draft-ietf-tcpm-converters-14.txt   draft-ietf-tcpm-converters-15.txt 
TCPM Working Group O. Bonaventure, Ed. TCPM Working Group O. Bonaventure, Ed.
Internet-Draft Tessares Internet-Draft Tessares
Intended status: Experimental M. Boucadair, Ed. Intended status: Experimental M. Boucadair, Ed.
Expires: May 7, 2020 Orange Expires: August 14, 2020 Orange
S. Gundavelli S. Gundavelli
Cisco Cisco
S. Seo S. Seo
Korea Telecom Korea Telecom
B. Hesmans B. Hesmans
Tessares Tessares
November 04, 2019 February 11, 2020
0-RTT TCP Convert Protocol 0-RTT TCP Convert Protocol
draft-ietf-tcpm-converters-14 draft-ietf-tcpm-converters-15
Abstract Abstract
This document specifies an application proxy, called Transport This document specifies an application proxy, called Transport
Converter, to assist the deployment of TCP extensions such as Converter, to assist the deployment of TCP extensions such as
Multipath TCP. This proxy is designed to avoid inducing extra delay Multipath TCP. A Transport Converter may provide conversion service
when involved in a network-assisted connection (that is, 0-RTT). for one or more TCP extensions. The conversion service is provided
by means of the TCP Convert Protocol (Convert).
This specification assumes an explicit model, where the proxy is
explicitly configured on hosts.
-- Editorial Note (To be removed by RFC Editor)
Please update these statements with the RFC number to be assigned to This protocol provides 0-RTT (Zero Round-Trip Time) conversion
this document: [This-RFC] service since no extra delay is induced by the protocol compared to
connections that are not proxied. Also, the Convert Protocol does
not require any encapsulation (no tunnels, whatsoever).
Please update TBA statements with the port number to be assigned to This specification assumes an explicit model, where the Transport
the 0-RTT TCP Convert Protocol. Converter is explicitly configured on hosts.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 7, 2020.
This Internet-Draft will expire on August 14, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Network-Assisted Connections: The Rationale . . . . . . . 4 1.2. Network-Assisted Connections: The Rationale . . . . . . . 4
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 6 2. Differences with SOCKSv5 . . . . . . . . . . . . . . . . . . 6
3. Architecture & Behaviors . . . . . . . . . . . . . . . . . . 7 3. Conventions and Definitions . . . . . . . . . . . . . . . . . 8
3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 7 4. Architecture & Behaviors . . . . . . . . . . . . . . . . . . 9
3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 9 4.1. Functional Elements . . . . . . . . . . . . . . . . . . . 9
3.3. Data Processing at the Transport Converter . . . . . . . 12 4.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 11
3.3.1. Base Behavior . . . . . . . . . . . . . . . . . . . . 12 4.3. Data Processing at the Transport Converter . . . . . . . 14
3.3.2. Multipath TCP Specifics . . . . . . . . . . . . . . . 14 4.4. Address Preservation vs. Address Sharing . . . . . . . . 16
4. Sample Examples . . . . . . . . . . . . . . . . . . . . . . . 15 4.4.1. Address Preservation . . . . . . . . . . . . . . . . 16
4.1. Outgoing Converter-Assisted Multipath TCP Connections . . 15 4.4.2. Address/Prefix Sharing . . . . . . . . . . . . . . . 17
4.2. Incoming Converter-Assisted Multipath TCP Connection . . 16 5. Sample Examples . . . . . . . . . . . . . . . . . . . . . . . 18
5. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 17 5.1. Outgoing Converter-Assisted Multipath TCP Connections . . 18
5.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 18 5.2. Incoming Converter-Assisted Multipath TCP Connection . . 20
5.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 18 6. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 21
5.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 18 6.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 22
5.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 19 6.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 22
5.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 20 6.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 22
5.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 20 6.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 23
5.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 21 6.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 24
5.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 23 6.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 24
5.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 24 6.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 25
5.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 24 6.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 28
6. Compatibility of Specific TCP Options with the Conversion 6.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 28
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 6.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 29
6.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 28 7. Compatibility of Specific TCP Options with the Conversion
6.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 29 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 29 7.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 32
6.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 29 7.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 33
6.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 30 7.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 33
6.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 30 7.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 34
6.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 31 7.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 34
6.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 31 7.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 34
6.9. TCP Experimental Options . . . . . . . . . . . . . . . . 31 7.7. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 35
7. Interactions with Middleboxes . . . . . . . . . . . . . . . . 31 8. Interactions with Middleboxes . . . . . . . . . . . . . . . . 35
8. Security Considerations . . . . . . . . . . . . . . . . . . . 32 9. Security Considerations . . . . . . . . . . . . . . . . . . . 36
8.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 32 9.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 36
8.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 33 9.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 37
8.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 34 9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 38
8.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 34 9.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 38
8.5. Multipath TCP-specific Considerations . . . . . . . . . . 34 9.5. Authentication Considerations . . . . . . . . . . . . . . 38
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39
9.1. Convert Service Port Number . . . . . . . . . . . . . . . 35 10.1. Convert Service Name . . . . . . . . . . . . . . . . . . 39
9.2. The Convert Protocol (Convert) Parameters . . . . . . . . 35 10.2. The Convert Protocol (Convert) Parameters . . . . . . . 39
9.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 35 10.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 40
9.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 36 10.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 41
9.2.3. Convert Error Messages . . . . . . . . . . . . . . . 36 10.2.3. Convert Error Messages . . . . . . . . . . . . . . . 41
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 42
10.1. Normative References . . . . . . . . . . . . . . . . . . 37 11.1. Normative References . . . . . . . . . . . . . . . . . . 42
10.2. Informative References . . . . . . . . . . . . . . . . . 39 11.2. Informative References . . . . . . . . . . . . . . . . . 44
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 42 Appendix A. Example Socket API Changes to Support the 0-RTT
Appendix B. Example Socket API Changes to Support the 0-RTT Convert Protocol . . . . . . . . . . . . . . . . . . 47
Convert Protocol . . . . . . . . . . . . . . . . . . 44 A.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 47
B.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 44 A.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 48
B.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 45 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 49
Appendix C. Some Design Considerations . . . . . . . . . . . . . 46 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Appendix D. Address Preservation vs. Address Sharing . . . . . . 46 Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
D.1. Address Preservation . . . . . . . . . . . . . . . . . . 46
D.2. Address/Prefix Sharing . . . . . . . . . . . . . . . . . 47
Appendix E. Differences with SOCKSv5 . . . . . . . . . . . . . . 48
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 50
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52
1. Introduction 1. Introduction
1.1. The Problem 1.1. The Problem
Transport protocols like TCP evolve regularly [RFC7414]. TCP has Transport protocols like TCP evolve regularly [RFC7414]. TCP has
been improved in different ways. Some improvements such as changing been improved in different ways. Some improvements such as changing
the initial window size [RFC6928] or modifying the congestion control the initial window size [RFC6928] or modifying the congestion control
scheme can be applied independently on clients and servers. Other scheme can be applied independently on clients and servers. Other
skipping to change at page 5, line 5 skipping to change at page 4, line 47
1.2. Network-Assisted Connections: The Rationale 1.2. Network-Assisted Connections: The Rationale
This document specifies an application proxy, called Transport This document specifies an application proxy, called Transport
Converter. A Transport Converter is a function that is installed by Converter. A Transport Converter is a function that is installed by
a network operator to aid the deployment of TCP extensions and to a network operator to aid the deployment of TCP extensions and to
provide the benefits of such extensions to clients. A Transport provide the benefits of such extensions to clients. A Transport
Converter may provide conversion service for one or more TCP Converter may provide conversion service for one or more TCP
extensions. Which TCP extensions are eligible to the conversion extensions. Which TCP extensions are eligible to the conversion
service is deployment-specific. The conversion service is provided service is deployment-specific. The conversion service is provided
by means of the 0-RTT TCP Convert Protocol (Convert), that is an by means of the 0-RTT TCP Convert Protocol (Convert), that is an
application-layer protocol which uses TCP port number TBA application-layer protocol which uses a dedicated TCP port number.
(Section 9).
The Convert Protocol provides 0-RTT (Zero Round-Trip Time) conversion The Convert Protocol provides 0-RTT (Zero Round-Trip Time) conversion
service since no extra delay is induced by the protocol compared to service since no extra delay is induced by the protocol compared to
connections that are not proxied. Particularly, the Convert Protocol connections that are not proxied. Particularly, the Convert Protocol
does not require extra signaling setup delays before making use of does not require extra signaling setup delays before making use of
the conversion service. The Convert Protocol does not require any the conversion service. The Convert Protocol does not require any
encapsulation (no tunnels, whatsoever). encapsulation (no tunnels, whatsoever).
The Transport Converter adheres to the main principles drawn in The Transport Converter adheres to the main principles drawn in
[RFC1919]. In particular, a Transport Converter achieves the [RFC1919]. In particular, a Transport Converter achieves the
skipping to change at page 6, line 16 skipping to change at page 6, line 6
configured with one or a list of Transport Converters (statically or configured with one or a list of Transport Converters (statically or
through protocols such as [I-D.boucadair-tcpm-dhc-converter]). through protocols such as [I-D.boucadair-tcpm-dhc-converter]).
Configuration means are outside the scope of this document. Configuration means are outside the scope of this document.
The use of a Transport Converter means that there is no end-to-end The use of a Transport Converter means that there is no end-to-end
transport connection between the client and server. This could transport connection between the client and server. This could
potentially create problems in some scenarios such as those discussed potentially create problems in some scenarios such as those discussed
in Section 4 of [RFC3135]. Some of these problems may not be in Section 4 of [RFC3135]. Some of these problems may not be
applicable, for example, a Transport Converter can inform a client by applicable, for example, a Transport Converter can inform a client by
means of Network Failure (65) or Destination Unreachable (97) error means of Network Failure (65) or Destination Unreachable (97) error
messages (Section 5.2.8) that it encounters a failure problem; the messages (Section 6.2.8) that it encounters a failure problem; the
client can react accordingly. An endpoint, or its network client can react accordingly. An endpoint, or its network
administrator, can assess the benefit provided by the Transport administrator, can assess the benefit provided by the Transport
Converter service versus the risk. This is one reason why the Converter service versus the risk. This is one reason why the
Transport Converter functionality has to be explicitly requested by Transport Converter functionality has to be explicitly requested by
an endpoint. an endpoint.
This document is organized as follows. First, Section 3 provides a This document is organized as follows. First, Section 2 provides a
brief explanation of the operation of Transport Converters. Then, brief overview of the differences between the well-known SOCKS
Section 5 describes the Convert Protocol. Section 6 discusses how protocol and the 0-RTT Convert protocol. Section 4 provides a brief
explanation of the operation of Transport Converters. Then,
Section 6 describes the Convert Protocol. Section 7 discusses how
Transport Converters can be used to support different TCP extensions. Transport Converters can be used to support different TCP extensions.
Section 7 then discusses the interactions with middleboxes, while Section 8 then discusses the interactions with middleboxes, while
Section 8 focuses on the security considerations. Section 9 focuses on the security considerations. Appendix A
describes how a TCP stack would need to support the protocol
described in this document.
Appendix B describes how a TCP stack would need to support the 2. Differences with SOCKSv5
protocol described in this document. Appendix C records some
considerations that impacted the design of the protocol. Appendix E
provides a comparison with SOCKS proxies that are already used to
deploy Multipath TCP in some cellular networks (Section 2.2 of
[RFC8041]).
2. Conventions and Definitions Several IETF protocols provide proxy services; the closest to the
0-RTT Convert protocol being the SOCKSv5 protocol [RFC1928]. This
protocol is already used to deploy Multipath TCP in some cellular
networks (Section 2.2 of [RFC8041]).
A SOCKS Client creates a connection to a SOCKS Proxy, exchanges
authentication information, and indicates the IP address and port
number of the target Server. At this point, the SOCKS Proxy creates
a connection towards the target Server and relays all data between
the two proxied connections. The operation of an implementation
based on SOCKSv5 (without authentication) is illustrated in Figure 1.
Client SOCKS Proxy Server
| | |
| --------------------> | |
| SYN | |
| <-------------------- | |
| SYN+ACK | |
| --------------------> | |
| ACK | |
| | |
| --------------------> | |
|Version=5, Auth Methods| |
| <-------------------- | |
| Method | |
| --------------------> | |
|Auth Request (unless "No auth" method negotiated)
| <-------------------- | |
| Auth Response | |
| --------------------> | |
| Connect Server:Port | --------------------> |
| | SYN |
| | <-------------------- |
| | SYN+ACK |
| <-------------------- | |
| Succeeded | |
| --------------------> | |
| Data1 | |
| | --------------------> |
| | Data1 |
| | <-------------------- |
| | Data2 |
| <-------------------- | |
| Data2 | |
...
Figure 1: Establishment of a TCP Connection through a SOCKS Proxy
Without Authentication
When SOCKS is used, an "end-to-end" connection between a Client and a
Server becomes a sequence of two TCP connections that are glued
together on the SOCKS Proxy. The SOCKS Client and Server exchange
control information at the beginning of the bytestream on the Client-
Proxy connection. The SOCKS Proxy then creates the connection with
the target Server and then glues the two connections together so that
all bytes sent by the application (Client) to the SOCKS Proxy are
relayed to the Server and vice versa.
The Convert Protocol is also used on TCP proxies that relay data
between an upstream and a downstream connection, but there are
important differences with SOCKSv5. A first difference is that the
0-RTT Convert protocol exchanges all the control information during
the initial RTT. This reduces the connection establishment delay
compared to SOCKS which requires two or more round-trip-times before
the establishment of the downstream connection towards the final
destination. In today's Internet, latency is a important metric and
various protocols have ben tuned to reduce their latency
[I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS
leverages the TFO (TCP Fast Open) option
[I-D.olteanu-intarea-socks-6] to reduce this delay.
A second difference is that the Convert Protocol explicitly takes the
TCP extensions into account. By using the Convert Protocol, the
Client can learn whether a given TCP extension is supported by the
destination Server. This enables the Client to bypass the Transport
Converter when the Server supports the required TCP extension(s).
Neither SOCKSv5 [RFC1928] nor the proposed SOCKSv6
[I-D.olteanu-intarea-socks-6] provide such a feature.
A third difference is that a Transport Converter will only confirm
the establishment of the connection initiated by the Client provided
that the downstream connection has already been accepted by the
Server. If the Server refuses the connection establishment attempt
from the Transport Converter, then the upstream connection from the
Client is rejected as well. This feature is important for
applications that check the availability of a Server or use the time
to connect as a hint on the selection of a Server [RFC8305].
A fourth difference is that the 0-RTT Convert protocol only allows
the Client to specify the IP address/port number of the destination
server and not a DNS name. We evaluated an alternate design that
included the DNS name of the remote peer instead of its IP address as
in SOCKS [RFC1928]. However, that design was not adopted because it
induces both an extra load and increased delays on the Transport
Converter to handle and manage DNS resolution requests.
3. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all 14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
The information shown between brackets in the figures refers to 4. Architecture & Behaviors
Convert Protocol messages described in Section 5.
Only the exchange of control messages is depicted in the figures.
3. Architecture & Behaviors
3.1. Functional Elements 4.1. Functional Elements
The Convert Protocol considers three functional elements: The Convert Protocol considers three functional elements:
o Clients; o Clients;
o Transport Converters; o Transport Converters;
o Servers. o Servers.
A Transport Converter is a network function that proxies all data A Transport Converter is a network function that proxies all data
exchanged over one upstream connection to one downstream connection exchanged over one upstream connection to one downstream connection
and vice versa (Figure 1). The Transport Converter, thus, maintains and vice versa (Figure 2). The Transport Converter, thus, maintains
state that associates one upstream connection to a corresponding state that associates one upstream connection to a corresponding
downstream connection. downstream connection.
A connection can be initiated from both sides of the Transport A connection can be initiated from both sides of the Transport
Converter (Internet-facing interface, customer-facing interface). Converter (Internet-facing interface, customer-facing interface).
| |
: :
| |
+------------+ +------------+
Client <- upstream ->| Transport |<- downstream -> Server Client <- upstream ->| Transport |<- downstream -> Server
connection | Converter | connection connection | Converter | connection
+------------+ +------------+
| |
customer-facing interface : Internet-facing interface customer-facing interface : Internet-facing interface
| |
Figure 1: A Transport Converter Proxies Data between Pairs of TCP Figure 2: A Transport Converter Proxies Data between Pairs of TCP
Connections Connections
"Client" refers to a software instance embedded on a host that can "Client" refers to a software instance embedded on a host that can
reach a Transport Converter via its customer-facing interface. The reach a Transport Converter via its customer-facing interface. The
"Client" can initiate connections via a Transport Converter (referred "Client" can initiate connections via a Transport Converter (referred
to as outgoing connections (Section 4.1)). Also, the "Client" can to as outgoing connections). Also, the "Client" can accept incoming
accept incoming connections via a Transport Converter (referred to as connections via a Transport Converter (referred to as incoming
incoming connections (Section 4.2)). connections).
Transport Converters can be operated by network operators or third Transport Converters can be operated by network operators or third
parties. Nevertheless, this document focuses on the single parties. Nevertheless, this document focuses on the single
administrative deployment case where the entity offering the administrative deployment case where the entity offering the
connectivity service to a client is also the entity which owns and connectivity service to a client is also the entity which owns and
operates the Transport Converter. operates the Transport Converter.
A Transport Converter can be embedded in a standalone device or be A Transport Converter can be embedded in a standalone device or be
activated as a service on a router. How such function is enabled is activated as a service on a router. How such function is enabled is
deployment-specific. A sample deployment is depicted in Figure 2. deployment-specific.
+-+ +-+ +-+
Client - |R| -- |R| -- |R| - - - Server
+-+ +-+ +-+
|
+-+
|R|
+-+
|
+---------+
|Transport|
|Converter|
+---------+
R: Router
Figure 2: A Transport Converter Can Be Installed Anywhere in the
Network
The architecture assumes that new software will be installed on the The architecture assumes that new software will be installed on the
Client hosts to interact with one or more Transport Converters. Client hosts to interact with one or more Transport Converters.
Furthermore, the architecture allows for making use of new TCP Furthermore, the architecture allows for making use of new TCP
extensions even if those are not supported by a given server. extensions even if those are not supported by a given server.
A Client is configured, through means that are outside the scope of A Client is configured, through means that are outside the scope of
this document, with the names and/or the addresses of one or more this document, with the names and/or the addresses of one or more
Transport Converters and the TCP extensions that they support. The Transport Converters and the TCP extensions that they support. The
procedure for selecting a Transport Converter among a list of procedure for selecting a Transport Converter among a list of
configured Transport Converters is outside the scope of this configured Transport Converters is outside the scope of this
document. document.
One of the benefits of this design is that different transport One of the benefits of this design is that different transport
protocol extensions can be used on the upstream and the downstream protocol extensions can be used on the upstream and the downstream
connections. This encourages the deployment of new TCP extensions connections. This encourages the deployment of new TCP extensions
until they are widely supported by servers, in particular. until they are widely supported by servers, in particular.
The architecture does not mandate anything on the Server side. The architecture does not mandate anything on the Server side.
Similar to address sharing mechanisms, the architecture does not Similar to SOCKS, the architecture does not interfere with end-to-end
interfere with end-to-end TLS connections [RFC8446] between the TLS connections [RFC8446] between the Client and the Server
Client and the Server (Figure 3). In other words, end-to-end TLS is (Figure 3). In other words, end-to-end TLS is supported in the
supported in the presence of a Converter. presence of a Converter.
Client Transport Server Client Transport Server
| Converter | | Converter |
| | | | | |
/==========================================\ /==========================================\
| End-to-end TLS | | End-to-end TLS |
\==========================================/ \==========================================/
* TLS messages exchanged between the Client * TLS messages exchanged between the Client
and the Server are not shown. and the Server are not shown.
Figure 3: End-to-end TLS via a Transport Converter Figure 3: End-to-end TLS via a Transport Converter
It is out of scope of this document to elaborate on specific It is out of scope of this document to elaborate on specific
considerations related to the use of TLS in the Client-Converter considerations related to the use of TLS in the Client-Converter
connection leg to exchange Convert messages (in addition to the end- connection leg to exchange Convert messages (in addition to the end-
to-end TLS connection). to-end TLS connection).
3.2. Theory of Operation 4.2. Theory of Operation
At a high level, the objective of the Transport Converter is to allow At a high level, the objective of the Transport Converter is to allow
the use a specific extension, e.g., Multipath TCP, on a subset of the the use a specific extension, e.g., Multipath TCP, on a subset of the
path even if the peer does not support this extension. This is path even if the peer does not support this extension. This is
illustrated in Figure 4 where the Client initiates a Multipath TCP illustrated in Figure 4 where the Client initiates a Multipath TCP
connection with the Transport Converter (packets belonging to the connection with the Transport Converter (packets belonging to the
Multipath TCP connection are shown with "===") while the Transport Multipath TCP connection are shown with "===") while the Transport
Converter uses a regular TCP connection with the Server. Converter uses a regular TCP connection with the Server.
Client Transport Server Client Transport Server
skipping to change at page 9, line 44 skipping to change at page 11, line 27
| | | | | |
|==================>|--------------------->| |==================>|--------------------->|
| | | | | |
|<==================|<---------------------| |<==================|<---------------------|
| | | | | |
Multipath TCP packets Regular TCP packets Multipath TCP packets Regular TCP packets
Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP
Connection Connection
The packets belonging to the pair of connections between the Client The packets belonging to a connection established through a Transport
and Server passing through a Transport Converter may follow a Converter may follow a different path than the packets directly
different path than the packets directly exchanged between the Client exchanged between the Client and the Server. Deployments should
and the Server. Deployments should minimize the possible additional minimize the possible additional delay by carefully selecting the
delay by carefully selecting the location of the Transport Converter location of the Transport Converter used to reach a given
used to reach a given destination. destination.
When establishing a connection, the Client can, depending on local When establishing a connection, the Client can, depending on local
policies, either contact the Server directly (e.g., by sending a TCP policies, either contact the Server directly (e.g., by sending a TCP
SYN towards the Server) or create the connection via a Transport SYN towards the Server) or create the connection via a Transport
Converter. In the latter case (that is, the conversion service is Converter. In the latter case (that is, the conversion service is
used), the Client initiates a connection towards the Transport used), the Client initiates a connection towards the Transport
Converter and indicates the IP address and port number of the Server Converter and indicates the IP address and port number of the Server
within the connection establishment packet. Doing so enables the within the connection establishment packet. Doing so enables the
Transport Converter to immediately initiate a connection towards that Transport Converter to immediately initiate a connection towards that
Server, without experiencing an extra delay. The Transport Converter Server, without experiencing an extra delay. The Transport Converter
skipping to change at page 10, line 22 skipping to change at page 12, line 5
establish the connection before confirming it to the Client. establish the connection before confirming it to the Client.
The Client places the destination address and port number of the The Client places the destination address and port number of the
Server in the payload of the SYN sent to the Transport Converter to Server in the payload of the SYN sent to the Transport Converter to
minimize connection establishment delays. The Transport Converter minimize connection establishment delays. The Transport Converter
maintains two connections that are combined together: maintains two connections that are combined together:
o the upstream connection is the one between the Client and the o the upstream connection is the one between the Client and the
Transport Converter. Transport Converter.
o the downstream connection is between the Transport Converter and o the downstream connection is the one between the Transport
the Server. Converter and the Server.
Any user data received by the Transport Converter over the upstream Any user data received by the Transport Converter over the upstream
(or downstream) connection is proxied over the downstream (or (or downstream) connection is proxied over the downstream (or
upstream) connection. In particular, if the initial SYN message upstream) connection. In particular, if the initial SYN message
contains data in its payload (e.g., [RFC7413]), that data MUST be contains user data in its payload (e.g., [RFC7413]), that data MUST
placed right after the Convert TLVs when generating the SYN. be placed right after the Convert TLVs when generating the SYN.
The Converter associates a lifetime with state entries used to bind
an upstream connection with its downstream connection.
Figure 5 illustrates the establishment of an outgoing TCP connection Figure 5 illustrates the establishment of an outgoing TCP connection
by a Client through a Transport Converter. by a Client through a Transport Converter.
o Note: The information shown between brackets in Figure 5 (and
other figures in the document) refers to Convert Protocol messages
described in Section 6.
Transport Transport
Client Converter Server Client Converter Server
| | | | | |
|SYN [->Server:port]| SYN | |SYN [->Server:port]| SYN |
|------------------>|--------------------->| |------------------>|--------------------->|
|<------------------|<---------------------| |<------------------|<---------------------|
| SYN+ACK [ ] | SYN+ACK | | SYN+ACK [ ] | SYN+ACK |
| ... | ... | | ... | ... |
Figure 5: Establishment of an Outgoing TCP Connection Through a Figure 5: Establishment of an Outgoing TCP Connection Through a
skipping to change at page 11, line 15 skipping to change at page 12, line 47
Server. If this upstream connection succeeds, the Transport Server. If this upstream connection succeeds, the Transport
Converter confirms the establishment of the connection to the Client Converter confirms the establishment of the connection to the Client
by returning a SYN+ACK and the first bytes of the bytestream contain by returning a SYN+ACK and the first bytes of the bytestream contain
information about the TCP options that were negotiated with the information about the TCP options that were negotiated with the
Server. Also, a state entry is instantiated for this connection. Server. Also, a state entry is instantiated for this connection.
This state entry is used by the Converter to handle subsequent This state entry is used by the Converter to handle subsequent
messages belonging to the connection. messages belonging to the connection.
The connection can also be established from the Internet towards a The connection can also be established from the Internet towards a
Client via a Transport Converter (Figure 6). This is typically the Client via a Transport Converter (Figure 6). This is typically the
case when an application on the Client listens to a specific port case when the Client hosts an application server that listens to a
(the Client hosts an application server, typically). When the specific port number. When the Converter receives an incoming SYN
Converter receives an incoming SYN from a remote host, it checks if from a remote host, it checks if it can provide the conversion
it can provide the conversion service for the destination IP address service for the destination IP address and destination port number of
and destination port number of that SYN. If the check fails, the that SYN. The Transport Converter receives this SYN because it is,
packet is silently ignored by the Converter. If the check is for example, on the path between the remote host and the Client or it
successful, the Converter inserts the source IP address and source provides address sharing service for the Client. If the check fails,
port number in the SYN packet, rewrites the source IP address to one the packet is silently ignored by the Converter. If the check is
of its IP addresses and, eventually (i.e., only when the Converter is successful, the Converter tries to initiate a TCP connection towards
configured in an address sharing mode), the destination IP address the Client from its own address and using its configured TCP options.
and port number in accordance with any information stored locally. In the SYN that corresponds to this connection attempt, the Transport
That SYN is then forwarded to the next hop. A transport session Convert inserts a TLV message that indicates the source address and
entry is created by the Converter for this connection. SYN+ACK and port number of the remote host. A transport session entry is created
ACK will be then exchanged between the Client, the Converter, and by the Converter for this connection. SYN+ACK and ACK will be then
remote host to confirm the establishment of the connection. The exchanged between the Client, the Converter, and remote host to
Converter uses the transport session entry to proxy packets belonging confirm the establishment of the connection. The Converter uses the
to the connection. transport session entry to proxy packets belonging to the connection.
Transport Remote Transport Remote
Client Converter Host (RH) Client Converter Host (RH)
| | | | | |
|SYN [<-RH IP@:port]| SYN | |SYN [<-RH IP@:port]| SYN |
|<------------------|<---------------------| |<------------------|<---------------------|
|------------------>|--------------------->| |------------------>|--------------------->|
| SYN+ACK [ ] | SYN+ACK | | SYN+ACK [ ] | SYN+ACK |
| ... | ... | | ... | ... |
Figure 6: Establishment of an Incoming TCP Connection Through a Figure 6: Establishment of an Incoming TCP Connection Through a
Transport Converter Transport Converter
skipping to change at page 12, line 22 skipping to change at page 14, line 6
as noted in Section 7.3 of [RFC7413] where it is possible to accept as noted in Section 7.3 of [RFC7413] where it is possible to accept
the payload of SYN packets without creating additional security risks the payload of SYN packets without creating additional security risks
such as a network where addresses cannot be spoofed and the Transport such as a network where addresses cannot be spoofed and the Transport
Converter only serves a set of hosts that are identified by these Converter only serves a set of hosts that are identified by these
addresses. addresses.
For these reasons, this specification does not mandate the use of the For these reasons, this specification does not mandate the use of the
TCP Fast Open option when the Client sends a connection establishment TCP Fast Open option when the Client sends a connection establishment
packet towards a Transport Converter. The Convert Protocol includes packet towards a Transport Converter. The Convert Protocol includes
an optional Cookie TLV that provides similar protection as the TCP an optional Cookie TLV that provides similar protection as the TCP
Fast Open option without consuming space in the extended TCP header. Fast Open option without consuming space in the TCP header.
In particular, this design allows for the use of longer cookies. Furthermore, this design allows for the use of longer cookies than
[RFC7413].
If the downstream (or upstream) connection fails for some reason If the downstream (or upstream) connection fails for some reason
(excessive retransmissions, reception of an RST segment, etc.), then (excessive retransmissions, reception of an RST segment, etc.), then
the Converter should force the tear-down of the upstream (or the Converter reacts by forcing the tear-down of the upstream (or
downstream) connection. downstream) connection.
The same reasoning applies when the upstream connection ends. In The same reasoning applies when the upstream connection ends with an
this case, the Converter should also terminate the downstream exchange of FIN packets. In this case, the Converter should also
connection by using FIN segments. If the downstream connection terminate the downstream connection by using FIN packets. If the
terminates with the exchange of FIN segments, the Converter should downstream connection terminates with the exchange of FIN packets,
initiate a graceful termination of the upstream connection. the Converter should initiate a graceful termination of the upstream
connection.
3.3. Data Processing at the Transport Converter
3.3.1. Base Behavior 4.3. Data Processing at the Transport Converter
As mentioned in Section 3.2, the Transport Converter acts as a TCP As mentioned in Section 4.2, the Transport Converter acts as a TCP
proxy between the upstream connection (i.e., between the Client and proxy between the upstream connection (i.e., between the Client and
the Transport Converter) and the downstream connection (i.e., between the Transport Converter) and the downstream connection (i.e., between
the Transport Converter and the Server). the Transport Converter and the Server).
The control messages, discussed in Section 5, establish state The control messages, discussed in Section 6, establish state
(called, transport session entry) in the Transport Converter that (called, transport session entry) in the Transport Converter that
will enable it to proxy between the two TCP connections. will enable it to proxy between the two TCP connections.
The Transport Converter uses the transport session entry to proxy The Transport Converter uses the transport session entry to proxy
packets belonging to the connection. An implementation example of a packets belonging to the connection. An implementation example of a
transport session entry for TCP connections is shown in Figure 7. transport session entry for TCP connections is shown in Figure 7.
(C,c) <--> (T,t), (S,s), Lifetime (C,c) <--> (T,t), (S,s), Lifetime
Where: Where:
* C and c are the source IP address and source port number * C and c are the source IP address and source port number
used by the Client for the upstream connection. used by the Client for the upstream connection.
* S and s are the Server's IP address and port number. * S and s are the Server's IP address and port number.
* T and t are the source IP address and source port number * T and t are the source IP address and source port number
used by the Transport Converter to proxy the connection. used by the Transport Converter to proxy the connection.
* Lifetime is the validity lifetime of the entry as assigned * Lifetime is the validity lifetime of the entry as assigned
by the Converter. by the Converter.
Figure 7: An Example of Transport Session Entry (TCP) Figure 7: An Example of Transport Session Entry (TCP)
Clients send packets bound to connections eligible to the conversion Clients send packets bound to connections eligible to the conversion
service to the provisioned Transport Converter using TBA as service to the provisioned Transport Converter and destination port
destination port number. This applies for both control messages and number. This applies for both control messages and data. Additional
data. Additional information is supplied by Clients to the Transport information is supplied by Clients to the Transport Converter by
Converter by means of Convert messages as detailed in Section 5. means of Convert messages as detailed in Section 6. User data can be
User data can be included in SYN or non-SYN messages. User data is included in SYN or non-SYN messages. User data is unambiguously
unambiguously distinguished from Convert TLVs by a Transport distinguished from Convert TLVs by a Transport Converter owing to the
Converter owing to the Convert Fixed Header in the Convert messages Convert Fixed Header in the Convert messages (Section 6.1). These
(Section 5.1). These Convert TLVs are destined to the Transport Convert TLVs are destined to the Transport Convert and are, thus,
Convert and are, thus, removed by the Transport Converter when removed by the Transport Converter when proxying between the two
proxying between the two connections. connections.
Upon receipt of a Non-SYN (or a secondary subflow for Multipath TCP) Upon receipt of a packet that belongs to an existing connection
on port number TBA by the Transport Converter from a Client, the between a Client and the Transport Converter the Converter proxies
Converter checks if the packet matches an active transport session the user data to the Server using the information stored in the
entry. If no entry is found, the Transport Converter MUST silently corresponding transport session entry. For example, in reference to
ignore the packet. If an entry is found, the user data is proxied to Figure 7, the Transport Converter proxies the data received from (C,
the Server using the information stored in the corresponding c) downstream using (T,t) as source transport address and (S,s) as
transport session entry. For example, in reference to Figure 7, the destination transport address.
Transport Converter proxies the data received from (C, c) downstream
using (T,t) as source transport address and (S,s) as destination
transport address.
A similar process happens for data sent from the Server. The A similar process happens for data sent from the Server. The
Converter acts as a TCP proxy and sends the data to the Client Converter acts as a TCP proxy and sends the data to the Client
relying upon the information stored in a transport session entry. relying upon the information stored in a transport session entry.
The Converter associates a lifetime with state entries used to bind
an upstream connection with its downstream connection.
Considerations that are specific to Multipath TCP are described in When Multipath TCP is used between the Client and the Transport
Section 3.3.2. Converter, the Converter maintains more state (e.g. information about
the subflows) for each Multipath TCP connection. The procedure
described above continues to apply except that the Converter needs to
manage the establishment/termination of subflows and schedule packets
among the established ones. These operations are part of the
Multipath TCP implementation. They are independent of the Convert
protocol that only processes the Convert messages in the beginning of
the bytestream.
A Transport Converter may operate in address preservation mode (that A Transport Converter may operate in address preservation mode (that
is, the Converter does not rewrite the source IP address (i.e., is, the Converter does not rewrite the source IP address (i.e.,
C==T)) or address sharing mode (that is, an address pool is shared C==T)) or address sharing mode (that is, an address pool is shared
among all Clients serviced by the Converter (i.e., C!=T)); refer to among all Clients serviced by the Converter (i.e., C!=T)); refer to
Appendix D for more details. Which behavior to use by a Transport Section 4.4 for more details. Which behavior to use by a Transport
Converter is deployment-specific. If address sharing mode is Converter is deployment-specific. If address sharing mode is
enabled, the Transport Converter MUST adhere to REQ-2 of [RFC6888] enabled, the Transport Converter MUST adhere to REQ-2 of [RFC6888]
which implies a default "IP address pooling" behavior of "Paired" (as which implies a default "IP address pooling" behavior of "Paired" (as
defined in Section 4.1 of [RFC4787]) must be supported. This defined in Section 4.1 of [RFC4787]) MUST be supported. This
behavior is meant to avoid breaking applications that depend on the behavior is meant to avoid breaking applications that depend on the
source address remaining constant. source address remaining constant.
3.3.2. Multipath TCP Specifics 4.4. Address Preservation vs. Address Sharing
Note that for the Multipath TCP case, the Convert TLVs are only The Transport Converter is provided with instructions about the
exchanged during the establishment of the initial subflow. behavior to adopt with regards to the processing of source addresses
of outgoing packets. The following sub-sections discusses two
deployment models for illustration purposes. It is out of the scope
of this document to make a recommendation.
The Transport Converter identifies an MPTCP connection by means, 4.4.1. Address Preservation
e.g., of the token assigned to the MPTCP connection (Section 2.2 of
[RFC6824]). An implementation example of an MPTCP transport session
entry maintained by a Transport Converter is shown in Figure 8. The
entry needs to be updated whenever subflows are added to, or deleted
from, the MPTCP connection.
token, {(C1,c1), .., (Cn, cn)} <--> (T,t), (S,s), Lifetime In this model, the visible source IP address of a packet proxied by a
Transport Converter to a Server is an IP address of the end host
(Client). No dedicated IP address pool is provisioned to the
Transport Converter, but the the Transport Converter is located on
the path between the Client and the Server.
Where: For Multipath TCP, the Transport Converter preserves the source IP
* Token is a locally unique identifier given to a (upstream) address used by the Client when establishing the initial subflow.
multipath connection by the Transport Converter. The token Data conveyed in secondary subflows will be proxied by the Transport
is a one-way hash of the MPTCP key. Converter using the source IP address of the initial subflow. An
* Ci and ci are the source IP address and source port number example of a proxied Multipath TCP connection with address
used by the Client for a subflow of an (upstream) MPTCP preservation is shown in Figure 8.
connection.
* S and s are the Server's IP address and port number.
* T and t are the source IP address and source port number
used by the Transport Converter to proxy the connection.
* Lifetime is the validity lifetime of the entry as assigned
by the Converter.
Figure 8: An Example of MPTCP Transport Session Entry Transport
Client Converter Server
Upon receipt of a secondary subflow by the Transport Converter from a @:C1,C2 @:Tc @:S
Client, the Converter follows the same behavior specified in || | |
Section 3.3.1 for processing Non-SYNs. For example, in reference to |src:C1 SYN dst:Tc|src:C1 dst:S|
Figure 8, the Transport Converter proxies the data received from a |-------MPC [->S:port]------->|-------SYN------->|
new subflow of an existing Multipath TCP connection (Cn, cn) || | |
downstream using (T,t) as source transport address and (S,s) as ||dst:C1 src:Tc|dst:C1 src:S|
destination transport address. |<---------SYN/ACK------------|<-----SYN/ACK-----|
|| | |
|src:C1 dst:Tc|src:C1 dst:S|
|------------ACK------------->|-------ACK------->|
| | |
|src:C2 ... dst:Tc| ... |
||<-----Secondary Subflow---->|src:C1 dst:S|
|| |-------data------>|
| .. | ... |
4. Sample Examples Legend:
Tc: IP address used by the Transport Converter on its customer-facing
interface.
4.1. Outgoing Converter-Assisted Multipath TCP Connections Figure 8: Example of Address Preservation
The Transport Converter must be on the forwarding path of incoming
traffic. Because the same (destination) IP address is used for both
proxied and non-proxied connections, the Transport Converter should
not drop incoming packets it intercepts if no matching entry is found
for the packets. Unless explicitly configured otherwise, such
packets are forwarded according to the instructions of a local
forwarding table.
4.4.2. Address/Prefix Sharing
A pool of global IPv4 addresses is provisioned to the Transport
Converter along with possible instructions about the address sharing
ratio to apply (see Appendix B of [RFC6269]). An address is thus
shared among multiple clients.
Likewise, rewriting the source IPv6 prefix [RFC6296] may be used to
ease redirection of incoming IPv6 traffic towards the appropriate
Transport Converter. A pool of IPv6 prefixes is then provisioned to
the Transport Converter for this purpose.
Adequate forwarding policies are enforced so that traffic destined to
an address of such pool is intercepted by the appropriate Transport
Converter. Unlike Section 4.4.1, the Transport Converter drops
incoming packets which do not match an active transport session
entry.
An example is shown in Figure 9.
Transport
Client Converter Server
@:C @:Tc|Te @:S
| | |
|src:C dst:Tc|src:Te dst:S|
|-------SYN [->S:port]------->|-------SYN------->|
| | |
|dst:C src:Tc|dst:Te src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----|
| | |
|src:C dst:Tc|src:Te dst:S|
|------------ACK------------->|-------ACK------->|
| | |
| ... | ... |
Legend:
Tc: IP address used by the Transport Converter for its customer-facing
interface.
Te: IP address used by the Transport Converter for its Internet-facing
interface.
Figure 9: Address Sharing
5. Sample Examples
5.1. Outgoing Converter-Assisted Multipath TCP Connections
As an example, let us consider how the Convert Protocol can help the As an example, let us consider how the Convert Protocol can help the
deployment of Multipath TCP. We assume that both the Client and the deployment of Multipath TCP. We assume that both the Client and the
Transport Converter support Multipath TCP, but consider two different Transport Converter support Multipath TCP, but consider two different
cases depending on whether the Server supports Multipath TCP or not. cases depending on whether the Server supports Multipath TCP or not.
As a reminder, a Multipath TCP connection is created by placing the As a reminder, a Multipath TCP connection is created by placing the
MP_CAPABLE (MPC) option in the SYN sent by the Client. MP_CAPABLE (MPC) option in the SYN sent by the Client.
Figure 9 describes the operation of the Transport Converter if the Figure 10 describes the operation of the Transport Converter if the
Server does not support Multipath TCP. Server does not support Multipath TCP.
Transport Transport
Client Converter Server Client Converter Server
|SYN, | | |SYN, MPC | |
|MPC [->Server:port]| SYN, MPC | |[->Server:port] | SYN, MPC |
|------------------>|--------------------->| |------------------>|--------------------->|
|<------------------|<---------------------| |<------------------|<---------------------|
| SYN+ACK,MPC [.] | SYN+ACK | | SYN+ACK,MPC [.] | SYN+ACK |
|------------------>|--------------------->| |------------------>|--------------------->|
| ACK, MPC | ACK | | ACK, MPC | ACK |
| ... | ... | | ... | ... |
Figure 9: Establishment of a Multipath TCP Connection Through a Figure 10: Establishment of a Multipath TCP Connection through a
Transport Converter towards a Server that Does Not Support Multipath Transport Converter towards a Server that does not support Multipath
TCP TCP
The Client tries to initiate a Multipath TCP connection by sending a The Client tries to initiate a Multipath TCP connection by sending a
SYN with the MP_CAPABLE option (MPC in Figure 9). The SYN includes SYN with the MP_CAPABLE option (MPC in Figure 10). The SYN includes
the address and port number of the target Server, that are extracted the address and port number of the target Server, that are extracted
and used by the Transport Converter to initiate a Multipath TCP and used by the Transport Converter to initiate a Multipath TCP
connection towards this Server. Since the Server does not support connection towards this Server. Since the Server does not support
Multipath TCP, it replies with a SYN+ACK that does not contain the Multipath TCP, it replies with a SYN+ACK that does not contain the
MP_CAPABLE option. The Transport Converter notes that the connection MP_CAPABLE option. The Transport Converter notes that the connection
with the Server does not support Multipath TCP and returns the with the Server does not support Multipath TCP and returns the
extended TCP header received from the Server to the Client. extended TCP header received from the Server to the Client.
Note that, if the TCP connection fails for some reason, the Converter Note that, if the TCP connection is reset for some reason, the
tears down the Multipath TCP connection by transmitting a Converter tears down the Multipath TCP connection by transmitting a
MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with
the transmission of DATA_FINs, the Converter terminates the TCP the transmission of DATA_FINs, the Converter terminates the TCP
connection by using FIN segments. As a side note, given that with connection by using FIN segments. As a side note, given that with
Multipath TCP, RST only has the scope of the subflow and will only Multipath TCP, RST only has the scope of the subflow and will only
close the concerned subflow but not affect the remaining subflows, close the concerned subflow but not affect the remaining subflows,
the Converter does not terminate the TCP connection upon receipt of the Converter does not terminate the downstream TCP connection upon
an RST over a Multipath subflow. receipt of an RST over a Multipath subflow.
Figure 10 considers a Server that supports Multipath TCP. In this Figure 11 considers a Server that supports Multipath TCP. In this
case, it replies to the SYN sent by the Transport Converter with the case, it replies to the SYN sent by the Transport Converter with the
MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport
Converter confirms the establishment of the connection to the Client Converter confirms the establishment of the connection to the Client
and indicates to the Client that the Server supports Multipath TCP. and indicates to the Client that the Server supports Multipath TCP.
With this information, the Client has discovered that the Server With this information, the Client has discovered that the Server
supports Multipath TCP natively. This will enable the Client to supports Multipath TCP. This will enable the Client to bypass the
bypass the Transport Converter for the subsequent Multipath TCP Transport Converter for the subsequent Multipath TCP connections that
connections that it will initiate towards this Server. it will initiate towards this Server.
Transport Transport
Client Converter Server Client Converter Server
|SYN, | | |SYN, MPC | |
|MPC [->Server:port]| SYN, MPC | |[->Server:port] | SYN, MPC |
|------------------>|--------------------->| |------------------>|--------------------->|
|<------------------|<---------------------| |<------------------|<---------------------|
|SYN+ACK, | SYN+ACK, MPC | |SYN+ACK, MPC | SYN+ACK, MPC |
|MPC [MPC supported]| | |[MPC supported] | |
|------------------>|--------------------->| |------------------>|--------------------->|
| ACK, MPC | ACK, MPC | | ACK, MPC | ACK, MPC |
| ... | ... | | ... | ... |
Figure 10: Establishment of a Multipath TCP Connection Through a Figure 11: Establishment of a Multipath TCP Connection through a
Converter Towards an MPTCP-capable Server Converter towards an MPTCP-capable Server
4.2. Incoming Converter-Assisted Multipath TCP Connection 5.2. Incoming Converter-Assisted Multipath TCP Connection
An example of an incoming Converter-assisted Multipath TCP connection An example of an incoming Converter-assisted Multipath TCP connection
is depicted in Figure 11. In order to support incoming connections is depicted in Figure 12. In order to support incoming connections
from remote hosts, the Client may use PCP [RFC6887] to instruct the from remote hosts, the Client may use PCP [RFC6887] to instruct the
Transport Converter to create dynamic mappings. Those mappings will Transport Converter to create dynamic mappings. Those mappings will
be used by the Transport Converter to intercept an incoming TCP be used by the Transport Converter to intercept an incoming TCP
connection destined to the Client and convert it into a Multipath TCP connection destined to the Client and convert it into a Multipath TCP
connection. connection.
Typically, the Client sends a PCP request to the Converter asking to Typically, the Client sends a PCP request to the Converter asking to
create an explicit TCP mapping for (internal IP address, internal create an explicit TCP mapping for (internal IP address, internal
port number). The Converter accepts the request by creating a TCP port number). The Converter accepts the request by creating a TCP
mapping (internal IP address, internal port number, external IP mapping (internal IP address, internal port number, external IP
skipping to change at page 17, line 21 skipping to change at page 21, line 9
addresses and, eventually, the destination IP address and port number addresses and, eventually, the destination IP address and port number
in accordance with the information stored in the mapping. SYN+ACK in accordance with the information stored in the mapping. SYN+ACK
and ACK will be then exchanged between the Client and the Converter and ACK will be then exchanged between the Client and the Converter
to confirm the establishment of the initial subflow. The Client can to confirm the establishment of the initial subflow. The Client can
add new subflows following normal Multipath TCP procedures. add new subflows following normal Multipath TCP procedures.
Transport Remote Transport Remote
Client Converter Host Client Converter Host
| | | | | |
|<--------------------|<-------------------| |<--------------------|<-------------------|
|SYN, | SYN | |SYN, MPC | SYN |
|MPC[Remote Host:port]| | |[Remote Host:port] | |
|-------------------->|------------------->| |-------------------->|------------------->|
| SYN+ACK, MPC | SYN+ACK | | SYN+ACK, MPC | SYN+ACK |
|<--------------------|<-------------------| |<--------------------|<-------------------|
| ACK, MPC | ACK | | ACK, MPC | ACK |
| ... | ... | | ... | ... |
Figure 11: Establishment of an Incoming Multipath TCP Connection Figure 12: Establishment of an Incoming Multipath TCP Connection
through a Transport Converter through a Transport Converter
It is out of scope of this document to define specific Convert TLVs It is out of scope of this document to define specific Convert TLVs
to manage incoming connections. These TLVs can be defined in a to manage incoming connections. These TLVs can be defined in a
separate document. separate document.
5. The Convert Protocol (Convert) 6. The Convert Protocol (Convert)
This section defines the Convert Protocol (Convert, for short) This section defines the Convert Protocol (Convert, for short)
messages that are exchanged between a Client and a Transport messages that are exchanged between a Client and a Transport
Converter. Converter.
By default, the Transport Converter listens on TCP port number TBA The Transport Converter listens on a dedicated TCP port number for
for Convert messages from Clients. Convert messages from Clients. That port number is configured by an
administrator.
Convert messages may appear only in a SYN, SYN+ACK, or ACK.
Convert messages MUST be included as the first bytes of the Convert messages MUST be included as the first bytes of the
bytestream. All Convert messages starts with a 32 bits long fixed bytestream. All Convert messages starts with a 32 bits long fixed
header (Section 5.1) followed by one or more Convert TLVs (Type, header (Section 6.1) followed by one or more Convert TLVs (Type,
Length, Value) (Section 5.2). Length, Value) (Section 6.2).
5.1. The Convert Fixed Header o Implementation note 1: Several implementers expressed concerns
about the use of TFO. As a reminder, the TFO Cookie protects from
some attack scenarios that affect open servers like web servers.
The Convert Protocol is different and, as discussed in RFC7413,
there are different ways to protect from such attacks. Instead of
using a TFO cookie inside the TCP options, which consumes precious
space in the extended TCP header, the Convert Protocol supports
the utilization of a Cookie that is placed in the SYN payload.
This provides the same level of protection as a TFO Cookie in
environments were such protection is required.
o Implementation note 2: Error messages are not included in RST but
sent in the bytestream. Implementers have indicated that
processing RST on clients was difficult on some platforms. This
design simplifies client implementations.
6.1. The Convert Fixed Header
The Convert Protocol uses a 32 bits long fixed header that is sent by The Convert Protocol uses a 32 bits long fixed header that is sent by
both the Client and the Transport Converter over each established both the Client and the Transport Converter over each established
connection. This header indicates both the version of the protocol connection. This header indicates both the version of the protocol
used and the length of the Convert message. used and the length of the Convert message.
The Client and the Transport Converter MUST send the fixed-sized The Client and the Transport Converter MUST send the fixed-sized
header, shown in Figure 12, as the first four bytes of the header, shown in Figure 13, as the first four bytes of the
bytestream. bytestream.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Version | Total Length | Unassigned | | Version | Total Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
Figure 12: The Convert Fixed Header Figure 13: The Convert Fixed Header
The Version is encoded as an 8 bits unsigned integer value. This The Version is encoded as an 8 bits unsigned integer value. This
document specifies version 1. Version 0 is reserved by this document document specifies version 1. Version 0 is reserved by this document
and MUST NOT be used. and MUST NOT be used.
The Total Length is the number of 32 bits word, including the header, The Total Length is the number of 32 bits word, including the header,
of the bytestream that are consumed by the Convert messages. Since of the bytestream that are consumed by the Convert messages. Since
Total Length is also an 8 bits unsigned integer, those messages Total Length is also an 8 bits unsigned integer, those messages
cannot consume more than 1020 bytes of data. This limits the number cannot consume more than 1020 bytes of data. This limits the number
of bytes that a Transport Converter needs to process. A Total Length of bytes that a Transport Converter needs to process. A Total Length
of zero is invalid and the connection MUST be reset upon reception of of zero is invalid and the connection MUST be reset upon reception of
a header with such total length. a header with such total length.
The Unassigned field MUST be set to zero in this version of the The Unassigned field MUST be set to zero in this version of the
protocol. These bits are available for future use [RFC8126]. protocol. These bits are available for future use.
Data added by the Convert Protocol to the TCP bytestream is The Total Length field unambiguously marks the number of 32 bits
unambiguously distinguished from payload data by the Total Length words that carry Convert TLVs in the beginning of the bytestream.
field in the Convert messages.
5.2. Convert TLVs 6.2. Convert TLVs
5.2.1. Generic Convert TLV Format 6.2.1. Generic Convert TLV Format
The Convert Protocol uses variable length messages that are encoded The Convert Protocol uses variable length messages that are encoded
using the generic TLV format depicted in Figure 13. using the generic TLV format depicted in Figure 14.
The length of all TLVs used by the Convert Protocol is always a The length of all TLVs used by the Convert Protocol is always a
multiple of four bytes. All TLVs are aligned on 32 bits boundaries. multiple of four bytes. All TLVs are aligned on 32 bits boundaries.
All TLV fields are encoded using the network byte order. All TLV fields are encoded using the network byte order.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type | Length | Value ... | | Type | Length | Value ... |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
// ... (optional) Value // // ... (optional) Value //
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 13: Convert Generic TLV Format Figure 14: Convert Generic TLV Format
The Length field covers Type, Length, and Value fields. It is The Length field covers Type, Length, and Value fields. It is
expressed in units of 32 bits words. If necessary, Value MUST be expressed in units of 32 bits words. If necessary, Value MUST be
padded with zeroes so that the length of the TLV is a multiple of 32 padded with zeroes so that the length of the TLV is a multiple of 32
bits. bits.
A given TLV MUST only appear once on a connection. If two or more A given TLV MUST only appear once on a connection. If a Client
instances of the same TLV are exchanged over a Convert connection, receives two or more instances of the same TLV over a Convert
the associated TCP connections MUST be closed. connection, it MUST reset the associated TCP connection. If a
Converter receives two or more instances of the same TLV over a
Convert connection, it MUST return a Malformed Message Error TLV and
close the associated TCP connection.
5.2.2. Summary of Supported Convert TLVs 6.2.2. Summary of Supported Convert TLVs
This document specifies the following Convert TLVs: This document specifies the following Convert TLVs:
+------+-----+----------+------------------------------------------+ +------+-----+----------+------------------------------------------+
| Type | Hex | Length | Description | | Type | Hex | Length | Description |
+------+-----+----------+------------------------------------------+ +------+-----+----------+------------------------------------------+
| 1 | 0x1 | 1 | Info TLV | | 1 | 0x1 | 1 | Info TLV |
| 10 | 0xA | Variable | Connect TLV | | 10 | 0xA | Variable | Connect TLV |
| 20 | 0x14| Variable | Extended TCP Header TLV | | 20 | 0x14| Variable | Extended TCP Header TLV |
| 21 | 0x15| Variable | Supported TCP Extensions TLV | | 21 | 0x15| Variable | Supported TCP Extensions TLV |
| 22 | 0x16| Variable | Cookie TLV | | 22 | 0x16| Variable | Cookie TLV |
| 30 | 0x1E| Variable | Error TLV | | 30 | 0x1E| Variable | Error TLV |
+------+-----+----------+------------------------------------------+ +------+-----+----------+------------------------------------------+
Figure 14: The TLVs used by the Convert Protocol Figure 15: The TLVs used by the Convert Protocol
Type 0x0 is a reserved valued. Implementations MUST discard messages Type 0x0 is a reserved value. If a Client receives a TLV of type
0x0, it MUST reset the associated TCP connection. If a Converter
receives a TLV of type 0x0, it MUST return an Unsupported Message
Error TLV and close the associated TCP connection.
Implementations MUST reset the connection upon reception of messages
with such TLV. with such TLV.
The Client typically sends in the first connection it established The Client typically sends in the first connection it established
with a Transport Converter the Info TLV (Section 5.2.3) to learn its with a Transport Converter the Info TLV (Section 6.2.3) to learn its
capabilities. Assuming the Client is authorized to invoke the capabilities. Assuming the Client is authorized to invoke the
Transport Converter, the latter replies with the Supported TCP Transport Converter, the latter replies with the Supported TCP
Extensions TLV (Section 5.2.4). Extensions TLV (Section 6.2.4).
The Client can request the establishment of connections to servers by The Client can request the establishment of connections to servers by
using the Connect TLV (Section 5.2.5). If the connection can be using the Connect TLV (Section 6.2.5). If the connection can be
established with the final server, the Transport Converter replies established with the final server, the Transport Converter replies
with the Extended TCP Header TLV (Section 5.2.6). If not, the with the Extended TCP Header TLV (Section 6.2.6). If not, the
Transport Converter returns an Error TLV (Section 5.2.8) and then Transport Converter returns an Error TLV (Section 6.2.8) and then
closes the connection. closes the connection. The Transport Converter MUST NOT send a RST
immediately after the detection of an error to let the Error TLV
reach the Client. As explained later, the Client will anyway send a
RST upon reception of the Error TLV.
When an error is encountered an Error TLV with the appropriate error When an error is encountered an Error TLV with the appropriate error
code MUST be returned by the Transport Converter. code MUST be returned by the Transport Converter.
5.2.3. The Info TLV 6.2.3. The Info TLV
The Info TLV (Figure 15) is an optional TLV which can be sent by a The Info TLV (Figure 16) is an optional TLV which can be sent by a
Client to request the TCP extensions that are supported by a Client to request the TCP extensions that are supported by a
Transport Converter. It is typically sent on the first connection Transport Converter. It is typically sent on the first connection
that a Client establishes with a Transport Converter to learn its that a Client establishes with a Transport Converter to learn its
capabilities. Assuming a Client is entitled to invoke the Transport capabilities. Assuming a Client is entitled to invoke the Transport
Converter, the latter replies with the Supported TCP Extensions TLV Converter, the latter replies with the Supported TCP Extensions TLV
described in Section 5.2.4. described in Section 6.2.4.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x1 | Length | Zero | | Type=0x1 | Length | Zero |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
Figure 15: The Info TLV Figure 16: The Info TLV
5.2.4. Supported TCP Extensions TLV 6.2.4. Supported TCP Extensions TLV
The Supported TCP Extensions TLV (Figure 16) is used by a Transport The Supported TCP Extensions TLV (Figure 17) is used by a Transport
Converter to announce the TCP options for which it provides a Converter to announce the TCP options for which it provides a
conversion service. A Transport Converter SHOULD include in this conversion service. A Transport Converter SHOULD include in this
list the TCP options that it accepts from Clients; these options are list the TCP options that it supports in outgoing SYNs.
included by the Transport Converter in the SYN packets that it sends
to initiate connections.
Each supported TCP option is encoded with its TCP option Kind listed Each supported TCP option is encoded with its TCP option Kind listed
in the "TCP Parameters" registry maintained by IANA. in the "TCP Parameters" registry maintained by IANA.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x15 | Length | Unassigned | | Type=0x15 | Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Kind #1 | Kind #2 | ... | | Kind #1 | Kind #2 | ... |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
/ ... / / ... /
/ / / /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 16: The Supported TCP Extensions TLV Figure 17: The Supported TCP Extensions TLV
TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by
all TCP implementations and thus MUST NOT appear in this list. all TCP implementations and thus MUST NOT appear in this list.
The list of Supported TCP Extensions is padded with 0 to end on a 32 The list of Supported TCP Extensions is padded with 0 to end on a 32
bits boundary. bits boundary.
For example, if the Transport Converter supports Multipath TCP, For example, if the Transport Converter supports Multipath TCP,
Kind=30 will be present in the Supported TCP Extensions TLV that it Kind=30 will be present in the Supported TCP Extensions TLV that it
returns in response to Info TLV. returns in response to Info TLV.
5.2.5. Connect TLV 6.2.5. Connect TLV
The Connect TLV (Figure 17) is used to request the establishment of a The Connect TLV (Figure 18) is used to request the establishment of a
connection via a Transport Converter. This connection can be from or connection via a Transport Converter. This connection can be from or
to a Client. to a Client.
The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain
the destination port number and IP address of the Server, for the destination port number and IP address of the Server, for
outgoing connections. For incoming connections destined to a Client outgoing connections. For incoming connections destined to a Client
serviced via a Transport Converter, these fields convey the source serviced via a Transport Converter, these fields convey the source
port number and IP address. port number and IP address of the SYN packet received by the
Transport Converter from the server.
The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4
addresses MUST be encoded using the IPv4-Mapped IPv6 Address format addresses MUST be encoded using the IPv4-Mapped IPv6 Address format
defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT
include multicast, broadcast, and host loopback addresses [RFC6890]. include multicast, broadcast, and host loopback addresses [RFC6890].
Connect TLVs witch such messages MUST be discarded by the Transport If a Converter receives a Connect TLVs witch such invalid addresses,
Converter. it MUST reply with a Malformed Message Error TLV and close the
associated TCP connection.
We distinguish two types of Connect TLV based on their length: (1) We distinguish two types of Connect TLV based on their length: (1)
the base Connect TLV has a length of 20 bytes and contains a remote the Base Connect TLV has a length of 20 bytes and contains a remote
address and a remote port, (2) the extended Connect TLV spans more address and a remote port (Figure 18), (2) the Extended Connect TLV
than 20 bytes and also includes the optional 'TCP Options' field. spans more than 20 bytes and also includes the optional 'TCP Options'
This field is used to specify how specific TCP options should be field (Figure 19). This field is used to request the advertisement
advertised by the Transport Converter to the server. of specific TCP options to the server.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0xA | Length | Remote Peer Port | | Type=0xA | Length | Remote Peer Port |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| | | |
| Remote Peer IP Address (128 bits) | | Remote Peer IP Address (128 bits) |
| | | |
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
/ TCP Options (Variable) /
/ ... /
+---------------------------------------------------------------+
Figure 17: The Connect TLV Figure 18: The Base Connect TLV
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type=0xA | Length | Remote Peer Port |
+---------------+---------------+-------------------------------+
| |
| Remote Peer IP Address (128 bits) |
| |
| |
+---------------------------------------------------------------+
/ TCP Options (Variable) /
/ ... /
+---------------------------------------------------------------+
Figure 19: The Extended Connect TLV
The 'TCP Options' field is a variable length field that carries a The 'TCP Options' field is a variable length field that carries a
list of TCP option fields (Figure 18). Each TCP option field is list of TCP option fields (Figure 20). Each TCP option field is
encoded as a block of 2+n bytes where the first byte is the TCP encoded as a block of 2+n bytes where the first byte is the TCP
option Kind and the second byte is the length of the TCP option as option Kind and the second byte is the length of the TCP option as
specified in [RFC0793]. The minimum value for the TCP option Length specified in [RFC0793]. The minimum value for the TCP option Length
is 2. The TCP options that do not include a length sub-field, i.e., is 2. The TCP options that do not include a length sub-field, i.e.,
option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be
placed inside the TCP options field of the Connect TLV. The optional placed inside the TCP options field of the Connect TLV. The optional
Value field contains the variable-length part of the TCP option. A Value field contains the variable-length part of the TCP option. A
length of two indicates the absence of the Value field. The TCP length of two indicates the absence of the Value field. The TCP
options field always ends on a 32 bits boundary after being padded options field always ends on a 32 bits boundary after being padded
with zeros. with zeros.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| TCPOpt kind | TCPOpt Length | Value (opt) | .... | | TCPOpt kind | TCPOpt Length | Value (opt) | .... |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| .... | | .... |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
| ... | | ... |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 18: The TCP Options Field Figure 20: The TCP Options Field
Upon reception of a Connect TLV, and absent any policy (e.g., rate- Upon reception of a Base Connect TLV, and absent any policy (e.g.,
limit) or resource exhaustion conditions, a Transport Converter rate-limit) or resource exhaustion conditions, a Transport Converter
attempts to establish a connection to the address and port that it attempts to establish a connection to the address and port that it
contains. The Transport Converter MUST use by default the TCP contains. The Transport Converter MUST use by default the TCP
options that correspond to its local policy to establish this options that correspond to its local policy to establish this
connection. These are the options that it advertises in the connection. These are the options that it advertises in the
Supported TCP Extensions TLV. Supported TCP Extensions TLV.
Upon reception of an extended Connect TLV, and absent any rate limit Upon reception of an Extended Connect TLV, a Transport Converter
policy or resource exhaustion conditions, a Transport Converter MUST first checks whether it supports the TCP Options listed in the 'TCP
attempt to establish a connection to the address and port that it Options' field. If not, it returns an error message (Section 6.2.8).
contains. It MUST include the options of the 'TCP Options' sub-field If the above check succeeded and absent any rate limit policy or
in the SYN sent to the Server in addition to the TCP options that it resource exhaustion conditions, a Transport Converter MUST attempt to
establish a connection to the address and port that it contains. It
MUST include in the SYN that it sends to the Server the options
listed in the 'TCP Options' sub-field and the TCP options that it
would have used according to its local policies. For the TCP options would have used according to its local policies. For the TCP options
that are listed without an optional value, the Transport Converter that are included in the TCP Options field without an optional value,
MUST generate its own value. For the TCP options that are included the Transport Converter MUST generate its own value. For the TCP
in the 'TCP Options' field with an optional value, it MUST copy the options that are included in the 'TCP Options' field with an optional
entire option for use in the connection with the destination peer. value, it MUST copy the entire option in the SYN sent to the remote
This feature is required to support TCP Fast Open. server. This feature is required to support TCP Fast Open. See
Section 7 for a detailed discussion of the different types of TCP
options.
The Transport Converter may discard a Connect TLV request for various The Transport Converter may refuse a Connect TLV request for various
reasons (e.g., authorization failed, out of resources, invalid reasons (e.g., authorization failed, out of resources, invalid
address type). An error message indicating the encountered error is address type, unsupported TCP option). An error message indicating
returned to the requesting Client (Section 5.2.8). In order to the encountered error is returned to the requesting Client
prevent denial-of-service attacks, error messages sent to a Client (Section 6.2.8). In order to prevent denial-of-service attacks,
SHOULD be rate-limited. error messages sent to a Client SHOULD be rate-limited.
5.2.6. Extended TCP Header TLV 6.2.6. Extended TCP Header TLV
The Extended TCP Header TLV (Figure 19) is used by the Transport The Extended TCP Header TLV (Figure 21) is used by the Transport
Converter to send to the Client the extended TCP header that was Converter to return to the Client the TCP options that were returned
returned by the Server in the SYN+ACK packet. This TLV is only sent by the Server in the SYN+ACK packet. A Transport Converter MUST
if the Client sent a Connect TLV to request the establishment of a return this TLV if the Client sent an Extended Connect TLV and the
connection. connection was accepted by the server.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x14 | Length | Unassigned | | Type=0x14 | Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
/ Returned Extended TCP header / / Returned Extended TCP header /
/ ... / / ... /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 19: The Extended TCP Header TLV Figure 21: The Extended TCP Header TLV
The Returned Extended TCP header field is a copy of the extended The Returned Extended TCP header field is a copy of the TCP Options
header that was received in the SYN+ACK by the Transport Converter. that were included in the SYN+ACK received by the Transport
Converter.
The Unassigned field MUST be set to zero by the sender and ignored by The Unassigned field MUST be set to zero by the sender and ignored by
the receiver. These bits are available for future use [RFC8126]. the receiver.
5.2.7. The Cookie TLV 6.2.7. The Cookie TLV
The Cookie TLV (Figure 20 is an optional TLV which use is similar to The Cookie TLV (Figure 22) is an optional TLV which is similar to the
the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want TCP Fast Open Cookie [RFC7413]. A Transport Converter may want to
to verify that a Client can receive the packets that it sends to verify that a Client can receive the packets that it sends to prevent
prevent attacks from spoofed addresses. This verification can be attacks from spoofed addresses. This verification can be done by
done by using a Cookie that is bound to, for example, the IP using a Cookie that is bound to, for example, the IP address(es) of
address(es) of the Client. This Cookie can be configured on the the Client. This Cookie can be configured on the Client by means
Client by means that are outside of this document or provided by the that are outside of this document or provided by the Transport
Transport Converter as follows. Converter as follows.
A Transport Converter that has been configured to use the optional A Transport Converter that has been configured to use the optional
Cookie TLV MUST verify the presence of this TLV in the payload of the Cookie TLV MUST verify the presence of this TLV in the payload of the
received SYN. If this TLV is present, the Transport Converter MUST received SYN. If this TLV is present, the Transport Converter MUST
validate the Cookie by means similar to those in Section 4.1.2 of validate the Cookie by means similar to those in Section 4.1.2 of
[RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the
connection establishment procedure can continue. Otherwise, the connection establishment procedure can continue. Otherwise, the
Transport Converter MUST return an Error TLV set to "Not Authorized" Transport Converter MUST return an Error TLV set to "Not Authorized"
and close the connection. and close the connection.
If the received SYN did not contain a Cookie TLV, and cookie If the received SYN did not contain a Cookie TLV, and cookie
validation is required, the Transport Converter should compute a validation is required, the Transport Converter MAY compute a Cookie
Cookie bound to this Client address and return a Convert message bound to this Client address and return a Convert message containing
containing the fixed header, an Error TLV set to "Missing Cookie" and the fixed header, an Error TLV set to "Missing Cookie" and the
the computed Cookie and close the connection. The Client will react computed Cookie and close the connection. The Client will react to
to this error by storing the received Cookie in its cache and attempt this error by first issuing a reset to terminate the connection. It
to reestablish a new connection to the Transport Converter that also stores the received Cookie in its cache and attempts to
includes the Cookie TLV. reestablish a new connection to the Transport Converter that includes
the Cookie TLV.
The format of the Cookie TLV is shown in Figure 20. The format of the Cookie TLV is shown in Figure 22.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x16 | Length | Zero | | Type=0x16 | Length | Zero |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
/ Opaque Cookie / / Opaque Cookie /
/ ... / / ... /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 20: The Cookie TLV Figure 22: The Cookie TLV
5.2.8. Error TLV 6.2.8. Error TLV
The Error TLV (Figure 21) is meant to provide information about some The Error TLV (Figure 23) is meant to provide information about some
errors that occurred during the processing of a Convert message. errors that occurred during the processing of a Convert message.
This TLV has a variable length. Upon reception of an Error TLV, a This TLV has a variable length. Upon reception of an Error TLV, a
Client MUST close the associated connection. Client MUST reset the associated connection.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+----------------+--------------+ +---------------+---------------+----------------+--------------+
| Type=0x1E | Length | Error Code | Value | | Type=0x1E | Length | Error Code | Value |
+---------------+---------------+----------------+--------------+ +---------------+---------------+----------------+--------------+
// ... (optional) Value // // ... (optional) Value //
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 21: The Error TLV Figure 23: The Error TLV
Different types of errors can occur while processing Convert Different types of errors can occur while processing Convert
messages. Each error is identified by an Error Code represented as messages. Each error is identified by an Error Code represented as
an unsigned integer. Four classes of error codes are defined: an unsigned integer. Four classes of error codes are defined:
o Message validation and processing errors (0-31 range): returned o Message validation and processing errors (0-31 range): returned
upon reception of an invalid message (including valid messages but upon reception of an invalid message (including valid messages but
with invalid or unknown TLVs). with invalid or unknown TLVs).
o Client-side errors (32-63 range): the Client sent a request that o Client-side errors (32-63 range): the Client sent a request that
skipping to change at page 25, line 39 skipping to change at page 30, line 21
from fulfilling the Client's request. from fulfilling the Client's request.
o Errors caused by the destination server (96-127 range): the final o Errors caused by the destination server (96-127 range): the final
destination could not be reached or it replied with a reset. destination could not be reached or it replied with a reset.
The following error codes are defined in this document: The following error codes are defined in this document:
o Unsupported Version (0): The version number indicated in the fixed o Unsupported Version (0): The version number indicated in the fixed
header of a message received from a peer is not supported. header of a message received from a peer is not supported.
This error code MUST be generated by a Transport Converter (or This error code MUST be generated by a peer (e.g. Transport
Client) when it receives a request having a version number that it Converter) when it receives a request having a version number that
does not support. it does not support.
The value field MUST be set to the version supported by the The value field MUST be set to the version supported by the peer.
Transport Converter (or Client). When multiple versions are When multiple versions are supported by the peer, it includes the
supported by the Transport Converter (or Client), it includes the
list of supported version in the value field; each version is list of supported version in the value field; each version is
encoded in 8 bits. The list of supported versions should be encoded in 8 bits. The list of supported versions should be
padded with zeros to end on a 32 bits boundary. padded with zeros to end on a 32 bits boundary.
Upon receipt of this error code, the Client (or Transport Upon receipt of this error code, the remote peer (e.g., Client)
Converter) checks whether it supports one of the versions returned checks whether it supports one of the versions returned by the
by the Transport Converter (or Client). The highest common peer. The highest common supported version MUST be used by the
supported version MUST be used by the Client (or Transport remote peer in subsequent exchanges with the peer.
Converter) in subsequent exchanges with the Transport Converter
(or Client).
o Malformed Message (1): This error code is sent to indicate that a o Malformed Message (1): This error code is sent to indicate that a
message received from a peer is can not be successfully parsed and message received from a peer cannot be successfully parsed and
validated. validated.
Typically, this error code is sent by the Transport Converter if Typically, this error code is sent by the Transport Converter if
it receives a Connect TLV enclosing a multicast, broadcast, or it receives a Connect TLV enclosing a multicast, broadcast, or
loopback IP address. loopback IP address.
To ease troubleshooting, the value field MUST echo the received To ease troubleshooting, the value field MUST echo the received
message shifted by one byte to keep to original alignment of the message shifted by one byte to keep to original alignment of the
message. message.
o Unsupported Message (2): This error code is sent to indicate that o Unsupported Message (2): This error code is sent to indicate that
a message type received from a peer is not supported. a message type received from a Client is not supported.
To ease troubleshooting, the value field MUST echo the received To ease troubleshooting, the value field MUST echo the received
message shifted by one byte to keep to original alignment of the message shifted by one byte to keep to original alignment of the
message. message.
o Missing Cookie (3): If a Transport Converter requires the o Missing Cookie (3): If a Transport Converter requires the
utilization of Cookies to prevent spoofing attacks and a Cookie utilization of Cookies to prevent spoofing attacks and a Cookie
TLV was not included in the Convert message, the Transport TLV was not included in the Convert message, the Transport
Converter MUST return this error to the requesting client. The Converter MUST return this error to the requesting client. The
first byte of the value field MUST be set to zero and the first byte of the value field MUST be set to zero and the
remaining bytes of the Error TLV contain the Cookie computed by remaining bytes of the Error TLV contain the Cookie computed by
the Transport Converter for this Client. the Transport Converter for this Client.
A Client which receives this error code MUST cache the received A Client which receives this error code SHOULD cache the received
Cookie and include it in subsequent Convert messages sent to that Cookie and include it in subsequent Convert messages sent to that
Transport Converter. Transport Converter.
o Not Authorized (32): This error code indicates that the Transport o Not Authorized (32): This error code indicates that the Transport
Converter refused to create a connection because of a lack of Converter refused to create a connection because of a lack of
authorization (e.g., administratively prohibited, authorization authorization (e.g., administratively prohibited, authorization
failure, invalid Cookie TLV, etc.). The Value field MUST be set failure, invalid Cookie TLV, etc.). The Value field MUST be set
to zero. to zero.
This error code MUST be sent by the Transport Converter when a This error code MUST be sent by the Transport Converter when a
skipping to change at page 27, line 40 skipping to change at page 32, line 21
o Connection Reset (96): This error indicates that the final o Connection Reset (96): This error indicates that the final
destination responded with an RST packet. The Value field MUST be destination responded with an RST packet. The Value field MUST be
set to zero. set to zero.
o Destination Unreachable (97): This error indicates that an ICMP o Destination Unreachable (97): This error indicates that an ICMP
destination unreachable, port unreachable, or network unreachable destination unreachable, port unreachable, or network unreachable
was received by the Transport Converter. The Value field MUST was received by the Transport Converter. The Value field MUST
echo the Code field of the received ICMP message. echo the Code field of the received ICMP message.
Figure 22 summarizes the different error codes. Figure 24 summarizes the different error codes.
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
| Error | Hex | Description | | Error | Hex | Description |
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
| 0 | 0x00 | Unsupported Version | | 0 | 0x00 | Unsupported Version |
| 1 | 0x01 | Malformed Message | | 1 | 0x01 | Malformed Message |
| 2 | 0x02 | Unsupported Message | | 2 | 0x02 | Unsupported Message |
| 3 | 0x03 | Missing Cookie | | 3 | 0x03 | Missing Cookie |
| 32 | 0x20 | Not Authorized | | 32 | 0x20 | Not Authorized |
| 33 | 0x21 | Unsupported TCP Option | | 33 | 0x21 | Unsupported TCP Option |
| 64 | 0x40 | Resource Exceeded | | 64 | 0x40 | Resource Exceeded |
| 65 | 0x41 | Network Failure | | 65 | 0x41 | Network Failure |
| 96 | 0x60 | Connection Reset | | 96 | 0x60 | Connection Reset |
| 97 | 0x61 | Destination Unreachable | | 97 | 0x61 | Destination Unreachable |
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
Figure 22: Convert Error Values Figure 24: Convert Error Values
6. Compatibility of Specific TCP Options with the Conversion Service 7. Compatibility of Specific TCP Options with the Conversion Service
In this section, we discuss how several standard track TCP options In this section, we discuss how several deployed standard track TCP
can be supported through the Convert Protocol. The non-standard options can be supported through the Convert Protocol. The other TCP
track options and the experimental options will be discussed in other options will be discussed in other documents.
documents.
6.1. Base TCP Options 7.1. Base TCP Options
Three TCP options were initially defined in [RFC0793]: End-of-Option Three TCP options were initially defined in [RFC0793]: End-of-Option
List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size
(Kind=2). The first two options are mainly used to pad the TCP (Kind=2). The first two options are mainly used to pad the TCP
header. There is no reason for a client to request a Transport header. There is no reason for a client to request a Transport
Converter to specifically send these options towards the final Converter to specifically send these options towards the final
destination. destination.
The Maximum Segment Size option (Kind=2) is used by a host to The Maximum Segment Size option (Kind=2) is used by a host to
indicate the largest segment that it can receive over each indicate the largest segment that it can receive over each
connection. This value is function of the stack that terminates the connection. This value is function of the stack that terminates the
TCP connection. There is no reason for a Client to request a TCP connection. There is no reason for a Client to request a
Transport Converter to advertise a specific MSS value to a remote Transport Converter to advertise a specific MSS value to a remote
server. server.
A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they
appear in a Connect TLV. It MUST NOT announce them in a Supported appear in a Connect TLV. It MUST NOT announce them in a Supported
TCP Extensions TLV. TCP Extensions TLV.
6.2. Window Scale (WS) 7.2. Window Scale (WS)
The Window Scale (WS) option (Kind=3) is defined in [RFC7323]. As The Window Scale (WS) option (Kind=3) is defined in [RFC7323]. As
for the MSS option, the window scale factor that is used for a for the MSS option, the window scale factor that is used for a
connection strongly depends on the TCP stack that handles the connection strongly depends on the TCP stack that handles the
connection. When a Transport Converter opens a TCP connection connection. When a Transport Converter opens a TCP connection
towards a remote server on behalf of a Client, it SHOULD use a WS towards a remote server on behalf of a Client, it SHOULD use a WS
option with a scaling factor that corresponds to the configuration of option with a scaling factor that corresponds to the configuration of
its stack. A local configuration MAY allow for WS option in the its stack. A local configuration MAY allow for WS option in the
proxied message to be function of the scaling factor of the incoming proxied message to be function of the scaling factor of the incoming
connection. connection.
There is no benefit from a deployment viewpoint in enabling a Client There is no benefit from a deployment viewpoint in enabling a Client
of a Transport Converter to specifically request the utilization of of a Transport Converter to specifically request the utilization of
the WS option (Kind=3) with a specific scaling factor towards a the WS option (Kind=3) with a specific scaling factor towards a
remote Server. For this reason, a Transport Converter MUST ignore remote Server. For this reason, a Transport Converter MUST ignore
option Kind=3 if it appears in a Connect TLV. It MUST NOT announce option Kind=3 if it appears in a Connect TLV. It MUST NOT announce
it in a Supported TCP Extensions TLV. it in a Supported TCP Extensions TLV.
6.3. Selective Acknowledgments 7.3. Selective Acknowledgments
Two distinct TCP options were defined to support selective Two distinct TCP options were defined to support selective
acknowledgments in [RFC2018]. This first one, SACK Permitted acknowledgments in [RFC2018]. This first one, SACK Permitted
(Kind=4), is used to negotiate the utilization of selective (Kind=4), is used to negotiate the utilization of selective
acknowledgments during the three-way handshake. The second one, SACK acknowledgments during the three-way handshake. The second one, SACK
(Kind=5), carries the selective acknowledgments inside regular (Kind=5), carries the selective acknowledgments inside regular
segments. segments.
The SACK Permitted option (Kind=4) MAY be advertised by a Transport The SACK Permitted option (Kind=4) MAY be advertised by a Transport
Converter in the Supported TCP Extensions TLV. Clients connected to Converter in the Supported TCP Extensions TLV. Clients connected to
this Transport Converter MAY include the SACK Permitted option in the this Transport Converter MAY include the SACK Permitted option in the
Connect TLV. Connect TLV.
The SACK option (Kind=5) cannot be used during the three-way The SACK option (Kind=5) cannot be used during the three-way
handshake. For this reason, a Transport Converter MUST ignore option handshake. For this reason, a Transport Converter MUST ignore option
Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a
TCP Supported Extensions TLV. TCP Supported Extensions TLV.
6.4. Timestamp 7.4. Timestamp
The Timestamp option was initially defined in [RFC1323] and later The Timestamp option [RFC7323] can be used during the three-way
refined in [RFC7323]. It can be used during the three-way handshake handshake to negotiate the utilization of timestamps during the TCP
to negotiate the utilization of timestamps during the TCP connection. connection. It is notably used to improve round-trip-time
It is notably used to improve round-trip-time estimations and to estimations and to provide protection against wrapped sequence
provide protection against wrapped sequence numbers (PAWS). As for numbers (PAWS). As for the WS option, the timestamps are a property
the WS option, the timestamps are a property of a connection and of a connection and there is limited benefit in enabling a client to
there is limited benefit in enabling a client to request a Transport request a Transport Converter to use the timestamp option when
Converter to use the timestamp option when establishing a connection establishing a connection to a remote server. Furthermore, the
to a remote server. Furthermore, the timestamps that are used by TCP timestamps that are used by TCP stacks are specific to each stack and
stacks are specific to each stack and there is no benefit in enabling there is no benefit in enabling a client to specify the timestamp
a client to specify the timestamp value that a Transport Converter value that a Transport Converter could use to establish a connection
could use to establish a connection to a remote server. to a remote server.
A Transport Converter MAY advertise the Timestamp option (Kind=8) in A Transport Converter MAY advertise the Timestamp option (Kind=8) in
the TCP Supported Extensions TLV. The clients connected to this the TCP Supported Extensions TLV. The clients connected to this
Transport Converter MAY include the Timestamp option in the Connect Transport Converter MAY include the Timestamp option in the Connect
TLV but without any timestamp. TLV but without any timestamp.
6.5. Multipath TCP 7.5. Multipath TCP
The Multipath TCP options are defined in [RFC6824]. [RFC6824] The Multipath TCP options are defined in [RFC6824]. [RFC6824]
defines one variable length TCP option (Kind=30) that includes a sub- defines one variable length TCP option (Kind=30) that includes a sub-
type field to support several Multipath TCP options. There are type field to support several Multipath TCP options. There are
several operational use cases where clients would like to use several operational use cases where clients would like to use
Multipath TCP through a Transport Converter [IETFJ16]. However, none Multipath TCP through a Transport Converter [IETFJ16]. However, none
of these use cases require the Client to specify the content of the of these use cases require the Client to specify the content of the
Multipath TCP option that the Transport Converter should send to a Multipath TCP option that the Transport Converter should send to a
remote server. remote server.
A Transport Converter which supports Multipath TCP conversion service A Transport Converter which supports Multipath TCP conversion service
MUST advertise the Multipath TCP option (Kind=30) in the Supported MUST advertise the Multipath TCP option (Kind=30) in the Supported
TCP Extensions TLV. Clients serviced by this Transport Converter may TCP Extensions TLV. Clients serviced by this Transport Converter may
include the Multipath TCP option in the Connect TLV but without any include the Multipath TCP option in the Connect TLV but without any
content. content.
6.6. TCP Fast Open 7.6. TCP Fast Open
The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413]. The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413].
There are two different usages of this option that need to be There are two different usages of this option that need to be
supported by Transport Converters. The first utilization of the TCP supported by Transport Converters. The first utilization of the TCP
Fast Open cookie option is to request a cookie from the server. In Fast Open cookie option is to request a cookie from the server. In
this case, the option is sent with an empty cookie by the client and this case, the option is sent with an empty cookie by the client and
the server returns the cookie. The second utilization of the TCP the server returns the cookie. The second utilization of the TCP
Fast Open cookie option is to send a cookie to the server. In this Fast Open cookie option is to send a cookie to the server. In this
case, the option contains a cookie. case, the option contains a cookie.
skipping to change at page 31, line 7 skipping to change at page 35, line 21
Converter has advertised the support for TCP Fast Open in its Converter has advertised the support for TCP Fast Open in its
Supported TCP Extensions TLV, it needs to be able to process two Supported TCP Extensions TLV, it needs to be able to process two
types of Connect TLV. If such a Transport Converter receives a types of Connect TLV. If such a Transport Converter receives a
Connect TLV with the TCP Fast Open cookie option that does not Connect TLV with the TCP Fast Open cookie option that does not
contain a cookie, it MUST add an empty TCP Fast Open cookie option in contain a cookie, it MUST add an empty TCP Fast Open cookie option in
the SYN sent to the remote server. If such a Transport Converter the SYN sent to the remote server. If such a Transport Converter
receives a Connect TLV with the TCP Fast Open cookie option that receives a Connect TLV with the TCP Fast Open cookie option that
contains a cookie, it MUST copy the TCP Fast Open cookie option in contains a cookie, it MUST copy the TCP Fast Open cookie option in
the SYN sent to the remote server. the SYN sent to the remote server.
6.7. TCP User Timeout 7.7. TCP-AO
The TCP User Timeout option is defined in [RFC5482]. The associated
TCP option (Kind=28) does not appear to be widely deployed.
6.8. TCP-AO
TCP-AO [RFC5925] provides a technique to authenticate all the packets TCP-AO [RFC5925] provides a technique to authenticate all the packets
exchanged over a TCP connection. Given the nature of this extension, exchanged over a TCP connection. Given the nature of this extension,
it is unlikely that the applications that require their packets to be it is unlikely that the applications that require their packets to be
authenticated end-to-end would want their connections to pass through authenticated end-to-end would want their connections to pass through
a converter. For this reason, we do not recommend the support of the a converter. For this reason, we do not recommend the support of the
TCP-AO option by Transport Converters. The only use cases where it TCP-AO option by Transport Converters. The only use cases where it
could make sense to combine TCP-AO and the solution in this document could make sense to combine TCP-AO and the solution in this document
are those where the TCP-AO-NAT extension [RFC6978] is in use. are those where the TCP-AO-NAT extension [RFC6978] is in use.
A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29) A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29)
in the Supported TCP Extensions TLV. If a Transport Converter in the Supported TCP Extensions TLV. If a Transport Converter
receives a Connect TLV that contains the TCP-AO option, it MUST receives a Connect TLV that contains the TCP-AO option, it MUST
reject the establishment of the connection with error code set to reject the establishment of the connection with error code set to
"Unsupported TCP Option", except if the TCP-AO-NAT option is used. "Unsupported TCP Option", except if the TCP-AO-NAT option is used.
6.9. TCP Experimental Options 8. Interactions with Middleboxes
The TCP Experimental options are defined in [RFC4727]. Given the
variety of semantics for these options and their experimental nature,
it is impossible to discuss them in details in this document.
7. Interactions with Middleboxes
The Convert Protocol is designed to be used in networks that do not The Convert Protocol is designed to be used in networks that do not
contain middleboxes that interfere with TCP. Under such conditions, contain middleboxes that interfere with TCP. Under such conditions,
it is assumed that the network provider ensures that all involved on- it is assumed that the network provider ensures that all involved on-
path nodes are not breaking TCP signals (e.g., strip TCP options, path nodes are not breaking TCP signals (e.g., strip TCP options,
discard some SYNs, etc.). discard some SYNs, etc.).
Nevertheless, and in order to allow for a robust service, this Nevertheless, and in order to allow for a robust service, this
section describes how a Client can detect middlebox interference and section describes how a Client can detect middlebox interference and
stop using the Transport Converter affected by this interference. stop using the Transport Converter affected by this interference.
Internet measurements [IMC11] have shown that middleboxes can affect Internet measurements [IMC11] have shown that middleboxes can affect
the deployment of TCP extensions. In this section, we only discuss the deployment of TCP extensions. In this section, we focus the
the middleboxes that modify SYN and SYN+ACK packets since the Convert middleboxes that modify the payload since the Convert Protocol places
Protocol places its messages in such packets. its messages at the beginning of the bytestream.
Consider a middlebox that removes the SYN payload. The Client can Consider a middlebox that removes the SYN payload. The Client can
detect this problem by looking at the acknowledgment number field of detect this problem by looking at the acknowledgment number field of
the SYN+ACK returned by the Transport Converter. The Client MUST the SYN+ACK returned by the Transport Converter. The Client MUST
stop to use this Transport Converter given the middlebox stop to use this Transport Converter given the middlebox
interference. interference.
Consider now a middlebox that drops SYN/ACKs with a payload. The Consider now a middlebox that drops SYN/ACKs with a payload. The
Client won't be able to establish a connection via the Transport Client won't be able to establish a connection via the Transport
Converter. Converter. The case of a middlebox that removes the payload of
SYN+ACKs or from the packet that follows the SYN+ACK (but not the
The case of a middlebox that removes the payload of SYN+ACKs (but not payload of SYN) can be detected by a Client. This is hinted by the
the payload of SYN) can be detected by a Client. This is hinted by absence of a valid Convert message in the response.
the absence of an Error or Extended TCP Header TLV in a response. If
an Error was returned by the Transport Converter, a message to close
the connection would normally follow from the Converter. If no such
message is received, the Client may continue to use this Converter.
As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect
the operation of TFO if they assign different IP addresses to the the operation of TFO if they assign different IP addresses to the
same end host. Such CGNs could affect the operation of the cookie same end host. Such CGNs could affect the operation of the cookie
validation used by the Convert Protocol. As a reminder CGNs, enabled validation used by the Convert Protocol. As a reminder CGNs, enabled
on the path between a Client and a Transport Converter, must adhere on the path between a Client and a Transport Converter, must adhere
to the address preservation defined in [RFC6888]. See also the to the address preservation defined in [RFC6888]. See also the
discussion in Section 7.1 of [RFC7413]. discussion in Section 7.1 of [RFC7413].
8. Security Considerations 9. Security Considerations
8.1. Privacy & Ingress Filtering 9.1. Privacy & Ingress Filtering
The Transport Converter may have access to privacy-related The Transport Converter may have access to privacy-related
information (e.g., subscriber credentials). The Transport Converter information (e.g., subscriber credentials). The Transport Converter
is designed to not leak such sensitive information outside a local is designed to not leak such sensitive information outside a local
domain. domain.
Given its function and its location in the network, a Transport Given its function and its location in the network, a Transport
Converter has access to the payload of all the packets that it Converter has access to the payload of all the packets that it
processes. As such, it MUST be protected as a core IP router (e.g., processes. As such, it MUST be protected as a core IP router (e.g.,
[RFC1812]). [RFC1812]).
Furthermore, ingress filtering policies MUST be enforced at the Furthermore, ingress filtering policies MUST be enforced at the
network boundaries [RFC2827]. network boundaries [RFC2827].
This document assumes that all network attachments are managed by the This document assumes that all network attachments are managed by the
same administrative entity. Therefore, enforcing anti-spoofing same administrative entity. Therefore, enforcing anti-spoofing
filters at these network ensures that hosts are not sending traffic filters at these network ensures that hosts are not sending traffic
with spoofed source IP addresses. with spoofed source IP addresses.
8.2. Authorization 9.2. Authorization
The Convert Protocol is intended to be used in managed networks where The Convert Protocol is intended to be used in managed networks where
end hosts can be identified by their IP address. end hosts can be identified by their IP address.
Stronger mutual authentication schemes MUST be defined to use the Stronger mutual authentication schemes MUST be defined to use the
Convert Protocol in more open network environments. One possibility Convert Protocol in more open network environments. One possibility
is to use TLS to perform mutual authentication between the client and is to use TLS to perform mutual authentication between the client and
the Converter. That is, use TLS when a Client retrieves a Cookie the Converter. That is, use TLS when a Client retrieves a Cookie
from the Converter and rely on certificate-based client from the Converter and rely on certificate-based client
authentication, pre-shared key based [RFC4279] or raw public key authentication, pre-shared key based [RFC4279] or raw public key
skipping to change at page 33, line 27 skipping to change at page 37, line 27
If the authentication succeeds, the Converter returns a cookie to the If the authentication succeeds, the Converter returns a cookie to the
Client. Subsequent Connect messages will be authorized as a function Client. Subsequent Connect messages will be authorized as a function
of the content of the Cookie TLV. of the content of the Cookie TLV.
In deployments where network-assisted connections are not allowed In deployments where network-assisted connections are not allowed
between hosts of a domain (i.e., hairpinning), the Converter may be between hosts of a domain (i.e., hairpinning), the Converter may be
instructed to discard such connections. Hairpinned connections are instructed to discard such connections. Hairpinned connections are
thus rejected by the Transport Converter by returning an Error TLV thus rejected by the Transport Converter by returning an Error TLV
set to "Not Authorized". Absent explicit configuration otherwise, set to "Not Authorized". Absent explicit configuration otherwise,
hairpinning is enabled by the Converter (see Figure 23. hairpinning is enabled by the Converter (see Figure 25.
<===Network Provider===> <===Network Provider===>
+----+ from X1:x1 to X2':x2' +-----+ X1':x1' +----+ from X1:x1 to X2':x2' +-----+ X1':x1'
| C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+---
+----+ | v | +----+ | v |
| v | | v |
| v | | v |
| v | | v |
+----+ from X1':x1' to X2:x2 | v | X2':x2' +----+ from X1':x1' to X2:x2 | v | X2':x2'
| C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+--- | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+---
+----+ +-----+ +----+ +-----+
Converter Converter
Note: X2':x2' may be equal to Note: X2':x2' may be equal to
X2:x2 X2:x2
Figure 23: Hairpinning Example Figure 25: Hairpinning Example
See below for authorization considerations that are specific for See below for authorization considerations that are specific for
Multipath TCP. Multipath TCP.
8.3. Denial of Service 9.3. Denial of Service
Another possible risk is the amplification attacks since a Transport Another possible risk is the amplification attacks since a Transport
Converter sends a SYN towards a remote Server upon reception of a SYN Converter sends a SYN towards a remote Server upon reception of a SYN
from a Client. This could lead to amplification attacks if the SYN from a Client. This could lead to amplification attacks if the SYN
sent by the Transport Converter were larger than the SYN received sent by the Transport Converter were larger than the SYN received
from the Client or if the Transport Converter retransmits the SYN. from the Client or if the Transport Converter retransmits the SYN.
To mitigate such attacks, the Transport Converter SHOULD rate limit To mitigate such attacks, the Transport Converter SHOULD rate limit
the number of pending requests for a given Client. It SHOULD also the number of pending requests for a given Client. It SHOULD also
avoid sending to remote Servers SYNs that are significantly longer avoid sending to remote Servers SYNs that are significantly longer
than the SYN received from the Client. Finally, the Transport than the SYN received from the Client. Finally, the Transport
Converter SHOULD only retransmit a SYN to a Server after having Converter SHOULD only retransmit a SYN to a Server after having
received a retransmitted SYN from the corresponding Client. Means to received a retransmitted SYN from the corresponding Client. Means to
protect against SYN flooding attacks MUST also be enabled [RFC4987]. protect against SYN flooding attacks should also be enabled (e.g.,
Section 3 of [RFC4987]).
8.4. Traffic Theft 9.4. Traffic Theft
Traffic theft is a risk if an illegitimate Converter is inserted in Traffic theft is a risk if an illegitimate Converter is inserted in
the path. Indeed, inserting an illegitimate Converter in the the path. Indeed, inserting an illegitimate Converter in the
forwarding path allows traffic interception and can therefore provide forwarding path allows traffic interception and can therefore provide
access to sensitive data issued by or destined to a host. Converter access to sensitive data issued by or destined to a host. Converter
discovery and configuration are out of scope of this document. discovery and configuration are out of scope of this document.
8.5. Multipath TCP-specific Considerations 9.5. Authentication Considerations
Multipath TCP-related security threats are discussed in [RFC6181] and
[RFC6824].
The operator that manages the various network attachments (including The operator that manages the various network attachments (including
the Transport Converters) can enforce authentication and the Transport Converters) can enforce authentication and
authorization policies using appropriate mechanisms. For example, a authorization policies using appropriate mechanisms. For example, a
non-exhaustive list of methods to achieve authorization is provided non-exhaustive list of methods to achieve authorization is provided
hereafter: hereafter:
o The network provider may enforce a policy based on the o The network provider may enforce a policy based on the
International Mobile Subscriber Identity (IMSI) to verify that a International Mobile Subscriber Identity (IMSI) to verify that a
user is allowed to benefit from the Multipath TCP converter user is allowed to benefit from the TCP converter service. If
service. If that authorization fails, the Packet Data Protocol that authorization fails, the Packet Data Protocol (PDP) context/
(PDP) context/bearer will not be mounted. This method does not bearer will not be mounted. This method does not require any
require any interaction with the Transport Converter for interaction with the Transport Converter for authorization
authorization matters. matters.
o The network provider may enforce a policy based upon Access o The network provider may enforce a policy based upon Access
Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG)
to control the hosts that are authorized to communicate with a to control the hosts that are authorized to communicate with a
Transport Converter. These ACLs may be installed as a result of Transport Converter. These ACLs may be installed as a result of
RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter]. RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter].
This method does not require any interaction with the Transport This method does not require any interaction with the Transport
Converter for authorization matters. Converter for authorization matters.
o A device that embeds a Transport Converter may also host a RADIUS o A device that embeds a Transport Converter may also host a RADIUS
client that will solicit an AAA server to check whether client that will solicit an AAA server to check whether
connections received from a given source IP address are authorized connections received from a given source IP address are authorized
or not [I-D.boucadair-radext-tcpm-converter]. or not [I-D.boucadair-radext-tcpm-converter].
A first safeguard against the misuse of Transport Converter resources A first safeguard against the misuse of Transport Converter resources
by illegitimate users (e.g., users with access networks that are not by illegitimate users (e.g., users with access networks that are not
skipping to change at page 35, line 16 skipping to change at page 39, line 13
Converter for authorization matters. Converter for authorization matters.
o A device that embeds a Transport Converter may also host a RADIUS o A device that embeds a Transport Converter may also host a RADIUS
client that will solicit an AAA server to check whether client that will solicit an AAA server to check whether
connections received from a given source IP address are authorized connections received from a given source IP address are authorized
or not [I-D.boucadair-radext-tcpm-converter]. or not [I-D.boucadair-radext-tcpm-converter].
A first safeguard against the misuse of Transport Converter resources A first safeguard against the misuse of Transport Converter resources
by illegitimate users (e.g., users with access networks that are not by illegitimate users (e.g., users with access networks that are not
managed by the same provider that operates the Transport Converter) managed by the same provider that operates the Transport Converter)
is the Transport Converter to reject Multipath TCP connections is the Transport Converter to reject Convert connections received on
received on its Internet-facing interfaces. Only Multipath TCP its Internet-facing interfaces. Only Convert connections received on
connections received on the customer-facing interfaces of a Transport the customer-facing interfaces of a Transport Converter will be
Converter will be accepted. accepted.
9. IANA Considerations 10. IANA Considerations
9.1. Convert Service Port Number Note to the RFC Editor: Please replace "THISRFC" in the following
sub-sections with the RFC number to be assigned to this document.
IANA is requested to assign a TCP port number (TBA) for the Convert 10.1. Convert Service Name
Protocol from the "Service Name and Transport Protocol Port Number
Registry" available at https://www.iana.org/assignments/service- IANA is requested to assign a service name for the Convert Protocol
names-port-numbers/service-names-port-numbers.xhtml. from the "Service Name and Transport Protocol Port Number Registry"
available at https://www.iana.org/assignments/service-names-port-
numbers/service-names-port-numbers.xhtml.
Service Name: convert Service Name: convert
Port Number: TBD Port Number: N/A
Transport Protocol(s): TCP Transport Protocol(s): TCP
Description: 0-RTT TCP Convert Protocol Description: 0-RTT TCP Convert Protocol
Assignee: IESG <iesg@ietf.org> Assignee: IESG <iesg@ietf.org>
Contact: IETF Chair <chair@ietf.org> Contact: IETF Chair <chair@ietf.org>
Reference: RFC XXXX Reference: THISRFC
9.2. The Convert Protocol (Convert) Parameters Clients may use this service name to fed the procedure defined in
[RFC2782] to discover the IP address(es) and the port number used by
the Transport Converters of a domain.
IANA is requested to create a new "The Convert Protocol (Convert) 10.2. The Convert Protocol (Convert) Parameters
IANA is requested to create a new "The TCP Convert Protocol (Convert)
Parameters" registry. Parameters" registry.
The following subsections detail new registries within "The Convert The following subsections detail new registries within "The Convert
Protocol (Convert) Parameters" registry. Protocol (Convert) Parameters" registry.
9.2.1. Convert Versions Registration requests for the 128-191 range (for both "Convert TLVs"
and "Convert Error Messages" sub-registries) are evaluated after a
three-week review period on the tcp-convert-review@ietf.org mailing
list, on the advice of one or more Designated Experts. However, to
allow for the allocation of values prior to publication, the
Designated Experts may approve registration once they are satisfied
that such a specification will be published. New registration
requests should be sent in the form of an email to the review mailing
list; the request should use an appropriate subject (e.g., "Request
to register 0-RTT Convert TLV: example" or "Request to register 0-RTT
Convert Error Message: example"). IANA will only accept new
registrations from the Designated Experts, and will check that review
was requested on the mailing list in accordance with these
procedures.
Within the review period, the Designated Experts will either approve
or deny the registration request, communicating this decision to the
review list and IANA. Denials should include an explanation and, if
applicable, suggestions as to how to make the request successful.
Registration requests that are undetermined for a period longer than
21 days can be brought to the IESG's attention (using the
iesg@ietf.org mailing list) for resolution.
The Designated Expert is expected to ascertain the existence of
suitable documentation as described in Section 4.6 of [RFC8126] and
to verify that the document is permanently and publicly available.
The Designated Expert is also expected to check the clarity of
purpose and use of the requested code points.
Also, criteria that should be applied by the Designated Experts
includes determining whether the proposed registration duplicates
existing functionality, whether it is likely to be of general
applicability or whether it is useful only for a private use, and
whether the registration description is clear. IANA must only accept
registry updates to the 128-191 range (for both "Convert TLVs" and
"Convert Error Messages" sub-registries) from the Designated Experts
and should direct all requests for registration to the review mailing
list. It is suggested that multiple Designated Experts be appointed.
In cases where a registration decision could be perceived as creating
a conflict of interest for a particular Expert, that Expert should
defer to the judgment of the other Experts.
10.2.1. Convert Versions
IANA is requested to create the "Convert versions" sub-registry. New IANA is requested to create the "Convert versions" sub-registry. New
values are assigned via IETF Review (Section 4.8 of [RFC8126]). values are assigned via IETF Review (Section 4.8 of [RFC8126]).
The initial values to be assigned at the creation of the registry are The initial values to be assigned at the creation of the registry are
as follows: as follows:
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| Version | Description | Reference | | Version | Description | Reference |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| 0 | Reserved by this document | [This-RFC] | | 0 | Reserved by this document | THISRFC |
| 1 | Assigned by this document | [This-RFC] | | 1 | Assigned by this document | THISRFC |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
9.2.2. Convert TLVs 10.2.2. Convert TLVs
IANA is requested to create the "Convert TLVs" sub-registry. The IANA is requested to create the "Convert TLVs" sub-registry. The
procedure for assigning values from this registry is as follows: procedure for assigning values from this registry is as follows:
o The values in the range 1-127 can be assigned via IETF Review. o The values in the range 1-127 can be assigned via IETF Review.
o The values in the range 128-191 can be assigned via Specification o The values in the range 128-191 can be assigned via Specification
Required. Required.
o The values in the range 192-255 can be assigned for Private Use. o The values in the range 192-255 are reserved for Private Use.
The initial values to be assigned at the creation of the registry are The initial values to be assigned at the creation of the registry are
as follows: as follows:
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| Code | Name | Reference | | Code | Name | Reference |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| 0 | Reserved | [This-RFC] | | 0 | Reserved | THISRFC |
| 1 | Info TLV | [This-RFC] | | 1 | Info TLV | THISRFC |
| 10 | Connect TLV | [This-RFC] | | 10 | Connect TLV | THISRFC |
| 20 | Extended TCP Header TLV | [This-RFC] | | 20 | Extended TCP Header TLV | THISRFC |
| 21 | Supported TCP Extension TLV | [This-RFC] | | 21 | Supported TCP Extension TLV | THISRFC |
| 22 | Cookie TLV | [This-RFC] | | 22 | Cookie TLV | THISRFC |
| 30 | Error TLV | [This-RFC] | | 30 | Error TLV | THISRFC |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
9.2.3. Convert Error Messages 10.2.3. Convert Error Messages
IANA is requested to create the "Convert Errors" sub-registry. Codes IANA is requested to create the "Convert Errors" sub-registry. Codes
in this registry are assigned as a function of the error type. Four in this registry are assigned as a function of the error type. Four
types are defined; the following ranges are reserved for each of types are defined; the following ranges are reserved for each of
these types: these types:
o Message validation and processing errors: 0-31 o Message validation and processing errors: 0-31
o Client-side errors: 32-63 o Client-side errors: 32-63
skipping to change at page 37, line 12 skipping to change at page 42, line 12
o Errors caused by destination server: 96-127 o Errors caused by destination server: 96-127
The procedure for assigning values from this sub-registry is as The procedure for assigning values from this sub-registry is as
follows: follows:
o 0-127: Values in this range are assigned via IETF Review. o 0-127: Values in this range are assigned via IETF Review.
o 128-191: Values in this range are assigned via Specification o 128-191: Values in this range are assigned via Specification
Required. Required.
o 192-255: Values in this range are assigned for Private Use. o 192-255: Values in this range are reserved for Private Use.
The initial values to be assigned at the creation of the registry are The initial values to be assigned at the creation of the registry are
as follows: as follows:
+-------+------+-----------------------------------+-----------+ +-------+------+-----------------------------------+-----------+
| Error | Hex | Description | Reference | | Error | Hex | Description | Reference |
+-------+------+-----------------------------------+-----------+ +-------+------+-----------------------------------+-----------+
| 0 | 0x00 | Unsupported Version | [This-RFC]| | 0 | 0x00 | Unsupported Version | THISRFC |
| 1 | 0x01 | Malformed Message | [This-RFC]| | 1 | 0x01 | Malformed Message | THISRFC |
| 2 | 0x02 | Unsupported Message | [This-RFC]| | 2 | 0x02 | Unsupported Message | THISRFC |
| 3 | 0x03 | Missing Cookie | [This-RFC]| | 3 | 0x03 | Missing Cookie | THISRFC |
| 32 | 0x20 | Not Authorized | [This-RFC]| | 32 | 0x20 | Not Authorized | THISRFC |
| 33 | 0x21 | Unsupported TCP Option | [This-RFC]| | 33 | 0x21 | Unsupported TCP Option | THISRFC |
| 64 | 0x40 | Resource Exceeded | [This-RFC]| | 64 | 0x40 | Resource Exceeded | THISRFC |
| 65 | 0x41 | Network Failure | [This-RFC]| | 65 | 0x41 | Network Failure | THISRFC |
| 96 | 0x60 | Connection Reset | [This-RFC]| | 96 | 0x60 | Connection Reset | THISRFC |
| 97 | 0x61 | Destination Unreachable | [This-RFC]| | 97 | 0x61 | Destination Unreachable | THISRFC |
+-------+------+-----------------------------------+-----------+ +-------+------+-----------------------------------+-----------+
Figure 24: The Convert Error Codes Figure 26: The Convert Error Codes
10. References 11. References
10.1. Normative References 11.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP
Selective Acknowledgment Options", RFC 2018,
DOI 10.17487/RFC2018, October 1996,
<https://www.rfc-editor.org/info/rfc2018>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Ciphersuites for Transport Layer Security (TLS)", Defeating Denial of Service Attacks which employ IP Source
RFC 4279, DOI 10.17487/RFC4279, December 2005, Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
<https://www.rfc-editor.org/info/rfc4279>. May 2000, <https://www.rfc-editor.org/info/rfc2827>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <https://www.rfc-editor.org/info/rfc4291>. 2006, <https://www.rfc-editor.org/info/rfc4291>.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727,
DOI 10.17487/RFC4727, November 2006,
<https://www.rfc-editor.org/info/rfc4727>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
2007, <https://www.rfc-editor.org/info/rfc4787>. 2007, <https://www.rfc-editor.org/info/rfc4787>.
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007,
<https://www.rfc-editor.org/info/rfc4987>. <https://www.rfc-editor.org/info/rfc4987>.
[RFC5482] Eggert, L. and F. Gont, "TCP User Timeout Option",
RFC 5482, DOI 10.17487/RFC5482, March 2009,
<https://www.rfc-editor.org/info/rfc5482>.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, DOI 10.17487/RFC5925, Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
June 2010, <https://www.rfc-editor.org/info/rfc5925>. June 2010, <https://www.rfc-editor.org/info/rfc5925>.
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
"TCP Extensions for Multipath Operation with Multiple "TCP Extensions for Multipath Operation with Multiple
Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013, Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
<https://www.rfc-editor.org/info/rfc6824>. <https://www.rfc-editor.org/info/rfc6824>.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>. April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153, "Special-Purpose IP Address Registries", BCP 153,
RFC 6890, DOI 10.17487/RFC6890, April 2013, RFC 6890, DOI 10.17487/RFC6890, April 2013,
<https://www.rfc-editor.org/info/rfc6890>. <https://www.rfc-editor.org/info/rfc6890>.
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT
Weiler, S., and T. Kivinen, "Using Raw Public Keys in Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013,
Transport Layer Security (TLS) and Datagram Transport <https://www.rfc-editor.org/info/rfc6978>.
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, <https://www.rfc-editor.org/info/rfc7250>. [RFC7323] Borman, D., Braden, B., Jacobson, V., and R.
Scheffenegger, Ed., "TCP Extensions for High Performance",
RFC 7323, DOI 10.17487/RFC7323, September 2014,
<https://www.rfc-editor.org/info/rfc7323>.
[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
<https://www.rfc-editor.org/info/rfc7413>. <https://www.rfc-editor.org/info/rfc7413>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
10.2. Informative References 11.2. Informative References
[ANRW17] Trammell, B., Kuhlewind, M., De Vaere, P., Learmonth, I., [ANRW17] Trammell, B., Kuehlewind, M., De Vaere, P., Learmonth, I.,
and G. Fairhurst, "Tracking transport-layer evolution with and G. Fairhurst, "Tracking transport-layer evolution with
PATHspider", Applied Networking Research Workshop 2017 PATHspider", Applied Networking Research Workshop 2017
(ANRW17) , July 2017. (ANRW17) , July 2017.
[Fukuda2011] [Fukuda2011]
Fukuda, K., "An Analysis of Longitudinal TCP Passive Fukuda, K., "An Analysis of Longitudinal TCP Passive
Measurements (Short Paper)", Traffic Monitoring and Measurements (Short Paper)", Traffic Monitoring and
Analysis. TMA 2011. Lecture Notes in Computer Science, vol Analysis. TMA 2011. Lecture Notes in Computer Science, vol
6613. , 2011. 6613. , 2011.
[HotMiddlebox13b] [HotMiddlebox13b]
Detal, G., Paasch, C., and O. Bonaventure, "Multipath in Detal, G., Paasch, C., and O. Bonaventure, "Multipath in
the Middle(Box)", HotMiddlebox'13 , December 2013, the Middle(Box)", HotMiddlebox'13 , December 2013,
<http://inl.info.ucl.ac.be/publications/multipath- <http://inl.info.ucl.ac.be/publications/
middlebox>. multipath-middlebox>.
[I-D.arkko-arch-low-latency] [I-D.arkko-arch-low-latency]
Arkko, J. and J. Tantsura, "Low Latency Applications and Arkko, J. and J. Tantsura, "Low Latency Applications and
the Internet Architecture", draft-arkko-arch-low- the Internet Architecture", draft-arkko-arch-low-
latency-02 (work in progress), October 2017. latency-02 (work in progress), October 2017.
[I-D.boucadair-mptcp-plain-mode] [I-D.boucadair-mptcp-plain-mode]
Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel, Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel,
D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R., D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R.,
Vinapamula, S., Seo, S., Cloetens, W., Meyer, U., Vinapamula, S., Seo, S., Cloetens, W., Meyer, U.,
Contreras, L., and B. Peirens, "Extensions for Network- Contreras, L., and B. Peirens, "Extensions for Network-
Assisted MPTCP Deployment Models", draft-boucadair-mptcp- Assisted MPTCP Deployment Models", draft-boucadair-mptcp-
plain-mode-10 (work in progress), March 2017. plain-mode-10 (work in progress), March 2017.
[I-D.boucadair-radext-tcpm-converter] [I-D.boucadair-radext-tcpm-converter]
Boucadair, M. and C. Jacquenet, "RADIUS Extensions for Boucadair, M. and C. Jacquenet, "RADIUS Extensions for
0-RTT TCP Converters", draft-boucadair-radext-tcpm- 0-RTT TCP Converters", draft-boucadair-radext-tcpm-
converter-02 (work in progress), April 2019. converter-02 (work in progress), April 2019.
[I-D.boucadair-tcpm-dhc-converter] [I-D.boucadair-tcpm-dhc-converter]
Boucadair, M., Jacquenet, C., and R. K, "DHCP Options for Boucadair, M., Jacquenet, C., and T. Reddy.K, "DHCP
0-RTT TCP Converters", draft-boucadair-tcpm-dhc- Options for 0-RTT TCP Converters", draft-boucadair-tcpm-
converter-03 (work in progress), October 2019. dhc-converter-03 (work in progress), October 2019.
[I-D.olteanu-intarea-socks-6] [I-D.olteanu-intarea-socks-6]
Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6", Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6",
draft-olteanu-intarea-socks-6-07 (work in progress), July draft-olteanu-intarea-socks-6-08 (work in progress),
2019. November 2019.
[I-D.peirens-mptcp-transparent] [I-D.peirens-mptcp-transparent]
Peirens, B., Detal, G., Barre, S., and O. Bonaventure, Peirens, B., Detal, G., Barre, S., and O. Bonaventure,
"Link bonding with transparent Multipath TCP", draft- "Link bonding with transparent Multipath TCP", draft-
peirens-mptcp-transparent-00 (work in progress), July peirens-mptcp-transparent-00 (work in progress), July
2016. 2016.
[IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment", [IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment",
IETF Journal, Fall 2016 , n.d.. IETF Journal, Fall 2016 , n.d..
[IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A., [IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A.,
Handley, M., and T. Hideyuki, "Is it still possible to Handley, M., and T. Hideyuki, "Is it still possible to
extend TCP?", Proceedings of the 2011 ACM SIGCOMM extend TCP?", Proceedings of the 2011 ACM SIGCOMM
conference on Internet measurement conference , 2011. conference on Internet measurement conference , 2011.
[RFC1323] Jacobson, V., Braden, R., and D. Borman, "TCP Extensions
for High Performance", RFC 1323, DOI 10.17487/RFC1323, May
1992, <https://www.rfc-editor.org/info/rfc1323>.
[RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers",
RFC 1812, DOI 10.17487/RFC1812, June 1995, RFC 1812, DOI 10.17487/RFC1812, June 1995,
<https://www.rfc-editor.org/info/rfc1812>. <https://www.rfc-editor.org/info/rfc1812>.
[RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies",
RFC 1919, DOI 10.17487/RFC1919, March 1996, RFC 1919, DOI 10.17487/RFC1919, March 1996,
<https://www.rfc-editor.org/info/rfc1919>. <https://www.rfc-editor.org/info/rfc1919>.
[RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and
L. Jones, "SOCKS Protocol Version 5", RFC 1928, L. Jones, "SOCKS Protocol Version 5", RFC 1928,
DOI 10.17487/RFC1928, March 1996, DOI 10.17487/RFC1928, March 1996,
<https://www.rfc-editor.org/info/rfc1928>. <https://www.rfc-editor.org/info/rfc1928>.
[RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
Selective Acknowledgment Options", RFC 2018, specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2018, October 1996, DOI 10.17487/RFC2782, February 2000,
<https://www.rfc-editor.org/info/rfc2018>. <https://www.rfc-editor.org/info/rfc2782>.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <https://www.rfc-editor.org/info/rfc2827>.
[RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z. [RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z.
Shelby, "Performance Enhancing Proxies Intended to Shelby, "Performance Enhancing Proxies Intended to
Mitigate Link-Related Degradations", RFC 3135, Mitigate Link-Related Degradations", RFC 3135,
DOI 10.17487/RFC3135, June 2001, DOI 10.17487/RFC3135, June 2001,
<https://www.rfc-editor.org/info/rfc3135>. <https://www.rfc-editor.org/info/rfc3135>.
[RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
Multipath Operation with Multiple Addresses", RFC 6181, Ciphersuites for Transport Layer Security (TLS)",
DOI 10.17487/RFC6181, March 2011, RFC 4279, DOI 10.17487/RFC4279, December 2005,
<https://www.rfc-editor.org/info/rfc6181>. <https://www.rfc-editor.org/info/rfc4279>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269, P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011, DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>. <https://www.rfc-editor.org/info/rfc6269>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>. <https://www.rfc-editor.org/info/rfc6296>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013, DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>. <https://www.rfc-editor.org/info/rfc6887>.
[RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis,
"Increasing TCP's Initial Window", RFC 6928, "Increasing TCP's Initial Window", RFC 6928,
DOI 10.17487/RFC6928, April 2013, DOI 10.17487/RFC6928, April 2013,
<https://www.rfc-editor.org/info/rfc6928>. <https://www.rfc-editor.org/info/rfc6928>.
[RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013, Weiler, S., and T. Kivinen, "Using Raw Public Keys in
<https://www.rfc-editor.org/info/rfc6978>. Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
[RFC7323] Borman, D., Braden, B., Jacobson, V., and R. June 2014, <https://www.rfc-editor.org/info/rfc7250>.
Scheffenegger, Ed., "TCP Extensions for High Performance",
RFC 7323, DOI 10.17487/RFC7323, September 2014,
<https://www.rfc-editor.org/info/rfc7323>.
[RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A.
Zimmermann, "A Roadmap for Transmission Control Protocol Zimmermann, "A Roadmap for Transmission Control Protocol
(TCP) Specification Documents", RFC 7414, (TCP) Specification Documents", RFC 7414,
DOI 10.17487/RFC7414, February 2015, DOI 10.17487/RFC7414, February 2015,
<https://www.rfc-editor.org/info/rfc7414>. <https://www.rfc-editor.org/info/rfc7414>.
[RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and [RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and
Operational Experience with Multipath TCP", RFC 8041, Operational Experience with Multipath TCP", RFC 8041,
DOI 10.17487/RFC8041, January 2017, DOI 10.17487/RFC8041, January 2017,
skipping to change at page 42, line 36 skipping to change at page 47, line 25
Q., and E. Smith, "Cryptographic Protection of TCP Streams Q., and E. Smith, "Cryptographic Protection of TCP Streams
(tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019, (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019,
<https://www.rfc-editor.org/info/rfc8548>. <https://www.rfc-editor.org/info/rfc8548>.
[TS23501] 3GPP (3rd Generation Partnership Project), ., "Technical [TS23501] 3GPP (3rd Generation Partnership Project), ., "Technical
Specification Group Services and System Aspects; System Specification Group Services and System Aspects; System
Architecture for the 5G System; Stage 2 (Release 16)", Architecture for the 5G System; Stage 2 (Release 16)",
2019, <https://www.3gpp.org/ftp/Specs/ 2019, <https://www.3gpp.org/ftp/Specs/
archive/23_series/23.501/>. archive/23_series/23.501/>.
Appendix A. Change Log Appendix A. Example Socket API Changes to Support the 0-RTT Convert
This section to be removed before publication.
o 00 : initial version, designed to support Multipath TCP and TFO
only
o 00 to -01 : added section Section 6 describing the support of
different standard tracks TCP options by Transport Converters,
clarification of the IANA section, moved the SOCKS comparison to
the appendix and various minor modifications
o 01 to -02: Minor modifications
o 02 to -03: Minor modifications
o 03 to -04: Minor modifications
o 04 to -05: Integrate a lot of feedback from implementors who have
worked on client and server side implementations. The main
modifications are the following :
* TCP Fast Open is not strictly required anymore. Several
implementors expressed concerns about this requirement. The
TFO Cookie protects from some attack scenarios that affect open
servers like web servers. The Convert Protocol is different
and as discussed in RFC7413, there are different ways to
protect from such attacks. Instead of using a TFO cookie
inside the TCP options, which consumes precious space in the
extended TCP header, this version supports the utilization of a
Cookie that is placed in the SYN payload. This provides the
same level of protection as a TFO Cookie in environments were
such protection is required.
* the Bootstrap procedure has been simplified based on feedback
from implementors
* Error messages are not included in RST segments anymore but
sent in the bytestream. Implementors have indicated that
processing such segments on clients was difficult on some
platforms. This change simplifies client implementations.
* Many minor editorial changes to clarify the text based on
implementors feedback.
o 05 to -06: Many clarifications to integrate the comments from the
chairs in preparation to the WGLC:
* Updated IANA policy to require "IETF Review" instead of
"Standard Action"
* Call out explicitly that data in SYNs are relayed by the
Converter
* Reiterate the scope
* Hairpinning behavior can be disabled (policy-based)
* Fix nits
o 07:
* Update the text about supplying data in SYNs to make it clear
that a constraint defined in RFC793 is relaxed following the
same rationale as in RFC7413.
* Nits
* Added Appendix A on example Socket API changes
o 08:
* Added short discussion on the termination of connections
o 09:
* Address various comments received during last call
o 10-13:
* Changes to address the comments from Phil: Add a new section to
group data plane considerations in one place + add a new
appendix with more details on address modes + rearrange the
MPTCP text.
o 14: fixed nits (the shepherd write-up)
Appendix B. Example Socket API Changes to Support the 0-RTT Convert
Protocol Protocol
B.1. Active Open (Client Side) A.1. Active Open (Client Side)
On the client side, the support of the 0-RTT Converter protocol does On the client side, the support of the 0-RTT Converter protocol does
not require any other changes than those identified in Appendix A of not require any other changes than those identified in Appendix A of
[RFC7413]. Those modifications are already supported by multiple TCP [RFC7413]. Those modifications are already supported by multiple TCP
stacks. stacks.
As an example, on Linux, a client can send the 0-RTT Convert message As an example, on Linux, a client can send the 0-RTT Convert message
inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in
the example below: the example below:
skipping to change at page 45, line 12 skipping to change at page 48, line 9
o 0x1: (client) enables sending data in the opening SYN on the o 0x1: (client) enables sending data in the opening SYN on the
client. client.
o 0x4: (client) send data in the opening SYN regardless of cookie o 0x4: (client) send data in the opening SYN regardless of cookie
availability and without a cookie option. availability and without a cookie option.
By setting this configuration variable to 0x5, a Linux client using By setting this configuration variable to 0x5, a Linux client using
the above code would send data inside the SYN without using a TFO the above code would send data inside the SYN without using a TFO
option. option.
B.2. Passive Open (Converter Side) A.2. Passive Open (Converter Side)
The Converter needs to enable the reception of data inside the SYN The Converter needs to enable the reception of data inside the SYN
independently of the utilization of the TFO option. This implies independently of the utilization of the TFO option. This implies
that the Transport Converter application cannot rely on the TFO that the Transport Converter application cannot rely on the TFO
cookies to validate the reachability of the IP address that sent the cookies to validate the reachability of the IP address that sent the
SYN. It must rely on other techniques, such as the Cookie TLV SYN. It must rely on other techniques, such as the Cookie TLV
described in this document, to verify this reachability. described in this document, to verify this reachability.
[RFC7413] suggested the utilization of a TCP_FASTOPEN socket option [RFC7413] suggested the utilization of a TCP_FASTOPEN socket option
the enable the reception of SYNs containing data. Later, Appendix A the enable the reception of SYNs containing data. Later, Appendix A
skipping to change at page 46, line 10 skipping to change at page 49, line 5
However, this configuration is system-wide. This is convenient for However, this configuration is system-wide. This is convenient for
typical Transport Converter deployments where no other applications typical Transport Converter deployments where no other applications
relying on TFO are collocated on the same device. relying on TFO are collocated on the same device.
Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to
provide the same behavior on a per socket basis. This enables a provide the same behavior on a per socket basis. This enables a
single host to support both servers that require the TFO cookie and single host to support both servers that require the TFO cookie and
servers that do not use it. servers that do not use it.
Appendix C. Some Design Considerations
Several implementors expressed concerns about the use of TFO. As a
reminder, the TFO Cookie protects from some attack scenarios that
affect open servers like web servers. The Convert Protocol is
different and, as discussed in RFC7413, there are different ways to
protect from such attacks. Instead of using a TFO cookie inside the
TCP options, which consumes precious space in the extended TCP
header, the Convert Protocol supports the utilization of a Cookie
that is placed in the SYN payload. This provides the same level of
protection as a TFO Cookie in environments were such protection is
required.
Error messages are not included in RST segments but sent in the
bytestream. Implementors have indicated that processing such
segments on clients was difficult on some platforms. This change
simplifies client implementations.
Appendix D. Address Preservation vs. Address Sharing
The Transport Converter is provided with instructions about the
behavior to adopt with regards to the processing of source addresses
of outgoing packets. The following sub-sections discusses two
deployment models for illustration purposes. It is out of the scope
of this document to make a recommendation.
D.1. Address Preservation
In this model, the visible source IP address of a packet proxied by a
Transport Converter to a Server is an IP address of the end host
(Client). No dedicated IP address pool is provisioned to the
Transport Converter.
For Multipath TCP, the Transport Converter preserves the source IP
address used by the Client when establishing the initial subflow.
Data conveyed in secondary subflows will be proxied by the Transport
Converter using the source IP address of the initial subflow. An
example of a proxied Multipath TCP connection with address
preservation is shown in Figure 25.
Transport
Client Converter Server
@:C1,C2 @:Tc @:S
|| | |
|src:C1 SYN dst:Tc|src:C1 dst:S|
|-------MPC [->S:port]------->|-------SYN------->|
|| | |
||dst:C1 src:Tc|dst:C1 src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----|
|| | |
|src:C1 dst:Tc|src:C1 dst:S|
|------------ACK------------->|-------ACK------->|
| | |
|src:C2 ... dst:Tc| ... |
||<-----Secondary Subflow---->|src:C1 dst:S|
|| |-------data------>|
| .. | ... |
Legend:
Tc: IP address used by the Transport Converter on its customer-facing
interface.
Figure 25: Example of Address Preservation
The Transport Converter must be on the forwarding path of incoming
traffic. Because the same (destination) IP address is used for both
proxied and non-proxied connections, the Transport Converter should
not drop incoming packets it intercepts if no matching entry is found
for the packets. Unless explicitly configured otherwise, such
packets are forwarded according to the instructions of a local
forwarding table.
D.2. Address/Prefix Sharing
A pool of global IPv4 addresses is provisioned to the Transport
Converter along with possible instructions about the address sharing
ratio to apply (see Appendix B of [RFC6269]). An address is thus
shared among multiple clients.
Likewise, rewriting the source IPv6 prefix [RFC6296] may be used to
ease redirection of incoming IPv6 traffic towards the appropriate
Transport Converter. A pool of IPv6 prefixes is then provisioned to
the Transport Converter for this purpose.
Adequate forwarding policies are enforced so that traffic destined to
an address of such pool is intercepted by the appropriate Transport
Converter. Unlike Appendix D.1, the Transport Converter drops
incoming packets which do not match an active transport session
entry.
An example is shown in Figure 26.
Transport
Client Converter Server
@:C @:Tc|Te @:S
| | |
|src:C dst:Tc|src:Te dst:S|
|-------SYN [->S:port]------->|-------SYN------->|
| | |
|dst:C src:Tc|dst:Te src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----|
| | |
|src:C dst:Tc|src:Te dst:S|
|------------ACK------------->|-------ACK------->|
| | |
| ... | ... |
Legend:
Tc: IP address used by the Transport Converter for its customer-facing
interface.
Te: IP address used by the Transport Converter for its Internet-facing
interface.
Figure 26: Address Sharing
Appendix E. Differences with SOCKSv5
At a first glance, the solution proposed in this document could seem
similar to the SOCKS v5 protocol [RFC1928] which is used to proxy TCP
connections. The Client creates a connection to a SOCKS proxy,
exchanges authentication information and indicates the destination
address and port of the final server. At this point, the SOCKS proxy
creates a connection towards the final server and relays all data
between the two proxied connections. The operation of an
implementation based on SOCKSv5 is illustrated in Figure 27.
Client SOCKS Proxy Server
-------------------->
SYN
<--------------------
SYN+ACK
-------------------->
ACK
-------------------->
Version=5, Auth Methods
<--------------------
Method
-------------------->
Auth Request (unless "No auth" method negotiated)
<--------------------
Auth Response
-------------------->
Connect Server:Port -------------------->
SYN
<--------------------
SYN+ACK
<--------------------
Succeeded
-------------------->
Data1
-------------------->
Data1
<--------------------
Data2
<--------------------
Data2
Figure 27: Establishment of a TCP connection through a SOCKS proxy
without authentication
The Convert Protocol also relays data between an upstream and a
downstream connection, but there are important differences with
SOCKSv5.
A first difference is that the Convert Protocol exchanges all control
information during the three-way handshake. This reduces the
connection establishment delay compared to SOCKS that requires two or
more round-trip-times before the establishment of the downstream
connection towards the final destination. In today's Internet,
latency is a important metric and various protocols have been tuned
to reduce their latency [I-D.arkko-arch-low-latency]. A recently
proposed extension to SOCKS leverages the TFO option
[I-D.olteanu-intarea-socks-6].
A second difference is that the Convert Protocol explicitly takes the
TCP extensions into account. By using the Convert Protocol, the
Client can learn whether a given TCP extension is supported by the
destination Server. This enables the Client to bypass the Transport
Converter when the destination supports the required TCP extension.
Neither SOCKS v5 [RFC1928] nor the proposed SOCKS v6
[I-D.olteanu-intarea-socks-6] provide such a feature.
A third difference is that a Transport Converter will only accept the
connection initiated by the Client provided that the downstream
connection is accepted by the Server. If the Server refuses the
connection establishment attempt from the Transport Converter, then
the upstream connection from the Client is rejected as well. This
feature is important for applications that check the availability of
a Server or use the time to connect as a hint on the selection of a
Server [RFC8305].
A fourth difference is that the Convert Protocol only allows the
client to specify the address/port of the destination server and not
a DNS name. We evaluated an alternate design for the Connect TLV
that included the DNS name of the remote peer instead of its IP
address as in SOCKS [RFC1928]. However, that design was not adopted
because it induces both an extra load and increased delays on the
Transport Converter to handle and manage DNS resolution requests.
Acknowledgments Acknowledgments
Although they could disagree with the contents of the document, we Although they could disagree with the contents of the document, we
would like to thank Joe Touch and Juliusz Chroboczek whose comments would like to thank Joe Touch and Juliusz Chroboczek whose comments
on the MPTCP mailing list have forced us to reconsider the design of on the MPTCP mailing list have forced us to reconsider the design of
the solution several times. the solution several times.
We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha
Nandugudi and Gregory Vander Schueren for their help in preparing Nandugudi and Gregory Vander Schueren for their help in preparing
this document. Nandini Ganesh provided valuable feedback about the this document. Nandini Ganesh provided valuable feedback about the
handling of TFO and the error codes. Yuchung Cheng and Praveen handling of TFO and the error codes. Yuchung Cheng and Praveen
Balasubramanian helped to clarify the discussion on supplying data in Balasubramanian helped to clarify the discussion on supplying data in
SYNs. Phil Eardley and Michael Scharf's helped to clarify different SYNs. Phil Eardley and Michael Scharf's helped to clarify different
parts of the text. parts of the text.
Many thanks to Mirja Kuehlewind for the detailed AD review.
This document builds upon earlier documents that proposed various This document builds upon earlier documents that proposed various
forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode],
[I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b].
From [I-D.boucadair-mptcp-plain-mode]: From [I-D.boucadair-mptcp-plain-mode]:
Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi
Nishida, and Christoph Paasch for their valuable comments. Nishida, and Christoph Paasch for their valuable comments.
Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and
skipping to change at page 52, line 16 skipping to change at page 50, line 38
The authors of [I-D.peirens-mptcp-transparent] were: The authors of [I-D.peirens-mptcp-transparent] were:
o Bart Peirens o Bart Peirens
o Gregory Detal o Gregory Detal
o Sebastien Barre o Sebastien Barre
o Olivier Bonaventure o Olivier Bonaventure
Change Log
This section to be removed before publication.
o 00 : initial version, designed to support Multipath TCP and TFO
only
o 00 to -01 : added section Section 7 describing the support of
different standard tracks TCP options by Transport Converters,
clarification of the IANA section, moved the SOCKS comparison to
the appendix and various minor modifications
o 01 to -02: Minor modifications
o 02 to -03: Minor modifications
o 03 to -04: Minor modifications
o 04 to -05: Integrate a lot of feedback from implementers who have
worked on client and server side implementations. The main
modifications are the following :
* TCP Fast Open is not strictly required anymore. Several
implementers expressed concerns about this requirement. The
TFO Cookie protects from some attack scenarios that affect open
servers like web servers. The Convert Protocol is different
and as discussed in RFC7413, there are different ways to
protect from such attacks. Instead of using a TFO cookie
inside the TCP options, which consumes precious space in the
extended TCP header, this version supports the utilization of a
Cookie that is placed in the SYN payload. This provides the
same level of protection as a TFO Cookie in environments were
such protection is required.
* the Bootstrap procedure has been simplified based on feedback
from implementers
* Error messages are not included in RST segments anymore but
sent in the bytestream. Implementers have indicated that
processing such segments on clients was difficult on some
platforms. This change simplifies client implementations.
* Many minor editorial changes to clarify the text based on
implementers feedback.
o 05 to -06: Many clarifications to integrate the comments from the
chairs in preparation to the WGLC:
* Updated IANA policy to require "IETF Review" instead of
"Standard Action"
* Call out explicitly that data in SYNs are relayed by the
Converter
* Reiterate the scope
* Hairpinning behavior can be disabled (policy-based)
* Fix nits
o 07:
* Update the text about supplying data in SYNs to make it clear
that a constraint defined in RFC793 is relaxed following the
same rationale as in RFC7413.
* Nits
* Added Appendix A on example Socket API changes
o 08:
* Added short discussion on the termination of connections
o 09:
* Address various comments received during last call
o 10-13:
* Changes to address the comments from Phil: Add a new section to
group data plane considerations in one place + add a new
appendix with more details on address modes + rearrange the
MPTCP text.
o 14: fixed nits (the shepherd write-up)
o 15: Various clarifications in the text to address the detailed
comments provided by Mirja Kuehlewind
Authors' Addresses Authors' Addresses
Olivier Bonaventure (editor) Olivier Bonaventure (editor)
Tessares Tessares
Email: Olivier.Bonaventure@tessares.net Email: Olivier.Bonaventure@tessares.net
Mohamed Boucadair (editor) Mohamed Boucadair (editor)
Orange Orange
Clos Courtel Clos Courtel
 End of changes. 201 change blocks. 
896 lines changed or deleted 891 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/