1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
|
Independent Submission D. Dolson, Ed.
Request for Comments: 8517
Category: Informational J. Snellman
ISSN: 2070-1721
M. Boucadair, Ed.
C. Jacquenet
Orange
February 2019
An Inventory of Transport-Centric Functions Provided by Middleboxes:
An Operator Perspective
Abstract
This document summarizes an operator's perception of the benefits
that may be provided by intermediary devices that execute functions
beyond normal IP forwarding. Such intermediary devices are often
called "middleboxes".
RFC 3234 defines a taxonomy of middleboxes and issues in the
Internet. Most of those middleboxes utilize or modify application-
layer data. This document primarily focuses on devices that observe
and act on information carried in the transport layer, and especially
information carried in TCP packets.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not candidates for any level of Internet Standard;
see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8517.
Dolson, et al. Informational [Page 1]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Operator Perspective . . . . . . . . . . . . . . . . . . 3
1.2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Measurements . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Packet Loss . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Round-Trip Times . . . . . . . . . . . . . . . . . . . . 6
2.3. Measuring Packet Reordering . . . . . . . . . . . . . . . 6
2.4. Throughput and Bottleneck Identification . . . . . . . . 7
2.5. Congestion Responsiveness . . . . . . . . . . . . . . . . 7
2.6. Attack Detection . . . . . . . . . . . . . . . . . . . . 8
2.7. Packet Corruption . . . . . . . . . . . . . . . . . . . . 8
2.8. Application-Layer Measurements . . . . . . . . . . . . . 9
3. Functions beyond Measurement: A Few Examples . . . . . . . . 9
3.1. NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2. Firewall . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3. DDoS Scrubbing . . . . . . . . . . . . . . . . . . . . . 10
3.4. Implicit Identification . . . . . . . . . . . . . . . . . 11
3.5. Performance-Enhancing Proxies . . . . . . . . . . . . . . 11
3.6. Network Coding . . . . . . . . . . . . . . . . . . . . . 12
3.7. Network-Assisted Bandwidth Aggregation . . . . . . . . . 13
3.8. Prioritization and Differentiated Services . . . . . . . 13
3.9. Measurement-Based Shaping . . . . . . . . . . . . . . . . 14
3.10. Fairness to End-User Quota . . . . . . . . . . . . . . . 14
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
5. Security Considerations . . . . . . . . . . . . . . . . . . . 14
5.1. Confidentiality and Privacy . . . . . . . . . . . . . . . 14
5.2. Active On-Path Attacks . . . . . . . . . . . . . . . . . 15
5.3. Improved Security . . . . . . . . . . . . . . . . . . . . 15
6. Informative References . . . . . . . . . . . . . . . . . . . 16
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21
Dolson, et al. Informational [Page 2]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
1. Introduction
From [RFC3234], "A middlebox is defined as any intermediary device
performing functions other than the normal, standard functions of an
IP router on the datagram path between a source host and destination
host."
Middleboxes are usually (but not exclusively) deployed at locations
permitting observation of bidirectional traffic flows. Such
locations are typically points where leaf networks connect to the
Internet, for example:
o Where a residential or business customer connects to its service
provider(s), which may include multihoming;
o On the Gi interface where a Gateway General Packet Radio Service
(GPRS) Support Node (GGSN) connects to a Packet Data Network (PDN)
(Section 3.1 of [RFC6459]).
For the purposes of this document (and to be consistent with the
definition in RFC 3234), middlebox functions may be found in routers
and switches in addition to dedicated devices.
This document itemizes a variety of features provided by middleboxes
and by ad hoc analysis performed by operators using packet analyzers.
Many of the techniques described in this document require stateful
analysis of transport streams. A generic state machine is described
in [PATH-STATE].
This document summarizes an operator's perception of the benefits
that may be provided by middleboxes. A primary goal is to provide
information to the Internet community to aid understanding of what
might be gained or lost by decisions that may affect (or be affected
by) middlebox operation in the design of new transport protocols.
See Section 1.1 for more details.
1.1. Operator Perspective
Network operators are often the ones first called upon when
applications fail to function properly, often with user reports about
application behaviors (not about packet behaviors). Therefore, it
isn't surprising that operators (wanting to be helpful) desire some
visibility into flow information to identify how well the problem
flows are progressing and how well other flows are progressing.
Dolson, et al. Informational [Page 3]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
Advanced service functions (e.g., Network Address Translators (NATs),
firewalls, etc.) [RFC7498] are widely used to achieve various
objectives such as IP address sharing, firewalling, avoiding covert
channels, detecting and protecting against ever-increasing
Distributed Denial of Service (DDoS) attacks, etc. For example,
environment-specific designs may require a number of service
functions, such as those needed at the Gi interface of a mobile
infrastructure [USE-CASE].
These sophisticated service functions are located in the network but
also in service platforms or intermediate entities (e.g., Content
Delivery Networks (CDNs)). Network maintenance and diagnostic
operations are complicated, particularly when responsibility is
shared among various players.
Network Providers are challenged to deliver differentiated services
as a competitive business advantage while mastering the complexity of
the applications, (continuously) evaluating the impacts on
middleboxes, and enhancing customers' quality of experience.
Despite the complexity, removing all those service functions is not
an option because they are used to address constraints that are often
typical of the current (and changing) Internet. Operators must deal
with constraints such as global IPv4 address depletion and support a
plethora of services with different requirements for QoS, security,
robustness, etc.
1.2. Scope
Although many middleboxes observe and manipulate application-layer
content (e.g., session boarder controllers [RFC5853]), they are out
of scope for this document, the aim being to describe middleboxes
using transport-layer features. [RFC8404] describes the impact of
pervasive encryption of application-layer data on network monitoring,
protecting, and troubleshooting.
The current document is not intended to recommend (or prohibit)
middlebox deployment. Many operators have found the value provided
by middleboxes to outweigh the added cost and complexity; this
document attempts to provide that perspective as a reference in
discussion of protocol design trade-offs.
This document is not intended to discuss issues related to
middleboxes. These issues are well known and are recorded in
existing documents such as [RFC3234] and [RFC6269]. This document
aims to elaborate on the motivations leading operators to enable such
functions in spite of complications.
Dolson, et al. Informational [Page 4]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
This document takes an operator perspective that measurement and
management of transport connections is of benefit to both parties:
the end user receives a better quality of experience, and the network
operator improves resource usage, the former being a consequence of
the latter.
This document does not discuss whether exposing some data to on-path
devices for network-assistance purposes can be achieved by using
in-band or out-of-band mechanisms.
2. Measurements
A number of measurements can be made by network devices that are
either on-path or off-path. These measurements can be used either by
automated systems or for manual network troubleshooting purposes
(e.g., using packet-analysis tools). The automated systems can
further be classified into two types: 1) monitoring systems that
compute performance indicators for single connections or aggregates
of connections and generate aggregated reports from them; and 2)
active systems that make decisions also on how to handle packet flows
based on these performance indicators.
Long-term trends in these measurements can aid an operator in
capacity planning.
Short-term anomalies revealed by these measurements can identify
network breakages, attacks in progress, or misbehaving devices/
applications.
2.1. Packet Loss
It is very useful for an operator to be able to detect and isolate
packet loss in a network.
Network problems and underprovisioning can be detected if packet loss
is measurable. TCP packet loss can be detected by observing gaps in
sequence numbers, retransmitted sequence numbers, and selective
acknowledgement (SACK) options [RFC2018]. Packet loss can be
detected per direction.
Gaps indicate loss upstream of the traffic observation point;
retransmissions indicate loss downstream of the traffic observation
point. SACKs can be used to detect either upstream or downstream
packet loss (although some care needs to be taken to avoid
misidentifying packet reordering as packet loss) and to distinguish
between upstream versus downstream losses.
Dolson, et al. Informational [Page 5]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
Packet-loss measurements on both sides of the measurement point are
an important component in precisely diagnosing insufficiently
dimensioned devices or links in networks. Additionally, packet
losses are one of the two main ways for congestion to manifest, the
others being queuing delay or Explicit Congestion Notification (ECN)
[RFC3168]; therefore, packet loss is an important measurement for any
middlebox that needs to make traffic handling decisions based on
observed levels of congestion.
2.2. Round-Trip Times
The ability to measure partial-path round-trip times (RTTs) is
valuable in diagnosing network issues (e.g., abnormal latency,
abnormal packet loss). Knowing if latency is poor on one side of the
observation point or the other provides more information than is
available at either endpoint, which can only observe full RTTs.
For example, a TCP packet stream can be used to measure the RTT on
each side of the measurement point. During the connection handshake,
the SYN, SYN/ACK, and ACK timings can be used to establish a baseline
RTT in each direction. Once the connection is established, the RTT
between the server and the measurement point can only reliably be
determined using TCP timestamps [RFC7323]. On the side between the
measurement point and the client, the exact timing of data segments
and ACKs can be used as an alternative. For this latter method to be
accurate when packet loss is present, the connection must use
selective acknowledgements.
In many networks, congestion will show up as increasing packet
queuing, and congestion-induced packet loss will only happen in
extreme cases. RTTs will also show up as a much smoother signal than
the discrete packet-loss events. This makes RTTs a good way to
identify individual subscribers for whom the network is a bottleneck
at a given time or geographical sites (such as cellular towers) that
are experiencing large-scale congestion.
The main limit of RTT measurement as a congestion signal is the
difficulty of reliably distinguishing between the data segments being
queued versus the ACKs being queued.
2.3. Measuring Packet Reordering
If a network is reordering packets of transport connections, caused
perhaps by Equal-Cost Multipath (ECMP) misconfiguration (described in
[RFC2991] and [RFC7690], for example), the endpoints may react as if
packet loss is occurring and retransmit packets or reduce forwarding
rates. Therefore, a network operator desires the ability to diagnose
packet reordering.
Dolson, et al. Informational [Page 6]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
For TCP, packet reordering can be detected by observing TCP sequence
numbers per direction. See, for example, a number of standard
packet-reordering metrics in [RFC4737] and informational metrics in
[RFC5236].
2.4. Throughput and Bottleneck Identification
Although throughput to or from an IP address can be measured without
transport-layer measurements, the transport layer provides clues
about what the endpoints were attempting to do.
One way of quickly excluding the network as the bottleneck during
troubleshooting is to check whether the speed is limited by the
endpoints. For example, the connection speed might instead be
limited by suboptimal TCP options, the sender's congestion window,
the sender temporarily running out of data to send, the sender
waiting for the receiver to send another request, or the receiver
closing the receive window.
This data is also useful for middleboxes used to measure network
quality of service. Connections, or portions of connections, that
are limited by the endpoints do not provide an accurate measure of
the network's speed and can be discounted or completely excluded in
such analyses.
2.5. Congestion Responsiveness
Congestion control mechanisms continue to evolve. Tools exist that
can interpret protocol sequence numbers (e.g., from TCP or RTP) to
infer the congestion response of a flow. Such tools can be used by
operators to help understand the impact of specific transport
protocols on other traffic that shares their network. For example,
packet sequence numbers can be analyzed to help understand whether an
application flow backs off its load in the face of persistent
congestion (as TCP does) and, hence, whether the behavior is
appropriate for sharing limited network capacity.
These tools can also be used to determine whether mechanisms are
needed in the network to prevent flows from acquiring excessive
network capacity under severe congestion (e.g., by deploying rate
limiters or network transport circuit breakers [RFC8084]).
Dolson, et al. Informational [Page 7]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
2.6. Attack Detection
When an application or network resource is under attack, it is useful
to identify this situation from the network perspective, upstream of
the attacked resource.
Although detection methods tend to be proprietary, attack detection
from within the network may comprise:
o Identifying uncharacteristic traffic volumes or sources;
o Identifying congestion, possibly using techniques in Sections 2.1
and 2.2;
o Identifying incomplete connections or transactions, from attacks
that attempt to exhaust server resources;
o Fingerprinting based on whatever available fields are determined
to be useful in discriminating an attack from desirable traffic.
Two trends in protocol design will make attack detection more
difficult:
o The desire to encrypt transport-layer fields;
o The desire to avoid statistical fingerprinting by adding entropy
in various forms.
While improving privacy, those approaches may hinder attack
detection.
2.7. Packet Corruption
One notable source of packet loss is packet corruption. This
corruption will generally not be detected until the checksums are
validated by the endpoint and the packet is dropped. This means that
detecting the exact location where packets are lost is not sufficient
when troubleshooting networks. An operator would like to find out
where packets are being corrupted. IP and TCP checksum verification
allows a measurement device to correctly distinguish between upstream
packet corruption and normal downstream packet loss.
Transport protocol designers should consider whether a middlebox will
be able to detect corrupted or tampered packets.
Dolson, et al. Informational [Page 8]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
2.8. Application-Layer Measurements
Information about network health may also be gleaned from
application-layer diagnosis, such as:
o DNS response times and retransmissions calculated by correlating
answers to queries;
o Various protocol-aware voice and video quality analyses.
Could this type of information be provided in a transport layer?
3. Functions beyond Measurement: A Few Examples
This section describes features provided by on-path devices that go
beyond measurement by modifying, discarding, delaying, or
prioritizing traffic.
3.1. NAT
Network Address Translators (NATs) allow multiple devices to share a
public address by dividing the transport-layer port space among the
devices.
NAT behavior recommendations are found for UDP in BCP 127 [RFC4787]
and for TCP in BCP 142 [RFC7857].
To support NAT, there must be transport-layer port numbers that can
be modified by the NAT. Note that required fields (e.g., port
numbers) are visible in all IETF-defined transport protocols.
The application layer must not assume the port number was left
unchanged (e.g., by including it in a checksum or signing it).
Address sharing is also used in the context of IPv6 transition. For
example, DS-Lite Address Family Transition Router (AFTR) [RFC6333],
NAT64 [RFC6146], or A+P [RFC7596][RFC7597] are features that are
enabled in the network to allow for IPv4 service continuity over an
IPv6 network.
Further, because of some multihoming considerations, IPv6 prefix
translation may be enabled by some enterprises by means of IPv6-to-
IPv6 Network Prefix Translation (NPTv6) [RFC6296].
Dolson, et al. Informational [Page 9]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
3.2. Firewall
Firewalls are pervasive and essential components that inspect
incoming and outgoing traffic. Firewalls are usually the cornerstone
of a security policy that is enforced in end-user premises and other
locations to provide strict guarantees about traffic that may be
authorized to enter/leave the said premises, as well as end users who
may be assigned different clearance levels regarding which networks
and portions of the Internet they access.
An important aspect of a firewall policy is differentiating
internally initiated from externally initiated communications.
For TCP, this is easily done by tracking the TCP state machine.
Furthermore, the ending of a TCP connection is indicated by RST or
FIN flags.
For UDP, the firewall can be opened if the first packet comes from
an internal user, but the closing is generally done by an idle
timer of arbitrary duration, which might not match the
expectations of the application.
Simple IPv6 firewall capabilities for customer premises equipment
(both stateless and stateful) are described in [RFC6092].
A firewall functions better when it can observe the protocol state
machine, described generally by "Transport-Independent Path Layer
State Management" [PATH-STATE].
3.3. DDoS Scrubbing
In the context of a DDoS attack, the purpose of a scrubber is to
discard attack traffic while permitting useful traffic. Such a
mitigator is described in [DOTS].
When attacks occur against constrained resources, some traffic will
be discarded before reaching the intended destination. A user
receives better experience and a server runs more efficiently if a
scrubber can discard attack traffic, leaving room for legitimate
traffic.
Scrubbing must be provided by an on-path network device, because
neither endpoint of a legitimate connection has any control over the
source of the attack traffic.
Source-spoofed DDoS attacks can be mitigated at the source using BCP
38 [RFC2827], but it is more difficult if source address filtering
cannot be applied.
Dolson, et al. Informational [Page 10]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
In contrast to devices in the core of the Internet, middleboxes
statefully observing bidirectional transport connections can reject
source-spoofed TCP traffic based on the inability to provide sensible
acknowledgement numbers to complete the three-way handshake.
Obviously, this requires middlebox visibility into a transport-layer
state machine.
Middleboxes may also scrub on the basis of statistical
classification: testing how likely a given packet is to be
legitimate. As protocol designers add more entropy to headers and
lengths, this test becomes less useful, and the best scrubbing
strategy becomes random drop.
3.4. Implicit Identification
In order to enhance the end user's quality of experience, some
operators deploy implicit identification features that rely upon the
correlation of network-related information to access some local
services. For example, service portals operated by some operators
may be accessed immediately by end users without any explicit
identification for the sake of improved service availability. This
is doable thanks to on-path devices that inject appropriate metadata
that can be used by the remote server to enforce per-subscriber
policies. The information can be injected at the application layer
or at the transport layer (when an address-sharing mechanism is in
use).
An experimental implementation using a TCP option is described in
[RFC7974].
For the intended use of implicit identification, it is more secure to
have a trusted middlebox mark this traffic than to trust end-user
devices.
3.5. Performance-Enhancing Proxies
Performance-Enhancing Proxies (PEPs) can improve performance in some
types of networks by improving packet spacing or generating local
acknowledgements; they are most commonly used in satellite and
cellular networks. Transport-Layer PEPs are described in
Section 2.1.1 of [RFC3135].
PEPs allow central deployment of congestion control algorithms more
suited to the specific network, most commonly for delay-based
congestion control. More advanced TCP PEPs deploy congestion control
systems that treat all of a single end user's TCP connections as a
single unit, improving fairness and allowing faster reaction to
Dolson, et al. Informational [Page 11]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
changing network conditions. For example, it was reported that
splitting the TCP connections in some network accesses can result in
a halved page downloading time [ICCRG].
Local acknowledgements generated by PEPs speed up TCP slow start by
splitting the effective latency, and they allow for retransmissions
to be done from the PEP rather than from the actual sender. Local
acknowledgements will also allow a PEP to maintain a local buffer of
data appropriate to the actual network conditions, whereas the actual
endpoints would often send too much or too little.
A PEP function requires transport-layer fields that allow chunks of
data to be identified (e.g., TCP sequence numbers), acknowledgements
to be identified (e.g., TCP ACK numbers), and acknowledgements to be
created from the PEP.
Note that PEPs are only useful in some types of networks. In
particular, PEPs are very useful in contexts wherein the congestion
control strategies of the endpoints are inappropriate for the network
connecting them. That being said, poor design can result in degraded
performances when PEPs are deployed.
3.6. Network Coding
Network Coding is a technique for improving transmission performance
over low-bandwidth, long-latency links such as some satellite links.
Coding may involve lossless compression and/or adding redundancy to
headers and payload. A Network Coding Taxonomy is provided by
[RFC8406]; an example of end-to-end coding is FECFRAME [RFC6363]. It
is typically deployed with network-coding gateways at each end of
those links, with a network-coding tunnel between them via the
slow/lossy/long-latency links.
Network-coding implementations may be specific to TCP, taking
advantage of known properties of the protocol.
The network-coding gateways may employ some techniques of PEPs, such
as creating acknowledgements of queued data, removing
retransmissions, and pacing data rates to reduce queue oscillation.
The interest in more network coding in some specific networks is
discussed in [SATELLITES].
Note: This is not to be confused with transcoding, which performs
lossy compression on transmitted media streams and is not in scope
for this document.
Dolson, et al. Informational [Page 12]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
3.7. Network-Assisted Bandwidth Aggregation
The Hybrid Access Aggregation Point is a middlebox that allows
customers to aggregate the bandwidth of multiple access technologies.
One of the approaches uses Multipath TCP (MPTCP) proxies
[TCP-CONVERT] to forward traffic along multiple paths. The MPTCP
proxy operates at the transport layer while being located in the
operator's network.
The support of multipath transport capabilities by communicating
hosts remains a privileged target design so that such hosts can
directly use the available resources provided by a variety of access
networks they can connect to. Nevertheless, network operators do not
control end hosts, whereas the support of MPTCP by content servers
remains marginal.
Network-assisted MPTCP deployment models are designed to facilitate
the adoption of MPTCP for the establishment of multipath
communications without making any assumption about the support of
MPTCP capabilities by communicating peers. Network-assisted MPTCP
deployment models rely upon MPTCP Conversion Points (MCPs) that act
on behalf of hosts so that they can take advantage of establishing
communications over multiple paths [TCP-CONVERT].
Note there are cases when end-to-end MPTCP cannot be used even though
both client and server are MPTCP-compliant. An MPTCP proxy can
provide multipath utilization in these cases. Examples of such cases
are listed below:
1. The use of private IPv4 addresses in some access networks.
Typically, additional subflows cannot be added to the MPTCP
connection without the help of an MCP.
2. The assignment of IPv6 prefixes only by some networks. If the
server is IPv4-only, IPv6 subflows cannot be added to an MPTCP
connection established with that server, by definition.
3. Subscription to some service offerings is subject to volume
quota.
3.8. Prioritization and Differentiated Services
Bulk traffic may be served with a higher latency than interactive
traffic with no reduction in throughput. This fact allows a
middlebox function to improve response times in interactive
applications by prioritizing, policing, or remarking interactive
transport connections differently from bulk-traffic transport
Dolson, et al. Informational [Page 13]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
connections. For example, gaming traffic may be prioritized over
email or software updates. Configuration guidelines for Diffserv
service classes are discussed in [RFC4594].
Middleboxes may identify different classes of traffic by inspecting
multiple layers of header and length of payload.
3.9. Measurement-Based Shaping
Basic traffic-shaping functionality requires no transport-layer
information. All that is needed is a way of mapping each packet to a
traffic shaper quota. For example, there may be a rate limit per
5-tuple or per subscriber IP address. However, such fixed traffic
shaping rules are wasteful as they end up rate-limiting traffic even
when the network has free resources available.
More advanced traffic-shaping devices use transport-layer metrics
described in Section 2 to detect congestion on either a per-site or a
per-user level and use different traffic-shaping rules when
congestion is detected [RFC3272]. This type of device can overcome
limitations of downstream devices that behave poorly (e.g., by
excessive buffering or suboptimally dropping packets).
3.10. Fairness to End-User Quota
Several service offerings rely upon a volume-based charging model
(e.g., volume-based data plans offered by cellular providers).
Operators may assist end users in conserving their data quota by
deploying on-path functions that shape traffic that would otherwise
be aggressively transferred.
For example, a fast download of a video that won't be viewed
completely by the subscriber may lead to quick exhaustion of the data
quota. Limiting the video download rate conserves quota for the
benefit of the end user. Also, discarding unsolicited incoming
traffic prevents the user's quota from being unfairly exhausted.
4. IANA Considerations
This document has no IANA actions.
5. Security Considerations
5.1. Confidentiality and Privacy
This document intentionally excludes middleboxes that observe or
manipulate application-layer data.
Dolson, et al. Informational [Page 14]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
The measurements and functions described in this document can all be
implemented without violating confidentiality [RFC6973]. However,
there is always the question of whether the fields and packet
properties used to achieve operational benefits may also be used for
harm.
In particular, the question is what confidentiality is lost by
exposing transport-layer fields beyond what can be learned by
observing IP-layer fields:
o Sequence numbers: an observer can learn how much data is
transferred.
o Start/Stop indicators: an observer can count transactions for some
applications.
o Device fingerprinting: an observer may be more easily able to
identify a device type when different devices use different
default field values or options.
5.2. Active On-Path Attacks
An on-path attacker being able to observe sequence numbers or session
identifiers may make it easier to modify or terminate a transport
connection. For example, observing TCP sequence numbers allows
generation of a RST packet that terminates the connection. However,
signing transport fields softens this attack. The attack and
solution are described for the TCP authentication option [RFC5925].
Still, an on-path attacker can also drop the traffic flow.
5.3. Improved Security
Network maintainability and security can be improved by providing
firewalls and DDoS mechanisms with some information about transport
connections. In contrast, it would be very difficult to secure a
network in which every packet appears unique and filled with random
bits (from the perspective of an on-path device).
Some features providing the ability to mitigate/filter attacks owing
to a network-assisted mechanism will therefore improve security --
e.g., by means of Distributed-Denial-of-Service Open Threat Signaling
(DOTS) [DOTS-SIGNAL].
Dolson, et al. Informational [Page 15]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
6. Informative References
[DOTS] Mortensen, A., Andreasen, F., Reddy, T., Compton, R., and
N. Teague, "Distributed-Denial-of-Service Open Threat
Signaling (DOTS) Architecture", Work in Progress,
draft-ietf-dots-architecture-07, September 2018.
[DOTS-SIGNAL]
Reddy, T., Boucadair, M., Patil, P., Mortensen, A., and N.
Teague, "Distributed Denial-of-Service Open Threat
Signaling (DOTS) Signal Channel Specification", Work in
Progress, draft-ietf-dots-signal-channel-25, September
2018.
[ICCRG] Kuhn, N., "MPTCP and BBR performance over Internet
satellite paths", IETF 100, 2017,
<https://datatracker.ietf.org/meeting/100/materials/
slides-100-iccrg-mptcp-and-bbr-performance-over-satcom-
links-00>.
[PATH-STATE]
Kuehlewind, M., Trammell, B., and J. Hildebrand,
"Transport-Independent Path Layer State Management", Work
in Progress, draft-trammell-plus-statefulness-04, November
2017.
[RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP
Selective Acknowledgment Options", RFC 2018,
DOI 10.17487/RFC2018, October 1996,
<https://www.rfc-editor.org/info/rfc2018>.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <https://www.rfc-editor.org/info/rfc2827>.
[RFC2991] Thaler, D. and C. Hopps, "Multipath Issues in Unicast and
Multicast Next-Hop Selection", RFC 2991,
DOI 10.17487/RFC2991, November 2000,
<https://www.rfc-editor.org/info/rfc2991>.
[RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and
Z. Shelby, "Performance Enhancing Proxies Intended to
Mitigate Link-Related Degradations", RFC 3135,
DOI 10.17487/RFC3135, June 2001,
<https://www.rfc-editor.org/info/rfc3135>.
Dolson, et al. Informational [Page 16]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
[RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
of Explicit Congestion Notification (ECN) to IP",
RFC 3168, DOI 10.17487/RFC3168, September 2001,
<https://www.rfc-editor.org/info/rfc3168>.
[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,
<https://www.rfc-editor.org/info/rfc3234>.
[RFC3272] Awduche, D., Chiu, A., Elwalid, A., Widjaja, I., and
X. Xiao, "Overview and Principles of Internet Traffic
Engineering", RFC 3272, DOI 10.17487/RFC3272, May 2002,
<https://www.rfc-editor.org/info/rfc3272>.
[RFC4594] Babiarz, J., Chan, K., and F. Baker, "Configuration
Guidelines for DiffServ Service Classes", RFC 4594,
DOI 10.17487/RFC4594, August 2006,
<https://www.rfc-editor.org/info/rfc4594>.
[RFC4737] Morton, A., Ciavattone, L., Ramachandran, G., Shalunov,
S., and J. Perser, "Packet Reordering Metrics", RFC 4737,
DOI 10.17487/RFC4737, November 2006,
<https://www.rfc-editor.org/info/rfc4737>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
2007, <https://www.rfc-editor.org/info/rfc4787>.
[RFC5236] Jayasumana, A., Piratla, N., Banka, T., Bare, A., and
R. Whitner, "Improved Packet Reordering Metrics",
RFC 5236, DOI 10.17487/RFC5236, June 2008,
<https://www.rfc-editor.org/info/rfc5236>.
[RFC5853] Hautakorpi, J., Ed., Camarillo, G., Penfield, R.,
Hawrylyshen, A., and M. Bhatia, "Requirements from Session
Initiation Protocol (SIP) Session Border Control (SBC)
Deployments", RFC 5853, DOI 10.17487/RFC5853, April 2010,
<https://www.rfc-editor.org/info/rfc5853>.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
June 2010, <https://www.rfc-editor.org/info/rfc5925>.
Dolson, et al. Informational [Page 17]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
[RFC6092] Woodyatt, J., Ed., "Recommended Simple Security
Capabilities in Customer Premises Equipment (CPE) for
Providing Residential IPv6 Internet Service", RFC 6092,
DOI 10.17487/RFC6092, January 2011,
<https://www.rfc-editor.org/info/rfc6092>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <https://www.rfc-editor.org/info/rfc6146>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>.
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
Stack Lite Broadband Deployments Following IPv4
Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011,
<https://www.rfc-editor.org/info/rfc6333>.
[RFC6363] Watson, M., Begen, A., and V. Roca, "Forward Error
Correction (FEC) Framework", RFC 6363,
DOI 10.17487/RFC6363, October 2011,
<https://www.rfc-editor.org/info/rfc6363>.
[RFC6459] Korhonen, J., Ed., Soininen, J., Patil, B., Savolainen,
T., Bajko, G., and K. Iisakkila, "IPv6 in 3rd Generation
Partnership Project (3GPP) Evolved Packet System (EPS)",
RFC 6459, DOI 10.17487/RFC6459, January 2012,
<https://www.rfc-editor.org/info/rfc6459>.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973,
DOI 10.17487/RFC6973, July 2013,
<https://www.rfc-editor.org/info/rfc6973>.
[RFC7323] Borman, D., Braden, B., Jacobson, V., and
R. Scheffenegger, Ed., "TCP Extensions for High
Performance", RFC 7323, DOI 10.17487/RFC7323, September
2014, <https://www.rfc-editor.org/info/rfc7323>.
Dolson, et al. Informational [Page 18]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
[RFC7498] Quinn, P., Ed. and T. Nadeau, Ed., "Problem Statement for
Service Function Chaining", RFC 7498,
DOI 10.17487/RFC7498, April 2015,
<https://www.rfc-editor.org/info/rfc7498>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and
I. Farrer, "Lightweight 4over6: An Extension to the Dual-
Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
July 2015, <https://www.rfc-editor.org/info/rfc7596>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
Murakami, T., and T. Taylor, Ed., "Mapping of Address and
Port with Encapsulation (MAP-E)", RFC 7597,
DOI 10.17487/RFC7597, July 2015,
<https://www.rfc-editor.org/info/rfc7597>.
[RFC7690] Byerly, M., Hite, M., and J. Jaeggli, "Close Encounters of
the ICMP Type 2 Kind (Near Misses with ICMPv6 Packet Too
Big (PTB))", RFC 7690, DOI 10.17487/RFC7690, January 2016,
<https://www.rfc-editor.org/info/rfc7690>.
[RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed.,
Sivakumar, S., and K. Naito, "Updates to Network Address
Translation (NAT) Behavioral Requirements", BCP 127,
RFC 7857, DOI 10.17487/RFC7857, April 2016,
<https://www.rfc-editor.org/info/rfc7857>.
[RFC7974] Williams, B., Boucadair, M., and D. Wing, "An Experimental
TCP Option for Host Identification", RFC 7974,
DOI 10.17487/RFC7974, October 2016,
<https://www.rfc-editor.org/info/rfc7974>.
[RFC8084] Fairhurst, G., "Network Transport Circuit Breakers",
BCP 208, RFC 8084, DOI 10.17487/RFC8084, March 2017,
<https://www.rfc-editor.org/info/rfc8084>.
[RFC8404] Moriarty, K., Ed. and A. Morton, Ed., "Effects of
Pervasive Encryption on Operators", RFC 8404,
DOI 10.17487/RFC8404, July 2018,
<https://www.rfc-editor.org/info/rfc8404>.
[RFC8406] Adamson, B., Adjih, C., Bilbao, J., Firoiu, V., Fitzek,
F., Ghanem, S., Lochin, E., Masucci, A., Montpetit, M-J.,
Pedersen, M., Peralta, G., Roca, V., Ed., Saxena, P., and
S. Sivakumar, "Taxonomy of Coding Techniques for Efficient
Network Communications", RFC 8406, DOI 10.17487/RFC8406,
June 2018, <https://www.rfc-editor.org/info/rfc8406>.
Dolson, et al. Informational [Page 19]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
[SATELLITES]
Kuhn, N. and E. Lochin, "Network coding and satellites",
Work in Progress, draft-irtf-nwcrg-network-coding-
satellites-02, November 2018.
[TCP-CONVERT]
Bonaventure, O., Boucadair, M., Gundavelli, S., and S.
Seo, "0-RTT TCP Convert Protocol", Work in Progress,
draft-ietf-tcpm-converters-04, October 2018.
[USE-CASE] Napper, J., Stiemerling, M., Lopez, D., and J. Uttaro,
"Service Function Chaining Use Cases in Mobile Networks",
Work in Progress, draft-ietf-sfc-use-case-mobility-08,
May 2018.
Dolson, et al. Informational [Page 20]
^L
RFC 8517 Transport-Centric Middlebox Functions February 2019
Acknowledgements
The authors thank Brian Trammell, Brian Carpenter, Mirja Kuehlewind,
Kathleen Moriarty, Gorry Fairhurst, Adrian Farrel, and Nicolas Kuhn
for their review and suggestions.
Authors' Addresses
David Dolson (editor)
Email: ddolson@acm.org
Juho Snellman
Email: jsnell@iki.fi
Mohamed Boucadair (editor)
Orange
4 rue du Clos Courtel
Rennes 35000
France
Email: mohamed.boucadair@orange.com
Christian Jacquenet
Orange
4 rue du Clos Courtel
Rennes 35000
France
Email: christian.jacquenet@orange.com
Dolson, et al. Informational [Page 21]
^L
|