1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
|
Internet Engineering Task Force (IETF) O. Bonaventure, Ed.
Request for Comments: 8803 Tessares
Category: Experimental M. Boucadair, Ed.
ISSN: 2070-1721 Orange
S. Gundavelli
Cisco
S. Seo
Korea Telecom
B. Hesmans
Tessares
July 2020
0-RTT TCP Convert Protocol
Abstract
This document specifies an application proxy, called Transport
Converter, to assist the deployment of TCP extensions such as
Multipath TCP. A Transport Converter may provide conversion service
for one or more TCP extensions. The conversion service is provided
by means of the 0-RTT TCP Convert Protocol (Convert).
This protocol provides 0-RTT (Zero Round-Trip Time) conversion
service since no extra delay is induced by the protocol compared to
connections that are not proxied. Also, the Convert Protocol does
not require any encapsulation (no tunnels whatsoever).
This specification assumes an explicit model, where the Transport
Converter is explicitly configured on hosts. As a sample
applicability use case, this document specifies how the Convert
Protocol applies for Multipath TCP.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are candidates for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8803.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
1.1. The Problem
1.2. Network-Assisted Connections: The Rationale
1.3. Applicability Scope
2. Conventions and Definitions
3. Differences with SOCKSv5
4. Architecture and Behaviors
4.1. Functional Elements
4.2. Theory of Operation
4.3. Data Processing at the Transport Converter
4.4. Address Preservation vs. Address Sharing
4.4.1. Address Preservation
4.4.2. Address/Prefix Sharing
5. Sample Examples
5.1. Outgoing Converter-Assisted Multipath TCP Connections
5.2. Incoming Converter-Assisted Multipath TCP Connection
6. The Convert Protocol (Convert)
6.1. The Convert Fixed Header
6.2. Convert TLVs
6.2.1. Generic Convert TLV Format
6.2.2. Summary of Supported Convert TLVs
6.2.3. The Info TLV
6.2.4. Supported TCP Extensions TLV
6.2.5. Connect TLV
6.2.6. Extended TCP Header TLV
6.2.7. The Cookie TLV
6.2.8. Error TLV
7. Compatibility of Specific TCP Options with the Conversion
Service
7.1. Base TCP Options
7.2. Window Scale (WS)
7.3. Selective Acknowledgments
7.4. Timestamp
7.5. Multipath TCP
7.6. TCP Fast Open
7.7. TCP-AO
8. Interactions with Middleboxes
9. Security Considerations
9.1. Privacy & Ingress Filtering
9.2. Authentication and Authorization Considerations
9.3. Denial of Service
9.4. Traffic Theft
9.5. Logging
10. IANA Considerations
10.1. Convert Service Name
10.2. The Convert Protocol (Convert) Parameters
10.2.1. Convert Versions
10.2.2. Convert TLVs
10.2.3. Convert Error Messages
11. References
11.1. Normative References
11.2. Informative References
Appendix A. Example Socket API Changes to Support the 0-RTT TCP
Convert Protocol
A.1. Active Open (Client Side)
A.2. Passive Open (Converter Side)
Acknowledgments
Contributors
Authors' Addresses
1. Introduction
1.1. The Problem
Transport protocols like TCP evolve regularly [RFC7414]. TCP has
been improved in different ways. Some improvements such as changing
the initial window size [RFC6928] or modifying the congestion control
scheme can be applied independently on Clients and Servers. Other
improvements such as Selective Acknowledgments [RFC2018] or large
windows [RFC7323] require a new TCP option or changing the semantics
of some fields in the TCP header. These modifications must be
deployed on both Clients and Servers to be actually used on the
Internet. Experience with the latter class of TCP extensions reveals
that their deployment can require many years. Fukuda reports in
[Fukuda2011] results of a decade of measurements showing the
deployment of Selective Acknowledgments, Window Scale, and TCP
Timestamps. [ANRW17] describes measurements showing that TCP Fast
Open (TFO) [RFC7413] is still not widely deployed.
There are some situations where the transport stack used on Clients
(or Servers) can be upgraded at a faster pace than the transport
stack running on Servers (or Clients). In those situations, Clients
(or Servers) would typically want to benefit from the features of an
improved transport protocol even if the Servers (or Clients) have not
yet been upgraded. Some assistance from the network to make use of
these features is valuable. For example, Performance Enhancing
Proxies [RFC3135] and other service functions have been deployed as
solutions to improve TCP performance over links with specific
characteristics.
Recent examples of TCP extensions include Multipath TCP (MPTCP)
[RFC8684] or tcpcrypt [RFC8548]. Those extensions provide features
that are interesting for Clients such as wireless devices. With
Multipath TCP, those devices could seamlessly use Wireless Local Area
Network (WLAN) and cellular networks for bonding purposes, faster
hand-overs, or better resiliency. Unfortunately, deploying those
extensions on both a wide range of Clients and Servers remains
difficult.
More recently, 5G bonding experimentation has been conducted into
global range of the incumbent 4G (LTE) connectivity using newly
devised Clients and a Multipath TCP proxy. Even if the 5G and 4G
bonding (that relies upon Multipath TCP) increases the bandwidth, it
is also crucial to minimize latency entirely between end hosts
regardless of whether intermediate nodes are inside or outside of the
mobile core. In order to handle Ultra-Reliable Low Latency
Communication (URLLC) for the next-generation mobile network,
Multipath TCP and its proxy mechanism such as the one used to provide
Access Traffic Steering, Switching, and Splitting (ATSSS) must be
optimized to reduce latency [TS23501].
1.2. Network-Assisted Connections: The Rationale
This document specifies an application proxy called Transport
Converter. A Transport Converter is a function that is installed by
a network operator to aid the deployment of TCP extensions and to
provide the benefits of such extensions to Clients in particular. A
Transport Converter may provide conversion service for one or more
TCP extensions. Which TCP extensions are eligible for the conversion
service is deployment specific. The conversion service is provided
by means of the 0-RTT TCP Convert Protocol (Convert), which is an
application-layer protocol that uses a specific TCP port number on
the Converter.
The Convert Protocol provides Zero Round-Trip Time (0-RTT) conversion
service since no extra delay is induced by the protocol compared to
connections that are not proxied. Particularly, the Convert Protocol
does not require extra signaling setup delays before making use of
the conversion service. The Convert Protocol does not require any
encapsulation (no tunnels, whatsoever).
The Transport Converter adheres to the main steps drawn in Section 3
of [RFC1919]. In particular, a Transport Converter achieves the
following:
* Listening for Client sessions;
* Receiving the address of the Server from the Client;
* Setting up a session to the Server;
* Relaying control messages and data between the Client and the
Server;
* Performing access controls according to local policies.
The main advantage of network-assisted conversion services is that
they enable new TCP extensions to be used on a subset of the path
between endpoints, which encourages the deployment of these
extensions. Furthermore, the Transport Converter allows the Client
and the Server to directly negotiate TCP extensions for the sake of
native support along the full path.
The Convert Protocol is a generic mechanism to provide 0-RTT
conversion service. As a sample applicability use case, this
document specifies how the Convert Protocol applies for Multipath
TCP. It is out of scope of this document to provide a comprehensive
list of all potential conversion services. Applicability documents
may be defined in the future.
This document does not assume that all the traffic is eligible for
the network-assisted conversion service. Only a subset of the
traffic will be forwarded to a Transport Converter according to a set
of policies. These policies, and how they are communicated to
endpoints, are out of scope. Furthermore, it is possible to bypass
the Transport Converter to connect directly to the Servers that
already support the required TCP extension(s).
This document assumes an explicit model in which a Client is
configured with one or a list of Transport Converters (statically or
through protocols such as [DHC-CONVERTER]). Configuration means are
outside the scope of this document.
The use of a Transport Converter means that there is no end-to-end
transport connection between the Client and Server. This could
potentially create problems in some scenarios such as those discussed
in Section 4 of [RFC3135]. Some of these problems may not be
applicable. For example, a Transport Converter can inform a Client
by means of Network Failure (65) or Destination Unreachable (97)
error messages (Section 6.2.8) that it encounters a failure problem;
the Client can react accordingly. An endpoint, or its network
administrator, can assess the benefit provided by the Transport
Converter service versus the risk. This is one reason why the
Transport Converter functionality has to be explicitly requested by
an endpoint.
This document is organized as follows:
Section 3 provides a brief overview of the differences between the
well-known SOCKS protocol and the 0-RTT TCP Convert Protocol.
Section 4 provides a brief explanation of the operation of
Transport Converters.
Section 5 includes a set of sample examples to illustrate the
overall behavior.
Section 6 describes the Convert Protocol.
Section 7 discusses how Transport Converters can be used to
support different TCP extensions.
Section 8 then discusses the interactions with middleboxes.
Section 9 focuses on security considerations.
Appendix A describes how a TCP stack would need to support the
protocol described in this document.
1.3. Applicability Scope
The 0-RTT TCP Convert Protocol specified in this document MUST be
used in a single administrative domain deployment model. That is,
the entity offering the connectivity service to a Client is also the
entity that owns and operates the Transport Converter, with no
transit over a third-party network.
Future deployment of Transport Converters by third parties MUST
adhere to the mutual authentication requirements in Section 9.2 to
prevent illegitimate traffic interception (Section 9.4) in
particular.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Differences with SOCKSv5
Several IETF protocols provide proxy services, the closest to the
0-RTT TCP Convert Protocol being the SOCKSv5 protocol [RFC1928].
This protocol is already used to deploy Multipath TCP in some
cellular networks (Section 2.2 of [RFC8041]).
A SOCKS Client creates a connection to a SOCKS Proxy, exchanges
authentication information, and indicates the IP address and port
number of the target Server. At this point, the SOCKS Proxy creates
a connection towards the target Server and relays all data between
the two proxied connections. The operation of an implementation
based on SOCKSv5 (without authentication) is illustrated in Figure 1.
Client SOCKS Proxy Server
| | |
| --------------------> | |
| SYN | |
| <-------------------- | |
| SYN+ACK | |
| --------------------> | |
| ACK | |
| | |
| --------------------> | |
|Version=5, Auth Methods| |
| <-------------------- | |
| Method | |
| --------------------> | |
|Auth Request (unless "No auth" method negotiated)
| <-------------------- | |
| Auth Response | |
| --------------------> | |
| Connect Server:Port | --------------------> |
| | SYN |
| | <-------------------- |
| | SYN+ACK |
| <-------------------- | |
| Succeeded | |
| --------------------> | |
| Data1 | |
| | --------------------> |
| | Data1 |
| | <-------------------- |
| | Data2 |
| <-------------------- | |
| Data2 | |
...
Figure 1: Establishment of a TCP Connection through a SOCKS Proxy
without Authentication
When SOCKS is used, an "end-to-end" connection between a Client and a
Server becomes a sequence of two TCP connections that are glued
together on the SOCKS Proxy. The SOCKS Client and Server exchange
control information at the beginning of the bytestream on the Client-
Proxy connection. The SOCKS Proxy then creates the connection with
the target Server and then glues the two connections together so that
all bytes sent by the application (Client) to the SOCKS Proxy are
relayed to the Server and vice versa.
The Convert Protocol is also used on TCP proxies that relay data
between an upstream and a downstream connection, but there are
important differences with SOCKSv5. A first difference is that the
0-RTT TCP Convert Protocol exchanges all the control information
during the initial RTT. This reduces the connection establishment
delay compared to SOCKS, which requires two or more round-trip times
before the establishment of the downstream connection towards the
final destination. In today's Internet, latency is an important
metric, and various protocols have been tuned to reduce their latency
[LOW-LATENCY]. A recently proposed extension to SOCKS leverages the
TCP Fast Open (TFO) option [INTAREA-SOCKS] to reduce this delay.
A second difference is that the Convert Protocol explicitly takes the
TCP extensions into account. By using the Convert Protocol, the
Client can learn whether a given TCP extension is supported by the
destination Server. This enables the Client to bypass the Transport
Converter when the Server supports the required TCP extension(s).
Neither SOCKSv5 [RFC1928] nor the proposed SOCKSv6 [INTAREA-SOCKS]
provide such a feature.
A third difference is that a Transport Converter will only confirm
the establishment of the connection initiated by the Client provided
that the downstream connection has already been accepted by the
Server. If the Server refuses the connection establishment attempt
from the Transport Converter, then the upstream connection from the
Client is rejected as well. This feature is important for
applications that check the availability of a Server or use the time
to connect as a hint on the selection of a Server [RFC8305].
A fourth difference is that the 0-RTT TCP Convert Protocol only
allows the Client to specify the IP address/port number of the
destination Server and not a DNS name. We evaluated an alternate
design that included the DNS name of the remote peer instead of its
IP address as in SOCKS [RFC1928]. However, that design was not
adopted because it induces both an extra load and increased delays on
the Transport Converter to handle and manage DNS resolution requests.
Note that the name resolution at the Converter may fail (e.g.,
private names discussed in Section 2.1 of [RFC6731]) or may not match
the one that would be returned by a Client's resolution library
(e.g., Section 2.2 of [RFC6731]).
4. Architecture and Behaviors
4.1. Functional Elements
The Convert Protocol considers three functional elements:
* Clients
* Transport Converters
* Servers
A Transport Converter is a network function that proxies all data
exchanged over one upstream connection to one downstream connection
and vice versa (Figure 2). Thus, the Transport Converter maintains
state that associates one upstream connection to a corresponding
downstream connection.
A connection can be initiated from both sides of the Transport
Converter (External realm, Internal realm).
|
:
|
+------------+
Client <- upstream ->| Transport |<- downstream -> Server
connection | Converter | connection
+------------+
|
Internal realm : External realm
|
Figure 2: A Transport Converter Proxies Data between Pairs of TCP
Connections
"Client" refers to a software instance embedded on a host that can
reach a Transport Converter in the internal realm. The "Client" can
initiate connections via a Transport Converter (referred to as
outgoing connections). Also, the "Client" can accept incoming
connections via a Transport Converter (referred to as incoming
connections).
A Transport Converter can be embedded in a standalone device or be
activated as a service on a router. How such a function is enabled
is deployment specific.
The architecture assumes that new software will be installed on the
Client hosts to interact with one or more Transport Converters.
Furthermore, the architecture allows for making use of new TCP
extensions even if those are not supported by a given Server.
A Client is configured, through means that are outside the scope of
this document, with the names and/or addresses of one or more
Transport Converters and the TCP extensions that they support. The
procedure for selecting a Transport Converter among a list of
configured Transport Converters is outside the scope of this
document.
One of the benefits of this design is that different transport
protocol extensions can be used on the upstream and the downstream
connections. This encourages the deployment of new TCP extensions
until they are widely supported, in particular, by Servers.
The architecture does not mandate anything on the Server side.
Similar to SOCKS, the architecture does not interfere with end-to-end
TLS connections [RFC8446] between the Client and the Server
(Figure 3). In other words, end-to-end TLS is supported in the
presence of a Converter.
Client Transport Server
| Converter |
| | |
/==========================================\
| End-to-end TLS |
\==========================================/
* TLS messages exchanged between the Client
and the Server are not shown.
Figure 3: End-to-end TLS via a Transport Converter
It is out of scope of this document to elaborate on specific
considerations related to the use of TLS in the Client-Converter
connection leg to exchange Convert messages (in addition to the end-
to-end TLS connection). In particular, (1) assessment of whether
0-RTT data mode discussed in Section 2.3 of [RFC8446] is safe under
replay and (2) specification of a profile for its use (Appendix E.5
of [RFC8446]) are out of scope.
4.2. Theory of Operation
At a high level, the objective of the Transport Converter is to allow
the use a specific extension, e.g., Multipath TCP, on a subset of the
path even if the peer does not support this extension. This is
illustrated in Figure 4 where the Client initiates a Multipath TCP
connection with the Transport Converter (packets belonging to the
Multipath TCP connection are shown with "===") while the Transport
Converter uses a TCP connection with the Server.
Client Transport Server
| Converter |
| | |
|==================>|--------------------->|
| | |
|<==================|<---------------------|
| | |
Multipath TCP packets TCP packets
Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP
Connection
The packets belonging to a connection established through a Transport
Converter may follow a different path than the packets directly
exchanged between the Client and the Server. Deployments should
minimize the possible additional delay by carefully selecting the
location of the Transport Converter used to reach a given
destination.
When establishing a connection, the Client can, depending on local
policies, either contact the Server directly (e.g., by sending a TCP
SYN towards the Server) or create the connection via a Transport
Converter. In the latter case (that is, the conversion service is
used), the Client initiates a connection towards the Transport
Converter and indicates the IP address and port number of the Server
within the connection establishment packet. Doing so enables the
Transport Converter to immediately initiate a connection towards that
Server without experiencing an extra delay. The Transport Converter
waits until the receipt of the confirmation that the Server agrees to
establish the connection before confirming it to the Client.
The Client places the destination address and port number of the
Server in the payload of the SYN sent to the Transport Converter to
minimize connection establishment delays. The Transport Converter
maintains two connections that are combined together:
* The upstream connection is the one between the Client and the
Transport Converter.
* The downstream connection is the one between the Transport
Converter and the Server.
Any user data received by the Transport Converter over the upstream
(or downstream) connection is proxied over the downstream (or
upstream) connection.
Figure 5 illustrates the establishment of an outgoing TCP connection
by a Client through a Transport Converter.
| Note: The information shown between brackets in Figure 5 (and
| other figures in the document) refers to Convert Protocol
| messages described in Section 6.
Transport
Client Converter Server
| | |
|SYN [->Server:port]| SYN |
|------------------>|--------------------->|
|<------------------|<---------------------|
| SYN+ACK [ ] | SYN+ACK |
| ... | ... |
Figure 5: Establishment of an Outgoing TCP Connection through a
Transport Converter
The Client sends a SYN destined to the Transport Converter. The
payload of this SYN contains the address and port number of the
Server. The Transport Converter does not reply immediately to this
SYN. It first tries to create a TCP connection towards the target
Server. If this upstream connection succeeds, the Transport
Converter confirms the establishment of the connection to the Client
by returning a SYN+ACK and the first bytes of the bytestream contain
information about the TCP options that were negotiated with the
Server. Also, a state entry is instantiated for this connection.
This state entry is used by the Converter to handle subsequent
messages belonging to the connection.
The connection can also be established from the Internet towards a
Client via a Transport Converter (Figure 6). This is typically the
case when the Client hosts an application Server that listens to a
specific port number. When the Converter receives an incoming SYN
from a remote host, it checks if it can provide the conversion
service for the destination IP address and destination port number of
that SYN. The Transport Converter receives this SYN because it is,
for example, on the path between the remote host and the Client or it
provides address-sharing service for the Client (Section 2 of
[RFC6269]). If the check fails, the packet is silently ignored by
the Converter. If the check is successful, the Converter tries to
initiate a TCP connection towards the Client from its own address and
using its configured TCP options. In the SYN that corresponds to
this connection attempt, the Transport Convert inserts a TLV message
that indicates the source address and port number of the remote host.
A transport session entry is created by the Converter for this
connection. SYN+ACK and ACK will then be exchanged between the
Client, the Converter, and remote host to confirm the establishment
of the connection. The Converter uses the transport session entry to
proxy packets belonging to the connection.
Transport Remote
Client Converter Host (RH)
| | |
|SYN [<-RH IP@:port]| SYN |
|<------------------|<---------------------|
|------------------>|--------------------->|
| SYN+ACK [ ] | SYN+ACK |
| ... | ... |
Figure 6: Establishment of an Incoming TCP Connection through a
Transport Converter
Standard TCP (Section 3.4 of [RFC0793]) allows a SYN packet to carry
data inside its payload but forbids the receiver from delivering it
to the application until completion of the three-way-handshake. To
enable applications to exchange data in a TCP handshake, this
specification follows an approach similar to TCP Fast Open [RFC7413]
and thus, removes the constraint by allowing data in SYN packets to
be delivered to the Transport Converter application.
As discussed in [RFC7413], such change to TCP semantics raises two
issues. First, duplicate SYNs can cause problems for applications
that rely on TCP; whether or not a given application is affected
depends on the details of that application protocol. Second, TCP
suffers from SYN flooding attacks [RFC4987]. TFO solves these two
problems for applications that can tolerate replays by using the TCP
Fast Open option that includes a cookie. However, the utilization of
this option consumes space in the limited TCP header. Furthermore,
there are situations, as noted in Section 7.3 of [RFC7413], where it
is possible to accept the payload of SYN packets without creating
additional security risks such as a network where addresses cannot be
spoofed and the Transport Converter only serves a set of hosts that
are identified by these addresses.
For these reasons, this specification does not mandate the use of the
TCP Fast Open option when the Client sends a connection establishment
packet towards a Transport Converter. The Convert Protocol includes
an optional Cookie TLV that provides similar protection as the TCP
Fast Open option without consuming space in the TCP header.
Furthermore, this design allows for the use of longer cookies than
[RFC7413].
If the downstream (or upstream) connection fails for some reason
(excessive retransmissions, reception of an RST segment, etc.), then
the Converter reacts by forcing the teardown of the upstream (or
downstream) connection. In particular, if an ICMP error message that
indicates a hard error is received on the downstream connection, the
Converter echoes the Code field of that ICMP message in a Destination
Unreachable Error TLV (see Section 6.2.8) that it transmits to the
Client. Note that if an ICMP error message that indicates a soft
error is received on the downstream connection, the Converter will
retransmit the corresponding data until it is acknowledged or the
connection times out. A classification of ICMP soft and hard errors
is provided in Table 1 of [RFC5461].
The same reasoning applies when the upstream connection ends with an
exchange of FIN segments. In this case, the Converter will also
terminate the downstream connection by using FIN segments. If the
downstream connection terminates with the exchange of FIN segments,
the Converter should initiate a graceful termination of the upstream
connection.
4.3. Data Processing at the Transport Converter
As mentioned in Section 4.2, the Transport Converter acts as a TCP
proxy between the upstream connection (i.e., between the Client and
the Transport Converter) and the downstream connection (i.e., between
the Transport Converter and the Server).
The control messages (i.e., the Convert messages discussed in
Section 6) establish state (called transport session entry) in the
Transport Converter that will enable it to proxy between the two TCP
connections.
The Transport Converter uses the transport session entry to proxy
packets belonging to the connection. An implementation example of a
transport session entry for TCP connections is shown in Figure 7.
(C,c) <--> (T,t), (S,s), Lifetime
Figure 7: An Example of Transport Session Entry
Where:
* C and c are the source IP address and source port number used by
the Client for the upstream connection.
* S and s are the Server's IP address and port number.
* T and t are the source IP address and source port number used by
the Transport Converter to proxy the connection.
* Lifetime is a timer that tracks the remaining lifetime of the
entry as assigned by the Converter. When the timer expires, the
entry is deleted.
Clients send packets bound to connections eligible for the conversion
service to the provisioned Transport Converter and destination port
number. This applies for both control messages and data. Additional
information is supplied by Clients to the Transport Converter by
means of Convert messages as detailed in Section 6. User data can be
included in SYN or non-SYN messages. User data is unambiguously
distinguished from Convert TLVs by a Transport Converter owing to the
Convert Fixed Header in the Convert messages (Section 6.1). These
Convert TLVs are destined to the Transport Convert and are, thus,
removed by the Transport Converter when proxying between the two
connections.
Upon receipt of a packet that belongs to an existing connection
between a Client and the Transport Converter, the Converter proxies
the user data to the Server using the information stored in the
corresponding transport session entry. For example, in reference to
Figure 7, the Transport Converter proxies the data received from
(C,c) downstream using (T,t) as source transport address and (S,s) as
destination transport address.
A similar process happens for data sent from the Server. The
Converter acts as a TCP proxy and sends the data to the Client
relying upon the information stored in a transport session entry.
The Converter associates a lifetime with state entries used to bind
an upstream connection with its downstream connection.
When Multipath TCP is used between the Client and the Transport
Converter, the Converter maintains more state (e.g., information
about the subflows) for each Multipath TCP connection. The procedure
described above continues to apply except that the Converter needs to
manage the establishment/termination of subflows and schedule packets
among the established ones. These operations are part of the
Multipath TCP implementation. They are independent of the Convert
Protocol that only processes the Convert messages in the beginning of
the bytestream.
A Transport Converter may operate in address preservation mode (that
is, the Converter does not rewrite the source IP address (i.e.,
C==T)) or address-sharing mode (that is, an address pool is shared
among all Clients serviced by the Converter (i.e., C!=T)); refer to
Section 4.4 for more details. Which behavior to use by a Transport
Converter is deployment specific. If address-sharing mode is
enabled, the Transport Converter MUST adhere to REQ-2 of [RFC6888],
which implies a default "IP address pooling" behavior of "Paired" (as
defined in Section 4.1 of [RFC4787]) MUST be supported. This
behavior is meant to avoid breaking applications that depend on the
source address remaining constant.
4.4. Address Preservation vs. Address Sharing
The Transport Converter is provided with instructions about the
behavior to adopt with regard to the processing of source addresses
of outgoing packets. The following subsections discuss two
deployment models for illustration purposes. It is out of the scope
of this document to make a recommendation.
4.4.1. Address Preservation
In this model, the visible source IP address of a packet proxied by a
Transport Converter to a Server is an IP address of the end host
(Client). No dedicated IP address pool is provisioned to the
Transport Converter, but the Transport Converter is located on the
path between the Client and the Server.
For Multipath TCP, the Transport Converter preserves the source IP
address used by the Client when establishing the initial subflow.
Data conveyed in secondary subflows will be proxied by the Transport
Converter using the source IP address of the initial subflow. An
example of a proxied Multipath TCP connection with address
preservation is shown in Figure 8.
Transport
Client Converter Server
@:C1,C2 @:Tc @:S
|| | |
|src:C1 SYN dst:Tc|src:C1 dst:S|
|-------MPC [->S:port]------->|-------SYN------->|
|| | |
||dst:C1 src:Tc|dst:C1 src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----|
|| | |
|src:C1 dst:Tc|src:C1 dst:S|
|------------ACK------------->|-------ACK------->|
| | |
|src:C2 ... dst:Tc| ... |
||<-----Secondary Subflow---->|src:C1 dst:S|
|| |-------data------>|
| .. | ... |
Legend:
Tc: IP address used by the Transport Converter on the internal
realm.
Figure 8: Example of Address Preservation
The Transport Converter must be on the forwarding path of incoming
traffic. Because the same (destination) IP address is used for both
proxied and non-proxied connections, the Transport Converter should
not drop incoming packets it intercepts if no matching entry is found
for the packets. Unless explicitly configured otherwise, such
packets are forwarded according to the instructions of a local
forwarding table.
4.4.2. Address/Prefix Sharing
A pool of global IPv4 addresses is provisioned to the Transport
Converter along with possible instructions about the address-sharing
ratio to apply (see Appendix B of [RFC6269]). An address is thus
shared among multiple Clients.
Likewise, rewriting the source IPv6 prefix [RFC6296] may be used to
ease redirection of incoming IPv6 traffic towards the appropriate
Transport Converter. A pool of IPv6 prefixes is then provisioned to
the Transport Converter for this purpose.
Adequate forwarding policies are enforced so that traffic destined to
an address of such a pool is intercepted by the appropriate Transport
Converter. Unlike Section 4.4.1, the Transport Converter drops
incoming packets that do not match an active transport session entry.
An example is shown in Figure 9.
Transport
Client Converter Server
@:C @:Tc|Te @:S
| | |
|src:C dst:Tc|src:Te dst:S|
|-------SYN [->S:port]------->|-------SYN------->|
| | |
|dst:C src:Tc|dst:Te src:S|
|<---------SYN/ACK------------|<-----SYN/ACK-----|
| | |
|src:C dst:Tc|src:Te dst:S|
|------------ACK------------->|-------ACK------->|
| | |
| ... | ... |
Legend:
Tc: IP address used by the Transport Converter on the internal
realm.
Te: IP address used by the Transport Converter on the external
realm.
Figure 9: Address Sharing
5. Sample Examples
5.1. Outgoing Converter-Assisted Multipath TCP Connections
As an example, let us consider how the Convert Protocol can help the
deployment of Multipath TCP. We assume that both the Client and the
Transport Converter support Multipath TCP but consider two different
cases depending on whether or not the Server supports Multipath TCP.
As a reminder, a Multipath TCP connection is created by placing the
MP_CAPABLE (MPC) option in the SYN sent by the Client.
Figure 10 describes the operation of the Transport Converter if the
Server does not support Multipath TCP.
Transport
Client Converter Server
|SYN, MPC | |
|[->Server:port] | SYN, MPC |
|------------------>|--------------------->|
|<------------------|<---------------------|
| SYN+ACK,MPC [.] | SYN+ACK |
|------------------>|--------------------->|
| ACK, MPC | ACK |
| ... | ... |
Figure 10: Establishment of a Multipath TCP Connection through a
Transport Converter towards a Server That Does Not support
Multipath TCP
The Client tries to initiate a Multipath TCP connection by sending a
SYN with the MP_CAPABLE option (MPC in Figure 10). The SYN includes
the address and port number of the target Server, that are extracted
and used by the Transport Converter to initiate a Multipath TCP
connection towards this Server. Since the Server does not support
Multipath TCP, it replies with a SYN+ACK that does not contain the
MP_CAPABLE option. The Transport Converter notes that the connection
with the Server does not support Multipath TCP and returns the
extended TCP header received from the Server to the Client.
Note that, if the TCP connection is reset for some reason, the
Converter tears down the Multipath TCP connection by transmitting an
MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with
the transmission of DATA_FINs, the Converter terminates the TCP
connection by using FIN segments. As a side note, given that with
Multipath TCP, RST only has the scope of the subflow and will only
close the concerned subflow but not affect the remaining subflows,
the Converter does not terminate the downstream TCP connection upon
receipt of an RST over a Multipath subflow.
Figure 11 considers a Server that supports Multipath TCP. In this
case, it replies to the SYN sent by the Transport Converter with the
MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport
Converter confirms the establishment of the connection to the Client
and indicates to the Client that the Server supports Multipath TCP.
With this information, the Client has discovered that the Server
supports Multipath TCP. This will enable the Client to bypass the
Transport Converter for the subsequent Multipath TCP connections that
it will initiate towards this Server.
Transport
Client Converter Server
|SYN, MPC | |
|[->Server:port] | SYN, MPC |
|------------------>|--------------------->|
|<------------------|<---------------------|
|SYN+ACK, MPC | SYN+ACK, MPC |
|[MPC supported] | |
|------------------>|--------------------->|
| ACK, MPC | ACK, MPC |
| ... | ... |
Figure 11: Establishment of a Multipath TCP Connection through a
Converter towards an MPTCP-Capable Server
5.2. Incoming Converter-Assisted Multipath TCP Connection
An example of an incoming Converter-assisted Multipath TCP connection
is depicted in Figure 12. In order to support incoming connections
from remote hosts, the Client may use the Port Control Protocol (PCP)
[RFC6887] to instruct the Transport Converter to create dynamic
mappings. Those mappings will be used by the Transport Converter to
intercept an incoming TCP connection destined to the Client and
convert it into a Multipath TCP connection.
Typically, the Client sends a PCP request to the Converter asking to
create an explicit TCP mapping for the internal IP address and
internal port number. The Converter accepts the request by creating
a TCP mapping for the internal IP address, internal port number,
external IP address, and external port number. The external IP
address, external port number, and assigned lifetime are returned
back to the Client in the PCP response. The external IP address and
external port number will then be advertised by the Client (or the
user) using an out-of-band mechanism so that remote hosts can
initiate TCP connections to the Client via the Converter. Note that
the external and internal information may be the same.
Then, when the Converter receives an incoming SYN, it checks its
mapping table to verify if there is an active mapping matching the
destination IP address and destination port of that SYN. If no entry
is found, the Converter silently ignores the message. If an entry is
found, the Converter inserts an MP_CAPABLE option and Connect TLV in
the SYN packet, and rewrites the source IP address to one of its IP
addresses and, eventually, the destination IP address and port number
in accordance with the information stored in the mapping. SYN+ACK
and ACK will then be exchanged between the Client and the Converter
to confirm the establishment of the initial subflow. The Client can
add new subflows following normal Multipath TCP procedures.
Transport Remote
Client Converter Host
| | |
|<--------------------|<-------------------|
|SYN, MPC | SYN |
|[Remote Host:port] | |
|-------------------->|------------------->|
| SYN+ACK, MPC | SYN+ACK |
|<--------------------|<-------------------|
| ACK, MPC | ACK |
| ... | ... |
Figure 12: Establishment of an Incoming Multipath TCP Connection
through a Transport Converter
It is out of scope of this document to define specific Convert TLVs
to manage incoming connections (that is, TLVs that mimic PCP
messages). These TLVs can be defined in a separate document.
6. The Convert Protocol (Convert)
This section defines the Convert Protocol (Convert, for short)
messages that are exchanged between a Client and a Transport
Converter.
The Transport Converter listens on a specific TCP port number for
Convert messages from Clients. That port number is configured by an
administrator. Absent any policy, the Transport Converter SHOULD
silently ignore SYNs with no Convert TLVs.
Convert messages may appear only in SYN, SYN+ACK, or ACK.
Convert messages MUST be included as the first bytes of the
bytestream. All Convert messages start with a fixed header that is
32 bits long (Section 6.1) followed by one or more Convert TLVs
(Type, Length, Value) (Section 6.2).
If the initial SYN message contains user data in its payload (e.g.,
see [RFC7413]), that data MUST be placed right after the Convert TLVs
when generating the SYN.
The protocol can be extended by defining new TLVs or bumping the
version number if a different message format is needed. If a future
version is defined but with a different message format, the version
negotiation procedure defined in Section 6.2.8 (see "Unsupported
Version") is meant to agree on a version that is supported by both
peers.
| Implementation note 1: Several implementers expressed concerns
| about the use of TFO. As a reminder, the Fast Open Cookie
| protects from some attack scenarios that affect open servers
| like web servers. The Convert Protocol is different and, as
| discussed in [RFC7413], there are different ways to protect
| from such attacks. Instead of using a Fast Open Cookie inside
| the TCP options, which consumes precious space in the extended
| TCP header, the Convert Protocol supports the utilization of a
| Cookie that is placed in the SYN payload. This provides the
| same level of protection as a Fast Open Cookie in environments
| were such protection is required.
|
| Implementation note 2: Error messages are not included in RST
| but sent in the bytestream. Implementers have indicated that
| processing RST on Clients was difficult on some platforms.
| This design simplifies Client implementations.
6.1. The Convert Fixed Header
The Convert Protocol uses a fixed header that is 32 bits long sent by
both the Client and the Transport Converter over each established
connection. This header indicates both the version of the protocol
used and the length of the Convert message.
The Client and the Transport Converter MUST send the fixed-sized
header, shown in Figure 13, as the first four bytes of the
bytestream.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Version | Total Length | Magic Number |
+---------------+---------------+-------------------------------+
Figure 13: The Convert Fixed Header
The version is encoded as an 8-bit unsigned integer value. This
document specifies version 1. Version 0 is reserved by this document
and MUST NOT be used.
| Note: Early versions of this specification don't use a
| dedicated port number but only rely upon the IP address of the
| Converter. Having a bit set in the Version field together with
| the Total Length field avoids misinterpreting data in a SYN as
| Convert TLVs. Since the design was updated to use a specific
| service port, that constraint was relaxed. Version 0 would
| work, but given existing implementations already use Version 1,
| the use of Version 0 is maintained as reserved.
The Total Length is the number of 32-bit words, including the header,
of the bytestream that are consumed by the Convert messages. Since
Total Length is also an 8-bit unsigned integer, those messages cannot
consume more than 1020 bytes of data. This limits the number of
bytes that a Transport Converter needs to process. A Total Length of
zero is invalid and the connection MUST be reset upon reception of a
header with such a total length.
The Magic Number field MUST be set to 0x2263. This field is meant to
further strengthen the protocol to unambiguously distinguish any data
supplied by an application from Convert TLVs.
The Total Length field unambiguously marks the number of 32-bit words
that carry Convert TLVs in the beginning of the bytestream.
6.2. Convert TLVs
6.2.1. Generic Convert TLV Format
The Convert Protocol uses variable length messages that are encoded
using the generic TLV format depicted in Figure 14.
The length of all TLVs used by the Convert Protocol is always a
multiple of four bytes. All TLVs are aligned on 32-bit boundaries.
All TLV fields are encoded using the network byte order.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type | Length | Value ... |
+---------------+---------------+-------------------------------+
// ... (optional) Value //
+---------------------------------------------------------------+
Figure 14: Convert Generic TLV Format
The Length field covers Type, Length, and Value fields. It is
expressed in units of 32-bit words. If necessary, Value MUST be
padded with zeroes so that the length of the TLV is a multiple of 32
bits.
A given TLV MUST only appear once on a connection. If a Client
receives two or more instances of the same TLV over a Convert
connection, it MUST reset the associated TCP connection. If a
Converter receives two or more instances of the same TLV over a
Convert connection, it MUST return a Malformed Message Error TLV and
close the associated TCP connection.
6.2.2. Summary of Supported Convert TLVs
This document specifies the following Convert TLVs:
+======+======+==========+==============================+
| Type | Hex | Length | Description |
+======+======+==========+==============================+
| 1 | 0x1 | 1 | Info TLV |
+------+------+----------+------------------------------+
| 10 | 0xA | Variable | Connect TLV |
+------+------+----------+------------------------------+
| 20 | 0x14 | Variable | Extended TCP Header TLV |
+------+------+----------+------------------------------+
| 21 | 0x15 | Variable | Supported TCP Extensions TLV |
+------+------+----------+------------------------------+
| 22 | 0x16 | Variable | Cookie TLV |
+------+------+----------+------------------------------+
| 30 | 0x1E | Variable | Error TLV |
+------+------+----------+------------------------------+
Table 1: The TLVs Used by the Convert Protocol
Type 0x0 is a reserved value. If a Client receives a TLV of type
0x0, it MUST reset the associated TCP connection. If a Converter
receives a TLV of type 0x0, it MUST return an Unsupported Message
Error TLV and close the associated TCP connection.
The Client typically sends, in the first connection it established
with a Transport Converter, the Info TLV (Section 6.2.3) to learn its
capabilities. Assuming the Client is authorized to invoke the
Transport Converter, the latter replies with the Supported TCP
Extensions TLV (Section 6.2.4).
The Client can request the establishment of connections to Servers by
using the Connect TLV (Section 6.2.5). If the connection can be
established with the final Server, the Transport Converter replies
with the Extended TCP Header TLV (Section 6.2.6). If not, the
Transport Converter MUST return an Error TLV (Section 6.2.8) and then
close the connection. The Transport Converter MUST NOT send an RST
immediately after the detection of an error to let the Error TLV
reach the Client. As explained later, the Client will send an RST
regardless upon reception of the Error TLV.
6.2.3. The Info TLV
The Info TLV (Figure 15) is an optional TLV that can be sent by a
Client to request the TCP extensions that are supported by a
Transport Converter. It is typically sent on the first connection
that a Client establishes with a Transport Converter to learn its
capabilities. Assuming a Client is entitled to invoke the Transport
Converter, the latter replies with the Supported TCP Extensions TLV
described in Section 6.2.4.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type=0x1 | Length | Zero |
+---------------+---------------+-------------------------------+
Figure 15: The Info TLV
6.2.4. Supported TCP Extensions TLV
The Supported TCP Extensions TLV (Figure 16) is used by a Transport
Converter to announce the TCP options for which it provides a
conversion service. A Transport Converter SHOULD include in this
list the TCP options that it supports in outgoing SYNs.
Each supported TCP option is encoded with its TCP option Kind listed
in the "Transmission Control Protocol (TCP) Parameters" registry
maintained by IANA [IANA-CONVERT]. The Unassigned field MUST be set
to zero by the Transport Converter and ignored by the Client.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type=0x15 | Length | Unassigned |
+---------------+---------------+-------------------------------+
| Kind #1 | Kind #2 | ... |
+---------------+---------------+-------------------------------+
/ ... /
/ /
+---------------------------------------------------------------+
Figure 16: The Supported TCP Extensions TLV
TCP option Kinds 1 and 2 defined in [RFC0793] are supported by all
TCP implementations and thus, MUST NOT appear in this list.
The list of Supported TCP Extensions is padded with 0 to end on a
32-bit boundary.
For example, if the Transport Converter supports Multipath TCP,
Kind=30 will be present in the Supported TCP Extensions TLV that it
returns in response to the Info TLV.
6.2.5. Connect TLV
The Connect TLV (Figure 17) is used to request the establishment of a
connection via a Transport Converter. This connection can be from or
to a Client.
The Remote Peer Port and Remote Peer IP Address fields contain the
destination port number and IP address of the Server, for outgoing
connections. For incoming connections destined to a Client serviced
via a Transport Converter, these fields convey the source port number
and IP address of the SYN packet received by the Transport Converter
from the Server.
The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4
addresses MUST be encoded using the IPv4-mapped IPv6 address format
defined in [RFC4291]. Further, the Remote Peer IP Address field MUST
NOT include multicast, broadcast, or host loopback addresses
[RFC6890]. If a Converter receives a Connect TLV with such invalid
addresses, it MUST reply with a Malformed Message Error TLV and close
the associated TCP connection.
We distinguish two types of Connect TLV based on their length: (1)
the Base Connect TLV has a length set to 5 (i.e., 20 bytes) and
contains a remote address and a remote port (Figure 17), and (2) the
Extended Connect TLV spans more than 20 bytes and also includes the
optional TCP Options field (Figure 18). This field is used to
request the advertisement of specific TCP options to the Server.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type=0xA | Length | Remote Peer Port |
+---------------+---------------+-------------------------------+
| |
| Remote Peer IP Address (128 bits) |
| |
| |
+---------------------------------------------------------------+
Figure 17: The Base Connect TLV
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type=0xA | Length | Remote Peer Port |
+---------------+---------------+-------------------------------+
| |
| Remote Peer IP Address (128 bits) |
| |
| |
+---------------------------------------------------------------+
/ TCP Options (Variable) /
/ ... /
+---------------------------------------------------------------+
Figure 18: The Extended Connect TLV
The TCP Options field is a variable length field that carries a list
of TCP option fields (Figure 19). Each TCP option field is encoded
as a block of 2+n bytes where the first byte is the TCP option Kind
and the second byte is the length of the TCP option as specified in
[RFC0793]. The minimum value for the TCP option Length is 2. The
TCP options that do not include a length sub-field, i.e., option
types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be placed
inside the TCP options field of the Connect TLV. The optional Value
field contains the variable-length part of the TCP option. A length
of 2 indicates the absence of the Value field. The TCP options field
always ends on a 32-bit boundary after being padded with zeros.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| TCPOpt kind | TCPOpt Length | Value (opt) | .... |
+---------------+---------------+---------------+---------------+
| .... |
+---------------------------------------------------------------+
| ... |
+---------------------------------------------------------------+
Figure 19: The TCP Options Field
Upon reception of a Base Connect TLV, and absent any policy (e.g.,
rate-limit) or resource exhaustion conditions, a Transport Converter
attempts to establish a connection to the address and port that it
contains. The Transport Converter MUST use by default the TCP
options that correspond to its local policy to establish this
connection.
Upon reception of an Extended Connect TLV, a Transport Converter
first checks whether or not it supports the TCP Options listed in the
TCP Options field. If not, it returns an error TLV set to
"Unsupported TCP Option" (Section 6.2.8). If the above check
succeeded, and absent any rate-limit policy or resource exhaustion
conditions, a Transport Converter MUST attempt to establish a
connection to the address and port that it contains. It MUST include
in the SYN that it sends to the Server the options listed in the TCP
Options subfield and the TCP options that it would have used
according to its local policies. For the TCP options that are
included in the TCP Options field without an optional value, the
Transport Converter MUST generate its own value. For the TCP options
that are included in the TCP Options field with an optional value, it
MUST copy the entire option in the SYN sent to the remote Server.
This procedure is designed with TFO in mind. Particularly, this
procedure allows to successfully exchange a Fast Open Cookie between
the Client and the Server. See Section 7 for a detailed discussion
of the different types of TCP options.
The Transport Converter may refuse a Connect TLV request for various
reasons (e.g., authorization failed, out of resources, invalid
address type, or unsupported TCP option). An error message
indicating the encountered error is returned to the requesting Client
(Section 6.2.8). In order to prevent denial-of-service attacks,
error messages sent to a Client SHOULD be rate-limited.
6.2.6. Extended TCP Header TLV
The Extended TCP Header TLV (Figure 20) is used by the Transport
Converter to return to the Client the TCP options that were returned
by the Server in the SYN+ACK packet. A Transport Converter MUST
return this TLV if the Client sent an Extended Connect TLV and the
connection was accepted by the Server.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type=0x14 | Length | Unassigned |
+---------------+---------------+-------------------------------+
/ Returned Extended TCP header /
/ ... /
+---------------------------------------------------------------+
Figure 20: The Extended TCP Header TLV
The Returned Extended TCP header field is a copy of the TCP Options
that were included in the SYN+ACK received by the Transport
Converter.
The Unassigned field MUST be set to zero by the sender and ignored by
the receiver.
6.2.7. The Cookie TLV
The Cookie TLV (Figure 21) is an optional TLV that is similar to the
TCP Fast Open Cookie [RFC7413]. A Transport Converter may want to
verify that a Client can receive the packets that it sends to prevent
attacks from spoofed addresses. This verification can be done by
using a Cookie that is bound to, for example, the IP address(es) of
the Client. This Cookie can be configured on the Client by means
that are outside of this document or provided by the Transport
Converter.
A Transport Converter that has been configured to use the optional
Cookie TLV MUST verify the presence of this TLV in the payload of the
received SYN. If this TLV is present, the Transport Converter MUST
validate the Cookie by means similar to those in Section 4.1.2 of
[RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the
connection establishment procedure can continue. Otherwise, the
Transport Converter MUST return an Error TLV set to "Not Authorized"
and close the connection.
If the received SYN did not contain a Cookie TLV, and cookie
validation is required, the Transport Converter MAY compute a Cookie
bound to this Client address. In such case, the Transport Converter
MUST return an Error TLV set to "Missing Cookie" and the computed
Cookie and close the connection. The Client will react to this error
by first issuing a reset to terminate the connection. It also stores
the received Cookie in its cache and attempts to reestablish a new
connection to the Transport Converter that includes the Cookie TLV.
The format of the Cookie TLV is shown in Figure 21.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type=0x16 | Length | Zero |
+---------------+---------------+-------------------------------+
/ Opaque Cookie /
/ ... /
+---------------------------------------------------------------+
Figure 21: The Cookie TLV
6.2.8. Error TLV
The Error TLV (Figure 22) is meant to provide information about some
errors that occurred during the processing of a Convert message.
This TLV has a variable length. Upon reception of an Error TLV, a
Client MUST reset the associated connection.
An Error TLV can be included in the SYN+ACK or an ACK.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+----------------+--------------+
| Type=0x1E | Length | Error Code | Value |
+---------------+---------------+----------------+--------------+
// ... (optional) Value //
+---------------------------------------------------------------+
Figure 22: The Error TLV
Different types of errors can occur while processing Convert
messages. Each error is identified by an Error Code represented as
an unsigned integer. Four classes of error codes are defined:
Message validation and processing errors (0-31 range):
Returned upon reception of an invalid message (including valid
messages but with invalid or unknown TLVs).
Client-side errors (32-63 range):
The Client sent a request that could not be accepted by the
Transport Converter (e.g., unsupported operation).
Converter-side errors (64-95 range):
Problems encountered on the Transport Converter (e.g., lack of
resources) that prevent it from fulfilling the Client's request.
Errors caused by the destination Server (96-127 range):
The final destination could not be reached or it replied with a
reset.
The following error codes are defined in this document:
Unsupported Version (0):
The version number indicated in the fixed header of a message
received from a peer is not supported.
This error code MUST be generated by a peer (e.g., Transport
Converter) when it receives a request having a version number that
it does not support.
The Value field MUST be set to the version supported by the peer.
When multiple versions are supported by the peer, it includes the
list of supported versions in the Value field; each version is
encoded in 8 bits. The list of supported versions MUST be padded
with zeros to end on a 32-bit boundary.
Upon receipt of this error code, the remote peer (e.g., Client)
checks whether it supports one of the versions returned by the
peer. The highest commonly supported version number MUST be used
by the remote peer in subsequent exchanges with the peer.
Malformed Message (1):
This error code is sent to indicate that a message received from a
peer cannot be successfully parsed and validated.
Typically, this error code is sent by the Transport Converter if
it receives a Connect TLV enclosing a multicast, broadcast, or
loopback IP address.
To ease troubleshooting, the Value field MUST echo the received
message using the format depicted in Figure 23. This format
allows keeping the original alignment of the message that
triggered the error.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+----------------+--------------+
| Type=0x1E | Length | Error Code | Zeros |
+---------------+---------------+----------------+--------------+
// Echo the message that triggered the error //
+---------------------------------------------------------------+
Figure 23: Error TLV to Ease Message Correlation
Unsupported Message (2):
This error code is sent to indicate that a message type received
from a Client is not supported.
To ease troubleshooting, the Value field MUST echo the received
message using the format shown in Figure 23.
Missing Cookie (3):
If a Transport Converter requires the utilization of Cookies to
prevent spoofing attacks and a Cookie TLV was not included in the
Convert message, the Transport Converter MUST return this error to
the requesting Client only if it computes a cookie for this
Client. The first byte of the Value field MUST be set to zero and
the remaining bytes of the Error TLV contain the Cookie computed
by the Transport Converter for this Client.
A Client that receives this error code SHOULD cache the received
Cookie and include it in subsequent Convert messages sent to that
Transport Converter.
Not Authorized (32):
This error code indicates that the Transport Converter refused to
create a connection because of a lack of authorization (e.g.,
administratively prohibited, authorization failure, or invalid
Cookie TLV). The Value field MUST be set to zero.
This error code MUST be sent by the Transport Converter when a
request cannot be successfully processed because the authorization
failed.
Unsupported TCP Option (33):
A TCP option that the Client requested to advertise to the final
Server cannot be safely used.
The Value field is set to the type of the unsupported TCP option.
If several unsupported TCP options were specified in the Connect
TLV, then the list of unsupported TCP options is returned. The
list of unsupported TCP options MUST be padded with zeros to end
on a 32-bit boundary.
Resource Exceeded (64):
This error indicates that the Transport Converter does not have
enough resources to perform the request.
This error MUST be sent by the Transport Converter when it does
not have sufficient resources to handle a new connection. The
Transport Converter may indicate in the Value field the suggested
delay (in seconds) that the Client SHOULD wait before soliciting
the Transport Converter for a new proxied connection. A Value of
zero corresponds to a default delay of at least 30 seconds.
Network Failure (65):
This error indicates that the Transport Converter is experiencing
a network failure to proxy the request.
The Transport Converter MUST send this error code when it
experiences forwarding issues to proxy a connection. The
Transport Converter may indicate in the Value field the suggested
delay (in seconds) that the Client SHOULD wait before soliciting
the Transport Converter for a new proxied connection. A Value of
zero corresponds to a default delay of at least 30 seconds.
Connection Reset (96):
This error indicates that the final destination responded with an
RST segment. The Value field MUST be set to zero.
Destination Unreachable (97):
This error indicates that an ICMP message indicating a hard error
(e.g., destination unreachable, port unreachable, or network
unreachable) was received by the Transport Converter. The Value
field MUST echo the Code field of the received ICMP message.
As a reminder, TCP implementations are supposed to act on an ICMP
error message passed up from the IP layer, directing it to the
connection that triggered the error using the demultiplexing
information included in the payload of that ICMP message. Such a
demultiplexing issue does not apply for handling the "Destination
Unreachable" Error TLV because the error is sent in-band. For
this reason, the payload of the ICMP message is not echoed in the
Destination Unreachable Error TLV.
Table 2 summarizes the different error codes.
+=======+======+=========================+
| Error | Hex | Description |
+=======+======+=========================+
| 0 | 0x00 | Unsupported Version |
+-------+------+-------------------------+
| 1 | 0x01 | Malformed Message |
+-------+------+-------------------------+
| 2 | 0x02 | Unsupported Message |
+-------+------+-------------------------+
| 3 | 0x03 | Missing Cookie |
+-------+------+-------------------------+
| 32 | 0x20 | Not Authorized |
+-------+------+-------------------------+
| 33 | 0x21 | Unsupported TCP Option |
+-------+------+-------------------------+
| 64 | 0x40 | Resource Exceeded |
+-------+------+-------------------------+
| 65 | 0x41 | Network Failure |
+-------+------+-------------------------+
| 96 | 0x60 | Connection Reset |
+-------+------+-------------------------+
| 97 | 0x61 | Destination Unreachable |
+-------+------+-------------------------+
Table 2: Convert Error Values
7. Compatibility of Specific TCP Options with the Conversion Service
In this section, we discuss how several deployed Standards Track TCP
options can be supported through the Convert Protocol. The other TCP
options will be discussed in other documents.
7.1. Base TCP Options
Three TCP options were initially defined in [RFC0793]: End-of-Option
List (Kind=0), No-Operation (Kind=1), and Maximum Segment Size
(Kind=2). The first two options are mainly used to pad the TCP
header. There is no reason for a Client to request a Transport
Converter to specifically send these options towards the final
destination.
The Maximum Segment Size option (Kind=2) is used by a host to
indicate the largest segment that it can receive over each
connection. This value is a function of the stack that terminates
the TCP connection. There is no reason for a Client to request a
Transport Converter to advertise a specific Maximum Segment Size
(MSS) value to a remote Server.
A Transport Converter MUST ignore options with Kind=0, 1, or 2 if
they appear in a Connect TLV. It MUST NOT announce them in a
Supported TCP Extensions TLV.
7.2. Window Scale (WS)
The Window Scale (WS) option (Kind=3) is defined in [RFC7323]. As
for the MSS option, the window scale factor that is used for a
connection strongly depends on the TCP stack that handles the
connection. When a Transport Converter opens a TCP connection
towards a remote Server on behalf of a Client, it SHOULD use a WS
option with a scaling factor that corresponds to the configuration of
its stack. A local configuration MAY allow for a WS option in the
proxied message to be a function of the scaling factor of the
incoming connection.
From a deployment viewpoint, there is no benefit in enabling a Client
of a Transport Converter to specifically request the utilization of
the WS option (Kind=3) with a specific scaling factor towards a
remote Server. For this reason, a Transport Converter MUST ignore
option Kind=3 if it appears in a Connect TLV. The Transport
Converter MUST NOT announce a WS option (Kind=3) in a Supported TCP
Extensions TLV.
7.3. Selective Acknowledgments
Two distinct TCP options were defined to support Selective
Acknowledgment (SACK) in [RFC2018]. This first one, SACK-Permitted
(Kind=4), is used to negotiate the utilization of Selective
Acknowledgments during the three-way handshake. The second one, SACK
(Kind=5), carries the Selective Acknowledgments inside regular
segments.
The SACK-Permitted option (Kind=4) MAY be advertised by a Transport
Converter in the Supported TCP Extensions TLV. Clients connected to
this Transport Converter MAY include the SACK-Permitted option in the
Connect TLV.
The SACK option (Kind=5) cannot be used during the three-way
handshake. For this reason, a Transport Converter MUST ignore option
Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a
TCP Supported Extensions TLV.
7.4. Timestamp
The Timestamp option [RFC7323] can be used during the three-way
handshake to negotiate the utilization of timestamps during the TCP
connection. It is notably used to improve round-trip-time
estimations and to provide Protection Against Wrapped Sequences
(PAWS). As for the WS option, the timestamps are a property of a
connection and there is limited benefit in enabling a Client to
request a Transport Converter to use the timestamp option when
establishing a connection to a remote Server. Furthermore, the
timestamps that are used by TCP stacks are specific to each stack and
there is no benefit in enabling a Client to specify the timestamp
value that a Transport Converter could use to establish a connection
to a remote Server.
A Transport Converter MAY advertise the Timestamp option (Kind=8) in
the TCP Supported Extensions TLV. The Clients connected to this
Transport Converter MAY include the Timestamp option in the Connect
TLV but without any timestamp.
7.5. Multipath TCP
The Multipath TCP options are defined in [RFC8684], which defines one
variable length TCP option (Kind=30) that includes a sub-type field
to support several Multipath TCP options. There are several
operational use cases where Clients would like to use Multipath TCP
through a Transport Converter [IETFJ16]. However, none of these use
cases require the Client to specify the content of the Multipath TCP
option that the Transport Converter should send to a remote Server.
A Transport Converter that supports Multipath TCP conversion service
MUST advertise the Multipath TCP option (Kind=30) in the Supported
TCP Extensions TLV. Clients serviced by this Transport Converter may
include the Multipath TCP option in the Connect TLV but without any
content.
7.6. TCP Fast Open
The TCP Fast Open Cookie option (Kind=34) is defined in [RFC7413].
There are two different usages of this option that need to be
supported by Transport Converters. The first utilization of the TCP
Fast Open Cookie option is to request a cookie from the Server. In
this case, the option is sent with an empty cookie by the Client, and
the Server returns the cookie. The second utilization of the TCP
Fast Open Cookie option is to send a cookie to the Server. In this
case, the option contains a cookie.
A Transport Converter MAY advertise the TCP Fast Open Cookie option
(Kind=34) in the Supported TCP Extensions TLV. If a Transport
Converter has advertised the support for TCP Fast Open in its
Supported TCP Extensions TLV, it needs to be able to process two
types of Connect TLV.
If such a Transport Converter receives a Connect TLV with the TCP
Fast Open Cookie option that does not contain a cookie, it MUST add
an empty TCP Fast Open Cookie option in the SYN sent to the remote
Server. If the remote Server supports TFO, it responds with a SYN-
ACK according to the procedure in Section 4.1.2 of [RFC7413]. This
SYN-ACK may contain a Fast Open option with a cookie. Upon receipt
of the SYN-ACK by the Converter, it relays the Fast Open option with
the cookie to the Client.
If such a Transport Converter receives a Connect TLV with the TCP
Fast Open Cookie option that contains a cookie, it MUST copy the TCP
Fast Open Cookie option in the SYN sent to the remote Server.
7.7. TCP-AO
The TCP Authentication Option (TCP-AO) [RFC5925] provides a technique
to authenticate all the packets exchanged over a TCP connection.
Given the nature of this extension, it is unlikely that the
applications that require their packets to be authenticated end to
end would want their connections to pass through a converter. For
this reason, we do not recommend the support of the TCP-AO by
Transport Converters. The only use cases where it could make sense
to combine TCP-AO and the solution in this document are those where
the TCP-AO-NAT extension [RFC6978] is in use.
A Transport Converter MUST NOT advertise the TCP-AO (Kind=29) in the
Supported TCP Extensions TLV. If a Transport Converter receives a
Connect TLV that contains the TCP-AO, it MUST reject the
establishment of the connection with error code set to "Unsupported
TCP Option", except if the TCP-AO-NAT option is used. Nevertheless,
given that TCP-AO-NAT is Experimental, its usage is not currently
defined and must be specified by some other document before it can be
used.
8. Interactions with Middleboxes
The Convert Protocol is designed to be used in networks that do not
contain middleboxes that interfere with TCP. Under such conditions,
it is assumed that the network provider ensures that all involved on-
path nodes are not breaking TCP signals (e.g., strip TCP options,
discard some SYNs, etc.).
Nevertheless, and in order to allow for a robust service, this
section describes how a Client can detect middlebox interference and
stop using the Transport Converter affected by this interference.
Internet measurements [IMC11] have shown that middleboxes can affect
the deployment of TCP extensions. In this section, we focus the
middleboxes that modify the payload since the Convert Protocol places
its messages at the beginning of the bytestream.
Consider a middlebox that removes the SYN payload. The Client can
detect this problem by looking at the acknowledgment number field of
the SYN+ACK if returned by the Transport Converter. The Client MUST
stop to use this Transport Converter given the middlebox
interference.
Consider now a middlebox that drops SYN/ACKs with a payload. The
Client won't be able to establish a connection via the Transport
Converter. The case of a middlebox that removes the payload of
SYN+ACKs or from the packet that follows the SYN+ACK (but not the
payload of SYN) can be detected by a Client. This is hinted by the
absence of a valid Convert message in the response.
As explained in [RFC7413], some Carrier Grade NATs (CGNs) can affect
the operation of TFO if they assign different IP addresses to the
same end host. Such CGNs could affect the operation of the cookie
validation used by the Convert Protocol. As a reminder, CGNs that
are enabled on the path between a Client and a Transport Converter
must adhere to the address preservation defined in [RFC6888]. See
also the discussion in Section 7.1 of [RFC7413].
9. Security Considerations
An implementation MUST check that the Convert TLVs are properly
framed within the boundary indicated by the Total Length in the fixed
header (Section 6.1).
Additional security considerations are discussed in the following
subsections.
9.1. Privacy & Ingress Filtering
The Transport Converter may have access to privacy-related
information (e.g., subscriber credentials). The Transport Converter
is designed to not leak such sensitive information outside a local
domain.
Given its function and location in the network, a Transport Converter
is in a position to observe all packets that it processes, to include
payloads and metadata, and has the ability to profile and conduct
some traffic analysis of user behavior. The Transport Converter MUST
be as protected as a core IP router (e.g., Section 10 of [RFC1812]).
Furthermore, ingress filtering policies MUST be enforced at the
network boundaries [RFC2827].
This document assumes that all network attachments are managed by the
same administrative entity. Therefore, enforcing anti-spoofing
filters at these networks is a guard that hosts are not sending
traffic with spoofed source IP addresses.
9.2. Authentication and Authorization Considerations
The Convert Protocol is RECOMMENDED for use in a managed network
where end hosts can be securely identified by their IP address. If
such control is not exerted and there is a more open network
environment, a strong mutual authentication scheme MUST be defined to
use the Convert Protocol.
One possibility for mutual authentication is to use TLS to perform
mutual authentication between the Client and the Converter. That is,
use TLS when a Client retrieves a Cookie from the Converter and rely
on certificate-based, pre-shared key-based [RFC4279], or raw public
key-based Client authentication [RFC7250] to secure this connection.
If the authentication succeeds, the Converter returns a cookie to the
Client. Subsequent Connect messages will be authorized as a function
of the content of the Cookie TLV. An attacker from within the
network between a Client and a Transport Converter may intercept the
Cookie and use it to be granted access to the conversion service.
Such an attack is only possible if the attacker spoofs the IP address
of the Client and the network does not filter packets with source-
spoofed IP addresses.
The operator that manages the various network attachments (including
the Transport Converters) has various options for enforcing
authentication and authorization policies. For example, a non-
exhaustive list of methods to achieve authorization is provided
hereafter:
* The network provider may enforce a policy based on the
International Mobile Subscriber Identity (IMSI) to verify that a
user is allowed to benefit from the TCP converter service. If
that authorization fails, the Packet Data Protocol (PDP) context/
bearer will not be mounted. This method does not require any
interaction with the Transport Converter for authorization
matters.
* The network provider may enforce a policy based upon Access
Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG)
to control the hosts that are authorized to communicate with a
Transport Converter. These ACLs may be installed as a result of
RADIUS exchanges, e.g., [TCPM-CONVERTER]. This method does not
require any interaction with the Transport Converter for
authorization matters.
* A device that embeds a Transport Converter may also host a RADIUS
Client that will solicit a AAA Server to check whether or not
connections received from a given source IP address are authorized
[TCPM-CONVERTER].
A first safeguard against the misuse of Transport Converter resources
by illegitimate users (e.g., users with access networks that are not
managed by the same provider that operates the Transport Converter)
is the Transport Converter to reject Convert connections received in
the external realm. Only Convert connections received in the
internal realm of a Transport Converter will be accepted.
In deployments where network-assisted connections are not allowed
between hosts of a domain (i.e., hairpinning), the Converter may be
instructed to discard such connections. Hairpinned connections are
thus rejected by the Transport Converter by returning an Error TLV
set to "Not Authorized". Otherwise, absent explicit configuration,
hairpinning is enabled by the Converter (see Figure 24).
<===Network Provider===>
+----+ from X1:x1 to X2':x2' +-----+ X1':x1'
| C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+---
+----+ | v |
| v |
| v |
| v |
+----+ from X1':x1' to X2:x2 | v | X2':x2'
| C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+---
+----+ +-----+
Converter
Note: X2':x2' may be equal to
X2:x2
Figure 24: Hairpinning Example
9.3. Denial of Service
Another possible risk is amplification attacks, since a Transport
Converter sends a SYN towards a remote Server upon reception of a SYN
from a Client. This could lead to amplification attacks if the SYN
sent by the Transport Converter were larger than the SYN received
from the Client, or if the Transport Converter retransmits the SYN.
To mitigate such attacks, the Transport Converter SHOULD rate-limit
the number of pending requests for a given Client. It SHOULD also
avoid sending SYNs that are significantly longer than the SYN
received from the Client, to remote Servers. Finally, the Transport
Converter SHOULD only retransmit a SYN to a Server after having
received a retransmitted SYN from the corresponding Client. Means to
protect against SYN flooding attacks should also be enabled (e.g.,
Section 3 of [RFC4987]).
Attacks from within the network between a Client and a Transport
Converter (including attacks that change the protocol version) are
yet another threat. Means to ensure that illegitimate nodes cannot
connect to a network should be implemented.
9.4. Traffic Theft
Traffic theft is a risk if an illegitimate Converter is inserted in
the path. Indeed, inserting an illegitimate Converter in the
forwarding path allows traffic interception and can therefore provide
access to sensitive data issued by or destined to a host. Converter
discovery and configuration are out of scope of this document.
9.5. Logging
If the Converter is configured to behave in the address-sharing mode
(Section 4.4.2), the logging recommendations discussed in Section 4
of [RFC6888] need to be considered. Security-related issues
encountered in address-sharing environments are documented in
Section 13 of [RFC6269].
10. IANA Considerations
10.1. Convert Service Name
IANA has assigned a service name for the Convert Protocol from the
"Service Name and Transport Protocol Port Number Registry" available
at <https://www.iana.org/assignments/service-names-port-numbers>.
Service Name: convert
Port Number: N/A
Transport Protocol(s): TCP
Description: 0-RTT TCP Convert Protocol
Assignee: IESG <iesg@ietf.org>
Contact: IETF Chair <chair@ietf.org>
Reference: RFC 8803
Clients may use this service name to feed the procedure defined in
[RFC2782] to discover the IP address(es) and the port number used by
the Transport Converters of a domain.
10.2. The Convert Protocol (Convert) Parameters
IANA has created a new "TCP Convert Protocol (Convert) Parameters"
registry.
The following subsections detail new registries within the "Convert
Protocol (Convert) Parameters" registry.
The designated expert is expected to ascertain the existence of
suitable documentation as described in Section 4.6 of [RFC8126] and
to verify that the document is permanently and publicly available.
The designated expert is also expected to check the clarity of
purpose and use of the requested code points.
Also, criteria that should be applied by the designated experts
includes determining whether the proposed registration duplicates
existing functionality, whether it is likely to be of general
applicability or useful only for private use, and whether the
registration description is clear. All requests should be directed
to the review mailing list. For both the "Convert TLVs" and "Convert
Errors" subregistries, IANA must only accept registry updates in the
128-191 range from the designated experts. It is suggested that
multiple designated experts be appointed. In cases where a
registration decision could be perceived as creating a conflict of
interest for a particular expert, that expert should defer to the
judgment of the other experts.
10.2.1. Convert Versions
IANA has created the "Convert Versions" subregistry. New values are
assigned via IETF Review (Section 4.8 of [RFC8126]).
The initial values of the registry are as follows:
+=========+=============+===========+
| Version | Description | Reference |
+=========+=============+===========+
| 0 | Reserved | RFC 8803 |
+---------+-------------+-----------+
| 1 | Assigned | RFC 8803 |
+---------+-------------+-----------+
Table 3: Current Convert Versions
10.2.2. Convert TLVs
IANA has created the "Convert TLVs" subregistry. The procedures for
assigning values from this registry are as follows:
1-127: IETF Review
128-191: Specification Required
192-255: Private Use
The initial values of the registry are as follows:
+======+=============================+===========+
| Code | Name | Reference |
+======+=============================+===========+
| 0 | Reserved | RFC 8803 |
+------+-----------------------------+-----------+
| 1 | Info TLV | RFC 8803 |
+------+-----------------------------+-----------+
| 10 | Connect TLV | RFC 8803 |
+------+-----------------------------+-----------+
| 20 | Extended TCP Header TLV | RFC 8803 |
+------+-----------------------------+-----------+
| 21 | Supported TCP Extension TLV | RFC 8803 |
+------+-----------------------------+-----------+
| 22 | Cookie TLV | RFC 8803 |
+------+-----------------------------+-----------+
| 30 | Error TLV | RFC 8803 |
+------+-----------------------------+-----------+
Table 4: Initial Convert TLVs
10.2.3. Convert Error Messages
IANA has created the "Convert Errors" subregistry. Codes in this
registry are assigned as a function of the error type. Four types
are defined; the following ranges are reserved for each of these
types:
0-31: Message validation and processing errors
32-63: Client-side errors
64-95: Transport Converter-side errors
96-127: Errors caused by destination Server
The procedures for assigning values from this subregistry are as
follows:
0-127: IETF Review
128-191: Specification Required
192-255: Private Use
The initial values of the registry are as follows:
+=======+=========================+===========+
| Error | Description | Reference |
+=======+=========================+===========+
| 0 | Unsupported Version | RFC 8803 |
+-------+-------------------------+-----------+
| 1 | Malformed Message | RFC 8803 |
+-------+-------------------------+-----------+
| 2 | Unsupported Message | RFC 8803 |
+-------+-------------------------+-----------+
| 3 | Missing Cookie | RFC 8803 |
+-------+-------------------------+-----------+
| 32 | Not Authorized | RFC 8803 |
+-------+-------------------------+-----------+
| 33 | Unsupported TCP Option | RFC 8803 |
+-------+-------------------------+-----------+
| 64 | Resource Exceeded | RFC 8803 |
+-------+-------------------------+-----------+
| 65 | Network Failure | RFC 8803 |
+-------+-------------------------+-----------+
| 96 | Connection Reset | RFC 8803 |
+-------+-------------------------+-----------+
| 97 | Destination Unreachable | RFC 8803 |
+-------+-------------------------+-----------+
Table 5: Initial Convert Error Codes
11. References
11.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>.
[RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP
Selective Acknowledgment Options", RFC 2018,
DOI 10.17487/RFC2018, October 1996,
<https://www.rfc-editor.org/info/rfc2018>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <https://www.rfc-editor.org/info/rfc2827>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <https://www.rfc-editor.org/info/rfc4291>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
2007, <https://www.rfc-editor.org/info/rfc4787>.
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007,
<https://www.rfc-editor.org/info/rfc4987>.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
June 2010, <https://www.rfc-editor.org/info/rfc5925>.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153,
RFC 6890, DOI 10.17487/RFC6890, April 2013,
<https://www.rfc-editor.org/info/rfc6890>.
[RFC7323] Borman, D., Braden, B., Jacobson, V., and R.
Scheffenegger, Ed., "TCP Extensions for High Performance",
RFC 7323, DOI 10.17487/RFC7323, September 2014,
<https://www.rfc-editor.org/info/rfc7323>.
[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
<https://www.rfc-editor.org/info/rfc7413>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8684] Ford, A., Raiciu, C., Handley, M., Bonaventure, O., and C.
Paasch, "TCP Extensions for Multipath Operation with
Multiple Addresses", RFC 8684, DOI 10.17487/RFC8684, March
2020, <https://www.rfc-editor.org/info/rfc8684>.
11.2. Informative References
[ANRW17] Trammell, B., Kuehlewind, M., De Vaere, P., Learmonth, I.,
and G. Fairhurst, "Tracking transport-layer evolution with
PATHspider", Applied Networking Research Workshop 2017
(ANRW17), July 2017.
[DHC-CONVERTER]
Boucadair, M., Jacquenet, C., and T. Reddy.K, "DHCP
Options for 0-RTT TCP Converters", Work in Progress,
Internet-Draft, draft-boucadair-tcpm-dhc-converter-03, 7
October 2019, <https://tools.ietf.org/html/draft-
boucadair-tcpm-dhc-converter-03>.
[Fukuda2011]
Fukuda, K., "An Analysis of Longitudinal TCP Passive
Measurements (Short Paper)", Traffic Monitoring and
Analysis, TMA 2011, Lecture Notes in Computer Science,
vol. 6613, 2011.
[HOT-MIDDLEBOX13]
Detal, G., Paasch, C., and O. Bonaventure, "Multipath in
the Middle(Box)", HotMiddlebox'13,
DOI 10.1145/2535828.2535829, December 2013,
<https://inl.info.ucl.ac.be/publications/multipath-
middlebox>.
[IANA-CONVERT]
IANA, "TCP Convert Protocol (Convert) Parameters",
<https://www.iana.org/assignments/tcp-convert-protocol-
parameters>.
[IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployments",
IETF Journal, Vol. 12, Issue 2, November 2016.
[IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A.,
Handley, M., and T. Hideyuki, "Is it still possible to
extend TCP?", Proceedings of the 2011 ACM SIGCOMM
conference on Internet measurement conference,
DOI 10.1145/2068816.2068834, November 2011,
<https://doi.org/10.1145/2068816.2068834>.
[INTAREA-SOCKS]
Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6",
Work in Progress, Internet-Draft, draft-olteanu-intarea-
socks-6-10, 13 July 2020, <https://tools.ietf.org/html/
draft-olteanu-intarea-socks-6-10>.
[LOW-LATENCY]
Arkko, J. and J. Tantsura, "Low Latency Applications and
the Internet Architecture", Work in Progress, Internet-
Draft, draft-arkko-arch-low-latency-02, 30 October 2017,
<https://tools.ietf.org/html/draft-arkko-arch-low-latency-
02>.
[MPTCP-PLAIN]
Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel,
D., Secci, S., Henderickx, W., Skog, R., Vinapamula, S.,
Seo, S., Cloetens, W., Meyer, U., Contreras, L., and B.
Peirens, "Extensions for Network-Assisted MPTCP Deployment
Models", Work in Progress, Internet-Draft, draft-
boucadair-mptcp-plain-mode-10, March 2017,
<https://tools.ietf.org/html/draft-boucadair-mptcp-plain-
mode-10>.
[MPTCP-TRANSPARENT]
Peirens, B., Detal, G., Barre, S., and O. Bonaventure,
"Link bonding with transparent Multipath TCP", Work in
Progress, Internet-Draft, draft-peirens-mptcp-transparent-
00, 8 July 2016, <https://tools.ietf.org/html/draft-
peirens-mptcp-transparent-00>.
[RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers",
RFC 1812, DOI 10.17487/RFC1812, June 1995,
<https://www.rfc-editor.org/info/rfc1812>.
[RFC1919] Chatel, M., "Classical versus Transparent IP Proxies",
RFC 1919, DOI 10.17487/RFC1919, March 1996,
<https://www.rfc-editor.org/info/rfc1919>.
[RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and
L. Jones, "SOCKS Protocol Version 5", RFC 1928,
DOI 10.17487/RFC1928, March 1996,
<https://www.rfc-editor.org/info/rfc1928>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
<https://www.rfc-editor.org/info/rfc2782>.
[RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z.
Shelby, "Performance Enhancing Proxies Intended to
Mitigate Link-Related Degradations", RFC 3135,
DOI 10.17487/RFC3135, June 2001,
<https://www.rfc-editor.org/info/rfc3135>.
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)",
RFC 4279, DOI 10.17487/RFC4279, December 2005,
<https://www.rfc-editor.org/info/rfc4279>.
[RFC5461] Gont, F., "TCP's Reaction to Soft Errors", RFC 5461,
DOI 10.17487/RFC5461, February 2009,
<https://www.rfc-editor.org/info/rfc5461>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>.
[RFC6731] Savolainen, T., Kato, J., and T. Lemon, "Improved
Recursive DNS Server Selection for Multi-Interfaced
Nodes", RFC 6731, DOI 10.17487/RFC6731, December 2012,
<https://www.rfc-editor.org/info/rfc6731>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>.
[RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis,
"Increasing TCP's Initial Window", RFC 6928,
DOI 10.17487/RFC6928, April 2013,
<https://www.rfc-editor.org/info/rfc6928>.
[RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT
Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013,
<https://www.rfc-editor.org/info/rfc6978>.
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Weiler, S., and T. Kivinen, "Using Raw Public Keys in
Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, <https://www.rfc-editor.org/info/rfc7250>.
[RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A.
Zimmermann, "A Roadmap for Transmission Control Protocol
(TCP) Specification Documents", RFC 7414,
DOI 10.17487/RFC7414, February 2015,
<https://www.rfc-editor.org/info/rfc7414>.
[RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and
Operational Experience with Multipath TCP", RFC 8041,
DOI 10.17487/RFC8041, January 2017,
<https://www.rfc-editor.org/info/rfc8041>.
[RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2:
Better Connectivity Using Concurrency", RFC 8305,
DOI 10.17487/RFC8305, December 2017,
<https://www.rfc-editor.org/info/rfc8305>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8548] Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack,
Q., and E. Smith, "Cryptographic Protection of TCP Streams
(tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019,
<https://www.rfc-editor.org/info/rfc8548>.
[TCPM-CONVERTER]
Boucadair, M. and C. Jacquenet, "RADIUS Extensions for
0-RTT TCP Converters", Work in Progress, Internet-Draft,
draft-boucadair-opsawg-tcpm-converter-01, 28 February
2020, <https://tools.ietf.org/html/draft-boucadair-opsawg-
tcpm-converter-01>.
[TS23501] 3GPP (3rd Generation Partnership Project), "Technical
Specification Group Services and System Aspects; System
architecture for the 5G System; Stage 2 (Release 16)",
2019, <https://www.3gpp.org/ftp/Specs/
archive/23_series/23.501/>.
Appendix A. Example Socket API Changes to Support the 0-RTT TCP Convert
Protocol
A.1. Active Open (Client Side)
On the Client side, the support of the 0-RTT Converter protocol does
not require any other changes than those identified in Appendix A of
[RFC7413]. Those modifications are already supported by multiple TCP
stacks.
As an example, on Linux, a Client can send the 0-RTT Convert message
inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in
the example below:
s = socket(AF_INET, SOCK_STREAM, 0);
sendto(s, buffer, buffer_len, MSG_FASTOPEN,
(struct sockaddr *) &server_addr, addr_len);
The Client side of the Linux TFO can be used in two different modes
depending on the host configuration (sysctl tcp_fastopen variable):
0x1: (client) enables sending data in the opening SYN on the Client.
0x4: (client) enables sending data in the opening SYN regardless of
cookie availability and without a cookie option.
By setting this configuration variable to 0x5, a Linux Client using
the above code would send data inside the SYN without using a TFO
option.
A.2. Passive Open (Converter Side)
The Converter needs to enable the reception of data inside the SYN
independently of the utilization of the TFO option. This implies
that the Transport Converter application cannot rely on the Fast Open
Cookies to validate the reachability of the IP address that sent the
SYN. It must rely on other techniques, such as the Cookie TLV
described in this document, to verify this reachability.
[RFC7413] suggested the utilization of a TCP_FASTOPEN socket option
to enable the reception of SYNs containing data. Later, Appendix A
of [RFC7413] mentioned:
| Traditionally, accept() returns only after a socket is connected.
| But, for a Fast Open connection, accept() returns upon receiving a
| SYN with a valid Fast Open cookie and data, and the data is
| available to be read through, e.g., recvmsg(), read().
To support the 0-RTT TCP Convert Protocol, this behavior should be
modified as follows:
| Traditionally, accept() returns only after a socket is connected.
| But, for a Fast Open connection, accept() returns upon receiving a
| SYN with data, and the data is available to be read through, e.g.,
| recvmsg(), read(). The application that receives such SYNs with
| data must be able to validate the reachability of the source of
| the SYN and also deal with replayed SYNs.
The Linux Server side can be configured with the following sysctls:
0x2: (server) enables the Server support, i.e., allowing data in a
SYN packet to be accepted and passed to the application before a
3-way handshake finishes.
0x200: (server) accepts data-in-SYN w/o any cookie option present.
However, this configuration is system wide. This is convenient for
typical Transport Converter deployments where no other applications
relying on TFO are collocated on the same device.
Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to
provide the same behavior on a per-socket basis. This enables a
single host to support both Servers that require the Fast Open Cookie
and Servers that do not use it.
Acknowledgments
Although they could disagree with the contents of the document, we
would like to thank Joe Touch and Juliusz Chroboczek, whose comments
on the MPTCP mailing list have forced us to reconsider the design of
the solution several times.
We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha
Nandugudi, and Gregory Vander Schueren for their help in preparing
this document. Nandini Ganesh provided valuable feedback about the
handling of TFO and the error codes. Yuchung Cheng and Praveen
Balasubramanian helped to clarify the discussion on supplying data in
SYNs. Phil Eardley and Michael Scharf helped to clarify different
parts of the text. Thanks to Éric Vyncke, Roman Danyliw, Benjamin
Kaduk, and Alexey Melnikov for the IESG review, and Christian Huitema
for the Security Directorate review.
Many thanks to Mirja Kühlewind for the detailed AD review.
This document builds upon earlier documents that proposed various
forms of Multipath TCP proxies: [MPTCP-PLAIN], [MPTCP-TRANSPARENT],
and [HOT-MIDDLEBOX13].
From [MPTCP-PLAIN]:
Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi
Nishida, and Christoph Paasch for their valuable comments.
Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and
Sri Gundavelli for the fruitful discussions at IETF 95 (Buenos
Aires).
Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and
Xavier Grall for their input.
Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas
Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves
Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun
Srinivasan, and Raghavendra Mallya for their input.
Contributors
Bart Peirens contributed to an early draft version of this document.
As noted above, this document builds on two previous documents.
The authors of [MPTCP-PLAIN] were:
* Mohamed Boucadair
* Christian Jacquenet
* Olivier Bonaventure
* Denis Behaghel
* Stefano Secci
* Wim Henderickx
* Robert Skog
* Suresh Vinapamula
* SungHoon Seo
* Wouter Cloetens
* Ullrich Meyer
* Luis M. Contreras
* Bart Peirens
The authors of [MPTCP-TRANSPARENT] were:
* Bart Peirens
* Gregory Detal
* Sebastien Barre
* Olivier Bonaventure
Authors' Addresses
Olivier Bonaventure (editor)
Tessares
Avenue Jean Monnet 1
B-1348 Louvain-la-Neuve
Belgium
Email: Olivier.Bonaventure@tessares.net
Mohamed Boucadair (editor)
Orange
Clos Courtel
35000 Rennes
France
Email: mohamed.boucadair@orange.com
Sri Gundavelli
Cisco
170 West Tasman Drive
San Jose, CA 95134
United States of America
Email: sgundave@cisco.com
SungHoon Seo
Korea Telecom
151 Taebong-ro
Seocho-gu, Seoul, 06763
Republic of Korea
Email: sh.seo@kt.com
Benjamin Hesmans
Tessares
Avenue Jean Monnet 1
B-1348 Louvain-la-Neuve
Belgium
Email: Benjamin.Hesmans@tessares.net
|
