From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3135.txt | 2523 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2523 insertions(+) create mode 100644 doc/rfc/rfc3135.txt (limited to 'doc/rfc/rfc3135.txt') diff --git a/doc/rfc/rfc3135.txt b/doc/rfc/rfc3135.txt new file mode 100644 index 0000000..1138e09 --- /dev/null +++ b/doc/rfc/rfc3135.txt @@ -0,0 +1,2523 @@ + + + + + + +Network Working Group J. Border +Request for Comments: 3135 Hughes Network Systems +Category: Informational M. Kojo + University of Helsinki + J. Griner + NASA Glenn Research Center + G. Montenegro + Sun Microsystems, Inc. + Z. Shelby + University of Oulu + June 2001 + + + Performance Enhancing Proxies Intended to Mitigate Link-Related + Degradations + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2001). All Rights Reserved. + +Abstract + + This document is a survey of Performance Enhancing Proxies (PEPs) + often employed to improve degraded TCP performance caused by + characteristics of specific link environments, for example, in + satellite, wireless WAN, and wireless LAN environments. Different + types of Performance Enhancing Proxies are described as well as the + mechanisms used to improve performance. Emphasis is put on proxies + operating with TCP. In addition, motivations for their development + and use are described along with some of the consequences of using + them, especially in the context of the Internet. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Types of Performance Enhancing Proxies . . . . . . . . . . . . 4 + 2.1 Layering . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2.1.1 Transport Layer PEPs . . . . . . . . . . . . . . . . . . . . 5 + 2.1.2 Application Layer PEPs . . . . . . . . . . . . . . . . . . . 5 + 2.2 Distribution . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 2.3 Implementation Symmetry . . . . . . . . . . . . . . . . . . . 6 + 2.4 Split Connections . . . . . . . . . . . . . . . . . . . . . . 7 + + + +Border, et al. Informational [Page 1] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + 2.5 Transparency . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 3. PEP Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . 9 + 3.1 TCP ACK Handling . . . . . . . . . . . . . . . . . . . . . . . 9 + 3.1.1 TCP ACK Spacing . . . . . . . . . . . . . . . . . . . . . . 9 + 3.1.2 Local TCP Acknowledgements . . . . . . . . . . . . . . . . . 9 + 3.1.3 Local TCP Retransmissions . . . . . . . . . . . . . . . . . 9 + 3.1.4 TCP ACK Filtering and Reconstruction . . . . . . . . . . . . 10 + 3.2 Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 3.3 Compression . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 3.4 Handling Periods of Link Disconnection with TCP . . . . . . . 11 + 3.5 Priority-based Multiplexing . . . . . . . . . . . . . . . . . 12 + 3.6 Protocol Booster Mechanisms . . . . . . . . . . . . . . . . . 13 + 4. Implications of Using PEPs . . . . . . . . . . . . . . . . . . 14 + 4.1 The End-to-end Argument . . . . . . . . . . . . . . . . . . . 14 + 4.1.1 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 4.1.1.1 Security Implications . . . . . . . . . . . . . . . . . . 15 + 4.1.1.2 Security Implication Mitigations . . . . . . . . . . . . . 16 + 4.1.1.3 Security Research Related to PEPs . . . . . . . . . . . . 16 + 4.1.2 Fate Sharing . . . . . . . . . . . . . . . . . . . . . . . . 16 + 4.1.3 End-to-end Reliability . . . . . . . . . . . . . . . . . . . 17 + 4.1.4 End-to-end Failure Diagnostics . . . . . . . . . . . . . . . 19 + 4.2 Asymmetric Routing . . . . . . . . . . . . . . . . . . . . . . 19 + 4.3 Mobile Hosts . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 4.4 Scalability . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 4.5 Other Implications of Using PEPs . . . . . . . . . . . . . . . 21 + 5. PEP Environment Examples . . . . . . . . . . . . . . . . . . . 21 + 5.1 VSAT Environments . . . . . . . . . . . . . . . . . . . . . . 21 + 5.1.1 VSAT Network Characteristics . . . . . . . . . . . . . . . . 22 + 5.1.2 VSAT Network PEP Implementations . . . . . . . . . . . . . . 23 + 5.1.3 VSAT Network PEP Motivation . . . . . . . . . . . . . . . . 24 + 5.2 W-WAN Environments . . . . . . . . . . . . . . . . . . . . . . 25 + 5.2.1 W-WAN Network Characteristics . . . . . . . . . . . . . . . 25 + 5.2.2 W-WAN PEP Implementations . . . . . . . . . . . . . . . . . 26 + 5.2.2.1 Mowgli System . . . . . . . . . . . . . . . . . . . . . . 26 + 5.2.2.2 Wireless Application Protocol (WAP) . . . . . . . . . . . 28 + 5.2.3 W-WAN PEP Motivation . . . . . . . . . . . . . . . . . . . . 29 + 5.3 W-LAN Environments . . . . . . . . . . . . . . . . . . . . . . 30 + 5.3.1 W-LAN Network Characteristics . . . . . . . . . . . . . . . 30 + 5.3.2 W-LAN PEP Implementations: Snoop . . . . . . . . . . . . . . 31 + 5.3.3 W-LAN PEP Motivation . . . . . . . . . . . . . . . . . . . . 33 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 34 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 34 + 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 34 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 35 + 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 39 + Appendix A - PEP Terminology Summary . . . . . . . . . . . . . . . 41 + Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 45 + + + + +Border, et al. Informational [Page 2] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +1. Introduction + + The Transmission Control Protocol [RFC0793] (TCP) is used as the + transport layer protocol by many Internet and intranet applications. + However, in certain environments, TCP and other higher layer protocol + performance is limited by the link characteristics of the + environment. + + This document is a survey of Performance Enhancing Proxy (PEP) + performance migitigation techniques. A PEP is used to improve the + performance of the Internet protocols on network paths where native + performance suffers due to characteristics of a link or subnetwork on + the path. This document is informational and does not make + recommendations about using PEPs or not using them. Distinct + standards track recommendations for the performance mitigation of TCP + over links with high error rates, links with low bandwidth, and so + on, have been developed or are in development by the Performance + Implications of Link Characteristics WG (PILC) [PILCWEB]. + + Link design choices may have a significant influence on the + performance and efficiency of the Internet. However, not all link + characteristics, for example, high latency, can be compensated for by + choices in the link layer design. And, the cost of compensating for + some link characteristics may be prohibitive for some technologies. + The techniques surveyed here are applied to existing link + technologies. When new link technologies are designed, they should + be designed so that these techniques are not required, if at all + possible. + + This document does not advocate the use of PEPs in any general case. + On the contrary, we believe that the end-to-end principle in + designing Internet protocols should be retained as the prevailing + approach and PEPs should be used only in specific environments and + circumstances where end-to-end mechanisms providing similar + performance enhancements are not available. In any environment where + one might consider employing a PEP for improved performance, an end + user (or, in some cases, the responsible network administrator) + should be aware of the PEP and the choice of employing PEP + functionality should be under the control of the end user, especially + if employing the PEP would interfere with end-to-end usage of IP + layer security mechanisms or otherwise have undesirable implications + in some circumstances. This would allow the user to choose end-to- + end IP at all times but, of course, without the performance + enhancements that employing the PEP may yield. + + This survey does not make recommendations, for or against, with + respect to using PEPs. Standards track recommendations have been or + are being developed within the IETF for individual link + + + +Border, et al. Informational [Page 3] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + characteristics, e.g., links with high error rates, links with low + bandwidth, links with asymmetric bandwidth, etc., by the Performance + Implications of Link Characteristics WG (PILC) [PILCWEB]. + + The remainder of this document is organized as follows. Section 2 + provides an overview of different kinds of PEP implementations. + + Section 3 discusses some of the mechanisms which PEPs may employ in + order to improve performance. Section 4 discusses some of the + implications with respect to using PEPs, especially in the context of + the global Internet. Finally, Section 5 discusses some example + environments where PEPs are used: satellite very small aperture + terminal (VSAT) environments, mobile wireless WAN (W-WAN) + environments and wireless LAN (W-LAN) environments. A summary of PEP + terminology is included in an appendix (Appendix A). + +2. Types of Performance Enhancing Proxies + + There are many types of Performance Enhancing Proxies. Different + types of PEPs are used in different environments to overcome + different link characteristics which affect protocol performance. + Note that enhancing performance is not necessarily limited in scope + to throughput. Other performance related aspects, like usability of + a link, may also be addressed. For example, [M-TCP] addresses the + issue of keeping TCP connections alive during periods of + disconnection in wireless networks. + + The following sections describe some of the key characteristics which + differentiate different types of PEPs. + +2.1 Layering + + In principle, a PEP implementation may function at any protocol layer + but typically it functions at one or two layers only. In this + document we focus on PEP implementations that function at the + transport layer or at the application layer as such PEPs are most + commonly used to enhance performance over links with problematic + characteristics. A PEP implementation may also operate below the + network layer, that is, at the link layer, but this document pays + only little attention to such PEPs as link layer mechanisms can be + and typically are implemented transparently to network and higher + layers, requiring no modifications to protocol operation above the + link layer. It should also be noted that some PEP implementations + operate across several protocol layers by exploiting the protocol + information and possibly modifying the protocol operation at more + than one layer. For such a PEP it may be difficult to define at + which layer(s) it exactly operates on. + + + + +Border, et al. Informational [Page 4] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +2.1.1 Transport Layer PEPs + + Transport layer PEPs operate at the transport level. They may be + aware of the type of application being carried by the transport layer + but, at most, only use this information to influence their behavior + with respect to the transport protocol; they do not modify the + application protocol in any way, but let the application protocol + operate end-to-end. Most transport layer PEP implementations + interact with TCP. Such an implementation is called a TCP + Performance Enhancing Proxy (TCP PEP). For example, in an + environment where ACKs may bunch together causing undesirable data + segment bursts, a TCP PEP may be used to simply modify the ACK + spacing in order to improve performance. On the other hand, in an + environment with a large bandwidth*delay product, a TCP PEP may be + used to alter the behavior of the TCP connection by generating local + acknowledgments to TCP data segments in order to improve the + connection's throughput. + + The term TCP spoofing is sometimes used synonymously for TCP PEP + functionality. However, the term TCP spoofing more accurately + describes the characteristic of intercepting a TCP connection in the + middle and terminating the connection as if the interceptor is the + intended destination. While this is a characteristic of many TCP PEP + implementations, it is not a characteristic of all TCP PEP + implementations. + +2.1.2 Application Layer PEPs + + Application layer PEPs operate above the transport layer. Today, + different kinds of application layer proxies are widely used in the + Internet. Such proxies include Web caches and relay Mail Transfer + Agents (MTA) and they typically try to improve performance or service + availability and reliability in general and in a way which is + applicable in any environment but they do not necessarily include any + optimizations that are specific to certain link characteristics. + + Application layer PEPs, on the other hand, can be implemented to + improve application protocol as well as transport layer performance + with respect to a particular application being used with a particular + type of link. An application layer PEP may have the same + functionality as the corresponding regular proxy for the same + application (e.g., relay MTA or Web caching proxy) but extended with + link-specific optimizations of the application protocol operation. + + Some application protocols employ extraneous round trips, overly + verbose headers and/or inefficient header encoding which may have a + significant impact on performance, in particular, with long delay and + slow links. This unnecessary overhead can be reduced, in general or + + + +Border, et al. Informational [Page 5] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + for a particular type of link, by using an application layer PEP in + an intermediate node. Some examples of application layer PEPs which + have been shown to improve performance on slow wireless WAN links are + described in [LHKR96] and [CTC+97]. + +2.2 Distribution + + A PEP implementation may be integrated, i.e., it comprises a single + PEP component implemented within a single node, or distributed, i.e., + it comprises two or more PEP components, typically implemented in + multiple nodes. An integrated PEP implementation represents a single + point at which performance enhancement is applied. For example, a + single PEP component might be implemented to provide impedance + matching at the point where wired and wireless links meet. + + A distributed PEP implementation is generally used to surround a + particular link for which performance enhancement is desired. For + example, a PEP implementation for a satellite connection may be + distributed between two PEPs located at each end of the satellite + link. + +2.3 Implementation Symmetry + + A PEP implementation may be symmetric or asymmetric. Symmetric PEPs + use identical behavior in both directions, i.e., the actions taken by + the PEP occur independent from which interface a packet is received. + Asymmetric PEPs operate differently in each direction. The direction + can be defined in terms of the link (e.g., from a central site to a + remote site) or in terms of protocol traffic (e.g., the direction of + TCP data flow, often called the TCP data channel, or the direction of + TCP ACK flow, often called the TCP ACK channel). An asymmetric PEP + implementation is generally used at a point where the characteristics + of the links on each side of the PEP differ or with asymmetric + protocol traffic. For example, an asymmetric PEP might be placed at + the intersection of wired and wireless networks or an asymmetric + application layer PEP might be used for the request-reply type of + HTTP traffic. A PEP implementation may also be both symmetric and + asymmetric at the same time with regard to different mechanisms it + employs. (PEP mechanisms are described in Section 3.) + + Whether a PEP implementation is symmetric or asymmetric is + independent of whether the PEP implementation is integrated or + distributed. In other words, a distributed PEP implementation might + operate symmetrically at each end of a link (i.e., the two PEPs + function identically). On the other hand, a distributed PEP + implementation might operate asymmetrically, with a different PEP + implementation at each end of the link. Again, this usually is used + with asymmetric links. For example, for a link with an asymmetric + + + +Border, et al. Informational [Page 6] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + amount of bandwidth available in each direction, the PEP on the end + of the link forwarding traffic in the direction with a large amount + of bandwidth might focus on locally acknowledging TCP traffic in + order to use the available bandwidth. At the same time, the PEP on + the end of the link forwarding traffic in the direction with very + little bandwidth might focus on reducing the amount of TCP + acknowledgement traffic being forwarded across the link (to keep the + link from congesting). + +2.4 Split Connections + + A split connection TCP implementation terminates the TCP connection + received from an end system and establishes a corresponding TCP + connection to the other end system. In a distributed PEP + implementation, this is typically done to allow the use of a third + connection between two PEPs optimized for the link. This might be a + TCP connection optimized for the link or it might be another + protocol, for example, a proprietary protocol running on top of UDP. + Also, the distributed implementation might use a separate connection + between the proxies for each TCP connection or it might multiplex the + data from multiple TCP connections across a single connection between + the PEPs. + + In an integrated PEP split connection TCP implementation, the PEP + again terminates the connection from one end system and originates a + separate connection to the other end system. [I-TCP] documents an + example of a single PEP split connection implementation. + + Many integrated PEPs use a split connection implementation in order + to address a mismatch in TCP capabilities between two end systems. + For example, the TCP window scaling option [RFC1323] can be used to + extend the maximum amount of TCP data which can be "in flight" (i.e., + sent and awaiting acknowledgement). This is useful for filling a + link which has a high bandwidth*delay product. If one end system is + capable of using scaled TCP windows but the other is not, the end + system which is not capable can set up its connection with a PEP on + its side of the high bandwidth*delay link. The split connection PEP + then sets up a TCP connection with window scaling over the link to + the other end system. + + Split connection TCP implementations can effectively leverage TCP + performance enhancements optimal for a particular link but which + cannot necessarily be employed safely over the global Internet. + + Note that using split connection PEPs does not necessarily exclude + simultaneous use of IP for end-to-end connectivity. If a split + connection is managed per application or per connection and is under + the control of the end user, the user can decide whether a particular + + + +Border, et al. Informational [Page 7] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + TCP connection or application makes use of the split connection PEP + or whether it operates end-to-end. When a PEP is employed on a last + hop link, the end user control is relatively easy to implement. + + In effect, application layer proxies for TCP-based applications are + split connection TCP implementations with end systems using PEPs as a + service related to a particular application. Therefore, all + transport (TCP) layer enhancements that are available with split + connection TCP implementations can also be employed with application + layer PEPs in conjunction with application layer enhancements. + +2.5 Transparency + + Another key characteristic of a PEP is its degree of transparency. + PEPs may operate totally transparently to the end systems, transport + endpoints, and/or applications involved (in a connection), requiring + no modifications to the end systems, transport endpoints, or + applications. + + On the other hand, a PEP implementation may require modifications to + both ends in order to be used. In between, a PEP implementation may + require modifications to only one of the ends involved. Either of + these kind of PEP implementations is non-transparent, at least to the + layer requiring modification. + + It is sometimes useful to think of the degree of transparency of a + PEP implementation at four levels, transparency with respect to the + end systems (network-layer transparent PEP), transparency with + respect to the transport endpoints (transport-layer transparent PEP), + transparency with respect to the applications (application-layer + transparent PEP) and transparency with respect to the users. For + example, a user who subscribes to a satellite Internet access service + may be aware that the satellite terminal is providing a performance + enhancing service even though the TCP/IP stack and the applications + in the user's PC are not aware of the PEP which implements it. + + Note that the issue of transparency is not the same as the issue of + maintaining end-to-end semantics. For example, a PEP implementation + which simply uses a TCP ACK spacing mechanism maintains the end-to- + end semantics of the TCP connection while a split connection TCP PEP + implementation may not. Yet, both can be implemented transparently + to the transport endpoints at both ends. The implications of not + maintaining the end-to-end semantics, in particular the end-to-end + semantics of TCP connections, are discussed in Section 4. + + + + + + + +Border, et al. Informational [Page 8] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +3. PEP Mechanisms + + An obvious key characteristic of a PEP implementation is the + mechanism(s) it uses to improve performance. Some examples of PEP + mechanisms are described in the following subsections. A PEP + implementation might implement more than one of these mechanisms. + +3.1 TCP ACK Handling + + Many TCP PEP implementations are based on TCP ACK manipulation. The + handling of TCP acknowledgments can differ significantly between + different TCP PEP implementations. The following subsections + describe various TCP ACK handling mechanisms. Many implementations + combine some of these mechanisms and possibly employ some additional + mechanisms as well. + +3.1.1 TCP ACK Spacing + + In environments where ACKs tend to bunch together, ACK spacing is + used to smooth out the flow of TCP acknowledgments traversing a link. + This improves performance by eliminating bursts of TCP data segments + that the TCP sender would send due to back-to-back arriving TCP + acknowledgments [BPK97]. + +3.1.2 Local TCP Acknowledgements + + In some PEP implementations, TCP data segments received by the PEP + are locally acknowledged by the PEP. This is very useful over + network paths with a large bandwidth*delay product as it speeds up + TCP slow start and allows the sending TCP to quickly open up its + congestion window. Local (negative) acknowledgments are often also + employed to trigger local (and faster) error recovery on links with + significant error rates. (See Section 3.1.3.) + + Local acknowledgments are automatically employed with split + connection TCP implementations. When local acknowledgments are used, + the burden falls upon the TCP PEP to recover any data which is + dropped after the PEP acknowledges it. + +3.1.3 Local TCP Retransmissions + + A TCP PEP may locally retransmit data segments lost on the path + between the TCP PEP and the receiving end system, thus aiming at + faster recovery from lost data. In order to achieve this the TCP PEP + may use acknowledgments arriving from the end system that receives + the TCP data segments, along with appropriate timeouts, to determine + + + + + +Border, et al. Informational [Page 9] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + when to locally retransmit lost data. TCP PEPs sending local + acknowledgments to the sending end system are required to employ + local retransmissions towards the receiving end system. + + Some PEP implementations perform local retransmissions even though + they do not use local acknowledgments to alter TCP connection + performance. Basic Snoop [SNOOP] is a well know example of such a + PEP implementation. Snoop caches TCP data segments it receives and + forwards and then monitors the end-to-end acknowledgments coming from + the receiving TCP end system for duplicate acknowledgments (DUPACKs). + When DUPACKs are received, Snoop locally retransmits the lost TCP + data segments from its cache, suppressing the DUPACKs flowing to the + sending TCP end system until acknowledgments for new data are + received. The Snoop system also implements an option to employ local + negative acknowledgments to trigger local TCP retransmissions. This + can be achieved, for example, by applying TCP selective + acknowledgments locally on the error-prone link. (See Section 5.3 + for details.) + +3.1.4 TCP ACK Filtering and Reconstruction + + On paths with highly asymmetric bandwidth the TCP ACKs flowing in the + low-speed direction may get congested if the asymmetry ratio is high + enough. The ACK filtering and reconstruction mechanism addresses + this by filtering the ACKs on one side of the link and reconstructing + the deleted ACKs on the other side of the link. The mechanism and + the issue of dealing with TCP ACK congestion with highly asymmetric + links are discussed in detail in [RFC2760] and in [BPK97]. + +3.2 Tunneling + + A Performance Enhancing Proxy may encapsulate messages to carry the + messages across a particular link or to force messages to traverse a + particular path. A PEP at the other end of the encapsulation tunnel + removes the tunnel wrappers before final delivery to the receiving + end system. A tunnel might be used by a distributed split connection + TCP implementation as the means for carrying the connection between + the distributed PEPs. A tunnel might also be used to support forcing + TCP connections which use asymmetric routing to go through the end + points of a distributed PEP implementation. + +3.3 Compression + + Many PEP implementations include support for one or more forms of + compression. In some PEP implementations, compression may even be + the only mechanism used for performance improvement. Compression + reduces the number of bytes which need to be sent across a link. + This is useful in general and can be very important for bandwidth + + + +Border, et al. Informational [Page 10] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + limited links. Benefits of using compression include improved link + efficiency and higher effective link utilization, reduced latency and + improved interactive response time, decreased overhead and reduced + packet loss rate over lossy links. + + Where appropriate, link layer compression is used. TCP and IP header + compression are also frequently used with PEP implementations. + [RFC1144] describes a widely deployed method for compressing TCP + headers. Other header compression algorithms are described in + [RFC2507], [RFC2508] and [RFC2509]. + + Payload compression is also desirable and is increasing in importance + with today's increased emphasis on Internet security. Network (IP) + layer (and above) security mechanisms convert IP payloads into random + bit streams which defeat applicable link layer compression mechanisms + by removing or hiding redundant "information." Therefore, + compression of the payload needs to be applied before security + mechanisms are applied. [RFC2393] defines a framework where common + compression algorithms can be applied to arbitrary IP segment + payloads. However, [RFC2393] compression is not always applicable. + Many types of IP payloads (e.g., images, audio, video and "zipped" + files being transferred) are already compressed. And, when security + mechanisms such as TLS [RFC2246] are applied above the network (IP) + layer, the data is already encrypted (and possibly also compressed), + again removing or hiding any redundancy in the payload. The + resulting additional transport or network layer compression will + compact only headers, which are small, and possibly already covered + by separate compression algorithms of their own. + + With application layer PEPs one can employ application-specific + compression. Typically an application-specific (or content-specific) + compression mechanism is much more efficient than any generic + compression mechanism. For example, a distributed Web PEP + implementation may implement more efficient binary encoding of HTTP + headers, or a PEP can employ lossy compression that reduces the image + quality of online-images on Web pages according to end user + instructions, thus reducing the number of bytes transferred over a + slow link and consequently the response time perceived by the user + [LHKR96]. + +3.4 Handling Periods of Link Disconnection with TCP + + Periods of link disconnection or link outages are very common with + some wireless links. During these periods, a TCP sender does not + receive the expected acknowledgments. Upon expiration of the + retransmit timer, this causes TCP to close its congestion window with + all of the related drawbacks. A TCP PEP may monitor the traffic + coming from the TCP sender towards the TCP receiver behind the + + + +Border, et al. Informational [Page 11] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + disconnected link. The TCP PEP retains the last ACK, so that it can + shut down the TCP sender's window by sending the last ACK with a + window set to zero. Thus, the TCP sender will go into persist mode. + + To make this work in both directions with an integrated TCP PEP + implementation, the TCP receiver behind the disconnected link must be + aware of the current state of the connection and, in the event of a + disconnection, it must be capable of freezing all timers. [M-TCP] + implements such operation. Another possibility is that the + disconnected link is surrounded by a distributed PEP pair. + + In split connection TCP implementations, a period of link + disconnection can easily be hidden from the end host on the other + side of the PEP thus precluding the TCP connection from breaking even + if the period of link disconnection lasts a very long time; if the + TCP PEP cannot forward data due to link disconnection, it stops + receiving data. Normal TCP flow control then prevents the TCP sender + from sending more than the TCP advertised window allowed by the PEP. + Consequently, the PEP and its counterpart behind the disconnected + link can employ a modified TCP version which retains the state and + all unacknowledged data segments across the period of disconnection + and then performs local recovery as the link is reconnected. The + period of link disconnection may or may not be hidden from the + application and user, depending upon what application the user is + using the TCP connection for. + +3.5 Priority-based Multiplexing + + Implementing priority-based multiplexing of data over a slow and + expensive link may significantly improve the performance and + usability of the link for selected applications or connections. + + A user behind a slow link would experience the link more feasible to + use in case of simultaneous data transfers, if urgent data transfers + (e.g., interactive connections) could have shorter response time + (better performance) than less urgent background transfers. If the + interactive connections transmit enough data to keep the slow link + fully utilized, it might be necessary to fully suspend the background + transfers for awhile to ensure timely delivery for the interactive + connections. + + In flight TCP segments of an end-to-end TCP connection (with low + priority) cannot be delayed for a long time. Otherwise, the TCP + timer at the sending end would expire, resulting in suboptimal + performance. However, this kind of operation can be controlled in + conjunction with a split connection TCP PEP by assigning different + priorities for different connections (or applications). A split + connection PEP implementation allows the PEP in an intermediate node + + + +Border, et al. Informational [Page 12] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + to delay the data delivery of a lower-priority TCP flow for an + unlimited period of time by simply rescheduling the order in which it + forwards data of different flows to the destination host behind the + slow link. This does not have a negative impact on the delayed TCP + flow as normal TCP flow control takes care of suspending the flow + between the TCP sender and the PEP, when the PEP is not forwarding + data for the flow, and resumes it once the PEP decides to continue + forwarding data for the flow. This can further be assisted, if the + protocol stacks on both sides of the slow link implement priority + based scheduling of connections. + + With such a PEP implementation, along with user-controlled + priorities, the user can assign higher priority for selected + interactive connection(s) and have much shorter response time for the + selected connection(s), even if there are simultaneous low priority + bulk data transfers which in regular end-to-end operation would + otherwise eat the available bandwidth of the slow link almost + completely. These low priority bulk data transfers would then + proceed nicely during the idle periods of interactive connections, + allowing the user to keep the slow and expensive link (e.g., wireless + WAN) fully utilized. + + Other priority-based mechanisms may be applied on shared wireless + links with more than two terminals. With shared wireless mediums + becoming a weak link in Internet QoS architectures, many may turn to + PEPs to provide extra priority levels across a shared wireless medium + [SHEL00]. These PEPs are distributed on all nodes of the shared + wireless medium. For example, in an 802.11 WLAN this PEP is + implemented in the access point (base station) and each mobile host. + One PEP then uses distributed queuing techniques to coordinate + traffic classes of all nodes. This is also sometimes called subnet + bandwidth management. See [BBKT97] for an example of queuing + techniques which can be used to achieve this. This technique can be + implemented either above or below the IP layer. Priority treatment + can typically be specified either by the user or by marking the + (IPv4) ToS or (IPv6) Traffic Class IP header field. + +3.6 Protocol Booster Mechanisms + + Work in [FMSBMR98] shows a range of other possible PEP mechanisms + called protocol boosters. Some of these mechanisms are specific to + UDP flows. For example, a PEP may apply asymmetrical methods such as + extra UDP error detection. Since the 16 bit UDP checksum is + optional, it is typically not computed. However, for links with + errors, the checksum could be beneficial. This checksum can be added + to outgoing UDP packets by a PEP. + + + + + +Border, et al. Informational [Page 13] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + Symmetrical mechanisms have also been developed. A Forward Erasure + Correction (FZC) mechanism can be used with real-time and multicast + traffic. The encoding PEP adds a parity packet over a block of + packets. Upon reception, the parity is removed and missing data is + regenerated. A jitter control mechanism can be implemented at the + expense of extra latency. A sending PEP can add a timestamp to + outgoing packets. The receiving PEP then delays packets in order to + reproduce the correct interval. + +4. Implications of Using PEPs + + The following sections describe some of the implications of using + Performance Enhancing Proxies. + +4.1 The End-to-end Argument + + As indicated in [RFC1958], the end-to-end argument [SRC84] is one of + the architectural principles of the Internet. The basic argument is + that, as a first principle, certain required end-to-end functions can + only be correctly performed by the end systems themselves. Most of + the potential negative implications associated with using PEPs are + related to the possibility of breaking the end-to-end semantics of + connections. This is one of the main reasons why PEPs are not + recommended for general use. + + As indicated in Section 2.5, not all PEP implementations break the + end-to-end semantics of connections. Correctly designed PEPs do not + attempt to replace any application level end-to-end function, but + only attempt to add performance optimizations to a subpath of the + end-to-end path between the application endpoints. Doing this can be + consistent with the end-to-end argument. However, a user or network + administrator adding a PEP to his network configuration should be + aware of the potential end-to-end implications related to the + mechanisms being used by the particular PEP implementation. + +4.1.1 Security + + In most cases, security applied above the transport layer can be used + with PEPs, especially transport layer PEPs. However, today, only a + limited number of applications include support for the use of + transport (or higher) layer security. Network (IP) layer security + (IPsec) [RFC2401], on the other hand, can generally be used by any + application, transparently to the application. + + + + + + + + +Border, et al. Informational [Page 14] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +4.1.1.1 Security Implications + + The most detrimental negative implication of breaking the end-to-end + semantics of a connection is that it disables end-to-end use of + IPsec. In general, a user or network administrator must choose + between using PEPs and using IPsec. If IPsec is employed end-to-end, + PEPs that are implemented on intermediate nodes in the network cannot + examine the transport or application headers of IP packets because + encryption of IP packets via IPsec's ESP header (in either transport + or tunnel mode) renders the TCP header and payload unintelligible to + the PEPs. Without being able to examine the transport or application + headers, a PEP may not function optimally or at all. + + If a PEP implementation is non-transparent to the users and the users + trust the PEP in the middle, IPsec can be used separately between + each end system and PEP. However, in most cases this is an + undesirable or unacceptable alternative as the end systems cannot + trust PEPs in general. In addition, this is not as secure as end- + to-end security. (For example, the traffic is exposed in the PEP + when it is decrypted to be processed.) And, it can lead to + potentially misleading security level assumptions by the end systems. + If the two end systems negotiate different levels of security with + the PEP, the end system which negotiated the stronger level of + security may not be aware that a lower level of security is being + provided for part of the connection. The PEP could be implemented to + prevent this from happening by being smart enough to force the same + level of security to each end system but this increases the + complexity of the PEP implementation (and still is not as secure as + end-to-end security). + + With a transparent PEP implementation, it is difficult for the end + systems to trust the PEP because they may not be aware of its + existence. Even if the user is aware of the PEP, setting up + acceptable security associations with the PEP while maintaining the + PEP's transparent nature is problematic (if not impossible). + + Note that even when a PEP implementation does not break the end-to- + end semantics of a connection, the PEP implementation may not be able + to function in the presence of IPsec. For example, it is difficult + to do ACK spacing if the PEP cannot reliably determine which IP + packets contain ACKs of interest. In any case, the authors are + currently not aware of any PEP implementations, transparent or non- + transparent, which provide support for end-to-end IPsec, except in a + case where the PEPs are implemented on the end hosts. + + + + + + + +Border, et al. Informational [Page 15] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +4.1.1.2 Security Implication Mitigations + + There are some steps which can be taken to allow the use of IPsec and + PEPs to coexist. If an end user can select the use of IPsec for some + traffic and not for other traffic, PEP processing can be applied to + the traffic sent without IPsec. Of course, the user must then do + without security for this traffic or provide security for the traffic + via other means (for example, by using transport layer security). + However, even when this is possible, significant complexity may need + to be added to the configuration of the end system. + + Another alternative is to implement IPsec between the two PEPs of a + distributed PEP implementation. This at least protects the traffic + between the two PEPs. (The issue of trusting the PEPs does not + change.) In the case where the PEP implementation is not transparent + to the user, (assuming that the user trusts the PEPs,) the user can + configure his end system to use the PEPs as the end points of an + IPsec tunnel. And, an IPsec tunnel could even potentially be used + between the end system and a PEP to protect traffic on this part of + the path. But, all of this adds complexity. And, it still does not + eliminate the risk of the traffic being exposed in the PEP itself as + the traffic is received from one IPsec tunnel, processed and then + forwarded (even if forwarded through another IPsec tunnel). + +4.1.1.3 Security Research Related to PEPs + + There is research underway investigating the possibility of changing + the implementation of IPsec to be more friendly to the use of PEPs. + One approach being actively looked at is the use of multi-layer IP + security. [Zhang00] describes a method which allows TCP headers to + be encrypted as one layer (with the PEPs in the path of the TCP + connections included in the security associations used to encrypt the + TCP headers) while the TCP payload is encrypted end-to-end as a + separate layer. This still involves trusting the PEP, but to a much + lesser extent. However, a drawback to this approach is that it adds + a significant amount of complexity to the IP security implementation. + Given the existing complexity of IPsec, this drawback is a serious + impediment to the standardization of the multi-layer IP security idea + and it is very unlikely that this approach will be adopted as a + standard any time soon. Therefore, relying on this type of approach + will likely involve the use of non-standard protocols (and the + associated risk of doing so). + +4.1.2 Fate Sharing + + Another important aspect of the end-to-end argument is fate sharing. + If a failure occurs in the network, the ability of the connection to + survive the failure depends upon how much state is being maintained + + + +Border, et al. Informational [Page 16] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + on behalf of the connection in the network and whether the state is + self-healing. If no connection specific state resides in the network + or such state is self-healing as in case of regular end-to-end + operation, then a failure in the network will break the connection + only if there is no alternate path through the network between the + end systems. And, if there is no path, both end systems can detect + this. However, if the connection depends upon some state being + stored in the network (e.g., in a PEP), then a failure in the network + (e.g., the node containing a PEP crashes) causes this state to be + lost, forcing the connection to terminate even if an alternate path + through the network exists. + + The importance of this aspect of the end-to-end argument with respect + to PEPs is dependent upon both the PEP implementation and upon the + types of applications being used. Sometimes coincidentally but more + often by design, PEPs are used in environments where there is no + alternate path between the end systems and, therefore, a failure of + the intermediate node containing a PEP would result in the + termination of the connection in any case. And, even when this is + not the case, the risk of losing the connection in the case of + regular end-to-end operation may exist as the connection could break + for some other reason, for example, a long enough link outage of a + last-hop wireless link to the end host. Therefore, users may choose + to accept the risk of a PEP crashing in order to take advantage of + the performance gains offered by the PEP implementation. The + important thing is that accepting the risk should be under the + control of the user (i.e., the user should always have the option to + choose end-to-end operation) and, if the user chooses to use the PEP, + the user should be aware of the implications that a PEP failure has + with respect to the applications being used. + +4.1.3 End-to-end Reliability + + Another aspect of the end-to-end argument is that of acknowledging + the receipt of data end-to-end in order to achieve reliable end-to- + end delivery of data. An application aiming at reliable end-to-end + delivery must implement an end-to-end check and recovery at the + application level. According to the end-to-end argument, this is the + only possibility to correctly implement reliable end-to-end + operation. Otherwise the application violates the end-to-end + argument. This also means that a correctly designed application can + never fully rely on the transport layer (e.g., TCP) or any other + communication subsystem to provide reliable end-to-end delivery. + + First, a TCP connection may break down for some reason and result in + lost data that must be recovered at the application level. Second, + the checksum provided by TCP may be considered inadequate, resulting + in undetected (by TCP) data corruption [Pax99] and requiring an + + + +Border, et al. Informational [Page 17] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + application level check for data corruption. Third, a TCP + acknowledgement only indicates that data was delivered to the TCP + implementation on the other end system. It does not guarantee that + the data was delivered to the application layer on the other end + system. Therefore, a well designed application must use an + application layer acknowledgement to ensure end-to-end delivery of + application layer data. Note that this does not diminish the value + of a reliable transport protocol (i.e., TCP) as such a protocol + allows efficient implementation of several essential functions (e.g., + congestion control) for an application. + + If a PEP implementation acknowledges application data prematurely + (before the PEP receives an application ACK from the other endpoint), + end-to-end reliability cannot be guaranteed. Typically, application + layer PEPs do not acknowledge data prematurely, i.e., the PEP does + not send an application ACK to the sender until it receives an + application ACK from the receiver. And, transport layer PEP + implementations, including TCP PEPs, generally do not interfere with + end-to-end application layer acknowledgments as they let applications + operate end-to-end. However, the user and/or network administrator + employing the PEP must understand how it operates in order to + understand the risks related to end-to-end reliability. + + Some Internet applications do not necessarily operate end-to-end in + their regular operation, thus abandoning any end-to-end reliability + guarantee. For example, Internet email delivery often operates via + relay Mail Transfer Agents, that is, relay Simple Mail Transfer + Protocol (SMTP) servers. An originating MTA (SMTP server) sends the + mail message to a relay MTA that receives the mail message, stores it + in non-volatile storage (e.g., on disk) and then sends an application + level acknowledgement. The relay MTA then takes "full + responsibility" for delivering the mail message to the destination + SMTP server (maybe via another relay MTA); it tries to forward the + message for a relatively long time (typically around 5 days). This + scheme does not give a 100% guarantee of email delivery, but + reliability is considered "good enough". + + An application layer PEP for this kind of an application may + acknowledge application data (e.g., mail message) without essentially + decreasing reliability, as long as the PEP operates according to the + same procedure as the regular proxy (e.g., relay MTA). Again, as + indicated above, the user and/or network administrator employing such + a PEP needs to understand how it operates in order to understand the + reliability risks associated with doing so. + + + + + + + +Border, et al. Informational [Page 18] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +4.1.4 End-to-end Failure Diagnostics + + Another aspect of the end-to-end argument is the ability to support + end-to-end failure diagnostics when problems are encountered. If a + network problem occurs which breaks a connection, the end points of + the connection will detect the failure via timeouts. However, the + existence of a PEP in between the two end points could delay + (sometimes significantly) the detection of the failure by one or both + of the end points. (Of course, some PEPs are intentionally designed + to hide these types of failures as described in Section 3.4.) The + implications of delayed detection of a failed connection depend on + the applications being used. Possibilities range from no impact at + all (or just minor annoyance to the end user) all the way up to + impacting mission critical business functions by delaying switchovers + to alternate communications paths. + + In addition, tools used to debug connection failures may be affected + by the use of a PEP. For example, PING (described in [RFC792] and + [RFC2151]) is often used to test for connectivity. But, because PING + is based on ICMP instead of TCP (i.e., it is implemented using ICMP + Echo and Reply commands at the network layer), it is possible that + the configuration of the network might route PING traffic around the + PEP. Thus, PING could indicate that an end-to-end path exists + between two hosts when it does not actually exist for TCP traffic. + Even when the PING traffic does go through the PEP, the diagnostics + indications provided by the PING traffic are altered. For example, + if the PING traffic goes transparently through the PEP, PING does not + provide any indication that the PEP exists and since the PING traffic + is not being subjected to the same processing as TCP traffic, it may + not necessarily provide an accurate indication of the network delay + being experienced by TCP traffic. On the other hand, if the PEP + terminates the PING and responds to it on behalf of the end host, + then the PING provides information only on the connectivity to the + PEP. Traceroute (also described in [RFC2151]) is similarly affected + by the presence of the PEP. + +4.2 Asymmetric Routing + + Deploying a PEP implementation usually requires that traffic to and + from the end hosts is routed through the intermediate node(s) where + PEPs reside. With some networks, this cannot be accomplished, or it + might require that the intermediate node is located several hops away + from the target link edge which in turn is impractical in many cases + and may result in non-optimal routing. + + + + + + + +Border, et al. Informational [Page 19] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + Note that this restriction does not apply to all PEP implementations. + For example, a PEP which is simply doing ACK spacing only needs to + see one direction of the traffic flow (the direction in which the + ACKs are flowing). ACK spacing can be done without seeing the actual + flow of data. + +4.3 Mobile Hosts + + In environments where a PEP implementation is used to serve mobile + hosts, additional problems may be encountered because PEP related + state information may need to be transferred to a new PEP node during + a handoff. + + When a mobile host moves, it is subject to handovers. If the + intermediate node and home for the serving PEP changes due to + handover, any state information that the PEP maintains and is + required for continuous operation must be transferred to the new + intermediate node to ensure continued operation of the connection. + This requires extra work and overhead and may not be possible to + perform fast enough, especially if the host moves frequently over + cell boundaries of a wireless network. If the mobile host moves to + another IP network, routing to and from the mobile host may need to + be changed to traverse a new PEP node. + + Today, mobility implications with respect to using PEPs are more + significant to W-LAN networks than to W-WAN networks. Currently, a + W-WAN base station typically does not provide the mobile host with + the connection point to the wireline Internet. (A W-WAN base station + may not even have an IP stack.) Instead, the W-WAN network takes + care of mobility with the connection point to the wireline Internet + remaining unchanged while the mobile host moves. Thus, PEP state + handover is not currently required in most W-WAN networks when the + host moves. However, this is generally not true in W-LAN networks + and, even in the case of W-WAN networks, the user and/or network + administrator using a PEP needs to be cognizant of how the W-WAN base + stations and the PEP work in case W-WAN PEP state handoff becomes + necessary in the future. + +4.4 Scalability + + Because a PEP typically processes packet information above the IP + layer, a PEP requires more processing power per packet than a router. + Therefore, PEPs will always be (at least) one step behind routers in + terms of the total throughput they can support. (Processing above + the IP layer is also more difficult to implement in hardware.) In + addition, since most PEP implementations require per connection + state, PEP memory requirements are generally significantly higher + + + + +Border, et al. Informational [Page 20] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + than with a router. Therefore, a PEP implementation may have a limit + on the number of connections which it can support whereas a router + has no such limitation. + + Increased processing power and memory requirements introduce + scalability issues with respect to the use of PEPs. Placement of a + PEP on a high speed link or a link which supports a large number of + connections may require network topology changes beyond just + inserting the PEP into the path of the traffic. For example, if a + PEP can only handle half of the traffic on a link, multiple PEPs may + need to be used in parallel, adding complexity to the network + configuration to divide the traffic between the PEPs. + +4.5 Other Implications of Using PEPs + + This document describes some significant implications with respect to + using Performance Enhancing Proxies. However, the list of + implications provided in this document is not necessarily exhaustive. + Some examples of other potential implications related to using PEPs + include the use of PEPs in multi-homing environments and the use of + PEPs with respect to Quality of Service (QoS) transparency. For + example, there may be potential interaction with the priority-based + multiplexing mechanism described in Section 3.5 and the use of + differentiated services [RFC2475]. Therefore, users and network + administrators who wish to deploy a PEP should look not only at the + implications described in this document but also at the overall + impact (positive and negative) that the PEP will have on their + applications and network infrastructure, both initially and in the + future when new applications are added and/or changes in the network + infrastructure are required. + +5. PEP Environment Examples + + The following sections describe examples of environments where PEP is + currently used to improve performance. The examples are provided to + illustrate the use of the various PEP types and PEP mechanisms + described earlier in the document and to help illustrate the + motivation for their development and use. + +5.1 VSAT Environments + + Today, VSAT networks are implemented with geosynchronous satellites. + VSAT data networks are typically implemented using a star topology. + A large hub earth station is located at the center of the star with + VSATs used at the remote sites of the network. Data is sent from the + hub to the remote sites via an outroute. Data is sent from the + remote sites to the hub via one or more inroutes. VSATs represent an + environment with highly asymmetric links, with an outroute typically + + + +Border, et al. Informational [Page 21] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + much larger than an inroute. (Multiple inroutes can be used with + each outroute but any particular VSAT only has access to a single + inroute at a time, making the link asymmetric.) + + VSAT networks are generally used to implement private networks (i.e., + intranets) for enterprises (e.g., corporations) with geographically + dispersed sites. VSAT networks are rarely, if ever, used to + implement Internet connectivity except at the edge of the Internet + (i.e., as the last hop). Connection to the Internet for the VSAT + network is usually implemented at the VSAT network hub site using + appropriate firewall and (when necessary) NAT [RFC2663] devices. + +5.1.1 VSAT Network Characteristics + + With respect to TCP performance, VSAT networks exhibit the following + subset of the satellite characteristics documented in [RFC2488]: + + Long feedback loops + + Propagation delay from a sender to a receiver in a geosynchronous + satellite network can range from 240 to 280 milliseconds, + depending on where the sending and receiving sites are in the + satellite footprint. This makes the round trip time just due to + propagation delay at least 480 milliseconds. Queueing delay and + delay due to shared channel access methods can sometimes increase + the total delay up to on the order of a few seconds. + + Large bandwidth*delay products + + VSAT networks can support capacity ranging from a few kilobits per + second up to multiple megabits per second. When combined with the + relatively long round trip time, TCP needs to keep a large number + of packets "in flight" in order to fully utilize the satellite + link. + + Asymmetric capacity + + As indicated above, the outroute of a VSAT network is usually + significantly larger than an inroute. Even though multiple + inroutes can be used within a network, a given VSAT can only + access one inroute at a time. Therefore, the incoming (outroute) + and outgoing (inroute) capacity for a VSAT is often very + asymmetric. As outroute capacity has increased in recent years, + ratios of 400 to 1 or greater are becoming more and more common. + With a TCP maximum segment size of 1460 bytes and delayed + acknowledgments [RFC1122] in use, the ratio of IP packet bytes for + data to IP packet bytes for ACKs is only (3000 to 40) 75 to 1. + + + + +Border, et al. Informational [Page 22] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + Thus, inroute capacity for carrying ACKs can have a significant + impact on TCP performance. (The issue of asymmetric link impact + on TCP performance is described in more detail in [BPK97].) + + With respect to the other satellite characteristics listed in + [RFC2488], VSAT networks typically do not suffer from intermittent + connectivity or variable round trip times. Also, VSAT networks + generally include a significant amount of error correction coding. + This makes the bit error rate very low during clear sky conditions, + approaching the bit error rate of a typical terrestrial network. In + severe weather, the bit error rate may increase significantly but + such conditions are rare (when looked at from an overall network + availability point of view) and VSAT networks are generally + engineered to work during these conditions but not to optimize + performance during these conditions. + +5.1.2 VSAT Network PEP Implementations + + Performance Enhancing Proxies implemented for VSAT networks generally + focus on improving throughput (for applications such as FTP and HTTP + web page retrievals). To a lesser degree, PEP implementations also + work to improve interactive response time for small transactions. + + There is not a dominant PEP implementation used with VSAT networks. + Each VSAT network vendor tends to implement their own version of PEP + functionality, integrated with the other features of their VSAT + product. [HNS] and [SPACENET] describe VSAT products with integrated + PEP capabilities. There are also third party PEP implementations + designed to be used with VSAT networks. These products run on nodes + external to the VSAT network at the hub and remote sites. NettGain + [FLASH] and Venturi [FOURELLE] are examples of such products. VSAT + network PEP implementations generally share the following + characteristics: + + - They focus on improving TCP performance; + + - They use an asymmetric distributed implementation; + + - They use a split connection approach with local acknowledgments + and local retransmissions; + + - They support some form of compression to reduce the amount of + bandwidth required (with emphasis on saving inroute bandwidth). + + The key differentiators between VSAT network PEP implementations are: + + - The maximum throughput they attempt to support (mainly a + function of the amount of buffer space they use); + + + +Border, et al. Informational [Page 23] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + - The protocol used over the satellite link. Some implementations + use a modified version of TCP while others use a proprietary + protocol running on top of UDP; + + - The type of compression used. Third party VSAT network PEP + implementations generally focus on application (e.g., HTTP) + specific compression algorithms while PEP implementations + integrated into the VSAT network generally focus on link + specific compression. + + PEP implementations integrated into a VSAT product are generally + transparent to the end systems. Third party PEP implementations used + with VSAT networks usually require configuration changes in the + remote site end systems to route TCP packets to the remote site + proxies but do not require changes to the hub site end systems. In + some cases, the PEP implementation is actually integrated + transparently into the end system node itself, using a "bump in the + stack" approach. In all cases, the use of a PEP is non-transparent + to the user, i.e., the user is aware when a PEP implementation is + being used to boost performance. + +5.1.3 VSAT Network PEP Motivation + + VSAT networks, since the early stages of their deployment, have + supported the use of local termination of a protocol (e.g., SDLC and + X.25) on each side of the satellite link to hide the satellite link + from the applications using the protocol. Therefore, when LAN + capabilities were added to VSAT networks, VSAT customers expected + and, in fact, demanded, the use of similar techniques for improving + the performance of IP based traffic, in particular TCP traffic. + + As indicated in Section 5.1, VSAT networks are primarily used to + implement intranets with Internet connectivity limited to and closely + controlled at the hub site of the VSAT network. Therefore, VSAT + customers are not as affected (or at least perceive that they are not + as affected) by the Internet related implications of using PEPs as + are other technologies. Instead, what is more important to VSAT + customers is the optimization of the network. And, VSAT customers, + in general, prefer that the optimization of the network be done by + the network itself rather than by implementing changes (such as + enabling the TCP scaled window option) to their own equipment. VSAT + customers prefer to optimize their end system configuration for local + communications related to their local mission critical functions and + let the VSAT network hide the presence of the satellite link as much + as possible. VSAT network vendors have also been able to use PEP + functionality to provide value added "services" to their customers + such as extending the useful of life of older equipment which + includes older, "non-modern" TCP stacks. + + + +Border, et al. Informational [Page 24] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + Of course, as the line between intranets and the Internet continues + to fade, the implications of using PEPs start to become more + significant for VSAT networks. For example, twelve years ago + security was not a major concern because the equipment cost related + to being able to intercept VSAT traffic was relatively high. Now, as + technology has advanced, the cost is much less prohibitive. + Therefore, because the use of PEP functionality in VSAT networks + prevents the use of IPsec, customers must rely on the use of higher + layer security mechanisms such as TLS or on proprietary security + mechanisms implemented in the VSAT networks themselves (since + currently many applications are incapable of making (or simply don't + make) use of the standardized higher layer security mechanisms). + This, in turn, affects the cost of the VSAT network as well as + affects the ability of the customers to make use of Internet based + capabilities. + +5.2 W-WAN Environments + + In mobile wireless WAN (W-WAN) environments the wireless link is + typically used as the last-hop link to the end user. W-WANs include + such networks as GSM [GSM], GPRS [GPRS],[BW97], CDPD [CDPD], IS-95 + [CDMA], RichoNet, and PHS. Many of these networks, but not all, have + been designed to provide mobile telephone voice service in the first + place but include data services as well or they evolve from a mobile + telephone network. + +5.2.1 W-WAN Network Characteristics + + W-WAN links typically exhibit some combination of the following link + characteristics: + + - low bandwidth (with some links the available bandwidth might be + as low as a few hundred bits/sec) + + - high latency (minimum round-trip delay close to one second is + not exceptional) + + - high BER resulting in frame or packet losses, or long variable + delays due to local link-layer error recovery + + - some W-WAN links have a lot of internal buffer space which tend + to accumulate data, thus resulting in increased round-trip + delay due to long (and variable) queuing delays + + - on some W-WAN links the users may share common channels for + their data packet delivery which, in turn, may cause unexpected + delays to the packet delivery of a user due to simultaneous use + of the same channel resources by the other users + + + +Border, et al. Informational [Page 25] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + - unexpected link disconnections (or intermittent link outages) + may occur frequently and the period of disconnection may last a + very long time + + - (re)setting the link-connection up may take a long time + (several tens of seconds or even minutes) + + - the W-WAN network typically takes care of terminal mobility: + the connection point to the Internet is retained while the user + moves with the mobile host + + - the use of most W-WAN links is expensive. Many of the service + providers apply time-based charging. + +5.2.2 W-WAN PEP Implementations + + Performance Enhancing Proxies implemented for W-WAN environments + generally focus on improving the interactive response time but at the + same time aim at improving throughput, mainly by reducing the + transfer volume over the inherently slow link in various ways. To + achieve this, typically enhancements are applied at almost all + protocol layers. + +5.2.2.1 Mowgli System + + The Mowgli system [KRA94] is one of the early approaches to address + the challenges induced by the problematic characteristics of low + bandwidth W-WAN links. + + The indirect approach used in Mowgli is not limited to a single layer + as in many other split connection approaches, but it involves all + protocol layers. The basic architecture is based on split TCP (UDP + is also supported) together with full support for application layer + proxies with a distributed PEP approach. An application layer proxy + pair may be added between a client and server, the agent (local + proxy) on a mobile host and the proxy on an intermediate node that + provides the mobile host with the connection to the wireline + Internet. Such a pair may be either explicit or fully transparent to + the applications, but it is, at all times, under end-user control + thus allowing the user to select the traffic that traverses through + the PEP implementation and choose end-to-end IP for other traffic. + + In order to allow running legacy applications unmodified and without + recompilation, the socket layer implementation on the mobile host is + slightly modified to connect the applications, which are configured + to traverse through the PEP, to a local agent while retaining the + original TCP/IP socket semantics. Two types of application layer + agent-proxy pairs can be configured for mobile host application use. + + + +Border, et al. Informational [Page 26] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + A generic pair can be used with any application and it simply + provides split transport service with some optional generic + enhancements like compression. An application-specific pair can be + retailed for any application or a group of applications that are able + to take leverage on the same kind of enhancements. A good example of + enhancements achieved with an application-specific proxy pair is the + Mowgli WWW system that improves significantly the user perceived + response time of Web browsing mainly by reducing the transfer volume + and the number of round trips over the wireless link [LAKLR95], + [LHKR96]. + + Mowgli provides also an option to replace the TCP/IP core protocols + on the last-hop link with a custom protocol that is tuned for low- + bandwidth W-WAN links [KRLKA97]. This protocol was designed to + provide the same transport service with similar semantics as regular + TCP and UDP provide, but use a different protocol implementation that + can freely apply any appropriate protocol mechanisms without being + constrained by the current TCP/IP packet format or protocol + operation. As this protocol is required to operate over a single + logical link only, it could partially combine the protocol control + information and protocol operation of the link, network, and + transport layers. In addition, the protocol can operate on top of + various link services, for example on top of different raw link + services, on top of PPP, on top of IP, or even on top of a single TCP + connection using it as a link service and implementing "TCP + multiplexing" over it. In all other cases, except when the protocol + is configured to operate on top of raw (wireless) link service, IP + may co-exist with the custom protocol allowing simultaneous end-to- + end IP delivery for the traffic not traversing through the PEP + implementation. + + Furthermore, the custom protocol can be run in different operation + modes which turn on or off certain protocol functions depending on + the underlying link service. For example, if the underlying link + service provides reliable data delivery, the checksum and the + window-based error recovery can be turned off, thus reducing the + protocol overhead; only a very simple recovery mechanism is needed to + allow recovery from an unexpected link disconnection. Therefore, the + protocol design was able to use extremely efficient header encoding + (only 1-3 bytes per packet in a typical case), reduce the number of + round trips significantly, and various features that are useful with + low-bandwidth W-WAN links were easy to add. Such features include + suspending the protocol operation over the periods of link + disconnection or link outage together with fast start once the link + becomes operational again, priority-based multiplexing of user data + over the W-WAN link thus offering link capacity to interactive + + + + + +Border, et al. Informational [Page 27] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + applications in a timely manner even in presence of bandwidth- + intensive background transfers, and link-level flow control to + prevent data from accumulating into the W-WAN link internal buffers. + + If desired, regular TCP/IP transport, possibly with corresponding + protocol modifications in TCP (and UDP) that would tune it more + suitable for W-WAN links, can be employed on the last-hop link. + +5.2.2.2 Wireless Application Protocol (WAP) + + The Mowgli system was designed to support mobile hosts that are + attached to the Internet over constrained links, but did not address + the specific challenges with low-end mobile devices. Many mobile + wireless devices are power, memory, and processing constrained, and + the communication links to these devices have lower bandwidth and + less stable connections. These limitations led designers to develop + the Wireless Application Protocol (WAP) that specifies an application + framework and network protocols intended to work across differing + narrowband wireless network technologies bringing Internet content + and advanced data services to low-end digital cellular phones and + other mobile wireless terminals, such as pagers and PDAs. + + The WAP model consists of a WAP client (mobile terminal), a WAP + proxy, and an origin server. It requires a WAP proxy between the WAP + client and the server on the Internet. WAP uses a layered, scalable + architecture [WAPARCH], specifying the following five protocol layers + to be used between the terminal and the proxy: Application Layer + (WAE) [WAPWAE], Session Layer (WSP) [WAPWSP], Transaction Layer (WTP) + [WAPWTP], Security Layer (WTLS) [WAPWTLS], and Transport Layer (WDP) + [WAPWDP]. Standard Internet protocols are used between the proxy and + the origin server. If the origin server includes WAP proxy + functionality, it is called a WAP Server. + + In a typical scenario, a WAP client sends an encoded WAP request to a + WAP proxy. The WAP proxy translates the WAP request into a WWW + (HTTP) request, performing the required protocol conversions, and + submits this request to a standard web server on the Internet. After + the web server responds to the WAP proxy, the response is encoded + into a more compact binary format to decrease the size of the data + over the air. This encoded response is forwarded to the WAP client + [WAPPROXY]. + + WAP operates over a variety of bearer datagram services. When + communicating over these bearer services, the WAP transport layer + (WDP) is always used between the WAP client and WAP proxy and it + provides port addressed datagram service to the higher WAP layers. + If the bearer service supports IP (e.g., GSM-CSD, GSM-GPRS, IS-136, + CDPD), UDP is used as the datagram protocol. However, if the bearer + + + +Border, et al. Informational [Page 28] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + service does not support IP (e.g., GSM-SMS, GSM-USSD, GSM Cell + Broadcast, CDMS-SMS, TETRA-SDS), WDP implements the required datagram + protocol as an adaptation layer between the bearer network and the + protocol stack. + + The use of the other layers depends on the port number. WAP has + registered a set of well-known ports with IANA. The port number + selected by the application for communication between a WAP client + and proxy defines the other layers to be used at each end. The + security layer, WTLS, provides privacy, data integrity and + authentication. Its functionality is similar to TLS 1.0 [RFC2246] + extended with datagram support, optimized handshake and dynamic key + refreshing. If the origin server includes WAP proxy functionality, + it might be used to facilitate the end-to-end security solutions, + otherwise it provides security between the mobile terminal and the + proxy. + + The transaction layer, WTP, is message based without connection + establishment and tear down. It supports three types of transaction + classes: an unconfirmed request (unidirectional), a reliable + (confirmed) request (unidirectional), and a reliable (confirmed) + request-reply transaction. Data is carried in the first packet and + 3-way handshake is eliminated to reduce latencies. In addition + acknowledgments, retransmission, and flow control are provided. It + allows more than one outstanding transaction at a time. It handles + the bearer dependence of a transfer, e.g., selects timeout values and + packet sizes according to the bearer. Unfortunately, WTP uses fixed + retransmission timers and does not include congestion control, which + is a potential problem area as the use of WAP increases [RFC3002]. + + The session layer, WSP, supports binary encoded HTTP 1.1 with some + extensions such as long living session with suspend/resume facility + and state handling, header caching, and push facility. On top of the + architecture is the application environment (WAE). + +5.2.3 W-WAN PEP Motivation + + As indicated in Section 5.2.1, W-WAN networks typically offer very + low bandwidth connections with high latency and relatively frequent + periods of link disconnection and they usually are expensive to use. + Therefore, the transfer volume and extra round-trips, such as those + associated with TCP connection setup and teardown, must be reduced + and the slow W-WAN link should be efficiently shielded from excess + traffic and global (wired) Internet congestion to make Internet + access usable and economical. Furthermore, interactive traffic must + be transmitted in a timely manner even if there are other + simultaneous bandwidth intensive (background) transfers and during + the periods with connectivity the link must be kept fully utilized + + + +Border, et al. Informational [Page 29] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + due to expensive use. In addition, the (long) periods of link + disconnection must not abort active (bulk data) transfers, if an + end-user so desires. + + As (all) applications cannot be made mobility/W-WAN aware in short + time frame or maybe ever, support for mobile W-WAN use should be + implemented in a way which allows most applications, at least those + running on fixed Internet hosts, to continue their operation + unmodified. + +5.3 W-LAN Environments + + Wireless LANs (W-LAN) are typically organized in a cellular topology + where an access point with a W-LAN transceiver controls a single + cell. A cell is defined in terms of the coverage area of the base + station. The access points are directly connected to the wired + network. The access point in each of the cells is responsible for + forwarding packets to and from the hosts located in the cell. Often + the hosts with W-LAN transceivers are mobile. When such a mobile + host moves from one cell to another cell, the responsibility for + forwarding packets between the wired network and the mobile host must + be transferred to the access point of the new cell. This is known as + a handoff. Many W-LAN systems also support an operation mode + enabling ad-hoc networking. In this mode access points are not + necessarily needed, but hosts with W-LAN transceiver can communicate + directly with the other hosts within the transceiver's transmission + range. + +5.3.1 W-LAN Network Characteristics + + Current wireless LANs typically provide link bandwidth from 1 Mbps to + 11 Mbps. In the future, wide deployment of higher bandwidths up to + 54 Mbps or even higher can be expected. The round-trip delay with + wireless LANs is on the order of a few milliseconds or tens of + milliseconds. Examples of W-LANs include IEEE 802.11, HomeRF, and + Hiperlan. Wireless personal area networks (WPAN) such as Bluethooth + can use the same PEP techniques. + + Wireless LANs are error-prone due to bit errors, collisions and link + outages. In addition, consecutive packet losses may also occur + during handoffs. Most W-LAN MAC protocols perform low level + retransmissions. This feature shields upper layers from most losses. + However, unavoidable losses, retransmission latency and link outages + still affect upper layers. TCP performance over W-LANs or a network + path involving a W-LAN link is likely to suffer from these effects. + + + + + + +Border, et al. Informational [Page 30] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + As TCP wrongly interprets these packet losses to be network + congestion, the TCP sender reduces its congestion window and is often + forced to timeout in order to recover from the consecutive losses. + The result is often unacceptably poor end-to-end performance. + +5.3.2 W-LAN PEP Implementations: Snoop + + Berkeley's Snoop protocol [SNOOP] is a TCP-specific approach in which + a TCP-aware module, a Snoop agent, is deployed at the W-LAN base + station that acts as the last-hop router to the mobile host. Snoop + aims at retaining the TCP end-to-end semantics. The Snoop agent + monitors every packet that passes through the base station in either + direction and maintains soft state for each TCP connection. The + Snoop agent is an asymmetric PEP implementation as it operates + differently on TCP data and ACK channels as well as on the uplink + (from the mobile host) and downlink (to the mobile host) TCP + segments. + + For a data transfer to a mobile host, the Snoop agent caches + unacknowledged TCP data segments which it forwards to the TCP + receiver and monitors the corresponding ACKs. It does two things: + + 1. Retransmits any lost data segments locally by using local timers + and TCP duplicate ACKs to identify packet loss, instead of waiting + for the TCP sender to do so end-to-end. + + 2. Suppresses the duplicate ACKs on their way from the mobile host + back to the sender, thus avoiding fast retransmit and congestion + avoidance at the latter. + + Suppressing the duplicate ACKs is required to avoid unnecessary fast + retransmits by the TCP sender as the Snoop agent retransmits a packet + locally. Consider a system that employs the Snoop agent and a TCP + sender S that sends packets to receiver R via a base station BS. + Assume that S sends packets A, B, C, D, E (in that order) which are + forwarded by BS to the wireless receiver R. Assume the first + transmission of packet B is lost due to errors on the wireless link. + In this case, R receives packets A, C, D, E and B (in that order). + Receipt of packets C, D and E trigger duplicate ACKs. When S + receives three duplicate ACKs, it triggers fast retransmit (which + results in a retransmission, as well as reduction of the congestion + window). The Snoop agent also retransmits B locally, when it + receives three duplicate ACKs. The fast retransmit at S occurs + despite the local retransmit on the wireless link, degrading + throughput. Snoop deals with this problem by dropping TCP duplicate + ACKs appropriately at BS. + + + + + +Border, et al. Informational [Page 31] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + For a data transfer from a mobile host, the Snoop agent detects the + packet losses on the wireless link by monitoring the data segments it + forwards. It then employs either Negative Acknowledgements (NAK) + locally or Explicit Loss Notifications (ELN) to inform the mobile + sender that the packet loss was not related to congestion, thus + allowing the sender to retransmit without triggering normal + congestion control procedures. To implement this, changes at the + mobile host are required. + + When a Snoop agent uses NAKs to inform the TCP sender of the packet + losses on the wireless link, one possibility to implement them is + using the Selective Acknowledgment (SACK) option of TCP [RFC2018]. + This requires enabling SACK processing at the mobile host. The Snoop + agent sends a TCP SACK, when it detects a hole in the transmission + sequence from the mobile host or when it has not received any new + packets from the mobile host for a certain time period. This + approach relies on the advisory nature of the SACKs: the mobile + sender is advised to retransmit the missing segments indicated by + SACK, but it must not assume successful end-to-end delivery of the + segments acknowledged with SACK as these segments might get lost + later in the path to the receiver. Instead, the sender must wait for + a cumulative ACK to arrive. + + When the ELN mechanism is used to inform the mobile sender of the + packet losses, Snoop uses one of the 'unreserved' bits in the TCP + header for ELN [SNOOPELN]. The Snoop agent keeps track of the holes + that correspond to segments lost over the wireless link. When a + (duplicate) ACK corresponding to a hole in the sequence space arrives + from the TCP receiver, the Snoop agent sets the ELN bit on the ACK to + indicate that the loss is unrelated to congestion and then forwards + the ACK to the TCP sender. When the sender receives a certain number + of (duplicate) ACKs with ELN (a configurable variable at the mobile + host, e.g., two), it retransmit the missing segment without + performing any congestion control measures. + + The ELN mechanism using one of the six bits reserved for future use + in the TCP header is dangerous as it exercises checks that might not + be correctly implemented in TCP stacks, and may expose bugs. + + A scheme such as Snoop is needed only if the possibility of a fast + retransmit due to wireless errors is non-negligible. In particular, + if the wireless link uses link-layer recovery for lost data, then + this scheme is not beneficial. Also, if the TCP window tends to stay + smaller than four segments, for example, due to congestion related + losses on the wired network, the probability that the Snoop agent + will have an opportunity to locally retransmit a lost packet is + small. This is because at least three duplicate ACKs are needed to + trigger the local retransmission, but due to small window the Snoop + + + +Border, et al. Informational [Page 32] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + agent may not be able to forward three new packets after the lost + packet and thus induce the required three duplicate ACKs. + Conversely, when the TCP window is large enough, Snoop can provide + significant performance improvement (compared with standard TCP). + + In order to alleviate the problem with small TCP windows, Snoop + proposes a solution in which a TCP sender is allowed to transmit a + new data segment for each duplicate ACK it receives as long as the + number of duplicate ACKs is less than the threshold for TCP fast + retransmission (three duplicate ACKs). If the new segment reaches + the receiver, it will generate another duplicate ACK which, in turn, + allows the sender to transmit yet another data segment. This + continues until enough duplicate ACKs have accumulated to trigger TCP + fast retransmission. This proposal is the same as the "Limited + Transfer" proposal [RFC3042] that has recently been forwarded to the + standards track. However, to be able to benefit from this solution, + it needs to be deployed on TCP senders and therefore it is not ready + for use in a short time frame. + + Snoop requires the intermediate node (base station) to examine and + operate on the traffic between the mobile host and the other end host + on the wired Internet. Hence, Snoop does not work if the IP traffic + is encrypted. Possible solutions involve: + + - making the Snoop agent a party to the security association + between the client and the server; + + - IPsec tunneling mode, terminated at the Snooping base station. + + However, these techniques require that users trust base stations. + + Snoop also requires that both the data and the corresponding ACKs + traverse the same base station. Furthermore, the Snoop agent may + duplicate efforts by the link layer as it retransmits the TCP data + segments "at the transport layer" across the wireless link. (Snoop + has been described by its designers as a TCP-aware link layer. This + is the right approach: the link and network layers can be much more + aware of each other than strict layering suggests.) + +5.3.3 W-LAN PEP Motivation + + Wireless LANs suffer from an error prone wireless channel. Errors + can typically be considered bursty and channel conditions may change + rapidly from mobility and environmental changes. Packets are dropped + from bit errors or during handovers. Periods of link outage can also + be experienced. Although the typical MAC performs retransmissions, + dropped packets, outages and retransmission latency still can have + serious performance implications for IP performance, especially TCP. + + + +Border, et al. Informational [Page 33] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + PEPs can be used to alleviate problems caused by packet losses, + protect TCP from link outages, and to add priority multiplexing. + Techniques such as Snoop are integrally implemented in access points, + while priority and compression schemes are distributed across the W- + LAN. + +6. Security Considerations + + The use of Performance Enhancing Proxies introduces several issues + which impact security. First, (as described in detail in Section + 4.1.1,) using PEPs and using IPsec is generally mutually exclusive. + Unless the PEP is also both capable and trusted to be the endpoint of + an IPsec tunnel (and the use of an IPsec tunnel is deemed good enough + security for the applicable threat model), a user or network + administrator must choose between improved performance and network + layer security. In some cases, transport (or higher) layer security + can be used in conjunction with a PEP to mitigate the impact of not + having network layer security. But, support by applications for the + use of transport (or higher) layer security is far from ubiquitous. + + Additionally, the PEP itself needs to be protected from attack. + First, even when IPsec tunnels are used with the PEP, the PEP + represents a point in the network where traffic is exposed. And, the + placement of a PEP in the network makes it an ideal platform from + which to launch a denial of service or man in the middle attack. + (Also, taking the PEP out of action is a potential denial of service + attack itself.) Therefore, the PEP must be protected (e.g., by a + firewall) or must protect itself from improper access by an attacker + just like any other device which resides in a network. + +7. IANA Considerations + + This document is an informational overview document and, as such, + does not introduce new nor modify existing name or number spaces + managed by IANA. + +8. Acknowledgements + + This document grew out of the Internet-Draft "TCP Performance + Enhancing Proxy Terminology", RFC 2757 "Long Thin Networks", and work + done in the IETF TCPSAT working group. The authors are indebted to + the active members of the PILC working group. In particular, Joe + Touch and Mark Allman gave us invaluable feedback on various aspects + of the document and Magdolna Gerendai provided us with essential help + on the WAP example. + + + + + + +Border, et al. Informational [Page 34] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +9. References + + [BBKT97] P. Bhagwat, P. Bhattacharya, A. Krishma, S.K. Tripathi, + "Using channel state dependent packet scheduling to + improve TCP throughput over wireless LANs," ACM Wireless + Networks, March 1997, pp. 91 - 102. Available at: + http://www.acm.org/pubs + /articles/journals/wireless/1997-3-1/p91-bhagwat/p91- + bhagwat.pdf + + [BPK97] H. Balakrishnan, V.N. Padmanabhan, R.H. Katz, "The + Effects of Asymmetry on TCP Performance," Proc. ACM/IEEE + Mobicom, Budapest, Hungary, September 1997. + + [BW97] G. Brasche, B. Walke, "Concepts, Services, and Protocols + of the New GSM Phase 2+ general Packet Radio Service," + IEEE Communications Magazine, Vol. 35, No. 8, August + 1997. + + [CDMA] Electronic Industry Alliance (EIA)/Telecommunications + Industry Association (TIA), IS-95: Mobile Station-Base + Station Compatibility Standard for Dual-Mode Wideband + Spread Spectrum Cellular System, 1993. + + [CDPD] Wireless Data Forum, CDPD System Specification, Release + 1.1, 1995. + + [CTC+97] H. Chang, C. Tait, N. Cohen, M. Shapiro, S. Mastrianni, + R. Floyd, B. Housel, D. Lindquist, "Web Browsing in a + Wireless Environment: Disconnected and Asynchronous + Operation in ARTour Web Express," Proc. MobiCom'97, + Budapest, Hungary, September 1997. + + [FMSBMR98] D.C. Feldmeier, A.J. McAuley, J.M. Smith, D.S. Bakin, + W.S. Marcus, T.M. Raleigh, "Protocol Boosters," IEEE + Journal on Selected Areas of Communication, Vol. 16, No. + 3, April 1998. + + [FLASH] Flash Networks Ltd., performance boosting products + technology vendor based in Holmdel, New Jersey. Website + at http://www.flashnetworks.com. + + [FOURELLE] Fourelle Systems, performance boosting products + technology vendor based in Santa Clara, California. + Website at http://www.fourelle.com. + + [GPRS] ETSI, "General Packet Radio Service (GPRS): Service + Description, Stage 2," GSM03.60, v.6.1.1, August 1998. + + + +Border, et al. Informational [Page 35] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + [GSM] M. Rahnema, "Overview of the GSM system and protocol + architecture," IEEE Communications Magazine, Vol. 31, No. + 4, pp. 92-100, April 1993. + + [HNS] Hughes Network Systems, Inc., VSAT technology vendor + based in Germantown, Maryland. Website at + http://www.hns.com. + + [I-TCP] A. Bakre, B.R. Badrinath, "I-TCP: Indirect TCP for Mobile + Hosts," Proc. 15th International Conference on + Distributed Computing Systems (ICDCS), May 1995. + + [KRA94] M. Kojo, K. Raatikainen, T. Alanko, "Connecting Mobile + Workstations to the Internet over a Digital Cellular + Telephone Network," Proc. Workshop on Mobile and Wireless + Information Systems (MOBIDATA), Rutgers University, NJ, + November 1994. Revised version published in Mobile + Computing, pp. 253-270, Kluwer, 1996. + + [KRLKA97] M. Kojo, K. Raatikainen, M. Liljeberg, J. Kiiskinen, T. + Alanko, "An Efficient Transport Service for Slow Wireless + Telephone Links," IEEE Journal on Selected Areas of + Communication, Vol. 15, No. 7, September 1997. + + [LAKLR95] M. Liljeberg, T. Alanko, M. Kojo, H. Laamanen, K. + Raatikainen, "Optimizing World-Wide Web for Weakly- + Connected Mobile Workstations: An Indirect Approach," + Proc. of the 2nd Int. Workshop on Services in Distributed + and Networked Environments, Whistler, Canada, pp. 132- + 139, June 1995. + + [LHKR96] M. Liljeberg, H. Helin, M. Kojo, K. Raatikainen, "Mowgli + WWW Software: Improved Usability of WWW in Mobile WAN + Environments," Proc. IEEE Global Internet 1996 + Conference, London, UK, November 1996. + + [M-TCP] K. Brown, S. Singh, "M-TCP: TCP for Mobile Cellular + Networks," ACM Computer Communications Review Volume + 27(5), 1997. Available at + ftp://ftp.ece.orst.edu/pub/singh/papers/mtcp.ps.gz. + + [Pax99] V. Paxson, "End-to-End Internet Packet Dynamics," + IEEE/ACM Transactions on Networking, Vol. 7, No. 3, 1999, + pp. 277-292. + + [PILCWEB] http://pilc.grc.nasa.gov. + + + + + +Border, et al. Informational [Page 36] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, + RFC 792, September 1981. + + [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC + 793, September 1981. + + [RFC1122] Braden, R., "Requirements for Internet Hosts -- + Communications Layers", STD 3, RFC 1122, October 1989. + + [RFC1144] Jacobson, V., "Compressing TCP/IP Headers for Low-Speed + Serial Links", RFC 1144, February 1990. + + [RFC1323] Jacobson, V., Braden, R. and D. Borman, "TCP Extensions + for High Performance", RFC 1323, May 1992. + + [RFC1958] Carpenter, B., "Architectural Principles of the + Internet", RFC 1958, June 1996. + + [RFC2018] Mathis, M., Mahdavi, J., Floyd, S. and A. Romanow, "TCP + Selective Acknowledgment Options", RFC 2018, October + 1996. + + [RFC2151] Kessler, G. and S. Shepard, "A Primer On Internet and + TCP/IP Tools and Utilities", FYI 30, RFC 2151, June 1997. + + [RFC2246] Dierk, T. and E. Allen, "TLS Protocol Version 1," RFC + 2246, January 1999. + + [RFC2393] Shacham, A., Monsour, R., Pereira, R. and M. Thomas, "IP + Payload Compression Protocol (IPcomp)", RFC 2393, + December 1998. + + [RFC2401] Kent, S., and R. Atkinson, "Security Architecture for the + Internet Protocol", RFC 2401, November 1998. + + [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z. + and W. Weiss, "An Architecture for Differentiated + Services", RFC 2475, December 1998. + + [RFC2488] Allman, M., Glover, D. and L. Sanchez, "Enhancing TCP + Over Satellite Channels using Standard Mechanisms", BCP + 28, RFC 2488, January 1999. + + [RFC2507] Degermark, M., Nordgren, B. and S. Pink, "IP Header + Compression", RFC 2507, February 1999. + + + + + + +Border, et al. Informational [Page 37] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + [RFC2508] Casner, S. and V. Jacobson, "Compressing IP/UDP/RTP + Headers for Low-Speed Serial Links", RFC 2508, February + 1999. + + [RFC2509] Engan, M., Casner, S. and C. Bormann, "IP Header + Compression over PPP", RFC 2509, February 1999. + + [RFC2663] Srisuresh, P. and Y. Holdrege, "IP Network Address + Translator (NAT) Terminology and Considerations", RFC + 2663, August 1999. + + [RFC2760] Allman, M., Dawkins, S., Glover, D., Griner, J., + Henderson, T., Heidemann, J., Kruse, H., Ostermann, S., + Scott, K., Semke, J., Touch, J. and D. Tran, "Ongoing TCP + Research Related to Satellites", RFC 2760, February 2000. + + [RFC3002] Mitzel, D., "Overview of 2000 IAB Wireless + Internetworking Workshop", RFC 3002, December 2000. + + [RFC3042] Allman, M., Balakrishnan, H. and S. Floyd, "Enhancing + TCP's Loss Recovery Using Limited Transmit", RFC 3042, + January 2001. + + [SHEL00] Z. Shelby, T. Saarinen, P. Mahonen, D. Melpignano, A. + Marshall, L. Munoz, "Wireless IPv6 Networks - WINE," IST + Mobile Summit, Ireland, October 2000. + + [SNOOP] H. Balakrishnan, S. Seshan, E. Amir, R. Katz, "Improving + TCP/IP Performance over Wireless Networks," Proc. 1st ACM + Conference on Mobile Communications and Networking + (Mobicom), Berkeley, California, November 1995. + + [SNOOPELN] H. Balakrishnan, R. Katz, "Explicit Loss Notification and + Wireless Web Performance," Proc. IEEE Globecom 1998, + Internet Mini-Conference, Sydney, Australia, November + 1998. + + [SPACENET] Spacenet, VSAT technology vendor based in Mclean, + Virginia. Website at http://www.spacenet.com. + + [SRC84] J.H. Saltzer, D.P. Reed, D.D. Clark, "End-To-End + Arguments in System Design," ACM TOCS, Vol. 2, No. 4, pp. + 277-288, November 1984. + + [WAPARCH] Wireless Application Protocol Architecture Specification, + April 1998, http://www.wapforum.org. + + + + + +Border, et al. Informational [Page 38] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + [WAPPROXY] Wireless Application Protocol Push Proxy Gateway Service + Specification, August 1999, http://www.wapforum.org. + + [WAPWAE] Wireless Application Protocol Wireless Application + Environment Overview, March 2000, + http://www.wapforum.org. + + [WAPWDP] Wireless Application Protocol Wireless Datagram Protocol + Specification, February 2000, http://www.wapforum.org. + + [WAPWSP] Wireless Application Protocol Wireless Session Protocol + Specification, May 2000, http://www.wapforum.org. + + [WAPWTLS] Wireless Application Protocol Wireless Transport Layer + Security Specification, February 2000, + http://www.wapforum.org. + + [WAPWTP] Wireless Application Protocol Wireless Transaction + Protocol Specification, February 2000, + http://www.wapforum.org. + + [Zhang00] Y. Zhang, B. Singh, "A Multi-Layer IPsec Protocol," Proc. + proceedings of 9th USENIX Security Symposium, Denver, + Colorado, August 2000. Available at + http://www.wins.hrl.com/people/ygz/papers/usenix00.html. + +10. Authors' Addresses + + Questions about this document may be directed to: + + John Border + Hughes Network Systems + 11717 Exploration Lane + Germantown, Maryland 20876 + + Phone: +1-301-548-6819 + Fax: +1-301-548-1196 + EMail: border@hns.com + + + + + + + + + + + + + +Border, et al. Informational [Page 39] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + Markku Kojo + Department of Computer Science + University of Helsinki + P.O. Box 26 (Teollisuuskatu 23) + FIN-00014 HELSINKI + Finland + + Phone: +358-9-1914-4179 + Fax: +358-9-1914-4441 + EMail: kojo@cs.helsinki.fi + + + Jim Griner + NASA Glenn Research Center + MS: 54-5 + 21000 Brookpark Orad + Cleveland, Ohio 44135-3191 + + Phone: +1-216-433-5787 + Fax: +1-216-433-8705 + EMail: jgriner@grc.nasa.gov + + + Gabriel Montenegro + Sun Microsystems Laboratories, Europe + 29, chemin du Vieux Chene + 38240 Meylan, FRANCE + + Phone: +33 476 18 80 45 + EMail: gab@sun.com + + + Zach Shelby + University of Oulu + Center for Wireless Communications + PO Box 4500 + FIN-90014 + Finland + + Phone: +358-40-779-6297 + EMail: zach.shelby@ee.oulu.fi + + + + + + + + + + +Border, et al. Informational [Page 40] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +Appendix A - PEP Terminology Summary + + This appendix provides a summary of terminology frequently used + during discussion of Performance Enhancing Proxies. (In some cases, + these terms have different meanings from their non-PEP related + usage.) + + ACK filtering + + Removing acknowledgments to prevent congestion of a low speed + link, usually used with paths which include a highly asymmetric + link. Sometimes also called ACK reduction. See Section 3.1.4. + + ACK spacing + + Delayed forwarding of acknowledgments in order to space them + appropriately, for example, to help minimize the burstiness of + TCP data. See Section 3.1.1. + + application layer PEP + + A Performance Enhancing Proxy operating above the transport + layer. May be aimed at improving application or transport + protocol performance (or both). Described in detail in Section + 2.1.2. + + asymmetric link + + A link which has different rates for the forward channel (used for + data segments) and the back (or return) channel (used for ACKs). + + available bandwidth + + The total capacity of a link available to carry information at any + given time. May be lower than the raw bandwidth due to competing + traffic. + + bandwidth utilization + + The actual amount of information delivered over a link in a given + period, usually expressed as a percent of the raw bandwidth of + the link. + + gateway + + Has several meanings with respect to PEPs, depending on context: + + - An access point to a particular link; + + + +Border, et al. Informational [Page 41] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + - A device capable of initiating and terminating connections + on + + behalf of a user or end system (e.g., a firewall or proxy). + + Not necessarily, but could be, a router. + + in flight (data) + + Data sent but not yet acknowledged. More precisely, data sent for + which the sender has not yet received the acknowledgement. + + link layer PEP + + A Performance Enhancing Proxy operating below the network layer. + + local acknowledgement + + The generation of acknowledgments by an entity in the path + between two end systems in order to allow the sending system to + transmit more data without waiting for end-to-end + acknowledgments. Described (in the context of TCP) in Section + 3.1.2. + + performance enhancing proxy + + An entity in the network acting on behalf of an end system or user + (with or without the knowledge of the end system or user) in order + to enhance protocol performance. Section 2 describes various + types of performance enhancing proxies. Section 3 describes the + mechanisms performance enhancing proxies use to improve + performance. + + raw bandwidth + + The total capacity of an unloaded link available to carry + information. + + Snoop + + A TCP-aware link layer developed for wireless packet radio and + cellular networks. It works by caching segments at a wireless + base station. If the base station sees duplicate acknowledgments + for a segment that it has cached, it retransmits the missing + segment while suppressing the duplicate acknowledgement stream + being forwarded back to the sender until the wireless receiver + starts to acknowledge new data. Described in detail in Section + 5.3.2 and [SNOOP]. + + + +Border, et al. Informational [Page 42] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + split connection + + A connection that has been terminated before reaching the intended + destination end system in order to initiate another connection + towards the end system. This allows the use of different + connection characteristics for different parts of the path of + the originally intended connection. See Section 2.4. + + TCP PEP + + A Performance Enhancing Proxy operating at the transport layer + with TCP. Aimed at improving TCP performance. + + TCP splitting + + Using one or more split TCP connections to improve TCP + performance. + + TCP spoofing + + Sometimes used as a synonym for TCP PEP. More accurately, TCP + spoofing refers to using transparent (to the TCP stacks in the + end systems) mechanisms to improve TCP performance. See Section + 2.1.1. + + transparent + + In the context of a PEP, transparent refers to not requiring + changes to be made to the end systems, transport endpoints + and/or applications involved in a connection. See Section 2.5 + for a more detailed explanation. + + transport layer PEP + + A Performance Enhancing Proxy operating at the transport layer. + Described in detail in Section 2.1.1. + + tunneling + + In the context of PEPs, tunneling refers to the process of + wrapping a packet for transmission over a particular link + between two PEPs. See Section 3.2. + + + + + + + + + +Border, et al. Informational [Page 43] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + + WAP + + The Wireless Application Protocol specifies an application + framework and network protocols intended to work across + differing narrow-band wireless network technologies. See + Section 5.2.2.2. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Border, et al. Informational [Page 44] + +RFC 3135 PILC - Performance Enhancing Proxies June 2001 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2001). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Border, et al. Informational [Page 45] + -- cgit v1.2.3