Network Working Group                                      M. Kuehlewind
Internet-Draft                                               B. Trammell
Intended status: Informational                                ETH Zurich
Expires: April 22, 2017                                    J. Hildebrand
                                                        October 19, 2016

           Transport-Independent Path Layer State Management


   This document describes a simple state machine for stateful network
   devices on a path between two endpoints to associate state with
   traffic traversing them on a per-flow basis, as well as abstract
   signaling mechanisms for driving the state machine.  This state
   machine is intended to replace the de-facto use of the TCP state
   machine or incomplete forms thereof by stateful network devices in a
   transport-independent way, while still allowing for fast state
   timeout of non-established or undesirable flows.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 22, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect

Kuehlewind, et al.       Expires April 22, 2017                 [Page 1]

Internet-Draft              PLUS Statefulness               October 2016

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  State Machine . . . . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  Uniflow States  . . . . . . . . . . . . . . . . . . . . .   5
     3.2.  Biflow States . . . . . . . . . . . . . . . . . . . . . .   6
     3.3.  Additional States and Actions . . . . . . . . . . . . . .   6
   4.  Abstract Signaling Mechanisms . . . . . . . . . . . . . . . .   6
     4.1.  Flow Identification . . . . . . . . . . . . . . . . . . .   7
     4.2.  Association Signaling . . . . . . . . . . . . . . . . . .   7
     4.3.  Stop Signaling  . . . . . . . . . . . . . . . . . . . . .   8
     4.4.  Timeout Exposure  . . . . . . . . . . . . . . . . . . . .   9
   5.  Signal mappings for transport protocols . . . . . . . . . . .   9
     5.1.  Signal mapping for TCP  . . . . . . . . . . . . . . . . .   9
     5.2.  Signal mapping for QUIC . . . . . . . . . . . . . . . . .  10
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  10
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   The boundary between the network and transport layers was originally
   defined to be that between information used (and potentially
   modified) hop-by-hop, and that used end-to-end.  End-to-end
   information in the transport layer is associated with state at the
   endpoints, but processing of network-layer information was assumed to
   be stateless.

   The widespread deployment of stateful middleboxes in the Internet,
   such as network address and port translators (NAPT), firewalls that
   model the TCP state machine to distinguish packets belonging to
   desirable flows from backscatter and random attack traffic, and
   devices which keep per-flow state for reporting and monitoring
   purposes (e.g.  IPFIX [RFC7011] Metering Processes), has broken this
   assumption, and made it more difficult to deploy non-TCP transport
   protocols in the Internet.

   The deployment of new transport protocols encapsulated in UDP with
   encrypted transport headers (such as QUIC
   [I-D.hamilton-quic-transport-protocol]) will present a challenge to
   the operation of these devices, and their ubiquity likewise threatens
   to impair the deployability of these protocols.  There are two main
   causes for this problem: first, stateful devices often use an
   internal model of the TCP state machine to determine when TCP flows
   start and end, allowing them to manage state for these flows; for UDP
   flows, they must rely on timeouts.  These timeouts are generally
   short relative to those for TCP [IMC-GATEWAYS], requiring UDP-
   encapsulated transports either to generate unproductive keepalive
   traffic for long-lived sessions, or to tolerate connectivity problems
   and the necessity of reconnection due to loss of on-path state.

   This document presents a solution to this problem by defining a state
   machine that is transport independent to be implemented at per-flow
   state-keeping middleboxes as a replacement for incomplete TCP state
   modeling.  Middleboxes implementing this state machine using signals
   from a common UDP encapsulation layer can have equivalent necessary
   state information to that provided by TCP, reducing the friction
   between middleboxes and these new transport protocols.

2.  Terminology

   In this document, the term "flow" is defined to be compatible with
   the definition given in [RFC7011]: A flow is defined as a set of
   packets passing a device on the network during a certain time
   interval.  All packets belonging to a particular Flow have a set of
   common properties.  Each property is defined as the result of
   applying a function to the values of:

   1.  one or more network layer header fields (e.g., destination IP
       address) or transport layer header fields (e.g., destination port
       number) that the device has access to;

   2.  one or more characteristics of the packet itself (e.g., number of
       MPLS labels, etc.);

   3.  one or more of the fields derived from packet treatment at the
       device (e.g., next-hop IP address, the output interface, etc.).

   A packet is defined as belonging to a flow if it completely satisfies
   all the defined properties of the flow.

   A bidirectional flow or biflow is defined as compatible with
   [RFC5103], by joining the "forward direction" flow with the "reverse
   direction" flow, derived by reversing the direction of directional
   fields (ports and IP addresses).  Biflows are only relevant at
   devices positioned so as to see all the packets in both directions of
   the biflow, generally on the endpoint side of the service demarcation
   point for either endpoint as defined in the reference path given in

3.  State Machine

   The transport-independent state machine for on-path devices is shown
   in Figure 1.  It relies on four states, three configurable timeouts,
   and a set of signals defined in Section 4.  The states are defined as
   follows:

   o  zero: there is no state for a given flow at the device

   o  uniflow: a packet has been seen in one direction; state will be
      kept at the device until it is explicitly cancelled or until
      timeout t1 elapses without a packet.

   o  biflow: a packet has been seen in one direction and an indication
      that the receiving endpoint wishes to continue the
      association has been seen in the opposite direction; state will be
      kept at the device until it is explicitly canceled or until
      timeout t2 elapses without a packet.

   o  closing: an established biflow is shutting down due to an explicit
      close indication; state will be kept at the device until timeout
      t3 elapses.

   The three timeouts are defined as follows:

   o  t1 is the unidirectional idle timeout.  It can be considered
      equivalent to the idle timeout for transport protocols where the
      device has no information about session start and end (e.g. most
      UDP protocols).

   o  t2 is the bidirectional idle timeout.  It can be considered
      equivalent to the timeout for transport protocols where the device
      has information about session start and end (e.g.  TCP).

   o  t3 is the closing timeout: how long the device will account
      additional packets to a flow after observing a stop signal, and is
      generally applied to ensuring a reordered stop signal doesn't
      create a new flow.

   Selection of timeouts is a configuration and implementation detail,
   but generally t3 <= t1 < t2.

      _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     '                                         '
     '    +----+   p(s->d)   +-----+           '
     '   /      \---------->/       \----+     '  UNIFLOW
     '  (  zero  )         ( uniflow ) p(s->d) '  ONLY
     '   \      /<----------\       /<---+     '  STATES
     '    +----+      t1     +-----+           '
     '_ _ _ ^_^ _ _ _ _ _ _ _ _ | _ _ _ _ _ _ _'
         t3 |  \                | association
            |   \__________     v
          +-----+     t2   \  +----+
         /       \          \/      \----+
        ( closing )<--------( biflow ) p(s<->d)
         \       /   stop    \      /<---+
          +-----+             +----+

    Figure 1: Transport-Independent State Machine for Stateful On-Path

3.1.  Uniflow States

   Every packet received by a device keeping per-flow state must
   associate that packet with a flow (see Section 4.1).  When a device
   receives a packet associated with a flow for which it has no state,
   and it is configured to forward the packet instead of dropping it, it
   moves that flow from the zero state into the uniflow state and starts
   a timer t1.  It resets this timer for any additional packet it
   forwards in the same direction as long as the flow remains in the
   uniflow state.  When timer t1 expires on a flow in the uniflow state,
   the device drops state for the flow and performs any processing
   associated with doing so: tearing down NAT bindings, closing
   associated firewall pinholes, exporting flow information, and so on.
   The device may also drop state on a stop signal, if observed.

   Some devices will only see one side of a communication, e.g. if they
   are placed in a portion of a network with asymmetric routing.  These
   devices use only the zero and uniflow states (as marked in Figure 1).
   In addition, true uniflows - protocols which are solely
   unidirectional (e.g. some applications over UDP) - will also use only
   the uniflow-only states.  In either case, current devices generally
   don't associate much state with observed uniflows, and timeout
   is generally sufficient to expire this state.

3.2.  Biflow States

   A uniflow transitions to the biflow state when the device observes an
   association signal.  An association signal consists of a packet sent
   in the opposite direction from the uniflow packet(s), with certain
   properties as defined in Section 4.2.  After transitioning to the
   biflow state, the device starts a timer t2.  It resets this timer for
   any packet it forwards in either direction.  The biflow state
   represents a fully established bidirectional communication.  When
   timer t2 expires, the device assumes that the flow has shut down
   without signaling as such, and drops state for the flow, performing
   any associated processing.  When a stop signal is observed in either
   direction, the flow transitions to the closing state.

   When a flow enters the closing state, it starts a timer t3.  While
   the stop signal should be the last packet on a flow, the t3 timer
   ensures that reordered packets after the stop signal will be
   accounted to the flow.  When this timer expires, the device drops
   state for the flow, performing any associated processing.
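
   The following Python simulation is added here for illustration and is
   not part of this draft.  It implements the four states and three
   timers of Figure 1 driven by the abstract signals of Section 4; the
   timer values, the flow key, and the packet trace in demo() are
   constructed, and the direction names 'fwd' / 'rev' are this example's
   own convention.

```python
from enum import Enum


class State(Enum):
    ZERO = "zero"
    UNIFLOW = "uniflow"
    BIFLOW = "biflow"
    CLOSING = "closing"


class PathStateMachine:
    """Per-flow state machine of Figure 1, driven by the abstract signals of
    Section 4.  Time is passed in explicitly (seconds) and expired timers
    are run before each event, so no real timers are needed to follow it."""

    def __init__(self, t1=30.0, t2=300.0, t3=10.0):
        assert t3 <= t1 < t2, "the draft suggests t3 <= t1 < t2"
        self.t1, self.t2, self.t3 = t1, t2, t3
        self.flows = {}  # key -> [state, direction of first packet, deadline]

    def state_of(self, key):
        return self.flows[key][0] if key in self.flows else State.ZERO

    def _set(self, key, t, new, first_dir=None, timeout=None):
        if new is State.ZERO:
            self.flows.pop(key, None)  # tear down NAT binding / pinhole, export, ...
        else:
            self.flows[key] = [new, first_dir, t + timeout]

    def expire(self, t):
        """Drop state for every flow whose running timer (t1, t2 or t3) elapsed."""
        for key, (_, _, deadline) in list(self.flows.items()):
            if t >= deadline:
                self._set(key, t, State.ZERO)

    def packet(self, key, direction, t, association=False, stop=False):
        """Account one forwarded packet; return the flow's resulting state.
        key: flow identifier (Section 4.1), identical in both directions;
        direction: 'fwd' or 'rev' relative to the key; association / stop:
        the packet carries that signal (Section 4.2 / 4.3)."""
        self.expire(t)
        state = self.state_of(key)
        first_dir = self.flows[key][1] if key in self.flows else direction
        if state is State.ZERO:
            self._set(key, t, State.UNIFLOW, direction, self.t1)      # start t1
        elif state is State.UNIFLOW:
            if stop:
                self._set(key, t, State.ZERO)                          # drop state
            elif association and direction != first_dir:
                self._set(key, t, State.BIFLOW, first_dir, self.t2)   # start t2
            elif direction == first_dir:
                self._set(key, t, State.UNIFLOW, first_dir, self.t1)  # reset t1
            # a reverse-direction packet without association changes nothing
        elif state is State.BIFLOW:
            if stop:
                self._set(key, t, State.CLOSING, first_dir, self.t3)  # start t3
            else:
                self._set(key, t, State.BIFLOW, first_dir, self.t2)   # reset t2
        # CLOSING: reordered packets are accounted to the flow; t3 is not reset
        return self.state_of(key)


def demo():
    """Constructed trace: a biflow is set up, idles, closes and is cleaned up
    after t3; then a lone uniflow expires after t1.  Returns the states seen."""
    m = PathStateMachine(t1=30, t2=300, t3=10)
    k = ("192.0.2.1", 40000, "198.51.100.2", 443, 17)  # constructed 5-tuple
    seen = [
        m.packet(k, "fwd", 0.0),                        # zero -> uniflow
        m.packet(k, "rev", 0.5, association=True),      # uniflow -> biflow
        m.packet(k, "fwd", 250.0),                      # within t2, stays biflow
        m.packet(k, "rev", 260.0, stop=True),           # biflow -> closing
        m.packet(k, "fwd", 262.0),                      # reordered, still closing
    ]
    m.expire(275.0)                                     # t3 elapsed: state dropped
    seen.append(m.state_of(k))
    seen.append(m.packet(k, "fwd", 280.0))              # same key, fresh uniflow
    m.expire(320.0)                                     # t1 elapsed with no packets
    seen.append(m.state_of(k))
    return [s.value for s in seen]
```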

3.3.  Additional States and Actions

   This document is concerned only with states and transitions common to
   transport- and function-independent state maintenance.  Devices may
   augment the transitions in this state diagram depending on their
   function.  For example, a firewall that decides based on some
   information beyond the signals used by this state machine to shut
   down a flow may transition it directly to a blacklist state on
   shutdown.  Or, a firewall may fail to forward additional packets in
   the uniflow state until an association signal is observed.

4.  Abstract Signaling Mechanisms

   The state machine in Section 3 requires three signals: a new flow
   signal (the first packet observed in a flow in the zero state), an
   association signal (allowing a device to verify that an endpoint
   wishes a bidirectional communication to be established or to
   continue), and a stop signal (noting that an endpoint wishes to stop
   a bidirectional communication).  Additional related signals may also
   be useful, depending on the function a device provides.  There are a
   few different ways to implement these signals; here, we explore the
   properties of some potential implementations.

   We assume the following general requirements for these signals;
   parallel to those given in [draft-trammell-plus-abstract-mech]:

   o  At least the endpoints can verify the integrity of the signals
      exposed, and shut down a transport association when that
      verification fails, in order to reduce the incentive for on-path
      devices to attempt to spoof these signals.

   o  Endpoints and devices on path can probabilistically verify that an
      originator of a signal is on-path.

4.1.  Flow Identification

   In order to keep per-flow state, each device using this state machine
   must have a function it can apply to each packet to be able to
   extract common properties to identify the flow it is associated with.
   In general, the set of properties used for flow identification on
   presently deployed devices includes the source and destination IP
   address, the source and destination transport layer port number, the
   transport protocol number.  The differentiated services field
   [RFC2474] may also be included in the set of properties defining a
   flow, since it may indicate different forwarding treatment.

   However, other protocols may use additional bits in their own headers
   for flow identification.  In any case, a protocol implementing
   signaling for this state machine must specify the function used for
   flow identification.

4.2.  Association Signaling

   An association signal indicates that the endpoint that received the first
   packet seen by the device is interested in continuing conversation
   with the sending endpoint.  This signal is roughly an in-band
   analogue to consent signaling in ICE [RFC7675] that is carried to
   every device along the path.

   Transport-independent, path-verifiable association signaling can be
   implemented using an association token generated by one endpoint,
   present on each packet sent in the flow by that endpoint, and a
   response token, derived from the association token using a well-
   known, defined function, present on each packet sent in the flow by
   the opposite endpoint.  We can assume a transport association has an
   initiator and a responder; under this assumption, the association
   token is chosen by the initiator, and the response token generated by
   the responder.

   Any packet sent by the responder with a valid response token, and
   without a stop signal (see Section 4.3), can then be taken to be a
   an association signal to continue a bidirectional communication.  Note
   that, since it relies on a widely-known function, this mechanism does
   allow on-path devices to forge association signaling in a way that
   downstream on-path devices cannot detect.  However, in the presence
   of end-to-end signal integrity verification, this forgery will be
   detected by the endpoint, which MUST terminate the association on a
   forged association signal; the flow at the duped on-path device will
   transition from biflow to closing within a single packet.  This
   reduces any attack against the association signaling mechanism to the
   disruption of a connection, which on-path devices can do in any case
   by simply refusing to forward packets.

   Association tokens MUST be chosen by initiators to be hard to guess;
   otherwise, off-path devices can spoof association and response
   signals.  Cryptographic random number generators suffice here.  In
   choosing the number of bits for an association token, there is a
   tradeoff between per-packet overhead and state overhead at on-path
   devices, and assurance that an association token is hard to guess.
   This tradeoff must be evaluated at protocol design time.

   There are a few considerations in choosing a function (or functions)
   to generate the response token from the association token, and to
   verify a response token given an association token.  The simplest
   such function is the identity function: the response token is simply
   the association token.  Simple two-way functions (e.g. one's
   complement of the association token) provide additional assurance of
   implementation of the protocol, and cannot be accidentally triggered
   by simple reflection of unknown bits in a packet.  One-way functions
   (e.g. truncated SHA-2 hash of the association token) additionally
   allow on-path recognition of initiator and responder from the middle
   of a flow.

   In any case, a concrete implementation of association signaling must
   choose a single function, or mechanism for unambiguously choosing
   one, at both endpoints as well as along the path.
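
   To make the tradeoff between the candidate response-token functions
   concrete, the following example (added here, not part of this draft)
   implements identity, one's complement and truncated SHA-256 for a
   constructed 64-bit token width and checks the two properties the text
   attributes to them: whether a naive reflector passes verification, and
   whether a device joining mid-flow can tell initiator from responder.
   Function and variable names are this example's own.

```python
import hashlib
import secrets

TOKEN_BITS = 64                 # constructed choice; the draft leaves the width open
MASK = (1 << TOKEN_BITS) - 1


def new_association_token():
    """Initiator-chosen token from a cryptographic RNG, so it is hard to guess."""
    return secrets.randbits(TOKEN_BITS)


# Candidate response-token functions discussed in Section 4.2.
def identity(assoc):
    return assoc


def ones_complement(assoc):
    return ~assoc & MASK


def truncated_sha256(assoc):
    digest = hashlib.sha256(assoc.to_bytes(TOKEN_BITS // 8, "big")).digest()
    return int.from_bytes(digest[: TOKEN_BITS // 8], "big")


def verify_response(func, assoc, resp):
    """Check done by an endpoint or on-path device: does resp match func(assoc)?"""
    return func(assoc) == resp


def survives_naive_reflection(func):
    """True if a peer that merely echoes the unknown token bits back would pass
    verification, i.e. the function gives no assurance that the protocol
    is actually implemented."""
    assoc = new_association_token()
    return verify_response(func, assoc, assoc)


def classify_midflow(func, token_x, token_y):
    """A device joining a flow mid-stream sees token_x in one direction and
    token_y in the other.  Returns which side is the initiator, 'ambiguous'
    when func is its own inverse (identity, complement), or 'invalid' when
    neither direction verifies."""
    x_init = verify_response(func, token_x, token_y)
    y_init = verify_response(func, token_y, token_x)
    if x_init and y_init:
        return "ambiguous"
    if x_init:
        return "x-initiator"
    if y_init:
        return "y-initiator"
    return "invalid"
```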

4.3.  Stop Signaling

   A stop signal is directly carried or otherwise encoded in the
   protocol header to indicate that a flow is ending, whether normally
   or abnormally, and that state associated with the flow should be torn
   down.  Upon decoding a stop signal, a device on path should move the
   flow from uniflow state to null, or from biflow state to closing.

   Transports should send a stop signal only on the last packet sent in
   a bidirectional flow.  The closing timeout t3 is intended to ensure
   that any packets reordered in delivery are accounted to the flow
   before state for it is dropped.

   We assume the encoding of a stop signal into a packet header, as with
   all other signals, is integrity protected end-to-end.  Stop signals,
   like association signals, can be forged by one on-path device to dupe
   other devices into moving flows into the closing state.  However, state
   will be re-established by the continuing flow (and resulting
   association signals) after the closing timeout, and an endpoint
   receiving a spoofed stop signal could enter a fast re-establishment
   phase of the upper layer transport protocol to minimize disruption,
   further reducing the incentive to attackers to spoof stop signals.

4.4.  Timeout Exposure

   Since one of the goals of these mechanisms is to reduce the amount of
   non-productive keepalive traffic required for UDP-encapsulated
   transport protocols, they MAY be deployed together with a path-to-
   receiver signal with feedback as defined in
   [draft-trammell-plus-abstract-mech] asking for timeouts t1, t2, and
   t3 for a given flow.

5.  Signal mappings for transport protocols

   We now show how this state machine can be driven by signals available
   in TCP and QUIC.

5.1.  Signal mapping for TCP

   A mapping of TCP flags to transitions in the state machine in
   Section 3 shows how devices currently using a model of the TCP state
   machine can be converted to use this state machine.

   Simply speaking, an ACK flag [RFC0793] in the absence of the FIN or
   RST flags, and an in-window acknowledgment number, is synonymous with
   the association signal, while the RST or final FIN flags are stop
   signals.  For a typical TCP flow:

   1.  The initial SYN places the flow into uniflow state,

   2.  The SYN-ACK sent in reply acts as an association signal and places
       the flow into biflow state,

   3.  Any RST moves the flow into closing state, or

   4.  The final FIN-ACK (not the first half-close FIN) moves the flow
       into closing state.

   Note that since any valid ACK acts as an association signal, this
   mapping allows flows to transition to the biflow state even if the
   initial SYN-ACK is not observed.  However, generating a stop signal
   from FIN does require additional TCP state modeling to prevent moving
   into the closing state on a half-close.
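
   The following example, added here and not taken from this draft,
   derives the Section 4 signals from TCP flags according to the mapping
   above, including the small amount of extra per-flow FIN bookkeeping
   needed to treat only the final FIN-ACK, and not the first half-close
   FIN, as a stop signal.  The direction names, the ack_in_window
   parameter (the in-window check is assumed done by the caller) and the
   segment sequence in typical_flow() are this example's own.

```python
class TcpSignalMapper:
    """Derives the Section 4 signals from TCP flags for one flow, following the
    Section 5.1 mapping.  The only extra TCP state kept is which directions
    have sent a FIN, so a half-close FIN is not mistaken for a stop signal."""

    def __init__(self):
        self.fin_seen = {"fwd": False, "rev": False}  # direction names assumed

    def signal(self, direction, flags, ack_in_window=True):
        """Return 'new-flow', 'association', 'stop' or None for one segment.
        flags: iterable of 'SYN', 'ACK', 'FIN', 'RST'; ack_in_window: whether
        the acknowledgment number is in-window (checked by the caller)."""
        flags = set(flags)
        if "RST" in flags:
            return "stop"                       # any RST closes the flow
        if "FIN" in flags:
            self.fin_seen[direction] = True
            other = "rev" if direction == "fwd" else "fwd"
            # Final FIN-ACK: the other side has already closed its half.
            return "stop" if self.fin_seen[other] else None
        if "ACK" in flags and ack_in_window:
            return "association"                # ACK without FIN/RST, in window
        if "SYN" in flags:
            return "new-flow"                   # first packet: zero -> uniflow
        return None


def typical_flow():
    """Constructed segment sequence of a normal TCP connection; returns the
    signal each segment yields.  The last ACK after the final FIN-ACK still
    reads as an association signal, which the closing state of Section 3
    simply absorbs."""
    m = TcpSignalMapper()
    segments = [
        ("fwd", {"SYN"}), ("rev", {"SYN", "ACK"}), ("fwd", {"ACK"}),
        ("fwd", {"ACK"}),                         # data segment, in window
        ("fwd", {"FIN", "ACK"}),                  # initiator half-closes
        ("rev", {"ACK"}),                         # responder acks the FIN
        ("rev", {"FIN", "ACK"}),                  # final FIN-ACK
        ("fwd", {"ACK"}),                         # last ACK, flow already closing
    ]
    return [m.signal(d, f) for d, f in segments]
```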

   Note that the association and stop signals derived from the TCP
   header are not integrity protected, and an association signal based
   on in-window ACK is not particularly resistant to off-path attacks;
   the state machine is therefore more susceptible to manipulation when
   used with vanilla TCP than when used with a transport protocol providing
   full integrity protection for its headers end-to-end.

5.2.  Signal mapping for QUIC

   QUIC [I-D.hamilton-quic-transport-protocol] as presently defined
   lacks only a stop signal to be able to drive this state machine.
   QUIC's 64-bit connection ID suffices as an association and response
   token as in Section 4.2; the response token function is identity.
   QUIC's cryptographic protocol, to be based on TLS
   [I-D.thomson-quic-tls], will provide the necessary integrity
   protection to drive the state machine.

   Any number of designs could be chosen to add a stop signal compatible
   with the definition in Section 4.3 to QUIC.  One is particularly
   promising, however.  We note that the Public Reset facility described
   in section 8 of [I-D.hamilton-quic-transport-protocol] very nearly
   meets the criteria; it would need to be expanded to expose normal
   termination as well as abnormal termination, and to provide for
   endpoint detection of inauthentic termination signals.

6.  IANA Considerations

   This document has no actions for IANA.

7.  Security Considerations

   This document defines a state machine for transport-independent state
   management on middleboxes, using in-band signaling, to replace the
   commonly implemented current practice of incomplete TCP state
   modeling on these devices.  It defines new signals for state
   management.  While these signals can be spoofed by any device on path
   that observes traffic in both directions, we presume the presence of
   end-to-end integrity protection of these signals provided by the
   upper-layer transport driving them.  This allows such spoofing to be
   detected and countered by endpoints, reducing the threat from on-path
   devices to connection disruption, which such devices are trivially
   placed to perform in any case.

8.  Acknowledgments

   Thanks to Christian Huitema for discussions leading to this document.

   This work is partially supported by the European Commission under
   Horizon 2020 grant agreement no. 688421 Measurement and Architecture
   for a Middleboxed Internet (MAMI), and by the Swiss State Secretariat
   for Education, Research, and Innovation under contract no. 15.0268.
   This support does not imply endorsement.

9.  References

9.1.  Normative References

   [RFC5103]  Trammell, B. and E. Boschi, "Bidirectional Flow Export
              Using IP Flow Information Export (IPFIX)", RFC 5103,
              DOI 10.17487/RFC5103, January 2008.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013.

   [RFC7398]  Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
              A. Morton, "A Reference Path and Measurement Points for
              Large-Scale Measurement of Broadband Performance",
              RFC 7398, DOI 10.17487/RFC7398, February 2015.

9.2.  Informative References

   [draft-trammell-plus-abstract-mech]
              Trammell, B., "Abstract Mechanisms for a Cooperative Path
              Layer under Endpoint Control", September 2016.

   [I-D.hamilton-quic-transport-protocol]
              Hamilton, R., Iyengar, J., Swett, I., and A. Wilk, "QUIC:
              A UDP-Based Multiplexed and Secure Transport", draft-
              hamilton-quic-transport-protocol-00 (work in progress),
              July 2016.

   [I-D.thomson-quic-tls]
              Thomson, M. and R. Hamilton, "Porting QUIC to Transport
              Layer Security (TLS)", draft-thomson-quic-tls-00 (work in
              progress), March 2016.

   [IMC-GATEWAYS]
              Hatonen, S., Nyrhinen, A., Eggert, L., Strowes, S.,
              Sarolahti, P., and M. Kojo, "An experimental study of home
              gateway characteristics (Proc. ACM IMC 2010)", n.d.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474,
              DOI 10.17487/RFC2474, December 1998.

   [RFC7675]  Perumal, M., Wing, D., Ravindranath, R., Reddy, T., and M.
              Thomson, "Session Traversal Utilities for NAT (STUN) Usage
              for Consent Freshness", RFC 7675, DOI 10.17487/RFC7675,
              October 2015.

Authors' Addresses

   Mirja Kuehlewind
   ETH Zurich
   Gloriastrasse 35
   8092 Zurich


   Brian Trammell
   ETH Zurich
   Gloriastrasse 35
   8092 Zurich


   Joe Hildebrand