An MPTCP Option for
Network-Assisted MPTCPOrangeRennes35000Francemohamed.boucadair@orange.comOrangeRennesFrancechristian.jacquenet@orange.comTessaresBelgiumolivier.bonaventure@tessares.netOneAccessDenis.Behaghel@oneaccess-net.comUPMCstefano.secci@lip6.frNokia/Alcatel-LucentBelgiumwim.henderickx@alcatel-lucent.comEricssonrobert.skog@ericsson.comJuniper1137 Innovation WaySunnyvaleCA94089USASureshk@juniper.netKorea TelecomSeoulKoreash.seo@kt.comSoftAtHomeVaartdijk 3 7013018 WijgmaalBelgiumwouter.cloetens@softathome.comVodafoneGermanyullrich.meyer@vodafone.comTelefonicaSpainluismiguel.contrerasmurillo@telefonica.comProximusbart.peirens@proximus.comBecause of the lack of Multipath TCP (MPTCP) support at the server
side, some service providers now consider a network-assisted model that
relies upon the activation of a dedicated function called MPTCP
Conversion Point (MCP). Network-Assisted MPTCP deployment models are
designed to facilitate the adoption of MPTCP for the establishment of
multi-path communications without making any assumption about the
support of MPTCP by the communicating peers. MCPs located in the network
are responsible for establishing multi-path communications on behalf of
endpoints, thereby taking advantage of MPTCP capabilities to achieve
different goals that include (but are not limited to) optimization of
resource usage (e.g., bandwidth aggregation), of resiliency (e.g.,
primary/backup communication paths), and traffic offload management.This document specifies an MPTCP option that is used in the context
of Network-Assisted MPTCP: MP_CONVERT.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.The overall quality of connectivity services can be enhanced by
combining several access network links for various purposes - resource
optimization, better resiliency, etc. Some transport protocols, such as
Multipath TCP , can help achieve such
better quality, but failed to be massively deployed so far.The support of multipath transport capabilities by communicating
hosts remains a privileged target design so that such hosts can directly
use the available resources provided by a variety of access networks
they can connect to. Nevertheless, network operators do not control end
hosts while the support of MPTCP by content servers remains close to
zero.Network-Assisted MPTCP deployment models are designed to facilitate
the adoption of MPTCP for the establishment of multi-path communications
without making any assumption about the support of MPTCP capabilities by
communicating peers. Network-Assisted MPTCP deployment models rely upon
MPTCP Conversion Points (MCPs) that act on behalf of hosts so that they
can take advantage of establishing communications over multiple paths.
MCPs can be deployed in CPEs (Customer Premises Equipment), as well as
in the provider's network. MCPs are responsible for establishing
multi-path communications on behalf of endpoints. Further details about
the target use cases are provided in .Most of the current operational deployments that take advantage of
multi-interfaced devices rely upon the use of an encapsulation scheme
(such as , ). The use of encapsulation is motivated by the
need to steer traffic towards the concentrator and also to allow the
distribution of any kind of traffic besides TCP (e.g., UDP) among the
available paths without requiring any advanced traffic engineering
tweaking technique in the network to intercept traffic and redirect it
towards the appropriate MCP.Current operational MPTCP deployments by network operators are
focused on the forwarding of TCP traffic. The design of such deployments
sometimes assumes the use of extra signalling provided by SOCKS , at the cost of additional management
complexity and possible service degradation (e.g., up to 8 SOCKS
messages may have to be exchanged between two MCPs before an MPTCP
connection is established, thereby yielding several tens of milliseconds
of extra delay before the connection is established) .To avoid the burden of encapsulation and additional signalling
between MCPs, this document explains how a plain transport mode is
enabled, so that packets are exchanged between a device and its upstream
MCP without requiring the activation of any encapsulation scheme (e.g.,
IP-in-IP , GRE ). This plain transport mode also avoids the
need for out-of-band signalling, unlike the aforementioned SOCKS
context.The solution described in this document also works properly when NATs
are present in the communication path between a device and its upstream
MCP. In particular, the solution in this document accommodates
deployments that involve CGN (Carrier Grade NAT) upstream the MCP.Network-Assisted MPTCP deployment and operational considerations are
discussed in .The plain transport mode is characterized as follows:No encapsulation required (no tunnels, whatsoever).No out-of-band signaling for each MPTCP subflow is required.Carries any protocol for the benefit of massive MPTCP
adoption.Avoids interference with native MPTCP connections.Targets both on-path and off-path MCPs.Accommodates various deployment contexts, such as those that
require the preservation of the source IP address and others
characterized by an address sharing design.The reader should be familiar with the terminology defined in .This document makes use of the following terms:Client: an endhost that initiates transport flows forwarded along
a single path. Such endhost is not assumed to support multipath
transport capabilities.Server: an endhost that communicates with a client. Such endhost
is not assumed to support multipath transport capabilities.Multipath Client: a Client that supports multipath transport
capabilities.Multipath Server: a Server that supports multipath transport
capabilities. Both the client and the server can be single-homed or
multi-homed. However, for the use cases discussed in this document,
the number of interfaces available at the endhosts is not
relevant.Transport flow: a sequence of packets that belong to a
unidirectional transport flow and which share at least one common
characteristic (e.g., the same destination address). TCP and SCTP
flows are composed of packets that have the same source and
destination addresses, the same protocol number and the same source
and destination ports.Multipath Conversion Point (MCP): a function that terminates a
transport flow and relays all data carried in the flow into another
transport flow. MCP is a function that
converts a multipath transport flow and relays it over a single path
transport flow and vice versa.We consider two important use cases in this document. We briefly
introduce them in this section and leave the details to and . The first use case
is a Multipath Client that interacts with a remote Server through a MCP
(). The second use case is a multi-homed CPE
that includes a MCP and interacts with a remote Server through a
downstream MCP ().In this use case, the Multipath Client would like to take advantage
of MPTCP even if the Server does not support MPTCP. A typical example
is a smartphone that could use both WLAN and LTE access networks to
reach a Server in order to achieve higher bandwidth or better
resilience.In reference to , the MCP
terminates the MPTCP connection established by the Client and binds it
to a TCP connection towards the remote Server. Two deployments of this
use case are possible.A first deployment is when the MCP is on the path between the
Multipath Client and the Server. In this case, the MCP can terminate
the MPTCP connection initiated by the Client and binds it to a TCP
connection that the MCP establishes with the Server. Because the MCP
is not located on all default forwarding paths, the MPTCP connection
must be initiated by using the path where the MCP is located.A second deployment is when the MCP is not on the path between the
Multipath Client and the Server. In this case, the Client must first
initiate a connection towards the MCP and request it to initiate a TCP
connection towards the Server. This is what the SOCKS protocol
performs by exchanging control messages to create appropriate mappings
to handle the connection. Unfortunately, this requires additional
round-trip-time that affects the performance of the end-to-end data
transfer, in particular for short-lived connections. This document
proposes the MP_CONVERT option which is carried in the SYN segment of
the initial subflow. This SYN segment is sent towards the MCP. The
MP_CONVERT option contains the destination address (and optionally a
port number) of the Server. Thanks to this information, the MCP can
immediately establish the TCP connection with the Server without any
additional round-trip-time, unlike a SOCKS-based design.In this use case, neither the Client nor the Server support MPTCP.
Two MCPs are used as illustrated in . The
upstream MCP is embedded in the CPE while the downstream MCP is
located in the provider's network. The CPE is attached to multiple
access networks (e.g., xDSL and LTE). The upstream MCP transparently
terminates the TCP connections initiated by the Client and converts
them into MPTCP connections.The same considerations detailed in
apply for the insertion of the downstream MCP in an MPTCP
connection.The MP_CONVERT (MC) option carries the source/destination IP
addresses and/or port numbers of the origin source and destination
nodes. It is also used to indicate whether the data carried in the
packet is relayed from a native TCP connection or refers to the use of
another transport protocol.The format of the option is shown in .The description of the fields is as follows:Kind and Length: are the same as those defined in Section 3 of
. The minimum size of this option is 4
bytes.Subtype: to be defined by IANA ().
Implementations may use the "0xe" subtype encoding for early
deployment purposes in managed networks.D-bit (Direction bit): this flag indicates whether the enclosed
IP address (and port number) reflects the source or the destination
IP address (and port number). When the D-bit is set, the enclosed IP
address must be interpreted as the source IP address. When the D-bit
is unset, the enclosed IP address must be interpreted as the
destination IP address."Flags" bits: are reserved bits for future assignment as
additional flag bits. These additional flag bits MUST each be set to
zero and MUST be ignored upon receipt.Protocol: conveys the protocol number as assigned by IANA .Address: includes a source or destination IP address. The address
family is determined by the "Length" field. Concretely, a MP_CONVERT
option that carries an IPv4 address has a Length field of 8 bytes
(or 10, if a port number is included). A MP_CONVERT option that
carries an IPv6 address has a Length of 20 bytes (or 22, if a port
number is included). This field is optional.Port: If the D-bit is set (resp. unset), a source (resp.
destination) port number may be associated with the IP address. This
field is valid for protocols that use a 16 bit port number (e.g.,
UDP, TCP, SCTP). This field is optional.The MP_CONVERT option is a variable length MPTCP option that MUST NOT
be used in TCP segments whose SYN flag is reset. This option can only
appear in the SYN used to create the initial subflow of a Multipath TCP
connection (see the example in ). Up to two MP_CONVERT options can appear inside a SYN segment. If two
MP_CONVERT options are included, these options MUST NOT have the same
D-bit value.The MP_CONVERT option MUST be included in the SYN payload.
NOTE 1: Given the length of the MP_CONVERT option, especially
when IPv6 addresses are used, and the set of TCP options that are
likely to be included in a SYN message, it will not always be
possible to place the MP_CONVERT option inside the dedicated TCP
option space.NOTE 2: Including data in a SYN payload is allowed as per Section
3.4 of .NOTE 3: Stateless approaches that rely on inserting the
MP_CONVERT option in all packets are out of scope.DISCUSSION NOTE: ADD DETAILS ABOUT THE NEED FOR AN EXPLICIT
SIGNAL THAT MPTCP OPTIONS ARE INCLUDED IN THE SYN PAYLOAD?If the MP_CONVERT option appears in either a SYN segment that does
not include the MP_CAPABLE option or a segment whose SYN flag is reset,
it MUST be ignored. An implementation MAY log this event since it likely
indicates an operational issue.If the original SYN message contains data in its payload (e.g., ), that data MUST be placed right after the
MP_CONVERT and "End of Options List" (EOL) options when generating the
SYN in the MPTCP leg. The EOL option serves as a marker to delineate the
end of the TCP options and the beginning of the data included in the
original SYN .An implementation MUST ignore MP_CONVERT options that include
multicast, broadcast, and host loopback addresses . Concretely, an implementation that receives an
MP_CONVERT option with such addresses MUST silently tear down the MPTCP
connection.When an MCP creates an MPTCP connection triggered by an incoming
packet, it MUST copy in the 'Protocol' field of the MP_CONVERT option
the value of the 'Protocol' field (resp. type of the transport header)
of the IPv4 (resp. IPv6) header of this incoming packet. The MCP may be
configured to enable traffic aggregation for some transport protocols
because of the nature of the service they relate to. By default, the
'Protocol' field MUST be set to 6 (TCP).The simplest usage of the MP_CONVERT option is when a Multipath TCP
Client wants to use MPTCP to efficiently utilise different network
paths (e.g., WLAN and LTE from a smartphone) to reach a server that
does not support Multipath TCP. The basic operation is illustrated in
.To use its multipath capabilities to establish an MPTCP connection
over the available networks, the Client splits its end-to-end
connection towards the TCP Server into two:An MPTCP connection, that typically relies upon the
establishment of one subflow per network path, is established
between the client and the MCP.A TCP connection that is established by the MCP with the
server.Any data that is eligible to be transported over the MPTCP
connection is sent by the Client towards the MCP over the MPTCP
connection. The MCP then forwards these data over the regular TCP
connection until they reach the server. The same forwarding principle
applies for the data sent by the Server over the TCP connection with
the MCP.We assume in this section that the Multipath TCP Client has been
configured with the IP address of one or more MCPs which convert the
Multipath TCP connection into a regular TCP connection. The address of
such MCPs can be statically configured on the Client, dynamically
provisioned to the MPTCP Client by means of a DHCP option or by any other means that
are outside the scope of this document.Conceptually, the MCP acts as a relay between an upstream MPTCP
connection and a downstream TCP connection. The MCP has at least a
single IP address that is reachable from the Multipath TCP Client. It
may be assigned other IP addresses. For the sake of simplicity, we
assume in this section that the MCP has a single IP address denoted
MCP@. Similarly, we assume that the client has two addresses C@1 and
C@2 while address S@ is assigned to the server.The MCP maps an upstream MPTCP connection (and its associated
subflows) onto a downstream TCP connection. On the MCP, an established
Multipath TCP connection can be identified by the local Token that was
assigned upon reception of the SYN segment.This Token is guaranteed to be unique on the MCP (provided that it
has a single IP address) during the entire lifetime of the MPTCP
connection. The 4-tuple (IP src, IP dst, Port src, Port dst) is used
to identify the downstream TCP connection.To initiate a connection to a remote server S, the Multipath TCP
Client sends a SYN segment towards the MCP that includes the
MP_CONVERT option described in . The
destination address of the SYN segment is the IP address of the MCP.
The MP_CONVERT option included in the SYN contains the IP address and
optionally the destination port of the Server (see ).The MCP processes this SYN segment as follows. First, it generates
the local key and a unique Token for the Multipath TCP connection.
This Token identifies the MPTCP connection. It is passed to the MCP
together with the contents of the MP_CONVERT option (i.e., the address
of the destination server) and the destination port.The MCP then establishes a TCP connection with the destination
server. If the received MP_CONVERT option contains a port number, it
is used as the destination port of the outgoing TCP connection that is
being established by the MCP. Otherwise, the destination port of the
upstream MPTCP connection is used as the destination port of the
downstream TCP connection. The MCP creates a flow entry for the
downstream TCP connection and maps the upstream MPTCP connection onto
the downstream TCP connection.The downstream TCP connection is considered to be active upon
reception of the SYN+ACK segment sent by the destination server. The
reception of this segment triggers the MCP that confirms the
establishment of the upstream MPTCP connection by sending a SYN+ACK
segment towards the Multipath TCP Client.At this point, there are two established connections. The endpoints
of the upstream Multipath TCP connection are the Multipath TCP Client
and the MCP. The endpoints of the downstream TCP connection are the
MCP and the Server. These two connections are bound by the MCP.All the techniques defined in can be
used by the upstream Multipath TCP connection. In particular, the
subflows established over the different network paths can be
controlled by either the Multipath TCP Client or the MCP. It is likely
that the network operators that deploy MCPs will define policies for
the utilisation of the MCP. These policies are discussed in .Any data received by the MCP on the upstream Multipath TCP
connection will be forwarded by the MCP over the bound downstream TCP
connection. The same applies for data received over the downstream TCP
connection which will be forwarded by the MCP over the upstream
Multipath TCP connection.One of the functions of the MCP is to maintain the binding between
the upstream Multipath TCP connection and the downstream TCP
connection. If the downstream TCP connection fails for some reason
(excessive retransmissions, reception of a RST segment, etc.), then
the MCP SHOULD force the teardown of the upstream Multipath TCP
connection by transmitting a FASTCLOSE. Similarly, if the upstream
Multipath TCP connection fails for some reason (e.g., reception of a
FASTCLOSE), the MCP SHOULD tear the downstream TCP connection down and
remove the flow entries.The same reasoning applies when the upstream Multipath TCP
connection ends with the transmission of DATA_FINs. In this case, the
MCP SHOULD also terminate the bound downstream TCP connection by using
FIN segments. If the downstream TCP connection terminates with the
exchange of FIN segments, the MCP SHOULD initiate a graceful
termination of the bound upstream Multipath TCP connection.An MCP SHOULD associate a lifetime with the Multipath TCP and TCP
flow entries. In this case, it SHOULD use the same lifetime for each
pair of bounded connections.There are situations where neither the client nor the server can
use multipath transport protocols albeit network providers would want
to optimize network resource usage by means of multi-path
communication techniques. Hybrid access service offerings are typical
business incentives for such situations, where network operators
combine a fixed network (e.g., xDSL) with a wireless network (e.g.,
LTE). In this case, as illustrated in , two
MCPs are used for each flow. The first MCP, located downstream of the
client, converts the single path TCP connection originated from the
client into a Multipath TCP connection established with a second MCP.
The latter will then establish a TCP connection with the destination
server.The downstream MCP can be deployed on-path or off-path. If the
downstream MCP is deployed off-path, its behavior is described in
.If the downstream MCP is deployed on-path, it only terminates
MPTCP connections that carry an empty MP_CONVERT option inside their
SYN (i.e., no address is conveyed). If the MCP receives a SYN
segment that contains the MP_CAPABLE option but no MP_CONVERT
option, it MUST forward the SYN to its final destination without any
modification.The upstream and downstream MCPs cooperate. The upstream MCP may
be configured with the addresses of downstream MCPs. If the
downstream MCP is deployed on-path, the upstream MCP inserts an
MP_CONVERT option that carries no IP address.In this section, we assume that the upstream MCP has been
configured with one address of the downstream MCP. This address can
be configured statically, dynamically distributed by means of a DHCP
option or by any
other means that are outside the scope of this document.We assume that the upstream MCP has two addresses uMCP@1 and
uMCP@2 while the downstream MCP is assigned a single IP address
dMCP@.The upstream MCP maps an upstream TCP connection onto a
downstream MPTCP connection (and its associated subflows) . On the
upstream MCP, an established MPTCP connection can be identified by
the local Token that was assigned upon reception of the SYN segment
from the Client.To initiate a connection with a remote server S, the Client sends
a SYN segment that is intercepted by the upstream MCP which in turns
initiates an MPTCP connection towards its downstream MCP that
includes the MP_CONVERT option described in . The destination address of the SYN segment is
the IP address of the downstream MCP. The MP_CONVERT option included
in the SYN contains the IP address and optionally the destination
port of the Server; this information is extracted from the SYN
message received over the upstream TCP connection.Concretely, the upstream MCP processes the SYN segment received
from the Client as follows.First, it generates the local key and a unique Token for the
Multipath TCP connection to identify the MPTCP connection. It
extracts the destination IP address and, optionally, the destination
port that will then be carried in a MP_CONVERT option. The upstream
MCP establishes an MPTCP connection with the downstream MCP. The
upstream MCP creates a flow entry for the downstream MPTCP
connection and maps the upstream TCP connection onto the downstream
MPTCP connection.The downstream MPTCP connection is considered to be active upon
reception of the SYN+ACK segment from the downstream MCP. The
reception of this segment triggers the upstream MCP that confirms
the establishment of the upstream TCP connection by sending a
SYN+ACK segment towards the TCP Client.At this point, there are two established connections maintained
by the upstream MCP:The endpoints of the upstream TCP connection are the Client
and the upstream MCP.The endpoints of the downstream MPTCP connection are the
upstream MCP and the downstream MCP.These two connections are bound by the upstream MCP. An example
is shown in .All the techniques defined in can be used by the MPTCP connection. In
particular, the utilisation of the different network paths can be
controlled by one MCP or the other.Any data received by the upstream MCP over the upstream TCP
connection will be forwarded by the MCP over the bound downstream
MPTCP connection, assuming such data are eligible to MPTCP
transport. The same applies for data received over the downstream
MPTCP connection which will be forwarded by the upstream MCP over
the upstream TCP connection.The same considerations as in
apply for the maintenance of the connections by the upstream
MCP. assumes that the Clients that use the
upstream MCP do not support MPTCP. If a Multipath Client is attached to
the upstream MCP, it should be possible for this client to establish an
MPTCP connection with a Multipath Server without using the MCPs.Because MPTCP connections are not destined explicitly to an MCP, an
on-path MCP instance will need extra means to distinguish "native" MPTCP
connections from "proxied" ones. The subsequent risk is that native
MPTCP communications will be reverted to TCP connections as shown in
. In this example, we suppose that C2 and S2
are MPTCP-compatible, but C1 and S1 are not.To mitigate this, the upstream MCP may be instructed to insert a
MP_CONVERT option only for the MPTCP connections it establishes. The
absence of MP_CONVERT option instances is an explicit indication that
this MPTCP connection is a native one. As such, an on-path MCP will not
revert this connection into a TCP connection, but will forward packets
without any modification to the next hop. illustrates the results of such
procedure: native MPTCP connections are established between
MPTCP-compliant client and server, while Networok-Assisted MPTCP
connections are established with the help of MCPs.Concretely, if the upstream MCP receives a SYN that includes the
MP_CAPABLE option, it MAY decide to forward it towards its final
destination without modifying it. When the downstream MCP receives a SYN
that does not include an MP_CONVERT option, it forwards it towards its
final destination.This document requests an MPTCP subtype code for this option:MP_CONVERT optionNOTE: Implementations
may use "0xe" subtype encoding for early deployment purposes in
managed networks.MPTCP-related security threats are discussed in and . Additional
considerations are discussed in the following sub-sections.The MCP may have access to privacy-related information (e.g., IMSI,
link identifier, subscriber credentials, etc.). The MCP MUST NOT leak
such sensitive information outside a local domain.Means to protect the MCP against Denial-of-Service (DoS) attacks
MUST be enabled. Such means include the enforcement of ingress
filtering policies at the network boundaries .In order to prevent the exhaustion of MCP resources by establishing
a great number of simultaneous subflows for each MPTCP connection, the
MCP administrator SHOULD limit the number of allowed subflows per CPE
for a given connection. Means to protect against SYN flooding attacks
MUST also be enabled ().Attacks that originate outside of the domain can be prevented if
ingress filtering policies are enforced. Nevertheless, attacks from
within the network between a host and an MCP instance are yet another
actual threat. Means to ensure that illegitimate nodes cannot connect
to a network should be implemented.Traffic theft is a risk if an illegitimate MCP is inserted in the
path. Indeed, inserting an illegitimate MCP in the forwarding path
allows traffic intercept and can therefore provide access to sensitive
data issued by or destined to a host. To mitigate this threat, secure
means to discover an MCP should be enabled.Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi
Nishida, and Christoph Paasch for their valuable comments.Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and
Sri Gundavelli for the fruitful discussions in IETF#95 (Buenos
Aires).Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and
Xavier Grall for their inputs.Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas
Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves
Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun
Srinivasan, and Raghavendra Mallya for the discussion.Protocol Numbershttp://www.iana.org/assignments/protocol-numbersHybrid Access Broadband Network ArchitectureBBF