idnits 2.17.1 draft-ietf-tcpm-converters-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 28, 2020) is 1518 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Obsolete normative reference: RFC 6824 (Obsoleted by RFC 8684) == Outdated reference: A later version (-11) exists of draft-olteanu-intarea-socks-6-08 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TCPM Working Group O. Bonaventure, Ed. 3 Internet-Draft Tessares 4 Intended status: Experimental M. Boucadair, Ed. 5 Expires: August 31, 2020 Orange 6 S. Gundavelli 7 Cisco 8 S. Seo 9 Korea Telecom 10 B. Hesmans 11 Tessares 12 February 28, 2020 14 0-RTT TCP Convert Protocol 15 draft-ietf-tcpm-converters-17 17 Abstract 19 This document specifies an application proxy, called Transport 20 Converter, to assist the deployment of TCP extensions such as 21 Multipath TCP. A Transport Converter may provide conversion service 22 for one or more TCP extensions. The conversion service is provided 23 by means of the TCP Convert Protocol (Convert). 25 This protocol provides 0-RTT (Zero Round-Trip Time) conversion 26 service since no extra delay is induced by the protocol compared to 27 connections that are not proxied. Also, the Convert Protocol does 28 not require any encapsulation (no tunnels, whatsoever). 30 This specification assumes an explicit model, where the Transport 31 Converter is explicitly configured on hosts. 33 Status of This Memo 35 This Internet-Draft is submitted in full conformance with the 36 provisions of BCP 78 and BCP 79. 38 Internet-Drafts are working documents of the Internet Engineering 39 Task Force (IETF). Note that other groups may also distribute 40 working documents as Internet-Drafts. The list of current Internet- 41 Drafts is at https://datatracker.ietf.org/drafts/current/. 43 Internet-Drafts are draft documents valid for a maximum of six months 44 and may be updated, replaced, or obsoleted by other documents at any 45 time. It is inappropriate to use Internet-Drafts as reference 46 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on August 31, 2020. 50 Copyright Notice 52 Copyright (c) 2020 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3 69 1.2. Network-Assisted Connections: The Rationale . . . . . . . 4 70 2. Differences with SOCKSv5 . . . . . . . . . . . . . . . . . . 6 71 3. Conventions and Definitions . . . . . . . . . . . . . . . . . 8 72 4. Architecture & Behaviors . . . . . . . . . . . . . . . . . . 9 73 4.1. Functional Elements . . . . . . . . . . . . . . . . . . . 9 74 4.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 11 75 4.3. Data Processing at the Transport Converter . . . . . . . 14 76 4.4. Address Preservation vs. Address Sharing . . . . . . . . 16 77 4.4.1. Address Preservation . . . . . . . . . . . . . . . . 16 78 4.4.2. Address/Prefix Sharing . . . . . . . . . . . . . . . 17 79 5. Sample Examples . . . . . . . . . . . . . . . . . . . . . . . 18 80 5.1. Outgoing Converter-Assisted Multipath TCP Connections . . 18 81 5.2. Incoming Converter-Assisted Multipath TCP Connection . . 20 82 6. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 21 83 6.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 22 84 6.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 23 85 6.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 23 86 6.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 23 87 6.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 24 88 6.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 25 89 6.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 25 90 6.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 28 91 6.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 29 92 6.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 30 93 7. Compatibility of Specific TCP Options with the Conversion 94 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 95 7.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 33 96 7.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 33 97 7.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 34 98 7.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 34 99 7.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 35 100 7.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 35 101 7.7. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 36 102 8. Interactions with Middleboxes . . . . . . . . . . . . . . . . 36 103 9. Security Considerations . . . . . . . . . . . . . . . . . . . 37 104 9.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 37 105 9.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 37 106 9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 38 107 9.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 39 108 9.5. Authentication Considerations . . . . . . . . . . . . . . 39 109 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 110 10.1. Convert Service Name . . . . . . . . . . . . . . . . . . 40 111 10.2. The Convert Protocol (Convert) Parameters . . . . . . . 40 112 10.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 41 113 10.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 41 114 10.2.3. Convert Error Messages . . . . . . . . . . . . . . . 42 115 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 116 11.1. Normative References . . . . . . . . . . . . . . . . . . 43 117 11.2. Informative References . . . . . . . . . . . . . . . . . 44 118 Appendix A. Example Socket API Changes to Support the 0-RTT 119 Convert Protocol . . . . . . . . . . . . . . . . . . 47 120 A.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 47 121 A.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 48 122 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 49 123 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 50 124 Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 125 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 127 1. Introduction 129 1.1. The Problem 131 Transport protocols like TCP evolve regularly [RFC7414]. TCP has 132 been improved in different ways. Some improvements such as changing 133 the initial window size [RFC6928] or modifying the congestion control 134 scheme can be applied independently on clients and servers. Other 135 improvements such as Selective Acknowledgments [RFC2018] or large 136 windows [RFC7323] require a new TCP option or to change the semantics 137 of some fields in the TCP header. These modifications must be 138 deployed on both clients and servers to be actually used on the 139 Internet. Experience with the latter TCP extensions reveals that 140 their deployment can require many years. Fukuda reports in 141 [Fukuda2011] results of a decade of measurements showing the 142 deployment of Selective Acknowledgments, Window Scale and TCP 143 Timestamps. [ANRW17] describes measurements showing that TCP Fast 144 Open (TFO) [RFC7413] is still not widely deployed. 146 There are some situations where the transport stack used on clients 147 (or servers) can be upgraded at a faster pace than the transport 148 stack running on servers (or clients). In those situations, clients 149 would typically want to benefit from the features of an improved 150 transport protocol even if the servers have not yet been upgraded and 151 conversely. Some assistance from the network to make use of these 152 features is valuable. For example, Performance Enhancing Proxies 153 [RFC3135], and other service functions have been deployed as 154 solutions to improve TCP performance over links with specific 155 characteristics. 157 Recent examples of TCP extensions include Multipath TCP (MPTCP) 158 [RFC6824] or TCPINC [RFC8548]. Those extensions provide features 159 that are interesting for clients such as wireless devices. With 160 Multipath TCP, those devices could seamlessly use WLAN (Wireless 161 Local Area Network) and cellular networks, for bonding purposes, 162 faster hand-overs, or better resiliency. Unfortunately, deploying 163 those extensions on both a wide range of clients and servers remains 164 difficult. 166 More recently, 5G bonding experimentation has been conducted into 167 global range of the incumbent 4G (LTE) connectivity using newly 168 devised clients and a Multipath TCP proxy. Even if the 5G and the 4G 169 bonding relying upon Multipath TCP increases the bandwidth, it is as 170 well crucial to minimize latency for all the way between endhosts 171 regardless of whether intermediate nodes are inside or outside of the 172 mobile core. In order to handle URLLC (Ultra Reliable Low Latency 173 Communication) for the next generation mobile network, Multipath TCP 174 and its proxy mechanism such as the one used to provide Access 175 Traffic Steering, Switching, and Splitting (ATSSS) must be optimized 176 to reduce latency [TS23501]. 178 1.2. Network-Assisted Connections: The Rationale 180 This document specifies an application proxy, called Transport 181 Converter. A Transport Converter is a function that is installed by 182 a network operator to aid the deployment of TCP extensions and to 183 provide the benefits of such extensions to clients. A Transport 184 Converter may provide conversion service for one or more TCP 185 extensions. Which TCP extensions are eligible to the conversion 186 service is deployment-specific. The conversion service is provided 187 by means of the 0-RTT TCP Convert Protocol (Convert), that is an 188 application-layer protocol which uses a dedicated TCP port number. 190 The Convert Protocol provides 0-RTT (Zero Round-Trip Time) conversion 191 service since no extra delay is induced by the protocol compared to 192 connections that are not proxied. Particularly, the Convert Protocol 193 does not require extra signaling setup delays before making use of 194 the conversion service. The Convert Protocol does not require any 195 encapsulation (no tunnels, whatsoever). 197 The Transport Converter adheres to the main principles drawn in 198 [RFC1919]. In particular, a Transport Converter achieves the 199 following: 201 o Listen for client sessions; 203 o Receive from a client the address of the final target server; 205 o Setup a session to the final server; 207 o Relay control messages and data between the client and the server; 209 o Perform access controls according to local policies. 211 The main advantage of network-assisted conversion services is that 212 they enable new TCP extensions to be used on a subset of the path 213 between endpoints, which encourages the deployment of these 214 extensions. Furthermore, the Transport Converter allows the client 215 and the server to directly negotiate TCP extensions for the sake of 216 native support along the full path. 218 The Convert Protocol is a generic mechanism to provide 0-RTT 219 conversion service. As a sample applicability use case, this 220 document specifies how the Convert Protocol applies for Multipath 221 TCP. It is out of scope of this document to provide a comprehensive 222 list of all potential conversion services. Applicability documents 223 may be defined in the future. 225 This document does not assume that all the traffic is eligible to the 226 network-assisted conversion service. Only a subset of the traffic 227 will be forwarded to a Transport Converter according to a set of 228 policies. These policies, and how they are communicated to 229 endpoints, are out of scope. Furthermore, it is possible to bypass 230 the Transport Converter to connect directly to the servers that 231 already support the required TCP extension(s). 233 This document assumes an explicit model in which a client is 234 configured with one or a list of Transport Converters (statically or 235 through protocols such as [I-D.boucadair-tcpm-dhc-converter]). 236 Configuration means are outside the scope of this document. 238 The use of a Transport Converter means that there is no end-to-end 239 transport connection between the client and server. This could 240 potentially create problems in some scenarios such as those discussed 241 in Section 4 of [RFC3135]. Some of these problems may not be 242 applicable, for example, a Transport Converter can inform a client by 243 means of Network Failure (65) or Destination Unreachable (97) error 244 messages (Section 6.2.8) that it encounters a failure problem; the 245 client can react accordingly. An endpoint, or its network 246 administrator, can assess the benefit provided by the Transport 247 Converter service versus the risk. This is one reason why the 248 Transport Converter functionality has to be explicitly requested by 249 an endpoint. 251 This document is organized as follows. First, Section 2 provides a 252 brief overview of the differences between the well-known SOCKS 253 protocol and the 0-RTT Convert protocol. Section 4 provides a brief 254 explanation of the operation of Transport Converters. Then, 255 Section 6 describes the Convert Protocol. Section 7 discusses how 256 Transport Converters can be used to support different TCP extensions. 257 Section 8 then discusses the interactions with middleboxes, while 258 Section 9 focuses on the security considerations. Appendix A 259 describes how a TCP stack would need to support the protocol 260 described in this document. 262 2. Differences with SOCKSv5 264 Several IETF protocols provide proxy services; the closest to the 265 0-RTT Convert protocol being the SOCKSv5 protocol [RFC1928]. This 266 protocol is already used to deploy Multipath TCP in some cellular 267 networks (Section 2.2 of [RFC8041]). 269 A SOCKS Client creates a connection to a SOCKS Proxy, exchanges 270 authentication information, and indicates the IP address and port 271 number of the target Server. At this point, the SOCKS Proxy creates 272 a connection towards the target Server and relays all data between 273 the two proxied connections. The operation of an implementation 274 based on SOCKSv5 (without authentication) is illustrated in Figure 1. 276 Client SOCKS Proxy Server 277 | | | 278 | --------------------> | | 279 | SYN | | 280 | <-------------------- | | 281 | SYN+ACK | | 282 | --------------------> | | 283 | ACK | | 284 | | | 285 | --------------------> | | 286 |Version=5, Auth Methods| | 287 | <-------------------- | | 288 | Method | | 289 | --------------------> | | 290 |Auth Request (unless "No auth" method negotiated) 291 | <-------------------- | | 292 | Auth Response | | 293 | --------------------> | | 294 | Connect Server:Port | --------------------> | 295 | | SYN | 296 | | <-------------------- | 297 | | SYN+ACK | 298 | <-------------------- | | 299 | Succeeded | | 300 | --------------------> | | 301 | Data1 | | 302 | | --------------------> | 303 | | Data1 | 304 | | <-------------------- | 305 | | Data2 | 306 | <-------------------- | | 307 | Data2 | | 308 ... 310 Figure 1: Establishment of a TCP Connection through a SOCKS Proxy 311 Without Authentication 313 When SOCKS is used, an "end-to-end" connection between a Client and a 314 Server becomes a sequence of two TCP connections that are glued 315 together on the SOCKS Proxy. The SOCKS Client and Server exchange 316 control information at the beginning of the bytestream on the Client- 317 Proxy connection. The SOCKS Proxy then creates the connection with 318 the target Server and then glues the two connections together so that 319 all bytes sent by the application (Client) to the SOCKS Proxy are 320 relayed to the Server and vice versa. 322 The Convert Protocol is also used on TCP proxies that relay data 323 between an upstream and a downstream connection, but there are 324 important differences with SOCKSv5. A first difference is that the 325 0-RTT Convert protocol exchanges all the control information during 326 the initial RTT. This reduces the connection establishment delay 327 compared to SOCKS which requires two or more round-trip-times before 328 the establishment of the downstream connection towards the final 329 destination. In today's Internet, latency is a important metric and 330 various protocols have ben tuned to reduce their latency 331 [I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS 332 leverages the TFO (TCP Fast Open) option 333 [I-D.olteanu-intarea-socks-6] to reduce this delay. 335 A second difference is that the Convert Protocol explicitly takes the 336 TCP extensions into account. By using the Convert Protocol, the 337 Client can learn whether a given TCP extension is supported by the 338 destination Server. This enables the Client to bypass the Transport 339 Converter when the Server supports the required TCP extension(s). 340 Neither SOCKSv5 [RFC1928] nor the proposed SOCKSv6 341 [I-D.olteanu-intarea-socks-6] provide such a feature. 343 A third difference is that a Transport Converter will only confirm 344 the establishment of the connection initiated by the Client provided 345 that the downstream connection has already been accepted by the 346 Server. If the Server refuses the connection establishment attempt 347 from the Transport Converter, then the upstream connection from the 348 Client is rejected as well. This feature is important for 349 applications that check the availability of a Server or use the time 350 to connect as a hint on the selection of a Server [RFC8305]. 352 A fourth difference is that the 0-RTT Convert protocol only allows 353 the Client to specify the IP address/port number of the destination 354 server and not a DNS name. We evaluated an alternate design that 355 included the DNS name of the remote peer instead of its IP address as 356 in SOCKS [RFC1928]. However, that design was not adopted because it 357 induces both an extra load and increased delays on the Transport 358 Converter to handle and manage DNS resolution requests. 360 3. Conventions and Definitions 362 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 363 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 364 "OPTIONAL" in this document are to be interpreted as described in BCP 365 14 [RFC2119][RFC8174] when, and only when, they appear in all 366 capitals, as shown here. 368 4. Architecture & Behaviors 370 4.1. Functional Elements 372 The Convert Protocol considers three functional elements: 374 o Clients; 376 o Transport Converters; 378 o Servers. 380 A Transport Converter is a network function that proxies all data 381 exchanged over one upstream connection to one downstream connection 382 and vice versa (Figure 2). The Transport Converter, thus, maintains 383 state that associates one upstream connection to a corresponding 384 downstream connection. 386 A connection can be initiated from both sides of the Transport 387 Converter (Internet-facing interface, customer-facing interface). 389 | 390 : 391 | 392 +------------+ 393 Client <- upstream ->| Transport |<- downstream -> Server 394 connection | Converter | connection 395 +------------+ 396 | 397 customer-facing interface : Internet-facing interface 398 | 400 Figure 2: A Transport Converter Proxies Data between Pairs of TCP 401 Connections 403 "Client" refers to a software instance embedded on a host that can 404 reach a Transport Converter via its customer-facing interface. The 405 "Client" can initiate connections via a Transport Converter (referred 406 to as outgoing connections). Also, the "Client" can accept incoming 407 connections via a Transport Converter (referred to as incoming 408 connections). 410 Transport Converters can be operated by network operators or third 411 parties. Nevertheless, this document focuses on the single 412 administrative deployment case where the entity offering the 413 connectivity service to a client is also the entity which owns and 414 operates the Transport Converter. 416 A Transport Converter can be embedded in a standalone device or be 417 activated as a service on a router. How such function is enabled is 418 deployment-specific. 420 The architecture assumes that new software will be installed on the 421 Client hosts to interact with one or more Transport Converters. 422 Furthermore, the architecture allows for making use of new TCP 423 extensions even if those are not supported by a given server. 425 A Client is configured, through means that are outside the scope of 426 this document, with the names and/or the addresses of one or more 427 Transport Converters and the TCP extensions that they support. The 428 procedure for selecting a Transport Converter among a list of 429 configured Transport Converters is outside the scope of this 430 document. 432 One of the benefits of this design is that different transport 433 protocol extensions can be used on the upstream and the downstream 434 connections. This encourages the deployment of new TCP extensions 435 until they are widely supported by servers, in particular. 437 The architecture does not mandate anything on the Server side. 439 Similar to SOCKS, the architecture does not interfere with end-to-end 440 TLS connections [RFC8446] between the Client and the Server 441 (Figure 3). In other words, end-to-end TLS is supported in the 442 presence of a Converter. 444 Client Transport Server 445 | Converter | 446 | | | 447 /==========================================\ 448 | End-to-end TLS | 449 \==========================================/ 451 * TLS messages exchanged between the Client 452 and the Server are not shown. 454 Figure 3: End-to-end TLS via a Transport Converter 456 It is out of scope of this document to elaborate on specific 457 considerations related to the use of TLS in the Client-Converter 458 connection leg to exchange Convert messages (in addition to the end- 459 to-end TLS connection). 461 4.2. Theory of Operation 463 At a high level, the objective of the Transport Converter is to allow 464 the use a specific extension, e.g., Multipath TCP, on a subset of the 465 path even if the peer does not support this extension. This is 466 illustrated in Figure 4 where the Client initiates a Multipath TCP 467 connection with the Transport Converter (packets belonging to the 468 Multipath TCP connection are shown with "===") while the Transport 469 Converter uses a regular TCP connection with the Server. 471 Client Transport Server 472 | Converter | 473 | | | 474 |==================>|--------------------->| 475 | | | 476 |<==================|<---------------------| 477 | | | 478 Multipath TCP packets Regular TCP packets 480 Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP 481 Connection 483 The packets belonging to a connection established through a Transport 484 Converter may follow a different path than the packets directly 485 exchanged between the Client and the Server. Deployments should 486 minimize the possible additional delay by carefully selecting the 487 location of the Transport Converter used to reach a given 488 destination. 490 When establishing a connection, the Client can, depending on local 491 policies, either contact the Server directly (e.g., by sending a TCP 492 SYN towards the Server) or create the connection via a Transport 493 Converter. In the latter case (that is, the conversion service is 494 used), the Client initiates a connection towards the Transport 495 Converter and indicates the IP address and port number of the Server 496 within the connection establishment packet. Doing so enables the 497 Transport Converter to immediately initiate a connection towards that 498 Server, without experiencing an extra delay. The Transport Converter 499 waits until the receipt of the confirmation that the Server agrees to 500 establish the connection before confirming it to the Client. 502 The Client places the destination address and port number of the 503 Server in the payload of the SYN sent to the Transport Converter to 504 minimize connection establishment delays. The Transport Converter 505 maintains two connections that are combined together: 507 o the upstream connection is the one between the Client and the 508 Transport Converter. 510 o the downstream connection is the one between the Transport 511 Converter and the Server. 513 Any user data received by the Transport Converter over the upstream 514 (or downstream) connection is proxied over the downstream (or 515 upstream) connection. 517 Figure 5 illustrates the establishment of an outgoing TCP connection 518 by a Client through a Transport Converter. 520 o Note: The information shown between brackets in Figure 5 (and 521 other figures in the document) refers to Convert Protocol messages 522 described in Section 6. 524 Transport 525 Client Converter Server 526 | | | 527 |SYN [->Server:port]| SYN | 528 |------------------>|--------------------->| 529 |<------------------|<---------------------| 530 | SYN+ACK [ ] | SYN+ACK | 531 | ... | ... | 533 Figure 5: Establishment of an Outgoing TCP Connection Through a 534 Transport Converter 536 The Client sends a SYN destined to the Transport Converter. The 537 payload of this SYN contains the address and port number of the 538 Server. The Transport Converter does not reply immediately to this 539 SYN. It first tries to create a TCP connection towards the target 540 Server. If this upstream connection succeeds, the Transport 541 Converter confirms the establishment of the connection to the Client 542 by returning a SYN+ACK and the first bytes of the bytestream contain 543 information about the TCP options that were negotiated with the 544 Server. Also, a state entry is instantiated for this connection. 545 This state entry is used by the Converter to handle subsequent 546 messages belonging to the connection. 548 The connection can also be established from the Internet towards a 549 Client via a Transport Converter (Figure 6). This is typically the 550 case when the Client hosts an application server that listens to a 551 specific port number. When the Converter receives an incoming SYN 552 from a remote host, it checks if it can provide the conversion 553 service for the destination IP address and destination port number of 554 that SYN. The Transport Converter receives this SYN because it is, 555 for example, on the path between the remote host and the Client or it 556 provides address sharing service for the Client. If the check fails, 557 the packet is silently ignored by the Converter. If the check is 558 successful, the Converter tries to initiate a TCP connection towards 559 the Client from its own address and using its configured TCP options. 560 In the SYN that corresponds to this connection attempt, the Transport 561 Convert inserts a TLV message that indicates the source address and 562 port number of the remote host. A transport session entry is created 563 by the Converter for this connection. SYN+ACK and ACK will be then 564 exchanged between the Client, the Converter, and remote host to 565 confirm the establishment of the connection. The Converter uses the 566 transport session entry to proxy packets belonging to the connection. 568 Transport Remote 569 Client Converter Host (RH) 570 | | | 571 |SYN [<-RH IP@:port]| SYN | 572 |<------------------|<---------------------| 573 |------------------>|--------------------->| 574 | SYN+ACK [ ] | SYN+ACK | 575 | ... | ... | 577 Figure 6: Establishment of an Incoming TCP Connection Through a 578 Transport Converter 580 Standard TCP ([RFC0793], Section 3.4) allows a SYN packet to carry 581 data inside its payload but forbids the receiver from delivering it 582 to the application until completion of the three-way-handshake. To 583 enable applications to exchange data in a TCP handshake, this 584 specification follows an approach similar to TCP Fast Open [RFC7413] 585 and thus removes the constraint by allowing data in SYN packets to be 586 delivered to the Transport Converter application. 588 As discussed in [RFC7413], such change to TCP semantic raises two 589 issues. First, duplicate SYNs can cause problems for some 590 applications that rely on TCP. Second, TCP suffers from SYN flooding 591 attacks [RFC4987]. TFO solves these two problems for applications 592 that can tolerate replays by using the TCP Fast Open option that 593 includes a cookie. However, the utilization of this option consumes 594 space in the limited TCP header. Furthermore, there are situations, 595 as noted in Section 7.3 of [RFC7413] where it is possible to accept 596 the payload of SYN packets without creating additional security risks 597 such as a network where addresses cannot be spoofed and the Transport 598 Converter only serves a set of hosts that are identified by these 599 addresses. 601 For these reasons, this specification does not mandate the use of the 602 TCP Fast Open option when the Client sends a connection establishment 603 packet towards a Transport Converter. The Convert Protocol includes 604 an optional Cookie TLV that provides similar protection as the TCP 605 Fast Open option without consuming space in the TCP header. 606 Furthermore, this design allows for the use of longer cookies than 607 [RFC7413]. 609 If the downstream (or upstream) connection fails for some reason 610 (excessive retransmissions, reception of an RST segment, etc.), then 611 the Converter reacts by forcing the tear-down of the upstream (or 612 downstream) connection. 614 The same reasoning applies when the upstream connection ends with an 615 exchange of FIN packets. In this case, the Converter will also 616 terminate the downstream connection by using FIN packets. If the 617 downstream connection terminates with the exchange of FIN packets, 618 the Converter should initiate a graceful termination of the upstream 619 connection. 621 4.3. Data Processing at the Transport Converter 623 As mentioned in Section 4.2, the Transport Converter acts as a TCP 624 proxy between the upstream connection (i.e., between the Client and 625 the Transport Converter) and the downstream connection (i.e., between 626 the Transport Converter and the Server). 628 The control messages, discussed in Section 6, establish state 629 (called, transport session entry) in the Transport Converter that 630 will enable it to proxy between the two TCP connections. 632 The Transport Converter uses the transport session entry to proxy 633 packets belonging to the connection. An implementation example of a 634 transport session entry for TCP connections is shown in Figure 7. 636 (C,c) <--> (T,t), (S,s), Lifetime 638 Where: 639 * C and c are the source IP address and source port number 640 used by the Client for the upstream connection. 641 * S and s are the Server's IP address and port number. 642 * T and t are the source IP address and source port number 643 used by the Transport Converter to proxy the connection. 644 * Lifetime is the validity lifetime of the entry as assigned 645 by the Converter. 647 Figure 7: An Example of Transport Session Entry (TCP) 649 Clients send packets bound to connections eligible to the conversion 650 service to the provisioned Transport Converter and destination port 651 number. This applies for both control messages and data. Additional 652 information is supplied by Clients to the Transport Converter by 653 means of Convert messages as detailed in Section 6. User data can be 654 included in SYN or non-SYN messages. User data is unambiguously 655 distinguished from Convert TLVs by a Transport Converter owing to the 656 Convert Fixed Header in the Convert messages (Section 6.1). These 657 Convert TLVs are destined to the Transport Convert and are, thus, 658 removed by the Transport Converter when proxying between the two 659 connections. 661 Upon receipt of a packet that belongs to an existing connection 662 between a Client and the Transport Converter the Converter proxies 663 the user data to the Server using the information stored in the 664 corresponding transport session entry. For example, in reference to 665 Figure 7, the Transport Converter proxies the data received from (C, 666 c) downstream using (T,t) as source transport address and (S,s) as 667 destination transport address. 669 A similar process happens for data sent from the Server. The 670 Converter acts as a TCP proxy and sends the data to the Client 671 relying upon the information stored in a transport session entry. 672 The Converter associates a lifetime with state entries used to bind 673 an upstream connection with its downstream connection. 675 When Multipath TCP is used between the Client and the Transport 676 Converter, the Converter maintains more state (e.g. information about 677 the subflows) for each Multipath TCP connection. The procedure 678 described above continues to apply except that the Converter needs to 679 manage the establishment/termination of subflows and schedule packets 680 among the established ones. These operations are part of the 681 Multipath TCP implementation. They are independent of the Convert 682 protocol that only processes the Convert messages in the beginning of 683 the bytestream. 685 A Transport Converter may operate in address preservation mode (that 686 is, the Converter does not rewrite the source IP address (i.e., 687 C==T)) or address sharing mode (that is, an address pool is shared 688 among all Clients serviced by the Converter (i.e., C!=T)); refer to 689 Section 4.4 for more details. Which behavior to use by a Transport 690 Converter is deployment-specific. If address sharing mode is 691 enabled, the Transport Converter MUST adhere to REQ-2 of [RFC6888] 692 which implies a default "IP address pooling" behavior of "Paired" (as 693 defined in Section 4.1 of [RFC4787]) MUST be supported. This 694 behavior is meant to avoid breaking applications that depend on the 695 source address remaining constant. 697 4.4. Address Preservation vs. Address Sharing 699 The Transport Converter is provided with instructions about the 700 behavior to adopt with regards to the processing of source addresses 701 of outgoing packets. The following sub-sections discusses two 702 deployment models for illustration purposes. It is out of the scope 703 of this document to make a recommendation. 705 4.4.1. Address Preservation 707 In this model, the visible source IP address of a packet proxied by a 708 Transport Converter to a Server is an IP address of the end host 709 (Client). No dedicated IP address pool is provisioned to the 710 Transport Converter, but the the Transport Converter is located on 711 the path between the Client and the Server. 713 For Multipath TCP, the Transport Converter preserves the source IP 714 address used by the Client when establishing the initial subflow. 715 Data conveyed in secondary subflows will be proxied by the Transport 716 Converter using the source IP address of the initial subflow. An 717 example of a proxied Multipath TCP connection with address 718 preservation is shown in Figure 8. 720 Transport 721 Client Converter Server 723 @:C1,C2 @:Tc @:S 724 || | | 725 |src:C1 SYN dst:Tc|src:C1 dst:S| 726 |-------MPC [->S:port]------->|-------SYN------->| 727 || | | 728 ||dst:C1 src:Tc|dst:C1 src:S| 729 |<---------SYN/ACK------------|<-----SYN/ACK-----| 730 || | | 731 |src:C1 dst:Tc|src:C1 dst:S| 732 |------------ACK------------->|-------ACK------->| 733 | | | 734 |src:C2 ... dst:Tc| ... | 735 ||<-----Secondary Subflow---->|src:C1 dst:S| 736 || |-------data------>| 737 | .. | ... | 739 Legend: 740 Tc: IP address used by the Transport Converter on its customer-facing 741 interface. 743 Figure 8: Example of Address Preservation 745 The Transport Converter must be on the forwarding path of incoming 746 traffic. Because the same (destination) IP address is used for both 747 proxied and non-proxied connections, the Transport Converter should 748 not drop incoming packets it intercepts if no matching entry is found 749 for the packets. Unless explicitly configured otherwise, such 750 packets are forwarded according to the instructions of a local 751 forwarding table. 753 4.4.2. Address/Prefix Sharing 755 A pool of global IPv4 addresses is provisioned to the Transport 756 Converter along with possible instructions about the address sharing 757 ratio to apply (see Appendix B of [RFC6269]). An address is thus 758 shared among multiple clients. 760 Likewise, rewriting the source IPv6 prefix [RFC6296] may be used to 761 ease redirection of incoming IPv6 traffic towards the appropriate 762 Transport Converter. A pool of IPv6 prefixes is then provisioned to 763 the Transport Converter for this purpose. 765 Adequate forwarding policies are enforced so that traffic destined to 766 an address of such pool is intercepted by the appropriate Transport 767 Converter. Unlike Section 4.4.1, the Transport Converter drops 768 incoming packets which do not match an active transport session 769 entry. 771 An example is shown in Figure 9. 773 Transport 774 Client Converter Server 776 @:C @:Tc|Te @:S 777 | | | 778 |src:C dst:Tc|src:Te dst:S| 779 |-------SYN [->S:port]------->|-------SYN------->| 780 | | | 781 |dst:C src:Tc|dst:Te src:S| 782 |<---------SYN/ACK------------|<-----SYN/ACK-----| 783 | | | 784 |src:C dst:Tc|src:Te dst:S| 785 |------------ACK------------->|-------ACK------->| 786 | | | 787 | ... | ... | 789 Legend: 790 Tc: IP address used by the Transport Converter for its customer-facing 791 interface. 792 Te: IP address used by the Transport Converter for its Internet-facing 793 interface. 795 Figure 9: Address Sharing 797 5. Sample Examples 799 5.1. Outgoing Converter-Assisted Multipath TCP Connections 801 As an example, let us consider how the Convert Protocol can help the 802 deployment of Multipath TCP. We assume that both the Client and the 803 Transport Converter support Multipath TCP, but consider two different 804 cases depending on whether the Server supports Multipath TCP or not. 806 As a reminder, a Multipath TCP connection is created by placing the 807 MP_CAPABLE (MPC) option in the SYN sent by the Client. 809 Figure 10 describes the operation of the Transport Converter if the 810 Server does not support Multipath TCP. 812 Transport 813 Client Converter Server 814 |SYN, MPC | | 815 |[->Server:port] | SYN, MPC | 816 |------------------>|--------------------->| 817 |<------------------|<---------------------| 818 | SYN+ACK,MPC [.] | SYN+ACK | 819 |------------------>|--------------------->| 820 | ACK, MPC | ACK | 821 | ... | ... | 823 Figure 10: Establishment of a Multipath TCP Connection through a 824 Transport Converter towards a Server that does not support Multipath 825 TCP 827 The Client tries to initiate a Multipath TCP connection by sending a 828 SYN with the MP_CAPABLE option (MPC in Figure 10). The SYN includes 829 the address and port number of the target Server, that are extracted 830 and used by the Transport Converter to initiate a Multipath TCP 831 connection towards this Server. Since the Server does not support 832 Multipath TCP, it replies with a SYN+ACK that does not contain the 833 MP_CAPABLE option. The Transport Converter notes that the connection 834 with the Server does not support Multipath TCP and returns the 835 extended TCP header received from the Server to the Client. 837 Note that, if the TCP connection is reset for some reason, the 838 Converter tears down the Multipath TCP connection by transmitting a 839 MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with 840 the transmission of DATA_FINs, the Converter terminates the TCP 841 connection by using FIN segments. As a side note, given that with 842 Multipath TCP, RST only has the scope of the subflow and will only 843 close the concerned subflow but not affect the remaining subflows, 844 the Converter does not terminate the downstream TCP connection upon 845 receipt of an RST over a Multipath subflow. 847 Figure 11 considers a Server that supports Multipath TCP. In this 848 case, it replies to the SYN sent by the Transport Converter with the 849 MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport 850 Converter confirms the establishment of the connection to the Client 851 and indicates to the Client that the Server supports Multipath TCP. 852 With this information, the Client has discovered that the Server 853 supports Multipath TCP. This will enable the Client to bypass the 854 Transport Converter for the subsequent Multipath TCP connections that 855 it will initiate towards this Server. 857 Transport 858 Client Converter Server 859 |SYN, MPC | | 860 |[->Server:port] | SYN, MPC | 861 |------------------>|--------------------->| 862 |<------------------|<---------------------| 863 |SYN+ACK, MPC | SYN+ACK, MPC | 864 |[MPC supported] | | 865 |------------------>|--------------------->| 866 | ACK, MPC | ACK, MPC | 867 | ... | ... | 869 Figure 11: Establishment of a Multipath TCP Connection through a 870 Converter towards an MPTCP-capable Server 872 5.2. Incoming Converter-Assisted Multipath TCP Connection 874 An example of an incoming Converter-assisted Multipath TCP connection 875 is depicted in Figure 12. In order to support incoming connections 876 from remote hosts, the Client may use PCP [RFC6887] to instruct the 877 Transport Converter to create dynamic mappings. Those mappings will 878 be used by the Transport Converter to intercept an incoming TCP 879 connection destined to the Client and convert it into a Multipath TCP 880 connection. 882 Typically, the Client sends a PCP request to the Converter asking to 883 create an explicit TCP mapping for (internal IP address, internal 884 port number). The Converter accepts the request by creating a TCP 885 mapping (internal IP address, internal port number, external IP 886 address, external port number). The external IP address and external 887 port number will be then advertised using an out-of-band mechanism so 888 that remote hosts can initiate TCP connections to the Client via the 889 Converter. Note that the external and internal information may be 890 the same. 892 Then, when the Converter receives an incoming SYN, it checks its 893 mapping table to verify if there is an active mapping matching the 894 destination IP address and destination port of that SYN. If no entry 895 is found, the Converter silently ignores the message. If an entry is 896 found, the Converter inserts an MP_CAPABLE option and Connect TLV in 897 the SYN packet, rewrites the source IP address to one of its IP 898 addresses and, eventually, the destination IP address and port number 899 in accordance with the information stored in the mapping. SYN+ACK 900 and ACK will be then exchanged between the Client and the Converter 901 to confirm the establishment of the initial subflow. The Client can 902 add new subflows following normal Multipath TCP procedures. 904 Transport Remote 905 Client Converter Host 906 | | | 907 |<--------------------|<-------------------| 908 |SYN, MPC | SYN | 909 |[Remote Host:port] | | 910 |-------------------->|------------------->| 911 | SYN+ACK, MPC | SYN+ACK | 912 |<--------------------|<-------------------| 913 | ACK, MPC | ACK | 914 | ... | ... | 916 Figure 12: Establishment of an Incoming Multipath TCP Connection 917 through a Transport Converter 919 It is out of scope of this document to define specific Convert TLVs 920 to manage incoming connections. These TLVs can be defined in a 921 separate document. 923 6. The Convert Protocol (Convert) 925 This section defines the Convert Protocol (Convert, for short) 926 messages that are exchanged between a Client and a Transport 927 Converter. 929 The Transport Converter listens on a dedicated TCP port number for 930 Convert messages from Clients. That port number is configured by an 931 administrator. Absent any policy, the Transport Converter SHOULD 932 silently ignore SYNs with no Convert TLVs. 934 Convert messages may appear only in a SYN, SYN+ACK, or in an ACK that 935 is sent shortly after the SYN+ACK. 937 Convert messages MUST be included as the first bytes of the 938 bytestream. All Convert messages starts with a 32 bits long fixed 939 header (Section 6.1) followed by one or more Convert TLVs (Type, 940 Length, Value) (Section 6.2). 942 If the initial SYN message contains user data in its payload (e.g., 943 [RFC7413]), that data MUST be placed right after the Convert TLVs 944 when generating the SYN. 946 o Implementation note 1: Several implementers expressed concerns 947 about the use of TFO. As a reminder, the TFO Cookie protects from 948 some attack scenarios that affect open servers like web servers. 949 The Convert Protocol is different and, as discussed in RFC7413, 950 there are different ways to protect from such attacks. Instead of 951 using a TFO cookie inside the TCP options, which consumes precious 952 space in the extended TCP header, the Convert Protocol supports 953 the utilization of a Cookie that is placed in the SYN payload. 954 This provides the same level of protection as a TFO Cookie in 955 environments were such protection is required. 957 o Implementation note 2: Error messages are not included in RST but 958 sent in the bytestream. Implementers have indicated that 959 processing RST on clients was difficult on some platforms. This 960 design simplifies client implementations. 962 6.1. The Convert Fixed Header 964 The Convert Protocol uses a 32 bits long fixed header that is sent by 965 both the Client and the Transport Converter over each established 966 connection. This header indicates both the version of the protocol 967 used and the length of the Convert message. 969 The Client and the Transport Converter MUST send the fixed-sized 970 header, shown in Figure 13, as the first four bytes of the 971 bytestream. 973 1 2 3 974 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 975 +---------------+---------------+-------------------------------+ 976 | Version | Total Length | Unassigned | 977 +---------------+---------------+-------------------------------+ 979 Figure 13: The Convert Fixed Header 981 The Version is encoded as an 8 bits unsigned integer value. This 982 document specifies version 1. Version 0 is reserved by this document 983 and MUST NOT be used. 985 The Total Length is the number of 32 bits word, including the header, 986 of the bytestream that are consumed by the Convert messages. Since 987 Total Length is also an 8 bits unsigned integer, those messages 988 cannot consume more than 1020 bytes of data. This limits the number 989 of bytes that a Transport Converter needs to process. A Total Length 990 of zero is invalid and the connection MUST be reset upon reception of 991 a header with such total length. 993 The Unassigned field MUST be set to zero in this version of the 994 protocol. These bits are available for future use. 996 The Total Length field unambiguously marks the number of 32 bits 997 words that carry Convert TLVs in the beginning of the bytestream. 999 6.2. Convert TLVs 1001 6.2.1. Generic Convert TLV Format 1003 The Convert Protocol uses variable length messages that are encoded 1004 using the generic TLV format depicted in Figure 14. 1006 The length of all TLVs used by the Convert Protocol is always a 1007 multiple of four bytes. All TLVs are aligned on 32 bits boundaries. 1008 All TLV fields are encoded using the network byte order. 1010 1 2 3 1011 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1012 +---------------+---------------+-------------------------------+ 1013 | Type | Length | Value ... | 1014 +---------------+---------------+-------------------------------+ 1015 // ... (optional) Value // 1016 +---------------------------------------------------------------+ 1018 Figure 14: Convert Generic TLV Format 1020 The Length field covers Type, Length, and Value fields. It is 1021 expressed in units of 32 bits words. If necessary, Value MUST be 1022 padded with zeroes so that the length of the TLV is a multiple of 32 1023 bits. 1025 A given TLV MUST only appear once on a connection. If a Client 1026 receives two or more instances of the same TLV over a Convert 1027 connection, it MUST reset the associated TCP connection. If a 1028 Converter receives two or more instances of the same TLV over a 1029 Convert connection, it MUST return a Malformed Message Error TLV and 1030 close the associated TCP connection. 1032 6.2.2. Summary of Supported Convert TLVs 1034 This document specifies the following Convert TLVs: 1036 +------+-----+----------+------------------------------------------+ 1037 | Type | Hex | Length | Description | 1038 +------+-----+----------+------------------------------------------+ 1039 | 1 | 0x1 | 1 | Info TLV | 1040 | 10 | 0xA | Variable | Connect TLV | 1041 | 20 | 0x14| Variable | Extended TCP Header TLV | 1042 | 21 | 0x15| Variable | Supported TCP Extensions TLV | 1043 | 22 | 0x16| Variable | Cookie TLV | 1044 | 30 | 0x1E| Variable | Error TLV | 1045 +------+-----+----------+------------------------------------------+ 1047 Figure 15: The TLVs used by the Convert Protocol 1049 Type 0x0 is a reserved value. If a Client receives a TLV of type 1050 0x0, it MUST reset the associated TCP connection. If a Converter 1051 receives a TLV of type 0x0, it MUST return an Unsupported Message 1052 Error TLV and close the associated TCP connection. 1054 The Client typically sends in the first connection it established 1055 with a Transport Converter the Info TLV (Section 6.2.3) to learn its 1056 capabilities. Assuming the Client is authorized to invoke the 1057 Transport Converter, the latter replies with the Supported TCP 1058 Extensions TLV (Section 6.2.4). 1060 The Client can request the establishment of connections to servers by 1061 using the Connect TLV (Section 6.2.5). If the connection can be 1062 established with the final server, the Transport Converter replies 1063 with the Extended TCP Header TLV (Section 6.2.6). If not, the 1064 Transport Converter MUST return an Error TLV (Section 6.2.8) and then 1065 closes the connection. The Transport Converter MUST NOT send an RST 1066 immediately after the detection of an error to let the Error TLV 1067 reach the Client. As explained later, the Client will anyway send an 1068 RST upon reception of the Error TLV. 1070 6.2.3. The Info TLV 1072 The Info TLV (Figure 16) is an optional TLV which can be sent by a 1073 Client to request the TCP extensions that are supported by a 1074 Transport Converter. It is typically sent on the first connection 1075 that a Client establishes with a Transport Converter to learn its 1076 capabilities. Assuming a Client is entitled to invoke the Transport 1077 Converter, the latter replies with the Supported TCP Extensions TLV 1078 described in Section 6.2.4. 1080 1 2 3 1081 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1082 +---------------+---------------+-------------------------------+ 1083 | Type=0x1 | Length | Zero | 1084 +---------------+---------------+-------------------------------+ 1086 Figure 16: The Info TLV 1088 6.2.4. Supported TCP Extensions TLV 1090 The Supported TCP Extensions TLV (Figure 17) is used by a Transport 1091 Converter to announce the TCP options for which it provides a 1092 conversion service. A Transport Converter SHOULD include in this 1093 list the TCP options that it supports in outgoing SYNs. 1095 Each supported TCP option is encoded with its TCP option Kind listed 1096 in the "TCP Parameters" registry maintained by IANA. 1098 1 2 3 1099 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1100 +---------------+---------------+-------------------------------+ 1101 | Type=0x15 | Length | Unassigned | 1102 +---------------+---------------+-------------------------------+ 1103 | Kind #1 | Kind #2 | ... | 1104 +---------------+---------------+-------------------------------+ 1105 / ... / 1106 / / 1107 +---------------------------------------------------------------+ 1109 Figure 17: The Supported TCP Extensions TLV 1111 TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by 1112 all TCP implementations and thus MUST NOT appear in this list. 1114 The list of Supported TCP Extensions is padded with 0 to end on a 32 1115 bits boundary. 1117 For example, if the Transport Converter supports Multipath TCP, 1118 Kind=30 will be present in the Supported TCP Extensions TLV that it 1119 returns in response to Info TLV. 1121 6.2.5. Connect TLV 1123 The Connect TLV (Figure 18) is used to request the establishment of a 1124 connection via a Transport Converter. This connection can be from or 1125 to a Client. 1127 The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain 1128 the destination port number and IP address of the Server, for 1129 outgoing connections. For incoming connections destined to a Client 1130 serviced via a Transport Converter, these fields convey the source 1131 port number and IP address of the SYN packet received by the 1132 Transport Converter from the server. 1134 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 1135 addresses MUST be encoded using the IPv4-Mapped IPv6 Address format 1136 defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT 1137 include multicast, broadcast, and host loopback addresses [RFC6890]. 1138 If a Converter receives a Connect TLVs with such invalid addresses, 1139 it MUST reply with a Malformed Message Error TLV and close the 1140 associated TCP connection. 1142 We distinguish two types of Connect TLV based on their length: (1) 1143 the Base Connect TLV has a length of 20 bytes and contains a remote 1144 address and a remote port (Figure 18), (2) the Extended Connect TLV 1145 spans more than 20 bytes and also includes the optional 'TCP Options' 1146 field (Figure 19). This field is used to request the advertisement 1147 of specific TCP options to the server. 1149 1 2 3 1150 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1151 +---------------+---------------+-------------------------------+ 1152 | Type=0xA | Length | Remote Peer Port | 1153 +---------------+---------------+-------------------------------+ 1154 | | 1155 | Remote Peer IP Address (128 bits) | 1156 | | 1157 | | 1158 +---------------------------------------------------------------+ 1160 Figure 18: The Base Connect TLV 1161 1 2 3 1162 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1163 +---------------+---------------+-------------------------------+ 1164 | Type=0xA | Length | Remote Peer Port | 1165 +---------------+---------------+-------------------------------+ 1166 | | 1167 | Remote Peer IP Address (128 bits) | 1168 | | 1169 | | 1170 +---------------------------------------------------------------+ 1171 / TCP Options (Variable) / 1172 / ... / 1173 +---------------------------------------------------------------+ 1175 Figure 19: The Extended Connect TLV 1177 The 'TCP Options' field is a variable length field that carries a 1178 list of TCP option fields (Figure 20). Each TCP option field is 1179 encoded as a block of 2+n bytes where the first byte is the TCP 1180 option Kind and the second byte is the length of the TCP option as 1181 specified in [RFC0793]. The minimum value for the TCP option Length 1182 is 2. The TCP options that do not include a length sub-field, i.e., 1183 option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be 1184 placed inside the TCP options field of the Connect TLV. The optional 1185 Value field contains the variable-length part of the TCP option. A 1186 length of two indicates the absence of the Value field. The TCP 1187 options field always ends on a 32 bits boundary after being padded 1188 with zeros. 1190 1 2 3 1191 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1192 +---------------+---------------+---------------+---------------+ 1193 | TCPOpt kind | TCPOpt Length | Value (opt) | .... | 1194 +---------------+---------------+---------------+---------------+ 1195 | .... | 1196 +---------------------------------------------------------------+ 1197 | ... | 1198 +---------------------------------------------------------------+ 1200 Figure 20: The TCP Options Field 1202 Upon reception of a Base Connect TLV, and absent any policy (e.g., 1203 rate-limit) or resource exhaustion conditions, a Transport Converter 1204 attempts to establish a connection to the address and port that it 1205 contains. The Transport Converter MUST use by default the TCP 1206 options that correspond to its local policy to establish this 1207 connection. These are the options that it advertises in the 1208 Supported TCP Extensions TLV. 1210 Upon reception of an Extended Connect TLV, a Transport Converter 1211 first checks whether it supports the TCP Options listed in the 'TCP 1212 Options' field. If not, it returns an error message (Section 6.2.8). 1213 If the above check succeeded and absent any rate limit policy or 1214 resource exhaustion conditions, a Transport Converter MUST attempt to 1215 establish a connection to the address and port that it contains. It 1216 MUST include in the SYN that it sends to the Server the options 1217 listed in the 'TCP Options' sub-field and the TCP options that it 1218 would have used according to its local policies. For the TCP options 1219 that are included in the TCP Options field without an optional value, 1220 the Transport Converter MUST generate its own value. For the TCP 1221 options that are included in the 'TCP Options' field with an optional 1222 value, it MUST copy the entire option in the SYN sent to the remote 1223 server. This procedure is designed with TFO in mind. Particularly, 1224 this procedure allows to successfully exchange a TFO Cookie between 1225 the client and the server. See Section 7 for a detailed discussion 1226 of the different types of TCP options. 1228 The Transport Converter may refuse a Connect TLV request for various 1229 reasons (e.g., authorization failed, out of resources, invalid 1230 address type, unsupported TCP option). An error message indicating 1231 the encountered error is returned to the requesting Client 1232 (Section 6.2.8). In order to prevent denial-of-service attacks, 1233 error messages sent to a Client SHOULD be rate-limited. 1235 6.2.6. Extended TCP Header TLV 1237 The Extended TCP Header TLV (Figure 21) is used by the Transport 1238 Converter to return to the Client the TCP options that were returned 1239 by the Server in the SYN+ACK packet. A Transport Converter MUST 1240 return this TLV if the Client sent an Extended Connect TLV and the 1241 connection was accepted by the server. 1243 1 2 3 1244 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1245 +---------------+---------------+-------------------------------+ 1246 | Type=0x14 | Length | Unassigned | 1247 +---------------+---------------+-------------------------------+ 1248 / Returned Extended TCP header / 1249 / ... / 1250 +---------------------------------------------------------------+ 1252 Figure 21: The Extended TCP Header TLV 1254 The Returned Extended TCP header field is a copy of the TCP Options 1255 that were included in the SYN+ACK received by the Transport 1256 Converter. 1258 The Unassigned field MUST be set to zero by the sender and ignored by 1259 the receiver. 1261 6.2.7. The Cookie TLV 1263 The Cookie TLV (Figure 22) is an optional TLV which is similar to the 1264 TCP Fast Open Cookie [RFC7413]. A Transport Converter may want to 1265 verify that a Client can receive the packets that it sends to prevent 1266 attacks from spoofed addresses. This verification can be done by 1267 using a Cookie that is bound to, for example, the IP address(es) of 1268 the Client. This Cookie can be configured on the Client by means 1269 that are outside of this document or provided by the Transport 1270 Converter as follows. 1272 A Transport Converter that has been configured to use the optional 1273 Cookie TLV MUST verify the presence of this TLV in the payload of the 1274 received SYN. If this TLV is present, the Transport Converter MUST 1275 validate the Cookie by means similar to those in Section 4.1.2 of 1276 [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the 1277 connection establishment procedure can continue. Otherwise, the 1278 Transport Converter MUST return an Error TLV set to "Not Authorized" 1279 and close the connection. 1281 If the received SYN did not contain a Cookie TLV, and cookie 1282 validation is required, the Transport Converter MAY compute a Cookie 1283 bound to this Client address. In such case, the Transport Converter 1284 MUST return an Error TLV set to "Missing Cookie" and the computed 1285 Cookie and close the connection. The Client will react to this error 1286 by first issuing a reset to terminate the connection. It also stores 1287 the received Cookie in its cache and attempts to reestablish a new 1288 connection to the Transport Converter that includes the Cookie TLV. 1290 The format of the Cookie TLV is shown in Figure 22. 1292 1 2 3 1293 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1294 +---------------+---------------+-------------------------------+ 1295 | Type=0x16 | Length | Zero | 1296 +---------------+---------------+-------------------------------+ 1297 / Opaque Cookie / 1298 / ... / 1299 +---------------------------------------------------------------+ 1301 Figure 22: The Cookie TLV 1303 6.2.8. Error TLV 1305 The Error TLV (Figure 23) is meant to provide information about some 1306 errors that occurred during the processing of a Convert message. 1307 This TLV has a variable length. Upon reception of an Error TLV, a 1308 Client MUST reset the associated connection. 1310 An Error TLV can be included in the SYN+ACK or an ACK sent shortly 1311 after the SYN+ACK. 1313 1 2 3 1314 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1315 +---------------+---------------+----------------+--------------+ 1316 | Type=0x1E | Length | Error Code | Value | 1317 +---------------+---------------+----------------+--------------+ 1318 // ... (optional) Value // 1319 +---------------------------------------------------------------+ 1321 Figure 23: The Error TLV 1323 Different types of errors can occur while processing Convert 1324 messages. Each error is identified by an Error Code represented as 1325 an unsigned integer. Four classes of error codes are defined: 1327 o Message validation and processing errors (0-31 range): returned 1328 upon reception of an invalid message (including valid messages but 1329 with invalid or unknown TLVs). 1331 o Client-side errors (32-63 range): the Client sent a request that 1332 could not be accepted by the Transport Converter (e.g., 1333 unsupported operation). 1335 o Converter-side errors (64-95 range): problems encountered on the 1336 Transport Converter (e.g., lack of resources) which prevent it 1337 from fulfilling the Client's request. 1339 o Errors caused by the destination server (96-127 range): the final 1340 destination could not be reached or it replied with a reset. 1342 The following error codes are defined in this document: 1344 o Unsupported Version (0): The version number indicated in the fixed 1345 header of a message received from a peer is not supported. 1347 This error code MUST be generated by a peer (e.g. Transport 1348 Converter) when it receives a request having a version number that 1349 it does not support. 1351 The value field MUST be set to the version supported by the peer. 1352 When multiple versions are supported by the peer, it includes the 1353 list of supported version in the value field; each version is 1354 encoded in 8 bits. The list of supported versions should be 1355 padded with zeros to end on a 32 bits boundary. 1357 Upon receipt of this error code, the remote peer (e.g., Client) 1358 checks whether it supports one of the versions returned by the 1359 peer. The highest common supported version MUST be used by the 1360 remote peer in subsequent exchanges with the peer. 1362 o Malformed Message (1): This error code is sent to indicate that a 1363 message received from a peer cannot be successfully parsed and 1364 validated. 1366 Typically, this error code is sent by the Transport Converter if 1367 it receives a Connect TLV enclosing a multicast, broadcast, or 1368 loopback IP address. 1370 To ease troubleshooting, the value field MUST echo the received 1371 message shifted by one byte to keep to original alignment of the 1372 message. 1374 o Unsupported Message (2): This error code is sent to indicate that 1375 a message type received from a Client is not supported. 1377 To ease troubleshooting, the value field MUST echo the received 1378 message shifted by one byte to keep to original alignment of the 1379 message. 1381 o Missing Cookie (3): If a Transport Converter requires the 1382 utilization of Cookies to prevent spoofing attacks and a Cookie 1383 TLV was not included in the Convert message, the Transport 1384 Converter MUST return this error to the requesting client only if 1385 it computes a cookie for this client. The first byte of the value 1386 field MUST be set to zero and the remaining bytes of the Error TLV 1387 contain the Cookie computed by the Transport Converter for this 1388 Client. 1390 A Client which receives this error code SHOULD cache the received 1391 Cookie and include it in subsequent Convert messages sent to that 1392 Transport Converter. 1394 o Not Authorized (32): This error code indicates that the Transport 1395 Converter refused to create a connection because of a lack of 1396 authorization (e.g., administratively prohibited, authorization 1397 failure, invalid Cookie TLV, etc.). The Value field MUST be set 1398 to zero. 1400 This error code MUST be sent by the Transport Converter when a 1401 request cannot be successfully processed because the authorization 1402 failed. 1404 o Unsupported TCP Option (33): A TCP option that the Client 1405 requested to advertise to the final Server cannot be safely used. 1407 The Value field is set to the type of the unsupported TCP option. 1408 If several unsupported TCP options were specified in the Connect 1409 TLV, then the list of unsupported TCP options is returned. The 1410 list of unsupported TCP options MUST be padded with zeros to end 1411 on a 32 bits boundary. 1413 o Resource Exceeded (64): This error indicates that the Transport 1414 Converter does not have enough resources to perform the request. 1416 This error MUST be sent by the Transport Converter when it does 1417 not have sufficient resources to handle a new connection. The 1418 Transport Converter may indicate in the Value field the suggested 1419 delay (in seconds) that the Client SHOULD wait before soliciting 1420 the Transport Converter for a new proxied connection. A Value of 1421 zero corresponds to a default delay of at least 30 seconds. 1423 o Network Failure (65): This error indicates that the Transport 1424 Converter is experiencing a network failure to proxy the request. 1426 The Transport Converter MUST send this error code when it 1427 experiences forwarding issues to proxy a connection. The 1428 Transport Converter may indicate in the Value field the suggested 1429 delay (in seconds) that the Client SHOULD wait before soliciting 1430 the Transport Converter for a new proxied connection. A Value of 1431 zero corresponds to a default delay of at least 30 seconds. 1433 o Connection Reset (96): This error indicates that the final 1434 destination responded with an RST packet. The Value field MUST be 1435 set to zero. 1437 o Destination Unreachable (97): This error indicates that an ICMP 1438 destination unreachable, port unreachable, or network unreachable 1439 was received by the Transport Converter. The Value field MUST 1440 echo the Code field of the received ICMP message. 1442 Figure 24 summarizes the different error codes. 1444 +-------+------+-----------------------------------------------+ 1445 | Error | Hex | Description | 1446 +-------+------+-----------------------------------------------+ 1447 | 0 | 0x00 | Unsupported Version | 1448 | 1 | 0x01 | Malformed Message | 1449 | 2 | 0x02 | Unsupported Message | 1450 | 3 | 0x03 | Missing Cookie | 1451 | 32 | 0x20 | Not Authorized | 1452 | 33 | 0x21 | Unsupported TCP Option | 1453 | 64 | 0x40 | Resource Exceeded | 1454 | 65 | 0x41 | Network Failure | 1455 | 96 | 0x60 | Connection Reset | 1456 | 97 | 0x61 | Destination Unreachable | 1457 +-------+------+-----------------------------------------------+ 1459 Figure 24: Convert Error Values 1461 7. Compatibility of Specific TCP Options with the Conversion Service 1463 In this section, we discuss how several deployed standard track TCP 1464 options can be supported through the Convert Protocol. The other TCP 1465 options will be discussed in other documents. 1467 7.1. Base TCP Options 1469 Three TCP options were initially defined in [RFC0793]: End-of-Option 1470 List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size 1471 (Kind=2). The first two options are mainly used to pad the TCP 1472 header. There is no reason for a client to request a Transport 1473 Converter to specifically send these options towards the final 1474 destination. 1476 The Maximum Segment Size option (Kind=2) is used by a host to 1477 indicate the largest segment that it can receive over each 1478 connection. This value is function of the stack that terminates the 1479 TCP connection. There is no reason for a Client to request a 1480 Transport Converter to advertise a specific MSS value to a remote 1481 server. 1483 A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they 1484 appear in a Connect TLV. It MUST NOT announce them in a Supported 1485 TCP Extensions TLV. 1487 7.2. Window Scale (WS) 1489 The Window Scale (WS) option (Kind=3) is defined in [RFC7323]. As 1490 for the MSS option, the window scale factor that is used for a 1491 connection strongly depends on the TCP stack that handles the 1492 connection. When a Transport Converter opens a TCP connection 1493 towards a remote server on behalf of a Client, it SHOULD use a WS 1494 option with a scaling factor that corresponds to the configuration of 1495 its stack. A local configuration MAY allow for WS option in the 1496 proxied message to be function of the scaling factor of the incoming 1497 connection. 1499 There is no benefit from a deployment viewpoint in enabling a Client 1500 of a Transport Converter to specifically request the utilization of 1501 the WS option (Kind=3) with a specific scaling factor towards a 1502 remote Server. For this reason, a Transport Converter MUST ignore 1503 option Kind=3 if it appears in a Connect TLV. It MUST NOT announce 1504 it in a Supported TCP Extensions TLV. 1506 7.3. Selective Acknowledgments 1508 Two distinct TCP options were defined to support selective 1509 acknowledgments in [RFC2018]. This first one, SACK Permitted 1510 (Kind=4), is used to negotiate the utilization of selective 1511 acknowledgments during the three-way handshake. The second one, SACK 1512 (Kind=5), carries the selective acknowledgments inside regular 1513 segments. 1515 The SACK Permitted option (Kind=4) MAY be advertised by a Transport 1516 Converter in the Supported TCP Extensions TLV. Clients connected to 1517 this Transport Converter MAY include the SACK Permitted option in the 1518 Connect TLV. 1520 The SACK option (Kind=5) cannot be used during the three-way 1521 handshake. For this reason, a Transport Converter MUST ignore option 1522 Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a 1523 TCP Supported Extensions TLV. 1525 7.4. Timestamp 1527 The Timestamp option [RFC7323] can be used during the three-way 1528 handshake to negotiate the utilization of timestamps during the TCP 1529 connection. It is notably used to improve round-trip-time 1530 estimations and to provide protection against wrapped sequence 1531 numbers (PAWS). As for the WS option, the timestamps are a property 1532 of a connection and there is limited benefit in enabling a client to 1533 request a Transport Converter to use the timestamp option when 1534 establishing a connection to a remote server. Furthermore, the 1535 timestamps that are used by TCP stacks are specific to each stack and 1536 there is no benefit in enabling a client to specify the timestamp 1537 value that a Transport Converter could use to establish a connection 1538 to a remote server. 1540 A Transport Converter MAY advertise the Timestamp option (Kind=8) in 1541 the TCP Supported Extensions TLV. The clients connected to this 1542 Transport Converter MAY include the Timestamp option in the Connect 1543 TLV but without any timestamp. 1545 7.5. Multipath TCP 1547 The Multipath TCP options are defined in [RFC6824]. [RFC6824] 1548 defines one variable length TCP option (Kind=30) that includes a sub- 1549 type field to support several Multipath TCP options. There are 1550 several operational use cases where clients would like to use 1551 Multipath TCP through a Transport Converter [IETFJ16]. However, none 1552 of these use cases require the Client to specify the content of the 1553 Multipath TCP option that the Transport Converter should send to a 1554 remote server. 1556 A Transport Converter which supports Multipath TCP conversion service 1557 MUST advertise the Multipath TCP option (Kind=30) in the Supported 1558 TCP Extensions TLV. Clients serviced by this Transport Converter may 1559 include the Multipath TCP option in the Connect TLV but without any 1560 content. 1562 7.6. TCP Fast Open 1564 The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413]. 1565 There are two different usages of this option that need to be 1566 supported by Transport Converters. The first utilization of the TCP 1567 Fast Open cookie option is to request a cookie from the server. In 1568 this case, the option is sent with an empty cookie by the client and 1569 the server returns the cookie. The second utilization of the TCP 1570 Fast Open cookie option is to send a cookie to the server. In this 1571 case, the option contains a cookie. 1573 A Transport Converter MAY advertise the TCP Fast Open cookie option 1574 (Kind=34) in the Supported TCP Extensions TLV. If a Transport 1575 Converter has advertised the support for TCP Fast Open in its 1576 Supported TCP Extensions TLV, it needs to be able to process two 1577 types of Connect TLV. If such a Transport Converter receives a 1578 Connect TLV with the TCP Fast Open cookie option that does not 1579 contain a cookie, it MUST add an empty TCP Fast Open cookie option in 1580 the SYN sent to the remote server. If such a Transport Converter 1581 receives a Connect TLV with the TCP Fast Open cookie option that 1582 contains a cookie, it MUST copy the TCP Fast Open cookie option in 1583 the SYN sent to the remote server. 1585 7.7. TCP-AO 1587 TCP-AO [RFC5925] provides a technique to authenticate all the packets 1588 exchanged over a TCP connection. Given the nature of this extension, 1589 it is unlikely that the applications that require their packets to be 1590 authenticated end-to-end would want their connections to pass through 1591 a converter. For this reason, we do not recommend the support of the 1592 TCP-AO option by Transport Converters. The only use cases where it 1593 could make sense to combine TCP-AO and the solution in this document 1594 are those where the TCP-AO-NAT extension [RFC6978] is in use. 1596 A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29) 1597 in the Supported TCP Extensions TLV. If a Transport Converter 1598 receives a Connect TLV that contains the TCP-AO option, it MUST 1599 reject the establishment of the connection with error code set to 1600 "Unsupported TCP Option", except if the TCP-AO-NAT option is used. 1602 8. Interactions with Middleboxes 1604 The Convert Protocol is designed to be used in networks that do not 1605 contain middleboxes that interfere with TCP. Under such conditions, 1606 it is assumed that the network provider ensures that all involved on- 1607 path nodes are not breaking TCP signals (e.g., strip TCP options, 1608 discard some SYNs, etc.). 1610 Nevertheless, and in order to allow for a robust service, this 1611 section describes how a Client can detect middlebox interference and 1612 stop using the Transport Converter affected by this interference. 1614 Internet measurements [IMC11] have shown that middleboxes can affect 1615 the deployment of TCP extensions. In this section, we focus the 1616 middleboxes that modify the payload since the Convert Protocol places 1617 its messages at the beginning of the bytestream. 1619 Consider a middlebox that removes the SYN payload. The Client can 1620 detect this problem by looking at the acknowledgment number field of 1621 the SYN+ACK if returned by the Transport Converter. The Client MUST 1622 stop to use this Transport Converter given the middlebox 1623 interference. 1625 Consider now a middlebox that drops SYN/ACKs with a payload. The 1626 Client won't be able to establish a connection via the Transport 1627 Converter. The case of a middlebox that removes the payload of 1628 SYN+ACKs or from the packet that follows the SYN+ACK (but not the 1629 payload of SYN) can be detected by a Client. This is hinted by the 1630 absence of a valid Convert message in the response. 1632 As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect 1633 the operation of TFO if they assign different IP addresses to the 1634 same end host. Such CGNs could affect the operation of the cookie 1635 validation used by the Convert Protocol. As a reminder CGNs, enabled 1636 on the path between a Client and a Transport Converter, must adhere 1637 to the address preservation defined in [RFC6888]. See also the 1638 discussion in Section 7.1 of [RFC7413]. 1640 9. Security Considerations 1642 9.1. Privacy & Ingress Filtering 1644 The Transport Converter may have access to privacy-related 1645 information (e.g., subscriber credentials). The Transport Converter 1646 is designed to not leak such sensitive information outside a local 1647 domain. 1649 Given its function and its location in the network, a Transport 1650 Converter has access to the payload of all the packets that it 1651 processes. As such, it MUST be protected as a core IP router (e.g., 1652 [RFC1812]). 1654 Furthermore, ingress filtering policies MUST be enforced at the 1655 network boundaries [RFC2827]. 1657 This document assumes that all network attachments are managed by the 1658 same administrative entity. Therefore, enforcing anti-spoofing 1659 filters at these network ensures that hosts are not sending traffic 1660 with spoofed source IP addresses. 1662 9.2. Authorization 1664 The Convert Protocol is intended to be used in managed networks where 1665 end hosts can be identified by their IP address. 1667 Stronger mutual authentication schemes MUST be defined to use the 1668 Convert Protocol in more open network environments. One possibility 1669 is to use TLS to perform mutual authentication between the client and 1670 the Converter. That is, use TLS when a Client retrieves a Cookie 1671 from the Converter and rely on certificate-based client 1672 authentication, pre-shared key based [RFC4279] or raw public key 1673 based client authentication [RFC7250] to secure this connection. 1675 If the authentication succeeds, the Converter returns a cookie to the 1676 Client. Subsequent Connect messages will be authorized as a function 1677 of the content of the Cookie TLV. 1679 In deployments where network-assisted connections are not allowed 1680 between hosts of a domain (i.e., hairpinning), the Converter may be 1681 instructed to discard such connections. Hairpinned connections are 1682 thus rejected by the Transport Converter by returning an Error TLV 1683 set to "Not Authorized". Absent explicit configuration otherwise, 1684 hairpinning is enabled by the Converter (see Figure 25. 1686 <===Network Provider===> 1688 +----+ from X1:x1 to X2':x2' +-----+ X1':x1' 1689 | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- 1690 +----+ | v | 1691 | v | 1692 | v | 1693 | v | 1694 +----+ from X1':x1' to X2:x2 | v | X2':x2' 1695 | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+--- 1696 +----+ +-----+ 1697 Converter 1699 Note: X2':x2' may be equal to 1700 X2:x2 1702 Figure 25: Hairpinning Example 1704 See below for authorization considerations that are specific for 1705 Multipath TCP. 1707 9.3. Denial of Service 1709 Another possible risk is the amplification attacks since a Transport 1710 Converter sends a SYN towards a remote Server upon reception of a SYN 1711 from a Client. This could lead to amplification attacks if the SYN 1712 sent by the Transport Converter were larger than the SYN received 1713 from the Client or if the Transport Converter retransmits the SYN. 1714 To mitigate such attacks, the Transport Converter SHOULD rate limit 1715 the number of pending requests for a given Client. It SHOULD also 1716 avoid sending to remote Servers SYNs that are significantly longer 1717 than the SYN received from the Client. Finally, the Transport 1718 Converter SHOULD only retransmit a SYN to a Server after having 1719 received a retransmitted SYN from the corresponding Client. Means to 1720 protect against SYN flooding attacks should also be enabled (e.g., 1721 Section 3 of [RFC4987]). 1723 9.4. Traffic Theft 1725 Traffic theft is a risk if an illegitimate Converter is inserted in 1726 the path. Indeed, inserting an illegitimate Converter in the 1727 forwarding path allows traffic interception and can therefore provide 1728 access to sensitive data issued by or destined to a host. Converter 1729 discovery and configuration are out of scope of this document. 1731 9.5. Authentication Considerations 1733 The operator that manages the various network attachments (including 1734 the Transport Converters) can enforce authentication and 1735 authorization policies using appropriate mechanisms. For example, a 1736 non-exhaustive list of methods to achieve authorization is provided 1737 hereafter: 1739 o The network provider may enforce a policy based on the 1740 International Mobile Subscriber Identity (IMSI) to verify that a 1741 user is allowed to benefit from the TCP converter service. If 1742 that authorization fails, the Packet Data Protocol (PDP) context/ 1743 bearer will not be mounted. This method does not require any 1744 interaction with the Transport Converter for authorization 1745 matters. 1747 o The network provider may enforce a policy based upon Access 1748 Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) 1749 to control the hosts that are authorized to communicate with a 1750 Transport Converter. These ACLs may be installed as a result of 1751 RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter]. 1752 This method does not require any interaction with the Transport 1753 Converter for authorization matters. 1755 o A device that embeds a Transport Converter may also host a RADIUS 1756 client that will solicit an AAA server to check whether 1757 connections received from a given source IP address are authorized 1758 or not [I-D.boucadair-radext-tcpm-converter]. 1760 A first safeguard against the misuse of Transport Converter resources 1761 by illegitimate users (e.g., users with access networks that are not 1762 managed by the same provider that operates the Transport Converter) 1763 is the Transport Converter to reject Convert connections received on 1764 its Internet-facing interfaces. Only Convert connections received on 1765 the customer-facing interfaces of a Transport Converter will be 1766 accepted. 1768 10. IANA Considerations 1770 Note to the RFC Editor: Please replace "THISRFC" in the following 1771 sub-sections with the RFC number to be assigned to this document. 1773 10.1. Convert Service Name 1775 IANA is requested to assign a service name for the Convert Protocol 1776 from the "Service Name and Transport Protocol Port Number Registry" 1777 available at https://www.iana.org/assignments/service-names-port- 1778 numbers/service-names-port-numbers.xhtml. 1780 Service Name: convert 1781 Port Number: N/A 1782 Transport Protocol(s): TCP 1783 Description: 0-RTT TCP Convert Protocol 1784 Assignee: IESG 1785 Contact: IETF Chair 1786 Reference: THISRFC 1788 Clients may use this service name to fed the procedure defined in 1789 [RFC2782] to discover the IP address(es) and the port number used by 1790 the Transport Converters of a domain. 1792 10.2. The Convert Protocol (Convert) Parameters 1794 IANA is requested to create a new "The TCP Convert Protocol (Convert) 1795 Parameters" registry. 1797 The following subsections detail new registries within "The Convert 1798 Protocol (Convert) Parameters" registry. 1800 The Designated Expert is expected to ascertain the existence of 1801 suitable documentation as described in Section 4.6 of [RFC8126] and 1802 to verify that the document is permanently and publicly available. 1803 The Designated Expert is also expected to check the clarity of 1804 purpose and use of the requested code points. 1806 Also, criteria that should be applied by the Designated Experts 1807 includes determining whether the proposed registration duplicates 1808 existing functionality, whether it is likely to be of general 1809 applicability or whether it is useful only for a private use, and 1810 whether the registration description is clear. IANA must only accept 1811 registry updates to the 128-191 range (for both "Convert TLVs" and 1812 "Convert Error Messages" sub-registries) from the Designated Experts 1813 and should direct all requests for registration to the review mailing 1814 list. It is suggested that multiple Designated Experts be appointed. 1815 In cases where a registration decision could be perceived as creating 1816 a conflict of interest for a particular Expert, that Expert should 1817 defer to the judgment of the other Experts. 1819 10.2.1. Convert Versions 1821 IANA is requested to create the "Convert versions" sub-registry. New 1822 values are assigned via IETF Review (Section 4.8 of [RFC8126]). 1824 The initial values to be assigned at the creation of the registry are 1825 as follows: 1827 +---------+--------------------------------------+-------------+ 1828 | Version | Description | Reference | 1829 +---------+--------------------------------------+-------------+ 1830 | 0 | Reserved by this document | THISRFC | 1831 | 1 | Assigned by this document | THISRFC | 1832 +---------+--------------------------------------+-------------+ 1834 10.2.2. Convert TLVs 1836 IANA is requested to create the "Convert TLVs" sub-registry. The 1837 procedure for assigning values from this registry is as follows: 1839 o The values in the range 1-127 can be assigned via IETF Review. 1841 o The values in the range 128-191 can be assigned via Specification 1842 Required. 1844 o The values in the range 192-255 are reserved for Private Use. 1846 The initial values to be assigned at the creation of the registry are 1847 as follows: 1849 +---------+--------------------------------------+-------------+ 1850 | Code | Name | Reference | 1851 +---------+--------------------------------------+-------------+ 1852 | 0 | Reserved | THISRFC | 1853 | 1 | Info TLV | THISRFC | 1854 | 10 | Connect TLV | THISRFC | 1855 | 20 | Extended TCP Header TLV | THISRFC | 1856 | 21 | Supported TCP Extension TLV | THISRFC | 1857 | 22 | Cookie TLV | THISRFC | 1858 | 30 | Error TLV | THISRFC | 1859 +---------+--------------------------------------+-------------+ 1861 10.2.3. Convert Error Messages 1863 IANA is requested to create the "Convert Errors" sub-registry. Codes 1864 in this registry are assigned as a function of the error type. Four 1865 types are defined; the following ranges are reserved for each of 1866 these types: 1868 o Message validation and processing errors: 0-31 1870 o Client-side errors: 32-63 1872 o Transport Converter-side errors: 64-95 1874 o Errors caused by destination server: 96-127 1876 The procedure for assigning values from this sub-registry is as 1877 follows: 1879 o 0-127: Values in this range are assigned via IETF Review. 1881 o 128-191: Values in this range are assigned via Specification 1882 Required. 1884 o 192-255: Values in this range are reserved for Private Use. 1886 The initial values to be assigned at the creation of the registry are 1887 as follows: 1889 +-------+------+-----------------------------------+-----------+ 1890 | Error | Hex | Description | Reference | 1891 +-------+------+-----------------------------------+-----------+ 1892 | 0 | 0x00 | Unsupported Version | THISRFC | 1893 | 1 | 0x01 | Malformed Message | THISRFC | 1894 | 2 | 0x02 | Unsupported Message | THISRFC | 1895 | 3 | 0x03 | Missing Cookie | THISRFC | 1896 | 32 | 0x20 | Not Authorized | THISRFC | 1897 | 33 | 0x21 | Unsupported TCP Option | THISRFC | 1898 | 64 | 0x40 | Resource Exceeded | THISRFC | 1899 | 65 | 0x41 | Network Failure | THISRFC | 1900 | 96 | 0x60 | Connection Reset | THISRFC | 1901 | 97 | 0x61 | Destination Unreachable | THISRFC | 1902 +-------+------+-----------------------------------+-----------+ 1904 Figure 26: The Convert Error Codes 1906 11. References 1908 11.1. Normative References 1910 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 1911 RFC 793, DOI 10.17487/RFC0793, September 1981, 1912 . 1914 [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP 1915 Selective Acknowledgment Options", RFC 2018, 1916 DOI 10.17487/RFC2018, October 1996, 1917 . 1919 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1920 Requirement Levels", BCP 14, RFC 2119, 1921 DOI 10.17487/RFC2119, March 1997, 1922 . 1924 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 1925 Defeating Denial of Service Attacks which employ IP Source 1926 Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, 1927 May 2000, . 1929 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 1930 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 1931 2006, . 1933 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 1934 Translation (NAT) Behavioral Requirements for Unicast 1935 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 1936 2007, . 1938 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 1939 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 1940 . 1942 [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP 1943 Authentication Option", RFC 5925, DOI 10.17487/RFC5925, 1944 June 2010, . 1946 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 1947 "TCP Extensions for Multipath Operation with Multiple 1948 Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013, 1949 . 1951 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 1952 A., and H. Ashida, "Common Requirements for Carrier-Grade 1953 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 1954 April 2013, . 1956 [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, 1957 "Special-Purpose IP Address Registries", BCP 153, 1958 RFC 6890, DOI 10.17487/RFC6890, April 2013, 1959 . 1961 [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT 1962 Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013, 1963 . 1965 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 1966 Scheffenegger, Ed., "TCP Extensions for High Performance", 1967 RFC 7323, DOI 10.17487/RFC7323, September 2014, 1968 . 1970 [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP 1971 Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, 1972 . 1974 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 1975 Writing an IANA Considerations Section in RFCs", BCP 26, 1976 RFC 8126, DOI 10.17487/RFC8126, June 2017, 1977 . 1979 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1980 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1981 May 2017, . 1983 11.2. Informative References 1985 [ANRW17] Trammell, B., Kuehlewind, M., De Vaere, P., Learmonth, I., 1986 and G. Fairhurst, "Tracking transport-layer evolution with 1987 PATHspider", Applied Networking Research Workshop 2017 1988 (ANRW17) , July 2017. 1990 [Fukuda2011] 1991 Fukuda, K., "An Analysis of Longitudinal TCP Passive 1992 Measurements (Short Paper)", Traffic Monitoring and 1993 Analysis. TMA 2011. Lecture Notes in Computer Science, vol 1994 6613. , 2011. 1996 [HotMiddlebox13b] 1997 Detal, G., Paasch, C., and O. Bonaventure, "Multipath in 1998 the Middle(Box)", HotMiddlebox'13 , December 2013, 1999 . 2002 [I-D.arkko-arch-low-latency] 2003 Arkko, J. and J. Tantsura, "Low Latency Applications and 2004 the Internet Architecture", draft-arkko-arch-low- 2005 latency-02 (work in progress), October 2017. 2007 [I-D.boucadair-mptcp-plain-mode] 2008 Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel, 2009 D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R., 2010 Vinapamula, S., Seo, S., Cloetens, W., Meyer, U., 2011 Contreras, L., and B. Peirens, "Extensions for Network- 2012 Assisted MPTCP Deployment Models", draft-boucadair-mptcp- 2013 plain-mode-10 (work in progress), March 2017. 2015 [I-D.boucadair-radext-tcpm-converter] 2016 Boucadair, M. and C. Jacquenet, "RADIUS Extensions for 2017 0-RTT TCP Converters", draft-boucadair-radext-tcpm- 2018 converter-02 (work in progress), April 2019. 2020 [I-D.boucadair-tcpm-dhc-converter] 2021 Boucadair, M., Jacquenet, C., and T. Reddy.K, "DHCP 2022 Options for 0-RTT TCP Converters", draft-boucadair-tcpm- 2023 dhc-converter-03 (work in progress), October 2019. 2025 [I-D.olteanu-intarea-socks-6] 2026 Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6", 2027 draft-olteanu-intarea-socks-6-08 (work in progress), 2028 November 2019. 2030 [I-D.peirens-mptcp-transparent] 2031 Peirens, B., Detal, G., Barre, S., and O. Bonaventure, 2032 "Link bonding with transparent Multipath TCP", draft- 2033 peirens-mptcp-transparent-00 (work in progress), July 2034 2016. 2036 [IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment", 2037 IETF Journal, Fall 2016 , n.d.. 2039 [IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A., 2040 Handley, M., and T. Hideyuki, "Is it still possible to 2041 extend TCP?", Proceedings of the 2011 ACM SIGCOMM 2042 conference on Internet measurement conference , 2011. 2044 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 2045 RFC 1812, DOI 10.17487/RFC1812, June 1995, 2046 . 2048 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 2049 RFC 1919, DOI 10.17487/RFC1919, March 1996, 2050 . 2052 [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and 2053 L. Jones, "SOCKS Protocol Version 5", RFC 1928, 2054 DOI 10.17487/RFC1928, March 1996, 2055 . 2057 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 2058 specifying the location of services (DNS SRV)", RFC 2782, 2059 DOI 10.17487/RFC2782, February 2000, 2060 . 2062 [RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z. 2063 Shelby, "Performance Enhancing Proxies Intended to 2064 Mitigate Link-Related Degradations", RFC 3135, 2065 DOI 10.17487/RFC3135, June 2001, 2066 . 2068 [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key 2069 Ciphersuites for Transport Layer Security (TLS)", 2070 RFC 4279, DOI 10.17487/RFC4279, December 2005, 2071 . 2073 [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and 2074 P. Roberts, "Issues with IP Address Sharing", RFC 6269, 2075 DOI 10.17487/RFC6269, June 2011, 2076 . 2078 [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix 2079 Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, 2080 . 2082 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 2083 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 2084 DOI 10.17487/RFC6887, April 2013, 2085 . 2087 [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, 2088 "Increasing TCP's Initial Window", RFC 6928, 2089 DOI 10.17487/RFC6928, April 2013, 2090 . 2092 [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., 2093 Weiler, S., and T. Kivinen, "Using Raw Public Keys in 2094 Transport Layer Security (TLS) and Datagram Transport 2095 Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, 2096 June 2014, . 2098 [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. 2099 Zimmermann, "A Roadmap for Transmission Control Protocol 2100 (TCP) Specification Documents", RFC 7414, 2101 DOI 10.17487/RFC7414, February 2015, 2102 . 2104 [RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and 2105 Operational Experience with Multipath TCP", RFC 8041, 2106 DOI 10.17487/RFC8041, January 2017, 2107 . 2109 [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: 2110 Better Connectivity Using Concurrency", RFC 8305, 2111 DOI 10.17487/RFC8305, December 2017, 2112 . 2114 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 2115 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 2116 . 2118 [RFC8548] Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack, 2119 Q., and E. Smith, "Cryptographic Protection of TCP Streams 2120 (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019, 2121 . 2123 [TS23501] 3GPP (3rd Generation Partnership Project), ., "Technical 2124 Specification Group Services and System Aspects; System 2125 Architecture for the 5G System; Stage 2 (Release 16)", 2126 2019, . 2129 Appendix A. Example Socket API Changes to Support the 0-RTT Convert 2130 Protocol 2132 A.1. Active Open (Client Side) 2134 On the client side, the support of the 0-RTT Converter protocol does 2135 not require any other changes than those identified in Appendix A of 2136 [RFC7413]. Those modifications are already supported by multiple TCP 2137 stacks. 2139 As an example, on Linux, a client can send the 0-RTT Convert message 2140 inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in 2141 the example below: 2143 s = socket(AF_INET, SOCK_STREAM, 0); 2145 sendto(s, buffer, buffer_len, MSG_FASTOPEN, 2146 (struct sockaddr *) &server_addr, addr_len); 2148 The client side of the Linux TCP TFO can be used in two different 2149 modes depending on the host configuration (sysctl tcp_fastopen 2150 variable): 2152 o 0x1: (client) enables sending data in the opening SYN on the 2153 client. 2155 o 0x4: (client) send data in the opening SYN regardless of cookie 2156 availability and without a cookie option. 2158 By setting this configuration variable to 0x5, a Linux client using 2159 the above code would send data inside the SYN without using a TFO 2160 option. 2162 A.2. Passive Open (Converter Side) 2164 The Converter needs to enable the reception of data inside the SYN 2165 independently of the utilization of the TFO option. This implies 2166 that the Transport Converter application cannot rely on the TFO 2167 cookies to validate the reachability of the IP address that sent the 2168 SYN. It must rely on other techniques, such as the Cookie TLV 2169 described in this document, to verify this reachability. 2171 [RFC7413] suggested the utilization of a TCP_FASTOPEN socket option 2172 the enable the reception of SYNs containing data. Later, Appendix A 2173 of [RFC7413], mentioned: 2175 Traditionally, accept() returns only after a socket is connected. 2176 But, for a Fast Open connection, accept() returns upon receiving 2177 SYN with a valid Fast Open cookie and data, and the data is available 2178 to be read through, e.g., recvmsg(), read(). 2180 To support the 0-RTT Convert Protocol, this behavior should be 2181 modified as follows: 2183 Traditionally, accept() returns only after a socket is connected. 2184 But, for a Fast Open connection, accept() returns upon receiving a 2185 SYN with data, and the data is available to be read through, e.g., 2186 recvmsg(), read(). The application that receives such SYNs with data 2187 must be able to validate the reachability of the source of the SYN 2188 and also deal with replayed SYNs. 2190 The Linux server side can be configured with the following sysctls: 2192 o 0x2: (server) enables the server support, i.e., allowing data in a 2193 SYN packet to be accepted and passed to the application before 2194 3-way handshake finishes. 2196 o 0x200: (server) accept data-in-SYN w/o any cookie option present. 2198 However, this configuration is system-wide. This is convenient for 2199 typical Transport Converter deployments where no other applications 2200 relying on TFO are collocated on the same device. 2202 Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to 2203 provide the same behavior on a per socket basis. This enables a 2204 single host to support both servers that require the TFO cookie and 2205 servers that do not use it. 2207 Acknowledgments 2209 Although they could disagree with the contents of the document, we 2210 would like to thank Joe Touch and Juliusz Chroboczek whose comments 2211 on the MPTCP mailing list have forced us to reconsider the design of 2212 the solution several times. 2214 We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha 2215 Nandugudi and Gregory Vander Schueren for their help in preparing 2216 this document. Nandini Ganesh provided valuable feedback about the 2217 handling of TFO and the error codes. Yuchung Cheng and Praveen 2218 Balasubramanian helped to clarify the discussion on supplying data in 2219 SYNs. Phil Eardley and Michael Scharf's helped to clarify different 2220 parts of the text. 2222 Many thanks to Mirja Kuehlewind for the detailed AD review. 2224 This document builds upon earlier documents that proposed various 2225 forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], 2226 [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. 2228 From [I-D.boucadair-mptcp-plain-mode]: 2230 Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi 2231 Nishida, and Christoph Paasch for their valuable comments. 2233 Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and 2234 Sri Gundavelli for the fruitful discussions in IETF#95 (Buenos 2235 Aires). 2237 Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and 2238 Xavier Grall for their inputs. 2240 Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas 2241 Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves 2242 Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun 2243 Srinivasan, and Raghavendra Mallya for the discussion. 2245 Contributors 2247 Bart Peirens contributed to an early version of the document. 2249 As noted above, this document builds on two previous documents. 2251 The authors of [I-D.boucadair-mptcp-plain-mode] were: 2253 o Mohamed Boucadair 2255 o Christian Jacquenet 2257 o Olivier Bonaventure 2259 o Denis Behaghel 2261 o Stefano Secci 2263 o Wim Henderickx 2265 o Robert Skog 2267 o Suresh Vinapamula 2269 o SungHoon Seo 2271 o Wouter Cloetens 2273 o Ullrich Meyer 2275 o Luis M. Contreras 2277 o Bart Peirens 2278 The authors of [I-D.peirens-mptcp-transparent] were: 2280 o Bart Peirens 2282 o Gregory Detal 2284 o Sebastien Barre 2286 o Olivier Bonaventure 2288 Change Log 2290 This section to be removed before publication. 2292 o 00 : initial version, designed to support Multipath TCP and TFO 2293 only 2295 o 00 to -01 : added section Section 7 describing the support of 2296 different standard tracks TCP options by Transport Converters, 2297 clarification of the IANA section, moved the SOCKS comparison to 2298 the appendix and various minor modifications 2300 o 01 to -02: Minor modifications 2302 o 02 to -03: Minor modifications 2304 o 03 to -04: Minor modifications 2306 o 04 to -05: Integrate a lot of feedback from implementers who have 2307 worked on client and server side implementations. The main 2308 modifications are the following : 2310 * TCP Fast Open is not strictly required anymore. Several 2311 implementers expressed concerns about this requirement. The 2312 TFO Cookie protects from some attack scenarios that affect open 2313 servers like web servers. The Convert Protocol is different 2314 and as discussed in RFC7413, there are different ways to 2315 protect from such attacks. Instead of using a TFO cookie 2316 inside the TCP options, which consumes precious space in the 2317 extended TCP header, this version supports the utilization of a 2318 Cookie that is placed in the SYN payload. This provides the 2319 same level of protection as a TFO Cookie in environments were 2320 such protection is required. 2322 * the Bootstrap procedure has been simplified based on feedback 2323 from implementers 2325 * Error messages are not included in RST segments anymore but 2326 sent in the bytestream. Implementers have indicated that 2327 processing such segments on clients was difficult on some 2328 platforms. This change simplifies client implementations. 2330 * Many minor editorial changes to clarify the text based on 2331 implementers feedback. 2333 o 05 to -06: Many clarifications to integrate the comments from the 2334 chairs in preparation to the WGLC: 2336 * Updated IANA policy to require "IETF Review" instead of 2337 "Standard Action" 2339 * Call out explicitly that data in SYNs are relayed by the 2340 Converter 2342 * Reiterate the scope 2344 * Hairpinning behavior can be disabled (policy-based) 2346 * Fix nits 2348 o 07: 2350 * Update the text about supplying data in SYNs to make it clear 2351 that a constraint defined in RFC793 is relaxed following the 2352 same rationale as in RFC7413. 2354 * Nits 2356 * Added Appendix A on example Socket API changes 2358 o 08: 2360 * Added short discussion on the termination of connections 2362 o 09: 2364 * Address various comments received during last call 2366 o 10-13: 2368 * Changes to address the comments from Phil: Add a new section to 2369 group data plane considerations in one place + add a new 2370 appendix with more details on address modes + rearrange the 2371 MPTCP text. 2373 o 14: fixed nits (the shepherd write-up) 2375 o 15: Rewrote parts of the text to address the detailed comments 2376 provided by M. Kuehlewind 2378 Authors' Addresses 2380 Olivier Bonaventure (editor) 2381 Tessares 2383 Email: Olivier.Bonaventure@tessares.net 2385 Mohamed Boucadair (editor) 2386 Orange 2387 Clos Courtel 2388 Rennes 35000 2389 France 2391 Email: mohamed.boucadair@orange.com 2393 Sri Gundavelli 2394 Cisco 2396 Email: sgundave@cisco.com 2398 SungHoon Seo 2399 Korea Telecom 2401 Email: sh.seo@kt.com 2403 Benjamin Hesmans 2404 Tessares 2406 Email: Benjamin.Hesmans@tessares.net