idnits 2.17.1 draft-ietf-tcpm-converters-19.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 21, 2020) is 1497 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Obsolete normative reference: RFC 6824 (Obsoleted by RFC 8684) == Outdated reference: A later version (-11) exists of draft-olteanu-intarea-socks-6-08 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TCPM Working Group O. Bonaventure, Ed. 3 Internet-Draft Tessares 4 Intended status: Experimental M. Boucadair, Ed. 5 Expires: September 22, 2020 Orange 6 S. Gundavelli 7 Cisco 8 S. Seo 9 Korea Telecom 10 B. Hesmans 11 Tessares 12 March 21, 2020 14 0-RTT TCP Convert Protocol 15 draft-ietf-tcpm-converters-19 17 Abstract 19 This document specifies an application proxy, called Transport 20 Converter, to assist the deployment of TCP extensions such as 21 Multipath TCP. A Transport Converter may provide conversion service 22 for one or more TCP extensions. The conversion service is provided 23 by means of the TCP Convert Protocol (Convert). 25 This protocol provides 0-RTT (Zero Round-Trip Time) conversion 26 service since no extra delay is induced by the protocol compared to 27 connections that are not proxied. Also, the Convert Protocol does 28 not require any encapsulation (no tunnels, whatsoever). 30 This specification assumes an explicit model, where the Transport 31 Converter is explicitly configured on hosts. As a sample 32 applicability use case, this document specifies how the Convert 33 Protocol applies for Multipath TCP. 35 Status of This Memo 37 This Internet-Draft is submitted in full conformance with the 38 provisions of BCP 78 and BCP 79. 40 Internet-Drafts are working documents of the Internet Engineering 41 Task Force (IETF). Note that other groups may also distribute 42 working documents as Internet-Drafts. The list of current Internet- 43 Drafts is at https://datatracker.ietf.org/drafts/current/. 45 Internet-Drafts are draft documents valid for a maximum of six months 46 and may be updated, replaced, or obsoleted by other documents at any 47 time. It is inappropriate to use Internet-Drafts as reference 48 material or to cite them other than as "work in progress." 49 This Internet-Draft will expire on September 22, 2020. 51 Copyright Notice 53 Copyright (c) 2020 IETF Trust and the persons identified as the 54 document authors. All rights reserved. 56 This document is subject to BCP 78 and the IETF Trust's Legal 57 Provisions Relating to IETF Documents 58 (https://trustee.ietf.org/license-info) in effect on the date of 59 publication of this document. Please review these documents 60 carefully, as they describe your rights and restrictions with respect 61 to this document. Code Components extracted from this document must 62 include Simplified BSD License text as described in Section 4.e of 63 the Trust Legal Provisions and are provided without warranty as 64 described in the Simplified BSD License. 66 Table of Contents 68 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 69 1.1. The Problem . . . . . . . . . . . . . . . . . . . . . . . 3 70 1.2. Network-Assisted Connections: The Rationale . . . . . . . 4 71 1.3. Applicability Scope . . . . . . . . . . . . . . . . . . . 6 72 2. Differences with SOCKSv5 . . . . . . . . . . . . . . . . . . 6 73 3. Conventions and Definitions . . . . . . . . . . . . . . . . . 8 74 4. Architecture & Behaviors . . . . . . . . . . . . . . . . . . 9 75 4.1. Functional Elements . . . . . . . . . . . . . . . . . . . 9 76 4.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 11 77 4.3. Data Processing at the Transport Converter . . . . . . . 14 78 4.4. Address Preservation vs. Address Sharing . . . . . . . . 16 79 4.4.1. Address Preservation . . . . . . . . . . . . . . . . 16 80 4.4.2. Address/Prefix Sharing . . . . . . . . . . . . . . . 17 81 5. Sample Examples . . . . . . . . . . . . . . . . . . . . . . . 18 82 5.1. Outgoing Converter-Assisted Multipath TCP Connections . . 18 83 5.2. Incoming Converter-Assisted Multipath TCP Connection . . 20 84 6. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 21 85 6.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 22 86 6.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 23 87 6.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 23 88 6.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 24 89 6.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 25 90 6.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 25 91 6.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 26 92 6.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 28 93 6.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 29 94 6.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 30 95 7. Compatibility of Specific TCP Options with the Conversion 96 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 98 7.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 33 99 7.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 34 100 7.3. Selective Acknowledgments . . . . . . . . . . . . . . . . 34 101 7.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 35 102 7.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 35 103 7.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 35 104 7.7. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 36 105 8. Interactions with Middleboxes . . . . . . . . . . . . . . . . 36 106 9. Security Considerations . . . . . . . . . . . . . . . . . . . 37 107 9.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 37 108 9.2. Authentication and Authorization Considerations . . . . . 38 109 9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 40 110 9.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 40 111 9.5. Logging . . . . . . . . . . . . . . . . . . . . . . . . . 40 112 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 113 10.1. Convert Service Name . . . . . . . . . . . . . . . . . . 40 114 10.2. The Convert Protocol (Convert) Parameters . . . . . . . 41 115 10.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 41 116 10.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 42 117 10.2.3. Convert Error Messages . . . . . . . . . . . . . . . 42 118 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 119 11.1. Normative References . . . . . . . . . . . . . . . . . . 43 120 11.2. Informative References . . . . . . . . . . . . . . . . . 45 121 Appendix A. Example Socket API Changes to Support the 0-RTT 122 Convert Protocol . . . . . . . . . . . . . . . . . . 48 123 A.1. Active Open (Client Side) . . . . . . . . . . . . . . . . 48 124 A.2. Passive Open (Converter Side) . . . . . . . . . . . . . . 49 125 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 50 126 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 51 127 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52 129 1. Introduction 131 1.1. The Problem 133 Transport protocols like TCP evolve regularly [RFC7414]. TCP has 134 been improved in different ways. Some improvements such as changing 135 the initial window size [RFC6928] or modifying the congestion control 136 scheme can be applied independently on clients and servers. Other 137 improvements such as Selective Acknowledgments [RFC2018] or large 138 windows [RFC7323] require a new TCP option or to change the semantics 139 of some fields in the TCP header. These modifications must be 140 deployed on both clients and servers to be actually used on the 141 Internet. Experience with the latter class of TCP extensions reveals 142 that their deployment can require many years. Fukuda reports in 143 [Fukuda2011] results of a decade of measurements showing the 144 deployment of Selective Acknowledgments, Window Scale, and TCP 145 Timestamps. [ANRW17] describes measurements showing that TCP Fast 146 Open (TFO) [RFC7413] is still not widely deployed. 148 There are some situations where the transport stack used on clients 149 (or servers) can be upgraded at a faster pace than the transport 150 stack running on servers (or clients). In those situations, clients 151 would typically want to benefit from the features of an improved 152 transport protocol even if the servers have not yet been upgraded and 153 conversely. Some assistance from the network to make use of these 154 features is valuable. For example, Performance Enhancing Proxies 155 [RFC3135], and other service functions have been deployed as 156 solutions to improve TCP performance over links with specific 157 characteristics. 159 Recent examples of TCP extensions include Multipath TCP (MPTCP) 160 [RFC6824] or TCPINC [RFC8548]. Those extensions provide features 161 that are interesting for clients such as wireless devices. With 162 Multipath TCP, those devices could seamlessly use Wireless Local Area 163 Network (WLAN) and cellular networks, for bonding purposes, faster 164 hand-overs, or better resiliency. Unfortunately, deploying those 165 extensions on both a wide range of clients and servers remains 166 difficult. 168 More recently, 5G bonding experimentation has been conducted into 169 global range of the incumbent 4G (LTE) connectivity using newly 170 devised clients and a Multipath TCP proxy. Even if the 5G and the 4G 171 bonding (that relies upon Multipath TCP) increases the bandwidth, it 172 is as well crucial to minimize latency for all the way between 173 endhosts regardless of whether intermediate nodes are inside or 174 outside of the mobile core. In order to handle Ultra Reliable Low 175 Latency Communication (URLLC) for the next generation mobile network, 176 Multipath TCP and its proxy mechanism such as the one used to provide 177 Access Traffic Steering, Switching, and Splitting (ATSSS) must be 178 optimized to reduce latency [TS23501]. 180 1.2. Network-Assisted Connections: The Rationale 182 This document specifies an application proxy, called Transport 183 Converter. A Transport Converter is a function that is installed by 184 a network operator to aid the deployment of TCP extensions and to 185 provide the benefits of such extensions to clients in particular. A 186 Transport Converter may provide conversion service for one or more 187 TCP extensions. Which TCP extensions are eligible to the conversion 188 service is deployment-specific. The conversion service is provided 189 by means of the 0-RTT TCP Convert Protocol (Convert), that is an 190 application-layer protocol which uses a specific TCP port number on 191 the Converter. 193 The Convert Protocol provides Zero Round-Trip Time (0-RTT) conversion 194 service since no extra delay is induced by the protocol compared to 195 connections that are not proxied. Particularly, the Convert Protocol 196 does not require extra signaling setup delays before making use of 197 the conversion service. The Convert Protocol does not require any 198 encapsulation (no tunnels, whatsoever). 200 The Transport Converter adheres to the main steps drawn in Section 3 201 of [RFC1919]. In particular, a Transport Converter achieves the 202 following: 204 o Listen for client sessions; 206 o Receive from a client the address of the server; 208 o Setup a session to the server; 210 o Relay control messages and data between the client and the server; 212 o Perform access controls according to local policies. 214 The main advantage of network-assisted conversion services is that 215 they enable new TCP extensions to be used on a subset of the path 216 between endpoints, which encourages the deployment of these 217 extensions. Furthermore, the Transport Converter allows the client 218 and the server to directly negotiate TCP extensions for the sake of 219 native support along the full path. 221 The Convert Protocol is a generic mechanism to provide 0-RTT 222 conversion service. As a sample applicability use case, this 223 document specifies how the Convert Protocol applies for Multipath 224 TCP. It is out of scope of this document to provide a comprehensive 225 list of all potential conversion services. Applicability documents 226 may be defined in the future. 228 This document does not assume that all the traffic is eligible to the 229 network-assisted conversion service. Only a subset of the traffic 230 will be forwarded to a Transport Converter according to a set of 231 policies. These policies, and how they are communicated to 232 endpoints, are out of scope. Furthermore, it is possible to bypass 233 the Transport Converter to connect directly to the servers that 234 already support the required TCP extension(s). 236 This document assumes an explicit model in which a client is 237 configured with one or a list of Transport Converters (statically or 238 through protocols such as [I-D.boucadair-tcpm-dhc-converter]). 239 Configuration means are outside the scope of this document. 241 The use of a Transport Converter means that there is no end-to-end 242 transport connection between the client and server. This could 243 potentially create problems in some scenarios such as those discussed 244 in Section 4 of [RFC3135]. Some of these problems may not be 245 applicable, for example, a Transport Converter can inform a client by 246 means of Network Failure (65) or Destination Unreachable (97) error 247 messages (Section 6.2.8) that it encounters a failure problem; the 248 client can react accordingly. An endpoint, or its network 249 administrator, can assess the benefit provided by the Transport 250 Converter service versus the risk. This is one reason why the 251 Transport Converter functionality has to be explicitly requested by 252 an endpoint. 254 This document is organized as follows. First, Section 2 provides a 255 brief overview of the differences between the well-known SOCKS 256 protocol and the 0-RTT Convert protocol. Section 4 provides a brief 257 explanation of the operation of Transport Converters. Then, 258 Section 6 describes the Convert Protocol. Section 7 discusses how 259 Transport Converters can be used to support different TCP extensions. 260 Section 8 then discusses the interactions with middleboxes, while 261 Section 9 focuses on the security considerations. Appendix A 262 describes how a TCP stack would need to support the protocol 263 described in this document. 265 1.3. Applicability Scope 267 0-RTT TCP Convert Protocol specified in this document MUST be used in 268 a single administrative domain deployment model. That is, the entity 269 offering the connectivity service to a client is also be entity which 270 owns and operates the Transport Converter, with no transit over a 271 third-party network. 273 Future deployment of Transport Converters by third parties MUST 274 adhere to the mutual authentication requirements in Section 9.2 to 275 prevent illegitimate traffic interception (Section 9.4), in 276 particular. 278 2. Differences with SOCKSv5 280 Several IETF protocols provide proxy services; the closest to the 281 0-RTT Convert protocol being the SOCKSv5 protocol [RFC1928]. This 282 protocol is already used to deploy Multipath TCP in some cellular 283 networks (Section 2.2 of [RFC8041]). 285 A SOCKS Client creates a connection to a SOCKS Proxy, exchanges 286 authentication information, and indicates the IP address and port 287 number of the target Server. At this point, the SOCKS Proxy creates 288 a connection towards the target Server and relays all data between 289 the two proxied connections. The operation of an implementation 290 based on SOCKSv5 (without authentication) is illustrated in Figure 1. 292 Client SOCKS Proxy Server 293 | | | 294 | --------------------> | | 295 | SYN | | 296 | <-------------------- | | 297 | SYN+ACK | | 298 | --------------------> | | 299 | ACK | | 300 | | | 301 | --------------------> | | 302 |Version=5, Auth Methods| | 303 | <-------------------- | | 304 | Method | | 305 | --------------------> | | 306 |Auth Request (unless "No auth" method negotiated) 307 | <-------------------- | | 308 | Auth Response | | 309 | --------------------> | | 310 | Connect Server:Port | --------------------> | 311 | | SYN | 312 | | <-------------------- | 313 | | SYN+ACK | 314 | <-------------------- | | 315 | Succeeded | | 316 | --------------------> | | 317 | Data1 | | 318 | | --------------------> | 319 | | Data1 | 320 | | <-------------------- | 321 | | Data2 | 322 | <-------------------- | | 323 | Data2 | | 324 ... 326 Figure 1: Establishment of a TCP Connection through a SOCKS Proxy 327 Without Authentication 329 When SOCKS is used, an "end-to-end" connection between a Client and a 330 Server becomes a sequence of two TCP connections that are glued 331 together on the SOCKS Proxy. The SOCKS Client and Server exchange 332 control information at the beginning of the bytestream on the Client- 333 Proxy connection. The SOCKS Proxy then creates the connection with 334 the target Server and then glues the two connections together so that 335 all bytes sent by the application (Client) to the SOCKS Proxy are 336 relayed to the Server and vice versa. 338 The Convert Protocol is also used on TCP proxies that relay data 339 between an upstream and a downstream connection, but there are 340 important differences with SOCKSv5. A first difference is that the 341 0-RTT Convert protocol exchanges all the control information during 342 the initial RTT. This reduces the connection establishment delay 343 compared to SOCKS which requires two or more round-trip-times before 344 the establishment of the downstream connection towards the final 345 destination. In today's Internet, latency is an important metric and 346 various protocols have been tuned to reduce their latency 347 [I-D.arkko-arch-low-latency]. A recently proposed extension to SOCKS 348 leverages the TCP Fast Open (TFO) option 349 [I-D.olteanu-intarea-socks-6] to reduce this delay. 351 A second difference is that the Convert Protocol explicitly takes the 352 TCP extensions into account. By using the Convert Protocol, the 353 Client can learn whether a given TCP extension is supported by the 354 destination Server. This enables the Client to bypass the Transport 355 Converter when the Server supports the required TCP extension(s). 356 Neither SOCKSv5 [RFC1928] nor the proposed SOCKSv6 357 [I-D.olteanu-intarea-socks-6] provide such a feature. 359 A third difference is that a Transport Converter will only confirm 360 the establishment of the connection initiated by the Client provided 361 that the downstream connection has already been accepted by the 362 Server. If the Server refuses the connection establishment attempt 363 from the Transport Converter, then the upstream connection from the 364 Client is rejected as well. This feature is important for 365 applications that check the availability of a Server or use the time 366 to connect as a hint on the selection of a Server [RFC8305]. 368 A fourth difference is that the 0-RTT Convert protocol only allows 369 the Client to specify the IP address/port number of the destination 370 server and not a DNS name. We evaluated an alternate design that 371 included the DNS name of the remote peer instead of its IP address as 372 in SOCKS [RFC1928]. However, that design was not adopted because it 373 induces both an extra load and increased delays on the Transport 374 Converter to handle and manage DNS resolution requests. Note that 375 the name resolution at the Converter may fail (e.g., private names 376 discussed in Section 2.1 of [RFC6731]) or may not match the one that 377 would be returned by a Client's resolution library (e.g., Section 2.2 378 of [RFC6731]). 380 3. Conventions and Definitions 382 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 383 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 384 "OPTIONAL" in this document are to be interpreted as described in BCP 385 14 [RFC2119][RFC8174] when, and only when, they appear in all 386 capitals, as shown here. 388 4. Architecture & Behaviors 390 4.1. Functional Elements 392 The Convert Protocol considers three functional elements: 394 o Clients; 396 o Transport Converters; 398 o Servers. 400 A Transport Converter is a network function that proxies all data 401 exchanged over one upstream connection to one downstream connection 402 and vice versa (Figure 2). The Transport Converter, thus, maintains 403 state that associates one upstream connection to a corresponding 404 downstream connection. 406 A connection can be initiated from both sides of the Transport 407 Converter (External realm, Internal realm). 409 | 410 : 411 | 412 +------------+ 413 Client <- upstream ->| Transport |<- downstream -> Server 414 connection | Converter | connection 415 +------------+ 416 | 417 Internal realm : External realm 418 | 420 Figure 2: A Transport Converter Proxies Data between Pairs of TCP 421 Connections 423 "Client" refers to a software instance embedded on a host that can 424 reach a Transport Converter in the internal realm. The "Client" can 425 initiate connections via a Transport Converter (referred to as 426 outgoing connections). Also, the "Client" can accept incoming 427 connections via a Transport Converter (referred to as incoming 428 connections). 430 A Transport Converter can be embedded in a standalone device or be 431 activated as a service on a router. How such function is enabled is 432 deployment-specific. 434 The architecture assumes that new software will be installed on the 435 Client hosts to interact with one or more Transport Converters. 436 Furthermore, the architecture allows for making use of new TCP 437 extensions even if those are not supported by a given server. 439 A Client is configured, through means that are outside the scope of 440 this document, with the names and/or the addresses of one or more 441 Transport Converters and the TCP extensions that they support. The 442 procedure for selecting a Transport Converter among a list of 443 configured Transport Converters is outside the scope of this 444 document. 446 One of the benefits of this design is that different transport 447 protocol extensions can be used on the upstream and the downstream 448 connections. This encourages the deployment of new TCP extensions 449 until they are widely supported by servers, in particular. 451 The architecture does not mandate anything on the Server side. 453 Similar to SOCKS, the architecture does not interfere with end-to-end 454 TLS connections [RFC8446] between the Client and the Server 455 (Figure 3). In other words, end-to-end TLS is supported in the 456 presence of a Converter. 458 Client Transport Server 459 | Converter | 460 | | | 461 /==========================================\ 462 | End-to-end TLS | 463 \==========================================/ 465 * TLS messages exchanged between the Client 466 and the Server are not shown. 468 Figure 3: End-to-end TLS via a Transport Converter 470 It is out of scope of this document to elaborate on specific 471 considerations related to the use of TLS in the Client-Converter 472 connection leg to exchange Convert messages (in addition to the end- 473 to-end TLS connection). In particular, (1) assessment whether 0-RTT 474 data mode discussed in Section 2.3 of [RFC8446] is safe under replay 475 and (2) specification of a profile for its use (Section E.5 of 476 [RFC8446]) are out of scope. 478 4.2. Theory of Operation 480 At a high level, the objective of the Transport Converter is to allow 481 the use a specific extension, e.g., Multipath TCP, on a subset of the 482 path even if the peer does not support this extension. This is 483 illustrated in Figure 4 where the Client initiates a Multipath TCP 484 connection with the Transport Converter (packets belonging to the 485 Multipath TCP connection are shown with "===") while the Transport 486 Converter uses a TCP connection with the Server. 488 Client Transport Server 489 | Converter | 490 | | | 491 |==================>|--------------------->| 492 | | | 493 |<==================|<---------------------| 494 | | | 495 Multipath TCP packets TCP packets 497 Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP 498 Connection 500 The packets belonging to a connection established through a Transport 501 Converter may follow a different path than the packets directly 502 exchanged between the Client and the Server. Deployments should 503 minimize the possible additional delay by carefully selecting the 504 location of the Transport Converter used to reach a given 505 destination. 507 When establishing a connection, the Client can, depending on local 508 policies, either contact the Server directly (e.g., by sending a TCP 509 SYN towards the Server) or create the connection via a Transport 510 Converter. In the latter case (that is, the conversion service is 511 used), the Client initiates a connection towards the Transport 512 Converter and indicates the IP address and port number of the Server 513 within the connection establishment packet. Doing so enables the 514 Transport Converter to immediately initiate a connection towards that 515 Server, without experiencing an extra delay. The Transport Converter 516 waits until the receipt of the confirmation that the Server agrees to 517 establish the connection before confirming it to the Client. 519 The Client places the destination address and port number of the 520 Server in the payload of the SYN sent to the Transport Converter to 521 minimize connection establishment delays. The Transport Converter 522 maintains two connections that are combined together: 524 o the upstream connection is the one between the Client and the 525 Transport Converter. 527 o the downstream connection is the one between the Transport 528 Converter and the Server. 530 Any user data received by the Transport Converter over the upstream 531 (or downstream) connection is proxied over the downstream (or 532 upstream) connection. 534 Figure 5 illustrates the establishment of an outgoing TCP connection 535 by a Client through a Transport Converter. 537 o Note: The information shown between brackets in Figure 5 (and 538 other figures in the document) refers to Convert Protocol messages 539 described in Section 6. 541 Transport 542 Client Converter Server 543 | | | 544 |SYN [->Server:port]| SYN | 545 |------------------>|--------------------->| 546 |<------------------|<---------------------| 547 | SYN+ACK [ ] | SYN+ACK | 548 | ... | ... | 550 Figure 5: Establishment of an Outgoing TCP Connection Through a 551 Transport Converter 553 The Client sends a SYN destined to the Transport Converter. The 554 payload of this SYN contains the address and port number of the 555 Server. The Transport Converter does not reply immediately to this 556 SYN. It first tries to create a TCP connection towards the target 557 Server. If this upstream connection succeeds, the Transport 558 Converter confirms the establishment of the connection to the Client 559 by returning a SYN+ACK and the first bytes of the bytestream contain 560 information about the TCP options that were negotiated with the 561 Server. Also, a state entry is instantiated for this connection. 562 This state entry is used by the Converter to handle subsequent 563 messages belonging to the connection. 565 The connection can also be established from the Internet towards a 566 Client via a Transport Converter (Figure 6). This is typically the 567 case when the Client hosts an application server that listens to a 568 specific port number. When the Converter receives an incoming SYN 569 from a remote host, it checks if it can provide the conversion 570 service for the destination IP address and destination port number of 571 that SYN. The Transport Converter receives this SYN because it is, 572 for example, on the path between the remote host and the Client or it 573 provides address sharing service for the Client (Section 2 of 574 [RFC6269]). If the check fails, the packet is silently ignored by 575 the Converter. If the check is successful, the Converter tries to 576 initiate a TCP connection towards the Client from its own address and 577 using its configured TCP options. In the SYN that corresponds to 578 this connection attempt, the Transport Convert inserts a TLV message 579 that indicates the source address and port number of the remote host. 580 A transport session entry is created by the Converter for this 581 connection. SYN+ACK and ACK will be then exchanged between the 582 Client, the Converter, and remote host to confirm the establishment 583 of the connection. The Converter uses the transport session entry to 584 proxy packets belonging to the connection. 586 Transport Remote 587 Client Converter Host (RH) 588 | | | 589 |SYN [<-RH IP@:port]| SYN | 590 |<------------------|<---------------------| 591 |------------------>|--------------------->| 592 | SYN+ACK [ ] | SYN+ACK | 593 | ... | ... | 595 Figure 6: Establishment of an Incoming TCP Connection Through a 596 Transport Converter 598 Standard TCP ([RFC0793], Section 3.4) allows a SYN packet to carry 599 data inside its payload but forbids the receiver from delivering it 600 to the application until completion of the three-way-handshake. To 601 enable applications to exchange data in a TCP handshake, this 602 specification follows an approach similar to TCP Fast Open [RFC7413] 603 and thus removes the constraint by allowing data in SYN packets to be 604 delivered to the Transport Converter application. 606 As discussed in [RFC7413], such change to TCP semantic raises two 607 issues. First, duplicate SYNs can cause problems for applications 608 that rely on TCP; whether or not a given application is affected 609 dependes on the details of that application protocol. Second, TCP 610 suffers from SYN flooding attacks [RFC4987]. TFO solves these two 611 problems for applications that can tolerate replays by using the TCP 612 Fast Open option that includes a cookie. However, the utilization of 613 this option consumes space in the limited TCP header. Furthermore, 614 there are situations, as noted in Section 7.3 of [RFC7413] where it 615 is possible to accept the payload of SYN packets without creating 616 additional security risks such as a network where addresses cannot be 617 spoofed and the Transport Converter only serves a set of hosts that 618 are identified by these addresses. 620 For these reasons, this specification does not mandate the use of the 621 TCP Fast Open option when the Client sends a connection establishment 622 packet towards a Transport Converter. The Convert Protocol includes 623 an optional Cookie TLV that provides similar protection as the TCP 624 Fast Open option without consuming space in the TCP header. 625 Furthermore, this design allows for the use of longer cookies than 626 [RFC7413]. 628 If the downstream (or upstream) connection fails for some reason 629 (excessive retransmissions, reception of an RST segment, etc.), then 630 the Converter reacts by forcing the tear-down of the upstream (or 631 downstream) connection. In particular, if an ICMP error message that 632 indicates a hard error is received on the downstream connection, the 633 Converter echoes the Code field of that ICMP message in a Destination 634 Unreachable Error TLV (see Section 6.2.8) that it transmits to the 635 Client. Note that if an ICMP error message that indicates a soft 636 error is received on the downstream connection, the Converter will 637 retransmit the corresponding data until it is acknowledged or the 638 connection times out. A classification of ICMP soft and hard errors 639 is provided in Table 1 of [RFC5461]. 641 The same reasoning applies when the upstream connection ends with an 642 exchange of FIN segments. In this case, the Converter will also 643 terminate the downstream connection by using FIN segments. If the 644 downstream connection terminates with the exchange of FIN segments, 645 the Converter should initiate a graceful termination of the upstream 646 connection. 648 4.3. Data Processing at the Transport Converter 650 As mentioned in Section 4.2, the Transport Converter acts as a TCP 651 proxy between the upstream connection (i.e., between the Client and 652 the Transport Converter) and the downstream connection (i.e., between 653 the Transport Converter and the Server). 655 The control messages, discussed in Section 6, establish state 656 (called, transport session entry) in the Transport Converter that 657 will enable it to proxy between the two TCP connections. 659 The Transport Converter uses the transport session entry to proxy 660 packets belonging to the connection. An implementation example of a 661 transport session entry for TCP connections is shown in Figure 7. 663 (C,c) <--> (T,t), (S,s), Lifetime 665 Where: 666 * C and c are the source IP address and source port number 667 used by the Client for the upstream connection. 668 * S and s are the Server's IP address and port number. 669 * T and t are the source IP address and source port number 670 used by the Transport Converter to proxy the connection. 671 * Lifetime is a timer that tracks the remaining lifetime of 672 the entry as assigned by the Converter. When the timer 673 expires, the entry is deleted. 675 Figure 7: An Example of Transport Session Entry 677 Clients send packets bound to connections eligible to the conversion 678 service to the provisioned Transport Converter and destination port 679 number. This applies for both control messages and data. Additional 680 information is supplied by Clients to the Transport Converter by 681 means of Convert messages as detailed in Section 6. User data can be 682 included in SYN or non-SYN messages. User data is unambiguously 683 distinguished from Convert TLVs by a Transport Converter owing to the 684 Convert Fixed Header in the Convert messages (Section 6.1). These 685 Convert TLVs are destined to the Transport Convert and are, thus, 686 removed by the Transport Converter when proxying between the two 687 connections. 689 Upon receipt of a packet that belongs to an existing connection 690 between a Client and the Transport Converter the Converter proxies 691 the user data to the Server using the information stored in the 692 corresponding transport session entry. For example, in reference to 693 Figure 7, the Transport Converter proxies the data received from (C, 694 c) downstream using (T,t) as source transport address and (S,s) as 695 destination transport address. 697 A similar process happens for data sent from the Server. The 698 Converter acts as a TCP proxy and sends the data to the Client 699 relying upon the information stored in a transport session entry. 700 The Converter associates a lifetime with state entries used to bind 701 an upstream connection with its downstream connection. 703 When Multipath TCP is used between the Client and the Transport 704 Converter, the Converter maintains more state (e.g. information about 705 the subflows) for each Multipath TCP connection. The procedure 706 described above continues to apply except that the Converter needs to 707 manage the establishment/termination of subflows and schedule packets 708 among the established ones. These operations are part of the 709 Multipath TCP implementation. They are independent of the Convert 710 protocol that only processes the Convert messages in the beginning of 711 the bytestream. 713 A Transport Converter may operate in address preservation mode (that 714 is, the Converter does not rewrite the source IP address (i.e., 715 C==T)) or address sharing mode (that is, an address pool is shared 716 among all Clients serviced by the Converter (i.e., C!=T)); refer to 717 Section 4.4 for more details. Which behavior to use by a Transport 718 Converter is deployment-specific. If address sharing mode is 719 enabled, the Transport Converter MUST adhere to REQ-2 of [RFC6888] 720 which implies a default "IP address pooling" behavior of "Paired" (as 721 defined in Section 4.1 of [RFC4787]) MUST be supported. This 722 behavior is meant to avoid breaking applications that depend on the 723 source address remaining constant. 725 4.4. Address Preservation vs. Address Sharing 727 The Transport Converter is provided with instructions about the 728 behavior to adopt with regards to the processing of source addresses 729 of outgoing packets. The following sub-sections discusses two 730 deployment models for illustration purposes. It is out of the scope 731 of this document to make a recommendation. 733 4.4.1. Address Preservation 735 In this model, the visible source IP address of a packet proxied by a 736 Transport Converter to a Server is an IP address of the end host 737 (Client). No dedicated IP address pool is provisioned to the 738 Transport Converter, but the Transport Converter is located on the 739 path between the Client and the Server. 741 For Multipath TCP, the Transport Converter preserves the source IP 742 address used by the Client when establishing the initial subflow. 743 Data conveyed in secondary subflows will be proxied by the Transport 744 Converter using the source IP address of the initial subflow. An 745 example of a proxied Multipath TCP connection with address 746 preservation is shown in Figure 8. 748 Transport 749 Client Converter Server 751 @:C1,C2 @:Tc @:S 752 || | | 753 |src:C1 SYN dst:Tc|src:C1 dst:S| 754 |-------MPC [->S:port]------->|-------SYN------->| 755 || | | 756 ||dst:C1 src:Tc|dst:C1 src:S| 757 |<---------SYN/ACK------------|<-----SYN/ACK-----| 758 || | | 759 |src:C1 dst:Tc|src:C1 dst:S| 760 |------------ACK------------->|-------ACK------->| 761 | | | 762 |src:C2 ... dst:Tc| ... | 763 ||<-----Secondary Subflow---->|src:C1 dst:S| 764 || |-------data------>| 765 | .. | ... | 767 Legend: 768 Tc: IP address used by the Transport Converter on the internal 769 realm. 771 Figure 8: Example of Address Preservation 773 The Transport Converter must be on the forwarding path of incoming 774 traffic. Because the same (destination) IP address is used for both 775 proxied and non-proxied connections, the Transport Converter should 776 not drop incoming packets it intercepts if no matching entry is found 777 for the packets. Unless explicitly configured otherwise, such 778 packets are forwarded according to the instructions of a local 779 forwarding table. 781 4.4.2. Address/Prefix Sharing 783 A pool of global IPv4 addresses is provisioned to the Transport 784 Converter along with possible instructions about the address sharing 785 ratio to apply (see Appendix B of [RFC6269]). An address is thus 786 shared among multiple clients. 788 Likewise, rewriting the source IPv6 prefix [RFC6296] may be used to 789 ease redirection of incoming IPv6 traffic towards the appropriate 790 Transport Converter. A pool of IPv6 prefixes is then provisioned to 791 the Transport Converter for this purpose. 793 Adequate forwarding policies are enforced so that traffic destined to 794 an address of such pool is intercepted by the appropriate Transport 795 Converter. Unlike Section 4.4.1, the Transport Converter drops 796 incoming packets which do not match an active transport session 797 entry. 799 An example is shown in Figure 9. 801 Transport 802 Client Converter Server 804 @:C @:Tc|Te @:S 805 | | | 806 |src:C dst:Tc|src:Te dst:S| 807 |-------SYN [->S:port]------->|-------SYN------->| 808 | | | 809 |dst:C src:Tc|dst:Te src:S| 810 |<---------SYN/ACK------------|<-----SYN/ACK-----| 811 | | | 812 |src:C dst:Tc|src:Te dst:S| 813 |------------ACK------------->|-------ACK------->| 814 | | | 815 | ... | ... | 817 Legend: 818 Tc: IP address used by the Transport Converter on the internal 819 realm. 820 Te: IP address used by the Transport Converter on the external 821 realm. 823 Figure 9: Address Sharing 825 5. Sample Examples 827 5.1. Outgoing Converter-Assisted Multipath TCP Connections 829 As an example, let us consider how the Convert Protocol can help the 830 deployment of Multipath TCP. We assume that both the Client and the 831 Transport Converter support Multipath TCP, but consider two different 832 cases depending on whether the Server supports Multipath TCP or not. 834 As a reminder, a Multipath TCP connection is created by placing the 835 MP_CAPABLE (MPC) option in the SYN sent by the Client. 837 Figure 10 describes the operation of the Transport Converter if the 838 Server does not support Multipath TCP. 840 Transport 841 Client Converter Server 842 |SYN, MPC | | 843 |[->Server:port] | SYN, MPC | 844 |------------------>|--------------------->| 845 |<------------------|<---------------------| 846 | SYN+ACK,MPC [.] | SYN+ACK | 847 |------------------>|--------------------->| 848 | ACK, MPC | ACK | 849 | ... | ... | 851 Figure 10: Establishment of a Multipath TCP Connection through a 852 Transport Converter towards a Server that does not support Multipath 853 TCP 855 The Client tries to initiate a Multipath TCP connection by sending a 856 SYN with the MP_CAPABLE option (MPC in Figure 10). The SYN includes 857 the address and port number of the target Server, that are extracted 858 and used by the Transport Converter to initiate a Multipath TCP 859 connection towards this Server. Since the Server does not support 860 Multipath TCP, it replies with a SYN+ACK that does not contain the 861 MP_CAPABLE option. The Transport Converter notes that the connection 862 with the Server does not support Multipath TCP and returns the 863 extended TCP header received from the Server to the Client. 865 Note that, if the TCP connection is reset for some reason, the 866 Converter tears down the Multipath TCP connection by transmitting a 867 MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with 868 the transmission of DATA_FINs, the Converter terminates the TCP 869 connection by using FIN segments. As a side note, given that with 870 Multipath TCP, RST only has the scope of the subflow and will only 871 close the concerned subflow but not affect the remaining subflows, 872 the Converter does not terminate the downstream TCP connection upon 873 receipt of an RST over a Multipath subflow. 875 Figure 11 considers a Server that supports Multipath TCP. In this 876 case, it replies to the SYN sent by the Transport Converter with the 877 MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport 878 Converter confirms the establishment of the connection to the Client 879 and indicates to the Client that the Server supports Multipath TCP. 880 With this information, the Client has discovered that the Server 881 supports Multipath TCP. This will enable the Client to bypass the 882 Transport Converter for the subsequent Multipath TCP connections that 883 it will initiate towards this Server. 885 Transport 886 Client Converter Server 887 |SYN, MPC | | 888 |[->Server:port] | SYN, MPC | 889 |------------------>|--------------------->| 890 |<------------------|<---------------------| 891 |SYN+ACK, MPC | SYN+ACK, MPC | 892 |[MPC supported] | | 893 |------------------>|--------------------->| 894 | ACK, MPC | ACK, MPC | 895 | ... | ... | 897 Figure 11: Establishment of a Multipath TCP Connection through a 898 Converter towards an MPTCP-capable Server 900 5.2. Incoming Converter-Assisted Multipath TCP Connection 902 An example of an incoming Converter-assisted Multipath TCP connection 903 is depicted in Figure 12. In order to support incoming connections 904 from remote hosts, the Client may use PCP [RFC6887] to instruct the 905 Transport Converter to create dynamic mappings. Those mappings will 906 be used by the Transport Converter to intercept an incoming TCP 907 connection destined to the Client and convert it into a Multipath TCP 908 connection. 910 Typically, the Client sends a PCP request to the Converter asking to 911 create an explicit TCP mapping for (internal IP address, internal 912 port number). The Converter accepts the request by creating a TCP 913 mapping (internal IP address, internal port number, external IP 914 address, external port number). The external IP address, external 915 port number, and assigned lifetime are returned back the Client in 916 the PCP response. The external IP address and external port number 917 will be then advertised by the Client (or the user) using an out-of- 918 band mechanism so that remote hosts can initiate TCP connections to 919 the Client via the Converter. Note that the external and internal 920 information may be the same. 922 Then, when the Converter receives an incoming SYN, it checks its 923 mapping table to verify if there is an active mapping matching the 924 destination IP address and destination port of that SYN. If no entry 925 is found, the Converter silently ignores the message. If an entry is 926 found, the Converter inserts an MP_CAPABLE option and Connect TLV in 927 the SYN packet, rewrites the source IP address to one of its IP 928 addresses and, eventually, the destination IP address and port number 929 in accordance with the information stored in the mapping. SYN+ACK 930 and ACK will be then exchanged between the Client and the Converter 931 to confirm the establishment of the initial subflow. The Client can 932 add new subflows following normal Multipath TCP procedures. 934 Transport Remote 935 Client Converter Host 936 | | | 937 |<--------------------|<-------------------| 938 |SYN, MPC | SYN | 939 |[Remote Host:port] | | 940 |-------------------->|------------------->| 941 | SYN+ACK, MPC | SYN+ACK | 942 |<--------------------|<-------------------| 943 | ACK, MPC | ACK | 944 | ... | ... | 946 Figure 12: Establishment of an Incoming Multipath TCP Connection 947 through a Transport Converter 949 It is out of scope of this document to define specific Convert TLVs 950 to manage incoming connections (that is, TLVs that mimic PCP 951 messages). These TLVs can be defined in a separate document. 953 6. The Convert Protocol (Convert) 955 This section defines the Convert Protocol (Convert, for short) 956 messages that are exchanged between a Client and a Transport 957 Converter. 959 The Transport Converter listens on a specific TCP port number for 960 Convert messages from Clients. That port number is configured by an 961 administrator. Absent any policy, the Transport Converter SHOULD 962 silently ignore SYNs with no Convert TLVs. 964 Convert messages may appear only in SYN, SYN+ACK, or ACK. 966 Convert messages MUST be included as the first bytes of the 967 bytestream. All Convert messages starts with a 32 bits long fixed 968 header (Section 6.1) followed by one or more Convert TLVs (Type, 969 Length, Value) (Section 6.2). 971 If the initial SYN message contains user data in its payload (e.g., 972 [RFC7413]), that data MUST be placed right after the Convert TLVs 973 when generating the SYN. 975 The protocol can be extended by defining new TLVs or bumping the 976 version number if a different message format is needed. If a future 977 version is defined but with a different message format, the version 978 negotiation procedure defined in Section 6.2.8 (see "Unsupported 979 Version") is meant to agree on a version that is supported by both 980 peers. 982 o Implementation note 1: Several implementers expressed concerns 983 about the use of TFO. As a reminder, the TFO Cookie protects from 984 some attack scenarios that affect open servers like web servers. 985 The Convert Protocol is different and, as discussed in RFC7413, 986 there are different ways to protect from such attacks. Instead of 987 using a TFO cookie inside the TCP options, which consumes precious 988 space in the extended TCP header, the Convert Protocol supports 989 the utilization of a Cookie that is placed in the SYN payload. 990 This provides the same level of protection as a TFO Cookie in 991 environments were such protection is required. 993 o Implementation note 2: Error messages are not included in RST but 994 sent in the bytestream. Implementers have indicated that 995 processing RST on clients was difficult on some platforms. This 996 design simplifies client implementations. 998 6.1. The Convert Fixed Header 1000 The Convert Protocol uses a 32 bits long fixed header that is sent by 1001 both the Client and the Transport Converter over each established 1002 connection. This header indicates both the version of the protocol 1003 used and the length of the Convert message. 1005 The Client and the Transport Converter MUST send the fixed-sized 1006 header, shown in Figure 13, as the first four bytes of the 1007 bytestream. 1009 1 2 3 1010 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1011 +---------------+---------------+-------------------------------+ 1012 | Version | Total Length | Magic Number | 1013 +---------------+---------------+-------------------------------+ 1015 Figure 13: The Convert Fixed Header 1017 The Version is encoded as an 8 bits unsigned integer value. This 1018 document specifies version 1. Version 0 is reserved by this document 1019 and MUST NOT be used. 1021 Note: Early versions of this specification don't use a dedicated 1022 port number but only rely upon the IP address of the Converter. 1023 Having a bit set in the version field together with the length 1024 field allows to avoid mis-interpreting a data in a SYN as Convert 1025 TLVs. Since the design was updated to use a specific service 1026 port, that constraint was relaxed. Version 0 would work but given 1027 existing implementations already use Version 1, the use of Version 1028 0 is maintained as reserved. 1030 The Total Length is the number of 32 bits word, including the header, 1031 of the bytestream that are consumed by the Convert messages. Since 1032 Total Length is also an 8 bits unsigned integer, those messages 1033 cannot consume more than 1020 bytes of data. This limits the number 1034 of bytes that a Transport Converter needs to process. A Total Length 1035 of zero is invalid and the connection MUST be reset upon reception of 1036 a header with such total length. 1038 The Magic Number field MUST be set to the RFC number to be assigned 1039 to this document. This field is meant to further strengthen the 1040 protocol to unambiguously distinguish any data supplied by an 1041 application from Convert TLVs. 1043 o Note to the RFC Editor: Please replace "the RFC number to be 1044 assigned to this document" with the hex representation of the RFC 1045 number assigned to this document. 1047 The Total Length field unambiguously marks the number of 32 bits 1048 words that carry Convert TLVs in the beginning of the bytestream. 1050 6.2. Convert TLVs 1052 6.2.1. Generic Convert TLV Format 1054 The Convert Protocol uses variable length messages that are encoded 1055 using the generic TLV format depicted in Figure 14. 1057 The length of all TLVs used by the Convert Protocol is always a 1058 multiple of four bytes. All TLVs are aligned on 32 bits boundaries. 1059 All TLV fields are encoded using the network byte order. 1061 1 2 3 1062 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1063 +---------------+---------------+-------------------------------+ 1064 | Type | Length | Value ... | 1065 +---------------+---------------+-------------------------------+ 1066 // ... (optional) Value // 1067 +---------------------------------------------------------------+ 1069 Figure 14: Convert Generic TLV Format 1071 The Length field covers Type, Length, and Value fields. It is 1072 expressed in units of 32 bits words. If necessary, Value MUST be 1073 padded with zeroes so that the length of the TLV is a multiple of 32 1074 bits. 1076 A given TLV MUST only appear once on a connection. If a Client 1077 receives two or more instances of the same TLV over a Convert 1078 connection, it MUST reset the associated TCP connection. If a 1079 Converter receives two or more instances of the same TLV over a 1080 Convert connection, it MUST return a Malformed Message Error TLV and 1081 close the associated TCP connection. 1083 6.2.2. Summary of Supported Convert TLVs 1085 This document specifies the following Convert TLVs: 1087 +------+-----+----------+------------------------------------------+ 1088 | Type | Hex | Length | Description | 1089 +------+-----+----------+------------------------------------------+ 1090 | 1 | 0x1 | 1 | Info TLV | 1091 | 10 | 0xA | Variable | Connect TLV | 1092 | 20 | 0x14| Variable | Extended TCP Header TLV | 1093 | 21 | 0x15| Variable | Supported TCP Extensions TLV | 1094 | 22 | 0x16| Variable | Cookie TLV | 1095 | 30 | 0x1E| Variable | Error TLV | 1096 +------+-----+----------+------------------------------------------+ 1098 Figure 15: The TLVs used by the Convert Protocol 1100 Type 0x0 is a reserved value. If a Client receives a TLV of type 1101 0x0, it MUST reset the associated TCP connection. If a Converter 1102 receives a TLV of type 0x0, it MUST return an Unsupported Message 1103 Error TLV and close the associated TCP connection. 1105 The Client typically sends in the first connection it established 1106 with a Transport Converter the Info TLV (Section 6.2.3) to learn its 1107 capabilities. Assuming the Client is authorized to invoke the 1108 Transport Converter, the latter replies with the Supported TCP 1109 Extensions TLV (Section 6.2.4). 1111 The Client can request the establishment of connections to servers by 1112 using the Connect TLV (Section 6.2.5). If the connection can be 1113 established with the final server, the Transport Converter replies 1114 with the Extended TCP Header TLV (Section 6.2.6). If not, the 1115 Transport Converter MUST return an Error TLV (Section 6.2.8) and then 1116 closes the connection. The Transport Converter MUST NOT send an RST 1117 immediately after the detection of an error to let the Error TLV 1118 reach the Client. As explained later, the Client will anyway send an 1119 RST upon reception of the Error TLV. 1121 6.2.3. The Info TLV 1123 The Info TLV (Figure 16) is an optional TLV which can be sent by a 1124 Client to request the TCP extensions that are supported by a 1125 Transport Converter. It is typically sent on the first connection 1126 that a Client establishes with a Transport Converter to learn its 1127 capabilities. Assuming a Client is entitled to invoke the Transport 1128 Converter, the latter replies with the Supported TCP Extensions TLV 1129 described in Section 6.2.4. 1131 1 2 3 1132 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1133 +---------------+---------------+-------------------------------+ 1134 | Type=0x1 | Length | Zero | 1135 +---------------+---------------+-------------------------------+ 1137 Figure 16: The Info TLV 1139 6.2.4. Supported TCP Extensions TLV 1141 The Supported TCP Extensions TLV (Figure 17) is used by a Transport 1142 Converter to announce the TCP options for which it provides a 1143 conversion service. A Transport Converter SHOULD include in this 1144 list the TCP options that it supports in outgoing SYNs. 1146 Each supported TCP option is encoded with its TCP option Kind listed 1147 in the "TCP Parameters" registry maintained by IANA. The Unassigned 1148 field MUST be set to zero by the Transport Converter and ignored by 1149 the Client. 1151 1 2 3 1152 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1153 +---------------+---------------+-------------------------------+ 1154 | Type=0x15 | Length | Unassigned | 1155 +---------------+---------------+-------------------------------+ 1156 | Kind #1 | Kind #2 | ... | 1157 +---------------+---------------+-------------------------------+ 1158 / ... / 1159 / / 1160 +---------------------------------------------------------------+ 1162 Figure 17: The Supported TCP Extensions TLV 1164 TCP option Kinds 1 and 2 defined in [RFC0793] are supported by all 1165 TCP implementations and thus MUST NOT appear in this list. 1167 The list of Supported TCP Extensions is padded with 0 to end on a 32 1168 bits boundary. 1170 For example, if the Transport Converter supports Multipath TCP, 1171 Kind=30 will be present in the Supported TCP Extensions TLV that it 1172 returns in response to Info TLV. 1174 6.2.5. Connect TLV 1176 The Connect TLV (Figure 18) is used to request the establishment of a 1177 connection via a Transport Converter. This connection can be from or 1178 to a Client. 1180 The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain 1181 the destination port number and IP address of the Server, for 1182 outgoing connections. For incoming connections destined to a Client 1183 serviced via a Transport Converter, these fields convey the source 1184 port number and IP address of the SYN packet received by the 1185 Transport Converter from the server. 1187 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 1188 addresses MUST be encoded using the IPv4-Mapped IPv6 Address format 1189 defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT 1190 include multicast, broadcast, and host loopback addresses [RFC6890]. 1191 If a Converter receives a Connect TLVs with such invalid addresses, 1192 it MUST reply with a Malformed Message Error TLV and close the 1193 associated TCP connection. 1195 We distinguish two types of Connect TLV based on their length: (1) 1196 the Base Connect TLV has a length set to 5 (i.e., 20 bytes) and 1197 contains a remote address and a remote port (Figure 18), (2) the 1198 Extended Connect TLV spans more than 20 bytes and also includes the 1199 optional 'TCP Options' field (Figure 19). This field is used to 1200 request the advertisement of specific TCP options to the server. 1202 1 2 3 1203 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1204 +---------------+---------------+-------------------------------+ 1205 | Type=0xA | Length | Remote Peer Port | 1206 +---------------+---------------+-------------------------------+ 1207 | | 1208 | Remote Peer IP Address (128 bits) | 1209 | | 1210 | | 1211 +---------------------------------------------------------------+ 1213 Figure 18: The Base Connect TLV 1214 1 2 3 1215 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1216 +---------------+---------------+-------------------------------+ 1217 | Type=0xA | Length | Remote Peer Port | 1218 +---------------+---------------+-------------------------------+ 1219 | | 1220 | Remote Peer IP Address (128 bits) | 1221 | | 1222 | | 1223 +---------------------------------------------------------------+ 1224 / TCP Options (Variable) / 1225 / ... / 1226 +---------------------------------------------------------------+ 1228 Figure 19: The Extended Connect TLV 1230 The 'TCP Options' field is a variable length field that carries a 1231 list of TCP option fields (Figure 20). Each TCP option field is 1232 encoded as a block of 2+n bytes where the first byte is the TCP 1233 option Kind and the second byte is the length of the TCP option as 1234 specified in [RFC0793]. The minimum value for the TCP option Length 1235 is 2. The TCP options that do not include a length sub-field, i.e., 1236 option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be 1237 placed inside the TCP options field of the Connect TLV. The optional 1238 Value field contains the variable-length part of the TCP option. A 1239 length of two indicates the absence of the Value field. The TCP 1240 options field always ends on a 32 bits boundary after being padded 1241 with zeros. 1243 1 2 3 1244 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1245 +---------------+---------------+---------------+---------------+ 1246 | TCPOpt kind | TCPOpt Length | Value (opt) | .... | 1247 +---------------+---------------+---------------+---------------+ 1248 | .... | 1249 +---------------------------------------------------------------+ 1250 | ... | 1251 +---------------------------------------------------------------+ 1253 Figure 20: The TCP Options Field 1255 Upon reception of a Base Connect TLV, and absent any policy (e.g., 1256 rate-limit) or resource exhaustion conditions, a Transport Converter 1257 attempts to establish a connection to the address and port that it 1258 contains. The Transport Converter MUST use by default the TCP 1259 options that correspond to its local policy to establish this 1260 connection. 1262 Upon reception of an Extended Connect TLV, a Transport Converter 1263 first checks whether it supports the TCP Options listed in the 'TCP 1264 Options' field. If not, it returns an error TLV set to "Unsupported 1265 TCP Option" (Section 6.2.8). If the above check succeeded and absent 1266 any rate limit policy or resource exhaustion conditions, a Transport 1267 Converter MUST attempt to establish a connection to the address and 1268 port that it contains. It MUST include in the SYN that it sends to 1269 the Server the options listed in the 'TCP Options' sub-field and the 1270 TCP options that it would have used according to its local policies. 1271 For the TCP options that are included in the TCP Options field 1272 without an optional value, the Transport Converter MUST generate its 1273 own value. For the TCP options that are included in the 'TCP 1274 Options' field with an optional value, it MUST copy the entire option 1275 in the SYN sent to the remote server. This procedure is designed 1276 with TFO in mind. Particularly, this procedure allows to 1277 successfully exchange a TFO Cookie between the client and the server. 1278 See Section 7 for a detailed discussion of the different types of TCP 1279 options. 1281 The Transport Converter may refuse a Connect TLV request for various 1282 reasons (e.g., authorization failed, out of resources, invalid 1283 address type, unsupported TCP option). An error message indicating 1284 the encountered error is returned to the requesting Client 1285 (Section 6.2.8). In order to prevent denial-of-service attacks, 1286 error messages sent to a Client SHOULD be rate-limited. 1288 6.2.6. Extended TCP Header TLV 1290 The Extended TCP Header TLV (Figure 21) is used by the Transport 1291 Converter to return to the Client the TCP options that were returned 1292 by the Server in the SYN+ACK packet. A Transport Converter MUST 1293 return this TLV if the Client sent an Extended Connect TLV and the 1294 connection was accepted by the server. 1296 1 2 3 1297 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1298 +---------------+---------------+-------------------------------+ 1299 | Type=0x14 | Length | Unassigned | 1300 +---------------+---------------+-------------------------------+ 1301 / Returned Extended TCP header / 1302 / ... / 1303 +---------------------------------------------------------------+ 1305 Figure 21: The Extended TCP Header TLV 1307 The Returned Extended TCP header field is a copy of the TCP Options 1308 that were included in the SYN+ACK received by the Transport 1309 Converter. 1311 The Unassigned field MUST be set to zero by the sender and ignored by 1312 the receiver. 1314 6.2.7. The Cookie TLV 1316 The Cookie TLV (Figure 22) is an optional TLV which is similar to the 1317 TCP Fast Open Cookie [RFC7413]. A Transport Converter may want to 1318 verify that a Client can receive the packets that it sends to prevent 1319 attacks from spoofed addresses. This verification can be done by 1320 using a Cookie that is bound to, for example, the IP address(es) of 1321 the Client. This Cookie can be configured on the Client by means 1322 that are outside of this document or provided by the Transport 1323 Converter. 1325 A Transport Converter that has been configured to use the optional 1326 Cookie TLV MUST verify the presence of this TLV in the payload of the 1327 received SYN. If this TLV is present, the Transport Converter MUST 1328 validate the Cookie by means similar to those in Section 4.1.2 of 1329 [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the 1330 connection establishment procedure can continue. Otherwise, the 1331 Transport Converter MUST return an Error TLV set to "Not Authorized" 1332 and close the connection. 1334 If the received SYN did not contain a Cookie TLV, and cookie 1335 validation is required, the Transport Converter MAY compute a Cookie 1336 bound to this Client address. In such case, the Transport Converter 1337 MUST return an Error TLV set to "Missing Cookie" and the computed 1338 Cookie and close the connection. The Client will react to this error 1339 by first issuing a reset to terminate the connection. It also stores 1340 the received Cookie in its cache and attempts to reestablish a new 1341 connection to the Transport Converter that includes the Cookie TLV. 1343 The format of the Cookie TLV is shown in Figure 22. 1345 1 2 3 1346 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1347 +---------------+---------------+-------------------------------+ 1348 | Type=0x16 | Length | Zero | 1349 +---------------+---------------+-------------------------------+ 1350 / Opaque Cookie / 1351 / ... / 1352 +---------------------------------------------------------------+ 1354 Figure 22: The Cookie TLV 1356 6.2.8. Error TLV 1358 The Error TLV (Figure 23) is meant to provide information about some 1359 errors that occurred during the processing of a Convert message. 1360 This TLV has a variable length. Upon reception of an Error TLV, a 1361 Client MUST reset the associated connection. 1363 An Error TLV can be included in the SYN+ACK or an ACK. 1365 1 2 3 1366 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1367 +---------------+---------------+----------------+--------------+ 1368 | Type=0x1E | Length | Error Code | Value | 1369 +---------------+---------------+----------------+--------------+ 1370 // ... (optional) Value // 1371 +---------------------------------------------------------------+ 1373 Figure 23: The Error TLV 1375 Different types of errors can occur while processing Convert 1376 messages. Each error is identified by an Error Code represented as 1377 an unsigned integer. Four classes of error codes are defined: 1379 o Message validation and processing errors (0-31 range): returned 1380 upon reception of an invalid message (including valid messages but 1381 with invalid or unknown TLVs). 1383 o Client-side errors (32-63 range): the Client sent a request that 1384 could not be accepted by the Transport Converter (e.g., 1385 unsupported operation). 1387 o Converter-side errors (64-95 range): problems encountered on the 1388 Transport Converter (e.g., lack of resources) which prevent it 1389 from fulfilling the Client's request. 1391 o Errors caused by the destination server (96-127 range): the final 1392 destination could not be reached or it replied with a reset. 1394 The following error codes are defined in this document: 1396 o Unsupported Version (0): The version number indicated in the fixed 1397 header of a message received from a peer is not supported. 1399 This error code MUST be generated by a peer (e.g. Transport 1400 Converter) when it receives a request having a version number that 1401 it does not support. 1403 The value field MUST be set to the version supported by the peer. 1404 When multiple versions are supported by the peer, it includes the 1405 list of supported version in the value field; each version is 1406 encoded in 8 bits. The list of supported versions MUST be padded 1407 with zeros to end on a 32 bits boundary. 1409 Upon receipt of this error code, the remote peer (e.g., Client) 1410 checks whether it supports one of the versions returned by the 1411 peer. The highest common supported version MUST be used by the 1412 remote peer in subsequent exchanges with the peer. 1414 o Malformed Message (1): This error code is sent to indicate that a 1415 message received from a peer cannot be successfully parsed and 1416 validated. 1418 Typically, this error code is sent by the Transport Converter if 1419 it receives a Connect TLV enclosing a multicast, broadcast, or 1420 loopback IP address. 1422 To ease troubleshooting, the value field MUST echo the received 1423 message using the format depicted in Figure 24. This format 1424 allows to keep the original alignment of the message that 1425 triggered the error. 1427 1 2 3 1428 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1429 +---------------+---------------+----------------+--------------+ 1430 | Type=0x1E | Length | Error Code | Zeros | 1431 +---------------+---------------+----------------+--------------+ 1432 // Echo the message which triggered the error // 1433 +---------------------------------------------------------------+ 1435 Figure 24: Error TLV to ease Message Correlation 1437 o Unsupported Message (2): This error code is sent to indicate that 1438 a message type received from a Client is not supported. 1440 To ease troubleshooting, the value field MUST echo the received 1441 message using the format shown in Figure 24. 1443 o Missing Cookie (3): If a Transport Converter requires the 1444 utilization of Cookies to prevent spoofing attacks and a Cookie 1445 TLV was not included in the Convert message, the Transport 1446 Converter MUST return this error to the requesting client only if 1447 it computes a cookie for this client. The first byte of the value 1448 field MUST be set to zero and the remaining bytes of the Error TLV 1449 contain the Cookie computed by the Transport Converter for this 1450 Client. 1452 A Client which receives this error code SHOULD cache the received 1453 Cookie and include it in subsequent Convert messages sent to that 1454 Transport Converter. 1456 o Not Authorized (32): This error code indicates that the Transport 1457 Converter refused to create a connection because of a lack of 1458 authorization (e.g., administratively prohibited, authorization 1459 failure, invalid Cookie TLV). The Value field MUST be set to 1460 zero. 1462 This error code MUST be sent by the Transport Converter when a 1463 request cannot be successfully processed because the authorization 1464 failed. 1466 o Unsupported TCP Option (33): A TCP option that the Client 1467 requested to advertise to the final Server cannot be safely used. 1469 The Value field is set to the type of the unsupported TCP option. 1470 If several unsupported TCP options were specified in the Connect 1471 TLV, then the list of unsupported TCP options is returned. The 1472 list of unsupported TCP options MUST be padded with zeros to end 1473 on a 32 bits boundary. 1475 o Resource Exceeded (64): This error indicates that the Transport 1476 Converter does not have enough resources to perform the request. 1478 This error MUST be sent by the Transport Converter when it does 1479 not have sufficient resources to handle a new connection. The 1480 Transport Converter may indicate in the Value field the suggested 1481 delay (in seconds) that the Client SHOULD wait before soliciting 1482 the Transport Converter for a new proxied connection. A Value of 1483 zero corresponds to a default delay of at least 30 seconds. 1485 o Network Failure (65): This error indicates that the Transport 1486 Converter is experiencing a network failure to proxy the request. 1488 The Transport Converter MUST send this error code when it 1489 experiences forwarding issues to proxy a connection. The 1490 Transport Converter may indicate in the Value field the suggested 1491 delay (in seconds) that the Client SHOULD wait before soliciting 1492 the Transport Converter for a new proxied connection. A Value of 1493 zero corresponds to a default delay of at least 30 seconds. 1495 o Connection Reset (96): This error indicates that the final 1496 destination responded with an RST segment. The Value field MUST 1497 be set to zero. 1499 o Destination Unreachable (97): This error indicates that an ICMP 1500 message indicating a hard error (e.g., destination unreachable, 1501 port unreachable, or network unreachable) was received by the 1502 Transport Converter. The Value field MUST echo the Code field of 1503 the received ICMP message. 1505 As a reminder, TCP implementations are supposed to act on an ICMP 1506 error message passed up from the IP layer, directing it to the 1507 connection that triggered the error using the demultiplexing 1508 information included in the payload of that ICMP message. Such 1509 demultiplexing issue does not apply for handling the "Destination 1510 Unreachable" Error TLV because the error is sent in-band. For 1511 this reason, the payload of the ICMP message is not echoed in the 1512 Destination Unreachable Error TLV. 1514 Figure 25 summarizes the different error codes. 1516 +-------+------+-----------------------------------------------+ 1517 | Error | Hex | Description | 1518 +-------+------+-----------------------------------------------+ 1519 | 0 | 0x00 | Unsupported Version | 1520 | 1 | 0x01 | Malformed Message | 1521 | 2 | 0x02 | Unsupported Message | 1522 | 3 | 0x03 | Missing Cookie | 1523 | 32 | 0x20 | Not Authorized | 1524 | 33 | 0x21 | Unsupported TCP Option | 1525 | 64 | 0x40 | Resource Exceeded | 1526 | 65 | 0x41 | Network Failure | 1527 | 96 | 0x60 | Connection Reset | 1528 | 97 | 0x61 | Destination Unreachable | 1529 +-------+------+-----------------------------------------------+ 1531 Figure 25: Convert Error Values 1533 7. Compatibility of Specific TCP Options with the Conversion Service 1535 In this section, we discuss how several deployed standard track TCP 1536 options can be supported through the Convert Protocol. The other TCP 1537 options will be discussed in other documents. 1539 7.1. Base TCP Options 1541 Three TCP options were initially defined in [RFC0793]: End-of-Option 1542 List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size 1543 (Kind=2). The first two options are mainly used to pad the TCP 1544 header. There is no reason for a client to request a Transport 1545 Converter to specifically send these options towards the final 1546 destination. 1548 The Maximum Segment Size option (Kind=2) is used by a host to 1549 indicate the largest segment that it can receive over each 1550 connection. This value is function of the stack that terminates the 1551 TCP connection. There is no reason for a Client to request a 1552 Transport Converter to advertise a specific MSS value to a remote 1553 server. 1555 A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they 1556 appear in a Connect TLV. It MUST NOT announce them in a Supported 1557 TCP Extensions TLV. 1559 7.2. Window Scale (WS) 1561 The Window Scale (WS) option (Kind=3) is defined in [RFC7323]. As 1562 for the MSS option, the window scale factor that is used for a 1563 connection strongly depends on the TCP stack that handles the 1564 connection. When a Transport Converter opens a TCP connection 1565 towards a remote server on behalf of a Client, it SHOULD use a WS 1566 option with a scaling factor that corresponds to the configuration of 1567 its stack. A local configuration MAY allow for WS option in the 1568 proxied message to be function of the scaling factor of the incoming 1569 connection. 1571 There is no benefit from a deployment viewpoint in enabling a Client 1572 of a Transport Converter to specifically request the utilization of 1573 the WS option (Kind=3) with a specific scaling factor towards a 1574 remote Server. For this reason, a Transport Converter MUST ignore 1575 option Kind=3 if it appears in a Connect TLV. It MUST NOT announce 1576 it in a Supported TCP Extensions TLV. 1578 7.3. Selective Acknowledgments 1580 Two distinct TCP options were defined to support selective 1581 acknowledgments in [RFC2018]. This first one, SACK Permitted 1582 (Kind=4), is used to negotiate the utilization of selective 1583 acknowledgments during the three-way handshake. The second one, SACK 1584 (Kind=5), carries the selective acknowledgments inside regular 1585 segments. 1587 The SACK Permitted option (Kind=4) MAY be advertised by a Transport 1588 Converter in the Supported TCP Extensions TLV. Clients connected to 1589 this Transport Converter MAY include the SACK Permitted option in the 1590 Connect TLV. 1592 The SACK option (Kind=5) cannot be used during the three-way 1593 handshake. For this reason, a Transport Converter MUST ignore option 1594 Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a 1595 TCP Supported Extensions TLV. 1597 7.4. Timestamp 1599 The Timestamp option [RFC7323] can be used during the three-way 1600 handshake to negotiate the utilization of timestamps during the TCP 1601 connection. It is notably used to improve round-trip-time 1602 estimations and to provide protection against wrapped sequence 1603 numbers (PAWS). As for the WS option, the timestamps are a property 1604 of a connection and there is limited benefit in enabling a client to 1605 request a Transport Converter to use the timestamp option when 1606 establishing a connection to a remote server. Furthermore, the 1607 timestamps that are used by TCP stacks are specific to each stack and 1608 there is no benefit in enabling a client to specify the timestamp 1609 value that a Transport Converter could use to establish a connection 1610 to a remote server. 1612 A Transport Converter MAY advertise the Timestamp option (Kind=8) in 1613 the TCP Supported Extensions TLV. The clients connected to this 1614 Transport Converter MAY include the Timestamp option in the Connect 1615 TLV but without any timestamp. 1617 7.5. Multipath TCP 1619 The Multipath TCP options are defined in [RFC6824]. [RFC6824] 1620 defines one variable length TCP option (Kind=30) that includes a sub- 1621 type field to support several Multipath TCP options. There are 1622 several operational use cases where clients would like to use 1623 Multipath TCP through a Transport Converter [IETFJ16]. However, none 1624 of these use cases require the Client to specify the content of the 1625 Multipath TCP option that the Transport Converter should send to a 1626 remote server. 1628 A Transport Converter which supports Multipath TCP conversion service 1629 MUST advertise the Multipath TCP option (Kind=30) in the Supported 1630 TCP Extensions TLV. Clients serviced by this Transport Converter may 1631 include the Multipath TCP option in the Connect TLV but without any 1632 content. 1634 7.6. TCP Fast Open 1636 The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413]. 1637 There are two different usages of this option that need to be 1638 supported by Transport Converters. The first utilization of the TCP 1639 Fast Open cookie option is to request a cookie from the server. In 1640 this case, the option is sent with an empty cookie by the client and 1641 the server returns the cookie. The second utilization of the TCP 1642 Fast Open cookie option is to send a cookie to the server. In this 1643 case, the option contains a cookie. 1645 A Transport Converter MAY advertise the TCP Fast Open cookie option 1646 (Kind=34) in the Supported TCP Extensions TLV. If a Transport 1647 Converter has advertised the support for TCP Fast Open in its 1648 Supported TCP Extensions TLV, it needs to be able to process two 1649 types of Connect TLV. 1651 If such a Transport Converter receives a Connect TLV with the TCP 1652 Fast Open cookie option that does not contain a cookie, it MUST add 1653 an empty TCP Fast Open cookie option in the SYN sent to the remote 1654 server. If the remote server supports TFO, it responds with a SYN- 1655 ACK according to the procedure in Section 4.1.2 of [RFC7413]. This 1656 SYN-ACK may contain a Fast Open option with a cookie. Upon receipt 1657 of the SYN-ACK by the Converter, it relays Fast Open option with the 1658 cookie to the Client. 1660 If such a Transport Converter receives a Connect TLV with the TCP 1661 Fast Open cookie option that contains a cookie, it MUST copy the TCP 1662 Fast Open cookie option in the SYN sent to the remote server. 1664 7.7. TCP-AO 1666 TCP-AO [RFC5925] provides a technique to authenticate all the packets 1667 exchanged over a TCP connection. Given the nature of this extension, 1668 it is unlikely that the applications that require their packets to be 1669 authenticated end-to-end would want their connections to pass through 1670 a converter. For this reason, we do not recommend the support of the 1671 TCP-AO option by Transport Converters. The only use cases where it 1672 could make sense to combine TCP-AO and the solution in this document 1673 are those where the TCP-AO-NAT extension [RFC6978] is in use. 1675 A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29) 1676 in the Supported TCP Extensions TLV. If a Transport Converter 1677 receives a Connect TLV that contains the TCP-AO option, it MUST 1678 reject the establishment of the connection with error code set to 1679 "Unsupported TCP Option", except if the TCP-AO-NAT option is used. 1680 Nevertheless, given that TCP-AO-NAT is Experimental, its usage is not 1681 currently defined and must be specified by some other document before 1682 it can be used. 1684 8. Interactions with Middleboxes 1686 The Convert Protocol is designed to be used in networks that do not 1687 contain middleboxes that interfere with TCP. Under such conditions, 1688 it is assumed that the network provider ensures that all involved on- 1689 path nodes are not breaking TCP signals (e.g., strip TCP options, 1690 discard some SYNs, etc.). 1692 Nevertheless, and in order to allow for a robust service, this 1693 section describes how a Client can detect middlebox interference and 1694 stop using the Transport Converter affected by this interference. 1696 Internet measurements [IMC11] have shown that middleboxes can affect 1697 the deployment of TCP extensions. In this section, we focus the 1698 middleboxes that modify the payload since the Convert Protocol places 1699 its messages at the beginning of the bytestream. 1701 Consider a middlebox that removes the SYN payload. The Client can 1702 detect this problem by looking at the acknowledgment number field of 1703 the SYN+ACK if returned by the Transport Converter. The Client MUST 1704 stop to use this Transport Converter given the middlebox 1705 interference. 1707 Consider now a middlebox that drops SYN/ACKs with a payload. The 1708 Client won't be able to establish a connection via the Transport 1709 Converter. The case of a middlebox that removes the payload of 1710 SYN+ACKs or from the packet that follows the SYN+ACK (but not the 1711 payload of SYN) can be detected by a Client. This is hinted by the 1712 absence of a valid Convert message in the response. 1714 As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect 1715 the operation of TFO if they assign different IP addresses to the 1716 same end host. Such CGNs could affect the operation of the cookie 1717 validation used by the Convert Protocol. As a reminder CGNs, enabled 1718 on the path between a Client and a Transport Converter, must adhere 1719 to the address preservation defined in [RFC6888]. See also the 1720 discussion in Section 7.1 of [RFC7413]. 1722 9. Security Considerations 1724 An implementation MUST check that the Convert TLVs are properly 1725 framed within the boundary indicated by the Total Length in the fixed 1726 header (Section 6.1). 1728 Additional security considerations are discussed in the following 1729 sub-sections. 1731 9.1. Privacy & Ingress Filtering 1733 The Transport Converter may have access to privacy-related 1734 information (e.g., subscriber credentials). The Transport Converter 1735 is designed to not leak such sensitive information outside a local 1736 domain. 1738 Given its function and location in the network, a Transport Converter 1739 is in a position to observe all packets that it processes, to include 1740 payloads and meta-data; and has the ability to profile and conduct 1741 some traffic analysis of user behavior. The Transport Converter MUST 1742 be as protected as a core IP router (e.g., Section 10 of [RFC1812]). 1744 Furthermore, ingress filtering policies MUST be enforced at the 1745 network boundaries [RFC2827]. 1747 This document assumes that all network attachments are managed by the 1748 same administrative entity. Therefore, enforcing anti-spoofing 1749 filters at these network is a guard that hosts are not sending 1750 traffic with spoofed source IP addresses. 1752 9.2. Authentication and Authorization Considerations 1754 The Convert Protocol is RECOMMENDED to be used in a managed network 1755 where end hosts can be securely identified by their IP address. If 1756 such control is not exerted and there is a more open network 1757 environment, a strong mutual authentication scheme MUST be defined to 1758 use the Convert Protocol. 1760 One possibility for mutual authentication is to use TLS to perform 1761 mutual authentication between the client and the Converter. That is, 1762 use TLS when a Client retrieves a Cookie from the Converter and rely 1763 on certificate-based client authentication, pre-shared key based 1764 [RFC4279] or raw public key based client authentication [RFC7250] to 1765 secure this connection. If the authentication succeeds, the 1766 Converter returns a cookie to the Client. Subsequent Connect 1767 messages will be authorized as a function of the content of the 1768 Cookie TLV. An attacker from within the network between a Client and 1769 a Transport Converter may intercept the Cookie and use it to be 1770 granted access to the conversion service. Such attack is only 1771 possible if the attacker spoofs the IP address of the Client and the 1772 network does not filter packets with source spoofed IP addresses. 1774 The operator that manages the various network attachments (including 1775 the Transport Converters) has various options for enforcing 1776 authentication and authorization policies. For example, a non- 1777 exhaustive list of methods to achieve authorization is provided 1778 hereafter: 1780 o The network provider may enforce a policy based on the 1781 International Mobile Subscriber Identity (IMSI) to verify that a 1782 user is allowed to benefit from the TCP converter service. If 1783 that authorization fails, the Packet Data Protocol (PDP) context/ 1784 bearer will not be mounted. This method does not require any 1785 interaction with the Transport Converter for authorization 1786 matters. 1788 o The network provider may enforce a policy based upon Access 1789 Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) 1790 to control the hosts that are authorized to communicate with a 1791 Transport Converter. These ACLs may be installed as a result of 1792 RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter]. 1793 This method does not require any interaction with the Transport 1794 Converter for authorization matters. 1796 o A device that embeds a Transport Converter may also host a RADIUS 1797 client that will solicit an AAA server to check whether 1798 connections received from a given source IP address are authorized 1799 or not [I-D.boucadair-radext-tcpm-converter]. 1801 A first safeguard against the misuse of Transport Converter resources 1802 by illegitimate users (e.g., users with access networks that are not 1803 managed by the same provider that operates the Transport Converter) 1804 is the Transport Converter to reject Convert connections received in 1805 the external realm. Only Convert connections received in the 1806 internal realm of a Transport Converter will be accepted. 1808 In deployments where network-assisted connections are not allowed 1809 between hosts of a domain (i.e., hairpinning), the Converter may be 1810 instructed to discard such connections. Hairpinned connections are 1811 thus rejected by the Transport Converter by returning an Error TLV 1812 set to "Not Authorized". Absent explicit configuration otherwise, 1813 hairpinning is enabled by the Converter (see Figure 26. 1815 <===Network Provider===> 1817 +----+ from X1:x1 to X2':x2' +-----+ X1':x1' 1818 | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- 1819 +----+ | v | 1820 | v | 1821 | v | 1822 | v | 1823 +----+ from X1':x1' to X2:x2 | v | X2':x2' 1824 | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+--- 1825 +----+ +-----+ 1826 Converter 1828 Note: X2':x2' may be equal to 1829 X2:x2 1831 Figure 26: Hairpinning Example 1833 9.3. Denial of Service 1835 Another possible risk is the amplification attacks since a Transport 1836 Converter sends a SYN towards a remote Server upon reception of a SYN 1837 from a Client. This could lead to amplification attacks if the SYN 1838 sent by the Transport Converter were larger than the SYN received 1839 from the Client or if the Transport Converter retransmits the SYN. 1840 To mitigate such attacks, the Transport Converter SHOULD rate limit 1841 the number of pending requests for a given Client. It SHOULD also 1842 avoid sending to remote Servers SYNs that are significantly longer 1843 than the SYN received from the Client. Finally, the Transport 1844 Converter SHOULD only retransmit a SYN to a Server after having 1845 received a retransmitted SYN from the corresponding Client. Means to 1846 protect against SYN flooding attacks should also be enabled (e.g., 1847 Section 3 of [RFC4987]). 1849 Attacks from within the network between a Client and a Transport 1850 Converter (including attacks that change the protocol version) are 1851 yet another threat. Means to ensure that illegitimate nodes cannot 1852 connect to a network should be implemented. 1854 9.4. Traffic Theft 1856 Traffic theft is a risk if an illegitimate Converter is inserted in 1857 the path. Indeed, inserting an illegitimate Converter in the 1858 forwarding path allows traffic interception and can therefore provide 1859 access to sensitive data issued by or destined to a host. Converter 1860 discovery and configuration are out of scope of this document. 1862 9.5. Logging 1864 If the Converter is configured to behave in the address sharing mode 1865 (Section 4.4.2), the logging recommendations discussed in Section 4 1866 of [RFC6888] need to be considered. Security-related issues 1867 encountered in address sharing environments are documented in 1868 Section 13 of [RFC6269]. 1870 10. IANA Considerations 1872 Note to the RFC Editor: Please replace "THISRFC" in the following 1873 sub-sections with the RFC number to be assigned to this document. 1875 10.1. Convert Service Name 1877 IANA is requested to assign a service name for the Convert Protocol 1878 from the "Service Name and Transport Protocol Port Number Registry" 1879 available at https://www.iana.org/assignments/service-names-port- 1880 numbers/service-names-port-numbers.xhtml. 1882 Service Name: convert 1883 Port Number: N/A 1884 Transport Protocol(s): TCP 1885 Description: 0-RTT TCP Convert Protocol 1886 Assignee: IESG 1887 Contact: IETF Chair 1888 Reference: THISRFC 1890 Clients may use this service name to fed the procedure defined in 1891 [RFC2782] to discover the IP address(es) and the port number used by 1892 the Transport Converters of a domain. 1894 10.2. The Convert Protocol (Convert) Parameters 1896 IANA is requested to create a new "The TCP Convert Protocol (Convert) 1897 Parameters" registry. 1899 The following subsections detail new registries within "The Convert 1900 Protocol (Convert) Parameters" registry. 1902 The Designated Expert is expected to ascertain the existence of 1903 suitable documentation as described in Section 4.6 of [RFC8126] and 1904 to verify that the document is permanently and publicly available. 1905 The Designated Expert is also expected to check the clarity of 1906 purpose and use of the requested code points. 1908 Also, criteria that should be applied by the Designated Experts 1909 includes determining whether the proposed registration duplicates 1910 existing functionality, whether it is likely to be of general 1911 applicability or whether it is useful only for a private use, and 1912 whether the registration description is clear. IANA must only accept 1913 registry updates to the 128-191 range (for both "Convert TLVs" and 1914 "Convert Error Messages" sub-registries) from the Designated Experts 1915 and should direct all requests for registration to the review mailing 1916 list. It is suggested that multiple Designated Experts be appointed. 1917 In cases where a registration decision could be perceived as creating 1918 a conflict of interest for a particular Expert, that Expert should 1919 defer to the judgment of the other Experts. 1921 10.2.1. Convert Versions 1923 IANA is requested to create the "Convert versions" sub-registry. New 1924 values are assigned via IETF Review (Section 4.8 of [RFC8126]). 1926 The initial values to be assigned at the creation of the registry are 1927 as follows: 1929 +---------+--------------------------------------+-------------+ 1930 | Version | Description | Reference | 1931 +---------+--------------------------------------+-------------+ 1932 | 0 | Reserved | THISRFC | 1933 | 1 | Assigned | THISRFC | 1934 +---------+--------------------------------------+-------------+ 1936 Figure 27: Current Convert Versions 1938 10.2.2. Convert TLVs 1940 IANA is requested to create the "Convert TLVs" sub-registry. The 1941 procedure for assigning values from this registry is as follows: 1943 o The values in the range 1-127 can be assigned via IETF Review. 1945 o The values in the range 128-191 can be assigned via Specification 1946 Required. 1948 o The values in the range 192-255 are reserved for Private Use. 1950 The initial values to be assigned at the creation of the registry are 1951 as follows: 1953 +---------+--------------------------------------+-------------+ 1954 | Code | Name | Reference | 1955 +---------+--------------------------------------+-------------+ 1956 | 0 | Reserved | THISRFC | 1957 | 1 | Info TLV | THISRFC | 1958 | 10 | Connect TLV | THISRFC | 1959 | 20 | Extended TCP Header TLV | THISRFC | 1960 | 21 | Supported TCP Extension TLV | THISRFC | 1961 | 22 | Cookie TLV | THISRFC | 1962 | 30 | Error TLV | THISRFC | 1963 +---------+--------------------------------------+-------------+ 1965 Figure 28: Initial Convert TLVs 1967 10.2.3. Convert Error Messages 1969 IANA is requested to create the "Convert Errors" sub-registry. Codes 1970 in this registry are assigned as a function of the error type. Four 1971 types are defined; the following ranges are reserved for each of 1972 these types: 1974 o Message validation and processing errors: 0-31 1976 o Client-side errors: 32-63 1977 o Transport Converter-side errors: 64-95 1979 o Errors caused by destination server: 96-127 1981 The procedure for assigning values from this sub-registry is as 1982 follows: 1984 o 0-127: Values in this range are assigned via IETF Review. 1986 o 128-191: Values in this range are assigned via Specification 1987 Required. 1989 o 192-255: Values in this range are reserved for Private Use. 1991 The initial values to be assigned at the creation of the registry are 1992 as follows: 1994 +-------+-----------------------------------+-----------+ 1995 | Error | Description | Reference | 1996 +-------+-----------------------------------+-----------+ 1997 | 0 | Unsupported Version | THISRFC | 1998 | 1 | Malformed Message | THISRFC | 1999 | 2 | Unsupported Message | THISRFC | 2000 | 3 | Missing Cookie | THISRFC | 2001 | 32 | Not Authorized | THISRFC | 2002 | 33 | Unsupported TCP Option | THISRFC | 2003 | 64 | Resource Exceeded | THISRFC | 2004 | 65 | Network Failure | THISRFC | 2005 | 96 | Connection Reset | THISRFC | 2006 | 97 | Destination Unreachable | THISRFC | 2007 +-------+-----------------------------------+-----------+ 2009 Figure 29: Initial Convert Error Codes 2011 11. References 2013 11.1. Normative References 2015 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 2016 RFC 793, DOI 10.17487/RFC0793, September 1981, 2017 . 2019 [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP 2020 Selective Acknowledgment Options", RFC 2018, 2021 DOI 10.17487/RFC2018, October 1996, 2022 . 2024 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2025 Requirement Levels", BCP 14, RFC 2119, 2026 DOI 10.17487/RFC2119, March 1997, 2027 . 2029 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 2030 Defeating Denial of Service Attacks which employ IP Source 2031 Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, 2032 May 2000, . 2034 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 2035 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2036 2006, . 2038 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 2039 Translation (NAT) Behavioral Requirements for Unicast 2040 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2041 2007, . 2043 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 2044 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 2045 . 2047 [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP 2048 Authentication Option", RFC 5925, DOI 10.17487/RFC5925, 2049 June 2010, . 2051 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 2052 "TCP Extensions for Multipath Operation with Multiple 2053 Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013, 2054 . 2056 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 2057 A., and H. Ashida, "Common Requirements for Carrier-Grade 2058 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 2059 April 2013, . 2061 [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, 2062 "Special-Purpose IP Address Registries", BCP 153, 2063 RFC 6890, DOI 10.17487/RFC6890, April 2013, 2064 . 2066 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 2067 Scheffenegger, Ed., "TCP Extensions for High Performance", 2068 RFC 7323, DOI 10.17487/RFC7323, September 2014, 2069 . 2071 [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP 2072 Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, 2073 . 2075 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 2076 Writing an IANA Considerations Section in RFCs", BCP 26, 2077 RFC 8126, DOI 10.17487/RFC8126, June 2017, 2078 . 2080 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2081 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2082 May 2017, . 2084 11.2. Informative References 2086 [ANRW17] Trammell, B., Kuehlewind, M., De Vaere, P., Learmonth, I., 2087 and G. Fairhurst, "Tracking transport-layer evolution with 2088 PATHspider", Applied Networking Research Workshop 2017 2089 (ANRW17) , July 2017. 2091 [Fukuda2011] 2092 Fukuda, K., "An Analysis of Longitudinal TCP Passive 2093 Measurements (Short Paper)", Traffic Monitoring and 2094 Analysis. TMA 2011. Lecture Notes in Computer Science, vol 2095 6613. , 2011. 2097 [HotMiddlebox13b] 2098 Detal, G., Paasch, C., and O. Bonaventure, "Multipath in 2099 the Middle(Box)", HotMiddlebox'13 , December 2013, 2100 . 2103 [I-D.arkko-arch-low-latency] 2104 Arkko, J. and J. Tantsura, "Low Latency Applications and 2105 the Internet Architecture", draft-arkko-arch-low- 2106 latency-02 (work in progress), October 2017. 2108 [I-D.boucadair-mptcp-plain-mode] 2109 Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel, 2110 D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R., 2111 Vinapamula, S., Seo, S., Cloetens, W., Meyer, U., 2112 Contreras, L., and B. Peirens, "Extensions for Network- 2113 Assisted MPTCP Deployment Models", draft-boucadair-mptcp- 2114 plain-mode-10 (work in progress), March 2017. 2116 [I-D.boucadair-radext-tcpm-converter] 2117 Boucadair, M. and C. Jacquenet, "RADIUS Extensions for 2118 0-RTT TCP Converters", draft-boucadair-radext-tcpm- 2119 converter-02 (work in progress), April 2019. 2121 [I-D.boucadair-tcpm-dhc-converter] 2122 Boucadair, M., Jacquenet, C., and T. Reddy.K, "DHCP 2123 Options for 0-RTT TCP Converters", draft-boucadair-tcpm- 2124 dhc-converter-03 (work in progress), October 2019. 2126 [I-D.olteanu-intarea-socks-6] 2127 Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6", 2128 draft-olteanu-intarea-socks-6-08 (work in progress), 2129 November 2019. 2131 [I-D.peirens-mptcp-transparent] 2132 Peirens, B., Detal, G., Barre, S., and O. Bonaventure, 2133 "Link bonding with transparent Multipath TCP", draft- 2134 peirens-mptcp-transparent-00 (work in progress), July 2135 2016. 2137 [IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment", 2138 IETF Journal, Fall 2016 , n.d.. 2140 [IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A., 2141 Handley, M., and T. Hideyuki, "Is it still possible to 2142 extend TCP?", Proceedings of the 2011 ACM SIGCOMM 2143 conference on Internet measurement conference , 2011. 2145 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 2146 RFC 1812, DOI 10.17487/RFC1812, June 1995, 2147 . 2149 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 2150 RFC 1919, DOI 10.17487/RFC1919, March 1996, 2151 . 2153 [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and 2154 L. Jones, "SOCKS Protocol Version 5", RFC 1928, 2155 DOI 10.17487/RFC1928, March 1996, 2156 . 2158 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 2159 specifying the location of services (DNS SRV)", RFC 2782, 2160 DOI 10.17487/RFC2782, February 2000, 2161 . 2163 [RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z. 2164 Shelby, "Performance Enhancing Proxies Intended to 2165 Mitigate Link-Related Degradations", RFC 3135, 2166 DOI 10.17487/RFC3135, June 2001, 2167 . 2169 [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key 2170 Ciphersuites for Transport Layer Security (TLS)", 2171 RFC 4279, DOI 10.17487/RFC4279, December 2005, 2172 . 2174 [RFC5461] Gont, F., "TCP's Reaction to Soft Errors", RFC 5461, 2175 DOI 10.17487/RFC5461, February 2009, 2176 . 2178 [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and 2179 P. Roberts, "Issues with IP Address Sharing", RFC 6269, 2180 DOI 10.17487/RFC6269, June 2011, 2181 . 2183 [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix 2184 Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, 2185 . 2187 [RFC6731] Savolainen, T., Kato, J., and T. Lemon, "Improved 2188 Recursive DNS Server Selection for Multi-Interfaced 2189 Nodes", RFC 6731, DOI 10.17487/RFC6731, December 2012, 2190 . 2192 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 2193 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 2194 DOI 10.17487/RFC6887, April 2013, 2195 . 2197 [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, 2198 "Increasing TCP's Initial Window", RFC 6928, 2199 DOI 10.17487/RFC6928, April 2013, 2200 . 2202 [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT 2203 Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013, 2204 . 2206 [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., 2207 Weiler, S., and T. Kivinen, "Using Raw Public Keys in 2208 Transport Layer Security (TLS) and Datagram Transport 2209 Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, 2210 June 2014, . 2212 [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. 2213 Zimmermann, "A Roadmap for Transmission Control Protocol 2214 (TCP) Specification Documents", RFC 7414, 2215 DOI 10.17487/RFC7414, February 2015, 2216 . 2218 [RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and 2219 Operational Experience with Multipath TCP", RFC 8041, 2220 DOI 10.17487/RFC8041, January 2017, 2221 . 2223 [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: 2224 Better Connectivity Using Concurrency", RFC 8305, 2225 DOI 10.17487/RFC8305, December 2017, 2226 . 2228 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 2229 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 2230 . 2232 [RFC8548] Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack, 2233 Q., and E. Smith, "Cryptographic Protection of TCP Streams 2234 (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019, 2235 . 2237 [TS23501] 3GPP (3rd Generation Partnership Project), ., "Technical 2238 Specification Group Services and System Aspects; System 2239 Architecture for the 5G System; Stage 2 (Release 16)", 2240 2019, . 2243 Appendix A. Example Socket API Changes to Support the 0-RTT Convert 2244 Protocol 2246 A.1. Active Open (Client Side) 2248 On the client side, the support of the 0-RTT Converter protocol does 2249 not require any other changes than those identified in Appendix A of 2250 [RFC7413]. Those modifications are already supported by multiple TCP 2251 stacks. 2253 As an example, on Linux, a client can send the 0-RTT Convert message 2254 inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in 2255 the example below: 2257 s = socket(AF_INET, SOCK_STREAM, 0); 2259 sendto(s, buffer, buffer_len, MSG_FASTOPEN, 2260 (struct sockaddr *) &server_addr, addr_len); 2262 The client side of the Linux TCP TFO can be used in two different 2263 modes depending on the host configuration (sysctl tcp_fastopen 2264 variable): 2266 o 0x1: (client) enables sending data in the opening SYN on the 2267 client. 2269 o 0x4: (client) send data in the opening SYN regardless of cookie 2270 availability and without a cookie option. 2272 By setting this configuration variable to 0x5, a Linux client using 2273 the above code would send data inside the SYN without using a TFO 2274 option. 2276 A.2. Passive Open (Converter Side) 2278 The Converter needs to enable the reception of data inside the SYN 2279 independently of the utilization of the TFO option. This implies 2280 that the Transport Converter application cannot rely on the TFO 2281 cookies to validate the reachability of the IP address that sent the 2282 SYN. It must rely on other techniques, such as the Cookie TLV 2283 described in this document, to verify this reachability. 2285 [RFC7413] suggested the utilization of a TCP_FASTOPEN socket option 2286 the enable the reception of SYNs containing data. Later, Appendix A 2287 of [RFC7413], mentioned: 2289 Traditionally, accept() returns only after a socket is connected. 2290 But, for a Fast Open connection, accept() returns upon receiving 2291 SYN with a valid Fast Open cookie and data, and the data is available 2292 to be read through, e.g., recvmsg(), read(). 2294 To support the 0-RTT Convert Protocol, this behavior should be 2295 modified as follows: 2297 Traditionally, accept() returns only after a socket is connected. 2298 But, for a Fast Open connection, accept() returns upon receiving a 2299 SYN with data, and the data is available to be read through, e.g., 2300 recvmsg(), read(). The application that receives such SYNs with data 2301 must be able to validate the reachability of the source of the SYN 2302 and also deal with replayed SYNs. 2304 The Linux server side can be configured with the following sysctls: 2306 o 0x2: (server) enables the server support, i.e., allowing data in a 2307 SYN packet to be accepted and passed to the application before 2308 3-way handshake finishes. 2310 o 0x200: (server) accept data-in-SYN w/o any cookie option present. 2312 However, this configuration is system-wide. This is convenient for 2313 typical Transport Converter deployments where no other applications 2314 relying on TFO are collocated on the same device. 2316 Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to 2317 provide the same behavior on a per socket basis. This enables a 2318 single host to support both servers that require the TFO cookie and 2319 servers that do not use it. 2321 Acknowledgments 2323 Although they could disagree with the contents of the document, we 2324 would like to thank Joe Touch and Juliusz Chroboczek whose comments 2325 on the MPTCP mailing list have forced us to reconsider the design of 2326 the solution several times. 2328 We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha 2329 Nandugudi and Gregory Vander Schueren for their help in preparing 2330 this document. Nandini Ganesh provided valuable feedback about the 2331 handling of TFO and the error codes. Yuchung Cheng and Praveen 2332 Balasubramanian helped to clarify the discussion on supplying data in 2333 SYNs. Phil Eardley and Michael Scharf's helped to clarify different 2334 parts of the text. Thanks to Eric Vyncke, Roman Danyliw, Benjamin 2335 Kaduk, and Alexey Melnikov for the IESG review, and Christian Huitema 2336 for the security directorate review. 2338 Many thanks to Mirja Kuehlewind for the detailed AD review. 2340 This document builds upon earlier documents that proposed various 2341 forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], 2342 [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. 2344 From [I-D.boucadair-mptcp-plain-mode]: 2346 Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi 2347 Nishida, and Christoph Paasch for their valuable comments. 2349 Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and 2350 Sri Gundavelli for the fruitful discussions in IETF#95 (Buenos 2351 Aires). 2353 Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and 2354 Xavier Grall for their inputs. 2356 Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas 2357 Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves 2358 Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun 2359 Srinivasan, and Raghavendra Mallya for the discussion. 2361 Contributors 2363 Bart Peirens contributed to an early version of the document. 2365 As noted above, this document builds on two previous documents. 2367 The authors of [I-D.boucadair-mptcp-plain-mode] were: 2369 o Mohamed Boucadair 2371 o Christian Jacquenet 2373 o Olivier Bonaventure 2375 o Denis Behaghel 2377 o Stefano Secci 2379 o Wim Henderickx 2381 o Robert Skog 2383 o Suresh Vinapamula 2385 o SungHoon Seo 2387 o Wouter Cloetens 2389 o Ullrich Meyer 2391 o Luis M. Contreras 2393 o Bart Peirens 2395 The authors of [I-D.peirens-mptcp-transparent] were: 2397 o Bart Peirens 2399 o Gregory Detal 2400 o Sebastien Barre 2402 o Olivier Bonaventure 2404 Authors' Addresses 2406 Olivier Bonaventure (editor) 2407 Tessares 2409 Email: Olivier.Bonaventure@tessares.net 2411 Mohamed Boucadair (editor) 2412 Orange 2413 Clos Courtel 2414 Rennes 35000 2415 France 2417 Email: mohamed.boucadair@orange.com 2419 Sri Gundavelli 2420 Cisco 2422 Email: sgundave@cisco.com 2424 SungHoon Seo 2425 Korea Telecom 2427 Email: sh.seo@kt.com 2429 Benjamin Hesmans 2430 Tessares 2432 Email: Benjamin.Hesmans@tessares.net