This document specifies an application proxy, called Transport Converter, to assist the deployment of TCP extensions such as Multipath TCP. A Transport Converter may provide conversion service for one or more TCP extensions. The conversion service is provided by means of the 0-RTT TCP Convert Protocol (Convert).
This protocol provides 0-RTT (Zero Round-Trip Time) conversion service since no extra delay is induced by the protocol compared to connections that are not proxied. Also, the Convert Protocol does not require any encapsulation (no tunnels whatsoever).
This specification assumes an explicit model, where the Transport Converter is explicitly configured on hosts. As a sample applicability use case, this document specifies how the Convert Protocol applies for Multipath TCP.
This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.
This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8803.
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Transport protocols like TCP evolve regularly [RFC 7414]. TCP has been improved in different ways. Some improvements such as changing the initial window size [RFC 6928] or modifying the congestion control scheme can be applied independently on Clients and Servers. Other improvements such as Selective Acknowledgments [RFC 2018] or large windows [RFC 7323] require a new TCP option or changing the semantics of some fields in the TCP header. These modifications must be deployed on both Clients and Servers to be actually used on the Internet. Experience with the latter class of TCP extensions reveals that their deployment can require many years. Fukuda reports in [Fukuda2011] results of a decade of measurements showing the deployment of Selective Acknowledgments, Window Scale, and TCP Timestamps. [ANRW17] describes measurements showing that TCP Fast Open (TFO) [RFC 7413] is still not widely deployed.
There are some situations where the transport stack used on Clients (or Servers) can be upgraded at a faster pace than the transport stack running on Servers (or Clients). In those situations, Clients (or Servers) would typically want to benefit from the features of an improved transport protocol even if the Servers (or Clients) have not yet been upgraded. Some assistance from the network to make use of these features is valuable. For example, Performance Enhancing Proxies [RFC 3135] and other service functions have been deployed as solutions to improve TCP performance over links with specific characteristics.
Recent examples of TCP extensions include Multipath TCP (MPTCP) [RFC 8684] or tcpcrypt [RFC 8548]. Those extensions provide features that are interesting for Clients such as wireless devices. With Multipath TCP, those devices could seamlessly use Wireless Local Area Network (WLAN) and cellular networks for bonding purposes, faster hand-overs, or better resiliency. Unfortunately, deploying those extensions on both a wide range of Clients and Servers remains difficult.
More recently, 5G bonding experimentation has been conducted into global range of the incumbent 4G (LTE) connectivity using newly devised Clients and a Multipath TCP proxy. Even if the 5G and 4G bonding (that relies upon Multipath TCP) increases the bandwidth, it is also crucial to minimize latency entirely between end hosts regardless of whether intermediate nodes are inside or outside of the mobile core. In order to handle Ultra-Reliable Low Latency Communication (URLLC) for the next-generation mobile network, Multipath TCP and its proxy mechanism such as the one used to provide Access Traffic Steering, Switching, and Splitting (ATSSS) must be optimized to reduce latency [TS23501].
This document specifies an application proxy called Transport Converter. A Transport Converter is a function that is installed by a network operator to aid the deployment of TCP extensions and to provide the benefits of such extensions to Clients in particular. A Transport Converter may provide conversion service for one or more TCP extensions. Which TCP extensions are eligible for the conversion service is deployment specific. The conversion service is provided by means of the 0-RTT TCP Convert Protocol (Convert), which is an application-layer protocol that uses a specific TCP port number on the Converter.
The Convert Protocol provides Zero Round-Trip Time (0-RTT) conversion service since no extra delay is induced by the protocol compared to connections that are not proxied. Particularly, the Convert Protocol does not require extra signaling setup delays before making use of the conversion service. The Convert Protocol does not require any encapsulation (no tunnels, whatsoever).
The Transport Converter adheres to the main steps drawn in Section 3 of RFC 1919. In particular, a Transport Converter achieves the following:
Listening for Client sessions;
Receiving the address of the Server from the Client;
Setting up a session to the Server;
Relaying control messages and data between the Client and the Server;
Performing access controls according to local policies.
The main advantage of network-assisted conversion services is that they enable new TCP extensions to be used on a subset of the path between endpoints, which encourages the deployment of these extensions. Furthermore, the Transport Converter allows the Client and the Server to directly negotiate TCP extensions for the sake of native support along the full path.
The Convert Protocol is a generic mechanism to provide 0-RTT conversion service. As a sample applicability use case, this document specifies how the Convert Protocol applies for Multipath TCP. It is out of scope of this document to provide a comprehensive list of all potential conversion services. Applicability documents may be defined in the future.
This document does not assume that all the traffic is eligible for the network-assisted conversion service. Only a subset of the traffic will be forwarded to a Transport Converter according to a set of policies. These policies, and how they are communicated to endpoints, are out of scope. Furthermore, it is possible to bypass the Transport Converter to connect directly to the Servers that already support the required TCP extension(s).
This document assumes an explicit model in which a Client is configured with one or a list of Transport Converters (statically or through protocols such as [DHC-CONVERTER]). Configuration means are outside the scope of this document.
The use of a Transport Converter means that there is no end-to-end transport connection between the Client and Server. This could potentially create problems in some scenarios such as those discussed in Section 4 of RFC 3135. Some of these problems may not be applicable. For example, a Transport Converter can inform a Client by means of Network Failure (65) or Destination Unreachable (97) error messages (Section 6.2.8) that it encounters a failure problem; the Client can react accordingly. An endpoint, or its network administrator, can assess the benefit provided by the Transport Converter service versus the risk. This is one reason why the Transport Converter functionality has to be explicitly requested by an endpoint.
This document is organized as follows:
Section 3 provides a brief overview of the differences between the well-known SOCKS protocol and the 0-RTT TCP Convert Protocol.
Section 4 provides a brief explanation of the operation of Transport Converters.
Section 5 includes a set of sample examples to illustrate the overall behavior.
The 0-RTT TCP Convert Protocol specified in this document MUST be used in a single administrative domain deployment model. That is, the entity offering the connectivity service to a Client is also the entity that owns and operates the Transport Converter, with no transit over a third-party network.
Future deployment of Transport Converters by third parties MUST adhere to the mutual authentication requirements in Section 9.2 to prevent illegitimate traffic interception (Section 9.4) in particular.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC 2119] [RFC 8174] when, and only when, they appear in all capitals, as shown here.
Several IETF protocols provide proxy services, the closest to the 0-RTT TCP Convert Protocol being the SOCKSv5 protocol [RFC 1928]. This protocol is already used to deploy Multipath TCP in some cellular networks (Section 2.2 of RFC 8041).
A SOCKS Client creates a connection to a SOCKS Proxy, exchanges authentication information, and indicates the IP address and port number of the target Server. At this point, the SOCKS Proxy creates a connection towards the target Server and relays all data between the two proxied connections. The operation of an implementation based on SOCKSv5 (without authentication) is illustrated in Figure 1.
When SOCKS is used, an "end-to-end" connection between a Client and a Server becomes a sequence of two TCP connections that are glued together on the SOCKS Proxy. The SOCKS Client and Server exchange control information at the beginning of the bytestream on the Client-Proxy connection. The SOCKS Proxy then creates the connection with the target Server and then glues the two connections together so that all bytes sent by the application (Client) to the SOCKS Proxy are relayed to the Server and vice versa.
The Convert Protocol is also used on TCP proxies that relay data between an upstream and a downstream connection, but there are important differences with SOCKSv5. A first difference is that the 0-RTT TCP Convert Protocol exchanges all the control information during the initial RTT. This reduces the connection establishment delay compared to SOCKS, which requires two or more round-trip times before the establishment of the downstream connection towards the final destination. In today's Internet, latency is an important metric, and various protocols have been tuned to reduce their latency [LOW-LATENCY]. A recently proposed extension to SOCKS leverages the TCP Fast Open (TFO) option [INTAREA-SOCKS] to reduce this delay.
A second difference is that the Convert Protocol explicitly takes the TCP extensions into account. By using the Convert Protocol, the Client can learn whether a given TCP extension is supported by the destination Server. This enables the Client to bypass the Transport Converter when the Server supports the required TCP extension(s). Neither SOCKSv5 [RFC 1928] nor the proposed SOCKSv6 [INTAREA-SOCKS] provide such a feature.
A third difference is that a Transport Converter will only confirm the establishment of the connection initiated by the Client provided that the downstream connection has already been accepted by the Server. If the Server refuses the connection establishment attempt from the Transport Converter, then the upstream connection from the Client is rejected as well. This feature is important for applications that check the availability of a Server or use the time to connect as a hint on the selection of a Server [RFC 8305].
A fourth difference is that the 0-RTT TCP Convert Protocol only allows the Client to specify the IP address/port number of the destination Server and not a DNS name. We evaluated an alternate design that included the DNS name of the remote peer instead of its IP address as in SOCKS [RFC 1928]. However, that design was not adopted because it induces both an extra load and increased delays on the Transport Converter to handle and manage DNS resolution requests. Note that the name resolution at the Converter may fail (e.g., private names discussed in Section 2.1 of RFC 6731) or may not match the one that would be returned by a Client's resolution library (e.g., Section 2.2 of RFC 6731).
The Convert Protocol considers three functional elements:
A Transport Converter is a network function that proxies all data exchanged over one upstream connection to one downstream connection and vice versa (Figure 2). Thus, the Transport Converter maintains state that associates one upstream connection to a corresponding downstream connection.
A connection can be initiated from both sides of the Transport Converter (External realm, Internal realm).
"Client" refers to a software instance embedded on a host that can reach a Transport Converter in the internal realm. The "Client" can initiate connections via a Transport Converter (referred to as outgoing connections). Also, the "Client" can accept incoming connections via a Transport Converter (referred to as incoming connections).
A Transport Converter can be embedded in a standalone device or be activated as a service on a router. How such a function is enabled is deployment specific.
The architecture assumes that new software will be installed on the Client hosts to interact with one or more Transport Converters. Furthermore, the architecture allows for making use of new TCP extensions even if those are not supported by a given Server.
A Client is configured, through means that are outside the scope of this document, with the names and/or addresses of one or more Transport Converters and the TCP extensions that they support. The procedure for selecting a Transport Converter among a list of configured Transport Converters is outside the scope of this document.
One of the benefits of this design is that different transport protocol extensions can be used on the upstream and the downstream connections. This encourages the deployment of new TCP extensions until they are widely supported, in particular, by Servers.
The architecture does not mandate anything on the Server side.
Similar to SOCKS, the architecture does not interfere with end-to-end TLS connections [RFC 8446] between the Client and the Server (Figure 3). In other words, end-to-end TLS is supported in the presence of a Converter.
Client Transport Server
| Converter |
| | |
| End-to-end TLS |
* TLS messages exchanged between the Client
and the Server are not shown.
It is out of scope of this document to elaborate on specific considerations related to the use of TLS in the Client-Converter connection leg to exchange Convert messages (in addition to the end-to-end TLS connection). In particular, (1) assessment of whether 0-RTT data mode discussed in Section 2.3 of RFC 8446 is safe under replay and (2) specification of a profile for its use (Appendix E.5 of RFC 8446) are out of scope.
At a high level, the objective of the Transport Converter is to allow the use a specific extension, e.g., Multipath TCP, on a subset of the path even if the peer does not support this extension. This is illustrated in Figure 4 where the Client initiates a Multipath TCP connection with the Transport Converter (packets belonging to the Multipath TCP connection are shown with "===") while the Transport Converter uses a TCP connection with the Server.
The packets belonging to a connection established through a Transport Converter may follow a different path than the packets directly exchanged between the Client and the Server. Deployments should minimize the possible additional delay by carefully selecting the location of the Transport Converter used to reach a given destination.
When establishing a connection, the Client can, depending on local policies, either contact the Server directly (e.g., by sending a TCP SYN towards the Server) or create the connection via a Transport Converter. In the latter case (that is, the conversion service is used), the Client initiates a connection towards the Transport Converter and indicates the IP address and port number of the Server within the connection establishment packet. Doing so enables the Transport Converter to immediately initiate a connection towards that Server without experiencing an extra delay. The Transport Converter waits until the receipt of the confirmation that the Server agrees to establish the connection before confirming it to the Client.
The Client places the destination address and port number of the Server in the payload of the SYN sent to the Transport Converter to minimize connection establishment delays. The Transport Converter maintains two connections that are combined together:
The upstream connection is the one between the Client and the Transport Converter.
The downstream connection is the one between the Transport Converter and the Server.
Any user data received by the Transport Converter over the upstream (or downstream) connection is proxied over the downstream (or upstream) connection.
Figure 5 illustrates the establishment of an outgoing TCP connection by a Client through a Transport Converter.
Client Converter Server
| | |
|SYN [->Server:port]| SYN |
| SYN+ACK [ ] | SYN+ACK |
| ... | ... |
The Client sends a SYN destined to the Transport Converter. The payload of this SYN contains the address and port number of the Server. The Transport Converter does not reply immediately to this SYN. It first tries to create a TCP connection towards the target Server. If this upstream connection succeeds, the Transport Converter confirms the establishment of the connection to the Client by returning a SYN+ACK and the first bytes of the bytestream contain information about the TCP options that were negotiated with the Server. Also, a state entry is instantiated for this connection. This state entry is used by the Converter to handle subsequent messages belonging to the connection.
The connection can also be established from the Internet towards a Client via a Transport Converter (Figure 6). This is typically the case when the Client hosts an application Server that listens to a specific port number. When the Converter receives an incoming SYN from a remote host, it checks if it can provide the conversion service for the destination IP address and destination port number of that SYN. The Transport Converter receives this SYN because it is, for example, on the path between the remote host and the Client or it provides address-sharing service for the Client (Section 2 of RFC 6269). If the check fails, the packet is silently ignored by the Converter. If the check is successful, the Converter tries to initiate a TCP connection towards the Client from its own address and using its configured TCP options. In the SYN that corresponds to this connection attempt, the Transport Convert inserts a TLV message that indicates the source address and port number of the remote host. A transport session entry is created by the Converter for this connection. SYN+ACK and ACK will then be exchanged between the Client, the Converter, and remote host to confirm the establishment of the connection. The Converter uses the transport session entry to proxy packets belonging to the connection.
Standard TCP (Section 3.4 of RFC 0793) allows a SYN packet to carry data inside its payload but forbids the receiver from delivering it to the application until completion of the three-way-handshake. To enable applications to exchange data in a TCP handshake, this specification follows an approach similar to TCP Fast Open [RFC 7413] and thus, removes the constraint by allowing data in SYN packets to be delivered to the Transport Converter application.
As discussed in [RFC 7413], such change to TCP semantics raises two issues. First, duplicate SYNs can cause problems for applications that rely on TCP; whether or not a given application is affected depends on the details of that application protocol. Second, TCP suffers from SYN flooding attacks [RFC 4987]. TFO solves these two problems for applications that can tolerate replays by using the TCP Fast Open option that includes a cookie. However, the utilization of this option consumes space in the limited TCP header. Furthermore, there are situations, as noted in Section 7.3 of RFC 7413, where it is possible to accept the payload of SYN packets without creating additional security risks such as a network where addresses cannot be spoofed and the Transport Converter only serves a set of hosts that are identified by these addresses.
For these reasons, this specification does not mandate the use of the TCP Fast Open option when the Client sends a connection establishment packet towards a Transport Converter. The Convert Protocol includes an optional Cookie TLV that provides similar protection as the TCP Fast Open option without consuming space in the TCP header. Furthermore, this design allows for the use of longer cookies than [RFC 7413].
If the downstream (or upstream) connection fails for some reason (excessive retransmissions, reception of an RST segment, etc.), then the Converter reacts by forcing the teardown of the upstream (or downstream) connection. In particular, if an ICMP error message that indicates a hard error is received on the downstream connection, the Converter echoes the Code field of that ICMP message in a Destination Unreachable Error TLV (see Section 6.2.8) that it transmits to the Client. Note that if an ICMP error message that indicates a soft error is received on the downstream connection, the Converter will retransmit the corresponding data until it is acknowledged or the connection times out. A classification of ICMP soft and hard errors is provided in Table 1 of [RFC 5461].
The same reasoning applies when the upstream connection ends with an exchange of FIN segments. In this case, the Converter will also terminate the downstream connection by using FIN segments. If the downstream connection terminates with the exchange of FIN segments, the Converter should initiate a graceful termination of the upstream connection.
As mentioned in Section 4.2, the Transport Converter acts as a TCP proxy between the upstream connection (i.e., between the Client and the Transport Converter) and the downstream connection (i.e., between the Transport Converter and the Server).
The control messages (i.e., the Convert messages discussed in Section 6) establish state (called transport session entry) in the Transport Converter that will enable it to proxy between the two TCP connections.
The Transport Converter uses the transport session entry to proxy packets belonging to the connection. An implementation example of a transport session entry for TCP connections is shown in Figure 7.
C and c are the source IP address and source port number used by the Client for the upstream connection.
S and s are the Server's IP address and port number.
T and t are the source IP address and source port number used by the Transport Converter to proxy the connection.
Lifetime is a timer that tracks the remaining lifetime of the entry as assigned by the Converter. When the timer expires, the entry is deleted.
Clients send packets bound to connections eligible for the conversion service to the provisioned Transport Converter and destination port number. This applies for both control messages and data. Additional information is supplied by Clients to the Transport Converter by means of Convert messages as detailed in Section 6. User data can be included in SYN or non-SYN messages. User data is unambiguously distinguished from Convert TLVs by a Transport Converter owing to the Convert Fixed Header in the Convert messages (Section 6.1). These Convert TLVs are destined to the Transport Convert and are, thus, removed by the Transport Converter when proxying between the two connections.
Upon receipt of a packet that belongs to an existing connection between a Client and the Transport Converter, the Converter proxies the user data to the Server using the information stored in the corresponding transport session entry. For example, in reference to Figure 7, the Transport Converter proxies the data received from (C, c) downstream using (T,t) as source transport address and (S,s) as destination transport address.
A similar process happens for data sent from the Server. The Converter acts as a TCP proxy and sends the data to the Client relying upon the information stored in a transport session entry. The Converter associates a lifetime with state entries used to bind an upstream connection with its downstream connection.
When Multipath TCP is used between the Client and the Transport Converter, the Converter maintains more state (e.g., information about the subflows) for each Multipath TCP connection. The procedure described above continues to apply except that the Converter needs to manage the establishment/termination of subflows and schedule packets among the established ones. These operations are part of the Multipath TCP implementation. They are independent of the Convert Protocol that only processes the Convert messages in the beginning of the bytestream.
A Transport Converter may operate in address preservation mode (that is, the Converter does not rewrite the source IP address (i.e., C==T)) or address-sharing mode (that is, an address pool is shared among all Clients serviced by the Converter (i.e., C!=T)); refer to Section 4.4 for more details. Which behavior to use by a Transport Converter is deployment specific. If address-sharing mode is enabled, the Transport Converter MUST adhere to REQ-2 of [RFC 6888], which implies a default "IP address pooling" behavior of "Paired" (as defined in Section 4.1 of RFC 4787) MUST be supported. This behavior is meant to avoid breaking applications that depend on the source address remaining constant.
The Transport Converter is provided with instructions about the behavior to adopt with regard to the processing of source addresses of outgoing packets. The following subsections discuss two deployment models for illustration purposes. It is out of the scope of this document to make a recommendation.
In this model, the visible source IP address of a packet proxied by a Transport Converter to a Server is an IP address of the end host (Client). No dedicated IP address pool is provisioned to the Transport Converter, but the Transport Converter is located on the path between the Client and the Server.
For Multipath TCP, the Transport Converter preserves the source IP address used by the Client when establishing the initial subflow. Data conveyed in secondary subflows will be proxied by the Transport Converter using the source IP address of the initial subflow. An example of a proxied Multipath TCP connection with address preservation is shown in Figure 8.
Client Converter Server
@:C1,C2 @:Tc @:S
|| | |
|src:C1 SYN dst:Tc|src:C1 dst:S|
|| | |
||dst:C1 src:Tc|dst:C1 src:S|
|| | |
|src:C1 dst:Tc|src:C1 dst:S|
| | |
|src:C2 ... dst:Tc| ... |
||<-----Secondary Subflow---->|src:C1 dst:S|
| .. | ... |
Tc: IP address used by the Transport Converter on the internal
The Transport Converter must be on the forwarding path of incoming traffic. Because the same (destination) IP address is used for both proxied and non-proxied connections, the Transport Converter should not drop incoming packets it intercepts if no matching entry is found for the packets. Unless explicitly configured otherwise, such packets are forwarded according to the instructions of a local forwarding table.
A pool of global IPv4 addresses is provisioned to the Transport Converter along with possible instructions about the address-sharing ratio to apply (see Appendix B of RFC 6269). An address is thus shared among multiple Clients.
Likewise, rewriting the source IPv6 prefix [RFC 6296] may be used to ease redirection of incoming IPv6 traffic towards the appropriate Transport Converter. A pool of IPv6 prefixes is then provisioned to the Transport Converter for this purpose.
Adequate forwarding policies are enforced so that traffic destined to an address of such a pool is intercepted by the appropriate Transport Converter. Unlike Section 4.4.1, the Transport Converter drops incoming packets that do not match an active transport session entry.
An example is shown in Figure 9.
Client Converter Server
@:C @:Tc|Te @:S
| | |
|src:C dst:Tc|src:Te dst:S|
| | |
|dst:C src:Tc|dst:Te src:S|
| | |
|src:C dst:Tc|src:Te dst:S|
| | |
| ... | ... |
Tc: IP address used by the Transport Converter on the internal
Te: IP address used by the Transport Converter on the external
As an example, let us consider how the Convert Protocol can help the deployment of Multipath TCP. We assume that both the Client and the Transport Converter support Multipath TCP but consider two different cases depending on whether or not the Server supports Multipath TCP.
As a reminder, a Multipath TCP connection is created by placing the MP_CAPABLE (MPC) option in the SYN sent by the Client.
Figure 10 describes the operation of the Transport Converter if the Server does not support Multipath TCP.
The Client tries to initiate a Multipath TCP connection by sending a SYN with the MP_CAPABLE option (MPC in Figure 10). The SYN includes the address and port number of the target Server, that are extracted and used by the Transport Converter to initiate a Multipath TCP connection towards this Server. Since the Server does not support Multipath TCP, it replies with a SYN+ACK that does not contain the MP_CAPABLE option. The Transport Converter notes that the connection with the Server does not support Multipath TCP and returns the extended TCP header received from the Server to the Client.
Note that, if the TCP connection is reset for some reason, the Converter tears down the Multipath TCP connection by transmitting an MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with the transmission of DATA_FINs, the Converter terminates the TCP connection by using FIN segments. As a side note, given that with Multipath TCP, RST only has the scope of the subflow and will only close the concerned subflow but not affect the remaining subflows, the Converter does not terminate the downstream TCP connection upon receipt of an RST over a Multipath subflow.
Figure 11 considers a Server that supports Multipath TCP. In this case, it replies to the SYN sent by the Transport Converter with the MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport Converter confirms the establishment of the connection to the Client and indicates to the Client that the Server supports Multipath TCP. With this information, the Client has discovered that the Server supports Multipath TCP. This will enable the Client to bypass the Transport Converter for the subsequent Multipath TCP connections that it will initiate towards this Server.
An example of an incoming Converter-assisted Multipath TCP connection is depicted in Figure 12. In order to support incoming connections from remote hosts, the Client may use the Port Control Protocol (PCP) [RFC 6887] to instruct the Transport Converter to create dynamic mappings. Those mappings will be used by the Transport Converter to intercept an incoming TCP connection destined to the Client and convert it into a Multipath TCP connection.
Typically, the Client sends a PCP request to the Converter asking to create an explicit TCP mapping for the internal IP address and internal port number. The Converter accepts the request by creating a TCP mapping for the internal IP address, internal port number, external IP address, and external port number. The external IP address, external port number, and assigned lifetime are returned back to the Client in the PCP response. The external IP address and external port number will then be advertised by the Client (or the user) using an out-of-band mechanism so that remote hosts can initiate TCP connections to the Client via the Converter. Note that the external and internal information may be the same.
Then, when the Converter receives an incoming SYN, it checks its mapping table to verify if there is an active mapping matching the destination IP address and destination port of that SYN. If no entry is found, the Converter silently ignores the message. If an entry is found, the Converter inserts an MP_CAPABLE option and Connect TLV in the SYN packet, and rewrites the source IP address to one of its IP addresses and, eventually, the destination IP address and port number in accordance with the information stored in the mapping. SYN+ACK and ACK will then be exchanged between the Client and the Converter to confirm the establishment of the initial subflow. The Client can add new subflows following normal Multipath TCP procedures.
This section defines the Convert Protocol (Convert, for short) messages that are exchanged between a Client and a Transport Converter.
The Transport Converter listens on a specific TCP port number for Convert messages from Clients. That port number is configured by an administrator. Absent any policy, the Transport Converter SHOULD silently ignore SYNs with no Convert TLVs.
Convert messages may appear only in SYN, SYN+ACK, or ACK.
Convert messages MUST be included as the first bytes of the bytestream. All Convert messages start with a fixed header that is 32 bits long (Section 6.1) followed by one or more Convert TLVs (Type, Length, Value) (Section 6.2).
If the initial SYN message contains user data in its payload (e.g., see [RFC 7413]), that data MUST be placed right after the Convert TLVs when generating the SYN.
The protocol can be extended by defining new TLVs or bumping the version number if a different message format is needed. If a future version is defined but with a different message format, the version negotiation procedure defined in Section 6.2.8 (see "Unsupported Version") is meant to agree on a version that is supported by both peers.
The Convert Protocol uses a fixed header that is 32 bits long sent by both the Client and the Transport Converter over each established connection. This header indicates both the version of the protocol used and the length of the Convert message.
The Client and the Transport Converter MUST send the fixed-sized header, shown in Figure 13, as the first four bytes of the bytestream.
The version is encoded as an 8-bit unsigned integer value. This document specifies version 1. Version 0 is reserved by this document and MUST NOT be used.
The Total Length is the number of 32-bit words, including the header, of the bytestream that are consumed by the Convert messages. Since Total Length is also an 8-bit unsigned integer, those messages cannot consume more than 1020 bytes of data. This limits the number of bytes that a Transport Converter needs to process. A Total Length of zero is invalid and the connection MUST be reset upon reception of a header with such a total length.
The Magic Number field MUST be set to 0x2263. This field is meant to further strengthen the protocol to unambiguously distinguish any data supplied by an application from Convert TLVs.
The Total Length field unambiguously marks the number of 32-bit words that carry Convert TLVs in the beginning of the bytestream.
The Convert Protocol uses variable length messages that are encoded using the generic TLV format depicted in Figure 14.
The length of all TLVs used by the Convert Protocol is always a multiple of four bytes. All TLVs are aligned on 32-bit boundaries. All TLV fields are encoded using the network byte order.
The Length field covers Type, Length, and Value fields. It is expressed in units of 32-bit words. If necessary, Value MUST be padded with zeroes so that the length of the TLV is a multiple of 32 bits.
A given TLV MUST only appear once on a connection. If a Client receives two or more instances of the same TLV over a Convert connection, it MUST reset the associated TCP connection. If a Converter receives two or more instances of the same TLV over a Convert connection, it MUST return a Malformed Message Error TLV and close the associated TCP connection.
This document specifies the following Convert TLVs:
Extended TCP Header TLV
Supported TCP Extensions TLV
Table 1: The TLVs Used by the Convert Protocol
Type 0x0 is a reserved value. If a Client receives a TLV of type 0x0, it MUST reset the associated TCP connection. If a Converter receives a TLV of type 0x0, it MUST return an Unsupported Message Error TLV and close the associated TCP connection.
The Client typically sends, in the first connection it established with a Transport Converter, the Info TLV (Section 6.2.3) to learn its capabilities. Assuming the Client is authorized to invoke the Transport Converter, the latter replies with the Supported TCP Extensions TLV (Section 6.2.4).
The Client can request the establishment of connections to Servers by using the Connect TLV (Section 6.2.5). If the connection can be established with the final Server, the Transport Converter replies with the Extended TCP Header TLV (Section 6.2.6). If not, the Transport Converter MUST return an Error TLV (Section 6.2.8) and then close the connection. The Transport Converter MUST NOT send an RST immediately after the detection of an error to let the Error TLV reach the Client. As explained later, the Client will send an RST regardless upon reception of the Error TLV.
The Info TLV (Figure 15) is an optional TLV that can be sent by a Client to request the TCP extensions that are supported by a Transport Converter. It is typically sent on the first connection that a Client establishes with a Transport Converter to learn its capabilities. Assuming a Client is entitled to invoke the Transport Converter, the latter replies with the Supported TCP Extensions TLV described in Section 6.2.4.
The Supported TCP Extensions TLV (Figure 16) is used by a Transport Converter to announce the TCP options for which it provides a conversion service. A Transport Converter SHOULD include in this list the TCP options that it supports in outgoing SYNs.
Each supported TCP option is encoded with its TCP option Kind listed in the "Transmission Control Protocol (TCP) Parameters" registry maintained by IANA [IANA-CONVERT]. The Unassigned field MUST be set to zero by the Transport Converter and ignored by the Client.
TCP option Kinds 1 and 2 defined in [RFC 0793] are supported by all TCP implementations and thus, MUST NOT appear in this list.
The list of Supported TCP Extensions is padded with 0 to end on a 32-bit boundary.
For example, if the Transport Converter supports Multipath TCP, Kind=30 will be present in the Supported TCP Extensions TLV that it returns in response to the Info TLV.
The Connect TLV (Figure 17) is used to request the establishment of a connection via a Transport Converter. This connection can be from or to a Client.
The Remote Peer Port and Remote Peer IP Address fields contain the destination port number and IP address of the Server, for outgoing connections. For incoming connections destined to a Client serviced via a Transport Converter, these fields convey the source port number and IP address of the SYN packet received by the Transport Converter from the Server.
The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 addresses MUST be encoded using the IPv4-mapped IPv6 address format defined in [RFC 4291]. Further, the Remote Peer IP Address field MUST NOT include multicast, broadcast, or host loopback addresses [RFC 6890]. If a Converter receives a Connect TLV with such invalid addresses, it MUST reply with a Malformed Message Error TLV and close the associated TCP connection.
We distinguish two types of Connect TLV based on their length: (1) the Base Connect TLV has a length set to 5 (i.e., 20 bytes) and contains a remote address and a remote port (Figure 17), and (2) the Extended Connect TLV spans more than 20 bytes and also includes the optional TCP Options field (Figure 18). This field is used to request the advertisement of specific TCP options to the Server.
The TCP Options field is a variable length field that carries a list of TCP option fields (Figure 19). Each TCP option field is encoded as a block of 2+n bytes where the first byte is the TCP option Kind and the second byte is the length of the TCP option as specified in [RFC 0793]. The minimum value for the TCP option Length is 2. The TCP options that do not include a length sub-field, i.e., option types 0 (EOL) and 1 (NOP) defined in [RFC 0793] MUST NOT be placed inside the TCP options field of the Connect TLV. The optional Value field contains the variable-length part of the TCP option. A length of 2 indicates the absence of the Value field. The TCP options field always ends on a 32-bit boundary after being padded with zeros.
Upon reception of a Base Connect TLV, and absent any policy (e.g., rate-limit) or resource exhaustion conditions, a Transport Converter attempts to establish a connection to the address and port that it contains. The Transport Converter MUST use by default the TCP options that correspond to its local policy to establish this connection.
Upon reception of an Extended Connect TLV, a Transport Converter first checks whether or not it supports the TCP Options listed in the TCP Options field. If not, it returns an error TLV set to "Unsupported TCP Option" (Section 6.2.8). If the above check succeeded, and absent any rate-limit policy or resource exhaustion conditions, a Transport Converter MUST attempt to establish a connection to the address and port that it contains. It MUST include in the SYN that it sends to the Server the options listed in the TCP Options subfield and the TCP options that it would have used according to its local policies. For the TCP options that are included in the TCP Options field without an optional value, the Transport Converter MUST generate its own value. For the TCP options that are included in the TCP Options field with an optional value, it MUST copy the entire option in the SYN sent to the remote Server. This procedure is designed with TFO in mind. Particularly, this procedure allows to successfully exchange a Fast Open Cookie between the Client and the Server. See Section 7 for a detailed discussion of the different types of TCP options.
The Transport Converter may refuse a Connect TLV request for various reasons (e.g., authorization failed, out of resources, invalid address type, or unsupported TCP option). An error message indicating the encountered error is returned to the requesting Client (Section 6.2.8). In order to prevent denial-of-service attacks, error messages sent to a Client SHOULD be rate-limited.
The Extended TCP Header TLV (Figure 20) is used by the Transport Converter to return to the Client the TCP options that were returned by the Server in the SYN+ACK packet. A Transport Converter MUST return this TLV if the Client sent an Extended Connect TLV and the connection was accepted by the Server.
The Returned Extended TCP header field is a copy of the TCP Options that were included in the SYN+ACK received by the Transport Converter.
The Unassigned field MUST be set to zero by the sender and ignored by the receiver.
The Cookie TLV (Figure 21) is an optional TLV that is similar to the TCP Fast Open Cookie [RFC 7413]. A Transport Converter may want to verify that a Client can receive the packets that it sends to prevent attacks from spoofed addresses. This verification can be done by using a Cookie that is bound to, for example, the IP address(es) of the Client. This Cookie can be configured on the Client by means that are outside of this document or provided by the Transport Converter.
A Transport Converter that has been configured to use the optional Cookie TLV MUST verify the presence of this TLV in the payload of the received SYN. If this TLV is present, the Transport Converter MUST validate the Cookie by means similar to those in Section 4.1.2 of RFC 7413 (i.e., IsCookieValid). If the Cookie is valid, the connection establishment procedure can continue. Otherwise, the Transport Converter MUST return an Error TLV set to "Not Authorized" and close the connection.
If the received SYN did not contain a Cookie TLV, and cookie validation is required, the Transport Converter MAY compute a Cookie bound to this Client address. In such case, the Transport Converter MUST return an Error TLV set to "Missing Cookie" and the computed Cookie and close the connection. The Client will react to this error by first issuing a reset to terminate the connection. It also stores the received Cookie in its cache and attempts to reestablish a new connection to the Transport Converter that includes the Cookie TLV.
The format of the Cookie TLV is shown in Figure 21.
The Error TLV (Figure 22) is meant to provide information about some errors that occurred during the processing of a Convert message. This TLV has a variable length. Upon reception of an Error TLV, a Client MUST reset the associated connection.
An Error TLV can be included in the SYN+ACK or an ACK.
Different types of errors can occur while processing Convert messages. Each error is identified by an Error Code represented as an unsigned integer. Four classes of error codes are defined:
Message validation and processing errors (0-31 range):
Returned upon reception of an invalid message (including valid messages but with invalid or unknown TLVs).
Client-side errors (32-63 range):
The Client sent a request that could not be accepted by the Transport Converter (e.g., unsupported operation).
Converter-side errors (64-95 range):
Problems encountered on the Transport Converter (e.g., lack of resources) that prevent it from fulfilling the Client's request.
Errors caused by the destination Server (96-127 range):
The final destination could not be reached or it replied with a reset.
The following error codes are defined in this document:
Unsupported Version (0):
The version number indicated in the fixed header of a message received from a peer is not supported.
This error code MUST be generated by a peer (e.g., Transport Converter) when it receives a request having a version number that it does not support.
The Value field MUST be set to the version supported by the peer. When multiple versions are supported by the peer, it includes the list of supported versions in the Value field; each version is encoded in 8 bits. The list of supported versions MUST be padded with zeros to end on a 32-bit boundary.
Upon receipt of this error code, the remote peer (e.g., Client) checks whether it supports one of the versions returned by the peer. The highest commonly supported version number MUST be used by the remote peer in subsequent exchanges with the peer.
Malformed Message (1):
This error code is sent to indicate that a message received from a peer cannot be successfully parsed and validated.
Typically, this error code is sent by the Transport Converter if it receives a Connect TLV enclosing a multicast, broadcast, or loopback IP address.
To ease troubleshooting, the Value field MUST echo the received message using the format depicted in Figure 23. This format allows keeping the original alignment of the message that triggered the error.
This error code is sent to indicate that a message type received from a Client is not supported.
To ease troubleshooting, the Value field MUST echo the received message using the format shown in Figure 23.
Missing Cookie (3):
If a Transport Converter requires the utilization of Cookies to prevent spoofing attacks and a Cookie TLV was not included in the Convert message, the Transport Converter MUST return this error to the requesting Client only if it computes a cookie for this Client. The first byte of the Value field MUST be set to zero and the remaining bytes of the Error TLV contain the Cookie computed by the Transport Converter for this Client.
A Client that receives this error code SHOULD cache the received Cookie and include it in subsequent Convert messages sent to that Transport Converter.
Not Authorized (32):
This error code indicates that the Transport Converter refused to create a connection because of a lack of authorization (e.g., administratively prohibited, authorization failure, or invalid Cookie TLV). The Value field MUST be set to zero.
This error code MUST be sent by the Transport Converter when a request cannot be successfully processed because the authorization failed.
Unsupported TCP Option (33):
A TCP option that the Client requested to advertise to the final Server cannot be safely used.
The Value field is set to the type of the unsupported TCP option. If several unsupported TCP options were specified in the Connect TLV, then the list of unsupported TCP options is returned. The list of unsupported TCP options MUST be padded with zeros to end on a 32-bit boundary.
Resource Exceeded (64):
This error indicates that the Transport Converter does not have enough resources to perform the request.
This error MUST be sent by the Transport Converter when it does not have sufficient resources to handle a new connection. The Transport Converter may indicate in the Value field the suggested delay (in seconds) that the Client SHOULD wait before soliciting the Transport Converter for a new proxied connection. A Value of zero corresponds to a default delay of at least 30 seconds.
Network Failure (65):
This error indicates that the Transport Converter is experiencing a network failure to proxy the request.
The Transport Converter MUST send this error code when it experiences forwarding issues to proxy a connection. The Transport Converter may indicate in the Value field the suggested delay (in seconds) that the Client SHOULD wait before soliciting the Transport Converter for a new proxied connection. A Value of zero corresponds to a default delay of at least 30 seconds.
Connection Reset (96):
This error indicates that the final destination responded with an RST segment. The Value field MUST be set to zero.
Destination Unreachable (97):
This error indicates that an ICMP message indicating a hard error (e.g., destination unreachable, port unreachable, or network unreachable) was received by the Transport Converter. The Value field MUST echo the Code field of the received ICMP message.
As a reminder, TCP implementations are supposed to act on an ICMP error message passed up from the IP layer, directing it to the connection that triggered the error using the demultiplexing information included in the payload of that ICMP message. Such a demultiplexing issue does not apply for handling the "Destination Unreachable" Error TLV because the error is sent in-band. For this reason, the payload of the ICMP message is not echoed in the Destination Unreachable Error TLV.
Three TCP options were initially defined in [RFC 0793]: End-of-Option List (Kind=0), No-Operation (Kind=1), and Maximum Segment Size (Kind=2). The first two options are mainly used to pad the TCP header. There is no reason for a Client to request a Transport Converter to specifically send these options towards the final destination.
The Maximum Segment Size option (Kind=2) is used by a host to indicate the largest segment that it can receive over each connection. This value is a function of the stack that terminates the TCP connection. There is no reason for a Client to request a Transport Converter to advertise a specific Maximum Segment Size (MSS) value to a remote Server.
A Transport Converter MUST ignore options with Kind=0, 1, or 2 if they appear in a Connect TLV. It MUST NOT announce them in a Supported TCP Extensions TLV.
The Window Scale (WS) option (Kind=3) is defined in [RFC 7323]. As for the MSS option, the window scale factor that is used for a connection strongly depends on the TCP stack that handles the connection. When a Transport Converter opens a TCP connection towards a remote Server on behalf of a Client, it SHOULD use a WS option with a scaling factor that corresponds to the configuration of its stack. A local configuration MAY allow for a WS option in the proxied message to be a function of the scaling factor of the incoming connection.
From a deployment viewpoint, there is no benefit in enabling a Client of a Transport Converter to specifically request the utilization of the WS option (Kind=3) with a specific scaling factor towards a remote Server. For this reason, a Transport Converter MUST ignore option Kind=3 if it appears in a Connect TLV. The Transport Converter MUST NOT announce a WS option (Kind=3) in a Supported TCP Extensions TLV.
Two distinct TCP options were defined to support Selective Acknowledgment (SACK) in [RFC 2018]. This first one, SACK-Permitted (Kind=4), is used to negotiate the utilization of Selective Acknowledgments during the three-way handshake. The second one, SACK (Kind=5), carries the Selective Acknowledgments inside regular segments.
The SACK-Permitted option (Kind=4) MAY be advertised by a Transport Converter in the Supported TCP Extensions TLV. Clients connected to this Transport Converter MAY include the SACK-Permitted option in the Connect TLV.
The SACK option (Kind=5) cannot be used during the three-way handshake. For this reason, a Transport Converter MUST ignore option Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a TCP Supported Extensions TLV.
The Timestamp option [RFC 7323] can be used during the three-way handshake to negotiate the utilization of timestamps during the TCP connection. It is notably used to improve round-trip-time estimations and to provide Protection Against Wrapped Sequences (PAWS). As for the WS option, the timestamps are a property of a connection and there is limited benefit in enabling a Client to request a Transport Converter to use the timestamp option when establishing a connection to a remote Server. Furthermore, the timestamps that are used by TCP stacks are specific to each stack and there is no benefit in enabling a Client to specify the timestamp value that a Transport Converter could use to establish a connection to a remote Server.
A Transport Converter MAY advertise the Timestamp option (Kind=8) in the TCP Supported Extensions TLV. The Clients connected to this Transport Converter MAY include the Timestamp option in the Connect TLV but without any timestamp.
The Multipath TCP options are defined in [RFC 8684], which defines one variable length TCP option (Kind=30) that includes a sub-type field to support several Multipath TCP options. There are several operational use cases where Clients would like to use Multipath TCP through a Transport Converter [IETFJ16]. However, none of these use cases require the Client to specify the content of the Multipath TCP option that the Transport Converter should send to a remote Server.
A Transport Converter that supports Multipath TCP conversion service MUST advertise the Multipath TCP option (Kind=30) in the Supported TCP Extensions TLV. Clients serviced by this Transport Converter may include the Multipath TCP option in the Connect TLV but without any content.
The TCP Fast Open Cookie option (Kind=34) is defined in [RFC 7413]. There are two different usages of this option that need to be supported by Transport Converters. The first utilization of the TCP Fast Open Cookie option is to request a cookie from the Server. In this case, the option is sent with an empty cookie by the Client, and the Server returns the cookie. The second utilization of the TCP Fast Open Cookie option is to send a cookie to the Server. In this case, the option contains a cookie.
A Transport Converter MAY advertise the TCP Fast Open Cookie option (Kind=34) in the Supported TCP Extensions TLV. If a Transport Converter has advertised the support for TCP Fast Open in its Supported TCP Extensions TLV, it needs to be able to process two types of Connect TLV.
If such a Transport Converter receives a Connect TLV with the TCP Fast Open Cookie option that does not contain a cookie, it MUST add an empty TCP Fast Open Cookie option in the SYN sent to the remote Server. If the remote Server supports TFO, it responds with a SYN-ACK according to the procedure in Section 4.1.2 of RFC 7413. This SYN-ACK may contain a Fast Open option with a cookie. Upon receipt of the SYN-ACK by the Converter, it relays the Fast Open option with the cookie to the Client.
If such a Transport Converter receives a Connect TLV with the TCP Fast Open Cookie option that contains a cookie, it MUST copy the TCP Fast Open Cookie option in the SYN sent to the remote Server.
The TCP Authentication Option (TCP-AO) [RFC 5925] provides a technique to authenticate all the packets exchanged over a TCP connection. Given the nature of this extension, it is unlikely that the applications that require their packets to be authenticated end to end would want their connections to pass through a converter. For this reason, we do not recommend the support of the TCP-AO by Transport Converters. The only use cases where it could make sense to combine TCP-AO and the solution in this document are those where the TCP-AO-NAT extension [RFC 6978] is in use.
A Transport Converter MUST NOT advertise the TCP-AO (Kind=29) in the Supported TCP Extensions TLV. If a Transport Converter receives a Connect TLV that contains the TCP-AO, it MUST reject the establishment of the connection with error code set to "Unsupported TCP Option", except if the TCP-AO-NAT option is used. Nevertheless, given that TCP-AO-NAT is Experimental, its usage is not currently defined and must be specified by some other document before it can be used.
The Convert Protocol is designed to be used in networks that do not contain middleboxes that interfere with TCP. Under such conditions, it is assumed that the network provider ensures that all involved on-path nodes are not breaking TCP signals (e.g., strip TCP options, discard some SYNs, etc.).
Nevertheless, and in order to allow for a robust service, this section describes how a Client can detect middlebox interference and stop using the Transport Converter affected by this interference.
Internet measurements [IMC11] have shown that middleboxes can affect the deployment of TCP extensions. In this section, we focus the middleboxes that modify the payload since the Convert Protocol places its messages at the beginning of the bytestream.
Consider a middlebox that removes the SYN payload. The Client can detect this problem by looking at the acknowledgment number field of the SYN+ACK if returned by the Transport Converter. The Client MUST stop to use this Transport Converter given the middlebox interference.
Consider now a middlebox that drops SYN/ACKs with a payload. The Client won't be able to establish a connection via the Transport Converter. The case of a middlebox that removes the payload of SYN+ACKs or from the packet that follows the SYN+ACK (but not the payload of SYN) can be detected by a Client. This is hinted by the absence of a valid Convert message in the response.
As explained in [RFC 7413], some Carrier Grade NATs (CGNs) can affect the operation of TFO if they assign different IP addresses to the same end host. Such CGNs could affect the operation of the cookie validation used by the Convert Protocol. As a reminder, CGNs that are enabled on the path between a Client and a Transport Converter must adhere to the address preservation defined in [RFC 6888]. See also the discussion in Section 7.1 of RFC 7413.
An implementation MUST check that the Convert TLVs are properly framed within the boundary indicated by the Total Length in the fixed header (Section 6.1).
Additional security considerations are discussed in the following subsections.
The Transport Converter may have access to privacy-related information (e.g., subscriber credentials). The Transport Converter is designed to not leak such sensitive information outside a local domain.
Given its function and location in the network, a Transport Converter is in a position to observe all packets that it processes, to include payloads and metadata, and has the ability to profile and conduct some traffic analysis of user behavior. The Transport Converter MUST be as protected as a core IP router (e.g., Section 10 of RFC 1812).
Furthermore, ingress filtering policies MUST be enforced at the network boundaries [RFC 2827].
This document assumes that all network attachments are managed by the same administrative entity. Therefore, enforcing anti-spoofing filters at these networks is a guard that hosts are not sending traffic with spoofed source IP addresses.
The Convert Protocol is RECOMMENDED for use in a managed network where end hosts can be securely identified by their IP address. If such control is not exerted and there is a more open network environment, a strong mutual authentication scheme MUST be defined to use the Convert Protocol.
One possibility for mutual authentication is to use TLS to perform mutual authentication between the Client and the Converter. That is, use TLS when a Client retrieves a Cookie from the Converter and rely on certificate-based, pre-shared key-based [RFC 4279], or raw public key-based Client authentication [RFC 7250] to secure this connection. If the authentication succeeds, the Converter returns a cookie to the Client. Subsequent Connect messages will be authorized as a function of the content of the Cookie TLV. An attacker from within the network between a Client and a Transport Converter may intercept the Cookie and use it to be granted access to the conversion service. Such an attack is only possible if the attacker spoofs the IP address of the Client and the network does not filter packets with source-spoofed IP addresses.
The operator that manages the various network attachments (including the Transport Converters) has various options for enforcing authentication and authorization policies. For example, a non-exhaustive list of methods to achieve authorization is provided hereafter:
The network provider may enforce a policy based on the International Mobile Subscriber Identity (IMSI) to verify that a user is allowed to benefit from the TCP converter service. If that authorization fails, the Packet Data Protocol (PDP) context/bearer will not be mounted. This method does not require any interaction with the Transport Converter for authorization matters.
The network provider may enforce a policy based upon Access Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) to control the hosts that are authorized to communicate with a Transport Converter. These ACLs may be installed as a result of RADIUS exchanges, e.g., [TCPM-CONVERTER]. This method does not require any interaction with the Transport Converter for authorization matters.
A device that embeds a Transport Converter may also host a RADIUS Client that will solicit a AAA Server to check whether or not connections received from a given source IP address are authorized [TCPM-CONVERTER].
A first safeguard against the misuse of Transport Converter resources by illegitimate users (e.g., users with access networks that are not managed by the same provider that operates the Transport Converter) is the Transport Converter to reject Convert connections received in the external realm. Only Convert connections received in the internal realm of a Transport Converter will be accepted.
In deployments where network-assisted connections are not allowed between hosts of a domain (i.e., hairpinning), the Converter may be instructed to discard such connections. Hairpinned connections are thus rejected by the Transport Converter by returning an Error TLV set to "Not Authorized". Otherwise, absent explicit configuration, hairpinning is enabled by the Converter (see Figure 24).
+----+ from X1:x1 to X2':x2' +-----+ X1':x1'
| C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+---
+----+ | v |
| v |
| v |
| v |
+----+ from X1':x1' to X2:x2 | v | X2':x2'
| C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+---
Note: X2':x2' may be equal to
Another possible risk is amplification attacks, since a Transport Converter sends a SYN towards a remote Server upon reception of a SYN from a Client. This could lead to amplification attacks if the SYN sent by the Transport Converter were larger than the SYN received from the Client, or if the Transport Converter retransmits the SYN. To mitigate such attacks, the Transport Converter SHOULD rate-limit the number of pending requests for a given Client. It SHOULD also avoid sending SYNs that are significantly longer than the SYN received from the Client, to remote Servers. Finally, the Transport Converter SHOULD only retransmit a SYN to a Server after having received a retransmitted SYN from the corresponding Client. Means to protect against SYN flooding attacks should also be enabled (e.g., Section 3 of RFC 4987).
Attacks from within the network between a Client and a Transport Converter (including attacks that change the protocol version) are yet another threat. Means to ensure that illegitimate nodes cannot connect to a network should be implemented.
Traffic theft is a risk if an illegitimate Converter is inserted in the path. Indeed, inserting an illegitimate Converter in the forwarding path allows traffic interception and can therefore provide access to sensitive data issued by or destined to a host. Converter discovery and configuration are out of scope of this document.
If the Converter is configured to behave in the address-sharing mode (Section 4.4.2), the logging recommendations discussed in Section 4 of RFC 6888 need to be considered. Security-related issues encountered in address-sharing environments are documented in Section 13 of RFC 6269.
IANA has created a new "TCP Convert Protocol (Convert) Parameters" registry.
The following subsections detail new registries within the "Convert Protocol (Convert) Parameters" registry.
The designated expert is expected to ascertain the existence of suitable documentation as described in Section 4.6 of RFC 8126 and to verify that the document is permanently and publicly available. The designated expert is also expected to check the clarity of purpose and use of the requested code points.
Also, criteria that should be applied by the designated experts includes determining whether the proposed registration duplicates existing functionality, whether it is likely to be of general applicability or useful only for private use, and whether the registration description is clear. All requests should be directed to the review mailing list. For both the "Convert TLVs" and "Convert Errors" subregistries, IANA must only accept registry updates in the 128-191 range from the designated experts. It is suggested that multiple designated experts be appointed. In cases where a registration decision could be perceived as creating a conflict of interest for a particular expert, that expert should defer to the judgment of the other experts.
IANA has created the "Convert Errors" subregistry. Codes in this registry are assigned as a function of the error type. Four types are defined; the following ranges are reserved for each of these types:
Message validation and processing errors
Transport Converter-side errors
Errors caused by destination Server
The procedures for assigning values from this subregistry are as follows:
The initial values of the registry are as follows:
P. Ferguson, and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000, <https://www.rfc-editor.org/info/rfc2827>.
F. Audet, and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007, <https://www.rfc-editor.org/info/rfc4787>.
S. Perreault, I. Yamagata, S. Miyakawa, A. Nakagawa, and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013, <https://www.rfc-editor.org/info/rfc6888>.
A. Ford, C. Raiciu, M. Handley, O. Bonaventure, and C. Paasch, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 8684, DOI 10.17487/RFC8684, March 2020, <https://www.rfc-editor.org/info/rfc8684>.
K. Honda, Y. Nishida, C. Raiciu, A. Greenhalgh, M. Handley, and T. Hideyuki, "Is it still possible to extend TCP?", DOI 10.1145/2068816.2068834, November 2011, <https://doi.org/10.1145/2068816.2068834>.
M Boucadair, C Jacquenet, O Bonaventure, D Behaghel, S Secci, W Henderickx, R Skog, S Vinapamula, S Seo, W Cloetens, U Meyer, L Contreras, and B Peirens, "Extensions for Network-Assisted MPTCP Deployment Models", Internet-Draft draft-boucadair-mptcp-plain-mode-10, March 2017, <https://tools.ietf.org/html/draft-boucadair-mptcp-plain-mode-10>.
J. Border, M. Kojo, J. Griner, G. Montenegro, and Z. Shelby, "Performance Enhancing Proxies Intended to Mitigate Link-Related Degradations", RFC 3135, DOI 10.17487/RFC3135, June 2001, <https://www.rfc-editor.org/info/rfc3135>.
P. Wouters, H. Tschofenig, J. Gilmore, S. Weiler, and T. Kivinen, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, June 2014, <https://www.rfc-editor.org/info/rfc7250>.
M. Duke, R. Braden, W. Eddy, E. Blanton, and A. Zimmermann, "A Roadmap for Transmission Control Protocol (TCP) Specification Documents", RFC 7414, DOI 10.17487/RFC7414, February 2015, <https://www.rfc-editor.org/info/rfc7414>.
A. Bittau, D. Giffin, M. Handley, D. Mazieres, Q. Slack, and E. Smith, "Cryptographic Protection of TCP Streams (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019, <https://www.rfc-editor.org/info/rfc8548>.
On the Client side, the support of the 0-RTT Converter protocol does not require any other changes than those identified in Appendix A of RFC 7413. Those modifications are already supported by multiple TCP stacks.
As an example, on Linux, a Client can send the 0-RTT Convert message inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in the example below:
The Converter needs to enable the reception of data inside the SYN independently of the utilization of the TFO option. This implies that the Transport Converter application cannot rely on the Fast Open Cookies to validate the reachability of the IP address that sent the SYN. It must rely on other techniques, such as the Cookie TLV described in this document, to verify this reachability.
[RFC 7413] suggested the utilization of a TCP_FASTOPEN socket option to enable the reception of SYNs containing data. Later, Appendix A of RFC 7413 mentioned:
Traditionally, accept() returns only after a socket is connected. But, for a Fast Open connection, accept() returns upon receiving a SYN with a valid Fast Open cookie and data, and the data is available to be read through, e.g., recvmsg(), read().
To support the 0-RTT TCP Convert Protocol, this behavior should be modified as follows:
Traditionally, accept() returns only after a socket is connected. But, for a Fast Open connection, accept() returns upon receiving a SYN with data, and the data is available to be read through, e.g., recvmsg(), read(). The application that receives such SYNs with data must be able to validate the reachability of the source of the SYN and also deal with replayed SYNs.
The Linux Server side can be configured with the following sysctls:
(server) enables the Server support, i.e., allowing data in a SYN packet to be accepted and passed to the application before a 3-way handshake finishes.
(server) accepts data-in-SYN w/o any cookie option present.
However, this configuration is system wide. This is convenient for typical Transport Converter deployments where no other applications relying on TFO are collocated on the same device.
Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to provide the same behavior on a per-socket basis. This enables a single host to support both Servers that require the Fast Open Cookie and Servers that do not use it.
Although they could disagree with the contents of the document, we would like to thank Joe Touch and Juliusz Chroboczek, whose comments on the MPTCP mailing list have forced us to reconsider the design of the solution several times.
We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha Nandugudi, and Gregory Vander Schueren for their help in preparing this document. Nandini Ganesh provided valuable feedback about the handling of TFO and the error codes. Yuchung Cheng and Praveen Balasubramanian helped to clarify the discussion on supplying data in SYNs. Phil Eardley and Michael Scharf helped to clarify different parts of the text. Thanks to Éric Vyncke, Roman Danyliw, Benjamin Kaduk, and Alexey Melnikov for the IESG review, and Christian Huitema for the Security Directorate review.
Many thanks to Mirja Kühlewind for the detailed AD review.
This document builds upon earlier documents that proposed various forms of Multipath TCP proxies: [MPTCP-PLAIN], [MPTCP-TRANSPARENT], and [HOT-MIDDLEBOX13].
Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi Nishida, and Christoph Paasch for their valuable comments.
Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and Sri Gundavelli for the fruitful discussions at IETF 95 (Buenos Aires).
Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and Xavier Grall for their input.
Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun Srinivasan, and Raghavendra Mallya for their input.