Network Working Group M. Boucadair Internet-Draft C. Jacquenet Intended status: Experimental P. Seite Expires: January 4, 2016 France Telecom O. Bonaventure Tessares L. Deng China Mobile July 3, 2015 An MPTCP Profile for NAT- and Firewall-Free Networks: Network-Assisted MPTCP Deployments draft-boucadair-mptcp-natfwfree-profile-00 Abstract One of the promising deployment scenarios for Multipath TCP (MPTCP) is to enable a Customer Premises Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of such resources, thereby providing better serviceability overall (including whenever the CPE fails to connect to one of the access networks). This document specifies a MPTCP profile for such deployments in network regions that are firewall- and NAT-free. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 4, 2016. Boucadair, et al. Expires January 4, 2016 [Page 1] Internet-Draft Transport Profiles July 2015 Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Target Use Cases . . . . . . . . . . . . . . . . . . . . . . 5 4. Relaxing Some Base MPTCP Features . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction One of the promising deployment scenarios for Multipath TCP (MPTCP, [RFC6824]) is to enable a Customer Premises Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of such resources, see for example [I-D.deng-mptcp-proxy] or [RFC4908]. This deployment scenario relies on MPTCP proxies on both the CPE and the network sides (Figure 1). The latter plays the role of traffic concentrator. A concentrator terminates the MPTCP sessions, from a CPE, before relaying it into a legacy TCP session. Boucadair, et al. Expires January 4, 2016 [Page 2] Internet-Draft Transport Profiles July 2015 IP Network #1 +------------+ _--------_ +------------+ | | (e.g., LTE ) | | | CPE +======================+ | | (MPTCP | (_ _) |Concentrator| | Proxy) | (_______) | (MPTCP | | | | Proxy) |------> Internet | | | | | | IP Network #2 | | | | _--------_ | | | | ( e.g., DSL ) | | | +======================+ | | | (_ _) | | +-----+------+ (_______) +------------+ | ----CPE network---- | end-nodes Figure 1: "Network-Assisted" MPTCP Design Because the paths between the CPE and the concentrator are firewall- and NAT-free, the complexity of the MPTCP specification that was initially induced by the need to handle the presence of firewalls as well as routing asymmetry effects, is not justified anymore. Concretely, in the situations where the paths between the CPE and the concentrator are firewall- and NAT-free, the MPTCP stack is not required to support the dedicated features required to handle the presence of firewalls as well as routing asymmetry effects. Such context encourages the specification of a dedicated MPTCP profile that would in turn foster the adoption of MPTCP. This document specifies such MPTCP profile that is adapted to network regions that are firewall- and NAT-free. The constraint discussed in [RFC6824] does not apply for such deployments: "External Constraints: The protocol must function through the vast majority of existing middleboxes such as NATs, firewalls, and proxies, and as such must resemble existing TCP as far as possible on the wire. Furthermore, the protocol must not assume the segments it sends on the wire arrive unmodified at the destination: they may be split or coalesced; TCP options may be removed or duplicated." NAT is used through this document to refer to any function that rewrites a source IP address/prefix to another IP address/prefix Boucadair, et al. Expires January 4, 2016 [Page 3] Internet-Draft Transport Profiles July 2015 within the same or distinct address family. NAT is also to refer to any function that rewrites port numbers. Typical examples are traditional IPv4-IPv4 NAT ([RFC3022]), NPTv6 ([RFC6296]), NAT64 ([RFC6146]), DS-Lite AFTR ([RFC6333]), or Carrier Grade NAT (CGN, [RFC6888]). Lawful intercept and data retention implications due to the use of MPTCP are out of the scope of this document. 2. Assumptions The following assumptions are made: o One or multiple concentrators are deployed on the network side to assist MPTCP-enabled hosts to establish MPTCP connections via available network attachments. o On the uplink path, the concentrator terminates the MPTCP connections received from its customer-facing interfaces and transforms these connections into legacy TCP connections towards upstream servers. On the downlink path, the concentrator turns the legacy server's TCP connection into MPTCP connections towards its customer-facing interfaces. o Various network attachments are provided to an MPTCP-enabled host/ CPE; all these network attachments are managed by the same administrative entity. o The CPE implements an MPTCP proxy as well. This MPTCP proxy acts as a traffic concentrator from the end-nodes (i.e., hosts attached to the CPE) standpoint. o The network legs between the hosts and a concentrator instance are NAT- and firewall-free. o The logic for mounting network attachments by a host is deployment- and implementation-specific that are out of scope of this document . o The Network Provider that manages the various network attachments (including the concentrators) can enforce authentication and authorization policies using appropriate mechanisms that are out of scope of this document. o Policies can be enforced by a concentrator instance operated by the Network Provider to manage both upstream and downstream traffic. These policies may be subscriber-specific, connection- specific or system-wide. o The concentrator may be notified about the results of monitoring (including probing) the various network legs to service a customer, a group of customers, a given region, etc. No assumption is made by this document about how these probing operations are executed. o Ingress filtering ([RFC2827]) is implemented at the boundaries of the networks to provide anti-spoofing. Boucadair, et al. Expires January 4, 2016 [Page 4] Internet-Draft Transport Profiles July 2015 o An MPTCP-enabled multiple Interfaces host, that is directly connected to one or multiple access networks obtains address/ prefixes via legacy mechanisms of the various available network attachments. The host may be assigned the same or distinct IP address/prefixes via the various available network attachments. o The CPE does not alter or strip MPTCP signals received from end- nodes. o The concentrator may behave in a transparent mode (that is, hosts are unaware of the presence of the concentrator in the communication path(s)) or in a non-transparent mode (i.e., the identity of the concentrator is explicitly configured to the hosts). o A mechanism should be used to make sure the same IP address is assigned to the host when transforming an MPTCP connection into a TCP connection. No assumption is made about how such mechanism is implemented. Network Providers should be aware of the complications that may arise if a same IP address/prefix is shared among multiple hosts (see [RFC6967]). Whether these complications apply or not is deployment-specific. o The location of the concentrator(s) is deployment-specific. Network Providers may choose to adopt centralized or distributed (even if they may not be present on the different network accesses) designs, etc. Nevertheless, in order to take advantage of MPTCP, the location of the concentrator should not jeopardize packet forwarding performance for traffic sent from or directed to connected hosts. 3. Target Use Cases Two main use cases are targeted by this profile: 1. Multi-homed CPEs (e.g., [RFC4908]). 2. MPTCP within core networks to achieve load-balancing or bandwidth aggregation. This use case assumes that MPTCP connections are established between nodes that are managed by the same administrative entity. 4. Relaxing Some Base MPTCP Features The following list is a set of items of the MPTCP specification that can be relaxed to facilitate and improve MPTCP operation in firewall- and NAT-free regions of the network. A technical justification is provided to relax each of these items. The rest of the MPTCP specifications that are not mentioned in this section MUST be followed even in firewall and NAT-free networks. Boucadair, et al. Expires January 4, 2016 [Page 5] Internet-Draft Transport Profiles July 2015 Item 1: Checksum SHOULD be disabled. This behavior implies in particular that "A" flag bit must always be set to 0. Justification: This is a direct consequence of the absence of NATs and firewalls in the network leg between the host and a concentrator. Item 2: Section 3.6 of [RFC6824] does not apply. Justification: The target deployments assume that all paths are MPTCP-compliant; once the first subflow is established, it is safe to assume that any additional subflow will be successfully established over an MPTCP-compliant path. There is no need to envision a TCP fallback mechanism except for the first subflow. Operators may run tests to assess whether available paths are MPTCP-compliant. For example, Operators can perform tests with tools like tracebox to validate the absence of middleboxes on the network legs that are used. It is out of scope of this document to define those tests. Item 3: Endpoints may rely on the source address of a sub-flow established by an initiating peer to establish new subflows or enforce policies (e.g., rate-limit at the concentrator side). Justification: The point about private IP addresses discussed in Section of [RFC6824] does not apply, since there is no NAT in the path between the involved MPTCP endpoints. Item 4: Given that the network legs that are used are trusted, there is no need to authenticate the establishment of the additional subflows with a HMAC in the MP_JOIN. MP_JOIN options are still used, but they neither contain random numbers nor truncated HMACs. The MP_JOIN option in the SYN has a length of 8 bytes and contains the receiver's token. In the SYN+ACK and the third ACK, the MP_JOIN options have a length of 4 bytes. Justification: The network leg between the directly- connected host and a concentrator instance is trusted. There is thus no risk of attack on this part of the network. Item 5: If the concentrator's reachability information is explicitly configured on the MPTCP host, and the concentrator is aware of addresses assigned to the MPTCP host, then the ADD_ADDR Boucadair, et al. Expires January 4, 2016 [Page 6] Internet-Draft Transport Profiles July 2015 option SHOULD NOT be supported. In such case, the host MUST rely upon the provided configuration information to manage an MPTCP connection. Justification: A host that is configured with the addresses of a concentrator can use these addresses to establish one or multiple subflows for a given connection; each connection is then bound to an IP address of the concentrator that has been "assigned" to the host, as per the concentrator's reachability information (a name, an IP address, etc.) provided to the host. The locators of the concentrators are likely to be stable. A locator can be a name, IPv4/v6 addresses, etc. Item 6: If the MPTCP endpoint is explicitly configured so that it behaves in a network-assisted mode, subflows can be created to the remote MPTCP concentrator, using a locally configured set of addresses, without advertising the available set of addresses. Triggers to decide how many sub-flows are to be initiated or when to establish additional ones are application-specific. Justification: Multiple addresses are configured out of band (e.g., using DHCP [I-D.boucadair-mptcp-dhc], TR-69, etc.). The use of out-of-band configuration mechanism is justified in some deployments for engineering purpose (e.g., assign the concentrator to service a host based on criteria such as the load of the concentrator, geo-proximity, etc.). Item 7: If the concentrator has access to the information about address(es) assigned to a directly-connected host and their associated leases (e.g., because the concentrator is collocated with a DHCP relay or acquires such information by means of an out-of-band mechanism), the concentrator SHOULD undertake actions for a better quality of experience of MPTCP connections such as: add a new sub-flow even if the concentrator is not the initiator of the MPTCP connection, migrate flows to another alternate address if the remote address is not valid anymore or because its validity timeout will expire soon, etc. Justification: This approach is meant to anticipate retransmissions that may be induced by the invalidity of an IP address. Also, this allows to reduce the delay from waiting for a notification from a remote peer. The concentrator can also decide to add new subflows for better quality of experience based, for example, on local policies. Boucadair, et al. Expires January 4, 2016 [Page 7] Internet-Draft Transport Profiles July 2015 Item 8: Address management MAY not be specific to each active MPTCP connection, but MAY be on a per host basis. Justification: This is because all the MPTCP connections initiated by a host (resp. a concentrator) involve the same MPTCP endpoint (concentrator). How such address management is actually achieved is implementation-specific. Nevertheless, for illustration purposes, a dedicated session can be enabled between an MPTCP-enabled host and a concentrator for control purposes. This information exchanged in this dedicated connection will be used to adjust other (data) connections. Item 9: The maximum number of subflows for a given connection SHOULD be set by default to 4. Justification: For dimensioning purposes, an operator needs to control the number of flows to be handled by a concentrator. 4 corresponds to a dual-homed host that is assigned both an IPv4 address and an IPv6 prefix for each network attachment. An MPTCP endpoint that is dimensioned to maintain a maximum number of subflows per MPTCP connection may accept to maintain more subflows for some connections. 5. IANA Considerations This document makes no request of IANA. 6. Security Considerations The concentrator may have access to privacy-related information (e.g., IMSI, link identifier, subscriber credentials, etc.). The concentrator must not leak such sensitive information outside a local domain. Means to protect the MPTCP concentrator against Denial-of-Service (DoS) attacks must be enabled. Such means include the enforcement of ingress filtering policies at the boundaries of the network. In order to prevent exhausting the resources of the concentrator by creating an aggressive number of simultaneous subflows for each MPTCP connection, the administrator should limit the number of allowed subflows per host for a given connection. This profile recommends this value to be set to 4. Boucadair, et al. Expires January 4, 2016 [Page 8] Internet-Draft Transport Profiles July 2015 Attacks outside the domain can be prevented if ingress filtering is enforced. Nevertheless, attacks from within the network between a host and a concentrator instance are another yet actual threat. Means to ensure that illegitimate nodes cannot connect to a network should be implemented. Traffic theft can be achieved if an illegitimate concentrator is inserted in the path. Indeed, inserting an illegitimate concentrator in the forwarding path allows to intercept traffic and therefore have access to sensitive data issued by or destined to a host. To mitigate this threat, secure means to discover a concentrator (for non-transparent modes) should be enabled. This document relax checksum validations (Item (1), Section 4) and MP_JOIN authentication constraints (Item (4), Section 4) because the networks between two MPTCP endpoints is trusted. Furthermore, ingress filtering is enforced at these networks for source address validation. 7. Acknowledgements TBC. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 6824, January 2013. 8.2. Informative References [I-D.boucadair-mptcp-dhc] Boucadair, M., Jacquenet, C., and T. Reddy, "IP Flow Information Export (IPFIX) Entities", July 2015, . [I-D.deng-mptcp-proxy] Lingli, D., Liu, D., Sun, T., Boucadair, M., and G. Cauchie, "Use-cases and Requirements for MPTCP Proxy in ISP Networks", draft-deng-mptcp-proxy-01 (work in progress), October 2014. Boucadair, et al. Expires January 4, 2016 [Page 9] Internet-Draft Transport Profiles July 2015 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000. [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001. [RFC4908] Nagami, K., Uda, S., Ogashiwa, N., Esaki, H., Wakikawa, R., and H. Ohnishi, "Multi-homing for small scale fixed network Using Mobile IP and NEMO", RFC 4908, June 2007. [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, April 2011. [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix Translation", RFC 6296, June 2011. [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, August 2011. [RFC6888] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, April 2013. [RFC6967] Boucadair, M., Touch, J., Levis, P., and R. Penno, "Analysis of Potential Solutions for Revealing a Host Identifier (HOST_ID) in Shared Address Deployments", RFC 6967, June 2013. Authors' Addresses Mohamed Boucadair France Telecom Rennes 35000 France Email: mohamed.boucadair@orange.com Christian Jacquenet France Telecom Rennes France Email: christian.jacquenet@orange.com Boucadair, et al. Expires January 4, 2016 [Page 10] Internet-Draft Transport Profiles July 2015 Pierrick Seite France Telecom Rennes France Email: pierrick.seite@orange.com Olivier Bonaventure Tessares Email: Olivier.Bonaventure@tessares.net URI: http://www.tessares.net Lingli Deng China Mobile Email: denglingli@chinamobile.com Boucadair, et al. Expires January 4, 2016 [Page 11]