idnits 2.17.1 draft-ietf-tcpm-converters-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([This-RFC]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 07, 2019) is 1899 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'This-RFC' is mentioned on line 1407, but not defined ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Obsolete normative reference: RFC 6824 (Obsoleted by RFC 8684) == Outdated reference: A later version (-02) exists of draft-boucadair-radext-tcpm-converter-01 == Outdated reference: A later version (-03) exists of draft-boucadair-tcpm-dhc-converter-01 == Outdated reference: A later version (-11) exists of draft-olteanu-intarea-socks-6-05 -- Obsolete informational reference (is this intentional?): RFC 1323 (Obsoleted by RFC 7323) Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TCPM Working Group O. Bonaventure, Ed. 3 Internet-Draft Tessares 4 Intended status: Experimental M. Boucadair, Ed. 5 Expires: August 11, 2019 Orange 6 S. Gundavelli 7 Cisco 8 S. Seo 9 Korea Telecom 10 B. Hesmans 11 Tessares 12 February 07, 2019 14 0-RTT TCP Convert Protocol 15 draft-ietf-tcpm-converters-05 17 Abstract 19 This document specifies an application proxy, called Transport 20 Converter, to assist the deployment of TCP extensions such as 21 Multipath TCP. This proxy is designed to avoid inducing extra delay 22 when involved in a network-assisted connection (that is, 0-RTT). 24 This specification assumes an explicit model, where the proxy is 25 explicitly configured on hosts. 27 -- Editorial Note (To be removed by RFC Editor) 29 Please update these statements with the RFC number to be assigned to 30 this document: [This-RFC] 32 Please update TBA statements with the port number to be assigned to 33 the 0-RTT TCP Convert Protocol. 35 Status of This Memo 37 This Internet-Draft is submitted in full conformance with the 38 provisions of BCP 78 and BCP 79. 40 Internet-Drafts are working documents of the Internet Engineering 41 Task Force (IETF). Note that other groups may also distribute 42 working documents as Internet-Drafts. The list of current Internet- 43 Drafts is at https://datatracker.ietf.org/drafts/current/. 45 Internet-Drafts are draft documents valid for a maximum of six months 46 and may be updated, replaced, or obsoleted by other documents at any 47 time. It is inappropriate to use Internet-Drafts as reference 48 material or to cite them other than as "work in progress." 49 This Internet-Draft will expire on August 11, 2019. 51 Copyright Notice 53 Copyright (c) 2019 IETF Trust and the persons identified as the 54 document authors. All rights reserved. 56 This document is subject to BCP 78 and the IETF Trust's Legal 57 Provisions Relating to IETF Documents 58 (https://trustee.ietf.org/license-info) in effect on the date of 59 publication of this document. Please review these documents 60 carefully, as they describe your rights and restrictions with respect 61 to this document. Code Components extracted from this document must 62 include Simplified BSD License text as described in Section 4.e of 63 the Trust Legal Provisions and are provided without warranty as 64 described in the Simplified BSD License. 66 Table of Contents 68 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 69 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 5 70 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 6 71 3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 6 72 3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 8 73 3.3. Sample Examples of Outgoing Converter-Assisted Multipath 74 TCP Connections . . . . . . . . . . . . . . . . . . . . . 11 75 3.4. Sample Example of Incoming Converter-Assisted Multipath 76 TCP Connection . . . . . . . . . . . . . . . . . . . . . 12 77 4. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 13 78 4.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 14 79 4.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 14 80 4.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 14 81 4.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 15 82 4.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 16 83 4.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 16 84 4.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 17 85 4.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 19 86 4.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 19 87 4.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 20 88 5. Compatibility of Specific TCP Options with the Conversion 89 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 90 5.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 23 91 5.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 24 92 5.3. Selective Acknowledgements . . . . . . . . . . . . . . . 24 93 5.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 25 94 5.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 25 95 5.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 25 96 5.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 26 97 5.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 26 98 5.9. TCP Experimental Options . . . . . . . . . . . . . . . . 26 99 6. Interactions with Middleboxes . . . . . . . . . . . . . . . . 26 100 7. Security Considerations . . . . . . . . . . . . . . . . . . . 27 101 7.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 27 102 7.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 28 103 7.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 28 104 7.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 28 105 7.5. Multipath TCP-specific Considerations . . . . . . . . . . 29 106 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 107 8.1. Convert Service Port Number . . . . . . . . . . . . . . . 29 108 8.2. The Convert Protocol (Convert) Parameters . . . . . . . . 30 109 8.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 30 110 8.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 30 111 8.2.3. Convert Error Messages . . . . . . . . . . . . . . . 31 112 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32 113 9.1. Contributors . . . . . . . . . . . . . . . . . . . . . . 33 114 10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 34 115 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 116 11.1. Normative References . . . . . . . . . . . . . . . . . . 34 117 11.2. Informative References . . . . . . . . . . . . . . . . . 35 118 Appendix A. Differences with SOCKSv5 . . . . . . . . . . . . . . 39 119 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41 121 1. Introduction 123 Transport protocols like TCP evolve regularly [RFC7414]. TCP has 124 been improved in different ways. Some improvements such as changing 125 the initial window size [RFC6928] or modifying the congestion control 126 scheme can be applied independently on clients and servers. Other 127 improvements such as Selective Acknowledgements [RFC2018] or large 128 windows [RFC7323] require a new TCP option or to change the semantics 129 of some fields in the TCP header. These modifications must be 130 deployed on both clients and servers to be actually used on the 131 Internet. Experience with the latter TCP extensions reveals that 132 their deployment can require many years. Fukuda reports in 133 [Fukuda2011] results of a decade of measurements showing the 134 deployment of Selective Acknowledgements, Window Scale and TCP 135 Timestamps. [ANRW17] describes measurements showing that TCP Fast 136 Open (TFO) [RFC7413] is still not widely deployed. 138 There are some situations where the transport stack used on clients 139 (resp. servers) can be upgraded at a faster pace than the transport 140 stack running on servers (resp. clients). In those situations, 141 clients would typically want to benefit from the features of an 142 improved transport protocol even if the servers have not yet been 143 upgraded and conversely. Performance Enhancing Proxies [RFC3135], 144 and other service functions have been deployed as solutions to 145 improve TCP performance over links with specific characteristics. 147 Recent examples of TCP extensions include Multipath TCP [RFC6824] or 148 TCPINC [I-D.ietf-tcpinc-tcpcrypt]. Those extensions provide features 149 that are interesting for clients such as wireless devices. With 150 Multipath TCP, those devices could seamlessly use WLAN (Wireless 151 Local Area Network) and cellular networks, for bonding purposes, 152 faster handovers, or better resiliency. Unfortunately, deploying 153 those extensions on both a wide range of clients and servers remains 154 difficult. 156 More recently, experimentation of 5G bonding, which has very scarce 157 coverage, has been conducted into global range of the incumbent 4G 158 (LTE) connectivity in newly devised clients using Multipath TCP 159 proxy. Even if the 5G and the 4G bonding by using Multipath TCP 160 increases the bandwidth, it is as well crucial to minimize latency 161 for all the way between endhosts regardless of whether intermediate 162 nodes are inside or outside of the mobile core. In order to handle 163 uRLLC (Ultra-Reliable Low-Latency Communication) for the next 164 generation mobile network, Multipath TCP and its proxy mechanism such 165 as the one used to provide Access tTaffic Steering, Switching, and 166 Splitting (ATSSS) must be optimised to reduce latency. 168 This document specifies an application proxy, called Transport 169 Converter. A Transport Converter is a function that is installed by 170 a network operator to aid the deployment of TCP extensions and to 171 provide the benefits of such extensions to clients. A Transport 172 Converter may provide conversion service for one or more TCP 173 extensions. Which TCP extensions are eligible to the conversion 174 service is deployment-specific. The conversion service is provided 175 by means of the 0-RTT TCP Convert Protocol (Convert), that is an 176 application-layer protocol which uses TCP port number TBA 177 (Section 8). 179 The Transport Converter adheres to the main principles drawn in 180 [RFC1919]. In particular, a Transport Converter achieves the 181 following: 183 o Listen for client sessions; 185 o Receive from a client the address of the final target server; 187 o Setup a session to the final server; 189 o Relay control messages and data between the client and the server; 191 o Perform access controls according to local policies. 193 The main advantage of network-assisted conversion services is that 194 they enable new TCP extensions to be used on a subset of the path 195 between endpoints, which encourages the deployment of these 196 extensions. Furthermore, the Transport Converter allows the client 197 and the server to directly negotiate TCP options for the sake of 198 native support along the full path. 200 The Convert Protocol is a generic mechanism to provide 0-RTT 201 conversion service. As a sample applicability use case, this 202 document specifies how the Convert Protocol applies for Multipath 203 TCP. It is out of scope of this document to provide a comprehensive 204 list of all potential conversion services. Applicability document 205 may defined in the future. 207 This document does not assume that all the traffic is eligible to the 208 network-assisted conversion service. Only a subset of the traffic 209 will be forwarded to a Transport Converter according to a set of 210 policies. These policies, and how they are communicated to 211 endpoints, are out of scope. Furthermore, it is possible to bypass 212 the Transport Converter to connect directly to the servers that 213 already support the required TCP extension(s). 215 This document assumes that a client is configured with one or a list 216 of Transport Converters (statically or through protocols such as 217 [I-D.boucadair-tcpm-dhc-converter]). Configuration means are outside 218 the scope of this document. 220 This document is organized as follows. We first provide a brief 221 explanation of the operation of Transport Converters in Section 3. 222 We describe the Convert Protocol in Section 4. We discuss in 223 Section 5 how Transport Converters can be used to support different 224 TCP extensions. We then discuss the interactions with middleboxes 225 (Section 6) and the security considerations (Section 7). 227 Appendix A provides a comparison with SOCKS proxies that are already 228 used to deploy Multipath TCP in some cellular networks (Section 2.2 229 of [RFC8041]). 231 2. Requirements 233 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 234 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 235 "OPTIONAL" in this document are to be interpreted as described in 236 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, 237 as shown here. 239 3. Architecture 241 3.1. Functional Elements 243 The Convert Protocol considers three types of endhosts: 245 o Clients; 247 o Transport Converters; 249 o Servers. 251 A Transport Converter is a network function that relays all data 252 exchanged over one upstream connection to one downstream connection 253 and vice versa (Figure 1). The Transport Converter, thus, maintains 254 state that associates one upstream connection to a corresponding 255 downstream connection. 257 A connection can be initiated from both sides of the Transport 258 Converter (Internet-facing interface, client-facing interface). 260 +------------+ 261 client <- upstream ->| Transport |<- downstream ->server 262 | Converter | 263 +------------+ 265 Figure 1: A Transport Converter relays data between pairs of TCP 266 connections 268 Transport Converters can be operated by network operators or third 269 parties. Nevertheless, this document focuses on the single 270 administrative deployment case where the entity offering the 271 connectivity service to a client is also the entity which owns and 272 operates the Transport Converter. 274 A Transport Converter can be embedded in a standalone device or be 275 activated as a service on a router. How such function is enabled is 276 deployment-specific. A sample deployment is depicted in Figure 2. 278 +-+ +-+ +-+ 279 Client - |R| -- |R| -- |R| - - - Server 280 +-+ +-+ +-+ 281 | 282 +-+ 283 |R| 284 +-+ 285 | 286 +---------+ 287 |Transport| 288 |Converter| 289 +---------+ 291 Figure 2: A Transport Converter can be installed anywhere in the 292 network 294 The architecture assumes that new software will be installed on the 295 Client hosts to interact with one or more Transport Converters. 296 Further, the architecture allows for making use of TCP new extensions 297 even if those are not supported by a given server. 299 The Client is configured, through means that are outside the scope of 300 this document, with the names and/or the addresses of one or more 301 Transport Converters and the TCP extensions that they support. The 302 procedure for selecting a Transport Converter among a list of 303 configured Transport Converters is outside the scope of this 304 document. 306 One of the benefits of this design is that different transport 307 protocol extensions can be used on the upstream and the downstream 308 connections. This encourages the deployment of new TCP extensions 309 until they are widely supported by servers, in particular. 311 The architecture does not mandate anything on the server side. 313 Similar to address sharing mechanisms, the architecture does not 314 interfere with end-to-end TLS connections [RFC8446] between the 315 Client and the Server (Figure 3). 317 Client Transport Server 318 | Converter | 319 | | | 320 /==========================================\ 321 | End-to-end TLS | 322 \==========================================/ 324 * TLS messages exhanged between the Client 325 and the Server are not shown. 327 Figure 3: End-to-end TLS via a Transport Converter 329 3.2. Theory of Operation 331 At a high level, the objective of the Transport Converter is to allow 332 the Client to use a specific extension, e.g., Multipath TCP, on a 333 subset of the path even if the Server does not support this 334 extension. This is illustrated in Figure 4 where the Client 335 initiates a Multipath TCP connection with the Transport Converter 336 (packets belonging to the Multipath TCP connection are shown with 337 "===") while the Transport Converter uses a regular TCP connection 338 with the Server. 340 Transport 341 Client Converter Server 342 ======================> 344 --------------------> 346 <-------------------- 348 <====================== 349 Multipath TCP packets Regular TCP packets 351 Figure 4: An example of network-assisted MPTCP Connection 353 The packets belonging to the pair of connections between the Client 354 and Server passing through a Transport Converter may follow a 355 different path than the packets directly exchanged between the Client 356 and the Server. Deployments should minimize the possible additional 357 delay by carefully selecting the location of the Transport Converter 358 used to reach a given destination. 360 When establishing a connection, the Client can, depending on local 361 policies, either contact the Server directly (e.g., by sending a TCP 362 SYN towards the Server) or create the connection via a Transport 363 Converter. In the latter case, the Client initiates a connection 364 towards the Transport Converter and indicates the IP address and port 365 number of the Server within the connection establishment packet. 366 Doing so enables the Transport Converter to immediately initiate a 367 connection towards that Server, without experiencing an extra delay. 368 The Transport Converter waits until the receipt of the confirmation 369 that the Server agrees to establish the connection before confirming 370 it to the Client. 372 The client places the destination address and port number of the 373 Server in the payload of the SYN sent to the Transport Converter to 374 minimize connection establishment delays. In accordance with 375 [RFC1919], the Transport Converter maintains two connections that are 376 combined together: 378 o the upstream connection is the one between the Client and the 379 Transport Converter. 381 o the downstream connection is between the Transport Converter and 382 the Server. 384 Any user data received by the Transport Converter over the upstream 385 (resp., downstream) connection is relayed over the downstream (resp., 386 upstream) connection. 388 Figure 5 illustrates the establishment of an outbound TCP connection 389 by a Client through a Transport Converter. The information shown 390 between brackets denotes Convert Protocol messages described in 391 Section 4. 393 Transport 394 Client Converter Server 395 --------------------> 396 SYN [->Server:port] 398 --------------------> 399 SYN 401 <-------------------- 402 SYN+ACK 403 <-------------------- 404 SYN+ACK [ ] 406 Figure 5: Establishment of a TCP connection through a Transport 407 Converter (1) 409 The Client sends a SYN destined to the Transport Converter. The 410 payload of this SYN contains the address and port number of the 411 Server. The Transport Converter does not reply immediately to this 412 SYN. It first tries to create a TCP connection towards the target 413 Server. If this upstream connection succeeds, the Transport 414 Converter confirms the establishment of the connection to the Client 415 by returning a SYN+ACK and the first bytes of the bytestream contain 416 information about the TCP options that were negotiated with the 417 Server. This information is sent at the beginning of the bytestream, 418 either directly in the SYN+ACK or in a subsequent packet. For 419 graphical reasons, the figures in this section show that the 420 Transport Converter returns this information in the SYN+ACK packet. 421 An implementation could also place this information in a packet that 422 it sent shortly after the SYN+ACK. 424 The connection can also be established from the Internet towards a 425 Client via a Transport Converter. This is typically the case when an 426 application on the Client listens to a specific port (the Client 427 hosts a server, typically). 429 A Transport Converter MAY operate in address preservation or address 430 sharing modes as discussed in Section 5.4 of 431 [I-D.nam-mptcp-deployment-considerations]. Which behavior to use by 432 a Transport Converter is deployment-specific. If address sharing 433 mode is enabled, the Transport Converter MUST adhere to REQ-2 of 434 [RFC6888] which implies a default "IP address pooling" behavior of 435 "Paired" (as defined in Section 4.1 of [RFC4787]) must be supported. 436 This behavior is meant to avoid breaking applications that depend on 437 the external address remaining constant. 439 Standard TCP ([RFC0793], Section 3.4) allows a SYN packet to carry 440 data inside its payload but forbids the receiver from delivering it 441 to the application until completion of the three-way-handshake. This 442 restriction was motivated by two concerns. First, duplicate SYNs can 443 cause problems for some applications that rely on TCP [RFC7413]. 444 Second, TCP suffers from SYN flooding attacks [RFC4987]. TCP Fast 445 Open [RFC7413] solves these two problems for applications that can 446 tolerate replays by using the TCP Fast Open option that includes a 447 cookie. However, the utilization of this option consumes space in 448 the limited TCP extended header. Furthermore, there are situations, 449 as noted in Section 7.3 of [RFC7413] where it is possible to accept 450 the payload of SYN packets without creating additional security risks 451 such as a network where addresses cannot be spoofed and the Transport 452 Converter only serves a set of hosts that are identified by these 453 addresses. For these reasons, this specification does not mandate 454 the use of the TCP Fast Open option when the Client sends a 455 connection establishment packet towards a Transport Converter. The 456 Convert protocol includes an optional Cookie TLV that provides 457 similar protection as the TCP Fast Open option without consuming 458 space in the extended TCP header. 460 3.3. Sample Examples of Outgoing Converter-Assisted Multipath TCP 461 Connections 463 As an example, let us consider how the Convert protocol can help the 464 deployment of Multipath TCP. We assume that both the Client and the 465 Transport Converter support Multipath TCP, but consider two different 466 cases depending on whether the Server supports Multipath TCP or not. 468 As a reminder, a Multipath TCP connection is created by placing the 469 MP_CAPABLE (MPC) option in the SYN sent by the Client. 471 Figure 6 describes the operation of the Transport Converter if the 472 Server does not support Multipath TCP. 474 Transport 475 Client Converter Server 476 --------------------> 477 SYN, MPC [->Server:port] 479 --------------------> 480 SYN, MPC 482 <-------------------- 483 SYN+ACK 484 <-------------------- 485 SYN+ACK,MPC [.] 487 --------------------> 488 ACK,MPC 489 --------------------> 490 ACK 492 Figure 6: Establishment of a Multipath TCP connection through a 493 Transport Converter towards a Server that does not support Multipath 494 TCP 496 The Client tries to initiate a Multipath TCP connection by sending a 497 SYN with the MP_CAPABLE option (MPC in Figure 6). The SYN includes 498 the address and port number of the target Server, that are extracted 499 and used by the Transport Converter to initiate a Multipath TCP 500 connection towards this Server. Since the Server does not support 501 Multipath TCP, it replies with a SYN+ACK that does not contain the 502 MP_CAPABLE option. The Transport Converter notes that the connection 503 with the Server does not support Multipath TCP and returns the 504 extended TCP header received from the Server to the Client. 506 Figure 7 considers a Server that supports Multipath TCP. In this 507 case, it replies to the SYN sent by the Transport Converter with the 508 MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport 509 Converter confirms the establishment of the connection to the Client 510 and indicates to the Client that the Server supports Multipath TCP. 511 With this information, the Client has discovered that the Server 512 supports Multipath TCP natively. This will enable the Client to 513 bypass the Transport Converter for the subsequent Multipath TCP 514 connections that it will initiate towards this Server. 516 Transport 517 Client Converter Server 518 --------------------> 519 SYN, MPC [->Server:port] 521 --------------------> 522 SYN, MPC 524 <-------------------- 525 SYN+ACK, MPC 526 <-------------------- 527 SYN+ACK, MPC [ MPC supported ] 529 --------------------> 530 ACK, MPC 531 --------------------> 532 ACK, MPC 534 Figure 7: Establishment of a Multipath TCP connection through a 535 converter towards a server that supports Multipath TCP 537 3.4. Sample Example of Incoming Converter-Assisted Multipath TCP 538 Connection 540 An example of an incoming Converter-assisted Multipath TCP connection 541 is depicted in Figure 8. In order to support incoming connections 542 from remote hosts, the Client may use PCP [RFC6887] to instruct the 543 Transport Converter to create dynamic mappings. Those mappings will 544 be used by the Transport Converter to intercept an incoming TCP 545 connection destined to the Client and convert it into a Multipath TCP 546 connection. 548 Typically, the Client sends a PCP request to the Converter asking to 549 create an explicit TCP mapping for (internal IP address, internal 550 port number). The Converter accepts the request by creating a TCP 551 mapping (internal IP address, internal port number, external IP 552 address, external port number). The external IP address and external 553 port number will be then advertised using an out-of-band mechanism so 554 that remote hosts can initiate TCP connections to the Client via the 555 Converter. Note that the external and internal information may be 556 the same. 558 Then, when the Converter receives an incoming SYN, it checks its 559 mapping table to verify if there is an active mapping matching the 560 destination IP address and destination port of that SYN. If an entry 561 is found, the Converter inserts an MP_CAPABLE option and Connect TLV 562 in the SYN packet, rewrites the source IP address to one of its IP 563 addresses and, eventually, the destination IP address and port number 564 in accordance with the information stored in the mapping. SYN-ACK 565 and ACK will be then exchanged between the Client and the Converter 566 to confirm the establishment of the initial subflow. The Client can 567 add new subflows following normal Multipath TCP procedures. 569 Transport 570 Client Converter Remote Host 571 <------------------- 572 SYN 574 <------------------- 575 SYN, MPC[Remote Host:port] 577 ---------------------> 578 SYN+ACK, MPC 579 ---------------------> 580 SYN+ACK 582 <--------------------- 583 ACK 584 <------------------- 585 ACK, MPC 587 Figure 8: Establishment of an Incoming TCP Connection through a 588 Transport Converter 590 4. The Convert Protocol (Convert) 592 This section describes the messages that are exchanged between a 593 Client and a Transport Converter. The Convert Protocol (Convert, for 594 short) uses a 32 bits long fixed header that is sent by both the 595 Client and the Transport Converter over each established connection. 596 This header indicates both the version of the protocol used and the 597 length of the Convert message. 599 4.1. The Convert Fixed Header 601 The Fixed Header is used to convey information about the version and 602 length of the messages exchanged between the Client and the Transport 603 Converter. 605 The Client and the Transport Converter MUST send the fixed-sized 606 header, shown in Figure 9, as the first four bytes of the bytestream. 608 1 2 3 609 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 610 +---------------+---------------+-------------------------------+ 611 | Version | Total Length | Unassigned | 612 +---------------+---------------+-------------------------------+ 614 Figure 9: The fixed-sized header of the Convert protocol 616 The Version is encoded as an 8 bits unsigned integer value. This 617 document specifies version 1. Version 0 is reserved by this document 618 and MUST NOT be used. 620 The Total Length is the number of 32 bits word, including the header, 621 of the bytestream that are consumed by the Convert messages. Since 622 Total Length is also an 8 bits unsigned integer, those messages 623 cannot consume more than 1020 bytes of data. This limits the number 624 of bytes that a Transport Converter needs to process. A Total Length 625 of zero is invalid and the connection MUST be reset upon reception of 626 a header with such total length. 628 The Unassigned field MUST be set to zero in this version of the 629 protocol. These bits are available for future use [RFC8126]. 631 4.2. Convert TLVs 633 4.2.1. Generic Convert TLV Format 635 The Convert protocol uses variable length messages that are encoded 636 using the generic TLV (Type, Length, Value) format depicted in 637 Figure 10. 639 The length of all TLVs used by the Convert protocol is always a 640 multiple of four bytes. All TLVs are aligned on 32 bits boundaries. 641 All TLV fields are encoded using the network byte order. 643 1 2 3 644 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 645 +---------------+---------------+-------------------------------+ 646 | Type | Length | (optional) Value ... | 647 +---------------+---------------+-------------------------------+ 648 | ... (optional) Value | 649 +---------------------------------------------------------------+ 651 Figure 10: Convert Generic TLV Format 653 The Length field is expressed in units of 32 bits words. In general 654 zero padding MUST be added if the value's length in bytes can not be 655 expressed as 2+(4 * n). 657 A given TLV MUST only appear once on a connection. If two or more 658 instances of the same TLV are exchanged over a Convert connection, 659 the associated TCP connections MUST be closed. 661 4.2.2. Summary of Supported Convert TLVs 663 This document specifies the following Convert TLVs: 665 +------+-----+----------+------------------------------------------+ 666 | Type | Hex | Length | Description | 667 +------+-----+----------+------------------------------------------+ 668 | 1 | 0x1 | 1 | Info TLV | 669 | 10 | 0xA | Variable | Connect TLV | 670 | 20 | 0x14| Variable | Extended TCP Header TLV | 671 | 21 | 0x15| Variable | Supported TCP Extensions TLV | 672 | 22 | 0x16| Variable | Cookie TLV | 673 | 30 | 0x1E| Variable | Error TLV | 674 +------+-----+----------+------------------------------------------+ 676 Figure 11: The TLVs used by the Convert protocol 678 Type 0x0 is a reserved valued. Implementations MUST discard messages 679 with such TLV. 681 The Client can request the establishment of connections to servers by 682 using the Connect TLV (Section 4.2.5). If the connection can be 683 established with the final server, the Transport Converter replies 684 with the Extended TCP Header TLV (Section 4.2.4). If not, the 685 Transport Converter returns an Error TLV (Section 4.2.8) and then 686 closes the connection. 688 As a general rule, when an error is encountered an Error TLV with the 689 appropriate error code MUST be returned by the Transport Converter. 691 4.2.3. The Info TLV 693 The Info TLV (Figure 12) is an optional TLV which can be sent by a 694 Client to request the TCP extensions that are supported by a 695 Transport Converter. It is typically sent on the first connection 696 that a Client establishes with a Transport Converter to learn its 697 capabilities. Assuming a Client is entitled to invoke the Transport 698 Converter, the latter replies with the Supported TCP Extensions TLV 699 described in Section 4.2.4. 701 1 2 3 702 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 703 +---------------+---------------+-------------------------------+ 704 | Type=0x1 | Length | Zero | 705 +---------------+---------------+-------------------------------+ 707 Figure 12: The Info TLV 709 4.2.4. Supported TCP Extensions TLV 711 The Supported TCP Extensions TLV (Figure 13) is used by a Transport 712 Converter to announce the TCP options for which it provides a 713 conversion service. A Transport Converter SHOULD include in this 714 list the TCP options that it accepts from Clients and that it 715 includes the SYN packets that it sends to initiate connections. 717 Each supported TCP option is encoded with its TCP option Kind listed 718 in the "TCP Parameters" registry maintained by IANA. 720 1 2 3 721 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 722 +---------------+---------------+-------------------------------+ 723 | Type=0x15 | Length | Unassigned | 724 +---------------+---------------+-------------------------------+ 725 | Kind #1 | Kind #2 | ... | 726 +---------------+---------------+-------------------------------+ 727 / ... / 728 / / 729 +---------------------------------------------------------------+ 731 Figure 13: The Supported TCP Extensions TLV 733 TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by 734 all TCP implementations and thus MUST NOT appear in this list. 736 The list of Supported TCP Extension is padded with 0 to end on a 32 737 bits boundary. 739 For example, if the Transport Converter supports Multipath TCP, 740 Kind=30 will be present in the Supported TCP Extensions TLV that it 741 returns in response to Info TLV. 743 4.2.5. Connect TLV 745 The Connect TLV (Figure 14) is used to request the establishment of a 746 connection via a Transport Converter. This connection can be from or 747 to a client. 749 The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain 750 the destination port number and IP address of the Server, for 751 outgoing connections. For incoming connections destined to a Client 752 serviced via a Transport Converter, these fields convey the source 753 port number and IP address. 755 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 756 addresses MUST be encoded using the IPv4-Mapped IPv6 Address format 757 defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT 758 include multicast, broadcast, and host loopback addresses [RFC6890]. 759 Connect TLVs witch such messages MUST be discarded by the Transport 760 Converter. 762 We distinguish two types of Connect TLV based on their length: (1) 763 the base Connect TLV has a length of 20 bytes and contains a remote 764 address and a remote port, (2) the extended Connect TLV spans more 765 than 20 bytes and also includes the optional 'TCP Options' field. 766 This field is used to specify how specific TCP options should be 767 advertised by the Transport Converter to the server. 769 1 2 3 770 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 771 +---------------+---------------+-------------------------------+ 772 | Type=0xA | Length | Remote Peer Port | 773 +---------------+---------------+-------------------------------+ 774 | | 775 | Remote Peer IP Address (128 bits) | 776 | | 777 | | 778 +---------------------------------------------------------------+ 779 | TCP Options (Variable) | 780 | ... | 781 +---------------------------------------------------------------+ 783 Figure 14: The Connect TLV 785 The 'TCP Options' field is a variable length field that carries a 786 list of TCP option fields (Figure 15). Each TCP option field is 787 encoded as a block of 2+n bytes where the first byte is the TCP 788 option Kind and the second byte is the length of the TCP option as 789 specified in [RFC0793]. The minimum value for the TCP option Length 790 is 2. The TCP options that do not include a length subfield, i.e., 791 option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be 792 placed inside the TCP options field of the Connect TLV. The optional 793 Value field contains the variable-length part of the TCP option. A 794 length of two indicates the absence of the Value field. The TCP 795 options field always ends on a 32 bits boundary after being padded 796 with zeros. 798 1 2 3 799 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 800 +---------------+---------------+---------------+---------------+ 801 | TCPOpt kind | TCPOpt Length | Value (opt) | .... | 802 +---------------+---------------+---------------+---------------+ 803 | .... | 804 +---------------------------------------------------------------+ 805 | ... | 806 +---------------------------------------------------------------+ 808 Figure 15: The TCP Options field 810 Upon reception of a Connect TLV, and absent any rate limit policy or 811 resource exhaustion conditions, a Transport Converter MUST attempt to 812 establish a connection to the address and port that it contains. The 813 Transport Converter MUST use by default the TCP options that 814 correspond to its local policy to establish this connection. These 815 are the options that it advertises in the Supported TCP Extensions 816 TLV. 818 Upon reception of an extended Connect TLV, and absent any rate limit 819 policy or resource exhaustion conditions, a Transport Converter MUST 820 attempt to establish a connection to the address and port that it 821 contains. It MUST include the options of the 'TCP Options' subfield 822 in the SYN sent to the Server in addition to the TCP options that it 823 would have used according to its local policies. For the TCP options 824 that are listed without an optional value, the Transport Converter 825 MUST generate its own value. For the TCP options that are included 826 in the 'TCP Options' field with an optional value, it MUST copy the 827 entire option for use in the connection with the destination peer. 828 This feature is required to support TCP Fast Open. 830 The Transport Converter may discard a Connect TLV request for various 831 reasons (e.g., authorization failed, out of resources, invalid 832 address type). An error message indicating the encountered error is 833 returned to the requesting Client (Section 4.2.8). In order to 834 prevent denial-of-service attacks, error messages sent to a Client 835 SHOULD be rate-limited. 837 4.2.6. Extended TCP Header TLV 839 The Extended TCP Header TLV (Figure 16) is used by the Transport 840 Converter to send to the Client the extended TCP header that was 841 returned by the Server in the SYN+ACK packet. This TLV is only sent 842 if the Client sent a Connect TLV to request the establishment of a 843 connection. 845 1 2 3 846 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 847 +---------------+---------------+-------------------------------+ 848 | Type=0x14 | Length | Unassigned | 849 +---------------+---------------+-------------------------------+ 850 | Returned Extended TCP header | 851 | ... | 852 +---------------------------------------------------------------+ 854 Figure 16: The Extended TCP Header TLV 856 The Returned Extended TCP header field is a copy of the extended 857 header that was received in the SYN+ACK by the Transport Converter. 859 The Unassigned field MUST be set to zero by the transmitter and 860 ignored by the receiver. These bits are available for future use 861 [RFC8126]. 863 4.2.7. The Cookie TLV 865 The Cookie TLV (Figure 17 is an optional TLV which use is similar to 866 the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want 867 to verify that its Clients can receive the packets that it sends to 868 prevent attacks from spoofed addresses. This verification can be 869 done by using a Cookie that is bound to, for example, the IP 870 address(es) of the Client. This Cookie can be configured on the 871 Client by means that are outside of this document or provided by the 872 Transport Converter as follows. 874 A Transport Converter that has been configured to use the optional 875 Cookie TLV MUST verify the presence of this TLV in the payload of the 876 received SYN. If this TLV is present, the Transport Converter MUST 877 validate the Cookie by means similar to those in Section 4.1.2 of 878 [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the 879 connection establishment procedure can continue. Otherwise, the 880 Transport Converter MUST return an Error TLV set to "Not Authorized" 881 and close the connection. 883 If the received SYN did not contain a Cookie TLV, and cookie 884 validation is required, the Transport Converter should compute a 885 Cookie bound to this Client address and return a Convert message 886 containing the fixed header, an Error TLV set to "Missing Cookie" and 887 the computed Cookie and close the connection. The Client will react 888 to this error by storing the received Cookie in its cache and attempt 889 to reestablish a new connection to the Transport Converter that 890 includes the Cookie. 892 The format of the Cookie TLV is shown in the below figure. 894 1 2 3 895 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 896 +---------------+---------------+-------------------------------+ 897 | Type=0x16 | Length | Zero | 898 +---------------+---------------+-------------------------------+ 899 | Opaque Cookie | 900 | ... | 901 +---------------------------------------------------------------+ 903 Figure 17: The Cookie TLV 905 4.2.8. Error TLV 907 The Error TLV (Figure 18) is used by the Transport Converter to 908 provide information about some errors that occurred during the 909 processing of Convert message. This TLV has a variable length. It 910 appears after the Convert fixed-header in the bytestream returned by 911 the Transport Converter. Upon reception of an Error TLV, a Client 912 MUST close the associated connection. 914 1 2 3 915 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 916 +---------------+---------------+----------------+--------------+ 917 | Type=0x1E | Length | Error code | Value | 918 +---------------+---------------+----------------+--------------+ 920 Figure 18: The Error TLV 922 Different types of errors can occur while processing Convert 923 messages. Each error is identified by an Error code represented as 924 an unsigned integer. Four classes of Error codes are defined: 926 o Message validation and processing errors (0-31 range): returned 927 upon reception of an invalid message (including valid messages but 928 with invalid or unknown TLVs). 930 o Client-side errors (32-63 range): the Client sent a request that 931 could not be accepted by the Transport Converter (e.g., 932 unsupported operation). 934 o Converter-side errors (64-95 range): problems encountered on the 935 Transport Converter (e.g., lack of resources) which prevent it 936 from fulfilling the Client's request. 938 o Errors caused by the destination server (96-127 range): the final 939 destination could not be reached or it replied with a reset. 941 The following error codes are defined in this document: 943 o Unsupported Version (0): The version number indicated in the fixed 944 header of a message received from a peer is not supported. 946 This error code MUST be generated by a Transport Converter when it 947 receives a request having a version number that it does not 948 support. 950 The value field MUST be set to the version supported by the 951 Transport Converter. When multiple versions are supported by the 952 Transport Converter, it includes the list of supported version in 953 the value field; each version is encoded in 8 bits. The list of 954 supported versions should be padded with zeros to end on a 32 bits 955 boundary. 957 Upon receipt of this error code, the client checks whether it 958 supports one of the versions returned by the Transport Converter. 959 The highest common supported version MUST be used by the client in 960 subsequent exchanges with the Transport Converter. 962 o Malformed Message (1): This error code is sent to indicate that a 963 message can not be successfully parsed and validated. 965 Typically, this error code is sent by the Transport Converter if 966 it receives a Connect TLV enclosing a multicast, broadcast, or 967 loopback IP address. 969 To ease troubleshooting, the value field MUST echo the received 970 message shifted by one byte to keep to original alignment of the 971 message. 973 o Unsupported Message (2): This error code is sent to indicate that 974 a message type is not supported by the Transport Converter. 976 To ease troubleshooting, the value field MUST echo the received 977 message shifted by one byte to keep to original alignment of the 978 message. 980 o Missing Cookie (3): If a Transport Converter requires the 981 utilization of Cookies to prevent spoofing attacks and a Cookie 982 TLV was not included in the Convert message, the Transport 983 Converter MUST return this error to the requesting client. The 984 first byte of the value field MUST be set to zero and the 985 remaining bytes of the Error TLV contain the Cookie computed by 986 the Transport Converter for this Client. 988 A Client which receives this error code MUST cache the received 989 Cookie and include it in subsequent Convert messages sent to that 990 Transport Converter. 992 o Not Authorized (32): This error code indicates that the Transport 993 Converter refused to create a connection because of a lack of 994 authorization (e.g., administratively prohibited, authorization 995 failure, invalid Cookie TLV, etc.). The Value field MUST be set 996 to zero. 998 This error code MUST be sent by the Transport Converter when a 999 request cannot be successfully processed because the authorization 1000 failed. 1002 o Unsupported TCP Option (33): A TCP option that the Client 1003 requested to advertise to the final Server cannot be safely used. 1005 The Value field is set to the type of the unsupported TCP option. 1006 If several unsupported TCP options were specified in the Connect 1007 TLV, then the list of unsupported TCP options is returned. The 1008 list of unsupported TCP options MUST be padded with zeros to end 1009 on a 32 bits boundary. 1011 o Resource Exceeded (64): This error indicates that the Transport 1012 Converter does not have enough resources to perform the request. 1014 This error MUST be sent by the Transport Converter when it does 1015 not have sufficient resources to handle a new connection. The 1016 Transport Converter may indicate in the Value field the suggested 1017 delay (in seconds) that the Client SHOULD wait before soliciting 1018 the Transport Converter for a new proxied connection. A Value of 1019 zero corresponds to a default delay of at least 30 seconds. 1021 o Network Failure (65): This error indicates that the Transport 1022 Converter is experiencing a network failure to relay the request. 1024 The Transport Converter MUST send this error code when it 1025 experiences forwarding issues to relay a connection. The 1026 Transport Converter may indicate in the Value field the suggested 1027 delay (in seconds) that the Client SHOULD wait before soliciting 1028 the Transport Converter for a new proxied connection. A Value of 1029 zero corresponds to a default delay of at least 30 seconds. 1031 o Connection Reset (96): This error indicates that the final 1032 destination responded with a RST packet. The Value field MUST be 1033 set to zero. 1035 o Destination Unreachable (97): This error indicates that an ICMP 1036 destination unreachable, port unreachable, or network unreachable 1037 was received by the Transport Converter. The Value field MUST 1038 echo the Code field of the received ICMP message. 1040 Figure 19 summarizes the different error codes. 1042 +-------+------+-----------------------------------------------+ 1043 | Error | Hex | Description | 1044 +-------+------+-----------------------------------------------+ 1045 | 0 | 0x00 | Unsupported Version | 1046 | 1 | 0x01 | Malformed Message | 1047 | 2 | 0x02 | Unsupported Message | 1048 | 3 | 0x03 | Missing Cookie | 1049 | 32 | 0x20 | Not Authorized | 1050 | 33 | 0x21 | Unsupported TCP Option | 1051 | 64 | 0x40 | Resource Exceeded | 1052 | 65 | 0x41 | Network Failure | 1053 | 96 | 0x60 | Connection Reset | 1054 | 97 | 0x61 | Destination Unreachable | 1055 +-------+------+-----------------------------------------------+ 1057 Figure 19: Convert Error Values 1059 5. Compatibility of Specific TCP Options with the Conversion Service 1061 In this section, we discuss how several standard track TCP options 1062 can be supported through the Convert protocol. The non-standard 1063 track options and the experimental options will be discussed in other 1064 documents. 1066 5.1. Base TCP Options 1068 Three TCP options were initially defined in [RFC0793]: End-of-Option 1069 List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size 1070 (Kind=2). The first two options are mainly used to pad the TCP 1071 extended header. There is no reason for a client to request a 1072 Transport Converter to specifically send these options towards the 1073 final destination. 1075 The Maximum Segment Size option (Kind=2) is used by a host to 1076 indicate the largest segment that it can receive over each 1077 connection. This value is function of the stack that terminates the 1078 TCP connection. There is no reason for a Client to request a 1079 Transport Converter to advertise a specific MSS value to a remote 1080 server. 1082 A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they 1083 appear in a Connect TLV. It MUST NOT announce them in a Supported 1084 TCP Extensions TLV. 1086 5.2. Window Scale (WS) 1088 The Window Scale option (Kind=3) is defined in [RFC7323]. As for the 1089 MSS option, the window scale factor that is used for a connection 1090 strongly depends on the TCP stack that handles the connection. When 1091 a Transport Converter opens a TCP connection towards a remote server 1092 on behalf of a Client, it SHOULD use a WS option with a scaling 1093 factor that corresponds to the configuration of its stack. A local 1094 configuration MAY allow for WS option in the proxied message to be 1095 function of the scaling factor of the incoming connection. 1097 There is no benefit from a deployment viewpoint in enabling a Client 1098 of a Transport Converter to specifically request the utilisation of 1099 the WS option (Kind=3) with a specific scaling factor towards a 1100 remote Server. For this reason, a Transport Converter MUST ignore 1101 option Kind=3 if it appears in a Connect TLV. It MUST NOT announce 1102 it in a Supported TCP Extensions TLV. 1104 5.3. Selective Acknowledgements 1106 Two distinct TCP options were defined to support selective 1107 acknowledgements in [RFC2018]. This first one, SACK Permitted 1108 (Kind=4), is used to negotiate the utilisation of selective 1109 acknowledgements during the three-way handshake. The second one, 1110 SACK (Kind=5), carries the selective acknowledgements inside regular 1111 segments. 1113 The SACK Permitted option (Kind=4) MAY be advertised by a Transport 1114 Converter in the Supported TCP Extensions TLV. Clients connected to 1115 this Transport Converter MAY include the SACK Permitted option in the 1116 Connect TLV. 1118 The SACK option (Kind=5) cannot be used during the three-way 1119 handshake. For this reason, a Transport Converter MUST ignore option 1120 Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a 1121 TCP Supported Extensions TLV. 1123 5.4. Timestamp 1125 The Timestamp option was initially defined in [RFC1323] and later 1126 refined in [RFC7323]. It can be used during the three-way handshake 1127 to negotiate the utilization of timestamps during the TCP connection. 1128 It is notably used to improve round-trip-time estimations and to 1129 provide protection against wrapped sequence numbers (PAWS). As for 1130 the WS option, the timestamps are a property of a connection and 1131 there is limited benefit in enabling a client to request a Transport 1132 Converter to use the timestamp option when establishing a connection 1133 to a remote server. Furthermore, the timestamps that are used by TCP 1134 stacks are specific to each stack and there is no benefit in enabling 1135 a client to specify the timestamp value that a Transport Converter 1136 could use to establish a connection to a remote server. 1138 A Transport Converter MAY advertise the Timestamp option (Kind=8) in 1139 the TCP Supported Extensions TLV. The clients connected to this 1140 Transport Converter MAY include the Timestamp option in the Connect 1141 TLV but without any timestamp. 1143 5.5. Multipath TCP 1145 The Multipath TCP options are defined in [RFC6824]. [RFC6824] 1146 defines one variable length TCP option (Kind=30) that includes a 1147 subtype field to support several Multipath TCP options. There are 1148 several operational use cases where clients would like to use 1149 Multipath TCP through a Transport Converter [IETFJ16]. However, none 1150 of these use cases require the Client to specify the content of the 1151 Multipath TCP option that the Transport Converter should send to a 1152 remote server. 1154 A Transport Converter which supports Multipath TCP conversion service 1155 MUST advertise the Multipath TCP option (Kind=30) in the Supported 1156 TCP Extensions TLV. Clients serviced by this Transport Converter may 1157 include the Multipath TCP option in the Connect TLV but without any 1158 content. 1160 5.6. TCP Fast Open 1162 The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413]. 1163 There are two different usages of this option that need to be 1164 supported by Transport Converters. The first utilization of the TCP 1165 Fast Open cookie option is to request a cookie from the server. In 1166 this case, the option is sent with an empty cookie by the client and 1167 the server returns the cookie. The second utilization of the TCP 1168 Fast Open cookie option is to send a cookie to the server. In this 1169 case, the option contains a cookie. 1171 A Transport Converter MAY advertise the TCP Fast Open cookie option 1172 (Kind=34) in the Supported TCP Extensions TLV. If a Transport 1173 Converter has advertised the support for TCP Fast Open in its 1174 Supported TCP Extensions TLV, it needs to be able to process two 1175 types of Connect TLV. If such a Transport Converter receives a 1176 Connect TLV with the TCP Fast Open cookie option that does not 1177 contain a cookie, it MUST add an empty TCP Fast Open cookie option in 1178 the SYN sent to the remote server. If such a Transport Converter 1179 receives a Connect TLV with the TCP Fast Open cookie option that 1180 contains a cookie, it MUST copy the TCP Fast Open cookie option in 1181 the SYN sent to the remote server. 1183 5.7. TCP User Timeout 1185 The TCP User Timeout option is defined in [RFC5482]. The associated 1186 TCP option (Kind=28) does not appear to be widely deployed. 1188 5.8. TCP-AO 1190 TCP-AO [RFC5925] provides a technique to authenticate all the packets 1191 exchanged over a TCP connection. Given the nature of this extension, 1192 it is unlikely that the applications that require their packets to be 1193 authenticated end-to-end would want their connections to pass through 1194 a converter. For this reason, we do not recommend the support of the 1195 TCP-AO option by Transport Converters. The only use cases where it 1196 could make sense to combine TCP-AO and the solution in this document 1197 are those where the TCP-AO-NAT extension [RFC6978] is in use. 1199 A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29) 1200 in the Supported TCP Extensions TLV. If a Transport Converter 1201 receives a Connect TLV that contains the TCP-AO option, it MUST 1202 reject the establishment of the connection with error code set to 1203 "Unsupported TCP Option", except if the TCP-AO-NAT option is used. 1205 5.9. TCP Experimental Options 1207 The TCP Experimental options are defined in [RFC4727]. Given the 1208 variety of semantics for these options and their experimental nature, 1209 it is impossible to discuss them in details in this document. 1211 6. Interactions with Middleboxes 1213 The Convert Protocol is designed to be used in networks that do not 1214 contain middleboxes that interfere with TCP. Under such conditions, 1215 it is assumed that the network provider ensures that all involved on- 1216 path nodes are not breaking TCP signals (e.g., strip TCP options, 1217 discard some SYNs, etc.). 1219 Nevertheless, and in order to allow for a robust service, this 1220 section describes how a Client can detect middlebox interference and 1221 stop using the Transport Converter affected by this interference. 1223 Internet measurements [IMC11] have shown that middleboxes can affect 1224 the deployment of TCP extensions. In this section, we only discuss 1225 the middleboxes that modify SYN and SYN+ACK packets since the Convert 1226 Protocol places its messages in such packets. 1228 Consider a middlebox that removes the SYN payload. The Client can 1229 detect this problem by looking at the acknowledgement number field of 1230 the SYN+ACK returned by the Transport Converter. The Client MUST 1231 stop to use this Transport Converter given the middlebox 1232 interference. 1234 As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect 1235 the operation of TFO if they assign different IP addresses to the 1236 same end host. Such CGNs could affect the operation of the TFO 1237 Option used by the Convert Protocol. As a reminder CGNs, enabled on 1238 the path between a Client and a Transport Converter, must adhere to 1239 the address preservation defined in [RFC6888]. See also the 1240 discussion in Section 7.1 of [RFC7413]. 1242 7. Security Considerations 1244 7.1. Privacy & Ingress Filtering 1246 The Transport Converter may have access to privacy-related 1247 information (e.g., subscriber credentials). The Transport Converter 1248 is designed to not leak such sensitive information outside a local 1249 domain. 1251 Given its function and its location in the network, a Transport 1252 Converter has access to the payload of all the packets that it 1253 processes. As such, it MUST be protected as a core IP router (e.g., 1254 [RFC1812]). 1256 Furthermore, ingress filtering policies MUST be enforced at the 1257 network boundaries [RFC2827]. 1259 This document assumes that all network attachments are managed by the 1260 same administrative entity. Therefore, enforcing anti-spoofing 1261 filters at these network ensures that hosts are not sending traffic 1262 with spoofed source IP addresses. 1264 7.2. Authorization 1266 The Convert Protocol is intended to be used in managed networks where 1267 end hosts can be identified by their IP address. 1269 Stronger mutual authentication schemes MUST be defined to use the 1270 Convert Protocol in more open network environments. One possibility 1271 is to use TLS to perform mutual authentication between the client and 1272 the Converter. That is, use TLS when a Client retrieves a Cookie 1273 from the Converter and rely on certificate-based client 1274 authentication, pre-shared key based [RFC4279] or raw public key 1275 based client authentication [RFC7250] to secure this connection. If 1276 the authentication succeeds, the Converter returns a cookie whose 1277 content may be, for example, set to a hash using as input the 1278 representation of the Subject Public Key Info (SPKI) of the client 1279 X.509 certificate, the Client raw public key, or the "Pre-Shared Key 1280 (PSK) identity" used by the Client in the TLS ClientKeyExchange 1281 message. Subsequent Connect messages will be authorized as a 1282 function of the content of the Cookie TLV. The client MUST also 1283 authenticate. 1285 See below for authorization considerations that are specific for 1286 Multipath TCP. 1288 7.3. Denial of Service 1290 Another possible risk is the amplification attacks since a Transport 1291 Converter sends a SYN towards a remote Server upon reception of a SYN 1292 from a Client. This could lead to amplification attacks if the SYN 1293 sent by the Transport Converter were larger than the SYN received 1294 from the Client or if the Transport Converter retransmits the SYN. 1295 To mitigate such attacks, the Transport Converter SHOULD rate limit 1296 the number of pending requests for a given Client. It SHOULD also 1297 avoid sending to remote Servers SYNs that are significantly longer 1298 than the SYN received from the Client. Finally, the Transport 1299 Converter SHOULD only retransmit a SYN to a Server after having 1300 received a retransmitted SYN from the corresponding Client. Means to 1301 protect against SYN flooding attacks MUST also be enabled [RFC4987]. 1303 7.4. Traffic Theft 1305 Traffic theft is a risk if an illegitimate Converter is inserted in 1306 the path. Indeed, inserting an illegitimate Converter in the 1307 forwarding path allows traffic interception and can therefore provide 1308 access to sensitive data issued by or destined to a host. Converter 1309 discovery and configuration are out of scope of this document. 1311 7.5. Multipath TCP-specific Considerations 1313 Multipath TCP-related security threats are discussed in [RFC6181] and 1314 [RFC6824]. 1316 The operator that manages the various network attachments (including 1317 the Transport Converters) can enforce authentication and 1318 authorization policies using appropriate mechanisms. For example, a 1319 non-exhaustive list of methods to achieve authorization is provided 1320 hereafter: 1322 o The network provider may enforce a policy based on the 1323 International Mobile Subscriber Identity (IMSI) to verify that a 1324 user is allowed to benefit from the aggregation service. If that 1325 authorization fails, the Packet Data Protocol (PDP) context/bearer 1326 will not be mounted. This method does not require any interaction 1327 with the Transport Converter. 1329 o The network provider may enforce a policy based upon Access 1330 Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) 1331 to control the hosts that are authorized to communicate with a 1332 Transport Converter. These ACLs may be installed as a result of 1333 RADIUS exchanges, e.g. [I-D.boucadair-radext-tcpm-converter]. 1334 This method does not require any interaction with the Transport 1335 Converter. 1337 o A device that embeds a Transport Converter may also host a RADIUS 1338 client that will solicit an AAA server to check whether 1339 connections received from a given source IP address are authorized 1340 or not [I-D.boucadair-radext-tcpm-converter]. 1342 A first safeguard against the misuse of Transport Converter resources 1343 by illegitimate users (e.g., users with access networks that are not 1344 managed by the same provider that operates the Transport Converter) 1345 is the Transport Converter to reject Multipath TCP connections 1346 received on its Internet-facing interfaces. Only Multipath TCP 1347 connections received on the customer-facing interfaces of a Transport 1348 Converter will be accepted. 1350 8. IANA Considerations 1352 8.1. Convert Service Port Number 1354 IANA is requested to assign a TCP port number (TBA) for the Convert 1355 Protocol from the "Service Name and Transport Protocol Port Number 1356 Registry" available at https://www.iana.org/assignments/service- 1357 names-port-numbers/service-names-port-numbers.xhtml. 1359 8.2. The Convert Protocol (Convert) Parameters 1361 IANA is requested to create a new "The Convert Protocol (Convert) 1362 Parameters" registry. 1364 The following subsections detail new registries within "The Convert 1365 Protocol (Convert) Parameters" registry. 1367 8.2.1. Convert Versions 1369 IANA is requested to create the "Convert versions" sub-registry. New 1370 values are assigned via Standards Action. 1372 The initial values to be assigned at the creation of the registry are 1373 as follows: 1375 +---------+--------------------------------------+-------------+ 1376 | Version | Description | Reference | 1377 +---------+--------------------------------------+-------------+ 1378 | 0 | Reserved by this document | [This-RFC] | 1379 | 1 | Assigned by this document | [This-RFC] | 1380 +---------+--------------------------------------+-------------+ 1382 8.2.2. Convert TLVs 1384 IANA is requested to create the "Convert TLVs" sub-registry. The 1385 procedure for assigning values from this registry is as follows: 1387 o The values in the range 1-127 can be assigned via Standards 1388 Action. 1390 o The values in the range 128-191 can be assigned via Specification 1391 Required. 1393 o The values in the range 192-255 can be assigned for Private Use. 1395 The initial values to be assigned at the creation of the registry are 1396 as follows: 1398 +---------+--------------------------------------+-------------+ 1399 | Code | Name | Reference | 1400 +---------+--------------------------------------+-------------+ 1401 | 0 | Reserved | [This-RFC] | 1402 | 1 | Info TLV | [This-RFC] | 1403 | 10 | Connect TLV | [This-RFC] | 1404 | 20 | Extended TCP Header TLV | [This-RFC] | 1405 | 21 | Supported TCP Extension TLV | [This-RFC] | 1406 | 22 | Cookie TLV | [This-RFC] | 1407 | 30 | Error TLV | [This-RFC] | 1408 +---------+--------------------------------------+-------------+ 1410 8.2.3. Convert Error Messages 1412 IANA is requested to create the "Convert Errors" sub-registry. Codes 1413 in this registry are assigned as a function of the error type. Four 1414 types are defined; the following ranges are reserved for each of 1415 these types: 1417 o Message validation and processing errors: 0-31 1419 o Client-side errors: 32-63 1421 o Transport Converter-side errors: 64-95 1423 o Errors caused by destination server: 96-127 1425 The procedure for assigning values from this sub-registry is as 1426 follows: 1428 o 0-191: Values in this range are assigned via Standards Action. 1430 o 192-255: Values in this range are assigned via Specification 1431 Required. 1433 The initial values to be assigned at the creation of the registry are 1434 as follows: 1436 +-------+------+-----------------------------------+-----------+ 1437 | Error | Hex | Description | Reference | 1438 +-------+------+-----------------------------------+-----------+ 1439 | 0 | 0x00 | Unsupported Version | [This-RFC]| 1440 | 1 | 0x01 | Malformed Message | [This-RFC]| 1441 | 2 | 0x02 | Unsupported Message | [This-RFC]| 1442 | 3 | 0x03 | Missing Cookie | [This-RFC]| 1443 | 32 | 0x20 | Not Authorized | [This-RFC]| 1444 | 33 | 0x21 | Unsupported TCP Option | [This-RFC]| 1445 | 64 | 0x40 | Resource Exceeded | [This-RFC]| 1446 | 65 | 0x41 | Network Failure | [This-RFC]| 1447 | 96 | 0x60 | Connection Reset | [This-RFC]| 1448 | 97 | 0x61 | Destination Unreachable | [This-RFC]| 1449 +-------+------+-----------------------------------+-----------+ 1451 Figure 20: The Convert Error Codes 1453 9. Acknowledgements 1455 Although they could disagree with the contents of the document, we 1456 would like to thank Joe Touch and Juliusz Chroboczek whose comments 1457 on the MPTCP mailing list have forced us to reconsider the design of 1458 the solution several times. 1460 We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha 1461 Nandugudi and Gregory Vander Schueren for their help in preparing 1462 this document. Nandini Ganesh provided valuable feedback about the 1463 handling of TFO and the error codes. Thanks to them. 1465 This document builds upon earlier documents that proposed various 1466 forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], 1467 [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. 1469 From [I-D.boucadair-mptcp-plain-mode]: 1471 Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi 1472 Nishida, and Christoph Paasch for their valuable comments. 1474 Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and 1475 Sri Gundavelli for the fruitful discussions in IETF#95 (Buenos 1476 Aires). 1478 Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and 1479 Xavier Grall for their inputs. 1481 Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas 1482 Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves 1483 Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun 1484 Srinivasan, and Raghavendra Mallya for the discussion. 1486 9.1. Contributors 1488 Bart Peirens contributed to an early version of the document. 1490 As noted above, this document builds on two previous documents. 1492 The authors of [I-D.boucadair-mptcp-plain-mode] were: 1494 o Mohamed Boucadair 1496 o Christian Jacquenet 1498 o Olivier Bonaventure 1500 o Denis Behaghel 1502 o Stefano Secci 1504 o Wim Henderickx 1506 o Robert Skog 1508 o Suresh Vinapamula 1510 o SungHoon Seo 1512 o Wouter Cloetens 1514 o Ullrich Meyer 1516 o Luis M. Contreras 1518 o Bart Peirens 1520 The authors of [I-D.peirens-mptcp-transparent] were: 1522 o Bart Peirens 1524 o Gregory Detal 1526 o Sebastien Barre 1528 o Olivier Bonaventure 1530 10. Change Log 1532 This section to be removed before publication. 1534 o 00 : initial version, designed to support Multipath TCP and TFO 1535 only 1537 o 00 to -01 : added section Section 5 describing the support of 1538 different standard tracks TCP options by Transport Converters, 1539 clarification of the IANA section, moved the SOCKS comparison to 1540 the appendix and various minor modifications 1542 o 01 to -02 : Minor modifications 1544 o 02 to -03 : Minor modifications 1546 o 03 to -04 : Minor modifications 1548 11. References 1550 11.1. Normative References 1552 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 1553 RFC 793, DOI 10.17487/RFC0793, September 1981, 1554 . 1556 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1557 Requirement Levels", BCP 14, RFC 2119, 1558 DOI 10.17487/RFC2119, March 1997, 1559 . 1561 [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key 1562 Ciphersuites for Transport Layer Security (TLS)", 1563 RFC 4279, DOI 10.17487/RFC4279, December 2005, 1564 . 1566 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 1567 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 1568 2006, . 1570 [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, 1571 ICMPv6, UDP, and TCP Headers", RFC 4727, 1572 DOI 10.17487/RFC4727, November 2006, 1573 . 1575 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 1576 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 1577 . 1579 [RFC5482] Eggert, L. and F. Gont, "TCP User Timeout Option", 1580 RFC 5482, DOI 10.17487/RFC5482, March 2009, 1581 . 1583 [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP 1584 Authentication Option", RFC 5925, DOI 10.17487/RFC5925, 1585 June 2010, . 1587 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 1588 "TCP Extensions for Multipath Operation with Multiple 1589 Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013, 1590 . 1592 [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, 1593 "Special-Purpose IP Address Registries", BCP 153, 1594 RFC 6890, DOI 10.17487/RFC6890, April 2013, 1595 . 1597 [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., 1598 Weiler, S., and T. Kivinen, "Using Raw Public Keys in 1599 Transport Layer Security (TLS) and Datagram Transport 1600 Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, 1601 June 2014, . 1603 [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP 1604 Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, 1605 . 1607 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 1608 Writing an IANA Considerations Section in RFCs", BCP 26, 1609 RFC 8126, DOI 10.17487/RFC8126, June 2017, 1610 . 1612 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1613 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1614 May 2017, . 1616 11.2. Informative References 1618 [ANRW17] Trammell, B., Kuhlewind, M., De Vaere, P., Learmonth, I., 1619 and G. Fairhurst, "Tracking transport-layer evolution with 1620 PATHspider", Applied Networking Research Workshop 2017 1621 (ANRW17) , July 2017. 1623 [Fukuda2011] 1624 Fukuda, K., "An Analysis of Longitudinal TCP Passive 1625 Measurements (Short Paper)", Traffic Monitoring and 1626 Analysis. TMA 2011. Lecture Notes in Computer Science, vol 1627 6613. , 2011. 1629 [HotMiddlebox13b] 1630 Detal, G., Paasch, C., and O. Bonaventure, "Multipath in 1631 the Middle(Box)", HotMiddlebox'13 , December 2013, 1632 . 1635 [I-D.arkko-arch-low-latency] 1636 Arkko, J. and J. Tantsura, "Low Latency Applications and 1637 the Internet Architecture", draft-arkko-arch-low- 1638 latency-02 (work in progress), October 2017. 1640 [I-D.boucadair-mptcp-plain-mode] 1641 Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel, 1642 D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R., 1643 Vinapamula, S., Seo, S., Cloetens, W., Meyer, U., 1644 Contreras, L., and B. Peirens, "Extensions for Network- 1645 Assisted MPTCP Deployment Models", draft-boucadair-mptcp- 1646 plain-mode-10 (work in progress), March 2017. 1648 [I-D.boucadair-radext-tcpm-converter] 1649 Boucadair, M. and C. Jacquenet, "RADIUS Extensions for 1650 0-RTT TCP Converters", draft-boucadair-radext-tcpm- 1651 converter-01 (work in progress), October 2018. 1653 [I-D.boucadair-tcpm-dhc-converter] 1654 Boucadair, M., Jacquenet, C., and R. K, "DHCP Options for 1655 0-RTT TCP Converters", draft-boucadair-tcpm-dhc- 1656 converter-01 (work in progress), October 2018. 1658 [I-D.ietf-tcpinc-tcpcrypt] 1659 Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack, 1660 Q., and E. Smith, "Cryptographic protection of TCP Streams 1661 (tcpcrypt)", draft-ietf-tcpinc-tcpcrypt-15 (work in 1662 progress), December 2018. 1664 [I-D.nam-mptcp-deployment-considerations] 1665 Boucadair, M., Jacquenet, C., Bonaventure, O., Henderickx, 1666 W., and R. Skog, "Network-Assisted MPTCP: Use Cases, 1667 Deployment Scenarios and Operational Considerations", 1668 draft-nam-mptcp-deployment-considerations-01 (work in 1669 progress), December 2016. 1671 [I-D.olteanu-intarea-socks-6] 1672 Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6", 1673 draft-olteanu-intarea-socks-6-05 (work in progress), 1674 October 2018. 1676 [I-D.peirens-mptcp-transparent] 1677 Peirens, B., Detal, G., Barre, S., and O. Bonaventure, 1678 "Link bonding with transparent Multipath TCP", draft- 1679 peirens-mptcp-transparent-00 (work in progress), July 1680 2016. 1682 [IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment", 1683 IETF Journal, Fall 2016 , n.d.. 1685 [IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A., 1686 Handley, M., and T. Hideyuki, "Is it still possible to 1687 extend TCP ?", Proceedings of the 2011 ACM SIGCOMM 1688 conference on Internet measurement conference , 2011. 1690 [RFC1323] Jacobson, V., Braden, R., and D. Borman, "TCP Extensions 1691 for High Performance", RFC 1323, DOI 10.17487/RFC1323, May 1692 1992, . 1694 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1695 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1696 . 1698 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 1699 RFC 1919, DOI 10.17487/RFC1919, March 1996, 1700 . 1702 [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and 1703 L. Jones, "SOCKS Protocol Version 5", RFC 1928, 1704 DOI 10.17487/RFC1928, March 1996, 1705 . 1707 [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP 1708 Selective Acknowledgment Options", RFC 2018, 1709 DOI 10.17487/RFC2018, October 1996, 1710 . 1712 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 1713 Defeating Denial of Service Attacks which employ IP Source 1714 Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, 1715 May 2000, . 1717 [RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z. 1718 Shelby, "Performance Enhancing Proxies Intended to 1719 Mitigate Link-Related Degradations", RFC 3135, 1720 DOI 10.17487/RFC3135, June 2001, 1721 . 1723 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 1724 Translation (NAT) Behavioral Requirements for Unicast 1725 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 1726 2007, . 1728 [RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for 1729 Multipath Operation with Multiple Addresses", RFC 6181, 1730 DOI 10.17487/RFC6181, March 2011, 1731 . 1733 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 1734 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 1735 DOI 10.17487/RFC6887, April 2013, 1736 . 1738 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 1739 A., and H. Ashida, "Common Requirements for Carrier-Grade 1740 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 1741 April 2013, . 1743 [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, 1744 "Increasing TCP's Initial Window", RFC 6928, 1745 DOI 10.17487/RFC6928, April 2013, 1746 . 1748 [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT 1749 Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013, 1750 . 1752 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 1753 Scheffenegger, Ed., "TCP Extensions for High Performance", 1754 RFC 7323, DOI 10.17487/RFC7323, September 2014, 1755 . 1757 [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. 1758 Zimmermann, "A Roadmap for Transmission Control Protocol 1759 (TCP) Specification Documents", RFC 7414, 1760 DOI 10.17487/RFC7414, February 2015, 1761 . 1763 [RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and 1764 Operational Experience with Multipath TCP", RFC 8041, 1765 DOI 10.17487/RFC8041, January 2017, 1766 . 1768 [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: 1769 Better Connectivity Using Concurrency", RFC 8305, 1770 DOI 10.17487/RFC8305, December 2017, 1771 . 1773 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1774 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1775 . 1777 Appendix A. Differences with SOCKSv5 1779 At a first glance, the solution proposed in this document could seem 1780 similar to the SOCKS v5 protocol [RFC1928] which is used to proxy TCP 1781 connections. The Client creates a connection to a SOCKS proxy, 1782 exchanges authentication information and indicates the destination 1783 address and port of the final server. At this point, the SOCKS proxy 1784 creates a connection towards the final server and relays all data 1785 between the two proxied connections. The operation of an 1786 implementation based on SOCKSv5 is illustrated in Figure 21. 1788 Client SOCKS Proxy Server 1789 --------------------> 1790 SYN 1791 <-------------------- 1792 SYN+ACK 1793 --------------------> 1794 ACK 1796 --------------------> 1797 Version=5, Auth Methods 1798 <-------------------- 1799 Method 1800 --------------------> 1801 Auth Request (unless "No auth" method negotiated) 1802 <-------------------- 1803 Auth Response 1804 --------------------> 1805 Connect Server:Port --------------------> 1806 SYN 1808 <-------------------- 1809 SYN+ACK 1810 <-------------------- 1811 Succeeded 1813 --------------------> 1814 Data1 1815 --------------------> 1816 Data1 1818 <-------------------- 1819 Data2 1820 <-------------------- 1821 Data2 1823 Figure 21: Establishment of a TCP connection through a SOCKS proxy 1824 without authentication 1826 The Convert protocol also relays data between an upstream and a 1827 downstream connection, but there are important differences with 1828 SOCKSv5. 1830 A first difference is that the Convert protocol leverages the TFO 1831 option [RFC7413] to exchange all control information during the 1832 three-way handshake. This reduces the connection establishment delay 1833 compared to SOCKS that requires two or more round-trip-times before 1834 the establishment of the downstream connection towards the final 1835 destination. In today's Internet, latency is a important metric and 1836 various protocols have been tuned to reduce their latency 1837 [I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS 1838 also leverages the TFO option [I-D.olteanu-intarea-socks-6]. 1840 A second difference is that the Convert protocol explicitly takes the 1841 TCP extensions into account. By using the Convert protocol, the 1842 Client can learn whether a given TCP extension is supported by the 1843 destination Server. This enables the Client to bypass the Transport 1844 Converter when the destination supports the required TCP extension. 1845 Neither SOCKS v5 [RFC1928] nor the proposed SOCKS v6 1846 [I-D.olteanu-intarea-socks-6] provide such a feature. 1848 A third difference is that a Transport Converter will only accept the 1849 connection initiated by the Client provided that the downstream 1850 connection is accepted by the Server. If the Server refuses the 1851 connection establishment attempt from the Transport Converter, then 1852 the upstream connection from the Client is rejected as well. This 1853 feature is important for applications that check the availability of 1854 a Server or use the time to connect as a hint on the selection of a 1855 Server [RFC8305]. 1857 A fourth difference is that the Convert protocol only allows the 1858 client to specify the address/port of the destination server and not 1859 a DNS name. We evaluated an alternate design for the Connect TLV 1860 that included the DNS name of the remote peer instead of its IP 1861 address as in SOCKS [RFC1928]. However, that design was not adopted 1862 because it induces both an extra load and increased delays on the 1863 Transport Converter to handle and manage DNS resolution requests. 1865 Authors' Addresses 1867 Olivier Bonaventure (editor) 1868 Tessares 1870 Email: Olivier.Bonaventure@tessares.net 1872 Mohamed Boucadair (editor) 1873 Orange 1875 Email: mohamed.boucadair@orange.com 1877 Sri Gundavelli 1878 Cisco 1880 Email: sgundave@cisco.com 1881 SungHoon Seo 1882 Korea Telecom 1884 Email: sh.seo@kt.com 1886 Benjamin Hesmans 1887 Tessares 1889 Email: Benjamin.Hesmans@tessares.net