Network Working Group | M. Boucadair |
Internet-Draft | C. Jacquenet |
Intended status: Experimental | France Telecom |
Expires: March 24, 2016 | September 21, 2015 |
An MPTCP Option for Network-Assisted MPTCP Deployments: Plain Transport Mode
draft-boucadair-mptcp-plain-mode-00
One of the promising deployment scenarios for Multipath TCP (MPTCP) is to enable a Customer Premises Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of its network attachments. Because of the lack of MPTCP support at the server side, some service providers now consider a “network-assisted mode” that relies upon the activation of a dedicated function called MPTCP Concentrator. This document focuses on a deployment scheme where the identity of the MPTCP Concentrator(s) is explicitly configured on connected hosts.
This document specifies an MPTCP option that is used to get rid of an encapsulation scheme between the CPE and the MPTCP Concentrator.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 24, 2016.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
One of the promising deployment scenarios for Multipath TCP (MPTCP, [RFC6824]) is to enable a Customer Premises Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of such resources, see for example [I-D.deng-mptcp-proxy] or [RFC4908]. This deployment scenario relies on MPTCP proxies located on both the CPE and network sides (Figure 1). The latter plays the role of traffic concentrator. A concentrator terminates the MPTCP sessions established from a CPE, before redirecting traffic into a legacy TCP session.
IP Network #1 +------------+ _--------_ +------------+ | | (e.g., LTE ) | | | CPE +=======+ +===+ | | (MPTCP | (_ _) |Concentrator| | Proxy) | (_______) | (MPTCP | | | | Proxy) |------> Internet | | | | | | IP Network #2 | | | | _--------_ | | | | ( e.g., DSL ) | | | +=======+ +==+ | | | (_ _) | | +-----+------+ (_______) +------------+ | ----CPE network---- | end-nodes
Figure 1: "Network-Assisted" MPTCP Design
Both implicit and explicit modes are considered to steer traffic towards an MPTCP Concentrator. This document focuses on the explicit mode that consists in configuring explicitly the reachability information of the MPTCP concentrator on a host (e.g., [I-D.boucadair-mptcp-dhc]).
This specification assumes an MPTCP Concentrator is reachable through one or multiple IP addresses. Also, it assumes the various network attachments provided to an MPTCP-enabled CPE are managed by the same administrative entity. Additional assumptions are listed in Section 2.
This document explains how a plain transport mode, where packets are exchanged between the CPE and the concentrator without requiring the activation of any encapsulation scheme (e.g., IP-in-IPn, GRE, etc.), can be enabled. Also, this document investigates an alternate track where UDP flows can be distributed among available paths without requiring any encapsulation scheme.
The proposed solution does not require changing the structure of the binding information base maintained by both the CPE and the Concentrator. Likewise, the proposed approach does not infer any modification of the Network Address Translator (NAT) functions that may reside in both the CPE and the device that embeds the concentrator. It also works properly when NATs are present in the network between the CPE and the Concentrator, unlike solutions that rely upon GRE tunneling.
The applicability of the proposed solution to applications such as RTP is out of scope. These applications may rely on specific solutions such as [I-D.ietf-avtcore-mprtp].
The following assumptions are made:
The design option for aggregating various network accesses often relies upon the use of an encapsulation scheme (such as GRE) between the CPE and the Concentrator. The use of encapsulation is motivated by the need to steer traffic through the concentrator and also to allow the distribution of UDP flows among the available paths without requiring any advanced traffic engineering tweaking technique in the network side to intercept traffic and redirect it towards the appropriate concentrator.
This document specifies another, presumably more efficient, approach that relies upon plain transport modes between the CPE and the concentrator. The proposed approach is characterized as follows:
A typical flow exchange is shown in Figure 2.
+-------+ |DNS | +--------+ |System | +------------+ | CPE | +-------+ |Concentrator| +--------+ | +------------+ | | | DNS | | | -------->| DNS Query | | Query |------------------------->| | | DNS Reply | | |<-------------------------| | | | | | src=s_@|src=cpe_@1 dst=conc_@1|src=s_@ -------->|--------Plain Mode MPTCP Option(d_@)--------->|--------> dst=d_@| |dst=d_@ .... | | src=d_@|dst=cpe_@1 src=conc_@1|src=d_@ <--------|<-------Plain Mode MPTCP Option(d_@)----------|<------- dst=s_@| |dst=s_@
Figure 2: Flow Example
The format of the Plain Mode MPTCP Option is shown in Section 4.
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------+-------+---------------+ | Kind | Length |SubType|D|U| Flag Bits | +---------------+---------------+-------+-------+---------------+ | Address (IPv4 - 4 octets / IPv6 - 16 octets) | +-------------------------------+-------------------------------+ | Port (2 octets, optional) | +-------------------------------+
Figure 3: Plain Mode MPTCP Option
From an application standpoint, there may be a value to distribute UDP datagrams among available network attachments for the sake of network resource optimisation, for example.
Unlike existing proposals that rely upon encapsulation schemes such as IP-in-IP or GRE, this document suggests the use of MPTCP features to control how UDP datagrams are distributed among existing network attachments. The data included in UDP datagrams are transported in MPTCP packets as shown in Figure 4.
+--------+ +------------+ | CPE | |Concentrator| +--------+ +------------+ | /-------------------------------------------\ | || Dedicated MPTCP SubFlows for UDP || | \-------------------------------------------/ | | | src=s_@|src=cpe_@1 dst=conc_@1|src=s_@ ---UDP-->|--------Plain Mode MPTCP Option(U,d_@)------->|---UDP--> dst=d_@| |dst=d_@ .... src=s_@|src=cpe_@2 dst=conc_@2|src=s_@ ---UDP-->|--------Plain Mode MPTCP Option(U,d_@)------->|---UDP--> dst=d_@| |dst=d_@ | | .... src=s_@|src=cpe_@1 dst=conc_@1|src=s_@ ---UDP-->|--------Plain Mode MPTCP Option(U,d1_@)------>|---UDP--> dst=d1_@| |dst=d1_@ | | src=s_@|src=cpe_@1 dst=conc_@2|src=s_@ ---UDP-->|--------Plain Mode MPTCP Option(U,d1_@)------>|---UDP--> dst=d1_@| |dst=d1_@
Figure 4: UDP over TCP: Flow Example
The CPE and the Concentrator MUST establish a set of subflows that are maintained alive. These subflows are used to transport UDP datagrams that are distributed among existent subflows. TCP session tracking is not enabled for the set of subflows that are dedicated to transport UDP traffic. The establishment of these subflows is not conditioned by the receipt of UDP packets; instead, these subflows are initiated upon CPE reboot or when network conditions change (e.g;, whenever a new Concentrator is discovered or a new IP address is assigned to the Concentrator).
When the CPE (or the Concentrator) transforms a UDP packet into a TCP one, it MUST insert the Plain Mode MPTCP Option with the U-bit set. When setting the source IP address, the destination IP address, and the IP address enclosed in the Plain Mode MPTCP Option, the same considerations specified in Section 3 MUST be followed.
In addition, the CPE (or the Concentrator) MUST replace the UDP header with a TCP header. Upon receipt of the packet with the U-bit set, the Concentrator (or the CPE) transforms the packet into a UDP packet and follows the same considerations specified in Section 3.
Relaying UDP packets is not conditioned by TCP session establishment because the required subflows that are dedicated to transport UDP traffic are already in place (either at the CPE or the Concentrator).
This document requests an MPTCP subtype code for this option:
The concentrator may have access to privacy-related information (e.g., IMSI, link identifier, subscriber credentials, etc.). The concentrator must not leak such sensitive information outside a local domain.
Means to protect the MPTCP concentrator against Denial-of-Service (DoS) attacks must be enabled. Such means include the enforcement of ingress filtering policies at the boundaries of the network. In order to prevent exhausting the resources of the concentrator by creating an aggressive number of simultaneous subflows for each MPTCP connection, the administrator should limit the number of allowed subflows per host for a given connection.
Attacks outside the domain can be prevented if ingress filtering is enforced. Nevertheless, attacks from within the network between a host and a concentrator instance are yet another actual threat. Means to ensure that illegitimate nodes cannot connect to a network should be implemented.
Traffic theft is also a risk if an illegitimate concentrator is inserted in the path. Indeed, inserting an illegitimate concentrator in the forwarding path allows to intercept traffic and can therefore provide access to sensitive data issued by or destined to a host. To mitigate this threat, secure means to discover a concentrator (for non-transparent modes) should be enabled.
TBC.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC6824] | Ford, A., Raiciu, C., Handley, M. and O. Bonaventure, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013. |