-mptcp-plain-mode]:
Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi
Nishida, and Christoph Paasch for their valuable comments. Nishida, and Christoph Paasch for their valuable comments.
skipping to change at page 32, line 36 skipping to change at page 34, line 36
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)",
RFC 4279, DOI 10.17487/RFC4279, December 2005,
<https://www.rfc-editor.org/info/rfc4279>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <https://www.rfc-editor.org/info/rfc4291>. 2006, <https://www.rfc-editor.org/info/rfc4291>.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, ICMPv6, UDP, and TCP Headers", RFC 4727,
DOI 10.17487/RFC4727, November 2006, DOI 10.17487/RFC4727, November 2006,
<https://www.rfc-editor.org/info/rfc4727>. <https://www.rfc-editor.org/info/rfc4727>.
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
skipping to change at page 33, line 19 skipping to change at page 35, line 23
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
"TCP Extensions for Multipath Operation with Multiple "TCP Extensions for Multipath Operation with Multiple
Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013, Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
<https://www.rfc-editor.org/info/rfc6824>. <https://www.rfc-editor.org/info/rfc6824>.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153, "Special-Purpose IP Address Registries", BCP 153,
RFC 6890, DOI 10.17487/RFC6890, April 2013, RFC 6890, DOI 10.17487/RFC6890, April 2013,
<https://www.rfc-editor.org/info/rfc6890>. <https://www.rfc-editor.org/info/rfc6890>.
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Weiler, S., and T. Kivinen, "Using Raw Public Keys in
Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, <https://www.rfc-editor.org/info/rfc7250>.
[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
<https://www.rfc-editor.org/info/rfc7413>. <https://www.rfc-editor.org/info/rfc7413>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
skipping to change at page 34, line 28 skipping to change at page 36, line 40
[I-D.boucadair-radext-tcpm-converter] [I-D.boucadair-radext-tcpm-converter]
Boucadair, M. and C. Jacquenet, "RADIUS Extensions for Boucadair, M. and C. Jacquenet, "RADIUS Extensions for
0-RTT TCP Converters", draft-boucadair-radext-tcpm- 0-RTT TCP Converters", draft-boucadair-radext-tcpm-
converter-01 (work in progress), October 2018. converter-01 (work in progress), October 2018.
[I-D.boucadair-tcpm-dhc-converter] [I-D.boucadair-tcpm-dhc-converter]
Boucadair, M., Jacquenet, C., and R. K, "DHCP Options for Boucadair, M., Jacquenet, C., and R. K, "DHCP Options for
0-RTT TCP Converters", draft-boucadair-tcpm-dhc- 0-RTT TCP Converters", draft-boucadair-tcpm-dhc-
converter-01 (work in progress), October 2018. converter-01 (work in progress), October 2018.
[I-D.ietf-mptcp-rfc6824bis]
Ford, A., Raiciu, C., Handley, M., Bonaventure, O., and C.
Paasch, "TCP Extensions for Multipath Operation with
Multiple Addresses", draft-ietf-mptcp-rfc6824bis-12 (work
in progress), October 2018.
[I-D.ietf-tcpinc-tcpcrypt] [I-D.ietf-tcpinc-tcpcrypt]
Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack, Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack,
Q., and E. Smith, "Cryptographic protection of TCP Streams Q., and E. Smith, "Cryptographic protection of TCP Streams
(tcpcrypt)", draft-ietf-tcpinc-tcpcrypt-13 (work in (tcpcrypt)", draft-ietf-tcpinc-tcpcrypt-15 (work in
progress), September 2018. progress), December 2018.
[I-D.nam-mptcp-deployment-considerations] [I-D.nam-mptcp-deployment-considerations]
Boucadair, M., Jacquenet, C., Bonaventure, O., Henderickx, Boucadair, M., Jacquenet, C., Bonaventure, O., Henderickx,
W., and R. Skog, "Network-Assisted MPTCP: Use Cases, W., and R. Skog, "Network-Assisted MPTCP: Use Cases,
Deployment Scenarios and Operational Considerations", Deployment Scenarios and Operational Considerations",
draft-nam-mptcp-deployment-considerations-01 (work in draft-nam-mptcp-deployment-considerations-01 (work in
progress), December 2016. progress), December 2016.
[I-D.olteanu-intarea-socks-6] [I-D.olteanu-intarea-socks-6]
Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6", Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6",
draft-olteanu-intarea-socks-6-04 (work in progress), draft-olteanu-intarea-socks-6-05 (work in progress),
August 2018. October 2018.
[I-D.peirens-mptcp-transparent] [I-D.peirens-mptcp-transparent]
Peirens, B., Detal, G., Barre, S., and O. Bonaventure, Peirens, B., Detal, G., Barre, S., and O. Bonaventure,
"Link bonding with transparent Multipath TCP", draft- "Link bonding with transparent Multipath TCP", draft-
peirens-mptcp-transparent-00 (work in progress), July peirens-mptcp-transparent-00 (work in progress), July
2016. 2016.
[IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment", [IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment",
IETF Journal, Fall 2016 , n.d.. IETF Journal, Fall 2016 , n.d..
skipping to change at page 36, line 45 skipping to change at page 39, line 5
Scheffenegger, Ed., "TCP Extensions for High Performance", Scheffenegger, Ed., "TCP Extensions for High Performance",
RFC 7323, DOI 10.17487/RFC7323, September 2014, RFC 7323, DOI 10.17487/RFC7323, September 2014,
<https://www.rfc-editor.org/info/rfc7323>. <https://www.rfc-editor.org/info/rfc7323>.
[RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A.
Zimmermann, "A Roadmap for Transmission Control Protocol Zimmermann, "A Roadmap for Transmission Control Protocol
(TCP) Specification Documents", RFC 7414, (TCP) Specification Documents", RFC 7414,
DOI 10.17487/RFC7414, February 2015, DOI 10.17487/RFC7414, February 2015,
<https://www.rfc-editor.org/info/rfc7414>. <https://www.rfc-editor.org/info/rfc7414>.
[RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and
Operational Experience with Multipath TCP", RFC 8041,
DOI 10.17487/RFC8041, January 2017,
<https://www.rfc-editor.org/info/rfc8041>.
[RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2:
Better Connectivity Using Concurrency", RFC 8305, Better Connectivity Using Concurrency", RFC 8305,
DOI 10.17487/RFC8305, December 2017, DOI 10.17487/RFC8305, December 2017,
<https://www.rfc-editor.org/info/rfc8305>. <https://www.rfc-editor.org/info/rfc8305>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
Appendix A. Differences with SOCKSv5 Appendix A. Differences with SOCKSv5
At a first glance, the Convert solution could seem similar to the At a first glance, the solution proposed in this document could seem
SOCKS v5 protocol [RFC1928] which is used to proxy TCP connections. similar to the SOCKS v5 protocol [RFC1928] which is used to proxy TCP
The Client creates a connection to a SOCKS proxy, exchanges connections. The Client creates a connection to a SOCKS proxy,
authentication information and indicates the destination address and exchanges authentication information and indicates the destination
port of the final server. At this point, the SOCKS proxy creates a address and port of the final server. At this point, the SOCKS proxy
connection towards the final server and relays all data between the creates a connection towards the final server and relays all data
two proxied connections. The operation of an implementation based on between the two proxied connections. The operation of an
SOCKSv5 is illustrated in Figure 20. implementation based on SOCKSv5 is illustrated in Figure 21.
Client SOCKS Proxy Server Client SOCKS Proxy Server
--------------------> -------------------->
SYN SYN
<-------------------- <--------------------
SYN+ACK SYN+ACK
--------------------> -------------------->
ACK ACK
--------------------> -------------------->
skipping to change at page 37, line 51 skipping to change at page 40, line 40
--------------------> -------------------->
Data1 Data1
--------------------> -------------------->
Data1 Data1
<-------------------- <--------------------
Data2 Data2
<-------------------- <--------------------
Data2 Data2
Figure 20: Establishment of a TCP connection through a SOCKS proxy Figure 21: Establishment of a TCP connection through a SOCKS proxy
without authentication without authentication
The Converter protocol also relays data between an upstream and a The Convert protocol also relays data between an upstream and a
downstream connection, but there are important differences with downstream connection, but there are important differences with
SOCKSv5. SOCKSv5.
A first difference is that the Converter protocol leverages the TFO A first difference is that the Convert protocol leverages the TFO
option [RFC7413] to exchange all control information during the option [RFC7413] to exchange all control information during the
three-way handshake. This reduces the connection establishment delay three-way handshake. This reduces the connection establishment delay
compared to SOCKS that requires two or more round-trip-times before compared to SOCKS that requires two or more round-trip-times before
the establishment of the downstream connection towards the final the establishment of the downstream connection towards the final
destination. In today's Internet, latency is a important metric and destination. In today's Internet, latency is a important metric and
various protocols have been tuned to reduce their latency various protocols have been tuned to reduce their latency
[I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS [I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS
also leverages the TFO option [I-D.olteanu-intarea-socks-6]. also leverages the TFO option [I-D.olteanu-intarea-socks-6].
A second difference is that the Converter protocol explicitly takes A second difference is that the Convert protocol explicitly takes the
the TCP extensions into account. By using the Converter protocol, TCP extensions into account. By using the Convert protocol, the
the Client can learn whether a given TCP extension is supported by Client can learn whether a given TCP extension is supported by the
the destination Server. This enables the Client to bypass the destination Server. This enables the Client to bypass the Transport
Transport Converter when the destination supports the required TCP Converter when the destination supports the required TCP extension.
extension. Neither SOCKS v5 [RFC1928] nor the proposed SOCKS v6 Neither SOCKS v5 [RFC1928] nor the proposed SOCKS v6
[I-D.olteanu-intarea-socks-6] provide such a feature. [I-D.olteanu-intarea-socks-6] provide such a feature.
A third difference is that a Transport Converter will only accept the A third difference is that a Transport Converter will only accept the
connection initiated by the Client provided that the downstream connection initiated by the Client provided that the downstream
connection is accepted by the Server. If the Server refuses the connection is accepted by the Server. If the Server refuses the
connection establishment attempt from the Transport Converter, then connection establishment attempt from the Transport Converter, then
the upstream connection from the Client is rejected as well. This the upstream connection from the Client is rejected as well. This
feature is important for applications that check the availability of feature is important for applications that check the availability of
a Server or use the time to connect as a hint on the selection of a a Server or use the time to connect as a hint on the selection of a
Server [RFC8305]. Server [RFC8305].
A fourth difference is that the Convert protocol only allows the
client to specify the address/port of the destination server and not
a DNS name. We evaluated an alternate design for the Connect TLV
that included the DNS name of the remote peer instead of its IP
address as in SOCKS [RFC1928]. However, that design was not adopted
because it induces both an extra load and increased delays on the
Transport Converter to handle and manage DNS resolution requests.
Authors' Addresses Authors' Addresses
Olivier Bonaventure (editor) Olivier Bonaventure (editor)
Tessares Tessares
Email: Olivier.Bonaventure@tessares.net Email: Olivier.Bonaventure@tessares.net
Mohamed Boucadair (editor) Mohamed Boucadair (editor)
Orange Orange
skipping to change at page 39, line 4 skipping to change at page 41, line 44
Olivier Bonaventure (editor) Olivier Bonaventure (editor)
Tessares Tessares
Email: Olivier.Bonaventure@tessares.net Email: Olivier.Bonaventure@tessares.net
Mohamed Boucadair (editor) Mohamed Boucadair (editor)
Orange Orange
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
Sri Gundavelli Sri Gundavelli
Cisco Cisco
Email: sgundave@cisco.com Email: sgundave@cisco.com
SungHoon Seo SungHoon Seo
Korea Telecom Korea Telecom
Email: sh.seo@kt.com Email: sh.seo@kt.com
Benjamin Hesmans
Tessares
Email: Benjamin.Hesmans@tessares.net
 End of changes. 176 change blocks. 
588 lines changed or deleted 706 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/