]> UCLouvain

maxime.piraux@uclouvain.be

University of Namur

florentin.rochet@unamur.be

UCLouvain

olivier.bonaventure@uclouvain.be

Transport Area Internet-Draft This document specifies a protocol leveraging TCP and TLS to provide modern transport services such as multiplexing, connection migration and multipath in a secure manner. Discussion Venues Source for this draft and an issue tracker can be found at .

Introduction The TCP/IP protocol stack continuously evolves. In the early days, most applications were interacting with the transport layer (mainly TCP, but also UDP) using the socket API. This is illustrated in .

The classical TCP/IP protocol stack

The TCP/IP stack has slowly evolved and the figure above does not anymore describe current Internet applications. IPv6 is now widely deployed next to IPv4 in the network layer. In the transport layer, protocols such as SCTP or DCCP and TCP extensions including Multipath TCP or tcpcrypt have been specified. The security aspects of the TCP/IP protocol suite are much more important today than in the past . Many applications rely on TLS and their stack is similar to the one shown in .

Today's TCP/IP protocol stack

Recently, the IETF went one step further in improving the transport layer with the QUIC protocol . QUIC is a new secure transport protocol primarily designed for HTTP/3. It includes the reliability and congestion control features that are part of TCP and integrates the security features of TLS 1.3 . This close integration between the reliability and security features brings a lot of benefits in QUIC. QUIC runs above UDP to be able to pass through most middleboxes and to be implementable in user space. While QUIC reuses TLS, it does not strictly layer TLS on top of UDP as DTLS . This organization, illustrated in provides much more flexibility than simply layering TLS above UDP. For example, the QUIC migration capabilities enable an application to migrate an existing QUIC session from an IPv4 path to an IPv6 one.

QUIC protocol stack

In this document, we revisit how TCP and TLS 1.3 can be used to provide modern transport services to applications. We apply a similar principle and combine TCP and TLS 1.3 in a protocol that we call TCPLS. TCPLS leverages the security features of TLS 1.3 like QUIC, but without begin simply layered above a single TCP connection. In addition, TCPLS reuses the existing TCP stacks and TCP's wider support in current networks. A preliminary version of the TCPLS protocol is described in .

TCPLS in the TCP/IP protocol stack

In this document, we use the term TLS/TCP to refer to the TLS 1.3 protocol running over one TCP connection. We reserve the word TCPLS for the protocol proposed in this document. This document is organized as follows. First, summarizes the different types of services that modern transports expose to application. gives an overview of TCPLS and how it supports these services. Finally, describes the TCPLS in more details and the TLS Extensions introduced in this document.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Notational conventions This document uses the same conventions as defined in Section 1.3 of . This document uses network byte order (that is, big endian) values. Fields are placed starting from the high-order bits of each byte.

Modern Transport Services Application requirements and the devices they run on evolve over time. In the early days, most applications involved single-file transfer and ran on single-homed computers with a fixed-line network. Today, web-based applications require exchanging multiple objects, with different priorities, on devices that can move from one access network to another and that often have multiple access networks available. Security is also a key requirement of applications that evolved from only guaranteeing the confidentiality and integrity of application messages to also preventing pervasive monitoring. With TCP and TLS/TCP, applications use a single connection that supports a single bytestream in each direction. Some TCP applications such as HTTP/2 use multiple streams, but these are mapped to a single TCP connection which leads to Head-of-Line (HoL) blocking when packet losses occur. SCTP supports multiple truly-concurrent streams and QUIC adopted a similar approach to prevent HoL blocking. Modern transport services also changed the utilization of the underlying network. With TCP, when a host creates a connection, it is bound to the IP addresses used by the client and the server during the handshake. When the client moves and receives a different IP address, it has to reestablish all TCP connections bound to the previous address. When the client and the server are dual-stack, they cannot easily switch from one address family to another. Happy Eyeballs provides a partial answer to this problem for web applications with heuristics that clients can use to probe TCP connections with different address families. With Multipath TCP, the client and the server can learn other addresses of the remote host and combine several TCP connections within a single Multipath TCP connection that is exposed to the application. This supports various use cases . QUIC enables applications to migrate from one network path to another, but not to simultaneously use different paths.

TCPLS Overview In order for TCPLS to be widely compatible with middleboxes that inspect TCP segments and TLS records, TCPLS does not modify the TCP connection establishment and only adds a TLS extension to the TLS handshake. illustrates the opening of a TCPLS session which starts with the TCP 3-way handshake, followed by the TLS handshake. In the Extensions of the ClientHello and in the server EncryptedExtensions, the tcpls TLS Extension is introduced to announce the support of TCPLS.

Starting a TCPLS session | | SYN+ACK | |<------------------------------------------| | ACK, TLS ClientHello + tcpls | |------------------------------------------>| | TLS ServerHello, TLS EncryptedExtensions | | + tcpls, ... | |<------------------------------------------| | TLS Finished | |------------------------------------------>| | | ]]>

TCP/TLS offers a single encrypted bytestream service to the application. To achieve this, TLS records are used to encrypt and secure chunks of the application bytestream and are then sent through the TCP bytestream. TCPLS leverages TLS records differently. TCPLS defines its own framing that allows encoding application data and control information. A TCPLS frame is the basic unit of information for TCPLS. A TCPLS frame always fits in a single record. One or more TCPLS frames can be encoded in a TLS record. This TLS record is then reliably transported by a TCP connection. illustrates the relationship between TCPLS frames and TLS records.

The first TLS record contains two TCPLS frames <-----------> <------------> / / / / | / | / | / | / | / | / +----------------+ +-----------------+ | TLS record n | | TLS record n+1 | .... +----------------+ +-----------------+ ]]>

Multiple Streams TCPLS extends the service provided by TCP with streams. Streams are independent bidirectional bytestreams that can be used by applications to concurrently convey several objects over a TCPLS session. Streams can be opened by the client and by the server. Streams are identified by a 32-bit unsigned integer. The parity of this number indicates the initiator of the stream. The client opens even-numbered streams while the server opens odd-numbered streams. Streams are opened in sequence, e.g. a client that has opened stream 0 will use stream 2 as the next one. Data is exchanged using Stream frames whose format is described in . Each Stream frame carries a chunk of data of a given stream. Applications can mark the end of a stream to close it. TCPLS enables the receiver to decrypt and process TLS records in zero copy similarly to TLS 1.3 under circumstances discussed in . Similarly to HTTP/2 , conveying several streams on a single TCP connection introduces Head-of-Line (HoL) blocking between the streams. To alleviate this, TCPLS provides means to the application to choose the degree of HoL blocking resilience it needs for its application objects by spreading streams among different underlying TCP connections.

Multiple TCP connections TCPLS is not restricted to using a single TCP connection to exchange frames. A TCPLS session starts with the TCP connection that was used to transport the TLS handshake. After this handshake, other TCP connections can be added to a TCPLS session, either to spread the load or for failover. TCPLS manages the utilization of the underlying TCP connections within a TCPLS session. Multipath TCP enables both the client and the server to establish additional TCP connections. However, experience has shown that additional subflows are only established by the clients. TCPLS focuses on this deployment and only allows clients to create additional TCP connections. Using Multipath TCP, a client can try establishing a new TCP connection at any time. If a server wishes to restrict the number of TCP connections that correspond to one Multipath TCP connection, it has to respond with RST to the in excess connection attempts. TCPLS takes another approach. To control the number of connections that a client can establish, a TCPLS server supplies unique tokens. A client includes one of the server supplied tokens when it attaches a new TCP connection to a TCPLS session. Each token can only be used once, hence limiting the amount of additional TCP connections. TCPLS endpoints can advertise their local addresses, allowing new TCP connections for a given TCPLS session to be established between new pairs of addresses. When an endpoint is no more willing new TCP connections to use one of its advertised addresses, it can remove this address from the TCPLS session.

Joining TCP connections The TCPLS server provides tokens to the client in order to join new TCP connections to the TCPLS session. illustrates a client and server first establishing a new TCPLS session as described in . Then the server sends a token over this connection using the New Token frame. Each token has a sequence number (e.g. 1) and a value (e.g. "abc"). The client uses this token to open a new TCP connection and initiates the TCPLS handshake. It adds the token inside the TCPLS Join TLS extension in the ClientHello.

Joining a new TCP connection .----------------------------------. | <-2.New Token(1,abc) | v v +--------+ +--------+ | Client | | Server | +--------+ +--------+ ^ ^ | 3.TCPLS Hsh. + tcpls_join(abc)-> | Legend: .----------------------------------. --- TCP connection ]]>

When receiving a TCPLS Join Extension, the server validates the token and associates the TCP connection to the TCPLS session. Each TCP connection that is part of a TCPLS session is identified by a 32-bit unsigned integer called its Connection ID. The first TCP connection of a session corresponds to Connection ID 0. When joining a new connection, the sequence number of the token, i.e. 1 in our example, becomes the Connection ID of the connection. The Connection ID enables the Client and the Server to identify a specific TCP connection within a given TCPLS session.

Robust session establishment The TCPLS protocol also supports robust session establishment, where a multihomed or dual-stack client can establish a TCPLS session when at least one network path to the server can be established. This guarantees robustness against network failures and lowers the overall latency of a session establishment. illustrates a dual-homed client that robustly establish a TCPLS session over two local addresses. In this example, the path from IP b towards the server exhibits a higher delay.

Robust session establishment example | /--------------| | SYN+ACK |<-------------/ | |<-----------------------------| SYN+ACK | | ACK, TLS CH + tcpls |--------------\ | |----------------------------->| \------------->| | TLS SH, EE + tcpls, | ACK | | tcpls_token(abc), ... |<-----------------------------| |<-----------------------------|TLS CH + tcpls,tcpls_join(abc)| | TLS Finished |<-----------------------------| |----------------------------->| | | TCPLS session established and 2nd connection can be joined. | ... ]]>

The client starts by opening a TCP connection on from each of its local addresses. The TCP connection from IP "a" towards the server completes faster than the other. The client then starts a TCPLS Handshake on this connection. When the other connection is established, the client waits for receiving a TCPLS token allowing to join it to the session being established. In addition to the New Token frame, the TCPLS protocol enables the server to provide one such token during the handshake using the TCPLS Token TLS extension. The server uses this extension when sending its EncryptedExtensions over the faster connection to provide the TCPLS token "abc". As soon as the client has received this token, it uses it over the other connection to join it to the session. When the TLS handshake completes over the fastest connection, the TCPLS session is established and the other connection can be joined to the session.

Failover TCPLS supports two types of failover. In make-before-break, the client creates a TCP connection using the procedure described in but only uses it once the initial connection fails. In break-before-make, the client creates the initial TCP connection and uses it for the TCPLS handshake and the data. The server advertises one or more tokens over this connection. Upon failure of the initial TCP connection, the client initiates a second TCP connection using the server-provided token. In both cases, some records sent by the client or the server might be in transit when the failure occurs. Some of these records could have been partially received but not yet delivered to the TCPLS layer when the underlying TCP connection fails. Other records could have already been received, decrypted and data of their frames could have been delivered to the application. To prevent data losses and duplication, TCPLS includes its own acknowledgments. A TCPLS receiver acknowledges the received records using the ACK frame. Records are acknowledged after the record protection has been successfully removed. This enables the sender to know which records have been received. TCPLS enables the endpoint to send acknowledgments for a TCP connection over any connections, e.g. not only the receiving connection.

Migration To migrate from a given TCP connection, an endpoint stops transmitting over this TCP connection and sends the following frames on other TCP connections. It leverages the acknowledgments to retransmit the frames of TLS records that have not been yet acknowledged. When an endpoint abortfully closes a TCP connection, its peer leverages the acknowlegments to retransmit the TLS records that were not acknowlegded.

Multipath TCPLS also supports the utilization of different TCP connections, over different paths or interfaces, to improve throughput or spread stream frames over different TCP connections. When the endpoints have opened several TCP connections, they can send frames over the connections. TCPLS can send all the stream frames belonging to a given stream over one or more underlying TCP connections. The latter enables bandwidth aggregation by using TCP connections established over different network paths.

Record protection When adding new TCP connections to a TCPLS session, an endpoint does not complete the TLS handshake. TCPLS provides a nonce construction for TLS record protection that is used for all connections of a session. This reduces the cryptographic cost of adding connections. The endpoints SHOULD send TLS messages to form an apparent complete TLS handshake to middleboxes. In order to use the TLS session over multiple connections, TCPLS adds a record sequence number space per connection that is maintained independently at both sides. Each record sent over a TCPLS session is identified by the Connection ID of its connection and its record sequence number. Each record nonce is constructed as defined in .

TCPLS TLS record nonce construction

This construction guarantees that every TLS record sent over the TLS session is protected with a unique nonce. As in TLS 1.3, the per-connection record sequence is implicit.

Closing a TCPLS session Endpoints notify their peers that they do not intend to send more data over a given TCPLS session by sending a TLS Alert "close_notify". The alert can be sent over one or more TCP connections of the session. The alert MUST be sent before closing the last TCP connection of the TCPLS session. The endpoint MAY close its side of the TCP connections after sending the alert. When all TCP connections of a session are closed and the TLS Alert "close_notify" was exchanged in both directions, the TCPLS session is considered as closed. We leave defining an abortful and idle session closure mechanisms for future versions of this document.

Zero-Copy Receive Path TCPLS enables the receiver to process TLS records in a zero-copy manner under several conditions. When they are met, the application data carried in TCPLS frames can be decrypted at the right place in the application buffers. First, zero-copy can be achieved when Stream frames of a given stream arrive in order. When using several TCP connections, out-of-order Stream frames cannot be processed in zero copy. A Multipath scheduling algorithm may target the minimization of out-of-order packets. Second, the composition of TCPLS frames in a TLS record is impactful. The sender SHOULD encode a single Stream Data frame as the first frame of the record, followed by control-related frames if needed. When the sender encodes several Stream frames, the frame at the start of the record SHOULD be the largest, in order to maximise the use of zero copy. When several Stream frames are included in a record, they SHOULD belong to different streams.

TCPLS Protocol

TCPLS TLS Extensions This document specifies three TLS extensions used by TCPLS. The first, "tcpls", is used to announce the support of TCPLS. The second, "tcpls_join", is used to join a TCP connection to a TCPLS session. The third, "tcpls_token", is used to provide a token to the client before the handshake completes. Their types are defined as follows. The table below indicates the TLS messages where these extensions can appear. "CH" indicates ClientHello while "EE" indicates EncryptedExtensions. TLS messages allowed to carry TCPLS TLS Extensions

Extension	Allowed TLS messages
tcpls	CH, EE
tcpls_join	CH
tcpls_token	EE

TCPLS The "tcpls" extension is used by the client and the server to announce their support of TCPLS. The extension contains no value. When it is present in both the ClientHello and the EncryptedExtensions, the endpoints MUST use TCPLS after completing the TLS handshake.

TCPLS Join ; } TCPLSJoin; ]]> The "tcpls_join" extension is used by the client to join the TCP connection on which it is sent to a TCPLS session. The extension contains a token provided by the server. The client MUST NOT send more than one "tcpls_join" extension in its ClientHello. When receiving a ClientHello with this extension, the server checks that the token is valid and joins the TCP connection to the corresponding TCPLS session. When the token is not valid, the server MUST abort the handshake with an illegal_parameter alert.

TCPLS Token ; } TCPLSToken; ]]> The "tcpls_token" extension is used by the server to provide a token to the client during the TLS handshake. When receiving this extension, the client associates the token value as the first token of the TCPLS session, i.e. with a sequence number of 1. The server MUST NOT send this extension when the corresponding ClientHello contains a "tcpls_join" extension.

TCPLS Frames TCPLS uses TLS Application Data records to exchange TCPLS frames. After decryption, the record payload consists of a sequence of TCPLS frames. illustrates the manner in which TCPLS frames are parsed from a decrypted TLS record. The receiver processes the frames starting from the last one to the first one. The fields of each frames are also parsed from the end towards the beginning of the TLS Application Data content. The parsing of a frame starts with the last byte indicating the frame type and then with type-specific fields preceeding it, forming a Type-Value unit. Such ordering enables a zero-copy processing of the type-specific fields as explained in .

Parsing TCPLS frames inside a TLS record starts from the end.

lists the frames specified in this document. TCPLS frames

Type value	Frame name	Rules	Definition
0x00	Padding	N
0x01	Ping
0x02-0x03	Stream
0x04	ACK	N
0x05	New Token	S
0x06	Connection Reset
0x07	New Address
0x08	Remove Address
0x09	Stream Change	Cs

The "Rules" column in indicates special requirements regarding certain frames.

N:

Non-ack-eliciting. Receiving this frame does not elicit the sending of a TCPLS acknowledgment.

S:

Server only. This frame MUST NOT be sent by the client.

Cs:

Connection-specific semantics. This frame is not idempotent and has specific semantics based on the TCP connection over which it is exchanged.

Padding frame This frame has no semantic value. It can be used to mitigate traffic analysis on the TLS records of a TCPLS session. The Padding frame has no content.

Padding frame format

Ping frame This frame is used to elicit an acknowledgment from its peer. It has no content. When an endpoint receives a Ping frame, it acknowledges the TLS record that contains this frame. This frame can be used by an endpoint to check that its peer can receive TLS records over a particular TCP connection.

Ping frame format

Stream frame This frame is used to carry chunks of data of a given stream.

Stream frame format

FIN:

The last bit of the frame type bit indicates that this Stream frame ends the stream when its value is 1. The last byte of the stream is at the sum of the Offset and Length fields of this frame.

Stream ID:

A 32-bit unsigned integer indicating the ID of the stream this frame relates to.

Offset:

A 64-bit unsigned integer indicating the offset in bytes of the carried data in the stream.

Length:

A 16-bit unsigned integer indicating the length of the Stream Data field.

ACK frame This frame is sent by the receiver to acknowledge the receipt of TLS records on a particular TCP connection of the TCPLS session. Although the reliability of the data exchange on a connection is handled by TCP, there are situations such as the failure of a TCP connection where a sender does not know whether the TLS frames that it sent have been correctly received by the peer. The ACK frame allows a TCPLS receiver to indicate the highest TLS record sequence number received on a specific connection. The ACK frame can be sent over any TCP connection of a TCPLS session.

ACK frame format

Connection ID:

A 32-bit unsigned integer indicating the TCP connection for which the acknowledgment was sent.

Highest Record Sequence Received:

A 64-bit unsigned integer indicating the highest TLS record sequence number received on the connection indicated by the Connection ID.

New Token frame This frame is used by the server to provide tokens to the client. Each token can be used to join a new TCP connection to the TCPLS session, as described in . Clients MUST NOT send New Token frames.

New Token frame format

Sequence:

A 8-bit unsigned integer indicating the sequence number of this token

Token:

A 32-byte opaque value that can be used as a token by the client.

By controlling the amount of tokens given to the client, the server can control the number of active TCP connections of a TCPLS session. The server SHOULD replenish the tokens when TCP connections are removed from the TCPLS session.

Connection Reset frame This frame is used by the receiver to inform the sender that a TCP connection has been reset.

Connection Reset format

Connection ID:

A 32-bit unsigned integer indicating the ID of the connection that failed.

New Address frame This frame is used by an endpoint to add a new local address to the TCPLS session. This address can then be used to establish new TCP connections. The server advertises addresses that the client can use as destination when adding TCP connections. The client advertises address that it can use as source when adding TCP connections.

New Address format

Address ID:

A 8-bit identifier for this address. For a given Address ID, an endpoint receiving a frame with a content that differs from previously received frames MUST ignore the frame. An endpoint receiving a frame for an Address ID that was previously removed MUST ignore the frame.

Address Version:

A 8-bit value identifying the Internet address version of this address. The number 4 indicates IPv4 while 6 indicates IPv6.

Address:

The address value. Its size depends on its version. IPv4 addresses are 32-bit long while IPv6 addresses are 128-bit long.

Port:

A 16-bit value indicating the TCP port used with this address.

Remove Address frame This frame is used by an endpoint to announce that it is not willing to use a given address to establish new TCP connections. After receiving this frame, a client MUST NOT establish new TCP connections to the given address. After receiving this frame, an endpoint MUST close all TCP connections using the given address.

Remove Address format

Address ID:

A 8-bit identifier for the address to remove. An endpoint receiving a frame for an address that was nonexistent or already removed MUST ignore the frame.

Stream Change frame This frame is used by a sender to announce the Stream ID and Offset of the next record over a given TCP connection. It can be used to make explicit a change in stream scheduling over a connection to the receiver, enabling a zero-copy receive path as explained in . The hint contained in this frame relates to the connection over which it was exchanged.

Stream Change format

Next Record Stream ID:

A 32-bit unsigned integer indicating the Stream ID of the Stream frame in the next record .

Next Offset:

A 64-bit unsigned integer indicating the Offset of the Stream frame in the next record.

Security Considerations When issuing tokens to the client as presented in , the server SHOULD ensure that their values appear as random to observers and cannot be correlated together for a given TCPLS session. The security considerations for TLS apply to TCPLS. The next versions of this document will elaborate on other security considerations following the guidelines of .

IANA Considerations IANA is requested to create a new "TCPLS" heading for the new registry described in . New registrations in TCPLS registries follow the "Specification Required" policy of .

TCPLS TLS Extensions IANA is requested to add the following entries to the existing "TLS ExtensionType Values" registry.

Value	Extension Name	TLS 1.3	Recommended	Reference
TBD1	tcpls	CH, EE	N	This document
TBD2	tcpls_join	CH	N	This document
TBD3	tcpls_token	EE	N	This document

Note that "Recommended" is set to N as these extensions are intended for uses as described in this document.

TCPLS Frames IANA is requested to create a new registry "TCPLS Frames Types" under the "TCPLS" heading. The registry governs an 8-bit space. Entries in this registry must include a "Frame name" field containing a short mnemonic for the frame type. The initial content of the registry is present in , without the "Rules" column.

References Normative References This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document obsoletes RFC 2960 and RFC 3309. It describes the Stream Control Transmission Protocol (SCTP). SCTP is designed to transport Public Switched Telephone Network (PSTN) signaling messages over IP networks, but is capable of broader applications. SCTP is a reliable transport protocol operating on top of a connectionless packet network such as IP. It offers the following services to its users: -- acknowledged error-free non-duplicated transfer of user data, -- data fragmentation to conform to discovered path MTU size, -- sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages, -- optional bundling of multiple user messages into a single SCTP packet, and -- network-level fault tolerance through supporting of multi-homing at either or both ends of an association. The design of SCTP includes appropriate congestion avoidance behavior and resistance to flooding and masquerade attacks. [STANDARDS-TRACK] This document defines the procedures that the Internet Assigned Numbers Authority (IANA) uses when handling assignment and other requests related to the Service Name and Transport Protocol Port Number registry. It also discusses the rationale and principles behind these procedures and how they facilitate the long-term sustainability of the registry. This document updates IANA's procedures by obsoleting the previous UDP and TCP port assignment procedures defined in Sections 8 and 9.1 of the IANA Allocation Guidelines, and it updates the IANA service name and port assignment procedures for UDP-Lite, the Datagram Congestion Control Protocol (DCCP), and the Stream Control Transmission Protocol (SCTP). It also updates the DNS SRV specification to clarify what a service name is and how it is registered. This memo documents an Internet Best Current Practice. Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible. This document discusses both use cases and operational experience with Multipath TCP (MPTCP) in real networks. It lists several prominent use cases where Multipath TCP has been considered and is being used. It also gives insight to some heuristics and decisions that have helped to realize these use cases and suggests possible improvements. Many communication protocols operating over the modern Internet use hostnames. These often resolve to multiple IP addresses, each of which may have different performance and connectivity characteristics. Since specific addresses or address families (IPv4 or IPv6) may be blocked, broken, or sub-optimal on a network, clients that attempt multiple connections in parallel have a chance of establishing a connection more quickly. This document specifies requirements for algorithms that reduce this user-visible delay and provides an example algorithm, referred to as "Happy Eyeballs". This document obsoletes the original algorithm description in RFC 6555. This document specifies "tcpcrypt", a TCP encryption protocol designed for use in conjunction with the TCP Encryption Negotiation Option (TCP-ENO). Tcpcrypt coexists with middleboxes by tolerating resegmentation, NATs, and other manipulations of the TCP header. The protocol is self-contained and specifically tailored to TCP implementations, which often reside in kernels or other environments in which large external software dependencies can be undesirable. Because the size of TCP options is limited, the protocol requires one additional one-way message latency to perform key exchange before application data can be transmitted. However, the extra latency can be avoided between two hosts that have recently established a previous tcpcrypt connection. TCP/IP communication is currently restricted to a single path per connection, yet multiple paths often exist between peers. The simultaneous use of these multiple paths for a TCP/IP session would improve resource usage within the network and thus improve user experience through higher throughput and improved resilience to network failure. Multipath TCP provides the ability to simultaneously use multiple paths between peers. This document presents a set of extensions to traditional TCP to support multipath operation. The protocol offers the same type of service to applications as TCP (i.e., a reliable bytestream), and it provides the components necessary to establish and use multiple TCP flows across potentially disjoint paths. This document specifies v1 of Multipath TCP, obsoleting v0 as specified in RFC 6824, through clarifications and modifications primarily driven by deployment experience. This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients. This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP's existing semantics remain unchanged. All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RTFM, Inc. Arm Limited Google, Inc. This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document obsoletes RFC 6347.

Alternative Designs In this section, we discuss alternatives to mechanisms defined in this document.

Securing new TCP connections with New Session Tickets When adding a new TCP connection to a TCPLS session, endpoints derive a Initial Vector based on the technique presented in . An alternative is to use New Session Tickets to derive separate cryptographic protection materials based on a pre-shared key sent by the server. In this mode of operation, the server provides New Session Tickets to control the amount of additional TCP connections that can be opened by the client. The server could encode the Connection ID in the ticket value. Using this mechanism differs from our proposal in several ways. While it enables to use an existing TLS mechanism for this purpose, it has a number of differences. First, it requires the server to compute pre-shared keys which could be more costly than computing the TCPLS tokens defined in . Second, when used to establish a TLS session, additional TLS messages must be computed and exchanged to complete the handshake, which the current mechanism does not require. Third, TLS New Session Tickets have a lifetime that is separated from the session they are exchanged over. This is unneeded in the context of TCPLS and may require additional protocol specification and guidance to implementers.

Acknowledgments This work has been partially supported by the ``Programme de recherche d'interet general WALINNOV - MQUIC project (convention number 1810018)'' and European Union through the NGI Pointer programme for the TCPLS project (Horizon 2020 Framework Programme, Grant agreement number 871528). The authors thank Quentin De Coninck and Louis Navarre for their comments on the first version of this draft.

Change log

Since draft-piraux-tcpls-02

• Adds the TCPLS Token TLS extension to enable fast robust session establishment.

Since draft-piraux-tcpls-01

• Change frames and fields order to enable zero-copy receiver.

Since draft-piraux-tcpls-00

• Added the addresses exchange mechanism with New Address and Remove Address frames.