draft-ietf-tcpm-converters-11.txt   draft-ietf-tcpm-converters-12.txt 
TCPM Working Group O. Bonaventure, Ed. TCPM Working Group O. Bonaventure, Ed.
Internet-Draft Tessares Internet-Draft Tessares
Intended status: Experimental M. Boucadair, Ed. Intended status: Experimental M. Boucadair, Ed.
Expires: March 30, 2020 Orange Expires: April 6, 2020 Orange
S. Gundavelli S. Gundavelli
Cisco Cisco
S. Seo S. Seo
Korea Telecom Korea Telecom
B. Hesmans B. Hesmans
Tessares Tessares
September 27, 2019 October 04, 2019
0-RTT TCP Convert Protocol 0-RTT TCP Convert Protocol
draft-ietf-tcpm-converters-11 draft-ietf-tcpm-converters-12
Abstract Abstract
This document specifies an application proxy, called Transport This document specifies an application proxy, called Transport
Converter, to assist the deployment of TCP extensions such as Converter, to assist the deployment of TCP extensions such as
Multipath TCP. This proxy is designed to avoid inducing extra delay Multipath TCP. This proxy is designed to avoid inducing extra delay
when involved in a network-assisted connection (that is, 0-RTT). when involved in a network-assisted connection (that is, 0-RTT).
This specification assumes an explicit model, where the proxy is This specification assumes an explicit model, where the proxy is
explicitly configured on hosts. explicitly configured on hosts.
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 30, 2020. This Internet-Draft will expire on April 6, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Network-Assisted Connections: The Rationale . . . . . . . 4 1.2. Network-Assisted Connections: The Rationale . . . . . . . 4
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 6 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 6
3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 6 3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 7
3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 9 3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 9
3.3. Sample Examples of Outgoing Converter-Assisted Multipath 3.3. Data Processing at the Transport Converter . . . . . . . 12
TCP Connections . . . . . . . . . . . . . . . . . . . . . 13 3.4. Sample Examples of Outgoing Converter-Assisted Multipath
3.4. Sample Example of Incoming Converter-Assisted Multipath TCP Connections . . . . . . . . . . . . . . . . . . . . . 14
TCP Connection . . . . . . . . . . . . . . . . . . . . . 14 3.5. Sample Example of Incoming Converter-Assisted Multipath
4. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 15 TCP Connection . . . . . . . . . . . . . . . . . . . . . 16
4.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 16 4. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 17
4.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 17 4.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 17
4.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 17 4.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 18
4.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 17 4.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 18
4.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 18 4.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 19
4.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 19 4.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 20
4.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 20 4.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 20
4.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 22 4.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 21
4.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 22 4.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 23
4.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 23 4.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 23
4.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 24
5. Compatibility of Specific TCP Options with the Conversion 5. Compatibility of Specific TCP Options with the Conversion
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 26 5.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 27
5.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 27 5.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 28
5.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 27 5.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 28
5.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 28 5.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 29
5.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 28 5.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 29
5.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 28 5.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 29
5.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 29 5.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 30
5.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 29 5.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.9. TCP Experimental Options . . . . . . . . . . . . . . . . 29 5.9. TCP Experimental Options . . . . . . . . . . . . . . . . 30
6. Interactions with Middleboxes . . . . . . . . . . . . . . . . 29 6. Interactions with Middleboxes . . . . . . . . . . . . . . . . 31
7. Security Considerations . . . . . . . . . . . . . . . . . . . 30 7. Security Considerations . . . . . . . . . . . . . . . . . . . 31
7.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 30 7.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 32
7.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 31 7.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 32
7.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 32 7.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 33
7.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 32 7.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 33
7.5. Multipath TCP-specific Considerations . . . . . . . . . . 33 7.5. Multipath TCP-specific Considerations . . . . . . . . . . 34
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
8.1. Convert Service Port Number . . . . . . . . . . . . . . . 33 8.1. Convert Service Port Number . . . . . . . . . . . . . . . 34
8.2. The Convert Protocol (Convert) Parameters . . . . . . . . 34 8.2. The Convert Protocol (Convert) Parameters . . . . . . . . 35
8.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 34 8.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 35
8.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 34 8.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 35
8.2.3. Convert Error Messages . . . . . . . . . . . . . . . 35 8.2.3. Convert Error Messages . . . . . . . . . . . . . . . 36
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 36 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 37
9.1. Normative References . . . . . . . . . . . . . . . . . . 36 9.1. Normative References . . . . . . . . . . . . . . . . . . 37
9.2. Informative References . . . . . . . . . . . . . . . . . 38 9.2. Informative References . . . . . . . . . . . . . . . . . 39
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 41 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 42
Appendix B. Example Socket API Changes to Support the 0-RTT Appendix B. Example Socket API Changes to Support the 0-RTT
Convert Protocol . . . . . . . . . . . . . . . . . . 43 Convert Protocol . . . . . . . . . . . . . . . . . . 44
B.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 43 B.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 44
B.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 43 B.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 44
Appendix C. Some Design Considerations . . . . . . . . . . . . . 44 Appendix C. Some Design Considerations . . . . . . . . . . . . . 45
Appendix D. Differences with SOCKSv5 . . . . . . . . . . . . . . 45 Appendix D. Address Preservation vs. Address Sharing . . . . . . 46
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 47 D.1. Address Preservation . . . . . . . . . . . . . . . . . . 46
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 48 D.2. IPv4 Address Sharing . . . . . . . . . . . . . . . . . . 47
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 Appendix E. Differences with SOCKSv5 . . . . . . . . . . . . . . 48
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 50
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52
1. Introduction 1. Introduction
1.1. The Problem 1.1. The Problem
Transport protocols like TCP evolve regularly [RFC7414]. TCP has Transport protocols like TCP evolve regularly [RFC7414]. TCP has
been improved in different ways. Some improvements such as changing been improved in different ways. Some improvements such as changing
the initial window size [RFC6928] or modifying the congestion control the initial window size [RFC6928] or modifying the congestion control
scheme can be applied independently on clients and servers. Other scheme can be applied independently on clients and servers. Other
improvements such as Selective Acknowledgments [RFC2018] or large improvements such as Selective Acknowledgments [RFC2018] or large
skipping to change at page 6, line 27 skipping to change at page 6, line 29
This document is organized as follows. First, Section 3 provides a This document is organized as follows. First, Section 3 provides a
brief explanation of the operation of Transport Converters. Then, brief explanation of the operation of Transport Converters. Then,
Section 4 describes the Convert Protocol. Section 5 discusses how Section 4 describes the Convert Protocol. Section 5 discusses how
Transport Converters can be used to support different TCP extensions. Transport Converters can be used to support different TCP extensions.
Section 6 then discusses the interactions with middleboxes, while Section 6 then discusses the interactions with middleboxes, while
Section 7 focuses on the security considerations. Section 7 focuses on the security considerations.
Appendix B describes how a TCP stack would need to support the Appendix B describes how a TCP stack would need to support the
protocol described in this document. Appendix C records some protocol described in this document. Appendix C records some
considerations that impacted the design of the protocol. Appendix D considerations that impacted the design of the protocol. Appendix E
provides a comparison with SOCKS proxies that are already used to provides a comparison with SOCKS proxies that are already used to
deploy Multipath TCP in some cellular networks (Section 2.2 of deploy Multipath TCP in some cellular networks (Section 2.2 of
[RFC8041]). [RFC8041]).
2. Conventions and Definitions 2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all 14 [RFC2119][RFC8174] when, and only when, they appear in all
skipping to change at page 7, line 34 skipping to change at page 7, line 40
| |
customer-facing interface : Internet-facing interface customer-facing interface : Internet-facing interface
| |
Figure 1: A Transport Converter Proxies Data between Pairs of TCP Figure 1: A Transport Converter Proxies Data between Pairs of TCP
Connections Connections
"Client" refers to a software instance embedded on a host that can "Client" refers to a software instance embedded on a host that can
reach a Transport Converter via its customer-facing interface. The reach a Transport Converter via its customer-facing interface. The
"Client" can initiate connections via a Transport Converter (referred "Client" can initiate connections via a Transport Converter (referred
to as outgoing connections (Section 3.3)). Also, the "Client" can to as outgoing connections (Section 3.4)). Also, the "Client" can
accept incoming connections via a Transport Converter (referred to as accept incoming connections via a Transport Converter (referred to as
incoming connections (Section 3.4)). incoming connections (Section 3.5)).
Transport Converters can be operated by network operators or third Transport Converters can be operated by network operators or third
parties. Nevertheless, this document focuses on the single parties. Nevertheless, this document focuses on the single
administrative deployment case where the entity offering the administrative deployment case where the entity offering the
connectivity service to a client is also the entity which owns and connectivity service to a client is also the entity which owns and
operates the Transport Converter. operates the Transport Converter.
A Transport Converter can be embedded in a standalone device or be A Transport Converter can be embedded in a standalone device or be
activated as a service on a router. How such function is enabled is activated as a service on a router. How such function is enabled is
deployment-specific. A sample deployment is depicted in Figure 2. deployment-specific. A sample deployment is depicted in Figure 2.
skipping to change at page 10, line 25 skipping to change at page 10, line 25
Server in the payload of the SYN sent to the Transport Converter to Server in the payload of the SYN sent to the Transport Converter to
minimize connection establishment delays. The Transport Converter minimize connection establishment delays. The Transport Converter
maintains two connections that are combined together: maintains two connections that are combined together:
o the upstream connection is the one between the Client and the o the upstream connection is the one between the Client and the
Transport Converter. Transport Converter.
o the downstream connection is between the Transport Converter and o the downstream connection is between the Transport Converter and
the Server. the Server.
The control messages, discussed in Section 4, establish state in the
Transport Converter that will enable it to proxy between the two TCP
connections. These control messages are destined to the Transport
Convert and are, thus, removed by the Converter when proxying between
the two connections.
Any user data received by the Transport Converter over the upstream Any user data received by the Transport Converter over the upstream
(or downstream) connection is proxied over the downstream (or (or downstream) connection is proxied over the downstream (or
upstream) connection. In particular, if the initial SYN message upstream) connection. In particular, if the initial SYN message
contains data in its payload (e.g., [RFC7413]), that data MUST be contains data in its payload (e.g., [RFC7413]), that data MUST be
placed right after the Convert TLVs when generating the SYN. placed right after the Convert TLVs when generating the SYN.
The Converter associates a lifetime with state entries used to bind The Converter associates a lifetime with state entries used to bind
an upstream connection with its downstream connection. an upstream connection with its downstream connection.
A Transport Converter may operate in address preservation or address
sharing modes (e.g., Section 5.4 of
[I-D.nam-mptcp-deployment-considerations]). Which behavior to use by
a Transport Converter is deployment-specific. If address sharing
mode is enabled, the Transport Converter MUST adhere to REQ-2 of
[RFC6888] which implies a default "IP address pooling" behavior of
"Paired" (as defined in Section 4.1 of [RFC4787]) must be supported.
This behavior is meant to avoid breaking applications that depend on
the source address remaining constant.
Figure 5 illustrates the establishment of an outgoing TCP connection Figure 5 illustrates the establishment of an outgoing TCP connection
by a Client through a Transport Converter. by a Client through a Transport Converter.
Transport Transport
Client Converter Server Client Converter Server
| | | | | |
|SYN [->Server:port]| SYN | |SYN [->Server:port]| SYN |
|------------------>|--------------------->| |------------------>|--------------------->|
|<------------------|<---------------------| |<------------------|<---------------------|
| SYN+ACK [ ] | SYN+ACK | | SYN+ACK [ ] | SYN+ACK |
skipping to change at page 11, line 27 skipping to change at page 11, line 11
The Client sends a SYN destined to the Transport Converter. The The Client sends a SYN destined to the Transport Converter. The
payload of this SYN contains the address and port number of the payload of this SYN contains the address and port number of the
Server. The Transport Converter does not reply immediately to this Server. The Transport Converter does not reply immediately to this
SYN. It first tries to create a TCP connection towards the target SYN. It first tries to create a TCP connection towards the target
Server. If this upstream connection succeeds, the Transport Server. If this upstream connection succeeds, the Transport
Converter confirms the establishment of the connection to the Client Converter confirms the establishment of the connection to the Client
by returning a SYN+ACK and the first bytes of the bytestream contain by returning a SYN+ACK and the first bytes of the bytestream contain
information about the TCP options that were negotiated with the information about the TCP options that were negotiated with the
Server. Also, a state entry is instantiated for this connection. Server. Also, a state entry is instantiated for this connection.
This state entry is used by the Converter to handle subsequent This state entry is used by the Converter to handle subsequent
messages belonging to the connection. Note that the Converter messages belonging to the connection.
silently ignores Non-SYN messages that do not match an active state
entry.
The connection can also be established from the Internet towards a The connection can also be established from the Internet towards a
Client via a Transport Converter (Figure 6). This is typically the Client via a Transport Converter (Figure 6). This is typically the
case when an application on the Client listens to a specific port case when an application on the Client listens to a specific port
(the Client hosts an application server, typically). When the (the Client hosts an application server, typically). When the
Converter receives an incoming SYN from a remote host, it checks if Converter receives an incoming SYN from a remote host, it checks if
it can provide the conversion service for the destination IP address it can provide the conversion service for the destination IP address
and destination port number of that SYN. If the check fails, the and destination port number of that SYN. If the check fails, the
packet is silently ignored by the Converter. If the check is packet is silently ignored by the Converter. If the check is
successful, the Converter inserts the source IP address and source successful, the Converter inserts the source IP address and source
skipping to change at page 13, line 7 skipping to change at page 12, line 36
(excessive retransmissions, reception of an RST segment, etc.), then (excessive retransmissions, reception of an RST segment, etc.), then
the Converter should force the tear-down of the upstream (or the Converter should force the tear-down of the upstream (or
downstream) connection. downstream) connection.
The same reasoning applies when the upstream connection ends. In The same reasoning applies when the upstream connection ends. In
this case, the Converter should also terminate the downstream this case, the Converter should also terminate the downstream
connection by using FIN segments. If the downstream connection connection by using FIN segments. If the downstream connection
terminates with the exchange of FIN segments, the Converter should terminates with the exchange of FIN segments, the Converter should
initiate a graceful termination of the upstream connection. initiate a graceful termination of the upstream connection.
3.3. Sample Examples of Outgoing Converter-Assisted Multipath TCP 3.3. Data Processing at the Transport Converter
As mentioned in Section 3.2, the Transport Converter acts as a TCP
proxy between the upstream connection (i.e., between the Client and
the Transport Converter) and the downstream connection (i.e., between
the Transport Converter and the Server).
The control messages, discussed in Section 4, establish state
(called, transport session entry) in the Transport Converter that
will enable it to proxy between the two TCP connections.
The Transport Converter uses the transport session entry to proxy
packets belonging to the connection. An implementation example of a
transport session entry for TCP connections is shown in Figure 7.
(C,c) <--> (T,t), (S,s), Lifetime
Where:
* C and c are the source IP address and source port number
used by the Client for the usptream connection.
* S and s are the Server's IP address and port number.
* T and t are the source IP address and source port number
used by the Transport Converter to proxy the connection.
* Lifetime is the validity lifetime of the entry as assigned
by the Converter.
Figure 7: An Example of Transport Session Entry (TCP)
Note that for the Multipath TCP case, the Transport Converter
identifies an MPTCP connection by means, e.g., of the token assigned
to the MPTCP connection. Subflows can be added or deleted during the
lifetime of an MPTCP connection between a Client and a Transport
Converter. The identification of each subflow that belongs to an
MPTCP connection are also part of the transport session entry. An
implementation example of a transport session entry maintained by a
Transport Converter for Multipath TCP connections is shown in
Figure 7. As a reminder, the Convert TLVs are only exchanged during
the establishment of the initial subflow.
token, {(C1,c1), .., (Cn, cn)} <--> (T,t), (S,s), Lifetime
Where:
* Token is a locally unique identifier given to a (upstream)
multipath connection by the Transport Converter.
* Ci and ci are the source IP address and source port number
used by the Client for a subflow of a (upstream) Multipath TCP
connection.
* S and s are the Server's IP address and port number.
* T and t are the source IP address and source port number
used by the Transport Converter to proxy the connection.
* Lifetime is the validity lifetime of the entry as assigned
by the Converter.
Figure 8: An Example of Transport Session Entry (Multipath TCP)
Clients send packets bound to connections eligible to the conversion
service to the provisioned Transport Converter using TBA as
destination port number. This applies for both control messages and
data. Additional information is supplied by Clients to the Transport
Converter by means of Convert messages as detailed in Section 4.
User data can be included in SYN or non-SYN messages. User data is
unambiguously distinguished from Convert TLVs by a Transport
Converter owing to the Total Length field in the Convert messages
(Section 4.1). These Convert TLVs are destined to the Transport
Convert and are, thus, removed by the Transport Converter when
proxying between the two connections.
Upon receipt of a Non-SYN (or a secondary subflow for Multipath TCP)
on port number TBA by the Transport Converter from a Client, the
Converter checks if the packet matches an active transport session
entry. If no entry is found, the Transport Converter MUST silently
ignore the packet. If an entry is found, the user data is proxied to
the Server using the information stored in the corresponding
transport session entry. For example,
o In reference to Figure 7, the Transport Converter proxies the data
received from (C, c) downstream using (T,t) as source transport
address and (S,s) as destination transport address.
o In reference to Figure 8, the Transport Converter proxies the data
received from a new subflow of an existing Multipath TCP
connection (Cn, cn) downstream using (T,t) as source transport
address and (S,s) as destination transport address.
A similar process happens for data sent from the Server. The
Converter acts as a TCP proxy and sends the data to the Client
relying upon the information stored in a transport session entry.
A Transport Converter may operate in address preservation mode (that
is, the Converter does not rewrite the source IP address (i.e.,
C==T)) or address sharing mode (that is, an address pool is shared
among all Clients serviced by the Converter (i.e., C!=T)); refer to
Appendix D for more details. Which behavior to use by a Transport
Converter is deployment-specific. If address sharing mode is
enabled, the Transport Converter MUST adhere to REQ-2 of [RFC6888]
which implies a default "IP address pooling" behavior of "Paired" (as
defined in Section 4.1 of [RFC4787]) must be supported. This
behavior is meant to avoid breaking applications that depend on the
source address remaining constant.
3.4. Sample Examples of Outgoing Converter-Assisted Multipath TCP
Connections Connections
As an example, let us consider how the Convert protocol can help the As an example, let us consider how the Convert protocol can help the
deployment of Multipath TCP. We assume that both the Client and the deployment of Multipath TCP. We assume that both the Client and the
Transport Converter support Multipath TCP, but consider two different Transport Converter support Multipath TCP, but consider two different
cases depending on whether the Server supports Multipath TCP or not. cases depending on whether the Server supports Multipath TCP or not.
As a reminder, a Multipath TCP connection is created by placing the As a reminder, a Multipath TCP connection is created by placing the
MP_CAPABLE (MPC) option in the SYN sent by the Client. MP_CAPABLE (MPC) option in the SYN sent by the Client.
Figure 7 describes the operation of the Transport Converter if the Figure 9 describes the operation of the Transport Converter if the
Server does not support Multipath TCP. Server does not support Multipath TCP.
Transport Transport
Client Converter Server Client Converter Server
|SYN, | | |SYN, | |
|MPC [->Server:port]| SYN, MPC | |MPC [->Server:port]| SYN, MPC |
|------------------>|--------------------->| |------------------>|--------------------->|
|<------------------|<---------------------| |<------------------|<---------------------|
| SYN+ACK,MPC [.] | SYN+ACK | | SYN+ACK,MPC [.] | SYN+ACK |
|------------------>|--------------------->| |------------------>|--------------------->|
| ACK, MPC | ACK | | ACK, MPC | ACK |
| ... | ... | | ... | ... |
Figure 7: Establishment of a Multipath TCP Connection Through a Figure 9: Establishment of a Multipath TCP Connection Through a
Transport Converter towards a Server that Does Not Support Multipath Transport Converter towards a Server that Does Not Support Multipath
TCP TCP
The Client tries to initiate a Multipath TCP connection by sending a The Client tries to initiate a Multipath TCP connection by sending a
SYN with the MP_CAPABLE option (MPC in Figure 7). The SYN includes SYN with the MP_CAPABLE option (MPC in Figure 9). The SYN includes
the address and port number of the target Server, that are extracted the address and port number of the target Server, that are extracted
and used by the Transport Converter to initiate a Multipath TCP and used by the Transport Converter to initiate a Multipath TCP
connection towards this Server. Since the Server does not support connection towards this Server. Since the Server does not support
Multipath TCP, it replies with a SYN+ACK that does not contain the Multipath TCP, it replies with a SYN+ACK that does not contain the
MP_CAPABLE option. The Transport Converter notes that the connection MP_CAPABLE option. The Transport Converter notes that the connection
with the Server does not support Multipath TCP and returns the with the Server does not support Multipath TCP and returns the
extended TCP header received from the Server to the Client. extended TCP header received from the Server to the Client.
Note that, if the TCP connection fails for some reason, the Converter Note that, if the TCP connection fails for some reason, the Converter
tears down the Multipath TCP connection by transmitting a tears down the Multipath TCP connection by transmitting a
MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with
the transmission of DATA_FINs, the Converter terminates the TCP the transmission of DATA_FINs, the Converter terminates the TCP
connection by using FIN segments. As a side note, given that with connection by using FIN segments. As a side note, given that with
Multipath TCP, RST only has the scope of the subflow and will only Multipath TCP, RST only has the scope of the subflow and will only
close the concerned subflow but not affect the remaining subflows, close the concerned subflow but not affect the remaining subflows,
the Converter does not terminate the TCP connection upon receipt of the Converter does not terminate the TCP connection upon receipt of
an RST over a Multipath subflow. an RST over a Multipath subflow.
Figure 8 considers a Server that supports Multipath TCP. In this Figure 10 considers a Server that supports Multipath TCP. In this
case, it replies to the SYN sent by the Transport Converter with the case, it replies to the SYN sent by the Transport Converter with the
MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport
Converter confirms the establishment of the connection to the Client Converter confirms the establishment of the connection to the Client
and indicates to the Client that the Server supports Multipath TCP. and indicates to the Client that the Server supports Multipath TCP.
With this information, the Client has discovered that the Server With this information, the Client has discovered that the Server
supports Multipath TCP natively. This will enable the Client to supports Multipath TCP natively. This will enable the Client to
bypass the Transport Converter for the subsequent Multipath TCP bypass the Transport Converter for the subsequent Multipath TCP
connections that it will initiate towards this Server. connections that it will initiate towards this Server.
Transport Transport
skipping to change at page 14, line 30 skipping to change at page 16, line 17
|SYN, | | |SYN, | |
|MPC [->Server:port]| SYN, MPC | |MPC [->Server:port]| SYN, MPC |
|------------------>|--------------------->| |------------------>|--------------------->|
|<------------------|<---------------------| |<------------------|<---------------------|
|SYN+ACK, | SYN+ACK, MPC | |SYN+ACK, | SYN+ACK, MPC |
|MPC [MPC supported]| | |MPC [MPC supported]| |
|------------------>|--------------------->| |------------------>|--------------------->|
| ACK, MPC | ACK, MPC | | ACK, MPC | ACK, MPC |
| ... | ... | | ... | ... |
Figure 8: Establishment of a Multipath TCP Connection Through a Figure 10: Establishment of a Multipath TCP Connection Through a
Converter Towards an MPTCP-capable Server Converter Towards an MPTCP-capable Server
3.4. Sample Example of Incoming Converter-Assisted Multipath TCP 3.5. Sample Example of Incoming Converter-Assisted Multipath TCP
Connection Connection
An example of an incoming Converter-assisted Multipath TCP connection An example of an incoming Converter-assisted Multipath TCP connection
is depicted in Figure 9. In order to support incoming connections is depicted in Figure 11. In order to support incoming connections
from remote hosts, the Client may use PCP [RFC6887] to instruct the from remote hosts, the Client may use PCP [RFC6887] to instruct the
Transport Converter to create dynamic mappings. Those mappings will Transport Converter to create dynamic mappings. Those mappings will
be used by the Transport Converter to intercept an incoming TCP be used by the Transport Converter to intercept an incoming TCP
connection destined to the Client and convert it into a Multipath TCP connection destined to the Client and convert it into a Multipath TCP
connection. connection.
Typically, the Client sends a PCP request to the Converter asking to Typically, the Client sends a PCP request to the Converter asking to
create an explicit TCP mapping for (internal IP address, internal create an explicit TCP mapping for (internal IP address, internal
port number). The Converter accepts the request by creating a TCP port number). The Converter accepts the request by creating a TCP
mapping (internal IP address, internal port number, external IP mapping (internal IP address, internal port number, external IP
skipping to change at page 15, line 31 skipping to change at page 17, line 17
| | | | | |
|<--------------------|<-------------------| |<--------------------|<-------------------|
|SYN, | SYN | |SYN, | SYN |
|MPC[Remote Host:port]| | |MPC[Remote Host:port]| |
|-------------------->|------------------->| |-------------------->|------------------->|
| SYN+ACK, MPC | SYN+ACK | | SYN+ACK, MPC | SYN+ACK |
|<--------------------|<-------------------| |<--------------------|<-------------------|
| ACK, MPC | ACK | | ACK, MPC | ACK |
| ... | ... | | ... | ... |
Figure 9: Establishment of an Incoming Multipath TCP Connection Figure 11: Establishment of an Incoming Multipath TCP Connection
through a Transport Converter through a Transport Converter
It is out of scope of this document to define specific Convert TLVs It is out of scope of this document to define specific Convert TLVs
to manage incoming connections. These TLVs can be defined in a to manage incoming connections. These TLVs can be defined in a
separate document. separate document.
4. The Convert Protocol (Convert) 4. The Convert Protocol (Convert)
This section defines the Convert protocol (Convert, for short) This section defines the Convert protocol (Convert, for short)
messages that are exchanged between a Client and a Transport messages that are exchanged between a Client and a Transport
Converter. Converter.
By default, the Transport Converter listens on TCP port number TBA By default, the Transport Converter listens on TCP port number TBA
for Convert messages from Clients. for Convert messages from Clients.
Clients send packets bound to connections eligible to the conversion
service to the provisioned Transport Converter using TBA as
destination port number. This applies for both control messages and
data. Additional information is supplied by Clients to the Transport
Converter by means of Convert messages as detailed in the following
sub-sections.
Convert messages may appear only in a SYN, SYN+ACK, or ACK. Convert messages may appear only in a SYN, SYN+ACK, or ACK.
Convert messages MUST be included as the first bytes of the Convert messages MUST be included as the first bytes of the
bytestream. All Convert messages starts with a 32 bits long fixed bytestream. All Convert messages starts with a 32 bits long fixed
header (Section 4.1) followed by one or more Convert TLVs (Type, header (Section 4.1) followed by one or more Convert TLVs (Type,
Length, Value) (Section 4.2). Length, Value) (Section 4.2).
User data can be included in SYN or non-SYN messages. User data is
unambiguously distinguished from Convert TLVs owing to the Total
Length field in the Convert messages.
4.1. The Convert Fixed Header 4.1. The Convert Fixed Header
The Convert Protocol uses a 32 bits long fixed header that is sent by The Convert Protocol uses a 32 bits long fixed header that is sent by
both the Client and the Transport Converter over each established both the Client and the Transport Converter over each established
connection. This header indicates both the version of the protocol connection. This header indicates both the version of the protocol
used and the length of the Convert message. used and the length of the Convert message.
The Client and the Transport Converter MUST send the fixed-sized The Client and the Transport Converter MUST send the fixed-sized
header, shown in Figure 10, as the first four bytes of the header, shown in Figure 12, as the first four bytes of the
bytestream. bytestream.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Version | Total Length | Unassigned | | Version | Total Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
Figure 10: The Fixed-Sized Header of the Convert Protocol Figure 12: The Fixed-Sized Header of the Convert Protocol
The Version is encoded as an 8 bits unsigned integer value. This The Version is encoded as an 8 bits unsigned integer value. This
document specifies version 1. Version 0 is reserved by this document document specifies version 1. Version 0 is reserved by this document
and MUST NOT be used. and MUST NOT be used.
The Total Length is the number of 32 bits word, including the header, The Total Length is the number of 32 bits word, including the header,
of the bytestream that are consumed by the Convert messages. Since of the bytestream that are consumed by the Convert messages. Since
Total Length is also an 8 bits unsigned integer, those messages Total Length is also an 8 bits unsigned integer, those messages
cannot consume more than 1020 bytes of data. This limits the number cannot consume more than 1020 bytes of data. This limits the number
of bytes that a Transport Converter needs to process. A Total Length of bytes that a Transport Converter needs to process. A Total Length
skipping to change at page 17, line 14 skipping to change at page 18, line 37
Data added by the Convert protocol to the TCP bytestream is Data added by the Convert protocol to the TCP bytestream is
unambiguously distinguished from payload data by the Total Length unambiguously distinguished from payload data by the Total Length
field in the Convert messages. field in the Convert messages.
4.2. Convert TLVs 4.2. Convert TLVs
4.2.1. Generic Convert TLV Format 4.2.1. Generic Convert TLV Format
The Convert protocol uses variable length messages that are encoded The Convert protocol uses variable length messages that are encoded
using the generic TLV format depicted in Figure 11. using the generic TLV format depicted in Figure 13.
The length of all TLVs used by the Convert protocol is always a The length of all TLVs used by the Convert protocol is always a
multiple of four bytes. All TLVs are aligned on 32 bits boundaries. multiple of four bytes. All TLVs are aligned on 32 bits boundaries.
All TLV fields are encoded using the network byte order. All TLV fields are encoded using the network byte order.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type | Length | Value ... | | Type | Length | Value ... |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
// ... (optional) Value // // ... (optional) Value //
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 11: Convert Generic TLV Format Figure 13: Convert Generic TLV Format
The Length field covers Type, Length, and Value fields. It is The Length field covers Type, Length, and Value fields. It is
expressed in units of 32 bits words. If necessary, Value MUST be expressed in units of 32 bits words. If necessary, Value MUST be
padded with zeroes so that the length of the TLV is a multiple of 32 padded with zeroes so that the length of the TLV is a multiple of 32
bits. bits.
A given TLV MUST only appear once on a connection. If two or more A given TLV MUST only appear once on a connection. If two or more
instances of the same TLV are exchanged over a Convert connection, instances of the same TLV are exchanged over a Convert connection,
the associated TCP connections MUST be closed. the associated TCP connections MUST be closed.
skipping to change at page 18, line 16 skipping to change at page 19, line 29
| Type | Hex | Length | Description | | Type | Hex | Length | Description |
+------+-----+----------+------------------------------------------+ +------+-----+----------+------------------------------------------+
| 1 | 0x1 | 1 | Info TLV | | 1 | 0x1 | 1 | Info TLV |
| 10 | 0xA | Variable | Connect TLV | | 10 | 0xA | Variable | Connect TLV |
| 20 | 0x14| Variable | Extended TCP Header TLV | | 20 | 0x14| Variable | Extended TCP Header TLV |
| 21 | 0x15| Variable | Supported TCP Extensions TLV | | 21 | 0x15| Variable | Supported TCP Extensions TLV |
| 22 | 0x16| Variable | Cookie TLV | | 22 | 0x16| Variable | Cookie TLV |
| 30 | 0x1E| Variable | Error TLV | | 30 | 0x1E| Variable | Error TLV |
+------+-----+----------+------------------------------------------+ +------+-----+----------+------------------------------------------+
Figure 12: The TLVs used by the Convert Protocol Figure 14: The TLVs used by the Convert Protocol
Type 0x0 is a reserved valued. Implementations MUST discard messages Type 0x0 is a reserved valued. Implementations MUST discard messages
with such TLV. with such TLV.
The Client typically sends in the first connection it established The Client typically sends in the first connection it established
with a Transport Converter the Info TLV (Section 4.2.3) to learn its with a Transport Converter the Info TLV (Section 4.2.3) to learn its
capabilities. Assuming the Client is authorized to invoke the capabilities. Assuming the Client is authorized to invoke the
Transport Converter, the latter replies with the Supported TCP Transport Converter, the latter replies with the Supported TCP
Extensions TLV (Section 4.2.4). Extensions TLV (Section 4.2.4).
skipping to change at page 18, line 39 skipping to change at page 20, line 7
established with the final server, the Transport Converter replies established with the final server, the Transport Converter replies
with the Extended TCP Header TLV (Section 4.2.6). If not, the with the Extended TCP Header TLV (Section 4.2.6). If not, the
Transport Converter returns an Error TLV (Section 4.2.8) and then Transport Converter returns an Error TLV (Section 4.2.8) and then
closes the connection. closes the connection.
When an error is encountered an Error TLV with the appropriate error When an error is encountered an Error TLV with the appropriate error
code MUST be returned by the Transport Converter. code MUST be returned by the Transport Converter.
4.2.3. The Info TLV 4.2.3. The Info TLV
The Info TLV (Figure 13) is an optional TLV which can be sent by a The Info TLV (Figure 15) is an optional TLV which can be sent by a
Client to request the TCP extensions that are supported by a Client to request the TCP extensions that are supported by a
Transport Converter. It is typically sent on the first connection Transport Converter. It is typically sent on the first connection
that a Client establishes with a Transport Converter to learn its that a Client establishes with a Transport Converter to learn its
capabilities. Assuming a Client is entitled to invoke the Transport capabilities. Assuming a Client is entitled to invoke the Transport
Converter, the latter replies with the Supported TCP Extensions TLV Converter, the latter replies with the Supported TCP Extensions TLV
described in Section 4.2.4. described in Section 4.2.4.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x1 | Length | Zero | | Type=0x1 | Length | Zero |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
Figure 13: The Info TLV Figure 15: The Info TLV
4.2.4. Supported TCP Extensions TLV 4.2.4. Supported TCP Extensions TLV
The Supported TCP Extensions TLV (Figure 14) is used by a Transport The Supported TCP Extensions TLV (Figure 16) is used by a Transport
Converter to announce the TCP options for which it provides a Converter to announce the TCP options for which it provides a
conversion service. A Transport Converter SHOULD include in this conversion service. A Transport Converter SHOULD include in this
list the TCP options that it accepts from Clients; these options are list the TCP options that it accepts from Clients; these options are
included by the Transport Converter in the SYN packets that it sends included by the Transport Converter in the SYN packets that it sends
to initiate connections. to initiate connections.
Each supported TCP option is encoded with its TCP option Kind listed Each supported TCP option is encoded with its TCP option Kind listed
in the "TCP Parameters" registry maintained by IANA. in the "TCP Parameters" registry maintained by IANA.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x15 | Length | Unassigned | | Type=0x15 | Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Kind #1 | Kind #2 | ... | | Kind #1 | Kind #2 | ... |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
/ ... / / ... /
/ / / /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 14: The Supported TCP Extensions TLV Figure 16: The Supported TCP Extensions TLV
TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by
all TCP implementations and thus MUST NOT appear in this list. all TCP implementations and thus MUST NOT appear in this list.
The list of Supported TCP Extensions is padded with 0 to end on a 32 The list of Supported TCP Extensions is padded with 0 to end on a 32
bits boundary. bits boundary.
For example, if the Transport Converter supports Multipath TCP, For example, if the Transport Converter supports Multipath TCP,
Kind=30 will be present in the Supported TCP Extensions TLV that it Kind=30 will be present in the Supported TCP Extensions TLV that it
returns in response to Info TLV. returns in response to Info TLV.
4.2.5. Connect TLV 4.2.5. Connect TLV
The Connect TLV (Figure 15) is used to request the establishment of a The Connect TLV (Figure 17) is used to request the establishment of a
connection via a Transport Converter. This connection can be from or connection via a Transport Converter. This connection can be from or
to a Client. to a Client.
The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain
the destination port number and IP address of the Server, for the destination port number and IP address of the Server, for
outgoing connections. For incoming connections destined to a Client outgoing connections. For incoming connections destined to a Client
serviced via a Transport Converter, these fields convey the source serviced via a Transport Converter, these fields convey the source
port number and IP address. port number and IP address.
The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4
skipping to change at page 20, line 45 skipping to change at page 21, line 52
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| | | |
| Remote Peer IP Address (128 bits) | | Remote Peer IP Address (128 bits) |
| | | |
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
/ TCP Options (Variable) / / TCP Options (Variable) /
/ ... / / ... /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 15: The Connect TLV Figure 17: The Connect TLV
The 'TCP Options' field is a variable length field that carries a The 'TCP Options' field is a variable length field that carries a
list of TCP option fields (Figure 16). Each TCP option field is list of TCP option fields (Figure 18). Each TCP option field is
encoded as a block of 2+n bytes where the first byte is the TCP encoded as a block of 2+n bytes where the first byte is the TCP
option Kind and the second byte is the length of the TCP option as option Kind and the second byte is the length of the TCP option as
specified in [RFC0793]. The minimum value for the TCP option Length specified in [RFC0793]. The minimum value for the TCP option Length
is 2. The TCP options that do not include a length sub-field, i.e., is 2. The TCP options that do not include a length sub-field, i.e.,
option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be
placed inside the TCP options field of the Connect TLV. The optional placed inside the TCP options field of the Connect TLV. The optional
Value field contains the variable-length part of the TCP option. A Value field contains the variable-length part of the TCP option. A
length of two indicates the absence of the Value field. The TCP length of two indicates the absence of the Value field. The TCP
options field always ends on a 32 bits boundary after being padded options field always ends on a 32 bits boundary after being padded
with zeros. with zeros.
skipping to change at page 21, line 21 skipping to change at page 22, line 28
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| TCPOpt kind | TCPOpt Length | Value (opt) | .... | | TCPOpt kind | TCPOpt Length | Value (opt) | .... |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| .... | | .... |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
| ... | | ... |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 16: The TCP Options Field Figure 18: The TCP Options Field
Upon reception of a Connect TLV, and absent any policy (e.g., rate- Upon reception of a Connect TLV, and absent any policy (e.g., rate-
limit) or resource exhaustion conditions, a Transport Converter limit) or resource exhaustion conditions, a Transport Converter
attempts to establish a connection to the address and port that it attempts to establish a connection to the address and port that it
contains. The Transport Converter MUST use by default the TCP contains. The Transport Converter MUST use by default the TCP
options that correspond to its local policy to establish this options that correspond to its local policy to establish this
connection. These are the options that it advertises in the connection. These are the options that it advertises in the
Supported TCP Extensions TLV. Supported TCP Extensions TLV.
Upon reception of an extended Connect TLV, and absent any rate limit Upon reception of an extended Connect TLV, and absent any rate limit
skipping to change at page 22, line 7 skipping to change at page 23, line 10
The Transport Converter may discard a Connect TLV request for various The Transport Converter may discard a Connect TLV request for various
reasons (e.g., authorization failed, out of resources, invalid reasons (e.g., authorization failed, out of resources, invalid
address type). An error message indicating the encountered error is address type). An error message indicating the encountered error is
returned to the requesting Client (Section 4.2.8). In order to returned to the requesting Client (Section 4.2.8). In order to
prevent denial-of-service attacks, error messages sent to a Client prevent denial-of-service attacks, error messages sent to a Client
SHOULD be rate-limited. SHOULD be rate-limited.
4.2.6. Extended TCP Header TLV 4.2.6. Extended TCP Header TLV
The Extended TCP Header TLV (Figure 17) is used by the Transport The Extended TCP Header TLV (Figure 19) is used by the Transport
Converter to send to the Client the extended TCP header that was Converter to send to the Client the extended TCP header that was
returned by the Server in the SYN+ACK packet. This TLV is only sent returned by the Server in the SYN+ACK packet. This TLV is only sent
if the Client sent a Connect TLV to request the establishment of a if the Client sent a Connect TLV to request the establishment of a
connection. connection.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x14 | Length | Unassigned | | Type=0x14 | Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
/ Returned Extended TCP header / / Returned Extended TCP header /
/ ... / / ... /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 17: The Extended TCP Header TLV Figure 19: The Extended TCP Header TLV
The Returned Extended TCP header field is a copy of the extended The Returned Extended TCP header field is a copy of the extended
header that was received in the SYN+ACK by the Transport Converter. header that was received in the SYN+ACK by the Transport Converter.
The Unassigned field MUST be set to zero by the sender and ignored by The Unassigned field MUST be set to zero by the sender and ignored by
the receiver. These bits are available for future use [RFC8126]. the receiver. These bits are available for future use [RFC8126].
4.2.7. The Cookie TLV 4.2.7. The Cookie TLV
The Cookie TLV (Figure 18 is an optional TLV which use is similar to The Cookie TLV (Figure 20 is an optional TLV which use is similar to
the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want
to verify that a Client can receive the packets that it sends to to verify that a Client can receive the packets that it sends to
prevent attacks from spoofed addresses. This verification can be prevent attacks from spoofed addresses. This verification can be
done by using a Cookie that is bound to, for example, the IP done by using a Cookie that is bound to, for example, the IP
address(es) of the Client. This Cookie can be configured on the address(es) of the Client. This Cookie can be configured on the
Client by means that are outside of this document or provided by the Client by means that are outside of this document or provided by the
Transport Converter as follows. Transport Converter as follows.
A Transport Converter that has been configured to use the optional A Transport Converter that has been configured to use the optional
Cookie TLV MUST verify the presence of this TLV in the payload of the Cookie TLV MUST verify the presence of this TLV in the payload of the
skipping to change at page 23, line 10 skipping to change at page 24, line 14
If the received SYN did not contain a Cookie TLV, and cookie If the received SYN did not contain a Cookie TLV, and cookie
validation is required, the Transport Converter should compute a validation is required, the Transport Converter should compute a
Cookie bound to this Client address and return a Convert message Cookie bound to this Client address and return a Convert message
containing the fixed header, an Error TLV set to "Missing Cookie" and containing the fixed header, an Error TLV set to "Missing Cookie" and
the computed Cookie and close the connection. The Client will react the computed Cookie and close the connection. The Client will react
to this error by storing the received Cookie in its cache and attempt to this error by storing the received Cookie in its cache and attempt
to reestablish a new connection to the Transport Converter that to reestablish a new connection to the Transport Converter that
includes the Cookie TLV. includes the Cookie TLV.
The format of the Cookie TLV is shown in Figure 18. The format of the Cookie TLV is shown in Figure 20.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x16 | Length | Zero | | Type=0x16 | Length | Zero |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
/ Opaque Cookie / / Opaque Cookie /
/ ... / / ... /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 18: The Cookie TLV Figure 20: The Cookie TLV
4.2.8. Error TLV 4.2.8. Error TLV
The Error TLV (Figure 19) is meant to provide information about some The Error TLV (Figure 21) is meant to provide information about some
errors that occurred during the processing of a Convert message. errors that occurred during the processing of a Convert message.
This TLV has a variable length. Upon reception of an Error TLV, a This TLV has a variable length. Upon reception of an Error TLV, a
Client MUST close the associated connection. Client MUST close the associated connection.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+----------------+--------------+ +---------------+---------------+----------------+--------------+
| Type=0x1E | Length | Error Code | Value | | Type=0x1E | Length | Error Code | Value |
+---------------+---------------+----------------+--------------+ +---------------+---------------+----------------+--------------+
// ... (optional) Value // // ... (optional) Value //
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 19: The Error TLV Figure 21: The Error TLV
Different types of errors can occur while processing Convert Different types of errors can occur while processing Convert
messages. Each error is identified by an Error Code represented as messages. Each error is identified by an Error Code represented as
an unsigned integer. Four classes of error codes are defined: an unsigned integer. Four classes of error codes are defined:
o Message validation and processing errors (0-31 range): returned o Message validation and processing errors (0-31 range): returned
upon reception of an invalid message (including valid messages but upon reception of an invalid message (including valid messages but
with invalid or unknown TLVs). with invalid or unknown TLVs).
o Client-side errors (32-63 range): the Client sent a request that o Client-side errors (32-63 range): the Client sent a request that
skipping to change at page 26, line 16 skipping to change at page 27, line 21
o Connection Reset (96): This error indicates that the final o Connection Reset (96): This error indicates that the final
destination responded with an RST packet. The Value field MUST be destination responded with an RST packet. The Value field MUST be
set to zero. set to zero.
o Destination Unreachable (97): This error indicates that an ICMP o Destination Unreachable (97): This error indicates that an ICMP
destination unreachable, port unreachable, or network unreachable destination unreachable, port unreachable, or network unreachable
was received by the Transport Converter. The Value field MUST was received by the Transport Converter. The Value field MUST
echo the Code field of the received ICMP message. echo the Code field of the received ICMP message.
Figure 20 summarizes the different error codes. Figure 22 summarizes the different error codes.
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
| Error | Hex | Description | | Error | Hex | Description |
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
| 0 | 0x00 | Unsupported Version | | 0 | 0x00 | Unsupported Version |
| 1 | 0x01 | Malformed Message | | 1 | 0x01 | Malformed Message |
| 2 | 0x02 | Unsupported Message | | 2 | 0x02 | Unsupported Message |
| 3 | 0x03 | Missing Cookie | | 3 | 0x03 | Missing Cookie |
| 32 | 0x20 | Not Authorized | | 32 | 0x20 | Not Authorized |
| 33 | 0x21 | Unsupported TCP Option | | 33 | 0x21 | Unsupported TCP Option |
| 64 | 0x40 | Resource Exceeded | | 64 | 0x40 | Resource Exceeded |
| 65 | 0x41 | Network Failure | | 65 | 0x41 | Network Failure |
| 96 | 0x60 | Connection Reset | | 96 | 0x60 | Connection Reset |
| 97 | 0x61 | Destination Unreachable | | 97 | 0x61 | Destination Unreachable |
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
Figure 20: Convert Error Values Figure 22: Convert Error Values
5. Compatibility of Specific TCP Options with the Conversion Service 5. Compatibility of Specific TCP Options with the Conversion Service
In this section, we discuss how several standard track TCP options In this section, we discuss how several standard track TCP options
can be supported through the Convert protocol. The non-standard can be supported through the Convert protocol. The non-standard
track options and the experimental options will be discussed in other track options and the experimental options will be discussed in other
documents. documents.
5.1. Base TCP Options 5.1. Base TCP Options
skipping to change at page 31, line 35 skipping to change at page 32, line 46
If the authentication succeeds, the Converter returns a cookie to the If the authentication succeeds, the Converter returns a cookie to the
Client. Subsequent Connect messages will be authorized as a function Client. Subsequent Connect messages will be authorized as a function
of the content of the Cookie TLV. of the content of the Cookie TLV.
In deployments where network-assisted connections are not allowed In deployments where network-assisted connections are not allowed
between hosts of a domain (i.e., hairpinning), the Converter may be between hosts of a domain (i.e., hairpinning), the Converter may be
instructed to discard such connections. Hairpinned connections are instructed to discard such connections. Hairpinned connections are
thus rejected by the Transport Converter by returning an Error TLV thus rejected by the Transport Converter by returning an Error TLV
set to "Not Authorized". Absent explicit configuration otherwise, set to "Not Authorized". Absent explicit configuration otherwise,
hairpinning is enabled by the Converter (see Figure 21. hairpinning is enabled by the Converter (see Figure 23.
<===Network Provider===> <===Network Provider===>
+----+ from X1:x1 to X2':x2' +-----+ X1':x1' +----+ from X1:x1 to X2':x2' +-----+ X1':x1'
| C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+---
+----+ | v | +----+ | v |
| v | | v |
| v | | v |
| v | | v |
+----+ from X1':x1' to X2:x2 | v | X2':x2' +----+ from X1':x1' to X2:x2 | v | X2':x2'
| C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+--- | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+---
+----+ +-----+ +----+ +-----+
Converter Converter
Note: X2':x2' may be equal to Note: X2':x2' may be equal to
X2:x2 X2:x2
Figure 21: Hairpinning Example Figure 23: Hairpinning Example
See below for authorization considerations that are specific for See below for authorization considerations that are specific for
Multipath TCP. Multipath TCP.
7.3. Denial of Service 7.3. Denial of Service
Another possible risk is the amplification attacks since a Transport Another possible risk is the amplification attacks since a Transport
Converter sends a SYN towards a remote Server upon reception of a SYN Converter sends a SYN towards a remote Server upon reception of a SYN
from a Client. This could lead to amplification attacks if the SYN from a Client. This could lead to amplification attacks if the SYN
sent by the Transport Converter were larger than the SYN received sent by the Transport Converter were larger than the SYN received
skipping to change at page 36, line 20 skipping to change at page 37, line 20
| 2 | 0x02 | Unsupported Message | [This-RFC]| | 2 | 0x02 | Unsupported Message | [This-RFC]|
| 3 | 0x03 | Missing Cookie | [This-RFC]| | 3 | 0x03 | Missing Cookie | [This-RFC]|
| 32 | 0x20 | Not Authorized | [This-RFC]| | 32 | 0x20 | Not Authorized | [This-RFC]|
| 33 | 0x21 | Unsupported TCP Option | [This-RFC]| | 33 | 0x21 | Unsupported TCP Option | [This-RFC]|
| 64 | 0x40 | Resource Exceeded | [This-RFC]| | 64 | 0x40 | Resource Exceeded | [This-RFC]|
| 65 | 0x41 | Network Failure | [This-RFC]| | 65 | 0x41 | Network Failure | [This-RFC]|
| 96 | 0x60 | Connection Reset | [This-RFC]| | 96 | 0x60 | Connection Reset | [This-RFC]|
| 97 | 0x61 | Destination Unreachable | [This-RFC]| | 97 | 0x61 | Destination Unreachable | [This-RFC]|
+-------+------+-----------------------------------+-----------+ +-------+------+-----------------------------------+-----------+
Figure 22: The Convert Error Codes Figure 24: The Convert Error Codes
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
skipping to change at page 40, line 16 skipping to change at page 41, line 16
Shelby, "Performance Enhancing Proxies Intended to Shelby, "Performance Enhancing Proxies Intended to
Mitigate Link-Related Degradations", RFC 3135, Mitigate Link-Related Degradations", RFC 3135,
DOI 10.17487/RFC3135, June 2001, DOI 10.17487/RFC3135, June 2001,
<https://www.rfc-editor.org/info/rfc3135>. <https://www.rfc-editor.org/info/rfc3135>.
[RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for [RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for
Multipath Operation with Multiple Addresses", RFC 6181, Multipath Operation with Multiple Addresses", RFC 6181,
DOI 10.17487/RFC6181, March 2011, DOI 10.17487/RFC6181, March 2011,
<https://www.rfc-editor.org/info/rfc6181>. <https://www.rfc-editor.org/info/rfc6181>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013, DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>. <https://www.rfc-editor.org/info/rfc6887>.
[RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis,
"Increasing TCP's Initial Window", RFC 6928, "Increasing TCP's Initial Window", RFC 6928,
DOI 10.17487/RFC6928, April 2013, DOI 10.17487/RFC6928, April 2013,
<https://www.rfc-editor.org/info/rfc6928>. <https://www.rfc-editor.org/info/rfc6928>.
skipping to change at page 45, line 7 skipping to change at page 46, line 13
header, the Convert protocol supports the utilization of a Cookie header, the Convert protocol supports the utilization of a Cookie
that is placed in the SYN payload. This provides the same level of that is placed in the SYN payload. This provides the same level of
protection as a TFO Cookie in environments were such protection is protection as a TFO Cookie in environments were such protection is
required. required.
Error messages are not included in RST segments but sent in the Error messages are not included in RST segments but sent in the
bytestream. Implementors have indicated that processing such bytestream. Implementors have indicated that processing such
segments on clients was difficult on some platforms. This change segments on clients was difficult on some platforms. This change
simplifies client implementations. simplifies client implementations.
Appendix D. Differences with SOCKSv5 Appendix D. Address Preservation vs. Address Sharing
The Transport Converter is provided with instructions about the
behavior to adopt with regards to the processing of source addresses
of outgoing packets. The following sub-sections discusses two
deployment models for illustration purposes. It is out of the scope
of this document to make a recommendation.
D.1. Address Preservation
In this model, the visible source IP address of a packet proxied by a
Transport Converter to a Server is an IP address of the end host
(Client). No dedicated IP address pool is provisioned to the
Transport Converter.
For Multipath TCP, the Transport Converter preserves the source IP
address used by the Client when establishing the initial subflow.
Data conveyed in secondary subflows will be proxied by the Transport
Converter using the source IP address of the initial subflow. An
example of a proxied Multipath TCP connection with address
preservation is shown in Figure 25.
Transport
Client Converter Server
@:C1,C2 @:Tc @:S
|| | |
|src:C1 SYN dst:Tc|src:C1 dst:S|
|-------MPC [->S:port]------->|-------SYN------->|
|| | |
||dst:C1 src:Tc|dst:C1 src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----|
|| | |
|src:C1 dst:Tc|src:C1 dst:S|
|------------ACK------------->|-------ACK------->|
| | |
|src:C2 ... dst:Tc| ... |
||<-----Secondary Subflow---->|src:C1 dst:S|
|| |-------data------>|
| .. | ... |
Legend:
Tc: IP address used by the Transport Converter on its customer-facing
interface.
Figure 25: Example of Address Preservation
The Transport Converter must be on the forwarding path of incoming
traffic. Because the same (destination) IP address is used for both
proxied and non-proxied connections, the Transport Converter should
not drop incoming packets it intercepts if no matching entry is found
for the packets. Unless explicitly configured otherwise, such
packets are forwarded according to the instructions of a local
forwarding table.
D.2. IPv4 Address Sharing
A pool of global IPv4 addresses is provisioned to the Transport
Converter along with possible instructions about the address sharing
ratio to apply (see Appendix B of [RFC6269]). An address is thus
shared among multiple clients.
Likewise, rewriting the source IPv6 prefix [RFC6296] may be used to
ease redirection of incoming IPv6 traffic towards the appropriate
Transport Converter. A pool of IPv6 prefixes is then provisioned to
the Transport Converter for this purpose.
Adequate forwarding policies are enforced so that traffic destined to
an address of such pool is intercepted by the appropriate Transport
Converter. Unlike Appendix D.1, the Transport Converter drops
incoming packets which do match an active transport session entry.
An example is shown in Figure 26.
Transport
Client Converter Server
@:C @:Tc|Te @:S
| | |
|src:C dst:Tc|src:Te dst:S|
|-------SYN [->S:port]------->|-------SYN------->|
| | |
|dst:C src:Tc|dst:Te src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----|
| | |
|src:C dst:Tc|src:Te dst:S|
|------------ACK------------->|-------ACK------->|
| | |
| ... | ... |
Legend:
Tc: IP address used by the Transport Converter for its customer-facing
interface.
Te: IP address used by the Transport Converter for its Internet-facing
interface.
Figure 26: Address Sharing
Appendix E. Differences with SOCKSv5
At a first glance, the solution proposed in this document could seem At a first glance, the solution proposed in this document could seem
similar to the SOCKS v5 protocol [RFC1928] which is used to proxy TCP similar to the SOCKS v5 protocol [RFC1928] which is used to proxy TCP
connections. The Client creates a connection to a SOCKS proxy, connections. The Client creates a connection to a SOCKS proxy,
exchanges authentication information and indicates the destination exchanges authentication information and indicates the destination
address and port of the final server. At this point, the SOCKS proxy address and port of the final server. At this point, the SOCKS proxy
creates a connection towards the final server and relays all data creates a connection towards the final server and relays all data
between the two proxied connections. The operation of an between the two proxied connections. The operation of an
implementation based on SOCKSv5 is illustrated in Figure 23. implementation based on SOCKSv5 is illustrated in Figure 27.
Client SOCKS Proxy Server Client SOCKS Proxy Server
--------------------> -------------------->
SYN SYN
<-------------------- <--------------------
SYN+ACK SYN+ACK
--------------------> -------------------->
ACK ACK
--------------------> -------------------->
skipping to change at page 46, line 40 skipping to change at page 49, line 40
--------------------> -------------------->
Data1 Data1
--------------------> -------------------->
Data1 Data1
<-------------------- <--------------------
Data2 Data2
<-------------------- <--------------------
Data2 Data2
Figure 23: Establishment of a TCP connection through a SOCKS proxy Figure 27: Establishment of a TCP connection through a SOCKS proxy
without authentication without authentication
The Convert protocol also relays data between an upstream and a The Convert protocol also relays data between an upstream and a
downstream connection, but there are important differences with downstream connection, but there are important differences with
SOCKSv5. SOCKSv5.
A first difference is that the Convert protocol exchanges all control A first difference is that the Convert protocol exchanges all control
information during the three-way handshake. This reduces the information during the three-way handshake. This reduces the
connection establishment delay compared to SOCKS that requires two or connection establishment delay compared to SOCKS that requires two or
more round-trip-times before the establishment of the downstream more round-trip-times before the establishment of the downstream
 End of changes. 54 change blocks. 
125 lines changed or deleted 307 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/