MPTCP Working Group O. Bonaventure
Internet-Draft Tessares
Intended status: Experimental M. Boucadair
Expires: January 18, 2018 Orange
B. Peirens
Proxiums
July 17, 2017
0-RTT TCP converters
draft-bonaventure-mptcp-converters-01
Abstract
This document proposes the utilisation of Transport Converters to aid
the deployment of TCP extensions such as Multipath TCP.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 18, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Bonaventure, et al. Expires January 18, 2018 [Page 1]
Internet-Draft 0-RTT TCP converters July 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Differences with SOCKSv5 . . . . . . . . . . . . . . . . . 9
3. The Converter Protocol . . . . . . . . . . . . . . . . . . . . 12
3.1. The Fixed Header . . . . . . . . . . . . . . . . . . . . . 12
3.2. The TLV Messages . . . . . . . . . . . . . . . . . . . . . 12
3.2.1. The Connect TLV . . . . . . . . . . . . . . . . . . . 13
3.2.2. Extended TCP Header TLV . . . . . . . . . . . . . . . 14
3.2.3. Error TLV . . . . . . . . . . . . . . . . . . . . . . 15
3.2.4. The Bootstrap TLV . . . . . . . . . . . . . . . . . . 16
3.2.5. Supported TCP Options TLV . . . . . . . . . . . . . . 16
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.1. Bootstrap . . . . . . . . . . . . . . . . . . . . . . . . 18
4.2. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 19
4.3. TCP Fast Open (TFO) . . . . . . . . . . . . . . . . . . . 22
5. Interactions with middleboxes . . . . . . . . . . . . . . . . 26
6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28
8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 29
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
10.1. Normative References . . . . . . . . . . . . . . . . . . . 31
10.2. Informative References . . . . . . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34
Bonaventure, et al. Expires January 18, 2018 [Page 2]
Internet-Draft 0-RTT TCP converters July 2017
1. Introduction
Transport protocols like TCP evolve regularly [RFC7414]. Given the
end-to-end nature of those protocols, a new feature can only be used
once it has been deployed on both clients and servers. Experience
with TCP extensions reveals that the deployment of a new TCP
extension requires many years [Fukuda2011].
There are some situations where the transport stack used on clients
(resp. servers) can be upgraded at a faster pace than the transport
stack running on servers (resp. clients). In those situations,
clients would typically want to benefit from the features of an
improved transport protocol even if the servers have not yet been
upgraded and conversely. In the past, Performance Enhancing Proxies
have been proposed and deployed [RFC3135] as solutions to improve TCP
performance over links with specific characteristics.
Recent examples of TCP extensions include Multipath TCP [RFC6824] or
TCPINC [I-D.ietf-tcpinc-tcpcrypt]. Those extensions provide features
that are interesting for clients such as cellular devices. With
Multipath TCP, cellular devices could seamlessly use WLAN and
cellular networks, either for bonding purposes, for faster handovers,
or better resiliency. Unfortunately, deploying those extensions on
both a wide range of clients and servers remains difficult.
In this document, we propose the utilisation of a Transport
Converter. A Transport Converter is a network function that is
installed by a network operator to aid the deployment of TCP
extensions and to provide the benefits of such extensons to the
subscribers. A Transport Converter operates entirely at the
transport layer and supports one or more TCP extensions. The
converter protocol is an application layer protocol that uses a TCP
port number to be assigned by IANA.
The main advantage of network-assisted converters is that they enable
new TCP extensions to be used on a subset of the end-to-end path,
which encourages the deployment of these extensions. A Transport
Converter is designed to not alter options that are supplied by the
client or the server; those options can still be negotiated directly
between the endpoints.
This document does not assume that all the traffic is eligible to the
network-assisted conversion service. Only a subset of the trafic
will be forwarded to a converter according to a set of policies.
Furthermore, it is possible to bypass the converter to connect to the
servers that already support the required TCP extension.
This document assumes that a client is configured with one or a list
Bonaventure, et al. Expires January 18, 2018 [Page 3]
Internet-Draft 0-RTT TCP converters July 2017
of transport converters. Configuration means are outside the scope
of this document.
This document is organised as follows. We first provide a brief
explanation of the operation of Transport Converters in Section 2.
We compare them in Section 2.1 with SOCKS proxies that are already
used to deploy Multipath TCP in cellular networks [IETFJ16]. We then
describe the Converter protocol in Section 3 and illustrate its usage
with a few examples in Section 4. We then discuss the interactions
with middleboxes (Section 5) and the security considerations
(Section 6).
Bonaventure, et al. Expires January 18, 2018 [Page 4]
Internet-Draft 0-RTT TCP converters July 2017
2. Architecture
The architecture considers three types of end hosts:
o Client endhosts
o Transport Converters
o Server endhosts
It does not mandate anything on the server side. The architecture
assumes that new software will be installed on the Client hosts and
on Transport Converters. Further, the architecture allow for making
use of new extensions if those are supported by a given server.
A Transport Converter is a network function that relays all data
exchanged over one upstream connection to one downstream connection
and vice versa. A connection can be initiated from both interfaces
of the transport converter (Internet-facing Interface, client-facing
inetreface). The converter, thus, maintains state that associates
one upstream connection to a corresponding downstream connection.
One of the benefits of this design is that different transport
protocol extensions can be used on the upstream and the downstream
connection. This encourages the deployment of new TCP extensions
until they are supported by all servers.
+------------+
<--- upstream --->| transport |<--- downstream --->
| converter |
+------------+
Figure 1: A Transport Converter relays data between pairs of
transport connections
Transport converters can be operated by either the network operator
or third parties. The Client is configured, through means that are
outside the scope of this document, with the names and/or the
addresses of one or more Transport Converters. The packets belonging
to a transport connection that pass through a transport converter may
follow a different path than the packets directly exchanged between
the Client and the Server. Deployments should minimise this
additional delay by carefully selecting the location of the Transport
Converter used to reach a given destination.
A transport converter can be embedded in a standalone device or be
actiavted as a service on a router. How such function is enabled is
deployement-specific.
Bonaventure, et al. Expires January 18, 2018 [Page 5]
Internet-Draft 0-RTT TCP converters July 2017
+-+ +-+ +-+
Client - |R| -- |R| -- |R| - - - Server
+-+ +-+ +-+
|
Transport
Converter
Figure 2: A Transport Converter can be installed anywhere in the
network
When establishing a transport connection, the Client can, depending
on local policies, either contact the Server directly (e.g., by
sending a TCP SYN towards the Server) or create the connection via a
Transport Converter. In the latter case, the Client initiates a
connection towards the Transport Converter and indicates the address
and port number of the ultimate Server inside the connection
establishment packet (shown between brackets in Figure 3). Doing so
enables the Transport Converter to immediately initiate a connection
towards that Server, without experiencing an extra delay. The
Transport Converter waits until the confirmation that the Server
agrees to establish the connection before confirming it to the
Client. Figure 3 illustrates the establishment of a TCP connection
by the Client through a Transport Converter. The information shown
between brackets is part of the Converter protocol described later in
this document.
The connection can also be established from the Internet towards a
client via a transport converter. This is typically the case when
the client embbeds a server (video server, for example).
Bonaventure, et al. Expires January 18, 2018 [Page 6]
Internet-Draft 0-RTT TCP converters July 2017
Transport
Client Converter Server
-------------------->
SYN [->Server:port]
-------------------->
SYN
<--------------------
SYN+ACK
<--------------------
SYN+ACK [ ]
-------------------->
ACK
-------------------->
ACK
Figure 3: Establishment of a TCP connection through a Converter
As shown in Figure 3, the Converter places its supplied information
inside the handshake packets. This information is encoded in a way
that separates this information from the user data that can also be
carried inside the payload of such packets (e.g., [RFC7413]).
With TCP, the Converter protocol places the destination address and
port number of the final Server in the payload of the SYN. The SYN+
ACK packet returned by the Transport Converter to the Client contains
information that confirms the establishment of the connection between
the Transport Converter and the final Server. It is important to
note that the Transport Converter maintains two transport connections
that are combined together. The upstream connection is the one
between the Client and the Transport Converter. The downstream
connection is between the Transport Converter and the final Server.
Any user data received by the Transport Converter over the upstream
(resp. downstream) connection is relayed over the downstream (resp.
upstream) connection to give to the Client the illusion of an end-to-
end connection.
As an example, let us consider how such a protocol can help the
deployment of Multipath TCP [RFC6824]. We assume that both the
Client and the Transport Converter support Multipath TCP, but
consider two different cases depending
whether the Server supports Multipath TCP or not. A Multipath TCP
connection is created by placing the MP_CAPABLE (MPC) option in the
SYN sent by the Client. Figure 4 describes the operation of the
Bonaventure, et al. Expires January 18, 2018 [Page 7]
Internet-Draft 0-RTT TCP converters July 2017
Transport Converter if the Server does not support Multipath TCP.
Transport
Client Converter Server
-------------------->
SYN, MPC [->Server:port]
-------------------->
SYN, MPC
<--------------------
SYN+ACK
<--------------------
SYN+ACK,MPC [ NoMPC ]
-------------------->
ACK,MPC
-------------------->
ACK
Figure 4: Establishment of a Multipath TCP connection through a
Converter
The Client tries to initiate a Multipath TCP connection by sending a
SYN with the MP_CAPABLE option (MPC in Figure 4). The SYN includes
the address and port number of the final Server and the Transport
Converter attempts to initiate a Multipath TCP connection towards
this Server. Since the Server does not support Multipath TCP, it
replies with a SYN+ACK that does not contain the MP_CAPABLE option.
The Transport Converter notes that the connection with the Server
does not support Multipath TCP.
Figure 5 considers a Server that supports Multipath TCP. In this
case, it replies to the SYN sent by the Transport Converter with the
MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport
Converter confirms the establishment of the connection to the Client
and indicates in the SYN+ACK packet sent to the Client that the
Server supports Multipath TCP. With this information, the Client has
discovered that the Server supports Multipath TCP natively. This
will enable it to bypass the Transport Converter for the next
Multipath TCP connection that it will initiate towards this Server or
by creating a subflow to the server directly. The one established
via the transport converter can be closed.
Bonaventure, et al. Expires January 18, 2018 [Page 8]
Internet-Draft 0-RTT TCP converters July 2017
Transport
Client Converter Server
-------------------->
SYN, MPC [->Server:port]
-------------------->
SYN, MPC
<--------------------
SYN+ACK, MPC
<--------------------
SYN+ACK, MPC [ MPC supported ]
-------------------->
ACK, MPC
-------------------->
ACK, MPC
Figure 5: Establishment of a Multipath TCP connection through a
converter
2.1. Differences with SOCKSv5
The description above is a simplified description of the Converter
protocol. At a first glance, the proposed solution could seem
similar to the SOCKS v5 protocol [RFC1928]. This protocol is used to
proxy TCP connections. The Client creates a connection to a SOCKS
proxy, exchanges authentication information and indicates the
destination address and port of the final server. At this point, the
SOCKS proxy creates a connection towards the final server and relays
all data between the two proxied connections. The operation of SOCKS
v5 is illustrated in Figure 6.
Bonaventure, et al. Expires January 18, 2018 [Page 9]
Internet-Draft 0-RTT TCP converters July 2017
Client SOCKS Server
-------------------->
SYN
<--------------------
SYN+ACK
-------------------->
Version=5
<--------------------
No Auth
-------------------->
Connect Server:Port -------------------->
SYN
<--------------------
SYN+ACK
<--------------------
Succeeded
-------------------->
Data1
-------------------->
Data1
<--------------------
Data2
<--------------------
Data2
Figure 6: Establishment of a TCP connection through a SOCKS proxy
without authentication
The converter protocol proposed in this document also relays data
between an upstream and a downstream connection, but there are
important differences with SOCKS v5.
A first difference is that the converter protocol leverages the TFO
option [RFC7413] to place all its control information inside the SYN
and SYN+ACK packets. This reduces the connection establishment delay
compared to SOCKS that requires two or more round-trip-times before
the establishment of the downstream connection towards the final
destination. In today's Internet, latency is a important metric and
various protocols have been tuned to reduce their latency
[I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS
also leverages the TFO option [I-D.olteanu-intarea-socks-6].
A second difference is that the converter protocol takes the TCP
extensions explicitly into account. With the converter protocol, the
Client can learn whether a given TCP extension is supported by the
Bonaventure, et al. Expires January 18, 2018 [Page 10]
Internet-Draft 0-RTT TCP converters July 2017
destination Server. This enables the Client to bypass the Transport
Converter when the destination supports the required TCP extension.
Neither SOCKSv5 [RFC1928] nor the proposed SOCKS v6
[I-D.olteanu-intarea-socks-6] provide such feature.
A third difference is that a Transport Converter will only accept the
connection initiated by the Client provided that the downstream
connection is accepted by the Server. If the Server refuses the
connection establishment attempt from the Transport Converter, then
the upstream connection from the Client is rejected as well. This
feature is important for applications that check the availability of
a Server or use the time to connect as a hint on the selection of a
Server [RFC6555]. This is illustrated inFigure 7.
Transport
Client Converter Server
-------------------->
SYN, MPC [->Server:port]
-------------------->
SYN, MPC
<--------------------
RST
<--------------------
RST [ ... ]
Figure 7: Establishment of a Multipath TCP connection through a
converter
These differences between SOCKS and the Converter protocol imply that
a Transport Converter cannot be implemented as a regular user-space
application like a SOCKS proxy. A Transport Converter needs to
interact with the underlying TCP implementation more closely than the
regular socket APIs used by the SOCKS proxy.
Bonaventure, et al. Expires January 18, 2018 [Page 11]
Internet-Draft 0-RTT TCP converters July 2017
3. The Converter Protocol
We now describe in details the messages that are exchanged between a
Client and a Transport Converter. The Converter protocol leverages
the TCP Fast Open extension defined in [RFC7413].
The Converter Protocol uses a 32 bits long fixed header that is sent
by both the Client and the Transport Converter. This header
indicates both the version of the protocol used and the length of the
CP messages.
3.1. The Fixed Header
When a Client initiates a connection to a Transport Converter using
the Converter Protocol, it MUST send the fixed-sized header shown in
Figure 8 as the first four bytes of the bytestream.
+---------------+---------------+-------------------------------+
| Version | Total Length | Reserved |
+---------------+---------------+-------------------------------+
Figure 8: The fixed-sized header of the Converter Protocol
The Version is encoded as an 8 bits unsigned integer value. This
document specifies version 1. The Total Length is the number of 32
bits word, including the header, of the bytestram that are consumed
by the Converter Protocol messages. Since Total Length is also an 8
bits unsigned integer, those messages cannot consume more than 1020
bytes of data. This limits the number of bytes that a Transport
Converter needs to process. A Total Length of zero is invalid and
the connection MUST be reset upon reception of such a header. The
Reserved field MUST be set to zero in this version of the protocol.
3.2. The TLV Messages
The Converter protocol uses variable length messages that are encoded
using a TLV format to simplify the parsing of the messages and leave
room to extend the protocol in the future. A given TLV can only
appear once on a Converter connection. If two or more copies of the
same TLV are exchanged over a Converter connection, the associated
TCP connections MUST be closed.
Five TLVs are defined in this document. They are listed in Table 1.
Bonaventure, et al. Expires January 18, 2018 [Page 12]
Internet-Draft 0-RTT TCP converters July 2017
+------+----------+---------------------------+
| Type | Length | Description |
+------+----------+---------------------------+
| 1 | 1 | Bootstrap TLV |
| | | |
| 10 | Variable | Connect TLV |
| | | |
| 20 | Variable | Extended TCP Header TLV |
| | | |
| 21 | Variable | Supported TCP Options TLV |
| | | |
| 30 | Variable | Error TLV |
+------+----------+---------------------------+
Table 1: The TLVs used by the Converter protocol
3.2.1. The Connect TLV
This TLV is used to request the Transport Converter to establish a
connection towards the Server address and port included in the TLV.
The Server Address is always encoded as an IPv6 address. IPv4
addresses are encoded using the IPv4-Mapped IPv6 Address format
defined in [RFC4291]. The optional TCP Options field is used to
specify how some TCP Options are advertised by the Transport
Converter to the final destination. If this field is empty, then the
Transport Converter uses the standard TCP options that correspond to
its local policy.
+---------------+---------------+-------------------------------+
| Type | Length | Server Port |
+---------------+---------------+-------------------------------+
| |
| Server Address |
| |
| |
+---------------------------------------------------------------+
| TCP Options |
| ... |
+---------------------------------------------------------------+
Figure 9: The Connect TLV
The TCP Options field is a variable length field that carries a list
of TCP Option fields. Each TCP Option field is encoded as a block of
2+n bytes where the first byte is the TCP Option Type and the second
byte is the length of the TCP Option as specified in [RFC0793]. The
minimum value for the TCPOpt Length is 2. The TCP Options that do
not include a length subfield, i.e. option types 0 (EOL) and 1 (NOP)
Bonaventure, et al. Expires January 18, 2018 [Page 13]
Internet-Draft 0-RTT TCP converters July 2017
defined in [RFC0793] cannot be placed inside the TCP Options field of
the Connect TLV. The optional Value field contains the variable-
length part of the TCP option. A length of two indicates the absence
of the Value field. The TCP Options field always ends on a 32 bits
boundary after being padded with zeros.
+---------------------------------------------------------------+
| TCPOpt type | TCPOpt Length | Value (opt) | .... |
+---------------+---------------+-------------------------------+
| .... |
+---------------------------------------------------------------+
| | Padded with zeros |
+---------------------------------------------------------------+
Figure 10: The TCP Options field
If a Transport Converter receives a Connect TLV with an empty TCP
Options field, it shall place in the SYN that it sends towards the
Server the TCP Options that it would have used according to its local
policy.
If a Transport Converter receives a Connect TLV with an non-empty TCP
Options field, it shall place in the SYN that it sends towards the
destination Server the TCP Options that it would have used according
to its local policies and the options that are listed in the TCP
Options field. For the TCP Options that are listed without an
optional value, it will generate its own value. For the TCP Options
that are included in the TCP Options field with an optional value, it
shall copy the entire option in the SYN sent to the Server. This
feature is required to support TCP Fast Open as explained in
Section 4.3.
3.2.2. Extended TCP Header TLV
The Extended TCP Header TLV is used by the Transport Converter to
return to the Client the extended TCP header that was returned by the
Server in the SYN+ACK packet. This TLV is only present if the Client
has sent a Connect TLV to request the establishment of a connection.
+---------------+---------------+-------------------------------+
| Type | Length | Reserved |
+---------------+---------------+-------------------------------+
| Returned Extended TCP header |
| ... |
+---------------------------------------------------------------+
Figure 11: The Extended TCP Header TLV
Bonaventure, et al. Expires January 18, 2018 [Page 14]
Internet-Draft 0-RTT TCP converters July 2017
The Returned Extended TCP header field is a copy of the extended
header that was received in the SYN+ACK by the Transport Converter.
The Reserved field is set to zero by the transmitter and ignored by
the receiver.
3.2.3. Error TLV
This optional TLV can be used by the Transport Converter to provide
information about some errors that occurred during the processing of
a request to convert a connection. This TLV will appear after the
Converter header in a RST segment returned by the Transport Converter
if the error is fatal and prevented the establishment of the
connection. If the error is not fatal and the connection could be
established with the final destination, then the error TLV will be
placed in the SYN/ACK packet.
+---------------+---------------+-------------------------------+
| Type | Length | Error | Value |
+---------------+---------------+-------------------------------+
Figure 12: The Error TLV
The following fatal errors are defined in this document:
o Administratively prohibited (1). This error indicates that the
Converter refused to create a connection towards the specific
Server Address Destination or Port. The Value field is set to
zero.
o Connection reset by final destination (2). This Error indicates
that the final destination responded with a RST packet. The Value
field is set to zero.
o Destination unreachable (3). This Error indicates that an ICMP
destination unreachable, port unreachable or network unreachable
was received by the Transport Converter. The Value field contains
the Code field of the received ICMP message.
o Invalid Converter message (4). This Error indicates that the
Transport Converter received an unknown TLV. The Value field is
set to the type of the unknown TLV. If several unknown TLVs were
received, only one of them is reported in the error.
o Resource Exceeded (5). This Error indicates that the Transport
Converter does not have enough resources to perform the Client
request.
The following non-fatal errors are defined in this document:
Bonaventure, et al. Expires January 18, 2018 [Page 15]
Internet-Draft 0-RTT TCP converters July 2017
o Unsupported TCP Option (128). A TCP Option that the Client
requested to advertise to the final Server is not supported by the
Transport Converter. The Value field is set to the type of the
unsupported TCP Option. If several unsupported TCP Options were
specified in the Connect TLV, only one of them is returned in the
Value.
Table 2 summarises the different error messages.
+-------+---------------------------------------+
| Error | Description |
+-------+---------------------------------------+
| 1 | Administratively prohibited |
| | |
| 2 | Connection reset by final destination |
| | |
| 3 | Destination unreachable |
| | |
| 16 | Invalid Converter message |
| | |
| 32 | Resource Exceeded |
| | |
| 128 | Error TLV |
+-------+---------------------------------------+
Table 2: The different error types
3.2.4. The Bootstrap TLV
The Bootstrap TLV is sent by a Client to request the TCP Extensions
that are supported by a Transport Converter. It is typically sent on
the first connection that a Client establishes with a Transport
Converter to learn its capabilities. The Transport Converter replies
with the Supported TCP Options TLV described in Section 3.2.5.
+---------------+---------------+-------------------------------+
| Type | Length | Zero |
+---------------+---------------+-------------------------------+
Figure 13: The Bootstrap TLV
3.2.5. Supported TCP Options TLV
The Supported TCP Options TLV is used by a Converter to announce the
TCP options that it supports. Each supported TCP Option is encoded
with its TCP option Kind listed in the TCP Parameters registry
maintained by IANA. TCP option Kinds 0, 1 and 2 defined in [RFC0793]
Bonaventure, et al. Expires January 18, 2018 [Page 16]
Internet-Draft 0-RTT TCP converters July 2017
are supported by all TCP implementations and thus cannot appear in
this list. The list of supported TCP Options is padded with 0 to end
on a 32 bits boundary.
+---------------+---------------+-------------------------------+
| Type | Length | Reserved |
+---------------+---------------+-------------------------------+
| Kind #1 | Kind #2 | ... |
+---------------+---------------+-------------------------------+
/ /
/ /
+---------------+---------------+-------------------------------+
| | Kind #n | Zero |
+---------------------------------------------------------------+
Figure 14: The Supported Options TLV
Bonaventure, et al. Expires January 18, 2018 [Page 17]
Internet-Draft 0-RTT TCP converters July 2017
4. Examples
This section provides some examples of the utilisation of the
Transport Converter. We consider the following network to illustrate
the operation of the Converter protocol.
Client Transport Server
Converter
@c @t @s
Figure 15: Simple scenario
4.1. Bootstrap
The Converter protocol is designed with the ability to leverage on
the utilisation of TCP Fast Open between the Client and the Transport
Converter. To be able to place data inside the SYN packet that it
sends, the Client first needs to obtain a TFO cookie from the
Transport Converter. This is achieved by establishing a TCP
connection to the Transport Converter without requesting the
establishment of a connection towards a Server. This connection is
established immediatley when a new Converter is configured to the
client.
Note that the Converter may rely on local policies to decide whether
it can service a given requesting client. That is, the Convert may
not return a cookie for that client.
Also, the Converter may behave in a Cookie-less mode when appropriate
means are enforced at the converter and the network in-between to
protect against atatcks such spoofing and SYN flood. Under such
deployments, the use of TFO is not required.
To perform the bootstrap operation, the Client sends the following
SYN packet :
o source IP address: @c (one of the client's IP addresses)
o destination IP address: @t
o TCP Options : MSS, TFO (2 bytes), NOP, NOP
o Payload : empty
The Converter replies with the following SYN+ACK packet:
Bonaventure, et al. Expires January 18, 2018 [Page 18]
Internet-Draft 0-RTT TCP converters July 2017
o source IP address: @t
o destination IP address: @c
o TCP Options : MSS, TFO (including @tcookie), NOP, NOP
o Payload : empty
At this point, the Client has learned the TFO cookie (@tcookie) that
needs to be used fro subsequent exchanges with this Transport
Converter. For the examples in this section, we assume TFO cookies
that contain 4 bytes of information. Other cookie lengths are
possible as per [RFC7413].
The Client sends the third Ack to conclude the three-way handshake.
It then sends in a Data packet the fixed header and the Bootstrap TLV
to query the TCP options that are supported by the Converter. This
message spans 8 bytes (4 for the fixed header and 4 for the Bootstrap
TLV). The Converter replies with the converter fixed header and a
TCP Options TLV that indicates the TCP extensions that it supports.
During the bootstrap phase, the client may register on the converter
the set of its available IP addresses. Announcing these addresses
will help the converter to place incoming multipath connections to
the client.
The Client needs to recontact the Converter before the expiry of the
TFO Cookie to refresh it or obtain a new one.
The TFO-cookie supplied by the Converter is inserted in subsequent
messages as part of the Converter TLVs. As such, there is no
ambiguity with TFO cookie that is supplied by the Client to the
remote server; this second cookie is enclosed according to the
procedure in [RFC7413].
4.2. Multipath TCP
The MP_CAPABLE Option defined in [RFC6824] allows to negotiate the
utilisation of Multipath TCP. Consider a Client that uses the
Transport Converter to create a connection on port 123 with a Server
that supports [RFC6824].
For this, the Client sends the following SYN packet :
o source IP address: @c
o destination IP address: @t
Bonaventure, et al. Expires January 18, 2018 [Page 19]
Internet-Draft 0-RTT TCP converters July 2017
o TCP Options : MSS, TFO (@t cookie), MP_CAPABLE(key@c)
o Payload :
* Converter Header, Total Length=7 32 bits words
* Connect :
+ Length=6
+ Port=123
+ Address: @s
+ TCP Options:
- TCPOpt type: 30 (Multipath TCP)
- TCPOpt Length: 2 (no value)
- Padding: zero (2 bytes)
Upon reception of this packet, the Transport Converter creates a SYN
packet and sends it to the destination Server:
o source IP address: @t
o destination IP address: @s
o TCP Options : MSS, MP_CAPABLE(key@ts)
o Payload : empty
The Server replies with the following SYN+ACK:
o source IP address: @s
o destination IP address: @t
o TCP Options : MSS, MP_CAPABLE(key@ts,key@s)
o Payload : empty
The Transport Converter then confirms the establishment of the
connection to the Client with the following SYN+ACK:
Bonaventure, et al. Expires January 18, 2018 [Page 20]
Internet-Draft 0-RTT TCP converters July 2017
o source IP address: @t
o destination IP address: @c
o TCP Options : MSS, MP_CAPABLE(key@c,key@tc)
o Payload:
* Converter Header, Total Length=8
* TCP Extended Header TLV:
+ Length=7
+ Value: MSS, MP_CAPABLE(key@ts,key@s)
Upon reception of this packet, the Client has the confirmation that
the Multipath TCP connection has been established through the
Transport Converter. By parsing the TCP Extended Header TLV, it
detects that Server @s supports Multipath TCP and will thus be able
to bypass the Transport Converter for future connections towards this
Server.
In order to support incoming connections from remote hosts, the
client may use PCP [RFC6887] to instruct the converter to create
dynamic mappings. Those mappings will be used by the converter to
intercept an incoming TCP connection destined to the client and
convert it into an MPTCP connection.
Transport
H1 Converter Remote Host
<-------------------
SYN
<-------------------
SYN, MPC[Remote Host:port]
--------------------->
SYN+ACK, MPC
--------------------->
SYN+ACK
<---------------------
ACK
<-------------------
ACK, MPC
Bonaventure, et al. Expires January 18, 2018 [Page 21]
Internet-Draft 0-RTT TCP converters July 2017
Figure 16: Establishment of an Incoming TCP Connection through a
Converter
4.3. TCP Fast Open (TFO)
The TCP Fast Open (TFO) option is defined in [RFC7413]. In this
section, we show how a Client can use TFO with a remote Server
through a Transport Converter. We consider two TCP connections to
this Server. The Client has already received the cookie of the
Transport Converter (@t cookie).
For the first connection, the Client sends the following SYN packet:
o source IP address: @c
o destination IP address: @t
o TCP Options : MSS, TFO (@t cookie)
o Payload :
* Converter Header, Total Length=8
* Connect:
+ Length=7
+ Port=123
+ Address: @s
+ TCP Options:
- TCPOpt type: 34 (TFO)
- TCPOpt Length: 2 (no value)
- Padding: zero (2 bytes)
The TFO option of the SYN packet contains the cookie chosen by the
Transport Converter. The Transport Converter then issues the
following SYN packet towards the Server:
o source IP address: @t
o destination IP address: @s
Bonaventure, et al. Expires January 18, 2018 [Page 22]
Internet-Draft 0-RTT TCP converters July 2017
o TCP Options : MSS, TFO (empty), NOP, NOP
o Payload : empty
The Server replies with its own TFO cookie (@s cookie) in the SYN+ACK
packet:
o source IP address: @s
o destination IP address: @t
o TCP Options : MSS, TFO (@s cookie)
o Payload : empty
The Converter confirms the establishment of the TCP connection to the
Client by sending the following SYN+ACK packet:
o source IP address: @t
o destination IP address: @c
o TCP Options : MSS, NOP, NOP
o Payload :
* Converter Header, Total Length=8
* TCP Extended Header TLV:
+ Length=7
+ Value: MSS, TFO (@s cookie)
* some data
The Client can extract the Server cookie from the TCP Extended Header
TLV and initiate future connections to this Server as follows
(assuming that it prefers to establish it via the Transport Converter
instead of contacting directly the final destination).
o source IP address: @c
o destination IP address: @t
o TCP Options : MSS, TFO (@t cookie)
Bonaventure, et al. Expires January 18, 2018 [Page 23]
Internet-Draft 0-RTT TCP converters July 2017
o Payload :
* Converter Header, Total Length=4
* Connect:
+ Length=8
+ Port=123
+ Address: @s
+ TCP Options:
- TCPOpt type: 34 (TFO)
- TCPOpt Length: 6 (value is @s cookie)
- Padding: zero (2 bytes)
The Transport Converter then initiates the connection towards the
final destination by sending the following SYN packet:
o source IP address: @t
o destination IP address: @s
o TCP Options : MSS, TFO (@s cookie), NOP, NOP
o Payload : some data
The Server verifies the TFO option and accepts the data in the SYN.
It replies with the following SYN+ACK packet:
o source IP address: @s
o destination IP address: @t
o TCP Options : MSS, NOP, NOP
o Payload : more data
The Server confirms the establishment of the TCP connection to the
Client by sending the following SYN+ACK packet:
o source IP address: @t
Bonaventure, et al. Expires January 18, 2018 [Page 24]
Internet-Draft 0-RTT TCP converters July 2017
o destination IP address: @c
o TCP Options : MSS, NOP, NOP
o Payload :
* Converter Header, Total Length=3
* Report:
+ Length=2
+ Value: MSS, NOP, NOP
* more data
The Client has thus been able to use TFO with a remote Server through
the Transport Converter.
Bonaventure, et al. Expires January 18, 2018 [Page 25]
Internet-Draft 0-RTT TCP converters July 2017
5. Interactions with middleboxes
The Converter protocol was designed to be used in networks that do
not contain middleboxes that interfere with TCP. We describe in this
section how a Client can detect middlebox interference and stop using
the Transport Converter affected by this interference.
Internet measurements [IMC11] have shown that middleboxes can affect
the deployment of TCP extensions. In this section, we only discuss
the middleboxes that modify SYN and SYN+ACK packets since the
Converter protocol places its messages in such packets.
Let us first consider a middlebox that removes the TFO Option from
the SYN packet. This interference will be detected by the Client
during the boostrap procedure described in section Section 4.1. A
Client should not use a Transport Converter that does not reply with
the TFO option during the Bootstrap.
Consider a middlebox that removes the SYN payload after the bootstrap
procedure. The Client can detect this problem by looking at the
acknowledgement number field of the SYN+ACK returned by the Transport
Converter. The Client should stop to use this Transport Converter
given the middlebox interference.
As explained in [RFC7413], some carrier-grade NATs can affect the
operation of TFO if they assign different IP addresses to the same
endhost. Such carrier-grade NATs could affect the operation of the
TFO Option used by the Converter protocol. See also the discussion
in section 7.1 of [RFC7413].
Bonaventure, et al. Expires January 18, 2018 [Page 26]
Internet-Draft 0-RTT TCP converters July 2017
6. Security Considerations
Given its function and its location in the network, a Transport
Converter has access to the payload of all the packets that it
processes. As such, it must be protected as a core IP router.
The Converter protocol is intended to be used in managed networks
where endhosts can be identified by their IP address. Thanks to the
Bootstrap procedure described in section Section 4.1, the Transport
Converter can verify that the Client correctly receives packets sent
by the Converter. Stronger authentication schemes should be defined
to use the Converter protocol in more open network environments.
Upon reception of a SYN that contains a valid TFO Cookie and a
Connect TLV, the Transport Converter attempts to establish a TCP
connection to a remote Server. There is a risk of denial of service
attack if a Client requests too many connections in a short period of
time. Implementations should limit the number of pending connections
from a given Client.
Another possible risk are the amplification attacks since a Transport
Converter sends a SYN towards a remote Server upon reception of a SYN
from a Client. This could lead to amplification attacks if the SYN
sent by the Transport Converter were larger than the SYN received
from the Client or if the Transport Converter retransmits the SYN.
To mitigate such attack,s the Transport Converter should first limit
the number of pending requested for a given Client. It should also
avoid sending to remote Servers SYNs that are significantly longer
than the SYN received from the Client. In practice, Transport
Converters should not advertise to a Server TCP Options that were not
specified by the Client in the received SYN. Finally, the Transport
Converter should only retransmit a SYN to a Server after having
received a retransmitted SYN from the corresponding Client.
Bonaventure, et al. Expires January 18, 2018 [Page 27]
Internet-Draft 0-RTT TCP converters July 2017
7. IANA Considerations
This document requests the allocation of a reserved service name and
port number for the converter protocol at https://www.iana.org/
assignments/service-names-port-numbers/
service-names-port-numbers.xhtml.
This documents specifies version 1 of the Converter protocol. Five
types of Converter messages are defined:
o 1: Bootstrap TLV
o 10: Connect TLV
o 20: Extended TCP Header TLV
o 21: Supported TCP Options TLV
o 30: Error TLV
Furthermore, it also defines 6 types of errors.
o 1: Administratively prohibited
o 2: Connection reset by final destination
o 3: Destination unreachable
o 16: Invalid Converter message
o 32: Resource Exceeded -128: Error TLV
Bonaventure, et al. Expires January 18, 2018 [Page 28]
Internet-Draft 0-RTT TCP converters July 2017
8. Conclusion
We have proposed the utilisation of Transport Converters to aid the
deployment of TCP extensions such as Multipath TCP. Compared with
deployed solutions such as SOCKS proxies, the Transport Converters
provide several benefits. First, they do not increase the connection
establishment time. Second, they are compatible and benefit from the
TCP Fast Open extension. Third, clients benefit from the Transport
Converter when the Server does not support the required extension.
Furthermore, they can easily detect when the Server supports the
required extension and thus bypass the Transport Converter to contact
those Servers.
Bonaventure, et al. Expires January 18, 2018 [Page 29]
Internet-Draft 0-RTT TCP converters July 2017
9. Acknowledgements
This document builds upon earlier documents that proposed various
forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode],
[I-D.peirens-mptcp-transparent] and [HotMiddlebox13b].
We would like to thank Bart Peirens, Raphael Bauduin and Anand
Nandugudi for their help in preparing this draft.
Although they could disagree with the contents of the document, we
would like to thank Joe Touch and Juliusz Chroboczek whose comments
on the MPTCP mailing list have forced us to reconsider the design of
the solution several times.
Bonaventure, et al. Expires January 18, 2018 [Page 30]
Internet-Draft 0-RTT TCP converters July 2017
10. References
10.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<http://www.rfc-editor.org/info/rfc793>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291,
February 2006, <http://www.rfc-editor.org/info/rfc4291>.
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
"TCP Extensions for Multipath Operation with Multiple
Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
<http://www.rfc-editor.org/info/rfc6824>.
[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
<http://www.rfc-editor.org/info/rfc7413>.
10.2. Informative References
[Fukuda2011]
Fukuda, K., "An Analysis of Longitudinal TCP Passive
Measurements (Short Paper)", Traffic Monitoring and
Analysis. TMA 2011. Lecture Notes in Computer Science, vol
6613. , 2011.
[HotMiddlebox13b]
Detal, G., Paasch, C., and O. Bonaventure, "Multipath in
the Middle(Box)", HotMiddlebox'13 , December 2013, <http:/
/inl.info.ucl.ac.be/publications/multipath-middlebox>.
[I-D.arkko-arch-low-latency]
Arkko, J. and J. Tantsura, "Low Latency Applications and
the Internet Architecture",
draft-arkko-arch-low-latency-01 (work in progress),
July 2017.
[I-D.boucadair-mptcp-plain-mode]
Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel,
D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R.,
Vinapamula, S., Seo, S., Cloetens, W., Meyer, U.,
Contreras, L., and B. Peirens, "Extensions for Network-
Assisted MPTCP Deployment Models",
draft-boucadair-mptcp-plain-mode-10 (work in progress),
March 2017.
Bonaventure, et al. Expires January 18, 2018 [Page 31]
Internet-Draft 0-RTT TCP converters July 2017
[I-D.ietf-tcpinc-tcpcrypt]
Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack,
Q., and E. Smith, "Cryptographic protection of TCP Streams
(tcpcrypt)", draft-ietf-tcpinc-tcpcrypt-06 (work in
progress), March 2017.
[I-D.olteanu-intarea-socks-6]
Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6",
draft-olteanu-intarea-socks-6-00 (work in progress),
June 2017.
[I-D.peirens-mptcp-transparent]
Peirens, B., Detal, G., Barre, S., and O. Bonaventure,
"Link bonding with transparent Multipath TCP",
draft-peirens-mptcp-transparent-00 (work in progress),
July 2016.
[IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment",
IETF Journal, Fall 2016 , n.d..
[IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A.,
Handley, M., and T. Hideyuki, "Is it still possible to
extend TCP ?", Proceedings of the 2011 ACM SIGCOMM
conference on Internet measurement conference , 2011.
[RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and
L. Jones, "SOCKS Protocol Version 5", RFC 1928,
DOI 10.17487/RFC1928, March 1996,
<http://www.rfc-editor.org/info/rfc1928>.
[RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z.
Shelby, "Performance Enhancing Proxies Intended to
Mitigate Link-Related Degradations", RFC 3135,
DOI 10.17487/RFC3135, June 2001,
<http://www.rfc-editor.org/info/rfc3135>.
[RFC6555] Wing, D. and A. Yourtchenko, "Happy Eyeballs: Success with
Dual-Stack Hosts", RFC 6555, DOI 10.17487/RFC6555,
April 2012, <http://www.rfc-editor.org/info/rfc6555>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013,
<http://www.rfc-editor.org/info/rfc6887>.
[RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A.
Zimmermann, "A Roadmap for Transmission Control Protocol
(TCP) Specification Documents", RFC 7414, DOI 10.17487/
Bonaventure, et al. Expires January 18, 2018 [Page 32]
Internet-Draft 0-RTT TCP converters July 2017
RFC7414, February 2015,
<http://www.rfc-editor.org/info/rfc7414>.
Bonaventure, et al. Expires January 18, 2018 [Page 33]
Internet-Draft 0-RTT TCP converters July 2017
Authors' Addresses
Olivier Bonaventure
Tessares
Email: Olivier.Bonaventure@tessares.net
Mohamed Boucadair
Orange
Email: mohamed.boucadair@orange.com
Bart Peirens
Proxiums
Email: bart.peirens@proximus.com
Bonaventure, et al. Expires January 18, 2018 [Page 34]