Network Working Group | M. Boucadair |
Internet-Draft | C. Jacquenet |
Intended status: Experimental | France Telecom |
Expires: June 10, 2016 | D. Behaghel |
OneAccess | |
S. Secci | |
Universite Pierre et Marie Curie (UPMC) | |
W. Henderickx | |
Alcatel-Lucent | |
R. Skog | |
Ericsson | |
December 8, 2015 |
An MPTCP Option for Network-Assisted MPTCP Deployments: Plain Transport Mode
draft-boucadair-mptcp-plain-mode-06
One of the promising deployment scenarios for Multipath TCP (MPTCP) is to enable a Customer Premises Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of its network attachments. Because of the lack of MPTCP support at the server side, some service providers now consider a network-assisted model that relies upon the activation of a dedicated function called MPTCP Concentrator. This document focuses on a deployment scheme where the identity of the MPTCP Concentrator(s) is explicitly configured on connected hosts.
This document specifies an MPTCP option that is used to avoid an encapsulation scheme between the CPE and the MPTCP Concentrator. Also, this document specifies how UDP traffic can be distributed among available paths without requiring any encapsulation scheme.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 10, 2016.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
One of the promising deployment scenarios for Multipath TCP (MPTCP, [RFC6824]) is to enable a Customer Premises Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of such resources, see for example [I-D.deng-mptcp-proxy] or [RFC4908]. This deployment scenario relies on MPTCP proxies located on both the CPE and network sides (Figure 1). The latter plays the role of traffic concentrator. A concentrator terminates the MPTCP sessions established from a CPE, before redirecting traffic into a legacy TCP session.
IP Network #1 +------------+ _--------_ +------------+ | | (e.g., LTE ) | | | CPE +=======+ +===+ | | (MPTCP | (_ _) |Concentrator| | Proxy) | (_______) | (MPTCP | | | | Proxy) |------> Internet | | | | | | IP Network #2 | | | | _--------_ | | | | ( e.g., DSL ) | | | +=======+ +==+ | | | (_ _) | | +-----+------+ (_______) +------------+ | ----CPE network---- | end-nodes
Figure 1: "Network-Assisted" MPTCP Design
Both implicit and explicit models are considered to steer traffic towards an MPTCP Concentrator. This document focuses on the explicit model that consists in configuring explicitly the reachability information of the MPTCP concentrator on a host (e.g., [I-D.boucadair-mptcp-dhc]).
This specification assumes an MPTCP Concentrator is reachable through one or multiple IP addresses. Also, it assumes the various network attachments provided to an MPTCP-enabled CPE are managed by the same administrative entity. Additional assumptions are listed in Section 3.
This document explains how a plain transport mode, where packets are exchanged between the CPE and the concentrator without requiring the activation of any encapsulation scheme (e.g., IP-in-IP [RFC2473], GRE [RFC1701], SOCKS [RFC1928], etc.), can be enabled.
Also, this document investigates an alternate track where UDP flows can be distributed among available paths without requiring any encapsulation scheme.
The solution in this document does not require the modification of the binding information base (BIB) structure maintained by both the CPE and the Concentrator. Likewise, this approach does not infer any modification of the Network Address Translator (NAT) functions that may reside in both the CPE and the device that embeds the concentrator.
The solution also works properly when NATs are present in the network between the CPE and the Concentrator, unlike solutions that rely upon GRE tunneling. Likewise, the solution accommodates deployments that involve CGN (Carrier Grade NAT) upstream the Concentrator.
This document makes use of the following terms:
The following assumptions are made:
The design option for aggregating various network accesses often relies upon the use of an encapsulation scheme (such as GRE) between the CPE and the Concentrator. The use of encapsulation is motivated by the need to steer traffic through the concentrator and also to allow the distribution of UDP flows among the available paths without requiring any advanced traffic engineering tweaking technique in the network side to intercept traffic and redirect it towards the appropriate concentrator.
This document specifies another approach that relies upon plain transport mode between the CPE and the Concentrator.
The use of a plain transport mode does not require the upgrade of any intermediate function (security, TCP optimizer, etc.) that may be located on-path. Thus, the introduction of MPTCP concentrators in operational networks to operate plain mode does not add any extra complexity as far as the operation of possible intermediate functions is concerned.
The format of the Plain Mode MPTCP option is shown in Figure 2.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------+-------+---------------+ | Kind | Length |SubType|D|U| Flag Bits | +---------------+---------------+-------+-------+---------------+ | Address (IPv4 - 4 octets / IPv6 - 16 octets) | +-------------------------------+-------------------------------+ | Port (2 octets, optional) | +-------------------------------+
Figure 2: Plain Mode MPTCP Option
Plain mode operation is as follows:
A typical flow exchange is shown in Figure 3.
This example assumes no NAT is located between the CPE and the concentrator.
Because the remote server is not MPTCP-aware, the Concentrator is responsible for preserving the same IP address (conc_@, in the example) for the same CPE even if distinct IP addresses (cpe_@1 and cpe_@2, in the example) are used by the CPE to establish subflows with the Concentrator.
+-------+ |DNS | +--------+ |System | +------------+ | CPE | +-------+ |Concentrator| +--------+ | +------------+ | | | DNS | | | -------->| DNS Query | | Query |------------------------->| | | DNS Reply | | |<-------------------------| | | | | | src=s_@|src=cpe_@1 dst=conc_@1|src=conc_@ -------->|--------Plain Mode MPTCP Option(d_@)--------->|--------> dst=d_@| |dst=d_@ .... | | src=d_@|dst=cpe_@1 src=conc_@1|src=d_@ <--------|<-------Plain Mode MPTCP Option(d_@)----------|<------- dst=s_@| |dst=conc_@ .... src=s_@|src=cpe_@2 dst=conc_@1|src=conc_@ -------->|--------Plain Mode MPTCP Option(d_@)--------->|--------> dst=d_@| |dst=d_@ .... Legend: * "--Plain Mode MPTCP Option()->" indicates the packet is sent in a plain mode, i.e., without any encapsulation hander, and that "Plain Mode MPTCP Option" is carried in the packet.
Figure 3: Flow Example (No NAT between the CPE and the Concentrator)
From an application standpoint, there may be a value to distribute UDP datagrams among available network attachments for the sake of network resource optimisation, for example.
Unlike existing proposals that rely upon encapsulation schemes such as IP-in-IP or GRE, this document suggests the use of MPTCP features to control how UDP datagrams are distributed among existing network attachments. UDP datagrams are therefore transformed into TCP-formatted packets.
The CPE and the Concentrator establish a set of MPTCP subflows. These subflows are used to transport UDP datagrams that are distributed among existent subflows. TCP session tracking may not be enabled for the set of subflows that are dedicated to transport UDP traffic. The establishment of these subflows is not conditioned by the receipt of UDP packets; instead, these subflows are initiated upon CPE reboot or when network conditions change (e.g., whenever a new Concentrator is discovered or a new IP address is assigned to the Concentrator). Additional MPTCP connections may be established to anticipate UDP traffic to be distributed among several paths. The maximum number of MPTCP connections that can be dedicated to UDP traffic may be configured locally to the CPE and the Concentrator. How this parameter is configured is implementation and deployment-specific.
When the CPE (or the Concentrator) transforms a UDP packet into a TCP one, it must insert the Plain Mode MPTCP Option with the U-bit set. When setting the source IP address, the destination IP address, and the IP address enclosed in the Plain Mode MPTCP Option, the same considerations specified in Section 4.3 must be followed.
In addition, the CPE (or the Concentrator) must replace the UDP header with a TCP header. Upon receipt of the packet with the U-bit set, the Concentrator (or the CPE) transforms the packet into a UDP packet and follows the same considerations specified in Section 4.3. Both the CPE and the Concentrator may be configured to disable some features (e.g., reordering). Enabling these features is deployment and implementation-specific.
Relaying UDP packets is not conditioned by TCP session establishment because the required subflows that are dedicated to transport UDP traffic are already in place (either at the CPE or the Concentrator).
A flow example is shown in Figure 4.
+--------+ +------------+ | CPE | |Concentrator| +--------+ +------------+ | /------------------------------------------\ | || Dedicated MPTCP SubFlows for UDP || | \------------------------------------------/ | | | src=s_@|src=cpe_@1 dst=conc_@1|src=conc_@ ---UDP-->|---------------------TCP--------------------->|---UDP--> dst=d_@| Plain Mode MPTCP Option(U,d_@) |dst=d_@ .... src=s_@|src=cpe_@2 dst=conc_@2|src=conc_@ ---UDP-->|---------------------TCP--------------------->|---UDP--> dst=d_@| Plain Mode MPTCP Option(U,d_@) |dst=d_@ | | .... src=s_@|src=cpe_@1 dst=conc_@1|src=conc_@ ---UDP-->|---------------------TCP--------------------->|---UDP--> dst=d1_@| Plain Mode MPTCP Option(U,d_@) |dst=d1_@ | | src=s_@|src=cpe_@1 dst=conc_@2|src=conc_@ ---UDP-->|---------------------TCP--------------------->|---UDP--> dst=d1_@| Plain Mode MPTCP Option(U,d_@) |dst=d1_@ | |
Figure 4: Distributing UDP packets over multiple paths
This document requests an MPTCP subtype code for this option:
The concentrator may have access to privacy-related information (e.g., IMSI, link identifier, subscriber credentials, etc.). The concentrator must not leak such sensitive information outside a local domain.
Means to protect the MPTCP concentrator against Denial-of-Service (DoS) attacks must be enabled. Such means include the enforcement of ingress filtering policies at the boundaries of the network. In order to prevent exhausting the resources of the concentrator by creating an aggressive number of simultaneous subflows for each MPTCP connection, the administrator should limit the number of allowed subflows per host for a given connection.
Attacks outside the domain can be prevented if ingress filtering is enforced. Nevertheless, attacks from within the network between a host and a concentrator instance are yet another actual threat. Means to ensure that illegitimate nodes cannot connect to a network should be implemented.
Traffic theft is also a risk if an illegitimate concentrator is inserted in the path. Indeed, inserting an illegitimate concentrator in the forwarding path allows to intercept traffic and can therefore provide access to sensitive data issued by or destined to a host. To mitigate this threat, secure means to discover a concentrator (for non-transparent modes) should be enabled.
Many thanks to Chi Dung Phung, Mingui Zhang, and Christoph Paasch for the comments.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC6824] | Ford, A., Raiciu, C., Handley, M. and O. Bonaventure, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013. |