idnits 2.17.1 draft-ietf-tcpm-converters-14.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([This-RFC]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 04, 2019) is 1635 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'This-RFC' is mentioned on line 1670, but not defined ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Obsolete normative reference: RFC 6824 (Obsoleted by RFC 8684) == Outdated reference: A later version (-11) exists of draft-olteanu-intarea-socks-6-07 -- Obsolete informational reference (is this intentional?): RFC 1323 (Obsoleted by RFC 7323) Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TCPM Working Group O. Bonaventure, Ed. 3 Internet-Draft Tessares 4 Intended status: Experimental M. Boucadair, Ed. 5 Expires: May 7, 2020 Orange 6 S. Gundavelli 7 Cisco 8 S. Seo 9 Korea Telecom 10 B. Hesmans 11 Tessares 12 November 04, 2019 14 0-RTT TCP Convert Protocol 15 draft-ietf-tcpm-converters-14 17 Abstract 19 This document specifies an application proxy, called Transport 20 Converter, to assist the deployment of TCP extensions such as 21 Multipath TCP. This proxy is designed to avoid inducing extra delay 22 when involved in a network-assisted connection (that is, 0-RTT). 24 This specification assumes an explicit model, where the proxy is 25 explicitly configured on hosts. 27 -- Editorial Note (To be removed by RFC Editor) 29 Please update these statements with the RFC number to be assigned to 30 this document: [This-RFC] 32 Please update TBA statements with the port number to be assigned to 33 the 0-RTT TCP Convert Protocol. 35 Status of This Memo 37 This Internet-Draft is submitted in full conformance with the 38 provisions of BCP 78 and BCP 79. 40 Internet-Drafts are working documents of the Internet Engineering 41 Task Force (IETF). Note that other groups may also distribute 42 working documents as Internet-Drafts. The list of current Internet- 43 Drafts is at https://datatracker.ietf.org/drafts/current/. 45 Internet-Drafts are draft documents valid for a maximum of six months 46 and may be updated, replaced, or obsoleted by other documents at any 47 time. It is inappropriate to use Internet-Drafts as reference 48 material or to cite them other than as "work in progress." 49 This Internet-Draft will expire on May 7, 2020. 51 Copyright Notice 53 Copyright (c) 2019 IETF Trust and the persons identified as the 54 document authors. All rights reserved. 56 This document is subject to BCP 78 and the IETF Trust's Legal 57 Provisions Relating to IETF Documents 58 (https://trustee.ietf.org/license-info) in effect on the date of 59 publication of this document. Please review these documents 60 carefully, as they describe your rights and restrictions with respect 61 to this document. Code Components extracted from this document must 62 include Simplified BSD License text as described in Section 4.e of 63 the Trust Legal Provisions and are provided without warranty as 64 described in the Simplified BSD License. 66 Table of Contents 68 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 69 1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3 70 1.2. Network-Assisted Connections: The Rationale . . . . . . . 4 71 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 6 72 3. Architecture & Behaviors . . . . . . . . . . . . . . . . . . 7 73 3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 7 74 3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 9 75 3.3. Data Processing at the Transport Converter . . . . . . . 12 76 3.3.1. Base Behavior . . . . . . . . . . . . . . . . . . . . 12 77 3.3.2. Multipath TCP Specifics . . . . . . . . . . . . . . . 14 78 4. Sample Examples . . . . . . . . . . . . . . . . . . . . . . . 15 79 4.1. Outgoing Converter-Assisted Multipath TCP Connections . . 15 80 4.2. Incoming Converter-Assisted Multipath TCP Connection . . 16 81 5. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 17 82 5.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 18 83 5.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 18 84 5.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 18 85 5.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 19 86 5.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 20 87 5.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 20 88 5.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 21 89 5.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 23 90 5.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 24 91 5.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 24 92 6. Compatibility of Specific TCP Options with the Conversion 93 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 94 6.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 28 95 6.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 29 96 6.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 29 97 6.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 29 98 6.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 30 99 6.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 30 100 6.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 31 101 6.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 31 102 6.9. TCP Experimental Options . . . . . . . . . . . . . . . . 31 103 7. Interactions with Middleboxes . . . . . . . . . . . . . . . . 31 104 8. Security Considerations . . . . . . . . . . . . . . . . . . . 32 105 8.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 32 106 8.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 33 107 8.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 34 108 8.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 34 109 8.5. Multipath TCP-specific Considerations . . . . . . . . . . 34 110 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 111 9.1. Convert Service Port Number . . . . . . . . . . . . . . . 35 112 9.2. The Convert Protocol (Convert) Parameters . . . . . . . . 35 113 9.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 35 114 9.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 36 115 9.2.3. Convert Error Messages . . . . . . . . . . . . . . . 36 116 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 117 10.1. Normative References . . . . . . . . . . . . . . . . . . 37 118 10.2. Informative References . . . . . . . . . . . . . . . . . 39 119 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 42 120 Appendix B. Example Socket API Changes to Support the 0-RTT 121 Convert Protocol . . . . . . . . . . . . . . . . . . 44 122 B.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 44 123 B.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 45 124 Appendix C. Some Design Considerations . . . . . . . . . . . . . 46 125 Appendix D. Address Preservation vs. Address Sharing . . . . . . 46 126 D.1. Address Preservation . . . . . . . . . . . . . . . . . . 46 127 D.2. Address/Prefix Sharing . . . . . . . . . . . . . . . . . 47 128 Appendix E. Differences with SOCKSv5 . . . . . . . . . . . . . . 48 129 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 50 130 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 51 131 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52 133 1. Introduction 135 1.1. The Problem 137 Transport protocols like TCP evolve regularly [RFC7414]. TCP has 138 been improved in different ways. Some improvements such as changing 139 the initial window size [RFC6928] or modifying the congestion control 140 scheme can be applied independently on clients and servers. Other 141 improvements such as Selective Acknowledgments [RFC2018] or large 142 windows [RFC7323] require a new TCP option or to change the semantics 143 of some fields in the TCP header. These modifications must be 144 deployed on both clients and servers to be actually used on the 145 Internet. Experience with the latter TCP extensions reveals that 146 their deployment can require many years. Fukuda reports in 147 [Fukuda2011] results of a decade of measurements showing the 148 deployment of Selective Acknowledgments, Window Scale and TCP 149 Timestamps. [ANRW17] describes measurements showing that TCP Fast 150 Open (TFO) [RFC7413] is still not widely deployed. 152 There are some situations where the transport stack used on clients 153 (or servers) can be upgraded at a faster pace than the transport 154 stack running on servers (or clients). In those situations, clients 155 would typically want to benefit from the features of an improved 156 transport protocol even if the servers have not yet been upgraded and 157 conversely. Some assistance from the network to make use of these 158 features is valuable. For example, Performance Enhancing Proxies 159 [RFC3135], and other service functions have been deployed as 160 solutions to improve TCP performance over links with specific 161 characteristics. 163 Recent examples of TCP extensions include Multipath TCP (MPTCP) 164 [RFC6824] or TCPINC [RFC8548]. Those extensions provide features 165 that are interesting for clients such as wireless devices. With 166 Multipath TCP, those devices could seamlessly use WLAN (Wireless 167 Local Area Network) and cellular networks, for bonding purposes, 168 faster hand-overs, or better resiliency. Unfortunately, deploying 169 those extensions on both a wide range of clients and servers remains 170 difficult. 172 More recently, 5G bonding experimentation has been conducted into 173 global range of the incumbent 4G (LTE) connectivity using newly 174 devised clients and a Multipath TCP proxy. Even if the 5G and the 4G 175 bonding relying upon Multipath TCP increases the bandwidth, it is as 176 well crucial to minimize latency for all the way between endhosts 177 regardless of whether intermediate nodes are inside or outside of the 178 mobile core. In order to handle URLLC (Ultra Reliable Low Latency 179 Communication) for the next generation mobile network, Multipath TCP 180 and its proxy mechanism such as the one used to provide Access 181 Traffic Steering, Switching, and Splitting (ATSSS) must be optimized 182 to reduce latency [TS23501]. 184 1.2. Network-Assisted Connections: The Rationale 186 This document specifies an application proxy, called Transport 187 Converter. A Transport Converter is a function that is installed by 188 a network operator to aid the deployment of TCP extensions and to 189 provide the benefits of such extensions to clients. A Transport 190 Converter may provide conversion service for one or more TCP 191 extensions. Which TCP extensions are eligible to the conversion 192 service is deployment-specific. The conversion service is provided 193 by means of the 0-RTT TCP Convert Protocol (Convert), that is an 194 application-layer protocol which uses TCP port number TBA 195 (Section 9). 197 The Convert Protocol provides 0-RTT (Zero Round-Trip Time) conversion 198 service since no extra delay is induced by the protocol compared to 199 connections that are not proxied. Particularly, the Convert Protocol 200 does not require extra signaling setup delays before making use of 201 the conversion service. The Convert Protocol does not require any 202 encapsulation (no tunnels, whatsoever). 204 The Transport Converter adheres to the main principles drawn in 205 [RFC1919]. In particular, a Transport Converter achieves the 206 following: 208 o Listen for client sessions; 210 o Receive from a client the address of the final target server; 212 o Setup a session to the final server; 214 o Relay control messages and data between the client and the server; 216 o Perform access controls according to local policies. 218 The main advantage of network-assisted conversion services is that 219 they enable new TCP extensions to be used on a subset of the path 220 between endpoints, which encourages the deployment of these 221 extensions. Furthermore, the Transport Converter allows the client 222 and the server to directly negotiate TCP extensions for the sake of 223 native support along the full path. 225 The Convert Protocol is a generic mechanism to provide 0-RTT 226 conversion service. As a sample applicability use case, this 227 document specifies how the Convert Protocol applies for Multipath 228 TCP. It is out of scope of this document to provide a comprehensive 229 list of all potential conversion services. Applicability documents 230 may be defined in the future. 232 This document does not assume that all the traffic is eligible to the 233 network-assisted conversion service. Only a subset of the traffic 234 will be forwarded to a Transport Converter according to a set of 235 policies. These policies, and how they are communicated to 236 endpoints, are out of scope. Furthermore, it is possible to bypass 237 the Transport Converter to connect directly to the servers that 238 already support the required TCP extension(s). 240 This document assumes an explicit model in which a client is 241 configured with one or a list of Transport Converters (statically or 242 through protocols such as [I-D.boucadair-tcpm-dhc-converter]). 243 Configuration means are outside the scope of this document. 245 The use of a Transport Converter means that there is no end-to-end 246 transport connection between the client and server. This could 247 potentially create problems in some scenarios such as those discussed 248 in Section 4 of [RFC3135]. Some of these problems may not be 249 applicable, for example, a Transport Converter can inform a client by 250 means of Network Failure (65) or Destination Unreachable (97) error 251 messages (Section 5.2.8) that it encounters a failure problem; the 252 client can react accordingly. An endpoint, or its network 253 administrator, can assess the benefit provided by the Transport 254 Converter service versus the risk. This is one reason why the 255 Transport Converter functionality has to be explicitly requested by 256 an endpoint. 258 This document is organized as follows. First, Section 3 provides a 259 brief explanation of the operation of Transport Converters. Then, 260 Section 5 describes the Convert Protocol. Section 6 discusses how 261 Transport Converters can be used to support different TCP extensions. 262 Section 7 then discusses the interactions with middleboxes, while 263 Section 8 focuses on the security considerations. 265 Appendix B describes how a TCP stack would need to support the 266 protocol described in this document. Appendix C records some 267 considerations that impacted the design of the protocol. Appendix E 268 provides a comparison with SOCKS proxies that are already used to 269 deploy Multipath TCP in some cellular networks (Section 2.2 of 270 [RFC8041]). 272 2. Conventions and Definitions 274 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 275 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 276 "OPTIONAL" in this document are to be interpreted as described in BCP 277 14 [RFC2119][RFC8174] when, and only when, they appear in all 278 capitals, as shown here. 280 The information shown between brackets in the figures refers to 281 Convert Protocol messages described in Section 5. 283 Only the exchange of control messages is depicted in the figures. 285 3. Architecture & Behaviors 287 3.1. Functional Elements 289 The Convert Protocol considers three functional elements: 291 o Clients; 293 o Transport Converters; 295 o Servers. 297 A Transport Converter is a network function that proxies all data 298 exchanged over one upstream connection to one downstream connection 299 and vice versa (Figure 1). The Transport Converter, thus, maintains 300 state that associates one upstream connection to a corresponding 301 downstream connection. 303 A connection can be initiated from both sides of the Transport 304 Converter (Internet-facing interface, customer-facing interface). 306 | 307 : 308 | 309 +------------+ 310 Client <- upstream ->| Transport |<- downstream -> Server 311 connection | Converter | connection 312 +------------+ 313 | 314 customer-facing interface : Internet-facing interface 315 | 317 Figure 1: A Transport Converter Proxies Data between Pairs of TCP 318 Connections 320 "Client" refers to a software instance embedded on a host that can 321 reach a Transport Converter via its customer-facing interface. The 322 "Client" can initiate connections via a Transport Converter (referred 323 to as outgoing connections (Section 4.1)). Also, the "Client" can 324 accept incoming connections via a Transport Converter (referred to as 325 incoming connections (Section 4.2)). 327 Transport Converters can be operated by network operators or third 328 parties. Nevertheless, this document focuses on the single 329 administrative deployment case where the entity offering the 330 connectivity service to a client is also the entity which owns and 331 operates the Transport Converter. 333 A Transport Converter can be embedded in a standalone device or be 334 activated as a service on a router. How such function is enabled is 335 deployment-specific. A sample deployment is depicted in Figure 2. 337 +-+ +-+ +-+ 338 Client - |R| -- |R| -- |R| - - - Server 339 +-+ +-+ +-+ 340 | 341 +-+ 342 |R| 343 +-+ 344 | 345 +---------+ 346 |Transport| 347 |Converter| 348 +---------+ 349 R: Router 351 Figure 2: A Transport Converter Can Be Installed Anywhere in the 352 Network 354 The architecture assumes that new software will be installed on the 355 Client hosts to interact with one or more Transport Converters. 356 Furthermore, the architecture allows for making use of new TCP 357 extensions even if those are not supported by a given server. 359 A Client is configured, through means that are outside the scope of 360 this document, with the names and/or the addresses of one or more 361 Transport Converters and the TCP extensions that they support. The 362 procedure for selecting a Transport Converter among a list of 363 configured Transport Converters is outside the scope of this 364 document. 366 One of the benefits of this design is that different transport 367 protocol extensions can be used on the upstream and the downstream 368 connections. This encourages the deployment of new TCP extensions 369 until they are widely supported by servers, in particular. 371 The architecture does not mandate anything on the Server side. 373 Similar to address sharing mechanisms, the architecture does not 374 interfere with end-to-end TLS connections [RFC8446] between the 375 Client and the Server (Figure 3). In other words, end-to-end TLS is 376 supported in the presence of a Converter. 378 Client Transport Server 379 | Converter | 380 | | | 381 /==========================================\ 382 | End-to-end TLS | 383 \==========================================/ 385 * TLS messages exchanged between the Client 386 and the Server are not shown. 388 Figure 3: End-to-end TLS via a Transport Converter 390 It is out of scope of this document to elaborate on specific 391 considerations related to the use of TLS in the Client-Converter 392 connection leg to exchange Convert messages (in addition to the end- 393 to-end TLS connection). 395 3.2. Theory of Operation 397 At a high level, the objective of the Transport Converter is to allow 398 the use a specific extension, e.g., Multipath TCP, on a subset of the 399 path even if the peer does not support this extension. This is 400 illustrated in Figure 4 where the Client initiates a Multipath TCP 401 connection with the Transport Converter (packets belonging to the 402 Multipath TCP connection are shown with "===") while the Transport 403 Converter uses a regular TCP connection with the Server. 405 Client Transport Server 406 | Converter | 407 | | | 408 |==================>|--------------------->| 409 | | | 410 |<==================|<---------------------| 411 | | | 412 Multipath TCP packets Regular TCP packets 414 Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP 415 Connection 417 The packets belonging to the pair of connections between the Client 418 and Server passing through a Transport Converter may follow a 419 different path than the packets directly exchanged between the Client 420 and the Server. Deployments should minimize the possible additional 421 delay by carefully selecting the location of the Transport Converter 422 used to reach a given destination. 424 When establishing a connection, the Client can, depending on local 425 policies, either contact the Server directly (e.g., by sending a TCP 426 SYN towards the Server) or create the connection via a Transport 427 Converter. In the latter case (that is, the conversion service is 428 used), the Client initiates a connection towards the Transport 429 Converter and indicates the IP address and port number of the Server 430 within the connection establishment packet. Doing so enables the 431 Transport Converter to immediately initiate a connection towards that 432 Server, without experiencing an extra delay. The Transport Converter 433 waits until the receipt of the confirmation that the Server agrees to 434 establish the connection before confirming it to the Client. 436 The Client places the destination address and port number of the 437 Server in the payload of the SYN sent to the Transport Converter to 438 minimize connection establishment delays. The Transport Converter 439 maintains two connections that are combined together: 441 o the upstream connection is the one between the Client and the 442 Transport Converter. 444 o the downstream connection is between the Transport Converter and 445 the Server. 447 Any user data received by the Transport Converter over the upstream 448 (or downstream) connection is proxied over the downstream (or 449 upstream) connection. In particular, if the initial SYN message 450 contains data in its payload (e.g., [RFC7413]), that data MUST be 451 placed right after the Convert TLVs when generating the SYN. 453 The Converter associates a lifetime with state entries used to bind 454 an upstream connection with its downstream connection. 456 Figure 5 illustrates the establishment of an outgoing TCP connection 457 by a Client through a Transport Converter. 459 Transport 460 Client Converter Server 461 | | | 462 |SYN [->Server:port]| SYN | 463 |------------------>|--------------------->| 464 |<------------------|<---------------------| 465 | SYN+ACK [ ] | SYN+ACK | 466 | ... | ... | 468 Figure 5: Establishment of an Outgoing TCP Connection Through a 469 Transport Converter 471 The Client sends a SYN destined to the Transport Converter. The 472 payload of this SYN contains the address and port number of the 473 Server. The Transport Converter does not reply immediately to this 474 SYN. It first tries to create a TCP connection towards the target 475 Server. If this upstream connection succeeds, the Transport 476 Converter confirms the establishment of the connection to the Client 477 by returning a SYN+ACK and the first bytes of the bytestream contain 478 information about the TCP options that were negotiated with the 479 Server. Also, a state entry is instantiated for this connection. 480 This state entry is used by the Converter to handle subsequent 481 messages belonging to the connection. 483 The connection can also be established from the Internet towards a 484 Client via a Transport Converter (Figure 6). This is typically the 485 case when an application on the Client listens to a specific port 486 (the Client hosts an application server, typically). When the 487 Converter receives an incoming SYN from a remote host, it checks if 488 it can provide the conversion service for the destination IP address 489 and destination port number of that SYN. If the check fails, the 490 packet is silently ignored by the Converter. If the check is 491 successful, the Converter inserts the source IP address and source 492 port number in the SYN packet, rewrites the source IP address to one 493 of its IP addresses and, eventually (i.e., only when the Converter is 494 configured in an address sharing mode), the destination IP address 495 and port number in accordance with any information stored locally. 496 That SYN is then forwarded to the next hop. A transport session 497 entry is created by the Converter for this connection. SYN+ACK and 498 ACK will be then exchanged between the Client, the Converter, and 499 remote host to confirm the establishment of the connection. The 500 Converter uses the transport session entry to proxy packets belonging 501 to the connection. 503 Transport Remote 504 Client Converter Host (RH) 505 | | | 506 |SYN [<-RH IP@:port]| SYN | 507 |<------------------|<---------------------| 508 |------------------>|--------------------->| 509 | SYN+ACK [ ] | SYN+ACK | 510 | ... | ... | 512 Figure 6: Establishment of an Incoming TCP Connection Through a 513 Transport Converter 515 Standard TCP ([RFC0793], Section 3.4) allows a SYN packet to carry 516 data inside its payload but forbids the receiver from delivering it 517 to the application until completion of the three-way-handshake. To 518 enable applications to exchange data in a TCP handshake, this 519 specification follows an approach similar to TCP Fast Open [RFC7413] 520 and thus removes the constraint by allowing data in SYN packets to be 521 delivered to the Transport Converter application. 523 As discussed in [RFC7413], such change to TCP semantic raises two 524 issues. First, duplicate SYNs can cause problems for some 525 applications that rely on TCP. Second, TCP suffers from SYN flooding 526 attacks [RFC4987]. TFO solves these two problems for applications 527 that can tolerate replays by using the TCP Fast Open option that 528 includes a cookie. However, the utilization of this option consumes 529 space in the limited TCP header. Furthermore, there are situations, 530 as noted in Section 7.3 of [RFC7413] where it is possible to accept 531 the payload of SYN packets without creating additional security risks 532 such as a network where addresses cannot be spoofed and the Transport 533 Converter only serves a set of hosts that are identified by these 534 addresses. 536 For these reasons, this specification does not mandate the use of the 537 TCP Fast Open option when the Client sends a connection establishment 538 packet towards a Transport Converter. The Convert Protocol includes 539 an optional Cookie TLV that provides similar protection as the TCP 540 Fast Open option without consuming space in the extended TCP header. 541 In particular, this design allows for the use of longer cookies. 543 If the downstream (or upstream) connection fails for some reason 544 (excessive retransmissions, reception of an RST segment, etc.), then 545 the Converter should force the tear-down of the upstream (or 546 downstream) connection. 548 The same reasoning applies when the upstream connection ends. In 549 this case, the Converter should also terminate the downstream 550 connection by using FIN segments. If the downstream connection 551 terminates with the exchange of FIN segments, the Converter should 552 initiate a graceful termination of the upstream connection. 554 3.3. Data Processing at the Transport Converter 556 3.3.1. Base Behavior 558 As mentioned in Section 3.2, the Transport Converter acts as a TCP 559 proxy between the upstream connection (i.e., between the Client and 560 the Transport Converter) and the downstream connection (i.e., between 561 the Transport Converter and the Server). 563 The control messages, discussed in Section 5, establish state 564 (called, transport session entry) in the Transport Converter that 565 will enable it to proxy between the two TCP connections. 567 The Transport Converter uses the transport session entry to proxy 568 packets belonging to the connection. An implementation example of a 569 transport session entry for TCP connections is shown in Figure 7. 571 (C,c) <--> (T,t), (S,s), Lifetime 573 Where: 574 * C and c are the source IP address and source port number 575 used by the Client for the upstream connection. 576 * S and s are the Server's IP address and port number. 577 * T and t are the source IP address and source port number 578 used by the Transport Converter to proxy the connection. 579 * Lifetime is the validity lifetime of the entry as assigned 580 by the Converter. 582 Figure 7: An Example of Transport Session Entry (TCP) 584 Clients send packets bound to connections eligible to the conversion 585 service to the provisioned Transport Converter using TBA as 586 destination port number. This applies for both control messages and 587 data. Additional information is supplied by Clients to the Transport 588 Converter by means of Convert messages as detailed in Section 5. 589 User data can be included in SYN or non-SYN messages. User data is 590 unambiguously distinguished from Convert TLVs by a Transport 591 Converter owing to the Convert Fixed Header in the Convert messages 592 (Section 5.1). These Convert TLVs are destined to the Transport 593 Convert and are, thus, removed by the Transport Converter when 594 proxying between the two connections. 596 Upon receipt of a Non-SYN (or a secondary subflow for Multipath TCP) 597 on port number TBA by the Transport Converter from a Client, the 598 Converter checks if the packet matches an active transport session 599 entry. If no entry is found, the Transport Converter MUST silently 600 ignore the packet. If an entry is found, the user data is proxied to 601 the Server using the information stored in the corresponding 602 transport session entry. For example, in reference to Figure 7, the 603 Transport Converter proxies the data received from (C, c) downstream 604 using (T,t) as source transport address and (S,s) as destination 605 transport address. 607 A similar process happens for data sent from the Server. The 608 Converter acts as a TCP proxy and sends the data to the Client 609 relying upon the information stored in a transport session entry. 611 Considerations that are specific to Multipath TCP are described in 612 Section 3.3.2. 614 A Transport Converter may operate in address preservation mode (that 615 is, the Converter does not rewrite the source IP address (i.e., 616 C==T)) or address sharing mode (that is, an address pool is shared 617 among all Clients serviced by the Converter (i.e., C!=T)); refer to 618 Appendix D for more details. Which behavior to use by a Transport 619 Converter is deployment-specific. If address sharing mode is 620 enabled, the Transport Converter MUST adhere to REQ-2 of [RFC6888] 621 which implies a default "IP address pooling" behavior of "Paired" (as 622 defined in Section 4.1 of [RFC4787]) must be supported. This 623 behavior is meant to avoid breaking applications that depend on the 624 source address remaining constant. 626 3.3.2. Multipath TCP Specifics 628 Note that for the Multipath TCP case, the Convert TLVs are only 629 exchanged during the establishment of the initial subflow. 631 The Transport Converter identifies an MPTCP connection by means, 632 e.g., of the token assigned to the MPTCP connection (Section 2.2 of 633 [RFC6824]). An implementation example of an MPTCP transport session 634 entry maintained by a Transport Converter is shown in Figure 8. The 635 entry needs to be updated whenever subflows are added to, or deleted 636 from, the MPTCP connection. 638 token, {(C1,c1), .., (Cn, cn)} <--> (T,t), (S,s), Lifetime 640 Where: 641 * Token is a locally unique identifier given to a (upstream) 642 multipath connection by the Transport Converter. The token 643 is a one-way hash of the MPTCP key. 644 * Ci and ci are the source IP address and source port number 645 used by the Client for a subflow of an (upstream) MPTCP 646 connection. 647 * S and s are the Server's IP address and port number. 648 * T and t are the source IP address and source port number 649 used by the Transport Converter to proxy the connection. 650 * Lifetime is the validity lifetime of the entry as assigned 651 by the Converter. 653 Figure 8: An Example of MPTCP Transport Session Entry 655 Upon receipt of a secondary subflow by the Transport Converter from a 656 Client, the Converter follows the same behavior specified in 657 Section 3.3.1 for processing Non-SYNs. For example, in reference to 658 Figure 8, the Transport Converter proxies the data received from a 659 new subflow of an existing Multipath TCP connection (Cn, cn) 660 downstream using (T,t) as source transport address and (S,s) as 661 destination transport address. 663 4. Sample Examples 665 4.1. Outgoing Converter-Assisted Multipath TCP Connections 667 As an example, let us consider how the Convert Protocol can help the 668 deployment of Multipath TCP. We assume that both the Client and the 669 Transport Converter support Multipath TCP, but consider two different 670 cases depending on whether the Server supports Multipath TCP or not. 672 As a reminder, a Multipath TCP connection is created by placing the 673 MP_CAPABLE (MPC) option in the SYN sent by the Client. 675 Figure 9 describes the operation of the Transport Converter if the 676 Server does not support Multipath TCP. 678 Transport 679 Client Converter Server 680 |SYN, | | 681 |MPC [->Server:port]| SYN, MPC | 682 |------------------>|--------------------->| 683 |<------------------|<---------------------| 684 | SYN+ACK,MPC [.] | SYN+ACK | 685 |------------------>|--------------------->| 686 | ACK, MPC | ACK | 687 | ... | ... | 689 Figure 9: Establishment of a Multipath TCP Connection Through a 690 Transport Converter towards a Server that Does Not Support Multipath 691 TCP 693 The Client tries to initiate a Multipath TCP connection by sending a 694 SYN with the MP_CAPABLE option (MPC in Figure 9). The SYN includes 695 the address and port number of the target Server, that are extracted 696 and used by the Transport Converter to initiate a Multipath TCP 697 connection towards this Server. Since the Server does not support 698 Multipath TCP, it replies with a SYN+ACK that does not contain the 699 MP_CAPABLE option. The Transport Converter notes that the connection 700 with the Server does not support Multipath TCP and returns the 701 extended TCP header received from the Server to the Client. 703 Note that, if the TCP connection fails for some reason, the Converter 704 tears down the Multipath TCP connection by transmitting a 705 MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with 706 the transmission of DATA_FINs, the Converter terminates the TCP 707 connection by using FIN segments. As a side note, given that with 708 Multipath TCP, RST only has the scope of the subflow and will only 709 close the concerned subflow but not affect the remaining subflows, 710 the Converter does not terminate the TCP connection upon receipt of 711 an RST over a Multipath subflow. 713 Figure 10 considers a Server that supports Multipath TCP. In this 714 case, it replies to the SYN sent by the Transport Converter with the 715 MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport 716 Converter confirms the establishment of the connection to the Client 717 and indicates to the Client that the Server supports Multipath TCP. 718 With this information, the Client has discovered that the Server 719 supports Multipath TCP natively. This will enable the Client to 720 bypass the Transport Converter for the subsequent Multipath TCP 721 connections that it will initiate towards this Server. 723 Transport 724 Client Converter Server 725 |SYN, | | 726 |MPC [->Server:port]| SYN, MPC | 727 |------------------>|--------------------->| 728 |<------------------|<---------------------| 729 |SYN+ACK, | SYN+ACK, MPC | 730 |MPC [MPC supported]| | 731 |------------------>|--------------------->| 732 | ACK, MPC | ACK, MPC | 733 | ... | ... | 735 Figure 10: Establishment of a Multipath TCP Connection Through a 736 Converter Towards an MPTCP-capable Server 738 4.2. Incoming Converter-Assisted Multipath TCP Connection 740 An example of an incoming Converter-assisted Multipath TCP connection 741 is depicted in Figure 11. In order to support incoming connections 742 from remote hosts, the Client may use PCP [RFC6887] to instruct the 743 Transport Converter to create dynamic mappings. Those mappings will 744 be used by the Transport Converter to intercept an incoming TCP 745 connection destined to the Client and convert it into a Multipath TCP 746 connection. 748 Typically, the Client sends a PCP request to the Converter asking to 749 create an explicit TCP mapping for (internal IP address, internal 750 port number). The Converter accepts the request by creating a TCP 751 mapping (internal IP address, internal port number, external IP 752 address, external port number). The external IP address and external 753 port number will be then advertised using an out-of-band mechanism so 754 that remote hosts can initiate TCP connections to the Client via the 755 Converter. Note that the external and internal information may be 756 the same. 758 Then, when the Converter receives an incoming SYN, it checks its 759 mapping table to verify if there is an active mapping matching the 760 destination IP address and destination port of that SYN. If no entry 761 is found, the Converter silently ignores the message. If an entry is 762 found, the Converter inserts an MP_CAPABLE option and Connect TLV in 763 the SYN packet, rewrites the source IP address to one of its IP 764 addresses and, eventually, the destination IP address and port number 765 in accordance with the information stored in the mapping. SYN+ACK 766 and ACK will be then exchanged between the Client and the Converter 767 to confirm the establishment of the initial subflow. The Client can 768 add new subflows following normal Multipath TCP procedures. 770 Transport Remote 771 Client Converter Host 772 | | | 773 |<--------------------|<-------------------| 774 |SYN, | SYN | 775 |MPC[Remote Host:port]| | 776 |-------------------->|------------------->| 777 | SYN+ACK, MPC | SYN+ACK | 778 |<--------------------|<-------------------| 779 | ACK, MPC | ACK | 780 | ... | ... | 782 Figure 11: Establishment of an Incoming Multipath TCP Connection 783 through a Transport Converter 785 It is out of scope of this document to define specific Convert TLVs 786 to manage incoming connections. These TLVs can be defined in a 787 separate document. 789 5. The Convert Protocol (Convert) 791 This section defines the Convert Protocol (Convert, for short) 792 messages that are exchanged between a Client and a Transport 793 Converter. 795 By default, the Transport Converter listens on TCP port number TBA 796 for Convert messages from Clients. 798 Convert messages may appear only in a SYN, SYN+ACK, or ACK. 800 Convert messages MUST be included as the first bytes of the 801 bytestream. All Convert messages starts with a 32 bits long fixed 802 header (Section 5.1) followed by one or more Convert TLVs (Type, 803 Length, Value) (Section 5.2). 805 5.1. The Convert Fixed Header 807 The Convert Protocol uses a 32 bits long fixed header that is sent by 808 both the Client and the Transport Converter over each established 809 connection. This header indicates both the version of the protocol 810 used and the length of the Convert message. 812 The Client and the Transport Converter MUST send the fixed-sized 813 header, shown in Figure 12, as the first four bytes of the 814 bytestream. 816 1 2 3 817 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 818 +---------------+---------------+-------------------------------+ 819 | Version | Total Length | Unassigned | 820 +---------------+---------------+-------------------------------+ 822 Figure 12: The Convert Fixed Header 824 The Version is encoded as an 8 bits unsigned integer value. This 825 document specifies version 1. Version 0 is reserved by this document 826 and MUST NOT be used. 828 The Total Length is the number of 32 bits word, including the header, 829 of the bytestream that are consumed by the Convert messages. Since 830 Total Length is also an 8 bits unsigned integer, those messages 831 cannot consume more than 1020 bytes of data. This limits the number 832 of bytes that a Transport Converter needs to process. A Total Length 833 of zero is invalid and the connection MUST be reset upon reception of 834 a header with such total length. 836 The Unassigned field MUST be set to zero in this version of the 837 protocol. These bits are available for future use [RFC8126]. 839 Data added by the Convert Protocol to the TCP bytestream is 840 unambiguously distinguished from payload data by the Total Length 841 field in the Convert messages. 843 5.2. Convert TLVs 845 5.2.1. Generic Convert TLV Format 847 The Convert Protocol uses variable length messages that are encoded 848 using the generic TLV format depicted in Figure 13. 850 The length of all TLVs used by the Convert Protocol is always a 851 multiple of four bytes. All TLVs are aligned on 32 bits boundaries. 852 All TLV fields are encoded using the network byte order. 854 1 2 3 855 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 856 +---------------+---------------+-------------------------------+ 857 | Type | Length | Value ... | 858 +---------------+---------------+-------------------------------+ 859 // ... (optional) Value // 860 +---------------------------------------------------------------+ 862 Figure 13: Convert Generic TLV Format 864 The Length field covers Type, Length, and Value fields. It is 865 expressed in units of 32 bits words. If necessary, Value MUST be 866 padded with zeroes so that the length of the TLV is a multiple of 32 867 bits. 869 A given TLV MUST only appear once on a connection. If two or more 870 instances of the same TLV are exchanged over a Convert connection, 871 the associated TCP connections MUST be closed. 873 5.2.2. Summary of Supported Convert TLVs 875 This document specifies the following Convert TLVs: 877 +------+-----+----------+------------------------------------------+ 878 | Type | Hex | Length | Description | 879 +------+-----+----------+------------------------------------------+ 880 | 1 | 0x1 | 1 | Info TLV | 881 | 10 | 0xA | Variable | Connect TLV | 882 | 20 | 0x14| Variable | Extended TCP Header TLV | 883 | 21 | 0x15| Variable | Supported TCP Extensions TLV | 884 | 22 | 0x16| Variable | Cookie TLV | 885 | 30 | 0x1E| Variable | Error TLV | 886 +------+-----+----------+------------------------------------------+ 888 Figure 14: The TLVs used by the Convert Protocol 890 Type 0x0 is a reserved valued. Implementations MUST discard messages 891 with such TLV. 893 The Client typically sends in the first connection it established 894 with a Transport Converter the Info TLV (Section 5.2.3) to learn its 895 capabilities. Assuming the Client is authorized to invoke the 896 Transport Converter, the latter replies with the Supported TCP 897 Extensions TLV (Section 5.2.4). 899 The Client can request the establishment of connections to servers by 900 using the Connect TLV (Section 5.2.5). If the connection can be 901 established with the final server, the Transport Converter replies 902 with the Extended TCP Header TLV (Section 5.2.6). If not, the 903 Transport Converter returns an Error TLV (Section 5.2.8) and then 904 closes the connection. 906 When an error is encountered an Error TLV with the appropriate error 907 code MUST be returned by the Transport Converter. 909 5.2.3. The Info TLV 911 The Info TLV (Figure 15) is an optional TLV which can be sent by a 912 Client to request the TCP extensions that are supported by a 913 Transport Converter. It is typically sent on the first connection 914 that a Client establishes with a Transport Converter to learn its 915 capabilities. Assuming a Client is entitled to invoke the Transport 916 Converter, the latter replies with the Supported TCP Extensions TLV 917 described in Section 5.2.4. 919 1 2 3 920 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 921 +---------------+---------------+-------------------------------+ 922 | Type=0x1 | Length | Zero | 923 +---------------+---------------+-------------------------------+ 925 Figure 15: The Info TLV 927 5.2.4. Supported TCP Extensions TLV 929 The Supported TCP Extensions TLV (Figure 16) is used by a Transport 930 Converter to announce the TCP options for which it provides a 931 conversion service. A Transport Converter SHOULD include in this 932 list the TCP options that it accepts from Clients; these options are 933 included by the Transport Converter in the SYN packets that it sends 934 to initiate connections. 936 Each supported TCP option is encoded with its TCP option Kind listed 937 in the "TCP Parameters" registry maintained by IANA. 939 1 2 3 940 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 941 +---------------+---------------+-------------------------------+ 942 | Type=0x15 | Length | Unassigned | 943 +---------------+---------------+-------------------------------+ 944 | Kind #1 | Kind #2 | ... | 945 +---------------+---------------+-------------------------------+ 946 / ... / 947 / / 948 +---------------------------------------------------------------+ 950 Figure 16: The Supported TCP Extensions TLV 952 TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by 953 all TCP implementations and thus MUST NOT appear in this list. 955 The list of Supported TCP Extensions is padded with 0 to end on a 32 956 bits boundary. 958 For example, if the Transport Converter supports Multipath TCP, 959 Kind=30 will be present in the Supported TCP Extensions TLV that it 960 returns in response to Info TLV. 962 5.2.5. Connect TLV 964 The Connect TLV (Figure 17) is used to request the establishment of a 965 connection via a Transport Converter. This connection can be from or 966 to a Client. 968 The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain 969 the destination port number and IP address of the Server, for 970 outgoing connections. For incoming connections destined to a Client 971 serviced via a Transport Converter, these fields convey the source 972 port number and IP address. 974 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 975 addresses MUST be encoded using the IPv4-Mapped IPv6 Address format 976 defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT 977 include multicast, broadcast, and host loopback addresses [RFC6890]. 978 Connect TLVs witch such messages MUST be discarded by the Transport 979 Converter. 981 We distinguish two types of Connect TLV based on their length: (1) 982 the base Connect TLV has a length of 20 bytes and contains a remote 983 address and a remote port, (2) the extended Connect TLV spans more 984 than 20 bytes and also includes the optional 'TCP Options' field. 985 This field is used to specify how specific TCP options should be 986 advertised by the Transport Converter to the server. 988 1 2 3 989 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 990 +---------------+---------------+-------------------------------+ 991 | Type=0xA | Length | Remote Peer Port | 992 +---------------+---------------+-------------------------------+ 993 | | 994 | Remote Peer IP Address (128 bits) | 995 | | 996 | | 997 +---------------------------------------------------------------+ 998 / TCP Options (Variable) / 999 / ... / 1000 +---------------------------------------------------------------+ 1002 Figure 17: The Connect TLV 1004 The 'TCP Options' field is a variable length field that carries a 1005 list of TCP option fields (Figure 18). Each TCP option field is 1006 encoded as a block of 2+n bytes where the first byte is the TCP 1007 option Kind and the second byte is the length of the TCP option as 1008 specified in [RFC0793]. The minimum value for the TCP option Length 1009 is 2. The TCP options that do not include a length sub-field, i.e., 1010 option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be 1011 placed inside the TCP options field of the Connect TLV. The optional 1012 Value field contains the variable-length part of the TCP option. A 1013 length of two indicates the absence of the Value field. The TCP 1014 options field always ends on a 32 bits boundary after being padded 1015 with zeros. 1017 1 2 3 1018 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1019 +---------------+---------------+---------------+---------------+ 1020 | TCPOpt kind | TCPOpt Length | Value (opt) | .... | 1021 +---------------+---------------+---------------+---------------+ 1022 | .... | 1023 +---------------------------------------------------------------+ 1024 | ... | 1025 +---------------------------------------------------------------+ 1027 Figure 18: The TCP Options Field 1029 Upon reception of a Connect TLV, and absent any policy (e.g., rate- 1030 limit) or resource exhaustion conditions, a Transport Converter 1031 attempts to establish a connection to the address and port that it 1032 contains. The Transport Converter MUST use by default the TCP 1033 options that correspond to its local policy to establish this 1034 connection. These are the options that it advertises in the 1035 Supported TCP Extensions TLV. 1037 Upon reception of an extended Connect TLV, and absent any rate limit 1038 policy or resource exhaustion conditions, a Transport Converter MUST 1039 attempt to establish a connection to the address and port that it 1040 contains. It MUST include the options of the 'TCP Options' sub-field 1041 in the SYN sent to the Server in addition to the TCP options that it 1042 would have used according to its local policies. For the TCP options 1043 that are listed without an optional value, the Transport Converter 1044 MUST generate its own value. For the TCP options that are included 1045 in the 'TCP Options' field with an optional value, it MUST copy the 1046 entire option for use in the connection with the destination peer. 1047 This feature is required to support TCP Fast Open. 1049 The Transport Converter may discard a Connect TLV request for various 1050 reasons (e.g., authorization failed, out of resources, invalid 1051 address type). An error message indicating the encountered error is 1052 returned to the requesting Client (Section 5.2.8). In order to 1053 prevent denial-of-service attacks, error messages sent to a Client 1054 SHOULD be rate-limited. 1056 5.2.6. Extended TCP Header TLV 1058 The Extended TCP Header TLV (Figure 19) is used by the Transport 1059 Converter to send to the Client the extended TCP header that was 1060 returned by the Server in the SYN+ACK packet. This TLV is only sent 1061 if the Client sent a Connect TLV to request the establishment of a 1062 connection. 1064 1 2 3 1065 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1066 +---------------+---------------+-------------------------------+ 1067 | Type=0x14 | Length | Unassigned | 1068 +---------------+---------------+-------------------------------+ 1069 / Returned Extended TCP header / 1070 / ... / 1071 +---------------------------------------------------------------+ 1073 Figure 19: The Extended TCP Header TLV 1075 The Returned Extended TCP header field is a copy of the extended 1076 header that was received in the SYN+ACK by the Transport Converter. 1078 The Unassigned field MUST be set to zero by the sender and ignored by 1079 the receiver. These bits are available for future use [RFC8126]. 1081 5.2.7. The Cookie TLV 1083 The Cookie TLV (Figure 20 is an optional TLV which use is similar to 1084 the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want 1085 to verify that a Client can receive the packets that it sends to 1086 prevent attacks from spoofed addresses. This verification can be 1087 done by using a Cookie that is bound to, for example, the IP 1088 address(es) of the Client. This Cookie can be configured on the 1089 Client by means that are outside of this document or provided by the 1090 Transport Converter as follows. 1092 A Transport Converter that has been configured to use the optional 1093 Cookie TLV MUST verify the presence of this TLV in the payload of the 1094 received SYN. If this TLV is present, the Transport Converter MUST 1095 validate the Cookie by means similar to those in Section 4.1.2 of 1096 [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the 1097 connection establishment procedure can continue. Otherwise, the 1098 Transport Converter MUST return an Error TLV set to "Not Authorized" 1099 and close the connection. 1101 If the received SYN did not contain a Cookie TLV, and cookie 1102 validation is required, the Transport Converter should compute a 1103 Cookie bound to this Client address and return a Convert message 1104 containing the fixed header, an Error TLV set to "Missing Cookie" and 1105 the computed Cookie and close the connection. The Client will react 1106 to this error by storing the received Cookie in its cache and attempt 1107 to reestablish a new connection to the Transport Converter that 1108 includes the Cookie TLV. 1110 The format of the Cookie TLV is shown in Figure 20. 1112 1 2 3 1113 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1114 +---------------+---------------+-------------------------------+ 1115 | Type=0x16 | Length | Zero | 1116 +---------------+---------------+-------------------------------+ 1117 / Opaque Cookie / 1118 / ... / 1119 +---------------------------------------------------------------+ 1121 Figure 20: The Cookie TLV 1123 5.2.8. Error TLV 1125 The Error TLV (Figure 21) is meant to provide information about some 1126 errors that occurred during the processing of a Convert message. 1127 This TLV has a variable length. Upon reception of an Error TLV, a 1128 Client MUST close the associated connection. 1130 1 2 3 1131 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1132 +---------------+---------------+----------------+--------------+ 1133 | Type=0x1E | Length | Error Code | Value | 1134 +---------------+---------------+----------------+--------------+ 1135 // ... (optional) Value // 1136 +---------------------------------------------------------------+ 1138 Figure 21: The Error TLV 1140 Different types of errors can occur while processing Convert 1141 messages. Each error is identified by an Error Code represented as 1142 an unsigned integer. Four classes of error codes are defined: 1144 o Message validation and processing errors (0-31 range): returned 1145 upon reception of an invalid message (including valid messages but 1146 with invalid or unknown TLVs). 1148 o Client-side errors (32-63 range): the Client sent a request that 1149 could not be accepted by the Transport Converter (e.g., 1150 unsupported operation). 1152 o Converter-side errors (64-95 range): problems encountered on the 1153 Transport Converter (e.g., lack of resources) which prevent it 1154 from fulfilling the Client's request. 1156 o Errors caused by the destination server (96-127 range): the final 1157 destination could not be reached or it replied with a reset. 1159 The following error codes are defined in this document: 1161 o Unsupported Version (0): The version number indicated in the fixed 1162 header of a message received from a peer is not supported. 1164 This error code MUST be generated by a Transport Converter (or 1165 Client) when it receives a request having a version number that it 1166 does not support. 1168 The value field MUST be set to the version supported by the 1169 Transport Converter (or Client). When multiple versions are 1170 supported by the Transport Converter (or Client), it includes the 1171 list of supported version in the value field; each version is 1172 encoded in 8 bits. The list of supported versions should be 1173 padded with zeros to end on a 32 bits boundary. 1175 Upon receipt of this error code, the Client (or Transport 1176 Converter) checks whether it supports one of the versions returned 1177 by the Transport Converter (or Client). The highest common 1178 supported version MUST be used by the Client (or Transport 1179 Converter) in subsequent exchanges with the Transport Converter 1180 (or Client). 1182 o Malformed Message (1): This error code is sent to indicate that a 1183 message received from a peer is can not be successfully parsed and 1184 validated. 1186 Typically, this error code is sent by the Transport Converter if 1187 it receives a Connect TLV enclosing a multicast, broadcast, or 1188 loopback IP address. 1190 To ease troubleshooting, the value field MUST echo the received 1191 message shifted by one byte to keep to original alignment of the 1192 message. 1194 o Unsupported Message (2): This error code is sent to indicate that 1195 a message type received from a peer is not supported. 1197 To ease troubleshooting, the value field MUST echo the received 1198 message shifted by one byte to keep to original alignment of the 1199 message. 1201 o Missing Cookie (3): If a Transport Converter requires the 1202 utilization of Cookies to prevent spoofing attacks and a Cookie 1203 TLV was not included in the Convert message, the Transport 1204 Converter MUST return this error to the requesting client. The 1205 first byte of the value field MUST be set to zero and the 1206 remaining bytes of the Error TLV contain the Cookie computed by 1207 the Transport Converter for this Client. 1209 A Client which receives this error code MUST cache the received 1210 Cookie and include it in subsequent Convert messages sent to that 1211 Transport Converter. 1213 o Not Authorized (32): This error code indicates that the Transport 1214 Converter refused to create a connection because of a lack of 1215 authorization (e.g., administratively prohibited, authorization 1216 failure, invalid Cookie TLV, etc.). The Value field MUST be set 1217 to zero. 1219 This error code MUST be sent by the Transport Converter when a 1220 request cannot be successfully processed because the authorization 1221 failed. 1223 o Unsupported TCP Option (33): A TCP option that the Client 1224 requested to advertise to the final Server cannot be safely used. 1226 The Value field is set to the type of the unsupported TCP option. 1227 If several unsupported TCP options were specified in the Connect 1228 TLV, then the list of unsupported TCP options is returned. The 1229 list of unsupported TCP options MUST be padded with zeros to end 1230 on a 32 bits boundary. 1232 o Resource Exceeded (64): This error indicates that the Transport 1233 Converter does not have enough resources to perform the request. 1235 This error MUST be sent by the Transport Converter when it does 1236 not have sufficient resources to handle a new connection. The 1237 Transport Converter may indicate in the Value field the suggested 1238 delay (in seconds) that the Client SHOULD wait before soliciting 1239 the Transport Converter for a new proxied connection. A Value of 1240 zero corresponds to a default delay of at least 30 seconds. 1242 o Network Failure (65): This error indicates that the Transport 1243 Converter is experiencing a network failure to proxy the request. 1245 The Transport Converter MUST send this error code when it 1246 experiences forwarding issues to proxy a connection. The 1247 Transport Converter may indicate in the Value field the suggested 1248 delay (in seconds) that the Client SHOULD wait before soliciting 1249 the Transport Converter for a new proxied connection. A Value of 1250 zero corresponds to a default delay of at least 30 seconds. 1252 o Connection Reset (96): This error indicates that the final 1253 destination responded with an RST packet. The Value field MUST be 1254 set to zero. 1256 o Destination Unreachable (97): This error indicates that an ICMP 1257 destination unreachable, port unreachable, or network unreachable 1258 was received by the Transport Converter. The Value field MUST 1259 echo the Code field of the received ICMP message. 1261 Figure 22 summarizes the different error codes. 1263 +-------+------+-----------------------------------------------+ 1264 | Error | Hex | Description | 1265 +-------+------+-----------------------------------------------+ 1266 | 0 | 0x00 | Unsupported Version | 1267 | 1 | 0x01 | Malformed Message | 1268 | 2 | 0x02 | Unsupported Message | 1269 | 3 | 0x03 | Missing Cookie | 1270 | 32 | 0x20 | Not Authorized | 1271 | 33 | 0x21 | Unsupported TCP Option | 1272 | 64 | 0x40 | Resource Exceeded | 1273 | 65 | 0x41 | Network Failure | 1274 | 96 | 0x60 | Connection Reset | 1275 | 97 | 0x61 | Destination Unreachable | 1276 +-------+------+-----------------------------------------------+ 1278 Figure 22: Convert Error Values 1280 6. Compatibility of Specific TCP Options with the Conversion Service 1282 In this section, we discuss how several standard track TCP options 1283 can be supported through the Convert Protocol. The non-standard 1284 track options and the experimental options will be discussed in other 1285 documents. 1287 6.1. Base TCP Options 1289 Three TCP options were initially defined in [RFC0793]: End-of-Option 1290 List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size 1291 (Kind=2). The first two options are mainly used to pad the TCP 1292 header. There is no reason for a client to request a Transport 1293 Converter to specifically send these options towards the final 1294 destination. 1296 The Maximum Segment Size option (Kind=2) is used by a host to 1297 indicate the largest segment that it can receive over each 1298 connection. This value is function of the stack that terminates the 1299 TCP connection. There is no reason for a Client to request a 1300 Transport Converter to advertise a specific MSS value to a remote 1301 server. 1303 A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they 1304 appear in a Connect TLV. It MUST NOT announce them in a Supported 1305 TCP Extensions TLV. 1307 6.2. Window Scale (WS) 1309 The Window Scale (WS) option (Kind=3) is defined in [RFC7323]. As 1310 for the MSS option, the window scale factor that is used for a 1311 connection strongly depends on the TCP stack that handles the 1312 connection. When a Transport Converter opens a TCP connection 1313 towards a remote server on behalf of a Client, it SHOULD use a WS 1314 option with a scaling factor that corresponds to the configuration of 1315 its stack. A local configuration MAY allow for WS option in the 1316 proxied message to be function of the scaling factor of the incoming 1317 connection. 1319 There is no benefit from a deployment viewpoint in enabling a Client 1320 of a Transport Converter to specifically request the utilization of 1321 the WS option (Kind=3) with a specific scaling factor towards a 1322 remote Server. For this reason, a Transport Converter MUST ignore 1323 option Kind=3 if it appears in a Connect TLV. It MUST NOT announce 1324 it in a Supported TCP Extensions TLV. 1326 6.3. Selective Acknowledgments 1328 Two distinct TCP options were defined to support selective 1329 acknowledgments in [RFC2018]. This first one, SACK Permitted 1330 (Kind=4), is used to negotiate the utilization of selective 1331 acknowledgments during the three-way handshake. The second one, SACK 1332 (Kind=5), carries the selective acknowledgments inside regular 1333 segments. 1335 The SACK Permitted option (Kind=4) MAY be advertised by a Transport 1336 Converter in the Supported TCP Extensions TLV. Clients connected to 1337 this Transport Converter MAY include the SACK Permitted option in the 1338 Connect TLV. 1340 The SACK option (Kind=5) cannot be used during the three-way 1341 handshake. For this reason, a Transport Converter MUST ignore option 1342 Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a 1343 TCP Supported Extensions TLV. 1345 6.4. Timestamp 1347 The Timestamp option was initially defined in [RFC1323] and later 1348 refined in [RFC7323]. It can be used during the three-way handshake 1349 to negotiate the utilization of timestamps during the TCP connection. 1350 It is notably used to improve round-trip-time estimations and to 1351 provide protection against wrapped sequence numbers (PAWS). As for 1352 the WS option, the timestamps are a property of a connection and 1353 there is limited benefit in enabling a client to request a Transport 1354 Converter to use the timestamp option when establishing a connection 1355 to a remote server. Furthermore, the timestamps that are used by TCP 1356 stacks are specific to each stack and there is no benefit in enabling 1357 a client to specify the timestamp value that a Transport Converter 1358 could use to establish a connection to a remote server. 1360 A Transport Converter MAY advertise the Timestamp option (Kind=8) in 1361 the TCP Supported Extensions TLV. The clients connected to this 1362 Transport Converter MAY include the Timestamp option in the Connect 1363 TLV but without any timestamp. 1365 6.5. Multipath TCP 1367 The Multipath TCP options are defined in [RFC6824]. [RFC6824] 1368 defines one variable length TCP option (Kind=30) that includes a sub- 1369 type field to support several Multipath TCP options. There are 1370 several operational use cases where clients would like to use 1371 Multipath TCP through a Transport Converter [IETFJ16]. However, none 1372 of these use cases require the Client to specify the content of the 1373 Multipath TCP option that the Transport Converter should send to a 1374 remote server. 1376 A Transport Converter which supports Multipath TCP conversion service 1377 MUST advertise the Multipath TCP option (Kind=30) in the Supported 1378 TCP Extensions TLV. Clients serviced by this Transport Converter may 1379 include the Multipath TCP option in the Connect TLV but without any 1380 content. 1382 6.6. TCP Fast Open 1384 The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413]. 1385 There are two different usages of this option that need to be 1386 supported by Transport Converters. The first utilization of the TCP 1387 Fast Open cookie option is to request a cookie from the server. In 1388 this case, the option is sent with an empty cookie by the client and 1389 the server returns the cookie. The second utilization of the TCP 1390 Fast Open cookie option is to send a cookie to the server. In this 1391 case, the option contains a cookie. 1393 A Transport Converter MAY advertise the TCP Fast Open cookie option 1394 (Kind=34) in the Supported TCP Extensions TLV. If a Transport 1395 Converter has advertised the support for TCP Fast Open in its 1396 Supported TCP Extensions TLV, it needs to be able to process two 1397 types of Connect TLV. If such a Transport Converter receives a 1398 Connect TLV with the TCP Fast Open cookie option that does not 1399 contain a cookie, it MUST add an empty TCP Fast Open cookie option in 1400 the SYN sent to the remote server. If such a Transport Converter 1401 receives a Connect TLV with the TCP Fast Open cookie option that 1402 contains a cookie, it MUST copy the TCP Fast Open cookie option in 1403 the SYN sent to the remote server. 1405 6.7. TCP User Timeout 1407 The TCP User Timeout option is defined in [RFC5482]. The associated 1408 TCP option (Kind=28) does not appear to be widely deployed. 1410 6.8. TCP-AO 1412 TCP-AO [RFC5925] provides a technique to authenticate all the packets 1413 exchanged over a TCP connection. Given the nature of this extension, 1414 it is unlikely that the applications that require their packets to be 1415 authenticated end-to-end would want their connections to pass through 1416 a converter. For this reason, we do not recommend the support of the 1417 TCP-AO option by Transport Converters. The only use cases where it 1418 could make sense to combine TCP-AO and the solution in this document 1419 are those where the TCP-AO-NAT extension [RFC6978] is in use. 1421 A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29) 1422 in the Supported TCP Extensions TLV. If a Transport Converter 1423 receives a Connect TLV that contains the TCP-AO option, it MUST 1424 reject the establishment of the connection with error code set to 1425 "Unsupported TCP Option", except if the TCP-AO-NAT option is used. 1427 6.9. TCP Experimental Options 1429 The TCP Experimental options are defined in [RFC4727]. Given the 1430 variety of semantics for these options and their experimental nature, 1431 it is impossible to discuss them in details in this document. 1433 7. Interactions with Middleboxes 1435 The Convert Protocol is designed to be used in networks that do not 1436 contain middleboxes that interfere with TCP. Under such conditions, 1437 it is assumed that the network provider ensures that all involved on- 1438 path nodes are not breaking TCP signals (e.g., strip TCP options, 1439 discard some SYNs, etc.). 1441 Nevertheless, and in order to allow for a robust service, this 1442 section describes how a Client can detect middlebox interference and 1443 stop using the Transport Converter affected by this interference. 1445 Internet measurements [IMC11] have shown that middleboxes can affect 1446 the deployment of TCP extensions. In this section, we only discuss 1447 the middleboxes that modify SYN and SYN+ACK packets since the Convert 1448 Protocol places its messages in such packets. 1450 Consider a middlebox that removes the SYN payload. The Client can 1451 detect this problem by looking at the acknowledgment number field of 1452 the SYN+ACK returned by the Transport Converter. The Client MUST 1453 stop to use this Transport Converter given the middlebox 1454 interference. 1456 Consider now a middlebox that drops SYN/ACKs with a payload. The 1457 Client won't be able to establish a connection via the Transport 1458 Converter. 1460 The case of a middlebox that removes the payload of SYN+ACKs (but not 1461 the payload of SYN) can be detected by a Client. This is hinted by 1462 the absence of an Error or Extended TCP Header TLV in a response. If 1463 an Error was returned by the Transport Converter, a message to close 1464 the connection would normally follow from the Converter. If no such 1465 message is received, the Client may continue to use this Converter. 1467 As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect 1468 the operation of TFO if they assign different IP addresses to the 1469 same end host. Such CGNs could affect the operation of the cookie 1470 validation used by the Convert Protocol. As a reminder CGNs, enabled 1471 on the path between a Client and a Transport Converter, must adhere 1472 to the address preservation defined in [RFC6888]. See also the 1473 discussion in Section 7.1 of [RFC7413]. 1475 8. Security Considerations 1477 8.1. Privacy & Ingress Filtering 1479 The Transport Converter may have access to privacy-related 1480 information (e.g., subscriber credentials). The Transport Converter 1481 is designed to not leak such sensitive information outside a local 1482 domain. 1484 Given its function and its location in the network, a Transport 1485 Converter has access to the payload of all the packets that it 1486 processes. As such, it MUST be protected as a core IP router (e.g., 1487 [RFC1812]). 1489 Furthermore, ingress filtering policies MUST be enforced at the 1490 network boundaries [RFC2827]. 1492 This document assumes that all network attachments are managed by the 1493 same administrative entity. Therefore, enforcing anti-spoofing 1494 filters at these network ensures that hosts are not sending traffic 1495 with spoofed source IP addresses. 1497 8.2. Authorization 1499 The Convert Protocol is intended to be used in managed networks where 1500 end hosts can be identified by their IP address. 1502 Stronger mutual authentication schemes MUST be defined to use the 1503 Convert Protocol in more open network environments. One possibility 1504 is to use TLS to perform mutual authentication between the client and 1505 the Converter. That is, use TLS when a Client retrieves a Cookie 1506 from the Converter and rely on certificate-based client 1507 authentication, pre-shared key based [RFC4279] or raw public key 1508 based client authentication [RFC7250] to secure this connection. 1510 If the authentication succeeds, the Converter returns a cookie to the 1511 Client. Subsequent Connect messages will be authorized as a function 1512 of the content of the Cookie TLV. 1514 In deployments where network-assisted connections are not allowed 1515 between hosts of a domain (i.e., hairpinning), the Converter may be 1516 instructed to discard such connections. Hairpinned connections are 1517 thus rejected by the Transport Converter by returning an Error TLV 1518 set to "Not Authorized". Absent explicit configuration otherwise, 1519 hairpinning is enabled by the Converter (see Figure 23. 1521 <===Network Provider===> 1523 +----+ from X1:x1 to X2':x2' +-----+ X1':x1' 1524 | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- 1525 +----+ | v | 1526 | v | 1527 | v | 1528 | v | 1529 +----+ from X1':x1' to X2:x2 | v | X2':x2' 1530 | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+--- 1531 +----+ +-----+ 1532 Converter 1534 Note: X2':x2' may be equal to 1535 X2:x2 1537 Figure 23: Hairpinning Example 1539 See below for authorization considerations that are specific for 1540 Multipath TCP. 1542 8.3. Denial of Service 1544 Another possible risk is the amplification attacks since a Transport 1545 Converter sends a SYN towards a remote Server upon reception of a SYN 1546 from a Client. This could lead to amplification attacks if the SYN 1547 sent by the Transport Converter were larger than the SYN received 1548 from the Client or if the Transport Converter retransmits the SYN. 1549 To mitigate such attacks, the Transport Converter SHOULD rate limit 1550 the number of pending requests for a given Client. It SHOULD also 1551 avoid sending to remote Servers SYNs that are significantly longer 1552 than the SYN received from the Client. Finally, the Transport 1553 Converter SHOULD only retransmit a SYN to a Server after having 1554 received a retransmitted SYN from the corresponding Client. Means to 1555 protect against SYN flooding attacks MUST also be enabled [RFC4987]. 1557 8.4. Traffic Theft 1559 Traffic theft is a risk if an illegitimate Converter is inserted in 1560 the path. Indeed, inserting an illegitimate Converter in the 1561 forwarding path allows traffic interception and can therefore provide 1562 access to sensitive data issued by or destined to a host. Converter 1563 discovery and configuration are out of scope of this document. 1565 8.5. Multipath TCP-specific Considerations 1567 Multipath TCP-related security threats are discussed in [RFC6181] and 1568 [RFC6824]. 1570 The operator that manages the various network attachments (including 1571 the Transport Converters) can enforce authentication and 1572 authorization policies using appropriate mechanisms. For example, a 1573 non-exhaustive list of methods to achieve authorization is provided 1574 hereafter: 1576 o The network provider may enforce a policy based on the 1577 International Mobile Subscriber Identity (IMSI) to verify that a 1578 user is allowed to benefit from the Multipath TCP converter 1579 service. If that authorization fails, the Packet Data Protocol 1580 (PDP) context/bearer will not be mounted. This method does not 1581 require any interaction with the Transport Converter for 1582 authorization matters. 1584 o The network provider may enforce a policy based upon Access 1585 Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) 1586 to control the hosts that are authorized to communicate with a 1587 Transport Converter. These ACLs may be installed as a result of 1588 RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter]. 1590 This method does not require any interaction with the Transport 1591 Converter for authorization matters. 1593 o A device that embeds a Transport Converter may also host a RADIUS 1594 client that will solicit an AAA server to check whether 1595 connections received from a given source IP address are authorized 1596 or not [I-D.boucadair-radext-tcpm-converter]. 1598 A first safeguard against the misuse of Transport Converter resources 1599 by illegitimate users (e.g., users with access networks that are not 1600 managed by the same provider that operates the Transport Converter) 1601 is the Transport Converter to reject Multipath TCP connections 1602 received on its Internet-facing interfaces. Only Multipath TCP 1603 connections received on the customer-facing interfaces of a Transport 1604 Converter will be accepted. 1606 9. IANA Considerations 1608 9.1. Convert Service Port Number 1610 IANA is requested to assign a TCP port number (TBA) for the Convert 1611 Protocol from the "Service Name and Transport Protocol Port Number 1612 Registry" available at https://www.iana.org/assignments/service- 1613 names-port-numbers/service-names-port-numbers.xhtml. 1615 Service Name: convert 1616 Port Number: TBD 1617 Transport Protocol(s): TCP 1618 Description: 0-RTT TCP Convert Protocol 1619 Assignee: IESG 1620 Contact: IETF Chair 1621 Reference: RFC XXXX 1623 9.2. The Convert Protocol (Convert) Parameters 1625 IANA is requested to create a new "The Convert Protocol (Convert) 1626 Parameters" registry. 1628 The following subsections detail new registries within "The Convert 1629 Protocol (Convert) Parameters" registry. 1631 9.2.1. Convert Versions 1633 IANA is requested to create the "Convert versions" sub-registry. New 1634 values are assigned via IETF Review (Section 4.8 of [RFC8126]). 1636 The initial values to be assigned at the creation of the registry are 1637 as follows: 1639 +---------+--------------------------------------+-------------+ 1640 | Version | Description | Reference | 1641 +---------+--------------------------------------+-------------+ 1642 | 0 | Reserved by this document | [This-RFC] | 1643 | 1 | Assigned by this document | [This-RFC] | 1644 +---------+--------------------------------------+-------------+ 1646 9.2.2. Convert TLVs 1648 IANA is requested to create the "Convert TLVs" sub-registry. The 1649 procedure for assigning values from this registry is as follows: 1651 o The values in the range 1-127 can be assigned via IETF Review. 1653 o The values in the range 128-191 can be assigned via Specification 1654 Required. 1656 o The values in the range 192-255 can be assigned for Private Use. 1658 The initial values to be assigned at the creation of the registry are 1659 as follows: 1661 +---------+--------------------------------------+-------------+ 1662 | Code | Name | Reference | 1663 +---------+--------------------------------------+-------------+ 1664 | 0 | Reserved | [This-RFC] | 1665 | 1 | Info TLV | [This-RFC] | 1666 | 10 | Connect TLV | [This-RFC] | 1667 | 20 | Extended TCP Header TLV | [This-RFC] | 1668 | 21 | Supported TCP Extension TLV | [This-RFC] | 1669 | 22 | Cookie TLV | [This-RFC] | 1670 | 30 | Error TLV | [This-RFC] | 1671 +---------+--------------------------------------+-------------+ 1673 9.2.3. Convert Error Messages 1675 IANA is requested to create the "Convert Errors" sub-registry. Codes 1676 in this registry are assigned as a function of the error type. Four 1677 types are defined; the following ranges are reserved for each of 1678 these types: 1680 o Message validation and processing errors: 0-31 1682 o Client-side errors: 32-63 1684 o Transport Converter-side errors: 64-95 1686 o Errors caused by destination server: 96-127 1687 The procedure for assigning values from this sub-registry is as 1688 follows: 1690 o 0-127: Values in this range are assigned via IETF Review. 1692 o 128-191: Values in this range are assigned via Specification 1693 Required. 1695 o 192-255: Values in this range are assigned for Private Use. 1697 The initial values to be assigned at the creation of the registry are 1698 as follows: 1700 +-------+------+-----------------------------------+-----------+ 1701 | Error | Hex | Description | Reference | 1702 +-------+------+-----------------------------------+-----------+ 1703 | 0 | 0x00 | Unsupported Version | [This-RFC]| 1704 | 1 | 0x01 | Malformed Message | [This-RFC]| 1705 | 2 | 0x02 | Unsupported Message | [This-RFC]| 1706 | 3 | 0x03 | Missing Cookie | [This-RFC]| 1707 | 32 | 0x20 | Not Authorized | [This-RFC]| 1708 | 33 | 0x21 | Unsupported TCP Option | [This-RFC]| 1709 | 64 | 0x40 | Resource Exceeded | [This-RFC]| 1710 | 65 | 0x41 | Network Failure | [This-RFC]| 1711 | 96 | 0x60 | Connection Reset | [This-RFC]| 1712 | 97 | 0x61 | Destination Unreachable | [This-RFC]| 1713 +-------+------+-----------------------------------+-----------+ 1715 Figure 24: The Convert Error Codes 1717 10. References 1719 10.1. Normative References 1721 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 1722 RFC 793, DOI 10.17487/RFC0793, September 1981, 1723 . 1725 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1726 Requirement Levels", BCP 14, RFC 2119, 1727 DOI 10.17487/RFC2119, March 1997, 1728 . 1730 [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key 1731 Ciphersuites for Transport Layer Security (TLS)", 1732 RFC 4279, DOI 10.17487/RFC4279, December 2005, 1733 . 1735 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 1736 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 1737 2006, . 1739 [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, 1740 ICMPv6, UDP, and TCP Headers", RFC 4727, 1741 DOI 10.17487/RFC4727, November 2006, 1742 . 1744 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 1745 Translation (NAT) Behavioral Requirements for Unicast 1746 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 1747 2007, . 1749 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 1750 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 1751 . 1753 [RFC5482] Eggert, L. and F. Gont, "TCP User Timeout Option", 1754 RFC 5482, DOI 10.17487/RFC5482, March 2009, 1755 . 1757 [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP 1758 Authentication Option", RFC 5925, DOI 10.17487/RFC5925, 1759 June 2010, . 1761 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 1762 "TCP Extensions for Multipath Operation with Multiple 1763 Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013, 1764 . 1766 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 1767 A., and H. Ashida, "Common Requirements for Carrier-Grade 1768 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 1769 April 2013, . 1771 [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, 1772 "Special-Purpose IP Address Registries", BCP 153, 1773 RFC 6890, DOI 10.17487/RFC6890, April 2013, 1774 . 1776 [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., 1777 Weiler, S., and T. Kivinen, "Using Raw Public Keys in 1778 Transport Layer Security (TLS) and Datagram Transport 1779 Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, 1780 June 2014, . 1782 [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP 1783 Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, 1784 . 1786 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 1787 Writing an IANA Considerations Section in RFCs", BCP 26, 1788 RFC 8126, DOI 10.17487/RFC8126, June 2017, 1789 . 1791 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1792 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1793 May 2017, . 1795 10.2. Informative References 1797 [ANRW17] Trammell, B., Kuhlewind, M., De Vaere, P., Learmonth, I., 1798 and G. Fairhurst, "Tracking transport-layer evolution with 1799 PATHspider", Applied Networking Research Workshop 2017 1800 (ANRW17) , July 2017. 1802 [Fukuda2011] 1803 Fukuda, K., "An Analysis of Longitudinal TCP Passive 1804 Measurements (Short Paper)", Traffic Monitoring and 1805 Analysis. TMA 2011. Lecture Notes in Computer Science, vol 1806 6613. , 2011. 1808 [HotMiddlebox13b] 1809 Detal, G., Paasch, C., and O. Bonaventure, "Multipath in 1810 the Middle(Box)", HotMiddlebox'13 , December 2013, 1811 . 1814 [I-D.arkko-arch-low-latency] 1815 Arkko, J. and J. Tantsura, "Low Latency Applications and 1816 the Internet Architecture", draft-arkko-arch-low- 1817 latency-02 (work in progress), October 2017. 1819 [I-D.boucadair-mptcp-plain-mode] 1820 Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel, 1821 D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R., 1822 Vinapamula, S., Seo, S., Cloetens, W., Meyer, U., 1823 Contreras, L., and B. Peirens, "Extensions for Network- 1824 Assisted MPTCP Deployment Models", draft-boucadair-mptcp- 1825 plain-mode-10 (work in progress), March 2017. 1827 [I-D.boucadair-radext-tcpm-converter] 1828 Boucadair, M. and C. Jacquenet, "RADIUS Extensions for 1829 0-RTT TCP Converters", draft-boucadair-radext-tcpm- 1830 converter-02 (work in progress), April 2019. 1832 [I-D.boucadair-tcpm-dhc-converter] 1833 Boucadair, M., Jacquenet, C., and R. K, "DHCP Options for 1834 0-RTT TCP Converters", draft-boucadair-tcpm-dhc- 1835 converter-03 (work in progress), October 2019. 1837 [I-D.olteanu-intarea-socks-6] 1838 Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6", 1839 draft-olteanu-intarea-socks-6-07 (work in progress), July 1840 2019. 1842 [I-D.peirens-mptcp-transparent] 1843 Peirens, B., Detal, G., Barre, S., and O. Bonaventure, 1844 "Link bonding with transparent Multipath TCP", draft- 1845 peirens-mptcp-transparent-00 (work in progress), July 1846 2016. 1848 [IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment", 1849 IETF Journal, Fall 2016 , n.d.. 1851 [IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A., 1852 Handley, M., and T. Hideyuki, "Is it still possible to 1853 extend TCP?", Proceedings of the 2011 ACM SIGCOMM 1854 conference on Internet measurement conference , 2011. 1856 [RFC1323] Jacobson, V., Braden, R., and D. Borman, "TCP Extensions 1857 for High Performance", RFC 1323, DOI 10.17487/RFC1323, May 1858 1992, . 1860 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1861 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1862 . 1864 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 1865 RFC 1919, DOI 10.17487/RFC1919, March 1996, 1866 . 1868 [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and 1869 L. Jones, "SOCKS Protocol Version 5", RFC 1928, 1870 DOI 10.17487/RFC1928, March 1996, 1871 . 1873 [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP 1874 Selective Acknowledgment Options", RFC 2018, 1875 DOI 10.17487/RFC2018, October 1996, 1876 . 1878 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 1879 Defeating Denial of Service Attacks which employ IP Source 1880 Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, 1881 May 2000, . 1883 [RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z. 1884 Shelby, "Performance Enhancing Proxies Intended to 1885 Mitigate Link-Related Degradations", RFC 3135, 1886 DOI 10.17487/RFC3135, June 2001, 1887 . 1889 [RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for 1890 Multipath Operation with Multiple Addresses", RFC 6181, 1891 DOI 10.17487/RFC6181, March 2011, 1892 . 1894 [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and 1895 P. Roberts, "Issues with IP Address Sharing", RFC 6269, 1896 DOI 10.17487/RFC6269, June 2011, 1897 . 1899 [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix 1900 Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, 1901 . 1903 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 1904 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 1905 DOI 10.17487/RFC6887, April 2013, 1906 . 1908 [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, 1909 "Increasing TCP's Initial Window", RFC 6928, 1910 DOI 10.17487/RFC6928, April 2013, 1911 . 1913 [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT 1914 Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013, 1915 . 1917 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 1918 Scheffenegger, Ed., "TCP Extensions for High Performance", 1919 RFC 7323, DOI 10.17487/RFC7323, September 2014, 1920 . 1922 [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. 1923 Zimmermann, "A Roadmap for Transmission Control Protocol 1924 (TCP) Specification Documents", RFC 7414, 1925 DOI 10.17487/RFC7414, February 2015, 1926 . 1928 [RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and 1929 Operational Experience with Multipath TCP", RFC 8041, 1930 DOI 10.17487/RFC8041, January 2017, 1931 . 1933 [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: 1934 Better Connectivity Using Concurrency", RFC 8305, 1935 DOI 10.17487/RFC8305, December 2017, 1936 . 1938 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1939 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1940 . 1942 [RFC8548] Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack, 1943 Q., and E. Smith, "Cryptographic Protection of TCP Streams 1944 (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019, 1945 . 1947 [TS23501] 3GPP (3rd Generation Partnership Project), ., "Technical 1948 Specification Group Services and System Aspects; System 1949 Architecture for the 5G System; Stage 2 (Release 16)", 1950 2019, . 1953 Appendix A. Change Log 1955 This section to be removed before publication. 1957 o 00 : initial version, designed to support Multipath TCP and TFO 1958 only 1960 o 00 to -01 : added section Section 6 describing the support of 1961 different standard tracks TCP options by Transport Converters, 1962 clarification of the IANA section, moved the SOCKS comparison to 1963 the appendix and various minor modifications 1965 o 01 to -02: Minor modifications 1967 o 02 to -03: Minor modifications 1969 o 03 to -04: Minor modifications 1970 o 04 to -05: Integrate a lot of feedback from implementors who have 1971 worked on client and server side implementations. The main 1972 modifications are the following : 1974 * TCP Fast Open is not strictly required anymore. Several 1975 implementors expressed concerns about this requirement. The 1976 TFO Cookie protects from some attack scenarios that affect open 1977 servers like web servers. The Convert Protocol is different 1978 and as discussed in RFC7413, there are different ways to 1979 protect from such attacks. Instead of using a TFO cookie 1980 inside the TCP options, which consumes precious space in the 1981 extended TCP header, this version supports the utilization of a 1982 Cookie that is placed in the SYN payload. This provides the 1983 same level of protection as a TFO Cookie in environments were 1984 such protection is required. 1986 * the Bootstrap procedure has been simplified based on feedback 1987 from implementors 1989 * Error messages are not included in RST segments anymore but 1990 sent in the bytestream. Implementors have indicated that 1991 processing such segments on clients was difficult on some 1992 platforms. This change simplifies client implementations. 1994 * Many minor editorial changes to clarify the text based on 1995 implementors feedback. 1997 o 05 to -06: Many clarifications to integrate the comments from the 1998 chairs in preparation to the WGLC: 2000 * Updated IANA policy to require "IETF Review" instead of 2001 "Standard Action" 2003 * Call out explicitly that data in SYNs are relayed by the 2004 Converter 2006 * Reiterate the scope 2008 * Hairpinning behavior can be disabled (policy-based) 2010 * Fix nits 2012 o 07: 2014 * Update the text about supplying data in SYNs to make it clear 2015 that a constraint defined in RFC793 is relaxed following the 2016 same rationale as in RFC7413. 2018 * Nits 2020 * Added Appendix A on example Socket API changes 2022 o 08: 2024 * Added short discussion on the termination of connections 2026 o 09: 2028 * Address various comments received during last call 2030 o 10-13: 2032 * Changes to address the comments from Phil: Add a new section to 2033 group data plane considerations in one place + add a new 2034 appendix with more details on address modes + rearrange the 2035 MPTCP text. 2037 o 14: fixed nits (the shepherd write-up) 2039 Appendix B. Example Socket API Changes to Support the 0-RTT Convert 2040 Protocol 2042 B.1. Active Open (Client Side) 2044 On the client side, the support of the 0-RTT Converter protocol does 2045 not require any other changes than those identified in Appendix A of 2046 [RFC7413]. Those modifications are already supported by multiple TCP 2047 stacks. 2049 As an example, on Linux, a client can send the 0-RTT Convert message 2050 inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in 2051 the example below: 2053 s = socket(AF_INET, SOCK_STREAM, 0); 2055 sendto(s, buffer, buffer_len, MSG_FASTOPEN, 2056 (struct sockaddr *) &server_addr, addr_len); 2058 The client side of the Linux TCP TFO can be used in two different 2059 modes depending on the host configuration (sysctl tcp_fastopen 2060 variable): 2062 o 0x1: (client) enables sending data in the opening SYN on the 2063 client. 2065 o 0x4: (client) send data in the opening SYN regardless of cookie 2066 availability and without a cookie option. 2068 By setting this configuration variable to 0x5, a Linux client using 2069 the above code would send data inside the SYN without using a TFO 2070 option. 2072 B.2. Passive Open (Converter Side) 2074 The Converter needs to enable the reception of data inside the SYN 2075 independently of the utilization of the TFO option. This implies 2076 that the Transport Converter application cannot rely on the TFO 2077 cookies to validate the reachability of the IP address that sent the 2078 SYN. It must rely on other techniques, such as the Cookie TLV 2079 described in this document, to verify this reachability. 2081 [RFC7413] suggested the utilization of a TCP_FASTOPEN socket option 2082 the enable the reception of SYNs containing data. Later, Appendix A 2083 of [RFC7413], mentioned: 2085 Traditionally, accept() returns only after a socket is connected. 2086 But, for a Fast Open connection, accept() returns upon receiving 2087 SYN with a valid Fast Open cookie and data, and the data is available 2088 to be read through, e.g., recvmsg(), read(). 2090 To support the 0-RTT Convert Protocol, this behavior should be 2091 modified as follows: 2093 Traditionally, accept() returns only after a socket is connected. 2094 But, for a Fast Open connection, accept() returns upon receiving a 2095 SYN with data, and the data is available to be read through, e.g., 2096 recvmsg(), read(). The application that receives such SYNs with data 2097 must be able to validate the reachability of the source of the SYN 2098 and also deal with replayed SYNs. 2100 The Linux server side can be configured with the following sysctls: 2102 o 0x2: (server) enables the server support, i.e., allowing data in a 2103 SYN packet to be accepted and passed to the application before 2104 3-way handshake finishes. 2106 o 0x200: (server) accept data-in-SYN w/o any cookie option present. 2108 However, this configuration is system-wide. This is convenient for 2109 typical Transport Converter deployments where no other applications 2110 relying on TFO are collocated on the same device. 2112 Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to 2113 provide the same behavior on a per socket basis. This enables a 2114 single host to support both servers that require the TFO cookie and 2115 servers that do not use it. 2117 Appendix C. Some Design Considerations 2119 Several implementors expressed concerns about the use of TFO. As a 2120 reminder, the TFO Cookie protects from some attack scenarios that 2121 affect open servers like web servers. The Convert Protocol is 2122 different and, as discussed in RFC7413, there are different ways to 2123 protect from such attacks. Instead of using a TFO cookie inside the 2124 TCP options, which consumes precious space in the extended TCP 2125 header, the Convert Protocol supports the utilization of a Cookie 2126 that is placed in the SYN payload. This provides the same level of 2127 protection as a TFO Cookie in environments were such protection is 2128 required. 2130 Error messages are not included in RST segments but sent in the 2131 bytestream. Implementors have indicated that processing such 2132 segments on clients was difficult on some platforms. This change 2133 simplifies client implementations. 2135 Appendix D. Address Preservation vs. Address Sharing 2137 The Transport Converter is provided with instructions about the 2138 behavior to adopt with regards to the processing of source addresses 2139 of outgoing packets. The following sub-sections discusses two 2140 deployment models for illustration purposes. It is out of the scope 2141 of this document to make a recommendation. 2143 D.1. Address Preservation 2145 In this model, the visible source IP address of a packet proxied by a 2146 Transport Converter to a Server is an IP address of the end host 2147 (Client). No dedicated IP address pool is provisioned to the 2148 Transport Converter. 2150 For Multipath TCP, the Transport Converter preserves the source IP 2151 address used by the Client when establishing the initial subflow. 2152 Data conveyed in secondary subflows will be proxied by the Transport 2153 Converter using the source IP address of the initial subflow. An 2154 example of a proxied Multipath TCP connection with address 2155 preservation is shown in Figure 25. 2157 Transport 2158 Client Converter Server 2160 @:C1,C2 @:Tc @:S 2161 || | | 2162 |src:C1 SYN dst:Tc|src:C1 dst:S| 2163 |-------MPC [->S:port]------->|-------SYN------->| 2164 || | | 2165 ||dst:C1 src:Tc|dst:C1 src:S| 2166 |<---------SYN/ACK------------|<-----SYN/ACK-----| 2167 || | | 2168 |src:C1 dst:Tc|src:C1 dst:S| 2169 |------------ACK------------->|-------ACK------->| 2170 | | | 2171 |src:C2 ... dst:Tc| ... | 2172 ||<-----Secondary Subflow---->|src:C1 dst:S| 2173 || |-------data------>| 2174 | .. | ... | 2176 Legend: 2177 Tc: IP address used by the Transport Converter on its customer-facing 2178 interface. 2180 Figure 25: Example of Address Preservation 2182 The Transport Converter must be on the forwarding path of incoming 2183 traffic. Because the same (destination) IP address is used for both 2184 proxied and non-proxied connections, the Transport Converter should 2185 not drop incoming packets it intercepts if no matching entry is found 2186 for the packets. Unless explicitly configured otherwise, such 2187 packets are forwarded according to the instructions of a local 2188 forwarding table. 2190 D.2. Address/Prefix Sharing 2192 A pool of global IPv4 addresses is provisioned to the Transport 2193 Converter along with possible instructions about the address sharing 2194 ratio to apply (see Appendix B of [RFC6269]). An address is thus 2195 shared among multiple clients. 2197 Likewise, rewriting the source IPv6 prefix [RFC6296] may be used to 2198 ease redirection of incoming IPv6 traffic towards the appropriate 2199 Transport Converter. A pool of IPv6 prefixes is then provisioned to 2200 the Transport Converter for this purpose. 2202 Adequate forwarding policies are enforced so that traffic destined to 2203 an address of such pool is intercepted by the appropriate Transport 2204 Converter. Unlike Appendix D.1, the Transport Converter drops 2205 incoming packets which do not match an active transport session 2206 entry. 2208 An example is shown in Figure 26. 2210 Transport 2211 Client Converter Server 2213 @:C @:Tc|Te @:S 2214 | | | 2215 |src:C dst:Tc|src:Te dst:S| 2216 |-------SYN [->S:port]------->|-------SYN------->| 2217 | | | 2218 |dst:C src:Tc|dst:Te src:S| 2219 |<---------SYN/ACK------------|<-----SYN/ACK-----| 2220 | | | 2221 |src:C dst:Tc|src:Te dst:S| 2222 |------------ACK------------->|-------ACK------->| 2223 | | | 2224 | ... | ... | 2226 Legend: 2227 Tc: IP address used by the Transport Converter for its customer-facing 2228 interface. 2229 Te: IP address used by the Transport Converter for its Internet-facing 2230 interface. 2232 Figure 26: Address Sharing 2234 Appendix E. Differences with SOCKSv5 2236 At a first glance, the solution proposed in this document could seem 2237 similar to the SOCKS v5 protocol [RFC1928] which is used to proxy TCP 2238 connections. The Client creates a connection to a SOCKS proxy, 2239 exchanges authentication information and indicates the destination 2240 address and port of the final server. At this point, the SOCKS proxy 2241 creates a connection towards the final server and relays all data 2242 between the two proxied connections. The operation of an 2243 implementation based on SOCKSv5 is illustrated in Figure 27. 2245 Client SOCKS Proxy Server 2246 --------------------> 2247 SYN 2248 <-------------------- 2249 SYN+ACK 2250 --------------------> 2251 ACK 2253 --------------------> 2254 Version=5, Auth Methods 2255 <-------------------- 2256 Method 2257 --------------------> 2258 Auth Request (unless "No auth" method negotiated) 2259 <-------------------- 2260 Auth Response 2261 --------------------> 2262 Connect Server:Port --------------------> 2263 SYN 2265 <-------------------- 2266 SYN+ACK 2267 <-------------------- 2268 Succeeded 2270 --------------------> 2271 Data1 2272 --------------------> 2273 Data1 2275 <-------------------- 2276 Data2 2277 <-------------------- 2278 Data2 2280 Figure 27: Establishment of a TCP connection through a SOCKS proxy 2281 without authentication 2283 The Convert Protocol also relays data between an upstream and a 2284 downstream connection, but there are important differences with 2285 SOCKSv5. 2287 A first difference is that the Convert Protocol exchanges all control 2288 information during the three-way handshake. This reduces the 2289 connection establishment delay compared to SOCKS that requires two or 2290 more round-trip-times before the establishment of the downstream 2291 connection towards the final destination. In today's Internet, 2292 latency is a important metric and various protocols have been tuned 2293 to reduce their latency [I-D.arkko-arch-low-latency]. A recently 2294 proposed extension to SOCKS leverages the TFO option 2295 [I-D.olteanu-intarea-socks-6]. 2297 A second difference is that the Convert Protocol explicitly takes the 2298 TCP extensions into account. By using the Convert Protocol, the 2299 Client can learn whether a given TCP extension is supported by the 2300 destination Server. This enables the Client to bypass the Transport 2301 Converter when the destination supports the required TCP extension. 2302 Neither SOCKS v5 [RFC1928] nor the proposed SOCKS v6 2303 [I-D.olteanu-intarea-socks-6] provide such a feature. 2305 A third difference is that a Transport Converter will only accept the 2306 connection initiated by the Client provided that the downstream 2307 connection is accepted by the Server. If the Server refuses the 2308 connection establishment attempt from the Transport Converter, then 2309 the upstream connection from the Client is rejected as well. This 2310 feature is important for applications that check the availability of 2311 a Server or use the time to connect as a hint on the selection of a 2312 Server [RFC8305]. 2314 A fourth difference is that the Convert Protocol only allows the 2315 client to specify the address/port of the destination server and not 2316 a DNS name. We evaluated an alternate design for the Connect TLV 2317 that included the DNS name of the remote peer instead of its IP 2318 address as in SOCKS [RFC1928]. However, that design was not adopted 2319 because it induces both an extra load and increased delays on the 2320 Transport Converter to handle and manage DNS resolution requests. 2322 Acknowledgments 2324 Although they could disagree with the contents of the document, we 2325 would like to thank Joe Touch and Juliusz Chroboczek whose comments 2326 on the MPTCP mailing list have forced us to reconsider the design of 2327 the solution several times. 2329 We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha 2330 Nandugudi and Gregory Vander Schueren for their help in preparing 2331 this document. Nandini Ganesh provided valuable feedback about the 2332 handling of TFO and the error codes. Yuchung Cheng and Praveen 2333 Balasubramanian helped to clarify the discussion on supplying data in 2334 SYNs. Phil Eardley and Michael Scharf's helped to clarify different 2335 parts of the text. 2337 This document builds upon earlier documents that proposed various 2338 forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], 2339 [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. 2341 From [I-D.boucadair-mptcp-plain-mode]: 2343 Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi 2344 Nishida, and Christoph Paasch for their valuable comments. 2346 Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and 2347 Sri Gundavelli for the fruitful discussions in IETF#95 (Buenos 2348 Aires). 2350 Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and 2351 Xavier Grall for their inputs. 2353 Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas 2354 Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves 2355 Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun 2356 Srinivasan, and Raghavendra Mallya for the discussion. 2358 Contributors 2360 Bart Peirens contributed to an early version of the document. 2362 As noted above, this document builds on two previous documents. 2364 The authors of [I-D.boucadair-mptcp-plain-mode] were: 2366 o Mohamed Boucadair 2368 o Christian Jacquenet 2370 o Olivier Bonaventure 2372 o Denis Behaghel 2374 o Stefano Secci 2376 o Wim Henderickx 2378 o Robert Skog 2380 o Suresh Vinapamula 2382 o SungHoon Seo 2384 o Wouter Cloetens 2386 o Ullrich Meyer 2388 o Luis M. Contreras 2389 o Bart Peirens 2391 The authors of [I-D.peirens-mptcp-transparent] were: 2393 o Bart Peirens 2395 o Gregory Detal 2397 o Sebastien Barre 2399 o Olivier Bonaventure 2401 Authors' Addresses 2403 Olivier Bonaventure (editor) 2404 Tessares 2406 Email: Olivier.Bonaventure@tessares.net 2408 Mohamed Boucadair (editor) 2409 Orange 2410 Clos Courtel 2411 Rennes 35000 2412 France 2414 Email: mohamed.boucadair@orange.com 2416 Sri Gundavelli 2417 Cisco 2419 Email: sgundave@cisco.com 2421 SungHoon Seo 2422 Korea Telecom 2424 Email: sh.seo@kt.com 2426 Benjamin Hesmans 2427 Tessares 2429 Email: Benjamin.Hesmans@tessares.net