draft-ietf-tcpm-converters-17.txt   draft-ietf-tcpm-converters-18.txt 
TCPM Working Group O. Bonaventure, Ed. TCPM Working Group O. Bonaventure, Ed.
Internet-Draft Tessares Internet-Draft Tessares
Intended status: Experimental M. Boucadair, Ed. Intended status: Experimental M. Boucadair, Ed.
Expires: August 31, 2020 Orange Expires: September 7, 2020 Orange
S. Gundavelli S. Gundavelli
Cisco Cisco
S. Seo S. Seo
Korea Telecom Korea Telecom
B. Hesmans B. Hesmans
Tessares Tessares
February 28, 2020 March 06, 2020
0-RTT TCP Convert Protocol 0-RTT TCP Convert Protocol
draft-ietf-tcpm-converters-17 draft-ietf-tcpm-converters-18
Abstract Abstract
This document specifies an application proxy, called Transport This document specifies an application proxy, called Transport
Converter, to assist the deployment of TCP extensions such as Converter, to assist the deployment of TCP extensions such as
Multipath TCP. A Transport Converter may provide conversion service Multipath TCP. A Transport Converter may provide conversion service
for one or more TCP extensions. The conversion service is provided for one or more TCP extensions. The conversion service is provided
by means of the TCP Convert Protocol (Convert). by means of the TCP Convert Protocol (Convert).
This protocol provides 0-RTT (Zero Round-Trip Time) conversion This protocol provides 0-RTT (Zero Round-Trip Time) conversion
service since no extra delay is induced by the protocol compared to service since no extra delay is induced by the protocol compared to
connections that are not proxied. Also, the Convert Protocol does connections that are not proxied. Also, the Convert Protocol does
not require any encapsulation (no tunnels, whatsoever). not require any encapsulation (no tunnels, whatsoever).
This specification assumes an explicit model, where the Transport This specification assumes an explicit model, where the Transport
Converter is explicitly configured on hosts. Converter is explicitly configured on hosts. As a sample
applicability use case, this document specifies how the Convert
Protocol applies for Multipath TCP.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 7, 2020.
This Internet-Draft will expire on August 31, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 26
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Network-Assisted Connections: The Rationale . . . . . . . 4 1.2. Network-Assisted Connections: The Rationale . . . . . . . 4
1.3. Applicability Scope . . . . . . . . . . . . . . . . . . . 6
2. Differences with SOCKSv5 . . . . . . . . . . . . . . . . . . 6 2. Differences with SOCKSv5 . . . . . . . . . . . . . . . . . . 6
3. Conventions and Definitions . . . . . . . . . . . . . . . . . 8 3. Conventions and Definitions . . . . . . . . . . . . . . . . . 8
4. Architecture & Behaviors . . . . . . . . . . . . . . . . . . 9 4. Architecture & Behaviors . . . . . . . . . . . . . . . . . . 9
4.1. Functional Elements . . . . . . . . . . . . . . . . . . . 9 4.1. Functional Elements . . . . . . . . . . . . . . . . . . . 9
4.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 11 4.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 10
4.3. Data Processing at the Transport Converter . . . . . . . 14 4.3. Data Processing at the Transport Converter . . . . . . . 14
4.4. Address Preservation vs. Address Sharing . . . . . . . . 16 4.4. Address Preservation vs. Address Sharing . . . . . . . . 16
4.4.1. Address Preservation . . . . . . . . . . . . . . . . 16 4.4.1. Address Preservation . . . . . . . . . . . . . . . . 16
4.4.2. Address/Prefix Sharing . . . . . . . . . . . . . . . 17 4.4.2. Address/Prefix Sharing . . . . . . . . . . . . . . . 17
5. Sample Examples . . . . . . . . . . . . . . . . . . . . . . . 18 5. Sample Examples . . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Outgoing Converter-Assisted Multipath TCP Connections . . 18 5.1. Outgoing Converter-Assisted Multipath TCP Connections . . 18
5.2. Incoming Converter-Assisted Multipath TCP Connection . . 20 5.2. Incoming Converter-Assisted Multipath TCP Connection . . 20
6. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 21 6. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 21
6.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 22 6.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 22
6.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 23 6.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 23
6.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 23 6.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 23
6.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 23 6.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 24
6.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 24 6.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 25
6.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 25 6.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 25
6.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 25 6.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 26
6.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 28 6.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 28
6.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 29 6.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 29
6.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 30 6.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 30
7. Compatibility of Specific TCP Options with the Conversion 7. Compatibility of Specific TCP Options with the Conversion
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 33 7.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 33
7.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 33 7.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 34
7.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 34 7.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 34
7.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 34 7.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 35
7.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 35 7.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 35
7.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 35 7.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 35
7.7. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 36 7.7. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 36
8. Interactions with Middleboxes . . . . . . . . . . . . . . . . 36 8. Interactions with Middleboxes . . . . . . . . . . . . . . . . 36
9. Security Considerations . . . . . . . . . . . . . . . . . . . 37 9. Security Considerations . . . . . . . . . . . . . . . . . . . 37
9.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 37 9.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 37
9.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 37 9.2. Authentication and Authorization Considerations . . . . . 38
9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 38 9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 39
9.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 39 9.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 40
9.5. Authentication Considerations . . . . . . . . . . . . . . 39 9.5. Logging . . . . . . . . . . . . . . . . . . . . . . . . . 40
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
10.1. Convert Service Name . . . . . . . . . . . . . . . . . . 40 10.1. Convert Service Name . . . . . . . . . . . . . . . . . . 40
10.2. The Convert Protocol (Convert) Parameters . . . . . . . 40 10.2. The Convert Protocol (Convert) Parameters . . . . . . . 41
10.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 41 10.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 41
10.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 41 10.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 42
10.2.3. Convert Error Messages . . . . . . . . . . . . . . . 42 10.2.3. Convert Error Messages . . . . . . . . . . . . . . . 42
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 43
11.1. Normative References . . . . . . . . . . . . . . . . . . 43 11.1. Normative References . . . . . . . . . . . . . . . . . . 43
11.2. Informative References . . . . . . . . . . . . . . . . . 44 11.2. Informative References . . . . . . . . . . . . . . . . . 45
Appendix A. Example Socket API Changes to Support the 0-RTT Appendix A. Example Socket API Changes to Support the 0-RTT
Convert Protocol . . . . . . . . . . . . . . . . . . 47 Convert Protocol . . . . . . . . . . . . . . . . . . 48
A.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 47 A.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 48
A.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 48 A.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 49
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 49 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 50
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53
1. Introduction 1. Introduction
1.1. The Problem 1.1. The Problem
Transport protocols like TCP evolve regularly [RFC7414]. TCP has Transport protocols like TCP evolve regularly [RFC7414]. TCP has
been improved in different ways. Some improvements such as changing been improved in different ways. Some improvements such as changing
the initial window size [RFC6928] or modifying the congestion control the initial window size [RFC6928] or modifying the congestion control
scheme can be applied independently on clients and servers. Other scheme can be applied independently on clients and servers. Other
improvements such as Selective Acknowledgments [RFC2018] or large improvements such as Selective Acknowledgments [RFC2018] or large
skipping to change at page 4, line 19 skipping to change at page 4, line 21
transport protocol even if the servers have not yet been upgraded and transport protocol even if the servers have not yet been upgraded and
conversely. Some assistance from the network to make use of these conversely. Some assistance from the network to make use of these
features is valuable. For example, Performance Enhancing Proxies features is valuable. For example, Performance Enhancing Proxies
[RFC3135], and other service functions have been deployed as [RFC3135], and other service functions have been deployed as
solutions to improve TCP performance over links with specific solutions to improve TCP performance over links with specific
characteristics. characteristics.
Recent examples of TCP extensions include Multipath TCP (MPTCP) Recent examples of TCP extensions include Multipath TCP (MPTCP)
[RFC6824] or TCPINC [RFC8548]. Those extensions provide features [RFC6824] or TCPINC [RFC8548]. Those extensions provide features
that are interesting for clients such as wireless devices. With that are interesting for clients such as wireless devices. With
Multipath TCP, those devices could seamlessly use WLAN (Wireless Multipath TCP, those devices could seamlessly use Wireless Local Area
Local Area Network) and cellular networks, for bonding purposes, Network (WLAN) and cellular networks, for bonding purposes, faster
faster hand-overs, or better resiliency. Unfortunately, deploying hand-overs, or better resiliency. Unfortunately, deploying those
those extensions on both a wide range of clients and servers remains extensions on both a wide range of clients and servers remains
difficult. difficult.
More recently, 5G bonding experimentation has been conducted into More recently, 5G bonding experimentation has been conducted into
global range of the incumbent 4G (LTE) connectivity using newly global range of the incumbent 4G (LTE) connectivity using newly
devised clients and a Multipath TCP proxy. Even if the 5G and the 4G devised clients and a Multipath TCP proxy. Even if the 5G and the 4G
bonding relying upon Multipath TCP increases the bandwidth, it is as bonding (that relies upon Multipath TCP) increases the bandwidth, it
well crucial to minimize latency for all the way between endhosts is as well crucial to minimize latency for all the way between
regardless of whether intermediate nodes are inside or outside of the endhosts regardless of whether intermediate nodes are inside or
mobile core. In order to handle URLLC (Ultra Reliable Low Latency outside of the mobile core. In order to handle Ultra Reliable Low
Communication) for the next generation mobile network, Multipath TCP Latency Communication (URLLC) for the next generation mobile network,
and its proxy mechanism such as the one used to provide Access Multipath TCP and its proxy mechanism such as the one used to provide
Traffic Steering, Switching, and Splitting (ATSSS) must be optimized Access Traffic Steering, Switching, and Splitting (ATSSS) must be
to reduce latency [TS23501]. optimized to reduce latency [TS23501].
1.2. Network-Assisted Connections: The Rationale 1.2. Network-Assisted Connections: The Rationale
This document specifies an application proxy, called Transport This document specifies an application proxy, called Transport
Converter. A Transport Converter is a function that is installed by Converter. A Transport Converter is a function that is installed by
a network operator to aid the deployment of TCP extensions and to a network operator to aid the deployment of TCP extensions and to
provide the benefits of such extensions to clients. A Transport provide the benefits of such extensions to clients in particular. A
Converter may provide conversion service for one or more TCP Transport Converter may provide conversion service for one or more
extensions. Which TCP extensions are eligible to the conversion TCP extensions. Which TCP extensions are eligible to the conversion
service is deployment-specific. The conversion service is provided service is deployment-specific. The conversion service is provided
by means of the 0-RTT TCP Convert Protocol (Convert), that is an by means of the 0-RTT TCP Convert Protocol (Convert), that is an
application-layer protocol which uses a dedicated TCP port number. application-layer protocol which uses a specific TCP port number.
The Convert Protocol provides 0-RTT (Zero Round-Trip Time) conversion The Convert Protocol provides Zero Round-Trip Time (0-RTT) conversion
service since no extra delay is induced by the protocol compared to service since no extra delay is induced by the protocol compared to
connections that are not proxied. Particularly, the Convert Protocol connections that are not proxied. Particularly, the Convert Protocol
does not require extra signaling setup delays before making use of does not require extra signaling setup delays before making use of
the conversion service. The Convert Protocol does not require any the conversion service. The Convert Protocol does not require any
encapsulation (no tunnels, whatsoever). encapsulation (no tunnels, whatsoever).
The Transport Converter adheres to the main principles drawn in The Transport Converter adheres to the main steps drawn in Section 3
[RFC1919]. In particular, a Transport Converter achieves the of [RFC1919]. In particular, a Transport Converter achieves the
following: following:
o Listen for client sessions; o Listen for client sessions;
o Receive from a client the address of the final target server; o Receive from a client the address of the server;
o Setup a session to the final server; o Setup a session to the server;
o Relay control messages and data between the client and the server; o Relay control messages and data between the client and the server;
o Perform access controls according to local policies. o Perform access controls according to local policies.
The main advantage of network-assisted conversion services is that The main advantage of network-assisted conversion services is that
they enable new TCP extensions to be used on a subset of the path they enable new TCP extensions to be used on a subset of the path
between endpoints, which encourages the deployment of these between endpoints, which encourages the deployment of these
extensions. Furthermore, the Transport Converter allows the client extensions. Furthermore, the Transport Converter allows the client
and the server to directly negotiate TCP extensions for the sake of and the server to directly negotiate TCP extensions for the sake of
skipping to change at page 6, line 24 skipping to change at page 6, line 29
brief overview of the differences between the well-known SOCKS brief overview of the differences between the well-known SOCKS
protocol and the 0-RTT Convert protocol. Section 4 provides a brief protocol and the 0-RTT Convert protocol. Section 4 provides a brief
explanation of the operation of Transport Converters. Then, explanation of the operation of Transport Converters. Then,
Section 6 describes the Convert Protocol. Section 7 discusses how Section 6 describes the Convert Protocol. Section 7 discusses how
Transport Converters can be used to support different TCP extensions. Transport Converters can be used to support different TCP extensions.
Section 8 then discusses the interactions with middleboxes, while Section 8 then discusses the interactions with middleboxes, while
Section 9 focuses on the security considerations. Appendix A Section 9 focuses on the security considerations. Appendix A
describes how a TCP stack would need to support the protocol describes how a TCP stack would need to support the protocol
described in this document. described in this document.
1.3. Applicability Scope
0-RTT TCP Convert Protocol specified in this document MUST be used in
a single administrative domain deployment model. That is, the entity
offering the connectivity service to a client is also be entity which
owns and operates the Transport Converter, with no transit over a
third-party network.
Deployment of Transport Converters by third parties MUST adhere to
the mutual authentication requirements in Section 9.2 to prevent
illegitimate traffic interception (Section 9.4), in particular.
2. Differences with SOCKSv5 2. Differences with SOCKSv5
Several IETF protocols provide proxy services; the closest to the Several IETF protocols provide proxy services; the closest to the
0-RTT Convert protocol being the SOCKSv5 protocol [RFC1928]. This 0-RTT Convert protocol being the SOCKSv5 protocol [RFC1928]. This
protocol is already used to deploy Multipath TCP in some cellular protocol is already used to deploy Multipath TCP in some cellular
networks (Section 2.2 of [RFC8041]). networks (Section 2.2 of [RFC8041]).
A SOCKS Client creates a connection to a SOCKS Proxy, exchanges A SOCKS Client creates a connection to a SOCKS Proxy, exchanges
authentication information, and indicates the IP address and port authentication information, and indicates the IP address and port
number of the target Server. At this point, the SOCKS Proxy creates number of the target Server. At this point, the SOCKS Proxy creates
skipping to change at page 8, line 9 skipping to change at page 8, line 12
all bytes sent by the application (Client) to the SOCKS Proxy are all bytes sent by the application (Client) to the SOCKS Proxy are
relayed to the Server and vice versa. relayed to the Server and vice versa.
The Convert Protocol is also used on TCP proxies that relay data The Convert Protocol is also used on TCP proxies that relay data
between an upstream and a downstream connection, but there are between an upstream and a downstream connection, but there are
important differences with SOCKSv5. A first difference is that the important differences with SOCKSv5. A first difference is that the
0-RTT Convert protocol exchanges all the control information during 0-RTT Convert protocol exchanges all the control information during
the initial RTT. This reduces the connection establishment delay the initial RTT. This reduces the connection establishment delay
compared to SOCKS which requires two or more round-trip-times before compared to SOCKS which requires two or more round-trip-times before
the establishment of the downstream connection towards the final the establishment of the downstream connection towards the final
destination. In today's Internet, latency is a important metric and destination. In today's Internet, latency is an important metric and
various protocols have ben tuned to reduce their latency various protocols have been tuned to reduce their latency
[I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS [I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS
leverages the TFO (TCP Fast Open) option leverages the TCP Fast Open (TFO) option
[I-D.olteanu-intarea-socks-6] to reduce this delay. [I-D.olteanu-intarea-socks-6] to reduce this delay.
A second difference is that the Convert Protocol explicitly takes the A second difference is that the Convert Protocol explicitly takes the
TCP extensions into account. By using the Convert Protocol, the TCP extensions into account. By using the Convert Protocol, the
Client can learn whether a given TCP extension is supported by the Client can learn whether a given TCP extension is supported by the
destination Server. This enables the Client to bypass the Transport destination Server. This enables the Client to bypass the Transport
Converter when the Server supports the required TCP extension(s). Converter when the Server supports the required TCP extension(s).
Neither SOCKSv5 [RFC1928] nor the proposed SOCKSv6 Neither SOCKSv5 [RFC1928] nor the proposed SOCKSv6
[I-D.olteanu-intarea-socks-6] provide such a feature. [I-D.olteanu-intarea-socks-6] provide such a feature.
skipping to change at page 9, line 24 skipping to change at page 9, line 24
o Servers. o Servers.
A Transport Converter is a network function that proxies all data A Transport Converter is a network function that proxies all data
exchanged over one upstream connection to one downstream connection exchanged over one upstream connection to one downstream connection
and vice versa (Figure 2). The Transport Converter, thus, maintains and vice versa (Figure 2). The Transport Converter, thus, maintains
state that associates one upstream connection to a corresponding state that associates one upstream connection to a corresponding
downstream connection. downstream connection.
A connection can be initiated from both sides of the Transport A connection can be initiated from both sides of the Transport
Converter (Internet-facing interface, customer-facing interface). Converter (External realm, Internal realm).
| |
: :
| |
+------------+ +------------+
Client <- upstream ->| Transport |<- downstream -> Server Client <- upstream ->| Transport |<- downstream -> Server
connection | Converter | connection connection | Converter | connection
+------------+ +------------+
| |
customer-facing interface : Internet-facing interface Internal realm : External realm
| |
Figure 2: A Transport Converter Proxies Data between Pairs of TCP Figure 2: A Transport Converter Proxies Data between Pairs of TCP
Connections Connections
"Client" refers to a software instance embedded on a host that can "Client" refers to a software instance embedded on a host that can
reach a Transport Converter via its customer-facing interface. The reach a Transport Converter in the internal realm. The "Client" can
"Client" can initiate connections via a Transport Converter (referred initiate connections via a Transport Converter (referred to as
to as outgoing connections). Also, the "Client" can accept incoming outgoing connections). Also, the "Client" can accept incoming
connections via a Transport Converter (referred to as incoming connections via a Transport Converter (referred to as incoming
connections). connections).
Transport Converters can be operated by network operators or third
parties. Nevertheless, this document focuses on the single
administrative deployment case where the entity offering the
connectivity service to a client is also the entity which owns and
operates the Transport Converter.
A Transport Converter can be embedded in a standalone device or be A Transport Converter can be embedded in a standalone device or be
activated as a service on a router. How such function is enabled is activated as a service on a router. How such function is enabled is
deployment-specific. deployment-specific.
The architecture assumes that new software will be installed on the The architecture assumes that new software will be installed on the
Client hosts to interact with one or more Transport Converters. Client hosts to interact with one or more Transport Converters.
Furthermore, the architecture allows for making use of new TCP Furthermore, the architecture allows for making use of new TCP
extensions even if those are not supported by a given server. extensions even if those are not supported by a given server.
A Client is configured, through means that are outside the scope of A Client is configured, through means that are outside the scope of
this document, with the names and/or the addresses of one or more this document, with the names and/or the addresses of one or more
Transport Converters and the TCP extensions that they support. The Transport Converters and the TCP extensions that they support. The
procedure for selecting a Transport Converter among a list of procedure for selecting a Transport Converter among a list of
configured Transport Converters is outside the scope of this configured Transport Converters is outside the scope of this
document. document.
skipping to change at page 10, line 48 skipping to change at page 10, line 42
\==========================================/ \==========================================/
* TLS messages exchanged between the Client * TLS messages exchanged between the Client
and the Server are not shown. and the Server are not shown.
Figure 3: End-to-end TLS via a Transport Converter Figure 3: End-to-end TLS via a Transport Converter
It is out of scope of this document to elaborate on specific It is out of scope of this document to elaborate on specific
considerations related to the use of TLS in the Client-Converter considerations related to the use of TLS in the Client-Converter
connection leg to exchange Convert messages (in addition to the end- connection leg to exchange Convert messages (in addition to the end-
to-end TLS connection). to-end TLS connection). In particular, (1) assessment whether 0-RTT
data mode discussed in Section 2.3 of [RFC8446] is safe under replay
and (2) specification of a profile for its use (Section E.5 of
[RFC8446]) are out of scope.
4.2. Theory of Operation 4.2. Theory of Operation
At a high level, the objective of the Transport Converter is to allow At a high level, the objective of the Transport Converter is to allow
the use a specific extension, e.g., Multipath TCP, on a subset of the the use a specific extension, e.g., Multipath TCP, on a subset of the
path even if the peer does not support this extension. This is path even if the peer does not support this extension. This is
illustrated in Figure 4 where the Client initiates a Multipath TCP illustrated in Figure 4 where the Client initiates a Multipath TCP
connection with the Transport Converter (packets belonging to the connection with the Transport Converter (packets belonging to the
Multipath TCP connection are shown with "===") while the Transport Multipath TCP connection are shown with "===") while the Transport
Converter uses a regular TCP connection with the Server. Converter uses a TCP connection with the Server.
Client Transport Server Client Transport Server
| Converter | | Converter |
| | | | | |
|==================>|--------------------->| |==================>|--------------------->|
| | | | | |
|<==================|<---------------------| |<==================|<---------------------|
| | | | | |
Multipath TCP packets Regular TCP packets Multipath TCP packets TCP packets
Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP
Connection Connection
The packets belonging to a connection established through a Transport The packets belonging to a connection established through a Transport
Converter may follow a different path than the packets directly Converter may follow a different path than the packets directly
exchanged between the Client and the Server. Deployments should exchanged between the Client and the Server. Deployments should
minimize the possible additional delay by carefully selecting the minimize the possible additional delay by carefully selecting the
location of the Transport Converter used to reach a given location of the Transport Converter used to reach a given
destination. destination.
skipping to change at page 12, line 51 skipping to change at page 12, line 48
messages belonging to the connection. messages belonging to the connection.
The connection can also be established from the Internet towards a The connection can also be established from the Internet towards a
Client via a Transport Converter (Figure 6). This is typically the Client via a Transport Converter (Figure 6). This is typically the
case when the Client hosts an application server that listens to a case when the Client hosts an application server that listens to a
specific port number. When the Converter receives an incoming SYN specific port number. When the Converter receives an incoming SYN
from a remote host, it checks if it can provide the conversion from a remote host, it checks if it can provide the conversion
service for the destination IP address and destination port number of service for the destination IP address and destination port number of
that SYN. The Transport Converter receives this SYN because it is, that SYN. The Transport Converter receives this SYN because it is,
for example, on the path between the remote host and the Client or it for example, on the path between the remote host and the Client or it
provides address sharing service for the Client. If the check fails, provides address sharing service for the Client (Section 2 of
the packet is silently ignored by the Converter. If the check is [RFC6269]). If the check fails, the packet is silently ignored by
successful, the Converter tries to initiate a TCP connection towards the Converter. If the check is successful, the Converter tries to
the Client from its own address and using its configured TCP options. initiate a TCP connection towards the Client from its own address and
In the SYN that corresponds to this connection attempt, the Transport using its configured TCP options. In the SYN that corresponds to
Convert inserts a TLV message that indicates the source address and this connection attempt, the Transport Convert inserts a TLV message
port number of the remote host. A transport session entry is created that indicates the source address and port number of the remote host.
by the Converter for this connection. SYN+ACK and ACK will be then A transport session entry is created by the Converter for this
exchanged between the Client, the Converter, and remote host to connection. SYN+ACK and ACK will be then exchanged between the
confirm the establishment of the connection. The Converter uses the Client, the Converter, and remote host to confirm the establishment
transport session entry to proxy packets belonging to the connection. of the connection. The Converter uses the transport session entry to
proxy packets belonging to the connection.
Transport Remote Transport Remote
Client Converter Host (RH) Client Converter Host (RH)
| | | | | |
|SYN [<-RH IP@:port]| SYN | |SYN [<-RH IP@:port]| SYN |
|<------------------|<---------------------| |<------------------|<---------------------|
|------------------>|--------------------->| |------------------>|--------------------->|
| SYN+ACK [ ] | SYN+ACK | | SYN+ACK [ ] | SYN+ACK |
| ... | ... | | ... | ... |
skipping to change at page 14, line 5 skipping to change at page 14, line 4
the payload of SYN packets without creating additional security risks the payload of SYN packets without creating additional security risks
such as a network where addresses cannot be spoofed and the Transport such as a network where addresses cannot be spoofed and the Transport
Converter only serves a set of hosts that are identified by these Converter only serves a set of hosts that are identified by these
addresses. addresses.
For these reasons, this specification does not mandate the use of the For these reasons, this specification does not mandate the use of the
TCP Fast Open option when the Client sends a connection establishment TCP Fast Open option when the Client sends a connection establishment
packet towards a Transport Converter. The Convert Protocol includes packet towards a Transport Converter. The Convert Protocol includes
an optional Cookie TLV that provides similar protection as the TCP an optional Cookie TLV that provides similar protection as the TCP
Fast Open option without consuming space in the TCP header. Fast Open option without consuming space in the TCP header.
Furthermore, this design allows for the use of longer cookies than Furthermore, this design allows for the use of longer cookies than
[RFC7413]. [RFC7413].
If the downstream (or upstream) connection fails for some reason If the downstream (or upstream) connection fails for some reason
(excessive retransmissions, reception of an RST segment, etc.), then (excessive retransmissions, reception of an RST segment, etc.), then
the Converter reacts by forcing the tear-down of the upstream (or the Converter reacts by forcing the tear-down of the upstream (or
downstream) connection. downstream) connection. In particular, if an ICMP error message that
indicates a hard error is received on the downstream connection, the
Converter echoes the Code field of that ICMP message in a Destination
Unreachable Error TLV (see Section 6.2.8) that it transmits to the
Client. Note that if an ICMP error message that indicates a soft
error is received on the downstream connection, the Converter will
retransmit the corresponding data until it is acknowledged or the
connection times out. A classification of ICMP soft and hard errors
is provided in Table 1 of [RFC5461].
The same reasoning applies when the upstream connection ends with an The same reasoning applies when the upstream connection ends with an
exchange of FIN packets. In this case, the Converter will also exchange of FIN packets. In this case, the Converter will also
terminate the downstream connection by using FIN packets. If the terminate the downstream connection by using FIN packets. If the
downstream connection terminates with the exchange of FIN packets, downstream connection terminates with the exchange of FIN packets,
the Converter should initiate a graceful termination of the upstream the Converter should initiate a graceful termination of the upstream
connection. connection.
4.3. Data Processing at the Transport Converter 4.3. Data Processing at the Transport Converter
skipping to change at page 14, line 43 skipping to change at page 15, line 13
transport session entry for TCP connections is shown in Figure 7. transport session entry for TCP connections is shown in Figure 7.
(C,c) <--> (T,t), (S,s), Lifetime (C,c) <--> (T,t), (S,s), Lifetime
Where: Where:
* C and c are the source IP address and source port number * C and c are the source IP address and source port number
used by the Client for the upstream connection. used by the Client for the upstream connection.
* S and s are the Server's IP address and port number. * S and s are the Server's IP address and port number.
* T and t are the source IP address and source port number * T and t are the source IP address and source port number
used by the Transport Converter to proxy the connection. used by the Transport Converter to proxy the connection.
* Lifetime is the validity lifetime of the entry as assigned * Lifetime is a timer that tracks the remaining lifetime of
by the Converter. the entry as assigned by the Converter. When the timer
expires, the entry is deleted.
Figure 7: An Example of Transport Session Entry (TCP) Figure 7: An Example of Transport Session Entry
Clients send packets bound to connections eligible to the conversion Clients send packets bound to connections eligible to the conversion
service to the provisioned Transport Converter and destination port service to the provisioned Transport Converter and destination port
number. This applies for both control messages and data. Additional number. This applies for both control messages and data. Additional
information is supplied by Clients to the Transport Converter by information is supplied by Clients to the Transport Converter by
means of Convert messages as detailed in Section 6. User data can be means of Convert messages as detailed in Section 6. User data can be
included in SYN or non-SYN messages. User data is unambiguously included in SYN or non-SYN messages. User data is unambiguously
distinguished from Convert TLVs by a Transport Converter owing to the distinguished from Convert TLVs by a Transport Converter owing to the
Convert Fixed Header in the Convert messages (Section 6.1). These Convert Fixed Header in the Convert messages (Section 6.1). These
Convert TLVs are destined to the Transport Convert and are, thus, Convert TLVs are destined to the Transport Convert and are, thus,
skipping to change at page 16, line 18 skipping to change at page 16, line 32
behavior to adopt with regards to the processing of source addresses behavior to adopt with regards to the processing of source addresses
of outgoing packets. The following sub-sections discusses two of outgoing packets. The following sub-sections discusses two
deployment models for illustration purposes. It is out of the scope deployment models for illustration purposes. It is out of the scope
of this document to make a recommendation. of this document to make a recommendation.
4.4.1. Address Preservation 4.4.1. Address Preservation
In this model, the visible source IP address of a packet proxied by a In this model, the visible source IP address of a packet proxied by a
Transport Converter to a Server is an IP address of the end host Transport Converter to a Server is an IP address of the end host
(Client). No dedicated IP address pool is provisioned to the (Client). No dedicated IP address pool is provisioned to the
Transport Converter, but the the Transport Converter is located on Transport Converter, but the Transport Converter is located on the
the path between the Client and the Server. path between the Client and the Server.
For Multipath TCP, the Transport Converter preserves the source IP For Multipath TCP, the Transport Converter preserves the source IP
address used by the Client when establishing the initial subflow. address used by the Client when establishing the initial subflow.
Data conveyed in secondary subflows will be proxied by the Transport Data conveyed in secondary subflows will be proxied by the Transport
Converter using the source IP address of the initial subflow. An Converter using the source IP address of the initial subflow. An
example of a proxied Multipath TCP connection with address example of a proxied Multipath TCP connection with address
preservation is shown in Figure 8. preservation is shown in Figure 8.
Transport Transport
Client Converter Server Client Converter Server
@:C1,C2 @:Tc @:S @:C1,C2 @:Tc @:S
|| | | || | |
|src:C1 SYN dst:Tc|src:C1 dst:S| |src:C1 SYN dst:Tc|src:C1 dst:S|
|-------MPC [->S:port]------->|-------SYN------->| |-------MPC [->S:port]------->|-------SYN------->|
|| | | || | |
||dst:C1 src:Tc|dst:C1 src:S| ||dst:C1 src:Tc|dst:C1 src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----| |<---------SYN/ACK------------|<-----SYN/ACK-----|
|| | | || | |
|src:C1 dst:Tc|src:C1 dst:S| |src:C1 dst:Tc|src:C1 dst:S|
|------------ACK------------->|-------ACK------->| |------------ACK------------->|-------ACK------->|
| | | | | |
|src:C2 ... dst:Tc| ... | |src:C2 ... dst:Tc| ... |
||<-----Secondary Subflow---->|src:C1 dst:S| ||<-----Secondary Subflow---->|src:C1 dst:S|
|| |-------data------>| || |-------data------>|
| .. | ... | | .. | ... |
Legend: Legend:
Tc: IP address used by the Transport Converter on its customer-facing Tc: IP address used by the Transport Converter on the internal
interface. realm.
Figure 8: Example of Address Preservation Figure 8: Example of Address Preservation
The Transport Converter must be on the forwarding path of incoming The Transport Converter must be on the forwarding path of incoming
traffic. Because the same (destination) IP address is used for both traffic. Because the same (destination) IP address is used for both
proxied and non-proxied connections, the Transport Converter should proxied and non-proxied connections, the Transport Converter should
not drop incoming packets it intercepts if no matching entry is found not drop incoming packets it intercepts if no matching entry is found
for the packets. Unless explicitly configured otherwise, such for the packets. Unless explicitly configured otherwise, such
packets are forwarded according to the instructions of a local packets are forwarded according to the instructions of a local
forwarding table. forwarding table.
skipping to change at page 18, line 5 skipping to change at page 18, line 9
the Transport Converter for this purpose. the Transport Converter for this purpose.
Adequate forwarding policies are enforced so that traffic destined to Adequate forwarding policies are enforced so that traffic destined to
an address of such pool is intercepted by the appropriate Transport an address of such pool is intercepted by the appropriate Transport
Converter. Unlike Section 4.4.1, the Transport Converter drops Converter. Unlike Section 4.4.1, the Transport Converter drops
incoming packets which do not match an active transport session incoming packets which do not match an active transport session
entry. entry.
An example is shown in Figure 9. An example is shown in Figure 9.
Transport Transport
Client Converter Server Client Converter Server
@:C @:Tc|Te @:S @:C @:Tc|Te @:S
| | | | | |
|src:C dst:Tc|src:Te dst:S| |src:C dst:Tc|src:Te dst:S|
|-------SYN [->S:port]------->|-------SYN------->| |-------SYN [->S:port]------->|-------SYN------->|
| | | | | |
|dst:C src:Tc|dst:Te src:S| |dst:C src:Tc|dst:Te src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----| |<---------SYN/ACK------------|<-----SYN/ACK-----|
| | | | | |
|src:C dst:Tc|src:Te dst:S| |src:C dst:Tc|src:Te dst:S|
|------------ACK------------->|-------ACK------->| |------------ACK------------->|-------ACK------->|
| | | | | |
| ... | ... | | ... | ... |
Legend: Legend:
Tc: IP address used by the Transport Converter for its customer-facing Tc: IP address used by the Transport Converter on the internal
interface. relam.
Te: IP address used by the Transport Converter for its Internet-facing Te: IP address used by the Transport Converter on the external
interface. relam.
Figure 9: Address Sharing Figure 9: Address Sharing
5. Sample Examples 5. Sample Examples
5.1. Outgoing Converter-Assisted Multipath TCP Connections 5.1. Outgoing Converter-Assisted Multipath TCP Connections
As an example, let us consider how the Convert Protocol can help the As an example, let us consider how the Convert Protocol can help the
deployment of Multipath TCP. We assume that both the Client and the deployment of Multipath TCP. We assume that both the Client and the
Transport Converter support Multipath TCP, but consider two different Transport Converter support Multipath TCP, but consider two different
skipping to change at page 20, line 34 skipping to change at page 20, line 34
from remote hosts, the Client may use PCP [RFC6887] to instruct the from remote hosts, the Client may use PCP [RFC6887] to instruct the
Transport Converter to create dynamic mappings. Those mappings will Transport Converter to create dynamic mappings. Those mappings will
be used by the Transport Converter to intercept an incoming TCP be used by the Transport Converter to intercept an incoming TCP
connection destined to the Client and convert it into a Multipath TCP connection destined to the Client and convert it into a Multipath TCP
connection. connection.
Typically, the Client sends a PCP request to the Converter asking to Typically, the Client sends a PCP request to the Converter asking to
create an explicit TCP mapping for (internal IP address, internal create an explicit TCP mapping for (internal IP address, internal
port number). The Converter accepts the request by creating a TCP port number). The Converter accepts the request by creating a TCP
mapping (internal IP address, internal port number, external IP mapping (internal IP address, internal port number, external IP
address, external port number). The external IP address and external address, external port number). The external IP address, external
port number will be then advertised using an out-of-band mechanism so port number, and assigned lifetime are returned back the Client in
that remote hosts can initiate TCP connections to the Client via the the PCP response. The external IP address and external port number
Converter. Note that the external and internal information may be will be then advertised by the Client (or the user) using an out-of-
the same. band mechanism so that remote hosts can initiate TCP connections to
the Client via the Converter. Note that the external and internal
information may be the same.
Then, when the Converter receives an incoming SYN, it checks its Then, when the Converter receives an incoming SYN, it checks its
mapping table to verify if there is an active mapping matching the mapping table to verify if there is an active mapping matching the
destination IP address and destination port of that SYN. If no entry destination IP address and destination port of that SYN. If no entry
is found, the Converter silently ignores the message. If an entry is is found, the Converter silently ignores the message. If an entry is
found, the Converter inserts an MP_CAPABLE option and Connect TLV in found, the Converter inserts an MP_CAPABLE option and Connect TLV in
the SYN packet, rewrites the source IP address to one of its IP the SYN packet, rewrites the source IP address to one of its IP
addresses and, eventually, the destination IP address and port number addresses and, eventually, the destination IP address and port number
in accordance with the information stored in the mapping. SYN+ACK in accordance with the information stored in the mapping. SYN+ACK
and ACK will be then exchanged between the Client and the Converter and ACK will be then exchanged between the Client and the Converter
skipping to change at page 21, line 21 skipping to change at page 21, line 23
|-------------------->|------------------->| |-------------------->|------------------->|
| SYN+ACK, MPC | SYN+ACK | | SYN+ACK, MPC | SYN+ACK |
|<--------------------|<-------------------| |<--------------------|<-------------------|
| ACK, MPC | ACK | | ACK, MPC | ACK |
| ... | ... | | ... | ... |
Figure 12: Establishment of an Incoming Multipath TCP Connection Figure 12: Establishment of an Incoming Multipath TCP Connection
through a Transport Converter through a Transport Converter
It is out of scope of this document to define specific Convert TLVs It is out of scope of this document to define specific Convert TLVs
to manage incoming connections. These TLVs can be defined in a to manage incoming connections (that is, TLVs that mimic PCP
separate document. messages). These TLVs can be defined in a separate document.
6. The Convert Protocol (Convert) 6. The Convert Protocol (Convert)
This section defines the Convert Protocol (Convert, for short) This section defines the Convert Protocol (Convert, for short)
messages that are exchanged between a Client and a Transport messages that are exchanged between a Client and a Transport
Converter. Converter.
The Transport Converter listens on a dedicated TCP port number for The Transport Converter listens on a specific TCP port number for
Convert messages from Clients. That port number is configured by an Convert messages from Clients. That port number is configured by an
administrator. Absent any policy, the Transport Converter SHOULD administrator. Absent any policy, the Transport Converter SHOULD
silently ignore SYNs with no Convert TLVs. silently ignore SYNs with no Convert TLVs.
Convert messages may appear only in a SYN, SYN+ACK, or in an ACK that Convert messages may appear only in SYN, SYN+ACK, or ACK.
is sent shortly after the SYN+ACK.
Convert messages MUST be included as the first bytes of the Convert messages MUST be included as the first bytes of the
bytestream. All Convert messages starts with a 32 bits long fixed bytestream. All Convert messages starts with a 32 bits long fixed
header (Section 6.1) followed by one or more Convert TLVs (Type, header (Section 6.1) followed by one or more Convert TLVs (Type,
Length, Value) (Section 6.2). Length, Value) (Section 6.2).
If the initial SYN message contains user data in its payload (e.g., If the initial SYN message contains user data in its payload (e.g.,
[RFC7413]), that data MUST be placed right after the Convert TLVs [RFC7413]), that data MUST be placed right after the Convert TLVs
when generating the SYN. when generating the SYN.
The protocol can be extended by defining new TLVs or bumping the
version number if a different message format is needed. If a future
version is defined but with a different message format, the version
negotiation procedure defined in Section 6.2.8 (see "Unsupported
Version") is meant to agree on a version that is supported by both
peers.
o Implementation note 1: Several implementers expressed concerns o Implementation note 1: Several implementers expressed concerns
about the use of TFO. As a reminder, the TFO Cookie protects from about the use of TFO. As a reminder, the TFO Cookie protects from
some attack scenarios that affect open servers like web servers. some attack scenarios that affect open servers like web servers.
The Convert Protocol is different and, as discussed in RFC7413, The Convert Protocol is different and, as discussed in RFC7413,
there are different ways to protect from such attacks. Instead of there are different ways to protect from such attacks. Instead of
using a TFO cookie inside the TCP options, which consumes precious using a TFO cookie inside the TCP options, which consumes precious
space in the extended TCP header, the Convert Protocol supports space in the extended TCP header, the Convert Protocol supports
the utilization of a Cookie that is placed in the SYN payload. the utilization of a Cookie that is placed in the SYN payload.
This provides the same level of protection as a TFO Cookie in This provides the same level of protection as a TFO Cookie in
environments were such protection is required. environments were such protection is required.
skipping to change at page 22, line 28 skipping to change at page 22, line 37
connection. This header indicates both the version of the protocol connection. This header indicates both the version of the protocol
used and the length of the Convert message. used and the length of the Convert message.
The Client and the Transport Converter MUST send the fixed-sized The Client and the Transport Converter MUST send the fixed-sized
header, shown in Figure 13, as the first four bytes of the header, shown in Figure 13, as the first four bytes of the
bytestream. bytestream.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Version | Total Length | Unassigned | | Version | Total Length | Magic Number |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
Figure 13: The Convert Fixed Header Figure 13: The Convert Fixed Header
The Version is encoded as an 8 bits unsigned integer value. This The Version is encoded as an 8 bits unsigned integer value. This
document specifies version 1. Version 0 is reserved by this document document specifies version 1. Version 0 is reserved by this document
and MUST NOT be used. and MUST NOT be used.
Note: Early versions of this specification don't use a dedicated
port number but only rely upon the IP address of the Converter.
Having a bit set in the version field together with the length
field allows to avoid mis-interpreting a data in a SYN as Convert
TLVs. Since the design was updated to use a specific service
port, that constraint was relaxed. Version 0 would work but given
existing implementations already use Version 1, the use of Version
0 is maintained as reserved.
The Total Length is the number of 32 bits word, including the header, The Total Length is the number of 32 bits word, including the header,
of the bytestream that are consumed by the Convert messages. Since of the bytestream that are consumed by the Convert messages. Since
Total Length is also an 8 bits unsigned integer, those messages Total Length is also an 8 bits unsigned integer, those messages
cannot consume more than 1020 bytes of data. This limits the number cannot consume more than 1020 bytes of data. This limits the number
of bytes that a Transport Converter needs to process. A Total Length of bytes that a Transport Converter needs to process. A Total Length
of zero is invalid and the connection MUST be reset upon reception of of zero is invalid and the connection MUST be reset upon reception of
a header with such total length. a header with such total length.
The Unassigned field MUST be set to zero in this version of the The Magic Number field MUST be set to the RFC number to be assigned
protocol. These bits are available for future use. to this document. This field is meant to further strengthen the
protocol to unambiguously distinguish any data supplied by an
application from Convert TLVs.
o Note to the RFC Editor: Please replace "the RFC number to be
assigned to this document" with the hex representation of the RFC
number assigned to this document.
The Total Length field unambiguously marks the number of 32 bits The Total Length field unambiguously marks the number of 32 bits
words that carry Convert TLVs in the beginning of the bytestream. words that carry Convert TLVs in the beginning of the bytestream.
6.2. Convert TLVs 6.2. Convert TLVs
6.2.1. Generic Convert TLV Format 6.2.1. Generic Convert TLV Format
The Convert Protocol uses variable length messages that are encoded The Convert Protocol uses variable length messages that are encoded
using the generic TLV format depicted in Figure 14. using the generic TLV format depicted in Figure 14.
skipping to change at page 25, line 21 skipping to change at page 25, line 31
Figure 16: The Info TLV Figure 16: The Info TLV
6.2.4. Supported TCP Extensions TLV 6.2.4. Supported TCP Extensions TLV
The Supported TCP Extensions TLV (Figure 17) is used by a Transport The Supported TCP Extensions TLV (Figure 17) is used by a Transport
Converter to announce the TCP options for which it provides a Converter to announce the TCP options for which it provides a
conversion service. A Transport Converter SHOULD include in this conversion service. A Transport Converter SHOULD include in this
list the TCP options that it supports in outgoing SYNs. list the TCP options that it supports in outgoing SYNs.
Each supported TCP option is encoded with its TCP option Kind listed Each supported TCP option is encoded with its TCP option Kind listed
in the "TCP Parameters" registry maintained by IANA. in the "TCP Parameters" registry maintained by IANA. The Unassigned
field MUST be set to zero by the Transport Converter and ignored by
the Client.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0x15 | Length | Unassigned | | Type=0x15 | Length | Unassigned |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Kind #1 | Kind #2 | ... | | Kind #1 | Kind #2 | ... |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
/ ... / / ... /
/ / / /
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 17: The Supported TCP Extensions TLV Figure 17: The Supported TCP Extensions TLV
TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by TCP option Kinds 1 and 2 defined in [RFC0793] are supported by all
all TCP implementations and thus MUST NOT appear in this list. TCP implementations and thus MUST NOT appear in this list.
The list of Supported TCP Extensions is padded with 0 to end on a 32 The list of Supported TCP Extensions is padded with 0 to end on a 32
bits boundary. bits boundary.
For example, if the Transport Converter supports Multipath TCP, For example, if the Transport Converter supports Multipath TCP,
Kind=30 will be present in the Supported TCP Extensions TLV that it Kind=30 will be present in the Supported TCP Extensions TLV that it
returns in response to Info TLV. returns in response to Info TLV.
6.2.5. Connect TLV 6.2.5. Connect TLV
skipping to change at page 26, line 21 skipping to change at page 26, line 34
The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4
addresses MUST be encoded using the IPv4-Mapped IPv6 Address format addresses MUST be encoded using the IPv4-Mapped IPv6 Address format
defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT
include multicast, broadcast, and host loopback addresses [RFC6890]. include multicast, broadcast, and host loopback addresses [RFC6890].
If a Converter receives a Connect TLVs with such invalid addresses, If a Converter receives a Connect TLVs with such invalid addresses,
it MUST reply with a Malformed Message Error TLV and close the it MUST reply with a Malformed Message Error TLV and close the
associated TCP connection. associated TCP connection.
We distinguish two types of Connect TLV based on their length: (1) We distinguish two types of Connect TLV based on their length: (1)
the Base Connect TLV has a length of 20 bytes and contains a remote the Base Connect TLV has a length set to 5 (i.e., 20 bytes) and
address and a remote port (Figure 18), (2) the Extended Connect TLV contains a remote address and a remote port (Figure 18), (2) the
spans more than 20 bytes and also includes the optional 'TCP Options' Extended Connect TLV spans more than 20 bytes and also includes the
field (Figure 19). This field is used to request the advertisement optional 'TCP Options' field (Figure 19). This field is used to
of specific TCP options to the server. request the advertisement of specific TCP options to the server.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Type=0xA | Length | Remote Peer Port | | Type=0xA | Length | Remote Peer Port |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| | | |
| Remote Peer IP Address (128 bits) | | Remote Peer IP Address (128 bits) |
| | | |
| | | |
skipping to change at page 28, line 7 skipping to change at page 28, line 7
Upon reception of a Base Connect TLV, and absent any policy (e.g., Upon reception of a Base Connect TLV, and absent any policy (e.g.,
rate-limit) or resource exhaustion conditions, a Transport Converter rate-limit) or resource exhaustion conditions, a Transport Converter
attempts to establish a connection to the address and port that it attempts to establish a connection to the address and port that it
contains. The Transport Converter MUST use by default the TCP contains. The Transport Converter MUST use by default the TCP
options that correspond to its local policy to establish this options that correspond to its local policy to establish this
connection. These are the options that it advertises in the connection. These are the options that it advertises in the
Supported TCP Extensions TLV. Supported TCP Extensions TLV.
Upon reception of an Extended Connect TLV, a Transport Converter Upon reception of an Extended Connect TLV, a Transport Converter
first checks whether it supports the TCP Options listed in the 'TCP first checks whether it supports the TCP Options listed in the 'TCP
Options' field. If not, it returns an error message (Section 6.2.8). Options' field. If not, it returns an error TLV set to "Unsupported
If the above check succeeded and absent any rate limit policy or TCP Option" (Section 6.2.8). If the above check succeeded and absent
resource exhaustion conditions, a Transport Converter MUST attempt to any rate limit policy or resource exhaustion conditions, a Transport
establish a connection to the address and port that it contains. It Converter MUST attempt to establish a connection to the address and
MUST include in the SYN that it sends to the Server the options port that it contains. It MUST include in the SYN that it sends to
listed in the 'TCP Options' sub-field and the TCP options that it the Server the options listed in the 'TCP Options' sub-field and the
would have used according to its local policies. For the TCP options TCP options that it would have used according to its local policies.
that are included in the TCP Options field without an optional value, For the TCP options that are included in the TCP Options field
the Transport Converter MUST generate its own value. For the TCP without an optional value, the Transport Converter MUST generate its
options that are included in the 'TCP Options' field with an optional own value. For the TCP options that are included in the 'TCP
value, it MUST copy the entire option in the SYN sent to the remote Options' field with an optional value, it MUST copy the entire option
server. This procedure is designed with TFO in mind. Particularly, in the SYN sent to the remote server. This procedure is designed
this procedure allows to successfully exchange a TFO Cookie between with TFO in mind. Particularly, this procedure allows to
the client and the server. See Section 7 for a detailed discussion successfully exchange a TFO Cookie between the client and the server.
of the different types of TCP options. See Section 7 for a detailed discussion of the different types of TCP
options.
The Transport Converter may refuse a Connect TLV request for various The Transport Converter may refuse a Connect TLV request for various
reasons (e.g., authorization failed, out of resources, invalid reasons (e.g., authorization failed, out of resources, invalid
address type, unsupported TCP option). An error message indicating address type, unsupported TCP option). An error message indicating
the encountered error is returned to the requesting Client the encountered error is returned to the requesting Client
(Section 6.2.8). In order to prevent denial-of-service attacks, (Section 6.2.8). In order to prevent denial-of-service attacks,
error messages sent to a Client SHOULD be rate-limited. error messages sent to a Client SHOULD be rate-limited.
6.2.6. Extended TCP Header TLV 6.2.6. Extended TCP Header TLV
skipping to change at page 29, line 17 skipping to change at page 29, line 17
6.2.7. The Cookie TLV 6.2.7. The Cookie TLV
The Cookie TLV (Figure 22) is an optional TLV which is similar to the The Cookie TLV (Figure 22) is an optional TLV which is similar to the
TCP Fast Open Cookie [RFC7413]. A Transport Converter may want to TCP Fast Open Cookie [RFC7413]. A Transport Converter may want to
verify that a Client can receive the packets that it sends to prevent verify that a Client can receive the packets that it sends to prevent
attacks from spoofed addresses. This verification can be done by attacks from spoofed addresses. This verification can be done by
using a Cookie that is bound to, for example, the IP address(es) of using a Cookie that is bound to, for example, the IP address(es) of
the Client. This Cookie can be configured on the Client by means the Client. This Cookie can be configured on the Client by means
that are outside of this document or provided by the Transport that are outside of this document or provided by the Transport
Converter as follows. Converter.
A Transport Converter that has been configured to use the optional A Transport Converter that has been configured to use the optional
Cookie TLV MUST verify the presence of this TLV in the payload of the Cookie TLV MUST verify the presence of this TLV in the payload of the
received SYN. If this TLV is present, the Transport Converter MUST received SYN. If this TLV is present, the Transport Converter MUST
validate the Cookie by means similar to those in Section 4.1.2 of validate the Cookie by means similar to those in Section 4.1.2 of
[RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the
connection establishment procedure can continue. Otherwise, the connection establishment procedure can continue. Otherwise, the
Transport Converter MUST return an Error TLV set to "Not Authorized" Transport Converter MUST return an Error TLV set to "Not Authorized"
and close the connection. and close the connection.
skipping to change at page 30, line 12 skipping to change at page 30, line 12
Figure 22: The Cookie TLV Figure 22: The Cookie TLV
6.2.8. Error TLV 6.2.8. Error TLV
The Error TLV (Figure 23) is meant to provide information about some The Error TLV (Figure 23) is meant to provide information about some
errors that occurred during the processing of a Convert message. errors that occurred during the processing of a Convert message.
This TLV has a variable length. Upon reception of an Error TLV, a This TLV has a variable length. Upon reception of an Error TLV, a
Client MUST reset the associated connection. Client MUST reset the associated connection.
An Error TLV can be included in the SYN+ACK or an ACK sent shortly An Error TLV can be included in the SYN+ACK or an ACK.
after the SYN+ACK.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+----------------+--------------+ +---------------+---------------+----------------+--------------+
| Type=0x1E | Length | Error Code | Value | | Type=0x1E | Length | Error Code | Value |
+---------------+---------------+----------------+--------------+ +---------------+---------------+----------------+--------------+
// ... (optional) Value // // ... (optional) Value //
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 23: The Error TLV Figure 23: The Error TLV
skipping to change at page 31, line 8 skipping to change at page 31, line 8
o Unsupported Version (0): The version number indicated in the fixed o Unsupported Version (0): The version number indicated in the fixed
header of a message received from a peer is not supported. header of a message received from a peer is not supported.
This error code MUST be generated by a peer (e.g. Transport This error code MUST be generated by a peer (e.g. Transport
Converter) when it receives a request having a version number that Converter) when it receives a request having a version number that
it does not support. it does not support.
The value field MUST be set to the version supported by the peer. The value field MUST be set to the version supported by the peer.
When multiple versions are supported by the peer, it includes the When multiple versions are supported by the peer, it includes the
list of supported version in the value field; each version is list of supported version in the value field; each version is
encoded in 8 bits. The list of supported versions should be encoded in 8 bits. The list of supported versions MUST be padded
padded with zeros to end on a 32 bits boundary. with zeros to end on a 32 bits boundary.
Upon receipt of this error code, the remote peer (e.g., Client) Upon receipt of this error code, the remote peer (e.g., Client)
checks whether it supports one of the versions returned by the checks whether it supports one of the versions returned by the
peer. The highest common supported version MUST be used by the peer. The highest common supported version MUST be used by the
remote peer in subsequent exchanges with the peer. remote peer in subsequent exchanges with the peer.
o Malformed Message (1): This error code is sent to indicate that a o Malformed Message (1): This error code is sent to indicate that a
message received from a peer cannot be successfully parsed and message received from a peer cannot be successfully parsed and
validated. validated.
Typically, this error code is sent by the Transport Converter if Typically, this error code is sent by the Transport Converter if
it receives a Connect TLV enclosing a multicast, broadcast, or it receives a Connect TLV enclosing a multicast, broadcast, or
loopback IP address. loopback IP address.
To ease troubleshooting, the value field MUST echo the received To ease troubleshooting, the value field MUST echo the received
message shifted by one byte to keep to original alignment of the message using the format depicted in Figure 24. This format
message. allows to keep the original alignment of the message that
triggered the error.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+----------------+--------------+
| Type=0x1E | Length | Error Code | Zeros |
+---------------+---------------+----------------+--------------+
// Echo the message which triggered the error //
+---------------------------------------------------------------+
Figure 24: Error TLV to ease Message Correlation
o Unsupported Message (2): This error code is sent to indicate that o Unsupported Message (2): This error code is sent to indicate that
a message type received from a Client is not supported. a message type received from a Client is not supported.
To ease troubleshooting, the value field MUST echo the received To ease troubleshooting, the value field MUST echo the received
message shifted by one byte to keep to original alignment of the message using the format shown in Figure 24.
message.
o Missing Cookie (3): If a Transport Converter requires the o Missing Cookie (3): If a Transport Converter requires the
utilization of Cookies to prevent spoofing attacks and a Cookie utilization of Cookies to prevent spoofing attacks and a Cookie
TLV was not included in the Convert message, the Transport TLV was not included in the Convert message, the Transport
Converter MUST return this error to the requesting client only if Converter MUST return this error to the requesting client only if
it computes a cookie for this client. The first byte of the value it computes a cookie for this client. The first byte of the value
field MUST be set to zero and the remaining bytes of the Error TLV field MUST be set to zero and the remaining bytes of the Error TLV
contain the Cookie computed by the Transport Converter for this contain the Cookie computed by the Transport Converter for this
Client. Client.
A Client which receives this error code SHOULD cache the received A Client which receives this error code SHOULD cache the received
Cookie and include it in subsequent Convert messages sent to that Cookie and include it in subsequent Convert messages sent to that
Transport Converter. Transport Converter.
o Not Authorized (32): This error code indicates that the Transport o Not Authorized (32): This error code indicates that the Transport
Converter refused to create a connection because of a lack of Converter refused to create a connection because of a lack of
authorization (e.g., administratively prohibited, authorization authorization (e.g., administratively prohibited, authorization
failure, invalid Cookie TLV, etc.). The Value field MUST be set failure, invalid Cookie TLV). The Value field MUST be set to
to zero. zero.
This error code MUST be sent by the Transport Converter when a This error code MUST be sent by the Transport Converter when a
request cannot be successfully processed because the authorization request cannot be successfully processed because the authorization
failed. failed.
o Unsupported TCP Option (33): A TCP option that the Client o Unsupported TCP Option (33): A TCP option that the Client
requested to advertise to the final Server cannot be safely used. requested to advertise to the final Server cannot be safely used.
The Value field is set to the type of the unsupported TCP option. The Value field is set to the type of the unsupported TCP option.
If several unsupported TCP options were specified in the Connect If several unsupported TCP options were specified in the Connect
skipping to change at page 32, line 43 skipping to change at page 33, line 6
Transport Converter may indicate in the Value field the suggested Transport Converter may indicate in the Value field the suggested
delay (in seconds) that the Client SHOULD wait before soliciting delay (in seconds) that the Client SHOULD wait before soliciting
the Transport Converter for a new proxied connection. A Value of the Transport Converter for a new proxied connection. A Value of
zero corresponds to a default delay of at least 30 seconds. zero corresponds to a default delay of at least 30 seconds.
o Connection Reset (96): This error indicates that the final o Connection Reset (96): This error indicates that the final
destination responded with an RST packet. The Value field MUST be destination responded with an RST packet. The Value field MUST be
set to zero. set to zero.
o Destination Unreachable (97): This error indicates that an ICMP o Destination Unreachable (97): This error indicates that an ICMP
destination unreachable, port unreachable, or network unreachable message indicating a hard error (e.g., destination unreachable,
was received by the Transport Converter. The Value field MUST port unreachable, or network unreachable) was received by the
echo the Code field of the received ICMP message. Transport Converter. The Value field MUST echo the Code field of
the received ICMP message.
Figure 24 summarizes the different error codes. As a reminder, TCP implementations are supposed to act on an ICMP
error message passed up from the IP layer, directing it to the
connection that triggered the error using the demultiplexing
information included in the payload of that ICMP message. Such
demultiplexing issue does not apply for handling the "Destination
Unreachable" Error TLV because the error is sent in-band. For
this reason, the payload of the ICMP message is not echoed in the
Destination Unreachable Error TLV.
Figure 25 summarizes the different error codes.
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
| Error | Hex | Description | | Error | Hex | Description |
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
| 0 | 0x00 | Unsupported Version | | 0 | 0x00 | Unsupported Version |
| 1 | 0x01 | Malformed Message | | 1 | 0x01 | Malformed Message |
| 2 | 0x02 | Unsupported Message | | 2 | 0x02 | Unsupported Message |
| 3 | 0x03 | Missing Cookie | | 3 | 0x03 | Missing Cookie |
| 32 | 0x20 | Not Authorized | | 32 | 0x20 | Not Authorized |
| 33 | 0x21 | Unsupported TCP Option | | 33 | 0x21 | Unsupported TCP Option |
| 64 | 0x40 | Resource Exceeded | | 64 | 0x40 | Resource Exceeded |
| 65 | 0x41 | Network Failure | | 65 | 0x41 | Network Failure |
| 96 | 0x60 | Connection Reset | | 96 | 0x60 | Connection Reset |
| 97 | 0x61 | Destination Unreachable | | 97 | 0x61 | Destination Unreachable |
+-------+------+-----------------------------------------------+ +-------+------+-----------------------------------------------+
Figure 24: Convert Error Values Figure 25: Convert Error Values
7. Compatibility of Specific TCP Options with the Conversion Service 7. Compatibility of Specific TCP Options with the Conversion Service
In this section, we discuss how several deployed standard track TCP In this section, we discuss how several deployed standard track TCP
options can be supported through the Convert Protocol. The other TCP options can be supported through the Convert Protocol. The other TCP
options will be discussed in other documents. options will be discussed in other documents.
7.1. Base TCP Options 7.1. Base TCP Options
Three TCP options were initially defined in [RFC0793]: End-of-Option Three TCP options were initially defined in [RFC0793]: End-of-Option
skipping to change at page 35, line 42 skipping to change at page 36, line 9
Fast Open cookie option is to request a cookie from the server. In Fast Open cookie option is to request a cookie from the server. In
this case, the option is sent with an empty cookie by the client and this case, the option is sent with an empty cookie by the client and
the server returns the cookie. The second utilization of the TCP the server returns the cookie. The second utilization of the TCP
Fast Open cookie option is to send a cookie to the server. In this Fast Open cookie option is to send a cookie to the server. In this
case, the option contains a cookie. case, the option contains a cookie.
A Transport Converter MAY advertise the TCP Fast Open cookie option A Transport Converter MAY advertise the TCP Fast Open cookie option
(Kind=34) in the Supported TCP Extensions TLV. If a Transport (Kind=34) in the Supported TCP Extensions TLV. If a Transport
Converter has advertised the support for TCP Fast Open in its Converter has advertised the support for TCP Fast Open in its
Supported TCP Extensions TLV, it needs to be able to process two Supported TCP Extensions TLV, it needs to be able to process two
types of Connect TLV. If such a Transport Converter receives a types of Connect TLV.
Connect TLV with the TCP Fast Open cookie option that does not
contain a cookie, it MUST add an empty TCP Fast Open cookie option in If such a Transport Converter receives a Connect TLV with the TCP
the SYN sent to the remote server. If such a Transport Converter Fast Open cookie option that does not contain a cookie, it MUST add
receives a Connect TLV with the TCP Fast Open cookie option that an empty TCP Fast Open cookie option in the SYN sent to the remote
contains a cookie, it MUST copy the TCP Fast Open cookie option in server. If the remote server supports TFO, it responds with a SYN-
the SYN sent to the remote server. ACK according to the procedure in Section 4.1.2 of [RFC7413]. This
SYN-ACK may contain a Fast Open option with a cookie. Upon receipt
of the SYN-ACK by the Converter, it relays Fast Open option with the
cookie to the Client.
If such a Transport Converter receives a Connect TLV with the TCP
Fast Open cookie option that contains a cookie, it MUST copy the TCP
Fast Open cookie option in the SYN sent to the remote server.
7.7. TCP-AO 7.7. TCP-AO
TCP-AO [RFC5925] provides a technique to authenticate all the packets TCP-AO [RFC5925] provides a technique to authenticate all the packets
exchanged over a TCP connection. Given the nature of this extension, exchanged over a TCP connection. Given the nature of this extension,
it is unlikely that the applications that require their packets to be it is unlikely that the applications that require their packets to be
authenticated end-to-end would want their connections to pass through authenticated end-to-end would want their connections to pass through
a converter. For this reason, we do not recommend the support of the a converter. For this reason, we do not recommend the support of the
TCP-AO option by Transport Converters. The only use cases where it TCP-AO option by Transport Converters. The only use cases where it
could make sense to combine TCP-AO and the solution in this document could make sense to combine TCP-AO and the solution in this document
are those where the TCP-AO-NAT extension [RFC6978] is in use. are those where the TCP-AO-NAT extension [RFC6978] is in use.
A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29) A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29)
in the Supported TCP Extensions TLV. If a Transport Converter in the Supported TCP Extensions TLV. If a Transport Converter
receives a Connect TLV that contains the TCP-AO option, it MUST receives a Connect TLV that contains the TCP-AO option, it MUST
reject the establishment of the connection with error code set to reject the establishment of the connection with error code set to
"Unsupported TCP Option", except if the TCP-AO-NAT option is used. "Unsupported TCP Option", except if the TCP-AO-NAT option is used.
Nevertheless, given that TCP-AO-NAT is Experimental, its usage is not
currently defined and must be specified by some other document before
it can be used.
8. Interactions with Middleboxes 8. Interactions with Middleboxes
The Convert Protocol is designed to be used in networks that do not The Convert Protocol is designed to be used in networks that do not
contain middleboxes that interfere with TCP. Under such conditions, contain middleboxes that interfere with TCP. Under such conditions,
it is assumed that the network provider ensures that all involved on- it is assumed that the network provider ensures that all involved on-
path nodes are not breaking TCP signals (e.g., strip TCP options, path nodes are not breaking TCP signals (e.g., strip TCP options,
discard some SYNs, etc.). discard some SYNs, etc.).
Nevertheless, and in order to allow for a robust service, this Nevertheless, and in order to allow for a robust service, this
skipping to change at page 37, line 15 skipping to change at page 37, line 37
As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect
the operation of TFO if they assign different IP addresses to the the operation of TFO if they assign different IP addresses to the
same end host. Such CGNs could affect the operation of the cookie same end host. Such CGNs could affect the operation of the cookie
validation used by the Convert Protocol. As a reminder CGNs, enabled validation used by the Convert Protocol. As a reminder CGNs, enabled
on the path between a Client and a Transport Converter, must adhere on the path between a Client and a Transport Converter, must adhere
to the address preservation defined in [RFC6888]. See also the to the address preservation defined in [RFC6888]. See also the
discussion in Section 7.1 of [RFC7413]. discussion in Section 7.1 of [RFC7413].
9. Security Considerations 9. Security Considerations
An implementation MUST check that the Convert TLVs are properly
framed within the boundary indicated by the Total Length in the fixed
header (Section 6.1).
Additional security considerations are discussed in the following
sub-sections.
9.1. Privacy & Ingress Filtering 9.1. Privacy & Ingress Filtering
The Transport Converter may have access to privacy-related The Transport Converter may have access to privacy-related
information (e.g., subscriber credentials). The Transport Converter information (e.g., subscriber credentials). The Transport Converter
is designed to not leak such sensitive information outside a local is designed to not leak such sensitive information outside a local
domain. domain.
Given its function and its location in the network, a Transport Given its function and location in the network, a Transport Convert
Converter has access to the payload of all the packets that it is in a position to observe all packets that it processes, to include
processes. As such, it MUST be protected as a core IP router (e.g., payloads and meta-data; and has the ability to profile and conduct
[RFC1812]). some traffic analysis of user behavior. The Transport Converter MUST
be as protected as a core IP router (e.g., Section 10 of [RFC1812]).
Furthermore, ingress filtering policies MUST be enforced at the Furthermore, ingress filtering policies MUST be enforced at the
network boundaries [RFC2827]. network boundaries [RFC2827].
This document assumes that all network attachments are managed by the This document assumes that all network attachments are managed by the
same administrative entity. Therefore, enforcing anti-spoofing same administrative entity. Therefore, enforcing anti-spoofing
filters at these network ensures that hosts are not sending traffic filters at these network is a guard that hosts are not sending
with spoofed source IP addresses. traffic with spoofed source IP addresses.
9.2. Authorization 9.2. Authentication and Authorization Considerations
The Convert Protocol is intended to be used in managed networks where The Convert Protocol is RECOMMENDED to be used in a managed network
end hosts can be identified by their IP address. where end hosts can be securely identified by their IP address. If
such control is not exerted and there is a more open network
environment, a strong mutual authentication scheme MUST be defined to
use the Convert Protocol.
Stronger mutual authentication schemes MUST be defined to use the One possibility for mutual authentication is to use TLS to perform
Convert Protocol in more open network environments. One possibility mutual authentication between the client and the Converter. That is,
is to use TLS to perform mutual authentication between the client and use TLS when a Client retrieves a Cookie from the Converter and rely
the Converter. That is, use TLS when a Client retrieves a Cookie on certificate-based client authentication, pre-shared key based
from the Converter and rely on certificate-based client [RFC4279] or raw public key based client authentication [RFC7250] to
authentication, pre-shared key based [RFC4279] or raw public key secure this connection. If the authentication succeeds, the
based client authentication [RFC7250] to secure this connection. Converter returns a cookie to the Client. Subsequent Connect
messages will be authorized as a function of the content of the
Cookie TLV.
If the authentication succeeds, the Converter returns a cookie to the The operator that manages the various network attachments (including
Client. Subsequent Connect messages will be authorized as a function the Transport Converters) has various options for enforcing
of the content of the Cookie TLV. authentication and authorization policies. For example, a non-
exhaustive list of methods to achieve authorization is provided
hereafter:
o The network provider may enforce a policy based on the
International Mobile Subscriber Identity (IMSI) to verify that a
user is allowed to benefit from the TCP converter service. If
that authorization fails, the Packet Data Protocol (PDP) context/
bearer will not be mounted. This method does not require any
interaction with the Transport Converter for authorization
matters.
o The network provider may enforce a policy based upon Access
Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG)
to control the hosts that are authorized to communicate with a
Transport Converter. These ACLs may be installed as a result of
RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter].
This method does not require any interaction with the Transport
Converter for authorization matters.
o A device that embeds a Transport Converter may also host a RADIUS
client that will solicit an AAA server to check whether
connections received from a given source IP address are authorized
or not [I-D.boucadair-radext-tcpm-converter].
A first safeguard against the misuse of Transport Converter resources
by illegitimate users (e.g., users with access networks that are not
managed by the same provider that operates the Transport Converter)
is the Transport Converter to reject Convert connections received in
the external realm. Only Convert connections received in the
internal realm of a Transport Converter will be accepted.
In deployments where network-assisted connections are not allowed In deployments where network-assisted connections are not allowed
between hosts of a domain (i.e., hairpinning), the Converter may be between hosts of a domain (i.e., hairpinning), the Converter may be
instructed to discard such connections. Hairpinned connections are instructed to discard such connections. Hairpinned connections are
thus rejected by the Transport Converter by returning an Error TLV thus rejected by the Transport Converter by returning an Error TLV
set to "Not Authorized". Absent explicit configuration otherwise, set to "Not Authorized". Absent explicit configuration otherwise,
hairpinning is enabled by the Converter (see Figure 25. hairpinning is enabled by the Converter (see Figure 26.
<===Network Provider===> <===Network Provider===>
+----+ from X1:x1 to X2':x2' +-----+ X1':x1' +----+ from X1:x1 to X2':x2' +-----+ X1':x1'
| C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+---
+----+ | v | +----+ | v |
| v | | v |
| v | | v |
| v | | v |
+----+ from X1':x1' to X2:x2 | v | X2':x2' +----+ from X1':x1' to X2:x2 | v | X2':x2'
| C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+--- | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+---
+----+ +-----+ +----+ +-----+
Converter Converter
Note: X2':x2' may be equal to Note: X2':x2' may be equal to
X2:x2 X2:x2
Figure 25: Hairpinning Example Figure 26: Hairpinning Example
See below for authorization considerations that are specific for
Multipath TCP.
9.3. Denial of Service 9.3. Denial of Service
Another possible risk is the amplification attacks since a Transport Another possible risk is the amplification attacks since a Transport
Converter sends a SYN towards a remote Server upon reception of a SYN Converter sends a SYN towards a remote Server upon reception of a SYN
from a Client. This could lead to amplification attacks if the SYN from a Client. This could lead to amplification attacks if the SYN
sent by the Transport Converter were larger than the SYN received sent by the Transport Converter were larger than the SYN received
from the Client or if the Transport Converter retransmits the SYN. from the Client or if the Transport Converter retransmits the SYN.
To mitigate such attacks, the Transport Converter SHOULD rate limit To mitigate such attacks, the Transport Converter SHOULD rate limit
the number of pending requests for a given Client. It SHOULD also the number of pending requests for a given Client. It SHOULD also
avoid sending to remote Servers SYNs that are significantly longer avoid sending to remote Servers SYNs that are significantly longer
than the SYN received from the Client. Finally, the Transport than the SYN received from the Client. Finally, the Transport
Converter SHOULD only retransmit a SYN to a Server after having Converter SHOULD only retransmit a SYN to a Server after having
received a retransmitted SYN from the corresponding Client. Means to received a retransmitted SYN from the corresponding Client. Means to
protect against SYN flooding attacks should also be enabled (e.g., protect against SYN flooding attacks should also be enabled (e.g.,
Section 3 of [RFC4987]). Section 3 of [RFC4987]).
Attacks from within the network between a Client and a Transport
Converter are yet another actual threat. Means to ensure that
illegitimate nodes cannot connect to a network should be implemented.
9.4. Traffic Theft 9.4. Traffic Theft
Traffic theft is a risk if an illegitimate Converter is inserted in Traffic theft is a risk if an illegitimate Converter is inserted in
the path. Indeed, inserting an illegitimate Converter in the the path. Indeed, inserting an illegitimate Converter in the
forwarding path allows traffic interception and can therefore provide forwarding path allows traffic interception and can therefore provide
access to sensitive data issued by or destined to a host. Converter access to sensitive data issued by or destined to a host. Converter
discovery and configuration are out of scope of this document. discovery and configuration are out of scope of this document.
9.5. Authentication Considerations 9.5. Logging
The operator that manages the various network attachments (including
the Transport Converters) can enforce authentication and
authorization policies using appropriate mechanisms. For example, a
non-exhaustive list of methods to achieve authorization is provided
hereafter:
o The network provider may enforce a policy based on the
International Mobile Subscriber Identity (IMSI) to verify that a
user is allowed to benefit from the TCP converter service. If
that authorization fails, the Packet Data Protocol (PDP) context/
bearer will not be mounted. This method does not require any
interaction with the Transport Converter for authorization
matters.
o The network provider may enforce a policy based upon Access
Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG)
to control the hosts that are authorized to communicate with a
Transport Converter. These ACLs may be installed as a result of
RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter].
This method does not require any interaction with the Transport
Converter for authorization matters.
o A device that embeds a Transport Converter may also host a RADIUS
client that will solicit an AAA server to check whether
connections received from a given source IP address are authorized
or not [I-D.boucadair-radext-tcpm-converter].
A first safeguard against the misuse of Transport Converter resources If the Converter is configured to behave in the address sharing mode
by illegitimate users (e.g., users with access networks that are not (Section 4.4.2), the logging recommendations discussed in Section 4
managed by the same provider that operates the Transport Converter) of [RFC6888] need to be considered. Security-related issues
is the Transport Converter to reject Convert connections received on encountered in address sharing environments are documented in
its Internet-facing interfaces. Only Convert connections received on Section 13 of [RFC6269].
the customer-facing interfaces of a Transport Converter will be
accepted.
10. IANA Considerations 10. IANA Considerations
Note to the RFC Editor: Please replace "THISRFC" in the following Note to the RFC Editor: Please replace "THISRFC" in the following
sub-sections with the RFC number to be assigned to this document. sub-sections with the RFC number to be assigned to this document.
10.1. Convert Service Name 10.1. Convert Service Name
IANA is requested to assign a service name for the Convert Protocol IANA is requested to assign a service name for the Convert Protocol
from the "Service Name and Transport Protocol Port Number Registry" from the "Service Name and Transport Protocol Port Number Registry"
skipping to change at page 41, line 18 skipping to change at page 41, line 47
IANA is requested to create the "Convert versions" sub-registry. New IANA is requested to create the "Convert versions" sub-registry. New
values are assigned via IETF Review (Section 4.8 of [RFC8126]). values are assigned via IETF Review (Section 4.8 of [RFC8126]).
The initial values to be assigned at the creation of the registry are The initial values to be assigned at the creation of the registry are
as follows: as follows:
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| Version | Description | Reference | | Version | Description | Reference |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| 0 | Reserved by this document | THISRFC | | 0 | Reserved | THISRFC |
| 1 | Assigned by this document | THISRFC | | 1 | Assigned | THISRFC |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
Figure 27: Current Convert Versions
10.2.2. Convert TLVs 10.2.2. Convert TLVs
IANA is requested to create the "Convert TLVs" sub-registry. The IANA is requested to create the "Convert TLVs" sub-registry. The
procedure for assigning values from this registry is as follows: procedure for assigning values from this registry is as follows:
o The values in the range 1-127 can be assigned via IETF Review. o The values in the range 1-127 can be assigned via IETF Review.
o The values in the range 128-191 can be assigned via Specification o The values in the range 128-191 can be assigned via Specification
Required. Required.
skipping to change at page 42, line 5 skipping to change at page 42, line 32
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
| 0 | Reserved | THISRFC | | 0 | Reserved | THISRFC |
| 1 | Info TLV | THISRFC | | 1 | Info TLV | THISRFC |
| 10 | Connect TLV | THISRFC | | 10 | Connect TLV | THISRFC |
| 20 | Extended TCP Header TLV | THISRFC | | 20 | Extended TCP Header TLV | THISRFC |
| 21 | Supported TCP Extension TLV | THISRFC | | 21 | Supported TCP Extension TLV | THISRFC |
| 22 | Cookie TLV | THISRFC | | 22 | Cookie TLV | THISRFC |
| 30 | Error TLV | THISRFC | | 30 | Error TLV | THISRFC |
+---------+--------------------------------------+-------------+ +---------+--------------------------------------+-------------+
Figure 28: Initial Convert TLVs
10.2.3. Convert Error Messages 10.2.3. Convert Error Messages
IANA is requested to create the "Convert Errors" sub-registry. Codes IANA is requested to create the "Convert Errors" sub-registry. Codes
in this registry are assigned as a function of the error type. Four in this registry are assigned as a function of the error type. Four
types are defined; the following ranges are reserved for each of types are defined; the following ranges are reserved for each of
these types: these types:
o Message validation and processing errors: 0-31 o Message validation and processing errors: 0-31
o Client-side errors: 32-63 o Client-side errors: 32-63
skipping to change at page 42, line 33 skipping to change at page 43, line 13
o 0-127: Values in this range are assigned via IETF Review. o 0-127: Values in this range are assigned via IETF Review.
o 128-191: Values in this range are assigned via Specification o 128-191: Values in this range are assigned via Specification
Required. Required.
o 192-255: Values in this range are reserved for Private Use. o 192-255: Values in this range are reserved for Private Use.
The initial values to be assigned at the creation of the registry are The initial values to be assigned at the creation of the registry are
as follows: as follows:
+-------+------+-----------------------------------+-----------+ +-------+-----------------------------------+-----------+
| Error | Hex | Description | Reference | | Error | Description | Reference |
+-------+------+-----------------------------------+-----------+ +-------+-----------------------------------+-----------+
| 0 | 0x00 | Unsupported Version | THISRFC | | 0 | Unsupported Version | THISRFC |
| 1 | 0x01 | Malformed Message | THISRFC | | 1 | Malformed Message | THISRFC |
| 2 | 0x02 | Unsupported Message | THISRFC | | 2 | Unsupported Message | THISRFC |
| 3 | 0x03 | Missing Cookie | THISRFC | | 3 | Missing Cookie | THISRFC |
| 32 | 0x20 | Not Authorized | THISRFC | | 32 | Not Authorized | THISRFC |
| 33 | 0x21 | Unsupported TCP Option | THISRFC | | 33 | Unsupported TCP Option | THISRFC |
| 64 | 0x40 | Resource Exceeded | THISRFC | | 64 | Resource Exceeded | THISRFC |
| 65 | 0x41 | Network Failure | THISRFC | | 65 | Network Failure | THISRFC |
| 96 | 0x60 | Connection Reset | THISRFC | | 96 | Connection Reset | THISRFC |
| 97 | 0x61 | Destination Unreachable | THISRFC | | 97 | Destination Unreachable | THISRFC |
+-------+------+-----------------------------------+-----------+ +-------+-----------------------------------+-----------+
Figure 26: The Convert Error Codes Figure 29: Initial Convert Error Codes
11. References 11. References
11.1. Normative References 11.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP
skipping to change at page 44, line 15 skipping to change at page 44, line 37
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>. April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153, "Special-Purpose IP Address Registries", BCP 153,
RFC 6890, DOI 10.17487/RFC6890, April 2013, RFC 6890, DOI 10.17487/RFC6890, April 2013,
<https://www.rfc-editor.org/info/rfc6890>. <https://www.rfc-editor.org/info/rfc6890>.
[RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT
Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013,
<https://www.rfc-editor.org/info/rfc6978>.
[RFC7323] Borman, D., Braden, B., Jacobson, V., and R. [RFC7323] Borman, D., Braden, B., Jacobson, V., and R.
Scheffenegger, Ed., "TCP Extensions for High Performance", Scheffenegger, Ed., "TCP Extensions for High Performance",
RFC 7323, DOI 10.17487/RFC7323, September 2014, RFC 7323, DOI 10.17487/RFC7323, September 2014,
<https://www.rfc-editor.org/info/rfc7323>. <https://www.rfc-editor.org/info/rfc7323>.
[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
<https://www.rfc-editor.org/info/rfc7413>. <https://www.rfc-editor.org/info/rfc7413>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
skipping to change at page 46, line 34 skipping to change at page 47, line 5
Shelby, "Performance Enhancing Proxies Intended to Shelby, "Performance Enhancing Proxies Intended to
Mitigate Link-Related Degradations", RFC 3135, Mitigate Link-Related Degradations", RFC 3135,
DOI 10.17487/RFC3135, June 2001, DOI 10.17487/RFC3135, June 2001,
<https://www.rfc-editor.org/info/rfc3135>. <https://www.rfc-editor.org/info/rfc3135>.
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)", Ciphersuites for Transport Layer Security (TLS)",
RFC 4279, DOI 10.17487/RFC4279, December 2005, RFC 4279, DOI 10.17487/RFC4279, December 2005,
<https://www.rfc-editor.org/info/rfc4279>. <https://www.rfc-editor.org/info/rfc4279>.
[RFC5461] Gont, F., "TCP's Reaction to Soft Errors", RFC 5461,
DOI 10.17487/RFC5461, February 2009,
<https://www.rfc-editor.org/info/rfc5461>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269, P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011, DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>. <https://www.rfc-editor.org/info/rfc6269>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>. <https://www.rfc-editor.org/info/rfc6296>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013, DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>. <https://www.rfc-editor.org/info/rfc6887>.
[RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis,
"Increasing TCP's Initial Window", RFC 6928, "Increasing TCP's Initial Window", RFC 6928,
DOI 10.17487/RFC6928, April 2013, DOI 10.17487/RFC6928, April 2013,
<https://www.rfc-editor.org/info/rfc6928>. <https://www.rfc-editor.org/info/rfc6928>.
[RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT
Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013,
<https://www.rfc-editor.org/info/rfc6978>.
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Weiler, S., and T. Kivinen, "Using Raw Public Keys in Weiler, S., and T. Kivinen, "Using Raw Public Keys in
Transport Layer Security (TLS) and Datagram Transport Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, <https://www.rfc-editor.org/info/rfc7250>. June 2014, <https://www.rfc-editor.org/info/rfc7250>.
[RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A.
Zimmermann, "A Roadmap for Transmission Control Protocol Zimmermann, "A Roadmap for Transmission Control Protocol
(TCP) Specification Documents", RFC 7414, (TCP) Specification Documents", RFC 7414,
DOI 10.17487/RFC7414, February 2015, DOI 10.17487/RFC7414, February 2015,
skipping to change at page 49, line 42 skipping to change at page 50, line 18
would like to thank Joe Touch and Juliusz Chroboczek whose comments would like to thank Joe Touch and Juliusz Chroboczek whose comments
on the MPTCP mailing list have forced us to reconsider the design of on the MPTCP mailing list have forced us to reconsider the design of
the solution several times. the solution several times.
We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha
Nandugudi and Gregory Vander Schueren for their help in preparing Nandugudi and Gregory Vander Schueren for their help in preparing
this document. Nandini Ganesh provided valuable feedback about the this document. Nandini Ganesh provided valuable feedback about the
handling of TFO and the error codes. Yuchung Cheng and Praveen handling of TFO and the error codes. Yuchung Cheng and Praveen
Balasubramanian helped to clarify the discussion on supplying data in Balasubramanian helped to clarify the discussion on supplying data in
SYNs. Phil Eardley and Michael Scharf's helped to clarify different SYNs. Phil Eardley and Michael Scharf's helped to clarify different
parts of the text. parts of the text. Thanks to Eric Vyncke, Roman Danyliw, Benjamin
Kaduk, and Alexey Melnikov for the IESG review, and Christian Huitema
for the security directorate review.
Many thanks to Mirja Kuehlewind for the detailed AD review. Many thanks to Mirja Kuehlewind for the detailed AD review.
This document builds upon earlier documents that proposed various This document builds upon earlier documents that proposed various
forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode],
[I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b].
From [I-D.boucadair-mptcp-plain-mode]: From [I-D.boucadair-mptcp-plain-mode]:
Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi
skipping to change at page 51, line 14 skipping to change at page 51, line 41
The authors of [I-D.peirens-mptcp-transparent] were: The authors of [I-D.peirens-mptcp-transparent] were:
o Bart Peirens o Bart Peirens
o Gregory Detal o Gregory Detal
o Sebastien Barre o Sebastien Barre
o Olivier Bonaventure o Olivier Bonaventure
Change Log
This section to be removed before publication.
o 00 : initial version, designed to support Multipath TCP and TFO
only
o 00 to -01 : added section Section 7 describing the support of
different standard tracks TCP options by Transport Converters,
clarification of the IANA section, moved the SOCKS comparison to
the appendix and various minor modifications
o 01 to -02: Minor modifications
o 02 to -03: Minor modifications
o 03 to -04: Minor modifications
o 04 to -05: Integrate a lot of feedback from implementers who have
worked on client and server side implementations. The main
modifications are the following :
* TCP Fast Open is not strictly required anymore. Several
implementers expressed concerns about this requirement. The
TFO Cookie protects from some attack scenarios that affect open
servers like web servers. The Convert Protocol is different
and as discussed in RFC7413, there are different ways to
protect from such attacks. Instead of using a TFO cookie
inside the TCP options, which consumes precious space in the
extended TCP header, this version supports the utilization of a
Cookie that is placed in the SYN payload. This provides the
same level of protection as a TFO Cookie in environments were
such protection is required.
* the Bootstrap procedure has been simplified based on feedback
from implementers
* Error messages are not included in RST segments anymore but
sent in the bytestream. Implementers have indicated that
processing such segments on clients was difficult on some
platforms. This change simplifies client implementations.
* Many minor editorial changes to clarify the text based on
implementers feedback.
o 05 to -06: Many clarifications to integrate the comments from the
chairs in preparation to the WGLC:
* Updated IANA policy to require "IETF Review" instead of
"Standard Action"
* Call out explicitly that data in SYNs are relayed by the
Converter
* Reiterate the scope
* Hairpinning behavior can be disabled (policy-based)
* Fix nits
o 07:
* Update the text about supplying data in SYNs to make it clear
that a constraint defined in RFC793 is relaxed following the
same rationale as in RFC7413.
* Nits
* Added Appendix A on example Socket API changes
o 08:
* Added short discussion on the termination of connections
o 09:
* Address various comments received during last call
o 10-13:
* Changes to address the comments from Phil: Add a new section to
group data plane considerations in one place + add a new
appendix with more details on address modes + rearrange the
MPTCP text.
o 14: fixed nits (the shepherd write-up)
o 15: Rewrote parts of the text to address the detailed comments
provided by M. Kuehlewind
Authors' Addresses Authors' Addresses
Olivier Bonaventure (editor) Olivier Bonaventure (editor)
Tessares Tessares
Email: Olivier.Bonaventure@tessares.net Email: Olivier.Bonaventure@tessares.net
Mohamed Boucadair (editor) Mohamed Boucadair (editor)
Orange Orange
Clos Courtel Clos Courtel
Rennes 35000 Rennes 35000
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
Sri Gundavelli Sri Gundavelli
Cisco Cisco
 End of changes. 96 change blocks. 
350 lines changed or deleted 363 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/