0-RTT TCP converters

Transport protocols like TCP evolve regularly . Given the end-to-end nature of those protocols, a new feature can only be used once it has been deployed on both clients and servers. Experience with TCP extensions reveals that the deployment of a new TCP extension requires many years . There are some situations where the transport stack used on clients (resp. servers) can be upgraded at a faster pace than the transport stack running on servers (resp. clients). In those situations, clients would typically want to benefit from the features of an improved transport protocol even if the servers have not yet been upgraded and conversely. In the past, Performance Enhancing Proxies have been proposed and deployed as solutions to improve TCP performance over links with specific characteristics. Recent examples of TCP extensions include Multipath TCP or TCPINC . Those extensions provide features that are interesting for clients such as cellular devices. With Multipath TCP, cellular devices could seamlessly use WLAN and cellular networks, either for bonding purposes, for faster handovers, or better resiliency. Unfortunately, deploying those extensions on both a wide range of clients and servers remains difficult. In this document, we propose the utilisation of a Transport Converter. A Transport Converter is a network function that is installed by a network operator to aid the deployment of TCP extensions and to provide the benefits of such extensons to the subscribers. A Transport Converter operates entirely at the transport layer and supports one or more TCP extensions. The converter protocol is an application layer protocol that uses a TCP port number to be assigned by IANA. The main advantage of network-assisted converters is that they enable new TCP extensions to be used on a subset of the end-to-end path, which encourages the deployment of these extensions. A Transport Converter is designed to not alter options that are supplied by the client or the server; those options can still be negotiated directly between the endpoints. This document does not assume that all the traffic is eligible to the network-assisted conversion service. Only a subset of the trafic will be forwarded to a converter according to a set of policies. Furthermore, it is possible to bypass the converter to connect to the servers that already support the required TCP extension. This document assumes that a client is configured with one or a list of transport converters. Configuration means are outside the scope of this document. This document is organised as follows. We first provide a brief explanation of the operation of Transport Converters in . We compare them in with SOCKS proxies that are already used to deploy Multipath TCP in cellular networks . We then describe the Converter protocol in and illustrate its usage with a few examples in . We then discuss the interactions with middleboxes () and the security considerations ().

The architecture considers three types of end hosts: Client endhosts Transport Converters Server endhosts It does not mandate anything on the server side. The architecture assumes that new software will be installed on the Client hosts and on Transport Converters. Further, the architecture allow for making use of new extensions if those are supported by a given server. A Transport Converter is a network function that relays all data exchanged over one upstream connection to one downstream connection and vice versa. A connection can be initiated from both interfaces of the transport converter (Internet-facing Interface, client-facing inetreface). The converter, thus, maintains state that associates one upstream connection to a corresponding downstream connection. One of the benefits of this design is that different transport protocol extensions can be used on the upstream and the downstream connection. This encourages the deployment of new TCP extensions until they are supported by all servers.

| transport |<--- downstream ---> | converter | +------------+ ]]> Transport converters can be operated by either the network operator or third parties. The Client is configured, through means that are outside the scope of this document, with the names and/or the addresses of one or more Transport Converters. The packets belonging to a transport connection that pass through a transport converter may follow a different path than the packets directly exchanged between the Client and the Server. Deployments should minimise this additional delay by carefully selecting the location of the Transport Converter used to reach a given destination. A transport converter can be embedded in a standalone device or be actiavted as a service on a router. How such function is enabled is deployement-specific.

When establishing a transport connection, the Client can, depending on local policies, either contact the Server directly (e.g., by sending a TCP SYN towards the Server) or create the connection via a Transport Converter. In the latter case, the Client initiates a connection towards the Transport Converter and indicates the address and port number of the ultimate Server inside the connection establishment packet (shown between brackets in ). Doing so enables the Transport Converter to immediately initiate a connection towards that Server, without experiencing an extra delay. The Transport Converter waits until the confirmation that the Server agrees to establish the connection before confirming it to the Client. illustrates the establishment of a TCP connection by the Client through a Transport Converter. The information shown between brackets is part of the Converter protocol described later in this document. The connection can also be established from the Internet towards a client via a transport converter. This is typically the case when the client embbeds a server (video server, for example).

SYN [->Server:port] --------------------> SYN <-------------------- SYN+ACK <-------------------- SYN+ACK [ ] --------------------> ACK --------------------> ACK ]]> As shown in , the Converter places its supplied information inside the handshake packets. This information is encoded in a way that separates this information from the user data that can also be carried inside the payload of such packets (e.g., ). With TCP, the Converter protocol places the destination address and port number of the final Server in the payload of the SYN. The SYN+ACK packet returned by the Transport Converter to the Client contains information that confirms the establishment of the connection between the Transport Converter and the final Server. It is important to note that the Transport Converter maintains two transport connections that are combined together. The upstream connection is the one between the Client and the Transport Converter. The downstream connection is between the Transport Converter and the final Server. Any user data received by the Transport Converter over the upstream (resp. downstream) connection is relayed over the downstream (resp. upstream) connection to give to the Client the illusion of an end-to-end connection. As an example, let us consider how such a protocol can help the deployment of Multipath TCP . We assume that both the Client and the Transport Converter support Multipath TCP, but consider two different cases depending whether the Server supports Multipath TCP or not. A Multipath TCP connection is created by placing the MP_CAPABLE (MPC) option in the SYN sent by the Client. describes the operation of the Transport Converter if the Server does not support Multipath TCP.

SYN, MPC [->Server:port] --------------------> SYN, MPC <-------------------- SYN+ACK <-------------------- SYN+ACK,MPC [ NoMPC ] --------------------> ACK,MPC --------------------> ACK ]]> The Client tries to initiate a Multipath TCP connection by sending a SYN with the MP_CAPABLE option (MPC in ). The SYN includes the address and port number of the final Server and the Transport Converter attempts to initiate a Multipath TCP connection towards this Server. Since the Server does not support Multipath TCP, it replies with a SYN+ACK that does not contain the MP_CAPABLE option. The Transport Converter notes that the connection with the Server does not support Multipath TCP. considers a Server that supports Multipath TCP. In this case, it replies to the SYN sent by the Transport Converter with the MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport Converter confirms the establishment of the connection to the Client and indicates in the SYN+ACK packet sent to the Client that the Server supports Multipath TCP. With this information, the Client has discovered that the Server supports Multipath TCP natively. This will enable it to bypass the Transport Converter for the next Multipath TCP connection that it will initiate towards this Server or by creating a subflow to the server directly. The one established via the transport converter can be closed.

SYN, MPC [->Server:port] --------------------> SYN, MPC <-------------------- SYN+ACK, MPC <-------------------- SYN+ACK, MPC [ MPC supported ] --------------------> ACK, MPC --------------------> ACK, MPC ]]>

The description above is a simplified description of the Converter protocol. At a first glance, the proposed solution could seem similar to the SOCKS v5 protocol . This protocol is used to proxy TCP connections. The Client creates a connection to a SOCKS proxy, exchanges authentication information and indicates the destination address and port of the final server. At this point, the SOCKS proxy creates a connection towards the final server and relays all data between the two proxied connections. The operation of SOCKS v5 is illustrated in .

SYN <-------------------- SYN+ACK --------------------> Version=5 <-------------------- No Auth --------------------> Connect Server:Port --------------------> SYN <-------------------- SYN+ACK <-------------------- Succeeded --------------------> Data1 --------------------> Data1 <-------------------- Data2 <-------------------- Data2 ]]> The converter protocol proposed in this document also relays data between an upstream and a downstream connection, but there are important differences with SOCKS v5. A first difference is that the converter protocol leverages the TFO option to place all its control information inside the SYN and SYN+ACK packets. This reduces the connection establishment delay compared to SOCKS that requires two or more round-trip-times before the establishment of the downstream connection towards the final destination. In today's Internet, latency is a important metric and various protocols have been tuned to reduce their latency . A recently proposed extension to SOCKS also leverages the TFO option . A second difference is that the converter protocol takes the TCP extensions explicitly into account. With the converter protocol, the Client can learn whether a given TCP extension is supported by the destination Server. This enables the Client to bypass the Transport Converter when the destination supports the required TCP extension. Neither SOCKSv5 nor the proposed SOCKS v6 provide such feature. A third difference is that a Transport Converter will only accept the connection initiated by the Client provided that the downstream connection is accepted by the Server. If the Server refuses the connection establishment attempt from the Transport Converter, then the upstream connection from the Client is rejected as well. This feature is important for applications that check the availability of a Server or use the time to connect as a hint on the selection of a Server . This is illustrated in.

SYN, MPC [->Server:port] --------------------> SYN, MPC <-------------------- RST <-------------------- RST [ ... ] ]]> These differences between SOCKS and the Converter protocol imply that a Transport Converter cannot be implemented as a regular user-space application like a SOCKS proxy. A Transport Converter needs to interact with the underlying TCP implementation more closely than the regular socket APIs used by the SOCKS proxy.

We now describe in details the messages that are exchanged between a Client and a Transport Converter. The Converter protocol leverages the TCP Fast Open extension defined in . The Converter Protocol uses a 32 bits long fixed header that is sent by both the Client and the Transport Converter. This header indicates both the version of the protocol used and the length of the CP messages.

When a Client initiates a connection to a Transport Converter using the Converter Protocol, it MUST send the fixed-sized header shown in as the first four bytes of the bytestream.

The Version is encoded as an 8 bits unsigned integer value. This document specifies version 1. The Total Length is the number of 32 bits word, including the header, of the bytestram that are consumed by the Converter Protocol messages. Since Total Length is also an 8 bits unsigned integer, those messages cannot consume more than 1020 bytes of data. This limits the number of bytes that a Transport Converter needs to process. A Total Length of zero is invalid and the connection MUST be reset upon reception of such a header. The Reserved field MUST be set to zero in this version of the protocol.

The Converter protocol uses variable length messages that are encoded using a TLV format to simplify the parsing of the messages and leave room to extend the protocol in the future. A given TLV can only appear once on a Converter connection. If two or more copies of the same TLV are exchanged over a Converter connection, the associated TCP connections MUST be closed. Five TLVs are defined in this document. They are listed in . Type Length Description 1 1 Bootstrap TLV 10 Variable Connect TLV 20 Variable Extended TCP Header TLV 21 Variable Supported TCP Options TLV 30 Variable Error TLV

This TLV is used to request the Transport Converter to establish a connection towards the Server address and port included in the TLV. The Server Address is always encoded as an IPv6 address. IPv4 addresses are encoded using the IPv4-Mapped IPv6 Address format defined in . The optional TCP Options field is used to specify how some TCP Options are advertised by the Transport Converter to the final destination. If this field is empty, then the Transport Converter uses the standard TCP options that correspond to its local policy.

The TCP Options field is a variable length field that carries a list of TCP Option fields. Each TCP Option field is encoded as a block of 2+n bytes where the first byte is the TCP Option Type and the second byte is the length of the TCP Option as specified in . The minimum value for the TCPOpt Length is 2. The TCP Options that do not include a length subfield, i.e. option types 0 (EOL) and 1 (NOP) defined in cannot be placed inside the TCP Options field of the Connect TLV. The optional Value field contains the variable-length part of the TCP option. A length of two indicates the absence of the Value field. The TCP Options field always ends on a 32 bits boundary after being padded with zeros.

If a Transport Converter receives a Connect TLV with an empty TCP Options field, it shall place in the SYN that it sends towards the Server the TCP Options that it would have used according to its local policy. If a Transport Converter receives a Connect TLV with an non-empty TCP Options field, it shall place in the SYN that it sends towards the destination Server the TCP Options that it would have used according to its local policies and the options that are listed in the TCP Options field. For the TCP Options that are listed without an optional value, it will generate its own value. For the TCP Options that are included in the TCP Options field with an optional value, it shall copy the entire option in the SYN sent to the Server. This feature is required to support TCP Fast Open as explained in .

The Extended TCP Header TLV is used by the Transport Converter to return to the Client the extended TCP header that was returned by the Server in the SYN+ACK packet. This TLV is only present if the Client has sent a Connect TLV to request the establishment of a connection.

The Returned Extended TCP header field is a copy of the extended header that was received in the SYN+ACK by the Transport Converter. The Reserved field is set to zero by the transmitter and ignored by the receiver.

This optional TLV can be used by the Transport Converter to provide information about some errors that occurred during the processing of a request to convert a connection. This TLV will appear after the Converter header in a RST segment returned by the Transport Converter if the error is fatal and prevented the establishment of the connection. If the error is not fatal and the connection could be established with the final destination, then the error TLV will be placed in the SYN/ACK packet.

The following fatal errors are defined in this document: Administratively prohibited (1). This error indicates that the Converter refused to create a connection towards the specific Server Address Destination or Port. The Value field is set to zero. Connection reset by final destination (2). This Error indicates that the final destination responded with a RST packet. The Value field is set to zero. Destination unreachable (3). This Error indicates that an ICMP destination unreachable, port unreachable or network unreachable was received by the Transport Converter. The Value field contains the Code field of the received ICMP message. Invalid Converter message (4). This Error indicates that the Transport Converter received an unknown TLV. The Value field is set to the type of the unknown TLV. If several unknown TLVs were received, only one of them is reported in the error. Resource Exceeded (5). This Error indicates that the Transport Converter does not have enough resources to perform the Client request. The following non-fatal errors are defined in this document: Unsupported TCP Option (128). A TCP Option that the Client requested to advertise to the final Server is not supported by the Transport Converter. The Value field is set to the type of the unsupported TCP Option. If several unsupported TCP Options were specified in the Connect TLV, only one of them is returned in the Value. summarises the different error messages. Error Description 1 Administratively prohibited 2 Connection reset by final destination 3 Destination unreachable 16 Invalid Converter message 32 Resource Exceeded 128 Error TLV

The Bootstrap TLV is sent by a Client to request the TCP Extensions that are supported by a Transport Converter. It is typically sent on the first connection that a Client establishes with a Transport Converter to learn its capabilities. The Transport Converter replies with the Supported TCP Options TLV described in .

The Supported TCP Options TLV is used by a Converter to announce the TCP options that it supports. Each supported TCP Option is encoded with its TCP option Kind listed in the TCP Parameters registry maintained by IANA. TCP option Kinds 0, 1 and 2 defined in are supported by all TCP implementations and thus cannot appear in this list. The list of supported TCP Options is padded with 0 to end on a 32 bits boundary.

This section provides some examples of the utilisation of the Transport Converter. We consider the following network to illustrate the operation of the Converter protocol.

The Converter protocol is designed with the ability to leverage on the utilisation of TCP Fast Open between the Client and the Transport Converter. To be able to place data inside the SYN packet that it sends, the Client first needs to obtain a TFO cookie from the Transport Converter. This is achieved by establishing a TCP connection to the Transport Converter without requesting the establishment of a connection towards a Server. This connection is established immediatley when a new Converter is configured to the client. Note that the Converter may rely on local policies to decide whether it can service a given requesting client. That is, the Convert may not return a cookie for that client. Also, the Converter may behave in a Cookie-less mode when appropriate means are enforced at the converter and the network in-between to protect against atatcks such spoofing and SYN flood. Under such deployments, the use of TFO is not required. To perform the bootstrap operation, the Client sends the following SYN packet : source IP address: @c (one of the client's IP addresses) destination IP address: @t TCP Options : MSS, TFO (2 bytes), NOP, NOP Payload : empty The Converter replies with the following SYN+ACK packet: source IP address: @t destination IP address: @c TCP Options : MSS, TFO (including @tcookie), NOP, NOP Payload : empty At this point, the Client has learned the TFO cookie (@tcookie) that needs to be used fro subsequent exchanges with this Transport Converter. For the examples in this section, we assume TFO cookies that contain 4 bytes of information. Other cookie lengths are possible as per . The Client sends the third Ack to conclude the three-way handshake. It then sends in a Data packet the fixed header and the Bootstrap TLV to query the TCP options that are supported by the Converter. This message spans 8 bytes (4 for the fixed header and 4 for the Bootstrap TLV). The Converter replies with the converter fixed header and a TCP Options TLV that indicates the TCP extensions that it supports. During the bootstrap phase, the client may register on the converter the set of its available IP addresses. Announcing these addresses will help the converter to place incoming multipath connections to the client. The Client needs to recontact the Converter before the expiry of the TFO Cookie to refresh it or obtain a new one. The TFO-cookie supplied by the Converter is inserted in subsequent messages as part of the Converter TLVs. As such, there is no ambiguity with TFO cookie that is supplied by the Client to the remote server; this second cookie is enclosed according to the procedure in .

The MP_CAPABLE Option defined in allows to negotiate the utilisation of Multipath TCP. Consider a Client that uses the Transport Converter to create a connection on port 123 with a Server that supports . For this, the Client sends the following SYN packet : source IP address: @c destination IP address: @t TCP Options : MSS, TFO (@t cookie), MP_CAPABLE(key@c) Payload : Converter Header, Total Length=7 32 bits words Connect : Length=6 Port=123 Address: @s TCP Options: TCPOpt type: 30 (Multipath TCP) TCPOpt Length: 2 (no value) Padding: zero (2 bytes) Upon reception of this packet, the Transport Converter creates a SYN packet and sends it to the destination Server: source IP address: @t destination IP address: @s TCP Options : MSS, MP_CAPABLE(key@ts) Payload : empty The Server replies with the following SYN+ACK: source IP address: @s destination IP address: @t TCP Options : MSS, MP_CAPABLE(key@ts,key@s) Payload : empty The Transport Converter then confirms the establishment of the connection to the Client with the following SYN+ACK: source IP address: @t destination IP address: @c TCP Options : MSS, MP_CAPABLE(key@c,key@tc) Payload: Converter Header, Total Length=8 TCP Extended Header TLV: Length=7 Value: MSS, MP_CAPABLE(key@ts,key@s) Upon reception of this packet, the Client has the confirmation that the Multipath TCP connection has been established through the Transport Converter. By parsing the TCP Extended Header TLV, it detects that Server @s supports Multipath TCP and will thus be able to bypass the Transport Converter for future connections towards this Server. In order to support incoming connections from remote hosts, the client may use PCP to instruct the converter to create dynamic mappings. Those mappings will be used by the converter to intercept an incoming TCP connection destined to the client and convert it into an MPTCP connection.

SYN+ACK, MPC ---------------------> SYN+ACK <--------------------- ACK <------------------- ACK, MPC ]]>

The TCP Fast Open (TFO) option is defined in . In this section, we show how a Client can use TFO with a remote Server through a Transport Converter. We consider two TCP connections to this Server. The Client has already received the cookie of the Transport Converter (@t cookie). For the first connection, the Client sends the following SYN packet: source IP address: @c destination IP address: @t TCP Options : MSS, TFO (@t cookie) Payload : Converter Header, Total Length=8 Connect: Length=7 Port=123 Address: @s TCP Options: TCPOpt type: 34 (TFO) TCPOpt Length: 2 (no value) Padding: zero (2 bytes) The TFO option of the SYN packet contains the cookie chosen by the Transport Converter. The Transport Converter then issues the following SYN packet towards the Server: source IP address: @t destination IP address: @s TCP Options : MSS, TFO (empty), NOP, NOP Payload : empty The Server replies with its own TFO cookie (@s cookie) in the SYN+ACK packet: source IP address: @s destination IP address: @t TCP Options : MSS, TFO (@s cookie) Payload : empty The Converter confirms the establishment of the TCP connection to the Client by sending the following SYN+ACK packet: source IP address: @t destination IP address: @c TCP Options : MSS, NOP, NOP Payload : Converter Header, Total Length=8 TCP Extended Header TLV: Length=7 Value: MSS, TFO (@s cookie) some data The Client can extract the Server cookie from the TCP Extended Header TLV and initiate future connections to this Server as follows (assuming that it prefers to establish it via the Transport Converter instead of contacting directly the final destination). source IP address: @c destination IP address: @t TCP Options : MSS, TFO (@t cookie) Payload : Converter Header, Total Length=4 Connect: Length=8 Port=123 Address: @s TCP Options: TCPOpt type: 34 (TFO) TCPOpt Length: 6 (value is @s cookie) Padding: zero (2 bytes) The Transport Converter then initiates the connection towards the final destination by sending the following SYN packet: source IP address: @t destination IP address: @s TCP Options : MSS, TFO (@s cookie), NOP, NOP Payload : some data The Server verifies the TFO option and accepts the data in the SYN. It replies with the following SYN+ACK packet: source IP address: @s destination IP address: @t TCP Options : MSS, NOP, NOP Payload : more data The Server confirms the establishment of the TCP connection to the Client by sending the following SYN+ACK packet: source IP address: @t destination IP address: @c TCP Options : MSS, NOP, NOP Payload : Converter Header, Total Length=3 Report: Length=2 Value: MSS, NOP, NOP more data The Client has thus been able to use TFO with a remote Server through the Transport Converter.

The Converter protocol was designed to be used in networks that do not contain middleboxes that interfere with TCP. We describe in this section how a Client can detect middlebox interference and stop using the Transport Converter affected by this interference. Internet measurements have shown that middleboxes can affect the deployment of TCP extensions. In this section, we only discuss the middleboxes that modify SYN and SYN+ACK packets since the Converter protocol places its messages in such packets. Let us first consider a middlebox that removes the TFO Option from the SYN packet. This interference will be detected by the Client during the boostrap procedure described in section . A Client should not use a Transport Converter that does not reply with the TFO option during the Bootstrap. Consider a middlebox that removes the SYN payload after the bootstrap procedure. The Client can detect this problem by looking at the acknowledgement number field of the SYN+ACK returned by the Transport Converter. The Client should stop to use this Transport Converter given the middlebox interference. As explained in , some carrier-grade NATs can affect the operation of TFO if they assign different IP addresses to the same endhost. Such carrier-grade NATs could affect the operation of the TFO Option used by the Converter protocol. See also the discussion in section 7.1 of .

Given its function and its location in the network, a Transport Converter has access to the payload of all the packets that it processes. As such, it must be protected as a core IP router. The Converter protocol is intended to be used in managed networks where endhosts can be identified by their IP address. Thanks to the Bootstrap procedure described in section , the Transport Converter can verify that the Client correctly receives packets sent by the Converter. Stronger authentication schemes should be defined to use the Converter protocol in more open network environments. Upon reception of a SYN that contains a valid TFO Cookie and a Connect TLV, the Transport Converter attempts to establish a TCP connection to a remote Server. There is a risk of denial of service attack if a Client requests too many connections in a short period of time. Implementations should limit the number of pending connections from a given Client. Another possible risk are the amplification attacks since a Transport Converter sends a SYN towards a remote Server upon reception of a SYN from a Client. This could lead to amplification attacks if the SYN sent by the Transport Converter were larger than the SYN received from the Client or if the Transport Converter retransmits the SYN. To mitigate such attack,s the Transport Converter should first limit the number of pending requested for a given Client. It should also avoid sending to remote Servers SYNs that are significantly longer than the SYN received from the Client. In practice, Transport Converters should not advertise to a Server TCP Options that were not specified by the Client in the received SYN. Finally, the Transport Converter should only retransmit a SYN to a Server after having received a retransmitted SYN from the corresponding Client.

This document requests the allocation of a reserved service name and port number for the converter protocol at https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml. This documents specifies version 1 of the Converter protocol. Five types of Converter messages are defined: 1: Bootstrap TLV 10: Connect TLV 20: Extended TCP Header TLV 21: Supported TCP Options TLV 30: Error TLV Furthermore, it also defines 6 types of errors. 1: Administratively prohibited 2: Connection reset by final destination 3: Destination unreachable 16: Invalid Converter message 32: Resource Exceeded -128: Error TLV

We have proposed the utilisation of Transport Converters to aid the deployment of TCP extensions such as Multipath TCP. Compared with deployed solutions such as SOCKS proxies, the Transport Converters provide several benefits. First, they do not increase the connection establishment time. Second, they are compatible and benefit from the TCP Fast Open extension. Third, clients benefit from the Transport Converter when the Server does not support the required extension. Furthermore, they can easily detect when the Server supports the required extension and thus bypass the Transport Converter to contact those Servers.

This document builds upon earlier documents that proposed various forms of Multipath TCP proxies , and . We would like to thank Bart Peirens, Raphael Bauduin and Anand Nandugudi for their help in preparing this draft. Although they could disagree with the contents of the document, we would like to thank Joe Touch and Juliusz Chroboczek whose comments on the MPTCP mailing list have forced us to reconsider the design of the solution several times.