0-RTT TCP Convert ProtocolTessaresOlivier.Bonaventure@tessares.netOrangeClos CourtelRennes35000Francemohamed.boucadair@orange.comCiscosgundave@cisco.comKorea Telecomsh.seo@kt.comTessaresBenjamin.Hesmans@tessares.net
Transport
TCPM Working GroupHybrid accessaggregationtransport evolutionfuture internetextensionTrafic SteeringATSSSMultipath TCPThis document specifies an application proxy, called Transport
Converter, to assist the deployment of TCP extensions such as Multipath
TCP. A Transport Converter may provide conversion service for one or
more TCP extensions. The conversion service is provided by means of the
TCP Convert Protocol (Convert).This protocol provides 0-RTT (Zero Round-Trip Time) conversion
service since no extra delay is induced by the protocol compared to
connections that are not proxied. Also, the Convert Protocol does not
require any encapsulation (no tunnels, whatsoever).This specification assumes an explicit model, where the Transport
Converter is explicitly configured on hosts. As a sample applicability
use case, this document specifies how the Convert Protocol applies for
Multipath TCP.Transport protocols like TCP evolve regularly . TCP has been improved in different ways.
Some improvements such as changing the initial window size or modifying the congestion control scheme
can be applied independently on clients and servers. Other
improvements such as Selective Acknowledgments or large windows require a new TCP option or to change the
semantics of some fields in the TCP header. These modifications must
be deployed on both clients and servers to be actually used on the
Internet. Experience with the latter class of TCP extensions reveals
that their deployment can require many years. Fukuda reports in results of a decade of measurements
showing the deployment of Selective Acknowledgments, Window Scale, and
TCP Timestamps. describes measurements
showing that TCP Fast Open (TFO) is
still not widely deployed.There are some situations where the transport stack used on clients
(or servers) can be upgraded at a faster pace than the transport stack
running on servers (or clients). In those situations, clients would
typically want to benefit from the features of an improved transport
protocol even if the servers have not yet been upgraded and
conversely. Some assistance from the network to make use of these
features is valuable. For example, Performance Enhancing Proxies , and other service functions have been
deployed as solutions to improve TCP performance over links with
specific characteristics.Recent examples of TCP extensions include Multipath TCP (MPTCP)
or TCPINC . Those extensions provide features that are
interesting for clients such as wireless devices. With Multipath TCP,
those devices could seamlessly use Wireless Local Area Network (WLAN)
and cellular networks, for bonding purposes, faster hand-overs, or
better resiliency. Unfortunately, deploying those extensions on both a
wide range of clients and servers remains difficult.More recently, 5G bonding experimentation has been conducted into
global range of the incumbent 4G (LTE) connectivity using newly
devised clients and a Multipath TCP proxy. Even if the 5G and the 4G
bonding (that relies upon Multipath TCP) increases the bandwidth, it
is as well crucial to minimize latency for all the way between
endhosts regardless of whether intermediate nodes are inside or
outside of the mobile core. In order to handle Ultra Reliable Low
Latency Communication (URLLC) for the next generation mobile network,
Multipath TCP and its proxy mechanism such as the one used to provide
Access Traffic Steering, Switching, and Splitting (ATSSS) must be
optimized to reduce latency .This document specifies an application proxy, called Transport
Converter. A Transport Converter is a function that is installed by a
network operator to aid the deployment of TCP extensions and to
provide the benefits of such extensions to clients in particular. A
Transport Converter may provide conversion service for one or more TCP
extensions. Which TCP extensions are eligible to the conversion
service is deployment-specific. The conversion service is provided by
means of the 0-RTT TCP Convert Protocol (Convert), that is an
application-layer protocol which uses a specific TCP port number on
the Converter.The Convert Protocol provides Zero Round-Trip Time (0-RTT)
conversion service since no extra delay is induced by the protocol
compared to connections that are not proxied. Particularly, the
Convert Protocol does not require extra signaling setup delays before
making use of the conversion service. The Convert Protocol does not
require any encapsulation (no tunnels, whatsoever).The Transport Converter adheres to the main steps drawn in Section
3 of . In particular, a Transport
Converter achieves the following:Listen for client sessions;Receive from a client the address of the server;Setup a session to the server;Relay control messages and data between the client and the
server;Perform access controls according to local policies.The main advantage of network-assisted conversion services is that
they enable new TCP extensions to be used on a subset of the path
between endpoints, which encourages the deployment of these
extensions. Furthermore, the Transport Converter allows the client and
the server to directly negotiate TCP extensions for the sake of native
support along the full path.The Convert Protocol is a generic mechanism to provide 0-RTT
conversion service. As a sample applicability use case, this document
specifies how the Convert Protocol applies for Multipath TCP. It is
out of scope of this document to provide a comprehensive list of all
potential conversion services. Applicability documents may be defined
in the future.This document does not assume that all the traffic is eligible to
the network-assisted conversion service. Only a subset of the traffic
will be forwarded to a Transport Converter according to a set of
policies. These policies, and how they are communicated to endpoints,
are out of scope. Furthermore, it is possible to bypass the Transport
Converter to connect directly to the servers that already support the
required TCP extension(s).This document assumes an explicit model in which a client is
configured with one or a list of Transport Converters (statically or
through protocols such as ). Configuration
means are outside the scope of this document.The use of a Transport Converter means that there is no end-to-end
transport connection between the client and server. This could
potentially create problems in some scenarios such as those discussed
in Section 4 of . Some of these problems
may not be applicable, for example, a Transport Converter can inform a
client by means of Network Failure (65) or Destination Unreachable
(97) error messages () that it
encounters a failure problem; the client can react accordingly. An
endpoint, or its network administrator, can assess the benefit
provided by the Transport Converter service versus the risk. This is
one reason why the Transport Converter functionality has to be
explicitly requested by an endpoint.This document is organized as follows. First, provides a brief overview of the
differences between the well-known SOCKS protocol and the 0-RTT
Convert protocol. provides a brief
explanation of the operation of Transport Converters. Then, describes the Convert Protocol. discusses how Transport Converters can
be used to support different TCP extensions. then discusses the interactions with
middleboxes, while focuses on the
security considerations. describes how
a TCP stack would need to support the protocol described in this
document.0-RTT TCP Convert Protocol specified in this document MUST be used
in a single administrative domain deployment model. That is, the
entity offering the connectivity service to a client is also be entity
which owns and operates the Transport Converter, with no transit over
a third-party network.Future deployment of Transport Converters by third parties MUST
adhere to the mutual authentication requirements in to prevent illegitimate traffic
interception (), in
particular.Several IETF protocols provide proxy services; the closest to the
0-RTT Convert protocol being the SOCKSv5 protocol . This protocol is already used to deploy
Multipath TCP in some cellular networks (Section 2.2 of ).A SOCKS Client creates a connection to a SOCKS Proxy, exchanges
authentication information, and indicates the IP address and port number
of the target Server. At this point, the SOCKS Proxy creates a
connection towards the target Server and relays all data between the two
proxied connections. The operation of an implementation based on SOCKSv5
(without authentication) is illustrated in .When SOCKS is used, an "end-to-end" connection between a Client and a
Server becomes a sequence of two TCP connections that are glued together
on the SOCKS Proxy. The SOCKS Client and Server exchange control
information at the beginning of the bytestream on the Client-Proxy
connection. The SOCKS Proxy then creates the connection with the target
Server and then glues the two connections together so that all bytes
sent by the application (Client) to the SOCKS Proxy are relayed to the
Server and vice versa.The Convert Protocol is also used on TCP proxies that relay data
between an upstream and a downstream connection, but there are important
differences with SOCKSv5. A first difference is that the 0-RTT Convert
protocol exchanges all the control information during the initial RTT.
This reduces the connection establishment delay compared to SOCKS which
requires two or more round-trip-times before the establishment of the
downstream connection towards the final destination. In today's
Internet, latency is an important metric and various protocols have been
tuned to reduce their latency . A recently proposed
extension to SOCKS leverages the TCP Fast Open (TFO) option to reduce this delay.A second difference is that the Convert Protocol explicitly takes the
TCP extensions into account. By using the Convert Protocol, the Client
can learn whether a given TCP extension is supported by the destination
Server. This enables the Client to bypass the Transport Converter when
the Server supports the required TCP extension(s). Neither SOCKSv5 nor the proposed SOCKSv6 provide such a feature.A third difference is that a Transport Converter will only confirm
the establishment of the connection initiated by the Client provided
that the downstream connection has already been accepted by the Server.
If the Server refuses the connection establishment attempt from the
Transport Converter, then the upstream connection from the Client is
rejected as well. This feature is important for applications that check
the availability of a Server or use the time to connect as a hint on the
selection of a Server .A fourth difference is that the 0-RTT Convert protocol only allows
the Client to specify the IP address/port number of the destination
server and not a DNS name. We evaluated an alternate design that
included the DNS name of the remote peer instead of its IP address as in
SOCKS . However, that design was not
adopted because it induces both an extra load and increased delays on
the Transport Converter to handle and manage DNS resolution requests.
Note that the name resolution at the Converter may fail (e.g., private
names discussed in Section 2.1 of ) or may
not match the one that would be returned by a Client's resolution
library (e.g., Section 2.2 of ).The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and
only when, they appear in all capitals, as shown here.The Convert Protocol considers three functional elements:Clients;Transport Converters;Servers.A Transport Converter is a network function that proxies all data
exchanged over one upstream connection to one downstream connection
and vice versa (). The Transport
Converter, thus, maintains state that associates one upstream
connection to a corresponding downstream connection.A connection can be initiated from both sides of the Transport
Converter (External realm, Internal realm)."Client" refers to a software instance embedded on a host that can
reach a Transport Converter in the internal realm. The "Client" can
initiate connections via a Transport Converter (referred to as
outgoing connections). Also, the "Client" can accept incoming
connections via a Transport Converter (referred to as incoming
connections).A Transport Converter can be embedded in a standalone device or be
activated as a service on a router. How such function is enabled is
deployment-specific.The architecture assumes that new software will be installed on the
Client hosts to interact with one or more Transport Converters.
Furthermore, the architecture allows for making use of new TCP
extensions even if those are not supported by a given server.A Client is configured, through means that are outside the scope of
this document, with the names and/or the addresses of one or more
Transport Converters and the TCP extensions that they support. The
procedure for selecting a Transport Converter among a list of
configured Transport Converters is outside the scope of this
document.One of the benefits of this design is that different transport
protocol extensions can be used on the upstream and the downstream
connections. This encourages the deployment of new TCP extensions
until they are widely supported by servers, in particular.The architecture does not mandate anything on the Server side.Similar to SOCKS, the architecture does not interfere with
end-to-end TLS connections between the
Client and the Server (). In other words,
end-to-end TLS is supported in the presence of a Converter.It is out of scope of this document to elaborate on specific
considerations related to the use of TLS in the Client-Converter
connection leg to exchange Convert messages (in addition to the
end-to-end TLS connection). In particular, (1) assessment whether
0-RTT data mode discussed in Section 2.3 of is safe under replay and (2) specification of
a profile for its use (Section E.5 of )
are out of scope.At a high level, the objective of the Transport Converter is to
allow the use a specific extension, e.g., Multipath TCP, on a subset
of the path even if the peer does not support this extension. This is
illustrated in where the Client
initiates a Multipath TCP connection with the Transport Converter
(packets belonging to the Multipath TCP connection are shown with
"===") while the Transport Converter uses a TCP connection with the
Server.The packets belonging to a connection established through a
Transport Converter may follow a different path than the packets
directly exchanged between the Client and the Server. Deployments
should minimize the possible additional delay by carefully selecting
the location of the Transport Converter used to reach a given
destination.When establishing a connection, the Client can, depending on local
policies, either contact the Server directly (e.g., by sending a TCP
SYN towards the Server) or create the connection via a Transport
Converter. In the latter case (that is, the conversion service is
used), the Client initiates a connection towards the Transport
Converter and indicates the IP address and port number of the Server
within the connection establishment packet. Doing so enables the
Transport Converter to immediately initiate a connection towards that
Server, without experiencing an extra delay. The Transport Converter
waits until the receipt of the confirmation that the Server agrees to
establish the connection before confirming it to the Client.The Client places the destination address and port number of the
Server in the payload of the SYN sent to the Transport Converter to
minimize connection establishment delays. The Transport Converter
maintains two connections that are combined together:the upstream connection is the one between the Client and the
Transport Converter.the downstream connection is the one between the Transport
Converter and the Server.Any user data received by the Transport Converter over the upstream
(or downstream) connection is proxied over the downstream (or
upstream) connection. illustrates the establishment of
an outgoing TCP connection by a Client through a Transport
Converter.Note: The information shown between brackets in (and other figures in the document)
refers to Convert Protocol messages described in .The Client sends a SYN destined to the Transport Converter. The
payload of this SYN contains the address and port number of the
Server. The Transport Converter does not reply immediately to this
SYN. It first tries to create a TCP connection towards the target
Server. If this upstream connection succeeds, the Transport Converter
confirms the establishment of the connection to the Client by
returning a SYN+ACK and the first bytes of the bytestream contain
information about the TCP options that were negotiated with the
Server. Also, a state entry is instantiated for this connection. This
state entry is used by the Converter to handle subsequent messages
belonging to the connection.The connection can also be established from the Internet towards a
Client via a Transport Converter ().
This is typically the case when the Client hosts an application server
that listens to a specific port number. When the Converter receives an
incoming SYN from a remote host, it checks if it can provide the
conversion service for the destination IP address and destination port
number of that SYN. The Transport Converter receives this SYN because
it is, for example, on the path between the remote host and the Client
or it provides address sharing service for the Client (Section 2 of
). If the check fails, the packet is
silently ignored by the Converter. If the check is successful, the
Converter tries to initiate a TCP connection towards the Client from
its own address and using its configured TCP options. In the SYN that
corresponds to this connection attempt, the Transport Convert inserts
a TLV message that indicates the source address and port number of the
remote host. A transport session entry is created by the Converter for
this connection. SYN+ACK and ACK will be then exchanged between the
Client, the Converter, and remote host to confirm the establishment of
the connection. The Converter uses the transport session entry to
proxy packets belonging to the connection.Standard TCP (, Section 3.4) allows a
SYN packet to carry data inside its payload but forbids the receiver
from delivering it to the application until completion of the
three-way-handshake. To enable applications to exchange data in a TCP
handshake, this specification follows an approach similar to TCP Fast
Open and thus removes the constraint by
allowing data in SYN packets to be delivered to the Transport
Converter application.As discussed in , such change to TCP
semantic raises two issues. First, duplicate SYNs can cause problems
for applications that rely on TCP; whether or not a given application
is affected dependes on the details of that application protocol.
Second, TCP suffers from SYN flooding attacks . TFO solves these two problems for
applications that can tolerate replays by using the TCP Fast Open
option that includes a cookie. However, the utilization of this option
consumes space in the limited TCP header. Furthermore, there are
situations, as noted in Section 7.3 of
where it is possible to accept the payload of SYN packets without
creating additional security risks such as a network where addresses
cannot be spoofed and the Transport Converter only serves a set of
hosts that are identified by these addresses.For these reasons, this specification does not mandate the use of
the TCP Fast Open option when the Client sends a connection
establishment packet towards a Transport Converter. The Convert
Protocol includes an optional Cookie TLV that provides similar
protection as the TCP Fast Open option without consuming space in the
TCP header. Furthermore, this design allows for the use of longer
cookies than .If the downstream (or upstream) connection fails for some reason
(excessive retransmissions, reception of an RST segment, etc.), then
the Converter reacts by forcing the tear-down of the upstream (or
downstream) connection. In particular, if an ICMP error message that
indicates a hard error is received on the downstream connection, the
Converter echoes the Code field of that ICMP message in a Destination
Unreachable Error TLV (see ) that it
transmits to the Client. Note that if an ICMP error message that
indicates a soft error is received on the downstream connection, the
Converter will retransmit the corresponding data until it is
acknowledged or the connection times out. A classification of ICMP
soft and hard errors is provided in Table 1 of .The same reasoning applies when the upstream connection ends with
an exchange of FIN segments. In this case, the Converter will also
terminate the downstream connection by using FIN segments. If the
downstream connection terminates with the exchange of FIN segments,
the Converter should initiate a graceful termination of the upstream
connection.As mentioned in , the Transport
Converter acts as a TCP proxy between the upstream connection (i.e.,
between the Client and the Transport Converter) and the downstream
connection (i.e., between the Transport Converter and the Server).The control messages, discussed in , establish state (called, transport
session entry) in the Transport Converter that will enable it to proxy
between the two TCP connections.The Transport Converter uses the transport session entry to proxy
packets belonging to the connection. An implementation example of a
transport session entry for TCP connections is shown in .Clients send packets bound to connections eligible to the
conversion service to the provisioned Transport Converter and
destination port number. This applies for both control messages and
data. Additional information is supplied by Clients to the Transport
Converter by means of Convert messages as detailed in . User data can be included in SYN or
non-SYN messages. User data is unambiguously distinguished from
Convert TLVs by a Transport Converter owing to the Convert Fixed
Header in the Convert messages ().
These Convert TLVs are destined to the Transport Convert and are,
thus, removed by the Transport Converter when proxying between the two
connections.Upon receipt of a packet that belongs to an existing connection
between a Client and the Transport Converter the Converter proxies the
user data to the Server using the information stored in the
corresponding transport session entry. For example, in reference to
, the Transport Converter proxies the
data received from (C, c) downstream using (T,t) as source transport
address and (S,s) as destination transport address.A similar process happens for data sent from the Server. The
Converter acts as a TCP proxy and sends the data to the Client relying
upon the information stored in a transport session entry. The
Converter associates a lifetime with state entries used to bind an
upstream connection with its downstream connection.When Multipath TCP is used between the Client and the Transport
Converter, the Converter maintains more state (e.g. information about
the subflows) for each Multipath TCP connection. The procedure
described above continues to apply except that the Converter needs to
manage the establishment/termination of subflows and schedule packets
among the established ones. These operations are part of the Multipath
TCP implementation. They are independent of the Convert protocol that
only processes the Convert messages in the beginning of the
bytestream.A Transport Converter may operate in address preservation mode
(that is, the Converter does not rewrite the source IP address (i.e.,
C==T)) or address sharing mode (that is, an address pool is shared
among all Clients serviced by the Converter (i.e., C!=T)); refer to
for more details. Which behavior to use
by a Transport Converter is deployment-specific. If address sharing
mode is enabled, the Transport Converter MUST adhere to REQ-2 of which implies a default "IP address pooling"
behavior of "Paired" (as defined in Section 4.1 of ) MUST be supported. This behavior is meant to
avoid breaking applications that depend on the source address
remaining constant.The Transport Converter is provided with instructions about the
behavior to adopt with regards to the processing of source addresses
of outgoing packets. The following sub-sections discusses two
deployment models for illustration purposes. It is out of the scope of
this document to make a recommendation.In this model, the visible source IP address of a packet proxied
by a Transport Converter to a Server is an IP address of the end
host (Client). No dedicated IP address pool is provisioned to the
Transport Converter, but the Transport Converter is located on the
path between the Client and the Server.For Multipath TCP, the Transport Converter preserves the source
IP address used by the Client when establishing the initial subflow.
Data conveyed in secondary subflows will be proxied by the Transport
Converter using the source IP address of the initial subflow. An
example of a proxied Multipath TCP connection with address
preservation is shown in .The Transport Converter must be on the forwarding path of
incoming traffic. Because the same (destination) IP address is used
for both proxied and non-proxied connections, the Transport
Converter should not drop incoming packets it intercepts if no
matching entry is found for the packets. Unless explicitly
configured otherwise, such packets are forwarded according to the
instructions of a local forwarding table.A pool of global IPv4 addresses is provisioned to the Transport
Converter along with possible instructions about the address sharing
ratio to apply (see Appendix B of ).
An address is thus shared among multiple clients.Likewise, rewriting the source IPv6 prefix may be used to ease redirection of incoming
IPv6 traffic towards the appropriate Transport Converter. A pool of
IPv6 prefixes is then provisioned to the Transport Converter for
this purpose.Adequate forwarding policies are enforced so that traffic
destined to an address of such pool is intercepted by the
appropriate Transport Converter. Unlike , the Transport Converter drops incoming
packets which do not match an active transport session entry.An example is shown in .As an example, let us consider how the Convert Protocol can help
the deployment of Multipath TCP. We assume that both the Client and
the Transport Converter support Multipath TCP, but consider two
different cases depending on whether the Server supports Multipath TCP
or not.As a reminder, a Multipath TCP connection is created by placing the
MP_CAPABLE (MPC) option in the SYN sent by the Client. describes the operation of the
Transport Converter if the Server does not support Multipath TCP.The Client tries to initiate a Multipath TCP connection by sending
a SYN with the MP_CAPABLE option (MPC in ). The SYN includes the address and port
number of the target Server, that are extracted and used by the
Transport Converter to initiate a Multipath TCP connection towards
this Server. Since the Server does not support Multipath TCP, it
replies with a SYN+ACK that does not contain the MP_CAPABLE option.
The Transport Converter notes that the connection with the Server does
not support Multipath TCP and returns the extended TCP header received
from the Server to the Client.Note that, if the TCP connection is reset for some reason, the
Converter tears down the Multipath TCP connection by transmitting a
MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with the
transmission of DATA_FINs, the Converter terminates the TCP connection
by using FIN segments. As a side note, given that with Multipath TCP,
RST only has the scope of the subflow and will only close the
concerned subflow but not affect the remaining subflows, the Converter
does not terminate the downstream TCP connection upon receipt of an
RST over a Multipath subflow. considers a Server that
supports Multipath TCP. In this case, it replies to the SYN sent by
the Transport Converter with the MP_CAPABLE option. Upon reception of
this SYN+ACK, the Transport Converter confirms the establishment of
the connection to the Client and indicates to the Client that the
Server supports Multipath TCP. With this information, the Client has
discovered that the Server supports Multipath TCP. This will enable
the Client to bypass the Transport Converter for the subsequent
Multipath TCP connections that it will initiate towards this
Server.An example of an incoming Converter-assisted Multipath TCP
connection is depicted in . In order
to support incoming connections from remote hosts, the Client may use
PCP to instruct the Transport Converter
to create dynamic mappings. Those mappings will be used by the
Transport Converter to intercept an incoming TCP connection destined
to the Client and convert it into a Multipath TCP connection.Typically, the Client sends a PCP request to the Converter asking
to create an explicit TCP mapping for (internal IP address, internal
port number). The Converter accepts the request by creating a TCP
mapping (internal IP address, internal port number, external IP
address, external port number). The external IP address, external port
number, and assigned lifetime are returned back the Client in the PCP
response. The external IP address and external port number will be
then advertised by the Client (or the user) using an out-of-band
mechanism so that remote hosts can initiate TCP connections to the
Client via the Converter. Note that the external and internal
information may be the same.Then, when the Converter receives an incoming SYN, it checks its
mapping table to verify if there is an active mapping matching the
destination IP address and destination port of that SYN. If no entry
is found, the Converter silently ignores the message. If an entry is
found, the Converter inserts an MP_CAPABLE option and Connect TLV in
the SYN packet, rewrites the source IP address to one of its IP
addresses and, eventually, the destination IP address and port number
in accordance with the information stored in the mapping. SYN+ACK and
ACK will be then exchanged between the Client and the Converter to
confirm the establishment of the initial subflow. The Client can add
new subflows following normal Multipath TCP procedures.It is out of scope of this document to define specific Convert TLVs
to manage incoming connections (that is, TLVs that mimic PCP
messages). These TLVs can be defined in a separate document.This section defines the Convert Protocol (Convert, for short)
messages that are exchanged between a Client and a Transport
Converter.The Transport Converter listens on a specific TCP port number for
Convert messages from Clients. That port number is configured by an
administrator. Absent any policy, the Transport Converter SHOULD
silently ignore SYNs with no Convert TLVs.Convert messages may appear only in SYN, SYN+ACK, or ACK.Convert messages MUST be included as the first bytes of the
bytestream. All Convert messages starts with a 32 bits long fixed header
() followed by one or more Convert TLVs
(Type, Length, Value) ().If the initial SYN message contains user data in its payload (e.g.,
), that data MUST be placed right after
the Convert TLVs when generating the SYN.The protocol can be extended by defining new TLVs or bumping the
version number if a different message format is needed. If a future
version is defined but with a different message format, the version
negotiation procedure defined in (see
"Unsupported Version") is meant to agree on a version that is supported
by both peers.Implementation note 1: Several implementers expressed concerns
about the use of TFO. As a reminder, the TFO Cookie protects from
some attack scenarios that affect open servers like web servers. The
Convert Protocol is different and, as discussed in RFC7413, there
are different ways to protect from such attacks. Instead of using a
TFO cookie inside the TCP options, which consumes precious space in
the extended TCP header, the Convert Protocol supports the
utilization of a Cookie that is placed in the SYN payload. This
provides the same level of protection as a TFO Cookie in
environments were such protection is required.Implementation note 2: Error messages are not included in RST but
sent in the bytestream. Implementers have indicated that processing
RST on clients was difficult on some platforms. This design
simplifies client implementations.The Convert Protocol uses a 32 bits long fixed header that is sent
by both the Client and the Transport Converter over each established
connection. This header indicates both the version of the protocol
used and the length of the Convert message.The Client and the Transport Converter MUST send the fixed-sized
header, shown in , as the first four
bytes of the bytestream.The Version is encoded as an 8 bits unsigned integer value. This
document specifies version 1. Version 0 is reserved by this document
and MUST NOT be used.Note: Early versions of this specification don't use a
dedicated port number but only rely upon the IP address of the
Converter. Having a bit set in the version field together with the
length field allows to avoid mis-interpreting a data in a SYN as
Convert TLVs. Since the design was updated to use a specific
service port, that constraint was relaxed. Version 0 would work
but given existing implementations already use Version 1, the use
of Version 0 is maintained as reserved.The Total Length is the number of 32 bits word, including the
header, of the bytestream that are consumed by the Convert messages.
Since Total Length is also an 8 bits unsigned integer, those messages
cannot consume more than 1020 bytes of data. This limits the number of
bytes that a Transport Converter needs to process. A Total Length of
zero is invalid and the connection MUST be reset upon reception of a
header with such total length.The Magic Number field MUST be set to the RFC number to be assigned
to this document. This field is meant to further strengthen the
protocol to unambiguously distinguish any data supplied by an
application from Convert TLVs. Note to the RFC Editor: Please replace "the RFC number to be
assigned to this document" with the hex representation of the RFC
number assigned to this document.The Total Length field unambiguously marks the number of 32 bits
words that carry Convert TLVs in the beginning of the bytestream.The Convert Protocol uses variable length messages that are
encoded using the generic TLV format depicted in .The length of all TLVs used by the Convert Protocol is always a
multiple of four bytes. All TLVs are aligned on 32 bits boundaries.
All TLV fields are encoded using the network byte order.The Length field covers Type, Length, and Value fields. It is
expressed in units of 32 bits words. If necessary, Value MUST be
padded with zeroes so that the length of the TLV is a multiple of 32
bits.A given TLV MUST only appear once on a connection. If a Client
receives two or more instances of the same TLV over a Convert
connection, it MUST reset the associated TCP connection. If a
Converter receives two or more instances of the same TLV over a
Convert connection, it MUST return a Malformed Message Error TLV and
close the associated TCP connection.This document specifies the following Convert TLVs:Type 0x0 is a reserved value. If a Client receives a TLV of type
0x0, it MUST reset the associated TCP connection. If a Converter
receives a TLV of type 0x0, it MUST return an Unsupported Message
Error TLV and close the associated TCP connection.The Client typically sends in the first connection it established
with a Transport Converter the Info TLV () to learn its capabilities.
Assuming the Client is authorized to invoke the Transport Converter,
the latter replies with the Supported TCP Extensions TLV ().The Client can request the establishment of connections to
servers by using the Connect TLV (). If the connection can be established
with the final server, the Transport Converter replies with the
Extended TCP Header TLV (). If
not, the Transport Converter MUST return an Error TLV () and then closes the connection. The
Transport Converter MUST NOT send an RST immediately after the
detection of an error to let the Error TLV reach the Client. As
explained later, the Client will anyway send an RST upon reception
of the Error TLV.The Info TLV () is an
optional TLV which can be sent by a Client to request the TCP
extensions that are supported by a Transport Converter. It is
typically sent on the first connection that a Client establishes
with a Transport Converter to learn its capabilities. Assuming a
Client is entitled to invoke the Transport Converter, the latter
replies with the Supported TCP Extensions TLV described in .The Supported TCP Extensions TLV () is used by a Transport Converter to
announce the TCP options for which it provides a conversion service.
A Transport Converter SHOULD include in this list the TCP options
that it supports in outgoing SYNs.Each supported TCP option is encoded with its TCP option Kind
listed in the "TCP Parameters" registry maintained by IANA. The
Unassigned field MUST be set to zero by the Transport Converter and
ignored by the Client.TCP option Kinds 1 and 2 defined in are supported by all TCP implementations
and thus MUST NOT appear in this list.The list of Supported TCP Extensions is padded with 0 to end on a
32 bits boundary.For example, if the Transport Converter supports Multipath TCP,
Kind=30 will be present in the Supported TCP Extensions TLV that it
returns in response to Info TLV.The Connect TLV () is used to
request the establishment of a connection via a Transport Converter.
This connection can be from or to a Client.The 'Remote Peer Port' and 'Remote Peer IP Address' fields
contain the destination port number and IP address of the Server,
for outgoing connections. For incoming connections destined to a
Client serviced via a Transport Converter, these fields convey the
source port number and IP address of the SYN packet received by the
Transport Converter from the server.The Remote Peer IP Address MUST be encoded as an IPv6 address.
IPv4 addresses MUST be encoded using the IPv4-Mapped IPv6 Address
format defined in . Further, Remote
Peer IP address field MUST NOT include multicast, broadcast, and
host loopback addresses . If a
Converter receives a Connect TLVs with such invalid addresses, it
MUST reply with a Malformed Message Error TLV and close the
associated TCP connection.We distinguish two types of Connect TLV based on their length:
(1) the Base Connect TLV has a length set to 5 (i.e., 20 bytes) and
contains a remote address and a remote port (), (2) the Extended Connect TLV spans
more than 20 bytes and also includes the optional 'TCP Options'
field (). This field is used to
request the advertisement of specific TCP options to the server.The 'TCP Options' field is a variable length field that carries a
list of TCP option fields (). Each
TCP option field is encoded as a block of 2+n bytes where the first
byte is the TCP option Kind and the second byte is the length of the
TCP option as specified in . The
minimum value for the TCP option Length is 2. The TCP options that
do not include a length sub-field, i.e., option types 0 (EOL) and 1
(NOP) defined in MUST NOT be placed
inside the TCP options field of the Connect TLV. The optional Value
field contains the variable-length part of the TCP option. A length
of two indicates the absence of the Value field. The TCP options
field always ends on a 32 bits boundary after being padded with
zeros.Upon reception of a Base Connect TLV, and absent any policy
(e.g., rate-limit) or resource exhaustion conditions, a Transport
Converter attempts to establish a connection to the address and port
that it contains. The Transport Converter MUST use by default the
TCP options that correspond to its local policy to establish this
connection. Upon reception of an Extended Connect TLV, a Transport Converter
first checks whether it supports the TCP Options listed in the 'TCP
Options' field. If not, it returns an error TLV set to "Unsupported
TCP Option" (). If the above check
succeeded and absent any rate limit policy or resource exhaustion
conditions, a Transport Converter MUST attempt to establish a
connection to the address and port that it contains. It MUST include
in the SYN that it sends to the Server the options listed in the
'TCP Options' sub-field and the TCP options that it would have used
according to its local policies. For the TCP options that are
included in the TCP Options field without an optional value, the
Transport Converter MUST generate its own value. For the TCP options
that are included in the 'TCP Options' field with an optional value,
it MUST copy the entire option in the SYN sent to the remote server.
This procedure is designed with TFO in mind. Particularly, this
procedure allows to successfully exchange a TFO Cookie between the
client and the server. See for
a detailed discussion of the different types of TCP options.The Transport Converter may refuse a Connect TLV request for
various reasons (e.g., authorization failed, out of resources,
invalid address type, unsupported TCP option). An error message
indicating the encountered error is returned to the requesting
Client (). In order to prevent
denial-of-service attacks, error messages sent to a Client SHOULD be
rate-limited.The Extended TCP Header TLV () is used by the Transport Converter
to return to the Client the TCP options that were returned by the
Server in the SYN+ACK packet. A Transport Converter MUST return this
TLV if the Client sent an Extended Connect TLV and the connection
was accepted by the server. The Returned Extended TCP header field is a copy of the TCP
Options that were included in the SYN+ACK received by the Transport
Converter.The Unassigned field MUST be set to zero by the sender and
ignored by the receiver.The Cookie TLV () is an optional
TLV which is similar to the TCP Fast Open Cookie . A Transport Converter may want to verify
that a Client can receive the packets that it sends to prevent
attacks from spoofed addresses. This verification can be done by
using a Cookie that is bound to, for example, the IP address(es) of
the Client. This Cookie can be configured on the Client by means
that are outside of this document or provided by the Transport
Converter.A Transport Converter that has been configured to use the
optional Cookie TLV MUST verify the presence of this TLV in the
payload of the received SYN. If this TLV is present, the Transport
Converter MUST validate the Cookie by means similar to those in
Section 4.1.2 of (i.e.,
IsCookieValid). If the Cookie is valid, the connection establishment
procedure can continue. Otherwise, the Transport Converter MUST
return an Error TLV set to "Not Authorized" and close the
connection.If the received SYN did not contain a Cookie TLV, and cookie
validation is required, the Transport Converter MAY compute a Cookie
bound to this Client address. In such case, the Transport Converter
MUST return an Error TLV set to "Missing Cookie" and the computed
Cookie and close the connection. The Client will react to this error
by first issuing a reset to terminate the connection. It also stores
the received Cookie in its cache and attempts to reestablish a new
connection to the Transport Converter that includes the Cookie
TLV.The format of the Cookie TLV is shown in .The Error TLV () is meant to
provide information about some errors that occurred during the
processing of a Convert message. This TLV has a variable length.
Upon reception of an Error TLV, a Client MUST reset the associated
connection.An Error TLV can be included in the SYN+ACK or an ACK.Different types of errors can occur while processing Convert
messages. Each error is identified by an Error Code represented as
an unsigned integer. Four classes of error codes are defined:Message validation and processing errors (0-31 range):
returned upon reception of an invalid message (including valid
messages but with invalid or unknown TLVs).Client-side errors (32-63 range): the Client sent a request
that could not be accepted by the Transport Converter (e.g.,
unsupported operation).Converter-side errors (64-95 range): problems encountered on
the Transport Converter (e.g., lack of resources) which prevent
it from fulfilling the Client's request.Errors caused by the destination server (96-127 range): the
final destination could not be reached or it replied with a
reset.The following error codes are defined in this document:Unsupported Version (0): The version number indicated in the
fixed header of a message received from a peer is not supported.
This error code MUST be generated by a
peer (e.g. Transport Converter) when it receives a request
having a version number that it does not support. The value field MUST be set to the version
supported by the peer. When multiple versions are supported by
the peer, it includes the list of supported version in the value
field; each version is encoded in 8 bits. The list of supported
versions MUST be padded with zeros to end on a 32 bits boundary.
Upon receipt of this error code, the
remote peer (e.g., Client) checks whether it supports one of the
versions returned by the peer. The highest common supported
version MUST be used by the remote peer in subsequent exchanges
with the peer.Malformed Message (1): This error code is sent to indicate
that a message received from a peer cannot be successfully
parsed and validated. Typically, this
error code is sent by the Transport Converter if it receives a
Connect TLV enclosing a multicast, broadcast, or loopback IP
address. To ease troubleshooting, the
value field MUST echo the received message using the format
depicted in . This format allows to
keep the original alignment of the message that triggered the
error. Unsupported Message (2): This error code is sent to indicate
that a message type received from a Client is not supported.
To ease troubleshooting, the value
field MUST echo the received message using the format shown in
.Missing Cookie (3): If a Transport Converter requires the
utilization of Cookies to prevent spoofing attacks and a Cookie
TLV was not included in the Convert message, the Transport
Converter MUST return this error to the requesting client only
if it computes a cookie for this client. The first byte of the
value field MUST be set to zero and the remaining bytes of the
Error TLV contain the Cookie computed by the Transport Converter
for this Client. A Client which
receives this error code SHOULD cache the received Cookie and
include it in subsequent Convert messages sent to that Transport
Converter.Not Authorized (32): This error code indicates that the
Transport Converter refused to create a connection because of a
lack of authorization (e.g., administratively prohibited,
authorization failure, invalid Cookie TLV). The Value field MUST
be set to zero. This error code MUST
be sent by the Transport Converter when a request cannot be
successfully processed because the authorization failed.Unsupported TCP Option (33): A TCP option that the Client
requested to advertise to the final Server cannot be safely
used. The Value field is set to the
type of the unsupported TCP option. If several unsupported TCP
options were specified in the Connect TLV, then the list of
unsupported TCP options is returned. The list of unsupported TCP
options MUST be padded with zeros to end on a 32 bits
boundary.Resource Exceeded (64): This error indicates that the
Transport Converter does not have enough resources to perform
the request. This error MUST be sent
by the Transport Converter when it does not have sufficient
resources to handle a new connection. The Transport Converter
may indicate in the Value field the suggested delay (in seconds)
that the Client SHOULD wait before soliciting the Transport
Converter for a new proxied connection. A Value of zero
corresponds to a default delay of at least 30 seconds.Network Failure (65): This error indicates that the Transport
Converter is experiencing a network failure to proxy the
request. The Transport Converter MUST
send this error code when it experiences forwarding issues to
proxy a connection. The Transport Converter may indicate in the
Value field the suggested delay (in seconds) that the Client
SHOULD wait before soliciting the Transport Converter for a new
proxied connection. A Value of zero corresponds to a default
delay of at least 30 seconds.Connection Reset (96): This error indicates that the final
destination responded with an RST segment. The Value field MUST
be set to zero.Destination Unreachable (97): This error indicates that an
ICMP message indicating a hard error (e.g., destination
unreachable, port unreachable, or network unreachable) was
received by the Transport Converter. The Value field MUST echo
the Code field of the received ICMP message. As a reminder, TCP implementations are supposed
to act on an ICMP error message passed up from the IP layer,
directing it to the connection that triggered the error using
the demultiplexing information included in the payload of that
ICMP message. Such demultiplexing issue does not apply for
handling the "Destination Unreachable" Error TLV because the
error is sent in-band. For this reason, the payload of the ICMP
message is not echoed in the Destination Unreachable Error
TLV. summarizes the different
error codes.In this section, we discuss how several deployed standard track TCP
options can be supported through the Convert Protocol. The other TCP
options will be discussed in other documents.Three TCP options were initially defined in : End-of-Option List (Kind=0), No-Operation
(Kind=1) and Maximum Segment Size (Kind=2). The first two options are
mainly used to pad the TCP header. There is no reason for a client to
request a Transport Converter to specifically send these options
towards the final destination.The Maximum Segment Size option (Kind=2) is used by a host to
indicate the largest segment that it can receive over each connection.
This value is function of the stack that terminates the TCP
connection. There is no reason for a Client to request a Transport
Converter to advertise a specific MSS value to a remote server.A Transport Converter MUST ignore options with Kind=0, 1 or 2 if
they appear in a Connect TLV. It MUST NOT announce them in a Supported
TCP Extensions TLV.The Window Scale (WS) option (Kind=3) is defined in . As for the MSS option, the window scale
factor that is used for a connection strongly depends on the TCP stack
that handles the connection. When a Transport Converter opens a TCP
connection towards a remote server on behalf of a Client, it SHOULD
use a WS option with a scaling factor that corresponds to the
configuration of its stack. A local configuration MAY allow for WS
option in the proxied message to be function of the scaling factor of
the incoming connection.There is no benefit from a deployment viewpoint in enabling a
Client of a Transport Converter to specifically request the
utilization of the WS option (Kind=3) with a specific scaling factor
towards a remote Server. For this reason, a Transport Converter MUST
ignore option Kind=3 if it appears in a Connect TLV. It MUST NOT
announce it in a Supported TCP Extensions TLV.Two distinct TCP options were defined to support selective
acknowledgments in . This first one,
SACK Permitted (Kind=4), is used to negotiate the utilization of
selective acknowledgments during the three-way handshake. The second
one, SACK (Kind=5), carries the selective acknowledgments inside
regular segments.The SACK Permitted option (Kind=4) MAY be advertised by a Transport
Converter in the Supported TCP Extensions TLV. Clients connected to
this Transport Converter MAY include the SACK Permitted option in the
Connect TLV.The SACK option (Kind=5) cannot be used during the three-way
handshake. For this reason, a Transport Converter MUST ignore option
Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a
TCP Supported Extensions TLV.The Timestamp option can be used
during the three-way handshake to negotiate the utilization of
timestamps during the TCP connection. It is notably used to improve
round-trip-time estimations and to provide protection against wrapped
sequence numbers (PAWS). As for the WS option, the timestamps are a
property of a connection and there is limited benefit in enabling a
client to request a Transport Converter to use the timestamp option
when establishing a connection to a remote server. Furthermore, the
timestamps that are used by TCP stacks are specific to each stack and
there is no benefit in enabling a client to specify the timestamp
value that a Transport Converter could use to establish a connection
to a remote server.A Transport Converter MAY advertise the Timestamp option (Kind=8)
in the TCP Supported Extensions TLV. The clients connected to this
Transport Converter MAY include the Timestamp option in the Connect
TLV but without any timestamp.The Multipath TCP options are defined in . defines one
variable length TCP option (Kind=30) that includes a sub-type field to
support several Multipath TCP options. There are several operational
use cases where clients would like to use Multipath TCP through a
Transport Converter . However, none of
these use cases require the Client to specify the content of the
Multipath TCP option that the Transport Converter should send to a
remote server.A Transport Converter which supports Multipath TCP conversion
service MUST advertise the Multipath TCP option (Kind=30) in the
Supported TCP Extensions TLV. Clients serviced by this Transport
Converter may include the Multipath TCP option in the Connect TLV but
without any content.The TCP Fast Open cookie option (Kind=34) is defined in . There are two different usages of this
option that need to be supported by Transport Converters. The first
utilization of the TCP Fast Open cookie option is to request a cookie
from the server. In this case, the option is sent with an empty cookie
by the client and the server returns the cookie. The second
utilization of the TCP Fast Open cookie option is to send a cookie to
the server. In this case, the option contains a cookie.A Transport Converter MAY advertise the TCP Fast Open cookie option
(Kind=34) in the Supported TCP Extensions TLV. If a Transport
Converter has advertised the support for TCP Fast Open in its
Supported TCP Extensions TLV, it needs to be able to process two types
of Connect TLV.If such a Transport Converter receives a Connect TLV with the TCP
Fast Open cookie option that does not contain a cookie, it MUST add an
empty TCP Fast Open cookie option in the SYN sent to the remote
server. If the remote server supports TFO, it responds with a SYN-ACK
according to the procedure in Section 4.1.2 of . This SYN-ACK may contain a Fast Open option
with a cookie. Upon receipt of the SYN-ACK by the Converter, it relays
Fast Open option with the cookie to the Client.If such a Transport Converter receives a Connect TLV with the TCP
Fast Open cookie option that contains a cookie, it MUST copy the TCP
Fast Open cookie option in the SYN sent to the remote server.TCP-AO provides a technique to
authenticate all the packets exchanged over a TCP connection. Given
the nature of this extension, it is unlikely that the applications
that require their packets to be authenticated end-to-end would want
their connections to pass through a converter. For this reason, we do
not recommend the support of the TCP-AO option by Transport
Converters. The only use cases where it could make sense to combine
TCP-AO and the solution in this document are those where the
TCP-AO-NAT extension is in use.A Transport Converter MUST NOT advertise the TCP-AO option
(Kind=29) in the Supported TCP Extensions TLV. If a Transport
Converter receives a Connect TLV that contains the TCP-AO option, it
MUST reject the establishment of the connection with error code set to
"Unsupported TCP Option", except if the TCP-AO-NAT option is used.
Nevertheless, given that TCP-AO-NAT is Experimental, its usage is not
currently defined and must be specified by some other document before
it can be used.The Convert Protocol is designed to be used in networks that do not
contain middleboxes that interfere with TCP. Under such conditions, it
is assumed that the network provider ensures that all involved on-path
nodes are not breaking TCP signals (e.g., strip TCP options, discard
some SYNs, etc.).Nevertheless, and in order to allow for a robust service, this
section describes how a Client can detect middlebox interference and
stop using the Transport Converter affected by this interference.Internet measurements have shown that
middleboxes can affect the deployment of TCP extensions. In this
section, we focus the middleboxes that modify the payload since the
Convert Protocol places its messages at the beginning of the
bytestream.Consider a middlebox that removes the SYN payload. The Client can
detect this problem by looking at the acknowledgment number field of the
SYN+ACK if returned by the Transport Converter. The Client MUST stop to
use this Transport Converter given the middlebox interference.Consider now a middlebox that drops SYN/ACKs with a payload. The
Client won't be able to establish a connection via the Transport
Converter. The case of a middlebox that removes the payload of SYN+ACKs
or from the packet that follows the SYN+ACK (but not the payload of SYN)
can be detected by a Client. This is hinted by the absence of a valid
Convert message in the response.As explained in , some CGNs (Carrier
Grade NATs) can affect the operation of TFO if they assign different IP
addresses to the same end host. Such CGNs could affect the operation of
the cookie validation used by the Convert Protocol. As a reminder CGNs,
enabled on the path between a Client and a Transport Converter, must
adhere to the address preservation defined in . See also the discussion in Section 7.1 of
.An implementation MUST check that the Convert TLVs are properly
framed within the boundary indicated by the Total Length in the fixed
header ().Additional security considerations are discussed in the following
sub-sections.The Transport Converter may have access to privacy-related
information (e.g., subscriber credentials). The Transport Converter is
designed to not leak such sensitive information outside a local
domain.Given its function and location in the network, a Transport
Converter is in a position to observe all packets that it processes,
to include payloads and meta-data; and has the ability to profile and
conduct some traffic analysis of user behavior. The Transport
Converter MUST be as protected as a core IP router (e.g., Section 10
of ).Furthermore, ingress filtering policies MUST be enforced at the
network boundaries .This document assumes that all network attachments are managed by
the same administrative entity. Therefore, enforcing anti-spoofing
filters at these network is a guard that hosts are not sending traffic
with spoofed source IP addresses.The Convert Protocol is RECOMMENDED to be used in a managed network
where end hosts can be securely identified by their IP address. If
such control is not exerted and there is a more open network
environment, a strong mutual authentication scheme MUST be defined to
use the Convert Protocol.One possibility for mutual authentication is to use TLS to perform
mutual authentication between the client and the Converter. That is,
use TLS when a Client retrieves a Cookie from the Converter and rely
on certificate-based client authentication, pre-shared key based or raw public key based client authentication
to secure this connection. If the
authentication succeeds, the Converter returns a cookie to the Client.
Subsequent Connect messages will be authorized as a function of the
content of the Cookie TLV. An attacker from within the network between
a Client and a Transport Converter may intercept the Cookie and use it
to be granted access to the conversion service. Such attack is only
possible if the attacker spoofs the IP address of the Client and the
network does not filter packets with source spoofed IP addresses. The operator that manages the various network attachments
(including the Transport Converters) has various options for enforcing
authentication and authorization policies. For example, a
non-exhaustive list of methods to achieve authorization is provided
hereafter:The network provider may enforce a policy based on the
International Mobile Subscriber Identity (IMSI) to verify that a
user is allowed to benefit from the TCP converter service. If that
authorization fails, the Packet Data Protocol (PDP) context/bearer
will not be mounted. This method does not require any interaction
with the Transport Converter for authorization matters.The network provider may enforce a policy based upon Access
Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG)
to control the hosts that are authorized to communicate with a
Transport Converter. These ACLs may be installed as a result of
RADIUS exchanges, e.g., . This method
does not require any interaction with the Transport Converter for
authorization matters.A device that embeds a Transport Converter may also host a
RADIUS client that will solicit an AAA server to check whether
connections received from a given source IP address are authorized
or not .A first safeguard against the misuse of Transport Converter
resources by illegitimate users (e.g., users with access networks that
are not managed by the same provider that operates the Transport
Converter) is the Transport Converter to reject Convert connections
received in the external realm. Only Convert connections received in
the internal realm of a Transport Converter will be accepted.In deployments where network-assisted connections are not allowed
between hosts of a domain (i.e., hairpinning), the Converter may be
instructed to discard such connections. Hairpinned connections are
thus rejected by the Transport Converter by returning an Error TLV set
to "Not Authorized". Absent explicit configuration otherwise,
hairpinning is enabled by the Converter (see .Another possible risk is the amplification attacks since a
Transport Converter sends a SYN towards a remote Server upon reception
of a SYN from a Client. This could lead to amplification attacks if
the SYN sent by the Transport Converter were larger than the SYN
received from the Client or if the Transport Converter retransmits the
SYN. To mitigate such attacks, the Transport Converter SHOULD rate
limit the number of pending requests for a given Client. It SHOULD
also avoid sending to remote Servers SYNs that are significantly
longer than the SYN received from the Client. Finally, the Transport
Converter SHOULD only retransmit a SYN to a Server after having
received a retransmitted SYN from the corresponding Client. Means to
protect against SYN flooding attacks should also be enabled (e.g.,
Section 3 of ).Attacks from within the network between a Client and a Transport
Converter (including attacks that change the protocol version) are yet
another threat. Means to ensure that illegitimate nodes cannot connect
to a network should be implemented.Traffic theft is a risk if an illegitimate Converter is inserted in
the path. Indeed, inserting an illegitimate Converter in the
forwarding path allows traffic interception and can therefore provide
access to sensitive data issued by or destined to a host. Converter
discovery and configuration are out of scope of this document.If the Converter is configured to behave in the address sharing
mode (), the logging recommendations
discussed in Section 4 of need to be
considered. Security-related issues encountered in address sharing
environments are documented in Section 13 of .Note to the RFC Editor: Please replace "THISRFC" in the following
sub-sections with the RFC number to be assigned to this document.IANA is requested to assign a service name for the Convert Protocol
from the "Service Name and Transport Protocol Port Number Registry"
available at
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.Clients may use this service name to fed the procedure defined in
to discover the IP address(es) and the
port number used by the Transport Converters of a domain.IANA is requested to create a new "The TCP Convert Protocol
(Convert) Parameters" registry.The following subsections detail new registries within "The Convert
Protocol (Convert) Parameters" registry.The Designated Expert is expected to ascertain the existence of
suitable documentation as described in Section 4.6 of and to verify that the document is
permanently and publicly available. The Designated Expert is also
expected to check the clarity of purpose and use of the requested code
points.Also, criteria that should be applied by the Designated Experts
includes determining whether the proposed registration duplicates
existing functionality, whether it is likely to be of general
applicability or whether it is useful only for a private use, and
whether the registration description is clear. IANA must only accept
registry updates to the 128-191 range (for both "Convert TLVs" and
"Convert Error Messages" sub-registries) from the Designated Experts
and should direct all requests for registration to the review mailing
list. It is suggested that multiple Designated Experts be appointed.
In cases where a registration decision could be perceived as creating
a conflict of interest for a particular Expert, that Expert should
defer to the judgment of the other Experts.IANA is requested to create the "Convert versions" sub-registry.
New values are assigned via IETF Review (Section 4.8 of ).The initial values to be assigned at the creation of the registry
are as follows:IANA is requested to create the "Convert TLVs" sub-registry. The
procedure for assigning values from this registry is as follows:The values in the range 1-127 can be assigned via IETF
Review.The values in the range 128-191 can be assigned via
Specification Required.The values in the range 192-255 are reserved for Private
Use.The initial values to be assigned at the creation of the registry
are as follows:IANA is requested to create the "Convert Errors" sub-registry.
Codes in this registry are assigned as a function of the error type.
Four types are defined; the following ranges are reserved for each
of these types:Message validation and processing errors: 0-31Client-side errors: 32-63Transport Converter-side errors: 64-95Errors caused by destination server: 96-127The procedure for assigning values from this sub-registry is as
follows:0-127: Values in this range are assigned via IETF Review.128-191: Values in this range are assigned via Specification
Required.192-255: Values in this range are reserved for Private
Use.The initial values to be assigned at the creation of the registry
are as follows:Transmission Control ProtocolIP Version 6 Addressing ArchitectureThis specification defines the addressing architecture of the
IP Version 6 (IPv6) protocol. The document includes the IPv6
addressing model, text representations of IPv6 addresses,
definition of IPv6 unicast addresses, anycast addresses, and
multicast addresses, and an IPv6 node's required addresses.This document obsoletes RFC 3513, "IP Version 6 Addressing
Architecture". [STANDARDS-TRACK]TCP Extensions for Multipath Operation with Multiple
AddressesTCP/IP communication is currently restricted to a single path
per connection, yet multiple paths often exist between peers. The
simultaneous use of these multiple paths for a TCP/IP session
would improve resource usage within the network and, thus, improve
user experience through higher throughput and improved resilience
to network failure.Multipath TCP provides the ability to simultaneously use
multiple paths between peers. This document presents a set of
extensions to traditional TCP to support multipath operation. The
protocol offers the same type of service to applications as TCP
(i.e., reliable bytestream), and it provides the components
necessary to establish and use multiple TCP flows across
potentially disjoint paths. This document defines an Experimental
Protocol for the Internet community.TCP Fast OpenThis document describes an experimental TCP mechanism called
TCP Fast Open (TFO). TFO allows data to be carried in the SYN and
SYN-ACK packets and consumed by the receiving end during the
initial connection handshake, and saves up to one full round-trip
time (RTT) compared to the standard TCP, which requires a
three-way handshake (3WHS) to complete before data can be
exchanged. However, TFO deviates from the standard TCP semantics,
since the data in the SYN could be replayed to an application in
some rare circumstances. Applications should not use TFO unless
they can tolerate this issue, as detailed in the Applicability
section.TCP SYN Flooding Attacks and Common MitigationsThis document describes TCP SYN flooding attacks, which have
been well-known to the community for several years. Various
countermeasures against these attacks, and the trade-offs of each,
are described. This document archives explanations of the attack
and common defense techniques for the benefit of TCP implementers
and administrators of TCP servers or networks, but does not make
any standards-level recommendations. This memo provides
information for the Internet community.Key words for use in RFCs to Indicate Requirement
LevelsIn many standards track documents several words are used to
signify the requirements in the specification. These words are
often capitalized. This document defines these words as they
should be interpreted in IETF documents. This document specifies
an Internet Best Current Practices for the Internet Community, and
requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key
WordsRFC 2119 specifies common key words that may be used in
protocol specifications. This document aims to reduce the
ambiguity by clarifying that only UPPERCASE usage of the key words
have the defined special meanings.The TCP Authentication OptionThis document specifies the TCP Authentication Option (TCP-AO),
which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP
MD5). TCP-AO specifies the use of stronger Message Authentication
Codes (MACs), protects against replays even for long-lived TCP
connections, and provides more details on the association of
security with TCP connections than TCP MD5. TCP-AO is compatible
with either a static Master Key Tuple (MKT) configuration or an
external, out-of-band MKT management mechanism; in either case,
TCP-AO also protects connections when using the same MKT across
repeated instances of a connection, using traffic keys derived
from the MKT, and coordinates MKT changes between endpoints. The
result is intended to support current infrastructure uses of TCP
MD5, such as to protect long-lived connections (as used, e.g., in
BGP and LDP), and to support a larger set of MACs with minimal
other system and operational changes. TCP-AO uses a different
option identifier than TCP MD5, even though TCP-AO and TCP MD5 are
never permitted to be used simultaneously. TCP-AO supports IPv6,
and is fully compatible with the proposed requirements for the
replacement of TCP MD5. [STANDARDS-TRACK]Guidelines for Writing an IANA Considerations Section in
RFCsMany protocols make use of points of extensibility that use
constants to identify various protocol parameters. To ensure that
the values in these fields do not have conflicting uses and to
promote interoperability, their allocations are often coordinated
by a central record keeper. For IETF protocols, that role is
filled by the Internet Assigned Numbers Authority (IANA).To make assignments in a given registry prudently, guidance
describing the conditions under which new values should be
assigned, as well as when and how modifications to existing values
can be made, is needed. This document defines a framework for the
documentation of these guidelines by specification authors, in
order to assure that the provided guidance for the IANA
Considerations is clear and addresses the various issues that are
likely in the operation of a registry.This is the third edition of this document; it obsoletes RFC
5226.Special-Purpose IP Address RegistriesThis memo reiterates the assignment of an IPv4 address block
(192.0.0.0/24) to IANA. It also instructs IANA to restructure its
IPv4 and IPv6 Special-Purpose Address Registries. Upon
restructuring, the aforementioned registries will record all
special-purpose address blocks, maintaining a common set of
information regarding each address block.Common Requirements for Carrier-Grade NATs (CGNs)This document defines common requirements for Carrier-Grade
NATs (CGNs). It updates RFC 4787.Network Address Translation (NAT) Behavioral Requirements for
Unicast UDPThis document defines basic terminology for describing
different types of Network Address Translation (NAT) behavior when
handling Unicast UDP and also defines a set of requirements that
would allow many applications, such as multimedia communications
or online gaming, to work consistently. Developing NATs that meet
this set of requirements will greatly increase the likelihood that
these applications will function properly. This document specifies
an Internet Best Current Practices for the Internet Community, and
requests discussion and suggestions for improvements.TCP Extensions for High PerformanceThis document specifies a set of TCP extensions to improve
performance over paths with a large bandwidth * delay product and
to provide reliable operation over very high-speed paths. It
defines the TCP Window Scale (WS) option and the TCP Timestamps
(TS) option and their semantics. The Window Scale option is used
to support larger receive windows, while the Timestamps option can
be used for at least two distinct mechanisms, Protection Against
Wrapped Sequences (PAWS) and Round-Trip Time Measurement (RTTM),
that are also described herein.This document obsoletes RFC 1323 and describes changes from
it.TCP Selective Acknowledgment OptionsThis memo proposes an implementation of SACK and discusses its
performance and related issues. [STANDARDS-TRACK]Network Ingress Filtering: Defeating Denial of Service
Attacks which employ IP Source Address SpoofingThis paper discusses a simple, effective, and straightforward
method for using ingress traffic filtering to prohibit DoS (Denial
of Service) attacks which use forged IP addresses to be propagated
from 'behind' an Internet Service Provider's (ISP) aggregation
point. This document specifies an Internet Best Current Practices
for the Internet Community, and requests discussion and
suggestions for improvements.A TCP Authentication Option Extension for NAT
TraversalThis document describes an extension to the TCP Authentication
Option (TCP-AO) to support its use over connections that pass
through Network Address Translators and/or Network Address and
Port Translators (NATs/NAPTs). This extension changes the data
used to compute traffic keys, but it does not alter TCP-AO's
packet processing or key generation algorithms.A DNS RR for specifying the location of services (DNS
SRV)This document describes a DNS RR which specifies the location
of the server(s) for a specific protocol and domain.
[STANDARDS-TRACK]Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)This document specifies three sets of new ciphersuites for the
Transport Layer Security (TLS) protocol to support authentication
based on pre-shared keys (PSKs). These pre-shared keys are
symmetric keys, shared in advance among the communicating parties.
The first set of ciphersuites uses only symmetric key operations
for authentication. The second set uses a Diffie-Hellman exchange
authenticated with a pre-shared key, and the third set combines
public key authentication of the server with pre-shared key
authentication of the client. [STANDARDS-TRACK]Using Raw Public Keys in Transport Layer Security (TLS) and
Datagram Transport Layer Security (DTLS)This document specifies a new certificate type and two TLS
extensions for exchanging raw public keys in Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS). The
new certificate type allows raw public keys to be used for
authentication.Requirements for IP Version 4 RoutersThis memo defines and discusses requirements for devices that
perform the network layer forwarding function of the Internet
protocol suite. [STANDARDS-TRACK]Classical versus Transparent IP ProxiesThis document explains "classical" and "transparent" proxy
techniques and attempts to provide rules to help determine when
each proxy system may be used without causing problems. This memo
provides information for the Internet community. This memo does
not specify an Internet standard of any kind.SOCKS Protocol Version 5This memo describes a protocol that is an evolution of the
previous version of the protocol, version 4 [1]. This new protocol
stems from active discussions and prototype implementations.
[STANDARDS-TRACK]Performance Enhancing Proxies Intended to Mitigate
Link-Related DegradationsThis document is a survey of Performance Enhancing Proxies
(PEPs) often employed to improve degraded TCP performance caused
by characteristics of specific link environments, for example, in
satellite, wireless WAN, and wireless LAN environments. This memo
provides information for the Internet community.A Roadmap for Transmission Control Protocol (TCP)
Specification DocumentsThis document contains a roadmap to the Request for Comments
(RFC) documents relating to the Internet's Transmission Control
Protocol (TCP). This roadmap provides a brief summary of the
documents defining TCP and various TCP extensions that have
accumulated in the RFC series. This serves as a guide and quick
reference for both TCP implementers and other parties who desire
information contained in the TCP-related RFCs.This document obsoletes RFC 4614.Port Control Protocol (PCP)The Port Control Protocol allows an IPv6 or IPv4 host to
control how incoming IPv6 or IPv4 packets are translated and
forwarded by a Network Address Translator (NAT) or simple
firewall, and also allows a host to optimize its outgoing NAT
keepalive messages.Increasing TCP's Initial WindowThis document proposes an experiment to increase the permitted
TCP initial window (IW) from between 2 and 4 segments, as
specified in RFC 3390, to 10 segments with a fallback to the
existing recommendation when performance issues are detected. It
discusses the motivation behind the increase, the advantages and
disadvantages of the higher initial window, and presents results
from several large-scale experiments showing that the higher
initial window improves the overall performance of many web
services without resulting in a congestion collapse. The document
closes with a discussion of usage and deployment for further
experimental purposes recommended by the IETF TCP Maintenance and
Minor Extensions (TCPM) working group.Use Cases and Operational Experience with Multipath
TCPThis document discusses both use cases and operational
experience with Multipath TCP (MPTCP) in real networks. It lists
several prominent use cases where Multipath TCP has been
considered and is being used. It also gives insight to some
heuristics and decisions that have helped to realize these use
cases and suggests possible improvements.Happy Eyeballs Version 2: Better Connectivity Using
ConcurrencyMany communication protocols operating over the modern Internet
use hostnames. These often resolve to multiple IP addresses, each
of which may have different performance and connectivity
characteristics. Since specific addresses or address families
(IPv4 or IPv6) may be blocked, broken, or sub-optimal on a
network, clients that attempt multiple connections in parallel
have a chance of establishing a connection more quickly. This
document specifies requirements for algorithms that reduce this
user-visible delay and provides an example algorithm, referred to
as "Happy Eyeballs". This document obsoletes the original
algorithm description in RFC 6555.The Transport Layer Security (TLS) Protocol Version
1.3This document specifies version 1.3 of the Transport Layer
Security (TLS) protocol. TLS allows client/server applications to
communicate over the Internet in a way that is designed to prevent
eavesdropping, tampering, and message forgery.This document updates RFCs 5705 and 6066, and obsoletes RFCs
5077, 5246, and 6961. This document also specifies new
requirements for TLS 1.2 implementations.Issues with IP Address SharingThe completion of IPv4 address allocations from IANA and the
Regional Internet Registries (RIRs) is causing service providers
around the world to question how they will continue providing IPv4
connectivity service to their subscribers when there are no longer
sufficient IPv4 addresses to allocate them one per subscriber.
Several possible solutions to this problem are now emerging based
around the idea of shared IPv4 addressing. These solutions give
rise to a number of issues, and this memo identifies those common
to all such address sharing approaches. Such issues include
application failures, additional service monitoring complexity,
new security vulnerabilities, and so on. Solution-specific
discussions are out of scope.Deploying IPv6 is the only perennial way to ease pressure on
the public IPv4 address pool without the need for address sharing
mechanisms that give rise to the issues identified herein. This
document is not an Internet Standards Track specification; it is
published for informational purposes.IPv6-to-IPv6 Network Prefix TranslationThis document describes a stateless, transport-agnostic
IPv6-to-IPv6 Network Prefix Translation (NPTv6) function that
provides the address-independence benefit associated with
IPv4-to-IPv4 NAT (NAPT44) and provides a 1:1 relationship between
addresses in the "inside" and "outside" prefixes, preserving
end-to-end reachability at the network layer. This document
defines an Experimental Protocol for the Internet community.DHCP Options for 0-RTT TCP ConvertersBecause of the lack of important TCP extensions, e.g.,
Multipath TCP support at the server side, some service providers
now consider a network-assisted model that relies upon the
activation of a dedicated function called Transport Converters.
For example, network-assisted Multipath TCP deployment models are
designed to facilitate the adoption of Multipath TCP for the
establishment of multi-path communications without making any
assumption about the support of Multipath TCP by the remote
servers. Transport Converters located in the network are
responsible for establishing multi-path communications on behalf
of endpoints, thereby taking advantage of Multipath TCP
capabilities to achieve different goals that include (but are not
limited to) optimization of resource usage (e.g., bandwidth
aggregation), of resiliency (e.g., primary/backup communication
paths), and traffic offload management. This document focuses on
the explicit deployment scheme where the identity of the Transport
Converters is explicitly configured on connected hosts. This
document specifies DHCP (IPv4 and IPv6) options to configure hosts
with Converters parameters.Cryptographic Protection of TCP Streams (tcpcrypt)This document specifies "tcpcrypt", a TCP encryption protocol
designed for use in conjunction with the TCP Encryption
Negotiation Option (TCP-ENO). Tcpcrypt coexists with middleboxes
by tolerating resegmentation, NATs, and other manipulations of the
TCP header. The protocol is self-contained and specifically
tailored to TCP implementations, which often reside in kernels or
other environments in which large external software dependencies
can be undesirable. Because the size of TCP options is limited,
the protocol requires one additional one-way message latency to
perform key exchange before application data can be transmitted.
However, the extra latency can be avoided between two hosts that
have recently established a previous tcpcrypt connection.SOCKS Protocol Version 6The SOCKS protocol is used primarily to proxy TCP connections
to arbitrary destinations via the use of a proxy server. Under the
latest version of the protocol (version 5), it takes 2 RTTs (or 3,
if authentication is used) before data can flow between the client
and the server. This memo proposes SOCKS version 6, which reduces
the number of RTTs used, takes full advantage of TCP Fast Open,
and adds support for 0-RTT authentication.Extensions for Network-Assisted MPTCP Deployment
ModelsBecause of the lack of Multipath TCP (MPTCP) support at the
server side, some service providers now consider a
network-assisted model that relies upon the activation of a
dedicated function called MPTCP Conversion Point (MCP).
Network-Assisted MPTCP deployment models are designed to
facilitate the adoption of MPTCP for the establishment of
multi-path communications without making any assumption about the
support of MPTCP by the communicating peers. MCPs located in the
network are responsible for establishing multi-path communications
on behalf of endpoints, thereby taking advantage of MPTCP
capabilities to achieve different goals that include (but are not
limited to) optimization of resource usage (e.g., bandwidth
aggregation), of resiliency (e.g., primary/backup communication
paths), and traffic offload management. This document specifies
extensions for Network-Assisted MPTCP deployment models.Link bonding with transparent Multipath TCPThis document describes the utilisation of the transparent
Multipath TCP mode to enable network operators to provide link
bonding services in hybrid access networks.Low Latency Applications and the Internet
ArchitectureSome recent Internet technology developments relate to
improvements in communications latency. For instance, improvements
in radio communications or the recent work in IETF transport,
security, and web protocols. There are also potential applications
where latency would play a more significant role than it has
traditionally been in the Internet communications. Modern
networking systems offer many tools for building low-latency
networks, from highly optimised individual protocol components to
software controlled, virtualised and tailored network functions.
This memo views the developments from a system viewpoint, and
considers the potential future stresses that the strive for
low-latency support for applications may bring.RADIUS Extensions for 0-RTT TCP ConvertersBecause of the lack of Multipath TCP (MPTCP) support at the
server side, some service providers now consider a
network-assisted model that relies upon the activation of a
dedicated function called Converters. Network-assisted MPTCP
deployment models are designed to facilitate the adoption of MPTCP
for the establishment of multi-path communications without making
any assumption about the support of MPTCP by the communicating
peers. Converters located in the network are responsible for
establishing multi-path communications on behalf of endpoints,
thereby taking advantage of MPTCP capabilities to achieve
different goals that include (but are not limited to) optimization
of resource usage (e.g., bandwidth aggregation), of resiliency
(e.g., primary/backup communication paths), and traffic offload
management. This document specifies a new Remote Authentication
Dial-In User Service (RADIUS) attributes that carry the IP
addresses that will be returned to authorized users to reach one
or multiple Converters.Technical Specification Group Services and System Aspects;
System Architecture for the 5G System; Stage 2 (Release 16)An Analysis of Longitudinal TCP Passive Measurements (Short
Paper)Tracking transport-layer evolution with PATHspiderIs it still possible to extend TCP?Multipath TCP DeploymentMultipath in the Middle(Box)On the client side, the support of the 0-RTT Converter protocol
does not require any other changes than those identified in Appendix A
of . Those modifications are already
supported by multiple TCP stacks.As an example, on Linux, a client can send the 0-RTT Convert
message inside a SYN by using sendto with the MSG_FASTOPEN flag as
shown in the example below:The client side of the Linux TCP TFO can be used in two different
modes depending on the host configuration (sysctl tcp_fastopen
variable):0x1: (client) enables sending data in the opening SYN on the
client.0x4: (client) send data in the opening SYN regardless of cookie
availability and without a cookie option.By setting this configuration variable to 0x5, a Linux client using
the above code would send data inside the SYN without using a TFO
option.The Converter needs to enable the reception of data inside the SYN
independently of the utilization of the TFO option. This implies that
the Transport Converter application cannot rely on the TFO cookies to
validate the reachability of the IP address that sent the SYN. It must
rely on other techniques, such as the Cookie TLV described in this
document, to verify this reachability. suggested the utilization of a
TCP_FASTOPEN socket option the enable the reception of SYNs containing
data. Later, Appendix A of ,
mentioned:To support the 0-RTT Convert Protocol, this behavior should be
modified as follows:The Linux server side can be configured with the following
sysctls:0x2: (server) enables the server support, i.e., allowing data
in a SYN packet to be accepted and passed to the application
before 3-way handshake finishes.0x200: (server) accept data-in-SYN w/o any cookie option
present.However, this configuration is system-wide. This is convenient for
typical Transport Converter deployments where no other applications
relying on TFO are collocated on the same device.Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added
to provide the same behavior on a per socket basis. This enables a
single host to support both servers that require the TFO cookie and
servers that do not use it.Although they could disagree with the contents of the document, we
would like to thank Joe Touch and Juliusz Chroboczek whose comments on
the MPTCP mailing list have forced us to reconsider the design of the
solution several times.We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha
Nandugudi and Gregory Vander Schueren for their help in preparing this
document. Nandini Ganesh provided valuable feedback about the handling
of TFO and the error codes. Yuchung Cheng and Praveen Balasubramanian
helped to clarify the discussion on supplying data in SYNs. Phil Eardley
and Michael Scharf's helped to clarify different parts of the text.
Thanks to Eric Vyncke, Roman Danyliw, Benjamin Kaduk, and Alexey
Melnikov for the IESG review, and Christian Huitema for the security
directorate review.Many thanks to Mirja Kuehlewind for the detailed AD review.This document builds upon earlier documents that proposed various
forms of Multipath TCP proxies , and .From :Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi
Nishida, and Christoph Paasch for their valuable comments.Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and
Sri Gundavelli for the fruitful discussions in IETF#95 (Buenos
Aires).Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and
Xavier Grall for their inputs.Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas
Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves
Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun
Srinivasan, and Raghavendra Mallya for the discussion.Bart Peirens contributed to an early version of the document.As noted above, this document builds on two previous documents.The authors of
were:Mohamed BoucadairChristian JacquenetOlivier BonaventureDenis BehaghelStefano SecciWim HenderickxRobert SkogSuresh VinapamulaSungHoon SeoWouter CloetensUllrich MeyerLuis M. ContrerasBart PeirensThe authors of
were:Bart PeirensGregory DetalSebastien BarreOlivier Bonaventure