TCPM Working Group                                   O. Bonaventure, Ed.
Internet-Draft                                                  Tessares
Intended status: Experimental                          M. Boucadair, Ed.
Expires: May 7, August 14, 2020                                          Orange
                                                           S. Gundavelli
                                                                   Cisco
                                                                  S. Seo
                                                           Korea Telecom
                                                              B. Hesmans
                                                                Tessares
                                                       November 04, 2019
                                                       February 11, 2020

                       0-RTT TCP Convert Protocol
                     draft-ietf-tcpm-converters-14
                     draft-ietf-tcpm-converters-15

Abstract

   This document specifies an application proxy, called Transport
   Converter, to assist the deployment of TCP extensions such as
   Multipath TCP.  This proxy  A Transport Converter may provide conversion service
   for one or more TCP extensions.  The conversion service is designed to avoid inducing provided
   by means of the TCP Convert Protocol (Convert).

   This protocol provides 0-RTT (Zero Round-Trip Time) conversion
   service since no extra delay
   when involved in a network-assisted connection (that is, 0-RTT). is induced by the protocol compared to
   connections that are not proxied.  Also, the Convert Protocol does
   not require any encapsulation (no tunnels, whatsoever).

   This specification assumes an explicit model, where the proxy Transport
   Converter is explicitly configured on hosts.

   -- Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document: [This-RFC]

   Please update TBA statements with the port number to be assigned to
   the 0-RTT TCP Convert Protocol.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 7, August 14, 2020.

Copyright Notice

   Copyright (c) 2019 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  The Problem . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Network-Assisted Connections: The Rationale . . . . . . .   4
   2.  Differences with SOCKSv5  . . . . . . . . . . . . . . . . . .   6
   3.  Conventions and Definitions . . . . . . . . . . . . . . . . .   6
   3.   8
   4.  Architecture & Behaviors  . . . . . . . . . . . . . . . . . .   7
     3.1.   9
     4.1.  Functional Elements . . . . . . . . . . . . . . . . . . .   7
     3.2.   9
     4.2.  Theory of Operation . . . . . . . . . . . . . . . . . . .   9
     3.3.  11
     4.3.  Data Processing at the Transport Converter  . . . . . . .  12
       3.3.1.  Base Behavior  14
     4.4.  Address Preservation vs. Address Sharing  . . . . . . . .  16
       4.4.1.  Address Preservation  . . . . . . . . . . . . .  12
       3.3.2.  Multipath TCP Specifics . . .  16
       4.4.2.  Address/Prefix Sharing  . . . . . . . . . . . . . . .  14
   4.  17
   5.  Sample Examples . . . . . . . . . . . . . . . . . . . . . . .  15
     4.1.  18
     5.1.  Outgoing Converter-Assisted Multipath TCP Connections . .  15
     4.2.  18
     5.2.  Incoming Converter-Assisted Multipath TCP Connection  . .  16
   5.  20
   6.  The Convert Protocol (Convert)  . . . . . . . . . . . . . . .  17
     5.1.  21
     6.1.  The Convert Fixed Header  . . . . . . . . . . . . . . . .  18
     5.2.  22
     6.2.  Convert TLVs  . . . . . . . . . . . . . . . . . . . . . .  18
       5.2.1.  22
       6.2.1.  Generic Convert TLV Format  . . . . . . . . . . . . .  18
       5.2.2.  22
       6.2.2.  Summary of Supported Convert TLVs . . . . . . . . . .  19
       5.2.3.  23
       6.2.3.  The Info TLV  . . . . . . . . . . . . . . . . . . . .  20
       5.2.4.  24
       6.2.4.  Supported TCP Extensions TLV  . . . . . . . . . . . .  20
       5.2.5.  24
       6.2.5.  Connect TLV . . . . . . . . . . . . . . . . . . . . .  21
       5.2.6.  25
       6.2.6.  Extended TCP Header TLV . . . . . . . . . . . . . . .  23
       5.2.7.  28
       6.2.7.  The Cookie TLV  . . . . . . . . . . . . . . . . . . .  24
       5.2.8.  28
       6.2.8.  Error TLV . . . . . . . . . . . . . . . . . . . . . .  24
   6.  29
   7.  Compatibility of Specific TCP Options with the Conversion
       Service . . . . . . . . . . . . . . . . . . . . . . . . . . .  28
     6.1.  32
     7.1.  Base TCP Options  . . . . . . . . . . . . . . . . . . . .  28
     6.2.  32
     7.2.  Window Scale (WS) . . . . . . . . . . . . . . . . . . . .  29
     6.3.  33
     7.3.  Selective Acknowledgments . . . . . . . . . . . . . . . .  29
     6.4.  33
     7.4.  Timestamp . . . . . . . . . . . . . . . . . . . . . . . .  29
     6.5.  34
     7.5.  Multipath TCP . . . . . . . . . . . . . . . . . . . . . .  30
     6.6.  34
     7.6.  TCP Fast Open . . . . . . . . . . . . . . . . . . . . . .  30
     6.7.  TCP User Timeout  34
     7.7.  TCP-AO  . . . . . . . . . . . . . . . . . . . .  31
     6.8.  TCP-AO . . . . .  35
   8.  Interactions with Middleboxes . . . . . . . . . . . . . . . .  35
   9.  Security Considerations . . . .  31
     6.9.  TCP Experimental Options . . . . . . . . . . . . . . .  36
     9.1.  Privacy & Ingress Filtering .  31
   7.  Interactions with Middleboxes . . . . . . . . . . . . . . . .  31
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  32
     8.1.  Privacy & Ingress Filtering . . . .  36
     9.2.  Authorization . . . . . . . . . . .  32
     8.2.  Authorization . . . . . . . . . . . . . . . . . . . . . .  33
     8.3.  37
     9.3.  Denial of Service . . . . . . . . . . . . . . . . . . . .  34
     8.4.  38
     9.4.  Traffic Theft . . . . . . . . . . . . . . . . . . . . . .  34
     8.5.  Multipath TCP-specific  38
     9.5.  Authentication Considerations . . . . . . . . . .  34
   9. . . . .  38
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  35
     9.1.  39
     10.1.  Convert Service Port Number Name . . . . . . . . . . . . . . .  35
     9.2. . . .  39
     10.2.  The Convert Protocol (Convert) Parameters  . . . . . . . .  35
       9.2.1.  39
       10.2.1.  Convert Versions . . . . . . . . . . . . . . . . . .  35
       9.2.2.  40
       10.2.2.  Convert TLVs . . . . . . . . . . . . . . . . . . . .  36
       9.2.3.  41
       10.2.3.  Convert Error Messages . . . . . . . . . . . . . . .  36
   10.  41
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  37
     10.1.  42
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  37
     10.2.  42
     11.2.  Informative References . . . . . . . . . . . . . . . . .  39  44
   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . .  42
   Appendix B.  Example Socket API Changes to Support the 0-RTT
                Convert Protocol . . . . . . . . . . . . . . . . . .  44
     B.1.  47
     A.1.  Active Open (Client Side) . . . . . . . . . . . . . . . .  44
     B.2.  47
     A.2.  Passive Open (Converter Side) . . . . . . . . . . . . . .  45
   Appendix C.  Some Design Considerations . . . . . . . . . . . . .  46
   Appendix D.  Address Preservation vs. Address Sharing . .  48
   Acknowledgments . . . .  46
     D.1.  Address Preservation . . . . . . . . . . . . . . . . . .  46
     D.2.  Address/Prefix Sharing . . .  49
   Contributors  . . . . . . . . . . . . . .  47
   Appendix E.  Differences with SOCKSv5 . . . . . . . . . . . .  49
   Change Log  . .  48
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  50
   Contributors  . . . . . . . . . . . . . . . . . . . . . . . . . .  51
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  52

1.  Introduction

1.1.  The Problem

   Transport protocols like TCP evolve regularly [RFC7414].  TCP has
   been improved in different ways.  Some improvements such as changing
   the initial window size [RFC6928] or modifying the congestion control
   scheme can be applied independently on clients and servers.  Other
   improvements such as Selective Acknowledgments [RFC2018] or large
   windows [RFC7323] require a new TCP option or to change the semantics
   of some fields in the TCP header.  These modifications must be
   deployed on both clients and servers to be actually used on the
   Internet.  Experience with the latter TCP extensions reveals that
   their deployment can require many years.  Fukuda reports in
   [Fukuda2011] results of a decade of measurements showing the
   deployment of Selective Acknowledgments, Window Scale and TCP
   Timestamps.  [ANRW17] describes measurements showing that TCP Fast
   Open (TFO) [RFC7413] is still not widely deployed.

   There are some situations where the transport stack used on clients
   (or servers) can be upgraded at a faster pace than the transport
   stack running on servers (or clients).  In those situations, clients
   would typically want to benefit from the features of an improved
   transport protocol even if the servers have not yet been upgraded and
   conversely.  Some assistance from the network to make use of these
   features is valuable.  For example, Performance Enhancing Proxies
   [RFC3135], and other service functions have been deployed as
   solutions to improve TCP performance over links with specific
   characteristics.

   Recent examples of TCP extensions include Multipath TCP (MPTCP)
   [RFC6824] or TCPINC [RFC8548].  Those extensions provide features
   that are interesting for clients such as wireless devices.  With
   Multipath TCP, those devices could seamlessly use WLAN (Wireless
   Local Area Network) and cellular networks, for bonding purposes,
   faster hand-overs, or better resiliency.  Unfortunately, deploying
   those extensions on both a wide range of clients and servers remains
   difficult.

   More recently, 5G bonding experimentation has been conducted into
   global range of the incumbent 4G (LTE) connectivity using newly
   devised clients and a Multipath TCP proxy.  Even if the 5G and the 4G
   bonding relying upon Multipath TCP increases the bandwidth, it is as
   well crucial to minimize latency for all the way between endhosts
   regardless of whether intermediate nodes are inside or outside of the
   mobile core.  In order to handle URLLC (Ultra Reliable Low Latency
   Communication) for the next generation mobile network, Multipath TCP
   and its proxy mechanism such as the one used to provide Access
   Traffic Steering, Switching, and Splitting (ATSSS) must be optimized
   to reduce latency [TS23501].

1.2.  Network-Assisted Connections: The Rationale

   This document specifies an application proxy, called Transport
   Converter.  A Transport Converter is a function that is installed by
   a network operator to aid the deployment of TCP extensions and to
   provide the benefits of such extensions to clients.  A Transport
   Converter may provide conversion service for one or more TCP
   extensions.  Which TCP extensions are eligible to the conversion
   service is deployment-specific.  The conversion service is provided
   by means of the 0-RTT TCP Convert Protocol (Convert), that is an
   application-layer protocol which uses a dedicated TCP port number TBA
   (Section 9). number.

   The Convert Protocol provides 0-RTT (Zero Round-Trip Time) conversion
   service since no extra delay is induced by the protocol compared to
   connections that are not proxied.  Particularly, the Convert Protocol
   does not require extra signaling setup delays before making use of
   the conversion service.  The Convert Protocol does not require any
   encapsulation (no tunnels, whatsoever).

   The Transport Converter adheres to the main principles drawn in
   [RFC1919].  In particular, a Transport Converter achieves the
   following:

   o  Listen for client sessions;

   o  Receive from a client the address of the final target server;

   o  Setup a session to the final server;

   o  Relay control messages and data between the client and the server;

   o  Perform access controls according to local policies.

   The main advantage of network-assisted conversion services is that
   they enable new TCP extensions to be used on a subset of the path
   between endpoints, which encourages the deployment of these
   extensions.  Furthermore, the Transport Converter allows the client
   and the server to directly negotiate TCP extensions for the sake of
   native support along the full path.

   The Convert Protocol is a generic mechanism to provide 0-RTT
   conversion service.  As a sample applicability use case, this
   document specifies how the Convert Protocol applies for Multipath
   TCP.  It is out of scope of this document to provide a comprehensive
   list of all potential conversion services.  Applicability documents
   may be defined in the future.

   This document does not assume that all the traffic is eligible to the
   network-assisted conversion service.  Only a subset of the traffic
   will be forwarded to a Transport Converter according to a set of
   policies.  These policies, and how they are communicated to
   endpoints, are out of scope.  Furthermore, it is possible to bypass
   the Transport Converter to connect directly to the servers that
   already support the required TCP extension(s).

   This document assumes an explicit model in which a client is
   configured with one or a list of Transport Converters (statically or
   through protocols such as [I-D.boucadair-tcpm-dhc-converter]).
   Configuration means are outside the scope of this document.

   The use of a Transport Converter means that there is no end-to-end
   transport connection between the client and server.  This could
   potentially create problems in some scenarios such as those discussed
   in Section 4 of [RFC3135].  Some of these problems may not be
   applicable, for example, a Transport Converter can inform a client by
   means of Network Failure (65) or Destination Unreachable (97) error
   messages (Section 5.2.8) 6.2.8) that it encounters a failure problem; the
   client can react accordingly.  An endpoint, or its network
   administrator, can assess the benefit provided by the Transport
   Converter service versus the risk.  This is one reason why the
   Transport Converter functionality has to be explicitly requested by
   an endpoint.

   This document is organized as follows.  First, Section 3 2 provides a
   brief overview of the differences between the well-known SOCKS
   protocol and the 0-RTT Convert protocol.  Section 4 provides a brief
   explanation of the operation of Transport Converters.  Then,
   Section 5 6 describes the Convert Protocol.  Section 6 7 discusses how
   Transport Converters can be used to support different TCP extensions.
   Section 7 8 then discusses the interactions with middleboxes, while
   Section 8 9 focuses on the security considerations.  Appendix B A
   describes how a TCP stack would need to support the protocol
   described in this document.  Appendix C records some
   considerations that impacted the design of the protocol.  Appendix E
   provides a comparison

2.  Differences with SOCKS proxies that are already used SOCKSv5

   Several IETF protocols provide proxy services; the closest to
   deploy Multipath TCP in some the
   0-RTT Convert protocol being the SOCKSv5 protocol [RFC1928].  This
   protocol is already used to deploy Multipath TCP in some cellular
   networks (Section 2.2 of [RFC8041]).

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are

   A SOCKS Client creates a connection to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, a SOCKS Proxy, exchanges
   authentication information, and only when, they appear in all
   capitals, as shown here.

   The information shown between brackets in the figures refers to
   Convert Protocol messages described in Section 5.

   Only indicates the exchange IP address and port
   number of control messages is depicted in the figures.

3.  Architecture & Behaviors

3.1.  Functional Elements

   The Convert Protocol considers three functional elements:

   o  Clients;

   o  Transport Converters;

   o  Servers.

   A Transport Converter is target Server.  At this point, the SOCKS Proxy creates
   a network function that proxies all data
   exchanged over one upstream connection to one downstream connection towards the target Server and vice versa (Figure 1). relays all data between
   the two proxied connections.  The Transport Converter, thus, maintains
   state that associates one upstream connection to a corresponding
   downstream connection.

   A connection can be initiated from both sides operation of the Transport
   Converter (Internet-facing interface, customer-facing interface).

                              |
                              :
                              |
                        +------------+ an implementation
   based on SOCKSv5 (without authentication) is illustrated in Figure 1.

   Client <- upstream ->| Transport  |<- downstream ->                SOCKS Proxy               Server
            connection
      | Converter                       |   connection
                        +------------+                       |
    customer-facing interface : Internet-facing interface
      |

     Figure 1: A Transport Converter Proxies Data between Pairs of TCP
                                Connections

   "Client" refers to a software instance embedded on a host that can
   reach --------------------> |                       |
      |         SYN           |                       |
      | <-------------------- |                       |
      |       SYN+ACK         |                       |
      | --------------------> |                       |
      |         ACK           |                       |
      |                       |                       |
      | --------------------> |                       |
      |Version=5, Auth Methods|                       |
      | <-------------------- |                       |
      |       Method          |                       |
      | --------------------> |                       |
      |Auth Request (unless "No auth" method negotiated)
      | <-------------------- |                       |
      |     Auth Response     |                       |
      | --------------------> |                       |
      | Connect Server:Port   | --------------------> |
      |                       |          SYN          |
      |                       | <-------------------- |
      |                       |        SYN+ACK        |
      | <-------------------- |                       |
      |      Succeeded        |                       |
      | --------------------> |                       |
      |       Data1           |                       |
      |                       | --------------------> |
      |                       |         Data1         |
      |                       | <-------------------- |
      |                       |         Data2         |
      | <-------------------- |                       |
      |          Data2        |                       |
                            ...

     Figure 1: Establishment of a Transport Converter via its customer-facing interface.  The
   "Client" can initiate connections via TCP Connection through a Transport Converter (referred
   to as outgoing connections (Section 4.1)).  Also, the "Client" can
   accept incoming connections via SOCKS Proxy
                          Without Authentication

   When SOCKS is used, an "end-to-end" connection between a Transport Converter (referred to as
   incoming Client and a
   Server becomes a sequence of two TCP connections (Section 4.2)).

   Transport Converters can be operated by network operators or third
   parties.  Nevertheless, this document focuses that are glued
   together on the single
   administrative deployment case where SOCKS Proxy.  The SOCKS Client and Server exchange
   control information at the entity offering beginning of the
   connectivity service to a client is also bytestream on the entity which owns Client-
   Proxy connection.  The SOCKS Proxy then creates the connection with
   the target Server and
   operates then glues the Transport Converter.

   A Transport Converter can be embedded in a standalone device or be
   activated as a service on a router.  How such function is enabled is
   deployment-specific.  A sample deployment is depicted in Figure 2.

                 +-+    +-+    +-+
       Client -  |R| -- |R| -- |R| - - -  Server
                 +-+    +-+    +-+
                         |
                        +-+
                        |R|
                        +-+
                         |
                    +---------+
                    |Transport|
                    |Converter|
                    +---------+
     R: Router

     Figure 2: A Transport Converter Can Be Installed Anywhere in the
                                  Network

   The architecture assumes two connections together so that new software will be installed on
   all bytes sent by the
   Client hosts application (Client) to interact with one or more Transport Converters.
   Furthermore, the architecture allows for making use of new TCP
   extensions even if those SOCKS Proxy are not supported by
   relayed to the Server and vice versa.

   The Convert Protocol is also used on TCP proxies that relay data
   between an upstream and a given server. downstream connection, but there are
   important differences with SOCKSv5.  A Client first difference is configured, through means that are outside the scope of
   this document, with
   0-RTT Convert protocol exchanges all the names and/or control information during
   the addresses of one initial RTT.  This reduces the connection establishment delay
   compared to SOCKS which requires two or more
   Transport Converters and round-trip-times before
   the TCP extensions that they support.  The
   procedure for selecting a Transport Converter among a list establishment of
   configured Transport Converters is outside the scope of this
   document.

   One of downstream connection towards the benefits of final
   destination.  In today's Internet, latency is a important metric and
   various protocols have ben tuned to reduce their latency
   [I-D.arkko-arch-low-latency].  A recently proposed extension to SOCKS
   leverages the TFO (TCP Fast Open) option
   [I-D.olteanu-intarea-socks-6] to reduce this design delay.

   A second difference is that different transport
   protocol extensions can be used on the upstream and the downstream
   connections.  This encourages Convert Protocol explicitly takes the deployment of new
   TCP extensions
   until they are widely supported by servers, in particular.

   The architecture does not mandate anything on the Server side.

   Similar to address sharing mechanisms, into account.  By using the architecture does not
   interfere with end-to-end TLS connections [RFC8446] between Convert Protocol, the
   Client and the Server (Figure 3).  In other words, end-to-end TLS can learn whether a given TCP extension is supported in by the presence of a Converter.

       Client             Transport                Server
          |               Converter                  |
          |                   |                      |
          /==========================================\
         |            End-to-end TLS                  |
          \==========================================/

       * TLS messages exchanged between
   destination Server.  This enables the Client
         and to bypass the Server are not shown.

            Figure 3: End-to-end TLS via a Transport
   Converter

   It is out of scope of this document to elaborate on specific
   considerations related to when the use of TLS in Server supports the Client-Converter
   connection leg to exchange Convert messages (in addition to required TCP extension(s).
   Neither SOCKSv5 [RFC1928] nor the end-
   to-end TLS connection).

3.2.  Theory of Operation

   At proposed SOCKSv6
   [I-D.olteanu-intarea-socks-6] provide such a feature.

   A third difference is that a high level, the objective of the Transport Converter is to allow will only confirm
   the use a specific extension, e.g., Multipath TCP, on a subset establishment of the
   path even if the peer does not support this extension.  This is
   illustrated in Figure 4 where connection initiated by the Client initiates a Multipath TCP provided
   that the downstream connection with has already been accepted by the Transport Converter (packets belonging to
   Server.  If the Server refuses the
   Multipath TCP connection are shown with "===") while establishment attempt
   from the Transport
   Converter uses a regular TCP Converter, then the upstream connection with from the Server.
   Client             Transport is rejected as well.  This feature is important for
   applications that check the availability of a Server
          |               Converter                  |
          |                   |                      |
          |==================>|--------------------->|
          |                   |                      |
          |<==================|<---------------------|
          |                   |                      |
         Multipath TCP packets   Regular TCP packets

       Figure 4: An Example of 0-RTT Network-Assisted Outgoing MPTCP
                                Connection

   The packets belonging to the pair of connections between the Client
   and Server passing through a Transport Converter may follow a
   different path than the packets directly exchanged between the Client
   and the Server.  Deployments should minimize the possible additional
   delay by carefully selecting the location of or use the Transport Converter
   used time
   to reach a given destination.

   When establishing connect as a connection, the Client can, depending hint on local
   policies, either contact the Server directly (e.g., by sending a TCP
   SYN towards the Server) or create the connection via selection of a Transport
   Converter.  In the latter case (that is, the conversion service Server [RFC8305].

   A fourth difference is
   used), that the Client initiates a connection towards 0-RTT Convert protocol only allows
   the Transport
   Converter and indicates Client to specify the IP address and port address/port number of the Server
   within the connection establishment packet.  Doing so enables the
   Transport Converter to immediately initiate destination
   server and not a connection towards that
   Server, without experiencing DNS name.  We evaluated an extra delay.  The Transport Converter
   waits until alternate design that
   included the receipt DNS name of the confirmation remote peer instead of its IP address as
   in SOCKS [RFC1928].  However, that the Server agrees to
   establish the connection before confirming design was not adopted because it to the Client.

   The Client places the destination address
   induces both an extra load and port number of the
   Server in the payload of the SYN sent to increased delays on the Transport
   Converter to
   minimize connection establishment delays. handle and manage DNS resolution requests.

3.  Conventions and Definitions

   The Transport Converter
   maintains two connections that key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are combined together:

   o  the upstream connection is the one between the Client to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and the only when, they appear in all
   capitals, as shown here.

4.  Architecture & Behaviors

4.1.  Functional Elements

   The Convert Protocol considers three functional elements:

   o  Clients;

   o  Transport Converter. Converters;

   o  the downstream connection is between the  Servers.

   A Transport Converter and
      the Server.

   Any user is a network function that proxies all data received by the Transport Converter
   exchanged over the one upstream
   (or downstream) connection is proxied over the to one downstream (or
   upstream) connection.  In particular, if the initial SYN message
   contains data in its payload (e.g., [RFC7413]), that data MUST be
   placed right after the Convert TLVs when generating the SYN. connection
   and vice versa (Figure 2).  The Converter associates a lifetime with Transport Converter, thus, maintains
   state entries used to bind
   an that associates one upstream connection with its to a corresponding
   downstream connection.

   Figure 5 illustrates the establishment of an outgoing TCP

   A connection
   by a Client through a Transport Converter. can be initiated from both sides of the Transport
       Client
   Converter              Server
          |                   |                      |
          |SYN [->Server:port]|         SYN          |
          |------------------>|--------------------->|
          |<------------------|<---------------------| (Internet-facing interface, customer-facing interface).

                              |    SYN+ACK [ ]
                              :
                              |        SYN+ACK
                        +------------+
   Client <- upstream ->| Transport  |<- downstream -> Server
            connection  | Converter  |        ...   connection
                        +------------+
                              |          ...
    customer-facing interface : Internet-facing interface
                              |

     Figure 5: Establishment of an Outgoing TCP Connection Through a 2: A Transport Converter

   The Client sends a SYN destined Proxies Data between Pairs of TCP
                                Connections

   "Client" refers to the a software instance embedded on a host that can
   reach a Transport Converter.  The
   payload of this SYN contains the address and port number of the
   Server. Converter via its customer-facing interface.  The
   "Client" can initiate connections via a Transport Converter does not reply immediately to this
   SYN.  It first tries (referred
   to create a TCP connection towards the target
   Server.  If this upstream connection succeeds, as outgoing connections).  Also, the "Client" can accept incoming
   connections via a Transport Converter confirms the establishment of the connection (referred to the Client as incoming
   connections).

   Transport Converters can be operated by returning a SYN+ACK and the first bytes of network operators or third
   parties.  Nevertheless, this document focuses on the bytestream contain
   information about single
   administrative deployment case where the TCP options that were negotiated with entity offering the
   Server.  Also,
   connectivity service to a state entry is instantiated for this connection.
   This state entry client is used by also the Converter to handle subsequent
   messages belonging to entity which owns and
   operates the connection.

   The connection Transport Converter.

   A Transport Converter can also be established from the Internet towards embedded in a
   Client via standalone device or be
   activated as a Transport Converter (Figure 6).  This service on a router.  How such function is typically the
   case when an application enabled is
   deployment-specific.

   The architecture assumes that new software will be installed on the
   Client listens to a specific port
   (the Client hosts an application server, typically).  When to interact with one or more Transport Converters.
   Furthermore, the
   Converter receives an incoming SYN from a remote host, it checks if
   it can provide the conversion service architecture allows for the destination IP address
   and destination port number making use of new TCP
   extensions even if those are not supported by a given server.

   A Client is configured, through means that SYN.  If are outside the check fails, scope of
   this document, with the
   packet is silently ignored by names and/or the Converter.  If addresses of one or more
   Transport Converters and the check TCP extensions that they support.  The
   procedure for selecting a Transport Converter among a list of
   configured Transport Converters is
   successful, outside the Converter inserts scope of this
   document.

   One of the source IP address benefits of this design is that different transport
   protocol extensions can be used on the upstream and source
   port number in the SYN packet, rewrites downstream
   connections.  This encourages the source IP address to one deployment of its IP addresses and, eventually (i.e., only when the Converter is
   configured new TCP extensions
   until they are widely supported by servers, in an address sharing mode), particular.

   The architecture does not mandate anything on the destination IP address
   and port number in accordance with any information stored locally.
   That SYN is then forwarded Server side.

   Similar to SOCKS, the next hop.  A transport session
   entry architecture does not interfere with end-to-end
   TLS connections [RFC8446] between the Client and the Server
   (Figure 3).  In other words, end-to-end TLS is created by supported in the
   presence of a Converter.

       Client             Transport                Server
          |               Converter for this connection.  SYN+ACK and
   ACK will be then                  |
          |                   |                      |
          /==========================================\
         |            End-to-end TLS                  |
          \==========================================/

       * TLS messages exchanged between the Client, the Converter, Client
         and
   remote host to confirm the establishment Server are not shown.

            Figure 3: End-to-end TLS via a Transport Converter

   It is out of scope of this document to elaborate on specific
   considerations related to the connection.  The
   Converter uses use of TLS in the transport session entry Client-Converter
   connection leg to proxy packets exchange Convert messages (in addition to the end-
   to-end TLS connection).

4.2.  Theory of Operation

   At a high level, the objective of the Transport Converter is to allow
   the use a specific extension, e.g., Multipath TCP, on a subset of the
   path even if the peer does not support this extension.  This is
   illustrated in Figure 4 where the Client initiates a Multipath TCP
   connection with the Transport Converter (packets belonging to the connection.
   Multipath TCP connection are shown with "===") while the Transport              Remote
   Converter uses a regular TCP connection with the Server.

       Client             Transport                Server
          |               Converter             Host (RH)                  |
          |                   |
          |SYN [<-RH IP@:port]|         SYN                      |
          |<------------------|<---------------------|
          |------------------>|--------------------->|
          |==================>|--------------------->|
          |    SYN+ACK [ ]                   |        SYN+ACK                      |
          |<==================|<---------------------|
          |        ...                   |          ...                      |
         Multipath TCP packets   Regular TCP packets

       Figure 6: Establishment 4: An Example of an Incoming TCP 0-RTT Network-Assisted Outgoing MPTCP
                                Connection Through

   The packets belonging to a connection established through a Transport
   Converter

   Standard TCP ([RFC0793], Section 3.4) allows may follow a SYN packet to carry
   data inside its payload but forbids different path than the receiver from delivering it
   to packets directly
   exchanged between the application until completion Client and the Server.  Deployments should
   minimize the possible additional delay by carefully selecting the
   location of the three-way-handshake.  To
   enable applications Transport Converter used to exchange data in reach a TCP handshake, this
   specification follows an approach similar to TCP Fast Open [RFC7413]
   and thus removes the constraint by allowing data in SYN packets to be
   delivered to given
   destination.

   When establishing a connection, the Transport Converter application.

   As discussed in [RFC7413], such change to TCP semantic raises two
   issues.  First, duplicate SYNs can cause problems for some
   applications that rely Client can, depending on TCP.  Second, local
   policies, either contact the Server directly (e.g., by sending a TCP suffers from
   SYN flooding
   attacks [RFC4987].  TFO solves these two problems for applications
   that can tolerate replays by using towards the TCP Fast Open option that
   includes Server) or create the connection via a cookie.  However, Transport
   Converter.  In the utilization of this option consumes
   space in latter case (that is, the limited TCP header.  Furthermore, there are situations,
   as noted in Section 7.3 of [RFC7413] where it conversion service is possible to accept
   used), the payload of SYN packets without creating additional security risks
   such as Client initiates a network where addresses cannot be spoofed and connection towards the Transport
   Converter only serves a set of hosts that are identified by these
   addresses.

   For these reasons, this specification does not mandate and indicates the use IP address and port number of the
   TCP Fast Open option when Server
   within the Client sends a connection establishment
   packet towards a packet.  Doing so enables the
   Transport Converter.  The Convert Protocol includes
   an optional Cookie TLV Converter to immediately initiate a connection towards that provides similar protection as the TCP
   Fast Open option
   Server, without consuming space in the extended TCP header.
   In particular, this design allows for experiencing an extra delay.  The Transport Converter
   waits until the use receipt of longer cookies.

   If the downstream (or upstream) connection fails for some reason
   (excessive retransmissions, reception of an RST segment, etc.), then
   the Converter should force the tear-down of the upstream (or
   downstream) connection.

   The same reasoning applies when the upstream connection ends.  In
   this case, confirmation that the Converter should also terminate Server agrees to
   establish the downstream connection by using FIN segments.  If before confirming it to the downstream connection
   terminates with Client.

   The Client places the exchange destination address and port number of FIN segments, the Converter should
   initiate a graceful termination
   Server in the payload of the upstream connection.

3.3.  Data Processing at SYN sent to the Transport Converter

3.3.1.  Base Behavior

   As mentioned in Section 3.2, the to
   minimize connection establishment delays.  The Transport Converter acts as a TCP
   proxy between
   maintains two connections that are combined together:

   o  the upstream connection (i.e., is the one between the Client and the
      Transport Converter) and Converter.

   o  the downstream connection (i.e., is the one between the Transport
      Converter and the Server).

   The control messages, discussed in Section 5, establish state
   (called, transport session entry) in Server.

   Any user data received by the Transport Converter over the upstream
   (or downstream) connection is proxied over the downstream (or
   upstream) connection.  In particular, if the initial SYN message
   contains user data in its payload (e.g., [RFC7413]), that
   will enable it to proxy between data MUST
   be placed right after the two TCP connections.

   The Transport Converter uses Convert TLVs when generating the transport session entry to proxy
   packets belonging to SYN.

   Figure 5 illustrates the connection.  An implementation example establishment of a
   transport session entry for an outgoing TCP connections is connection
   by a Client through a Transport Converter.

   o  Note: The information shown between brackets in Figure 7.

                (C,c) <--> (T,t), (S,s), Lifetime

   Where:
     * C and c are the source IP address and source port number
       used by 5 (and
      other figures in the document) refers to Convert Protocol messages
      described in Section 6.

                           Transport
       Client for the upstream connection.
     * S and s are              Converter              Server
          |                   |                      |
          |SYN [->Server:port]|         SYN          |
          |------------------>|--------------------->|
          |<------------------|<---------------------|
          |    SYN+ACK [ ]    |        SYN+ACK       |
          |        ...        |          ...         |

      Figure 5: Establishment of an Outgoing TCP Connection Through a
                            Transport Converter

   The Client sends a SYN destined to the Server's IP address and port number.
     * T and t are Transport Converter.  The
   payload of this SYN contains the source IP address and source port number
       used by of the
   Server.  The Transport Converter does not reply immediately to proxy this
   SYN.  It first tries to create a TCP connection towards the connection.
     * Lifetime is target
   Server.  If this upstream connection succeeds, the validity lifetime Transport
   Converter confirms the establishment of the entry as assigned connection to the Client
   by returning a SYN+ACK and the Converter.

           Figure 7: An Example first bytes of Transport Session Entry (TCP)

   Clients send packets bound to connections eligible to the conversion
   service to bytestream contain
   information about the provisioned Transport Converter using TBA as
   destination port number.  This applies TCP options that were negotiated with the
   Server.  Also, a state entry is instantiated for both control messages and
   data.  Additional information this connection.
   This state entry is supplied used by Clients to the Transport Converter by means of Convert to handle subsequent
   messages as detailed in Section 5.
   User data belonging to the connection.

   The connection can also be included in SYN or non-SYN messages.  User data is
   unambiguously distinguished established from Convert TLVs by the Internet towards a
   Client via a Transport Converter owing to (Figure 6).  This is typically the Convert Fixed Header in the Convert messages
   (Section 5.1).  These Convert TLVs are destined to the Transport
   Convert and are, thus, removed by the Transport Converter
   case when
   proxying between the two connections.

   Upon receipt of a Non-SYN (or Client hosts an application server that listens to a secondary subflow for Multipath TCP)
   on
   specific port number TBA by number.  When the Transport Converter receives an incoming SYN
   from a Client, the
   Converter remote host, it checks if it can provide the packet matches an active transport session
   entry.  If no entry is found, conversion
   service for the destination IP address and destination port number of
   that SYN.  The Transport Converter MUST silently
   ignore receives this SYN because it is,
   for example, on the packet. path between the remote host and the Client or it
   provides address sharing service for the Client.  If an entry the check fails,
   the packet is found, silently ignored by the user data Converter.  If the check is proxied
   successful, the Converter tries to initiate a TCP connection towards
   the Server Client from its own address and using its configured TCP options.
   In the information stored in the corresponding
   transport session entry.  For example, in reference SYN that corresponds to Figure 7, this connection attempt, the Transport Converter proxies
   Convert inserts a TLV message that indicates the data received from (C, c) downstream
   using (T,t) as source transport address and (S,s) as destination
   transport address.
   port number of the remote host.  A similar process happens for data sent from transport session entry is created
   by the Server.  The Converter acts as a TCP proxy for this connection.  SYN+ACK and sends ACK will be then
   exchanged between the data Client, the Converter, and remote host to
   confirm the Client
   relying upon establishment of the information stored in a transport connection.  The Converter uses the
   transport session entry.

   Considerations that are specific entry to Multipath proxy packets belonging to the connection.

     Transport              Remote
       Client              Converter             Host (RH)
          |                   |                      |
          |SYN [<-RH IP@:port]|         SYN          |
          |<------------------|<---------------------|
          |------------------>|--------------------->|
          |    SYN+ACK [ ]    |        SYN+ACK       |
          |        ...        |          ...         |

      Figure 6: Establishment of an Incoming TCP are described in
   Section 3.3.2.

   A Connection Through a
                            Transport Converter may operate in address preservation mode (that
   is,

   Standard TCP ([RFC0793], Section 3.4) allows a SYN packet to carry
   data inside its payload but forbids the Converter does not rewrite receiver from delivering it
   to the source IP address (i.e.,
   C==T)) or address sharing mode (that is, an address pool is shared
   among all Clients serviced by application until completion of the Converter (i.e., C!=T)); refer three-way-handshake.  To
   enable applications to
   Appendix D for more details.  Which behavior exchange data in a TCP handshake, this
   specification follows an approach similar to use TCP Fast Open [RFC7413]
   and thus removes the constraint by a Transport
   Converter is deployment-specific.  If address sharing mode is
   enabled, allowing data in SYN packets to be
   delivered to the Transport Converter MUST adhere to REQ-2 of [RFC6888]
   which implies a default "IP address pooling" behavior of "Paired" (as
   defined application.

   As discussed in Section 4.1 of [RFC4787]) must be supported.  This
   behavior is meant [RFC7413], such change to avoid breaking TCP semantic raises two
   issues.  First, duplicate SYNs can cause problems for some
   applications that depend rely on the
   source address remaining constant.

3.3.2.  Multipath TCP.  Second, TCP Specifics

   Note that suffers from SYN flooding
   attacks [RFC4987].  TFO solves these two problems for applications
   that can tolerate replays by using the Multipath TCP case, the Convert TLVs are only
   exchanged during Fast Open option that
   includes a cookie.  However, the establishment utilization of this option consumes
   space in the initial subflow.

   The Transport Converter identifies an MPTCP connection by means,
   e.g., limited TCP header.  Furthermore, there are situations,
   as noted in Section 7.3 of the token assigned [RFC7413] where it is possible to accept
   the MPTCP connection (Section 2.2 of
   [RFC6824]).  An implementation example payload of an MPTCP transport session
   entry maintained by SYN packets without creating additional security risks
   such as a network where addresses cannot be spoofed and the Transport
   Converter is shown in Figure 8.  The
   entry needs to be updated whenever subflows only serves a set of hosts that are added to, or deleted
   from, identified by these
   addresses.

   For these reasons, this specification does not mandate the MPTCP connection.

         token, {(C1,c1), .., (Cn, cn)} <--> (T,t), (S,s), Lifetime

   Where:
     * Token is a locally unique identifier given to use of the
   TCP Fast Open option when the Client sends a (upstream)
       multipath connection by the establishment
   packet towards a Transport Converter.  The token
       is a one-way hash of Convert Protocol includes
   an optional Cookie TLV that provides similar protection as the MPTCP key.
     * Ci and ci are TCP
   Fast Open option without consuming space in the source IP address and source port number
       used by TCP header.
   Furthermore, this design allows for the Client use of longer cookies than
   [RFC7413].

   If the downstream (or upstream) connection fails for a subflow some reason
   (excessive retransmissions, reception of an (upstream) MPTCP
       connection.
     * S and s are the Server's IP address and port number.
     * T and t are RST segment, etc.), then
   the source IP address and source port number
       used Converter reacts by forcing the Transport Converter to proxy tear-down of the upstream (or
   downstream) connection.
     * Lifetime is

   The same reasoning applies when the validity lifetime upstream connection ends with an
   exchange of FIN packets.  In this case, the entry as assigned Converter should also
   terminate the downstream connection by using FIN packets.  If the Converter.

           Figure 8: An Example of MPTCP Transport Session Entry

   Upon receipt
   downstream connection terminates with the exchange of a secondary subflow by FIN packets,
   the Transport Converter from should initiate a
   Client, graceful termination of the Converter follows upstream
   connection.

4.3.  Data Processing at the same behavior specified Transport Converter

   As mentioned in Section 3.3.1 for processing Non-SYNs.  For example, in reference to
   Figure 8, 4.2, the Transport Converter proxies the data received from acts as a
   new subflow of an existing Multipath TCP
   proxy between the upstream connection (Cn, cn)
   downstream using (T,t) as source transport address (i.e., between the Client and (S,s) as
   destination transport address.

4.  Sample Examples

4.1.  Outgoing Converter-Assisted Multipath TCP Connections

   As an example, let us consider how
   the Convert Protocol can help Transport Converter) and the
   deployment of Multipath TCP.  We assume that both downstream connection (i.e., between
   the Client Transport Converter and the Server).

   The control messages, discussed in Section 6, establish state
   (called, transport session entry) in the Transport Converter support Multipath TCP, but consider two different
   cases depending on whether that
   will enable it to proxy between the Server supports Multipath two TCP or not.

   As a reminder, connections.

   The Transport Converter uses the transport session entry to proxy
   packets belonging to the connection.  An implementation example of a Multipath
   transport session entry for TCP connection connections is created by placing the
   MP_CAPABLE (MPC) option shown in the SYN sent by the Client. Figure 9 describes 7.

                      (C,c) <--> (T,t), (S,s), Lifetime

      Where:
        * C and c are the operation of the Transport Converter if source IP address and source port number
          used by the
   Server does not support Multipath TCP.

                           Transport
       Client              Converter              Server
          |SYN,               |                      |
          |MPC [->Server:port]|         SYN, MPC     |
          |------------------>|--------------------->|
          |<------------------|<---------------------|
          |  SYN+ACK,MPC [.]  |      SYN+ACK         |
          |------------------>|--------------------->|
          |     ACK, MPC      |          ACK         |
          |        ...        |          ...         |

      Figure 9: Establishment of a Multipath TCP Connection Through a
   Transport Converter towards a Server that Does Not Support Multipath
                                    TCP

   The Client tries to initiate a Multipath TCP connection by sending a
   SYN with for the MP_CAPABLE option (MPC in Figure 9).  The SYN includes upstream connection.
        * S and s are the Server's IP address and port number of the target Server, that number.
        * T and t are extracted the source IP address and source port number
          used by the Transport Converter to initiate a Multipath TCP
   connection towards this Server.  Since the Server does not support
   Multipath TCP, it replies with a SYN+ACK that does not contain the
   MP_CAPABLE option.  The Transport Converter notes that proxy the connection
   with connection.
        * Lifetime is the Server does not support Multipath TCP and returns validity lifetime of the
   extended TCP header received from entry as assigned
          by the Server Converter.

           Figure 7: An Example of Transport Session Entry (TCP)

   Clients send packets bound to connections eligible to the Client.

   Note that, if conversion
   service to the TCP connection fails provisioned Transport Converter and destination port
   number.  This applies for some reason, both control messages and data.  Additional
   information is supplied by Clients to the Transport Converter
   tears down the Multipath TCP connection by transmitting a
   MP_FASTCLOSE.  Likewise, if the Multipath TCP connection ends with
   the transmission
   means of DATA_FINs, the Converter terminates the TCP
   connection Convert messages as detailed in Section 6.  User data can be
   included in SYN or non-SYN messages.  User data is unambiguously
   distinguished from Convert TLVs by using FIN segments.  As a side note, given that with
   Multipath TCP, RST only has the scope of Transport Converter owing to the subflow and will only
   close
   Convert Fixed Header in the concerned subflow but not affect Convert messages (Section 6.1).  These
   Convert TLVs are destined to the remaining subflows, Transport Convert and are, thus,
   removed by the Transport Converter does not terminate when proxying between the TCP connection upon two
   connections.

   Upon receipt of
   an RST over a Multipath subflow.

   Figure 10 considers a Server packet that supports Multipath TCP.  In this
   case, it replies belongs to the SYN sent by an existing connection
   between a Client and the Transport Converter with the
   MP_CAPABLE option.  Upon reception of this SYN+ACK, the Transport Converter confirms proxies
   the establishment of user data to the connection Server using the information stored in the
   corresponding transport session entry.  For example, in reference to
   Figure 7, the Client Transport Converter proxies the data received from (C,
   c) downstream using (T,t) as source transport address and indicates to (S,s) as
   destination transport address.

   A similar process happens for data sent from the Client that Server.  The
   Converter acts as a TCP proxy and sends the Server supports Multipath TCP.
   With this information, data to the Client has discovered that
   relying upon the Server
   supports information stored in a transport session entry.
   The Converter associates a lifetime with state entries used to bind
   an upstream connection with its downstream connection.

   When Multipath TCP natively.  This will enable is used between the Client to
   bypass and the Transport
   Converter, the Converter for maintains more state (e.g. information about
   the subsequent subflows) for each Multipath TCP
   connections connection.  The procedure
   described above continues to apply except that it will initiate towards this Server.

                           Transport
       Client the Converter              Server
          |SYN,               |                      |
          |MPC [->Server:port]|         SYN, MPC     |
          |------------------>|--------------------->|
          |<------------------|<---------------------|
          |SYN+ACK,           |      SYN+ACK, MPC    |
          |MPC [MPC supported]|                      |
          |------------------>|--------------------->|
          |     ACK, MPC      |        ACK, MPC      |
          |        ...        |          ...         |

     Figure 10: Establishment needs to
   manage the establishment/termination of a Multipath TCP Connection Through a
                 Converter Towards an MPTCP-capable Server

4.2.  Incoming Converter-Assisted Multipath TCP Connection

   An example subflows and schedule packets
   among the established ones.  These operations are part of an incoming Converter-assisted the
   Multipath TCP connection
   is depicted implementation.  They are independent of the Convert
   protocol that only processes the Convert messages in Figure 11.  In order to support incoming connections
   from remote hosts, the Client may use PCP [RFC6887] to instruct beginning of
   the bytestream.

   A Transport Converter to create dynamic mappings.  Those mappings will
   be used by may operate in address preservation mode (that
   is, the Transport Converter to intercept an incoming TCP
   connection destined to the Client and convert it into a Multipath TCP
   connection.

   Typically, does not rewrite the Client sends a PCP request to source IP address (i.e.,
   C==T)) or address sharing mode (that is, an address pool is shared
   among all Clients serviced by the Converter asking (i.e., C!=T)); refer to
   create an explicit TCP mapping
   Section 4.4 for (internal IP address, internal
   port number).  The Converter accepts the request more details.  Which behavior to use by creating a TCP
   mapping (internal IP address, internal port number, external IP
   address, external port number).  The external IP Transport
   Converter is deployment-specific.  If address and external
   port number will be then advertised using an out-of-band mechanism so
   that remote hosts can initiate TCP connections to the Client via the
   Converter.  Note that the external and internal information may be
   the same.

   Then, when sharing mode is
   enabled, the Transport Converter receives an incoming SYN, it checks its
   mapping table MUST adhere to verify if there is an active mapping matching the
   destination IP REQ-2 of [RFC6888]
   which implies a default "IP address and destination port pooling" behavior of that SYN.  If no entry "Paired" (as
   defined in Section 4.1 of [RFC4787]) MUST be supported.  This
   behavior is found, meant to avoid breaking applications that depend on the
   source address remaining constant.

4.4.  Address Preservation vs. Address Sharing

   The Transport Converter silently ignores the message.  If an entry is
   found, provided with instructions about the Converter inserts an MP_CAPABLE option and Connect TLV in
   behavior to adopt with regards to the SYN packet, rewrites processing of source addresses
   of outgoing packets.  The following sub-sections discusses two
   deployment models for illustration purposes.  It is out of the scope
   of this document to make a recommendation.

4.4.1.  Address Preservation

   In this model, the visible source IP address to one of its a packet proxied by a
   Transport Converter to a Server is an IP
   addresses and, eventually, address of the destination end host
   (Client).  No dedicated IP address and port number
   in accordance with pool is provisioned to the information stored in
   Transport Converter, but the mapping.  SYN+ACK
   and ACK will be then exchanged the Transport Converter is located on
   the path between the Client and the Server.

   For Multipath TCP, the Transport Converter
   to confirm preserves the establishment of source IP
   address used by the Client when establishing the initial subflow.  The Client can
   add new subflows following normal
   Data conveyed in secondary subflows will be proxied by the Transport
   Converter using the source IP address of the initial subflow.  An
   example of a proxied Multipath TCP procedures. connection with address
   preservation is shown in Figure 8.

                                          Transport             Remote
           Client                        Converter              Host
         |                     |          Server

            @:C1,C2                        @:Tc                @:S
               ||                            |
         |<--------------------|<-------------------|
         |SYN,                  |
               |src:C1     SYN         dst:Tc|src:C1       dst:S|
               |-------MPC [->S:port]------->|-------SYN------->|
               ||                            |
         |MPC[Remote Host:port]|                  |
         |-------------------->|------------------->|
               ||dst:C1                src:Tc|dst:C1       src:S|
               |<---------SYN/ACK------------|<-----SYN/ACK-----|
               ||                            |      SYN+ACK, MPC                  |       SYN+ACK
               |src:C1                 dst:Tc|src:C1       dst:S|
               |------------ACK------------->|-------ACK------->|
               |
         |<--------------------|<-------------------|                             |       ACK, MPC                  |           ACK
               |src:C2          ...    dst:Tc|       ...        |
               ||<-----Secondary Subflow---->|src:C1       dst:S|
               ||                            |-------data------>|
               |        ...               ..            |    ...           |

 Legend:
   Tc: IP address used by the Transport Converter on its customer-facing
       interface.

                 Figure 11: Establishment 8: Example of an Incoming Multipath TCP Connection
                       through a Address Preservation

   The Transport Converter

   It is out of scope must be on the forwarding path of this document to define specific Convert TLVs
   to manage incoming connections.  These TLVs can be defined in a
   separate document.

5.  The Convert Protocol (Convert)

   This section defines
   traffic.  Because the Convert Protocol (Convert, same (destination) IP address is used for short)
   messages that are exchanged between a Client both
   proxied and a Transport
   Converter.

   By default, non-proxied connections, the Transport Converter listens on TCP port number TBA should
   not drop incoming packets it intercepts if no matching entry is found
   for Convert messages from Clients.

   Convert messages may appear only in a SYN, SYN+ACK, or ACK.

   Convert messages MUST be included as the first bytes packets.  Unless explicitly configured otherwise, such
   packets are forwarded according to the instructions of a local
   forwarding table.

4.4.2.  Address/Prefix Sharing

   A pool of global IPv4 addresses is provisioned to the
   bytestream.  All Convert messages starts Transport
   Converter along with a 32 bits long fixed
   header (Section 5.1) followed by one or more Convert TLVs (Type,
   Length, Value) (Section 5.2).

5.1.  The Convert Fixed Header

   The Convert Protocol uses a 32 bits long fixed header possible instructions about the address sharing
   ratio to apply (see Appendix B of [RFC6269]).  An address is thus
   shared among multiple clients.

   Likewise, rewriting the source IPv6 prefix [RFC6296] may be used to
   ease redirection of incoming IPv6 traffic towards the appropriate
   Transport Converter.  A pool of IPv6 prefixes is then provisioned to
   the Transport Converter for this purpose.

   Adequate forwarding policies are enforced so that traffic destined to
   an address of such pool is sent intercepted by
   both the appropriate Transport
   Converter.  Unlike Section 4.4.1, the Transport Converter drops
   incoming packets which do not match an active transport session
   entry.

   An example is shown in Figure 9.

                                        Transport
         Client and                         Converter          Server

            @:C                        @:Tc|Te                @:S
             |                             |                  |
             |src:C                  dst:Tc|src:Te       dst:S|
             |-------SYN [->S:port]------->|-------SYN------->|
             |                             |                  |
             |dst:C                  src:Tc|dst:Te       src:S|
             |<---------SYN/ACK------------|<-----SYN/ACK-----|
             |                             |                  |
             |src:C                  dst:Tc|src:Te       dst:S|
             |------------ACK------------->|-------ACK------->|
             |                             |                  |
             |              ...            |    ...           |

Legend:
  Tc: IP address used by the Transport Converter over each established
   connection.  This header indicates both for its customer-facing
      interface.
  Te: IP address used by the version of Transport Converter for its Internet-facing
      interface.

                         Figure 9: Address Sharing

5.  Sample Examples

5.1.  Outgoing Converter-Assisted Multipath TCP Connections

   As an example, let us consider how the protocol
   used and Convert Protocol can help the length
   deployment of Multipath TCP.  We assume that both the Convert message.

   The Client and the
   Transport Converter MUST send support Multipath TCP, but consider two different
   cases depending on whether the fixed-sized
   header, shown in Figure 12, as Server supports Multipath TCP or not.

   As a reminder, a Multipath TCP connection is created by placing the first four bytes
   MP_CAPABLE (MPC) option in the SYN sent by the Client.

   Figure 10 describes the operation of the
   bytestream.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------+---------------+-------------------------------+ Transport Converter if the
   Server does not support Multipath TCP.

                           Transport
       Client              Converter              Server
          |SYN, MPC           |  Version                      |  Total Length
          |[->Server:port]    |          Unassigned         SYN, MPC     |
          |------------------>|--------------------->|
          |<------------------|<---------------------|
          |  SYN+ACK,MPC [.]  |      SYN+ACK         |
          |------------------>|--------------------->|
          |     ACK, MPC      |          ACK         |
          |        ...        |          ...         |
      +---------------+---------------+-------------------------------+

     Figure 12: The Convert Fixed Header 10: Establishment of a Multipath TCP Connection through a
   Transport Converter towards a Server that does not support Multipath
                                    TCP

   The Version is encoded as an 8 bits unsigned integer value.  This
   document specifies version 1.  Version 0 is reserved Client tries to initiate a Multipath TCP connection by this document
   and MUST NOT be used. sending a
   SYN with the MP_CAPABLE option (MPC in Figure 10).  The Total Length is SYN includes
   the address and port number of 32 bits word, including the header,
   of the bytestream target Server, that are consumed extracted
   and used by the Convert messages.  Since
   Total Length is also an 8 bits unsigned integer, those messages
   cannot consume more than 1020 bytes of data.  This limits the number
   of bytes that a Transport Converter needs to process.  A Total Length
   of zero is invalid and the connection MUST be reset upon reception of initiate a header Multipath TCP
   connection towards this Server.  Since the Server does not support
   Multipath TCP, it replies with such total length. a SYN+ACK that does not contain the
   MP_CAPABLE option.  The Unassigned field MUST be set to zero in this version of Transport Converter notes that the
   protocol.  These bits are available for future use [RFC8126].

   Data added by connection
   with the Convert Protocol Server does not support Multipath TCP and returns the
   extended TCP header received from the Server to the Client.

   Note that, if the TCP bytestream connection is
   unambiguously distinguished from payload data reset for some reason, the
   Converter tears down the Multipath TCP connection by transmitting a
   MP_FASTCLOSE.  Likewise, if the Total Length
   field in Multipath TCP connection ends with
   the Convert messages.

5.2.  Convert TLVs

5.2.1.  Generic Convert TLV Format

   The Convert Protocol uses variable length messages that are encoded transmission of DATA_FINs, the Converter terminates the TCP
   connection by using FIN segments.  As a side note, given that with
   Multipath TCP, RST only has the generic TLV format depicted in Figure 13.

   The length scope of all TLVs used by the Convert Protocol is always subflow and will only
   close the concerned subflow but not affect the remaining subflows,
   the Converter does not terminate the downstream TCP connection upon
   receipt of an RST over a
   multiple Multipath subflow.

   Figure 11 considers a Server that supports Multipath TCP.  In this
   case, it replies to the SYN sent by the Transport Converter with the
   MP_CAPABLE option.  Upon reception of four bytes.  All TLVs are aligned on 32 bits boundaries.
   All TLV fields are encoded using this SYN+ACK, the network byte order.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------+---------------+-------------------------------+
      |     Type      |     Length    |             Value  ...        |
      +---------------+---------------+-------------------------------+
      //              ...   (optional) Value                         //
      +---------------------------------------------------------------+

                   Figure 13: Convert Generic TLV Format

   The Length field covers Type, Length, and Value fields.  It is
   expressed in units Transport
   Converter confirms the establishment of 32 bits words.  If necessary, Value MUST be
   padded with zeroes so the connection to the Client
   and indicates to the Client that the length of Server supports Multipath TCP.
   With this information, the TLV is a multiple of 32
   bits.

   A given TLV MUST only appear once on a connection.  If two or more
   instances of Client has discovered that the same TLV are exchanged over a Convert connection, Server
   supports Multipath TCP.  This will enable the associated Client to bypass the
   Transport Converter for the subsequent Multipath TCP connections MUST be closed.

5.2.2.  Summary of Supported Convert TLVs

   This document specifies the following Convert TLVs:

   +------+-----+----------+------------------------------------------+
   | Type | Hex |  Length  | Description that
   it will initiate towards this Server.

                           Transport
       Client              Converter              Server
          |SYN, MPC           |
   +------+-----+----------+------------------------------------------+                      |   1
          |[->Server:port]    | 0x1         SYN, MPC     |    1
          |------------------>|--------------------->|
          |<------------------|<---------------------|
          |SYN+ACK, MPC       | Info TLV      SYN+ACK, MPC    |
          |[MPC supported]    |  10                      | 0xA
          |------------------>|--------------------->|
          | Variable     ACK, MPC      | Connect TLV        ACK, MPC      |
          |  20        ...        | 0x14| Variable          ...         | Extended

     Figure 11: Establishment of a Multipath TCP Header TLV                  |
   |  21  | 0x15| Variable | Supported Connection through a
                 Converter towards an MPTCP-capable Server

5.2.  Incoming Converter-Assisted Multipath TCP Extensions TLV             |
   |  22  | 0x16| Variable | Cookie TLV                               |
   |  30  | 0x1E| Variable | Error TLV                                |
   +------+-----+----------+------------------------------------------+ Connection

   An example of an incoming Converter-assisted Multipath TCP connection
   is depicted in Figure 14: The TLVs used by 12.  In order to support incoming connections
   from remote hosts, the Convert Protocol

   Type 0x0 is a reserved valued.  Implementations MUST discard messages
   with such TLV.

   The Client typically sends in may use PCP [RFC6887] to instruct the first connection it established
   with a
   Transport Converter to create dynamic mappings.  Those mappings will
   be used by the Info TLV (Section 5.2.3) Transport Converter to intercept an incoming TCP
   connection destined to learn its
   capabilities.  Assuming the Client is authorized to invoke and convert it into a Multipath TCP
   connection.

   Typically, the
   Transport Converter, Client sends a PCP request to the latter replies with Converter asking to
   create an explicit TCP mapping for (internal IP address, internal
   port number).  The Converter accepts the Supported request by creating a TCP
   Extensions TLV (Section 5.2.4).
   mapping (internal IP address, internal port number, external IP
   address, external port number).  The Client external IP address and external
   port number will be then advertised using an out-of-band mechanism so
   that remote hosts can request the establishment of initiate TCP connections to servers by
   using the Connect TLV (Section 5.2.5).  If Client via the connection can
   Converter.  Note that the external and internal information may be
   established with
   the final server, same.

   Then, when the Transport Converter replies
   with receives an incoming SYN, it checks its
   mapping table to verify if there is an active mapping matching the Extended TCP Header TLV (Section 5.2.6).
   destination IP address and destination port of that SYN.  If not, no entry
   is found, the
   Transport Converter returns an Error TLV (Section 5.2.8) and then
   closes silently ignores the connection.

   When message.  If an error entry is encountered
   found, the Converter inserts an Error MP_CAPABLE option and Connect TLV in
   the SYN packet, rewrites the source IP address to one of its IP
   addresses and, eventually, the destination IP address and port number
   in accordance with the appropriate error
   code MUST be returned by information stored in the Transport Converter.

5.2.3.  The Info TLV

   The Info TLV (Figure 15) is an optional TLV which can mapping.  SYN+ACK
   and ACK will be sent by a then exchanged between the Client and the Converter
   to request confirm the establishment of the initial subflow.  The Client can
   add new subflows following normal Multipath TCP extensions that are supported by procedures.

                           Transport             Remote
       Client              Converter              Host
         |                     |                    |
         |<--------------------|<-------------------|
         |SYN, MPC             |         SYN        |
         |[Remote Host:port]   |                    |
         |-------------------->|------------------->|
         |      SYN+ACK, MPC   |       SYN+ACK      |
         |<--------------------|<-------------------|
         |       ACK, MPC      |           ACK      |
         |        ...          |          ...       |

     Figure 12: Establishment of an Incoming Multipath TCP Connection
                       through a Transport Converter. Converter

   It is typically sent on out of scope of this document to define specific Convert TLVs
   to manage incoming connections.  These TLVs can be defined in a
   separate document.

6.  The Convert Protocol (Convert)

   This section defines the first connection Convert Protocol (Convert, for short)
   messages that are exchanged between a Client establishes with and a Transport
   Converter.

   The Transport Converter to learn its
   capabilities.  Assuming listens on a Client dedicated TCP port number for
   Convert messages from Clients.  That port number is entitled to invoke the Transport
   Converter, configured by an
   administrator.

   Convert messages MUST be included as the latter replies with first bytes of the Supported TCP Extensions TLV
   described
   bytestream.  All Convert messages starts with a 32 bits long fixed
   header (Section 6.1) followed by one or more Convert TLVs (Type,
   Length, Value) (Section 6.2).

   o  Implementation note 1: Several implementers expressed concerns
      about the use of TFO.  As a reminder, the TFO Cookie protects from
      some attack scenarios that affect open servers like web servers.
      The Convert Protocol is different and, as discussed in Section 5.2.4. RFC7413,
      there are different ways to protect from such attacks.  Instead of
      using a TFO cookie inside the TCP options, which consumes precious
      space in the extended TCP header, the Convert Protocol supports
      the utilization of a Cookie that is placed in the SYN payload.
      This provides the same level of protection as a TFO Cookie in
      environments were such protection is required.

   o  Implementation note 2: Error messages are not included in RST but
      sent in the bytestream.  Implementers have indicated that
      processing RST on clients was difficult on some platforms.  This
      design simplifies client implementations.

6.1.  The Convert Fixed Header

   The Convert Protocol uses a 32 bits long fixed header that is sent by
   both the Client and the Transport Converter over each established
   connection.  This header indicates both the version of the protocol
   used and the length of the Convert message.

   The Client and the Transport Converter MUST send the fixed-sized
   header, shown in Figure 13, as the first four bytes of the
   bytestream.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |     Type=0x1  Version      |  Total Length |             Zero          Unassigned           |
   +---------------+---------------+-------------------------------+

                    Figure 15: 13: The Info TLV

5.2.4.  Supported TCP Extensions TLV Convert Fixed Header

   The Supported TCP Extensions TLV (Figure 16) Version is encoded as an 8 bits unsigned integer value.  This
   document specifies version 1.  Version 0 is reserved by this document
   and MUST NOT be used.

   The Total Length is used by a Transport
   Converter to announce the TCP options for which it provides number of 32 bits word, including the header,
   of the bytestream that are consumed by the Convert messages.  Since
   Total Length is also an 8 bits unsigned integer, those messages
   cannot consume more than 1020 bytes of data.  This limits the number
   of bytes that a
   conversion service.  A Transport Converter SHOULD include needs to process.  A Total Length
   of zero is invalid and the connection MUST be reset upon reception of
   a header with such total length.

   The Unassigned field MUST be set to zero in this
   list version of the TCP options that it accepts from Clients; these options
   protocol.  These bits are
   included by available for future use.

   The Total Length field unambiguously marks the Transport Converter number of 32 bits
   words that carry Convert TLVs in the SYN packets beginning of the bytestream.

6.2.  Convert TLVs

6.2.1.  Generic Convert TLV Format

   The Convert Protocol uses variable length messages that it sends
   to initiate connections.

   Each supported TCP option is are encoded with its TCP option Kind listed
   in
   using the "TCP Parameters" registry maintained generic TLV format depicted in Figure 14.

   The length of all TLVs used by IANA. the Convert Protocol is always a
   multiple of four bytes.  All TLVs are aligned on 32 bits boundaries.
   All TLV fields are encoded using the network byte order.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------+---------------+-------------------------------+
      |     Type=0x15     Type      |     Length    |           Unassigned          |
      +---------------+---------------+-------------------------------+
      |     Kind #1   |     Kind #2   |             Value  ...        |
      +---------------+---------------+-------------------------------+
      /
      //              ...                              /
      /                                                               /   (optional) Value                         //
      +---------------------------------------------------------------+

                   Figure 16: The Supported TCP Extensions 14: Convert Generic TLV

   TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by
   all TCP implementations Format

   The Length field covers Type, Length, and thus MUST NOT appear Value fields.  It is
   expressed in this list.

   The list units of Supported TCP Extensions is padded with 0 to end on a 32 bits boundary.

   For example, if the Transport Converter supports Multipath TCP,
   Kind=30 will words.  If necessary, Value MUST be present in the Supported TCP Extensions TLV
   padded with zeroes so that it
   returns in response to Info TLV.

5.2.5.  Connect TLV

   The Connect the length of the TLV (Figure 17) is used to request the establishment a multiple of 32
   bits.

   A given TLV MUST only appear once on a
   connection via connection.  If a Transport Converter.  This connection can be from Client
   receives two or
   to more instances of the same TLV over a Client.

   The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain Convert
   connection, it MUST reset the destination port number and IP address associated TCP connection.  If a
   Converter receives two or more instances of the Server, for
   outgoing connections.  For incoming connections destined to same TLV over a Client
   serviced via
   Convert connection, it MUST return a Transport Converter, these fields convey the source
   port number Malformed Message Error TLV and IP address.

   The Remote Peer IP Address MUST be encoded as an IPv6 address.  IPv4
   addresses MUST be encoded using
   close the IPv4-Mapped IPv6 Address format
   defined in [RFC4291].  Further, Remote Peer IP address field MUST NOT
   include multicast, broadcast, and host loopback addresses [RFC6890].
   Connect TLVs witch such messages MUST be discarded by the Transport
   Converter.

   We distinguish two types associated TCP connection.

6.2.2.  Summary of Connect TLV based on their length: (1) Supported Convert TLVs

   This document specifies the base Connect following Convert TLVs:

   +------+-----+----------+------------------------------------------+
   | Type | Hex |  Length  | Description                              |
   +------+-----+----------+------------------------------------------+
   |   1  | 0x1 |    1     | Info TLV has a length of 20 bytes and contains a remote
   address and a remote port, (2) the extended                                 |
   |  10  | 0xA | Variable | Connect TLV spans more
   than                              |
   |  20 bytes and also includes the optional 'TCP Options' field.
   This field is used to specify how specific  | 0x14| Variable | Extended TCP options should be
   advertised by the Transport Converter to the server.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------+---------------+-------------------------------+ Header TLV                  |     Type=0xA
   |     Length  21  |      Remote Peer Port 0x15| Variable |
      +---------------+---------------+-------------------------------+ Supported TCP Extensions TLV             |
   |  22  |         Remote Peer IP Address (128 bits) 0x16| Variable | Cookie TLV                               |
   |  30  | 0x1E| Variable |
      +---------------------------------------------------------------+
      /                          TCP Options (Variable)               /
      /                              ...                              /
      +---------------------------------------------------------------+

                        Figure 17: The Connect Error TLV                                |
   +------+-----+----------+------------------------------------------+

             Figure 15: The 'TCP Options' field TLVs used by the Convert Protocol

   Type 0x0 is a variable length field that carries reserved value.  If a
   list of TCP option fields (Figure 18).  Each TCP option field is
   encoded as Client receives a block TLV of 2+n bytes where the first byte is type
   0x0, it MUST reset the associated TCP
   option Kind and the second byte is the length connection.  If a Converter
   receives a TLV of type 0x0, it MUST return an Unsupported Message
   Error TLV and close the associated TCP option as
   specified in [RFC0793].  The minimum value for the TCP option Length
   is 2.  The TCP options that do not include a length sub-field, i.e.,
   option types 0 (EOL) and 1 (NOP) defined in [RFC0793] connection.

   Implementations MUST NOT be
   placed inside reset the TCP options field connection upon reception of the Connect messages
   with such TLV.

   The optional
   Value field contains the variable-length part of the TCP option.  A
   length of two indicates the absence of Client typically sends in the Value field.  The TCP
   options field always ends on a 32 bits boundary after being padded
   with zeros.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------+---------------+---------------+---------------+
      |  TCPOpt kind  | TCPOpt Length | Value  (opt)  |  ....         |
      +---------------+---------------+---------------+---------------+
      |                             ....                              |
      +---------------------------------------------------------------+
      |                              ...                              |
      +---------------------------------------------------------------+

                     Figure 18: The TCP Options Field

   Upon reception of a Connect TLV, and absent any policy (e.g., rate-
   limit) or resource exhaustion conditions, a Transport Converter
   attempts to establish a first connection to the address and port that it
   contains.  The established
   with a Transport Converter MUST use by default the TCP
   options that correspond Info TLV (Section 6.2.3) to learn its local policy
   capabilities.  Assuming the Client is authorized to establish this
   connection.  These are invoke the options that it advertises in
   Transport Converter, the latter replies with the Supported TCP
   Extensions TLV.

   Upon reception of an extended Connect TLV, and absent any rate limit
   policy or resource exhaustion conditions, a Transport Converter MUST
   attempt to establish a connection to the address and port that it
   contains.  It MUST include TLV (Section 6.2.4).

   The Client can request the options establishment of the 'TCP Options' sub-field
   in the SYN sent connections to servers by
   using the Server in addition to Connect TLV (Section 6.2.5).  If the TCP options that it
   would have used according to its local policies.  For connection can be
   established with the TCP options
   that are listed without an optional value, final server, the Transport Converter
   MUST generate its own value.  For replies
   with the Extended TCP options that are included
   in Header TLV (Section 6.2.6).  If not, the 'TCP Options' field with
   Transport Converter returns an optional value, it MUST copy the
   entire option for use in the connection with Error TLV (Section 6.2.8) and then
   closes the destination peer.
   This feature is required to support TCP Fast Open. connection.  The Transport Converter may discard MUST NOT send a Connect TLV request for various
   reasons (e.g., authorization failed, out RST
   immediately after the detection of resources, invalid
   address type).  An an error message indicating to let the encountered Error TLV
   reach the Client.  As explained later, the Client will anyway send a
   RST upon reception of the Error TLV.

   When an error is
   returned to encountered an Error TLV with the requesting Client (Section 5.2.8).  In order to
   prevent denial-of-service attacks, appropriate error messages sent to a Client
   SHOULD
   code MUST be rate-limited.

5.2.6.  Extended TCP Header returned by the Transport Converter.

6.2.3.  The Info TLV

   The Extended TCP Header Info TLV (Figure 19) 16) is used an optional TLV which can be sent by the Transport
   Converter to send to the a
   Client to request the extended TCP header extensions that was
   returned are supported by the Server in the SYN+ACK packet.  This TLV a
   Transport Converter.  It is only typically sent
   if on the first connection
   that a Client sent establishes with a Connect TLV Transport Converter to request the establishment of learn its
   capabilities.  Assuming a
   connection. Client is entitled to invoke the Transport
   Converter, the latter replies with the Supported TCP Extensions TLV
   described in Section 6.2.4.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |     Type=0x14     Type=0x1  |     Length    |           Unassigned             Zero              |
   +---------------+---------------+-------------------------------+
      /               Returned Extended TCP header                    /
      /                              ...                              /
      +---------------------------------------------------------------+

                          Figure 19: 16: The Extended Info TLV

6.2.4.  Supported TCP Header Extensions TLV

   The Returned Extended Supported TCP header field Extensions TLV (Figure 17) is a copy of the extended
   header that was received in the SYN+ACK used by the a Transport Converter.

   The Unassigned field MUST be set
   Converter to zero by the sender and ignored by announce the receiver.  These bits are available TCP options for future use [RFC8126].

5.2.7.  The Cookie TLV

   The Cookie TLV (Figure 20 is an optional TLV which use is similar to
   the TCP Fast Open Cookie [RFC7413]. it provides a
   conversion service.  A Transport Converter may want
   to verify that a Client can receive SHOULD include in this
   list the packets TCP options that it sends to
   prevent attacks from spoofed addresses.  This verification can be
   done by using a Cookie that supports in outgoing SYNs.

   Each supported TCP option is bound to, for example, the IP
   address(es) of the Client.  This Cookie can be configured on encoded with its TCP option Kind listed
   in the
   Client by means that are outside of this document or provided "TCP Parameters" registry maintained by the
   Transport Converter as follows.

   A Transport Converter that has been configured to use the optional
   Cookie TLV MUST verify the presence of this TLV in the payload of the
   received SYN.  If this TLV is present, the Transport Converter MUST
   validate the Cookie by means similar to those in Section 4.1.2 of
   [RFC7413] (i.e., IsCookieValid).  If the Cookie is valid, the
   connection establishment procedure can continue.  Otherwise, the
   Transport Converter MUST return an Error TLV set to "Not Authorized"
   and close the connection.

   If the received SYN did not contain a Cookie TLV, and cookie
   validation is required, the Transport Converter should compute a
   Cookie bound to this Client address and return a Convert message
   containing the fixed header, an Error TLV set to "Missing Cookie" and
   the computed Cookie and close the connection.  The Client will react
   to this error by storing the received Cookie in its cache and attempt
   to reestablish a new connection to the Transport Converter that
   includes the Cookie TLV.

   The format of the Cookie TLV is shown in Figure 20. IANA.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+-------------------------------+
    |     Type=0x16     Type=0x15 |     Length    |             Zero           Unassigned          |
    +---------------+---------------+-------------------------------+
    |     Kind #1   |     Kind #2   |           ...                 |
    +---------------+---------------+-------------------------------+
    /                        Opaque  Cookie                              ...                              /
    /                              ...                                                               /
    +---------------------------------------------------------------+

                Figure 20: 17: The Cookie TLV

5.2.8.  Error Supported TCP Extensions TLV

   TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by
   all TCP implementations and thus MUST NOT appear in this list.

   The Error TLV (Figure 21) list of Supported TCP Extensions is meant padded with 0 to provide information about some
   errors that occurred during the processing of a Convert message.
   This TLV has a variable length.  Upon reception of an Error TLV, end on a
   Client MUST close 32
   bits boundary.

   For example, if the Transport Converter supports Multipath TCP,
   Kind=30 will be present in the Supported TCP Extensions TLV that it
   returns in response to Info TLV.

6.2.5.  Connect TLV

   The Connect TLV (Figure 18) is used to request the establishment of a
   connection via a Transport Converter.  This connection can be from or
   to a Client.

   The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain
   the destination port number and IP address of the Server, for
   outgoing connections.  For incoming connections destined to a Client
   serviced via a Transport Converter, these fields convey the source
   port number and IP address of the SYN packet received by the
   Transport Converter from the server.

   The Remote Peer IP Address MUST be encoded as an IPv6 address.  IPv4
   addresses MUST be encoded using the IPv4-Mapped IPv6 Address format
   defined in [RFC4291].  Further, Remote Peer IP address field MUST NOT
   include multicast, broadcast, and host loopback addresses [RFC6890].
   If a Converter receives a Connect TLVs witch such invalid addresses,
   it MUST reply with a Malformed Message Error TLV and close the
   associated TCP connection.

   We distinguish two types of Connect TLV based on their length: (1)
   the Base Connect TLV has a length of 20 bytes and contains a remote
   address and a remote port (Figure 18), (2) the Extended Connect TLV
   spans more than 20 bytes and also includes the optional 'TCP Options'
   field (Figure 19).  This field is used to request the advertisement
   of specific TCP options to the server.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------+---------------+----------------+--------------+
    +---------------+---------------+-------------------------------+
    |     Type=0x1E     Type=0xA  |     Length    |    Error Code      Remote Peer Port         |  Value
    +---------------+---------------+-------------------------------+
    |
      +---------------+---------------+----------------+--------------+
      //                                                               |
    |         Remote Peer IP Address (128 bits)                     |
    |                                                               |
    |                                                               |
    +---------------------------------------------------------------+

                      Figure 18: The Base Connect TLV

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+-------------------------------+
    |     Type=0xA  |     Length    |      Remote Peer Port         |
    +---------------+---------------+-------------------------------+
    |                                                               |
    |         Remote Peer IP Address (128 bits)                     |
    |                                                               |
    |                                                               |
    +---------------------------------------------------------------+
    /                          TCP Options (Variable)               /
    /                              ...   (optional) Value                         //                              /
    +---------------------------------------------------------------+

                    Figure 21: 19: The Error Extended Connect TLV

   Different types

   The 'TCP Options' field is a variable length field that carries a
   list of errors can occur while processing Convert
   messages. TCP option fields (Figure 20).  Each error TCP option field is identified by an Error Code represented
   encoded as
   an unsigned integer.  Four classes a block of error codes are defined:

   o  Message validation 2+n bytes where the first byte is the TCP
   option Kind and processing errors (0-31 range): returned
      upon reception the second byte is the length of an invalid message (including valid messages but
      with invalid or unknown TLVs).

   o  Client-side errors (32-63 range): the Client sent a request TCP option as
   specified in [RFC0793].  The minimum value for the TCP option Length
   is 2.  The TCP options that
      could do not include a length sub-field, i.e.,
   option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be accepted by
   placed inside the Transport Converter (e.g.,
      unsupported operation).

   o  Converter-side errors (64-95 range): problems encountered on TCP options field of the
      Transport Converter (e.g., lack Connect TLV.  The optional
   Value field contains the variable-length part of resources) which prevent it
      from fulfilling the Client's request.

   o  Errors caused by TCP option.  A
   length of two indicates the destination server (96-127 range): absence of the final
      destination could not be reached or it replied with a reset. Value field.  The following error codes are defined in this document:

   o  Unsupported Version (0): TCP
   options field always ends on a 32 bits boundary after being padded
   with zeros.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+---------------+---------------+
    |  TCPOpt kind  | TCPOpt Length | Value  (opt)  |  ....         |
    +---------------+---------------+---------------+---------------+
    |                             ....                              |
    +---------------------------------------------------------------+
    |                              ...                              |
    +---------------------------------------------------------------+

                     Figure 20: The version number indicated in the fixed
      header TCP Options Field

   Upon reception of a message received from a peer is not supported.

      This error code MUST be generated by Base Connect TLV, and absent any policy (e.g.,
   rate-limit) or resource exhaustion conditions, a Transport Converter (or
      Client) when it receives a request having
   attempts to establish a version number connection to the address and port that it
      does not support.
   contains.  The value field Transport Converter MUST be set to the version supported use by default the
      Transport Converter (or Client).  When multiple versions TCP
   options that correspond to its local policy to establish this
   connection.  These are
      supported by the options that it advertises in the
   Supported TCP Extensions TLV.

   Upon reception of an Extended Connect TLV, a Transport Converter (or Client),
   first checks whether it includes supports the
      list of supported version TCP Options listed in the value field; each version is
      encoded in 8 bits.  The list of supported versions should be
      padded with zeros to end on a 32 bits boundary.

      Upon receipt of this 'TCP
   Options' field.  If not, it returns an error code, message (Section 6.2.8).
   If the Client (or above check succeeded and absent any rate limit policy or
   resource exhaustion conditions, a Transport
      Converter) checks whether Converter MUST attempt to
   establish a connection to the address and port that it supports one of contains.  It
   MUST include in the versions returned
      by SYN that it sends to the Transport Converter (or Client).  The highest common
      supported version MUST be used by Server the Client (or Transport
      Converter) options
   listed in subsequent exchanges with the Transport Converter
      (or Client).

   o  Malformed Message (1): This error code is sent 'TCP Options' sub-field and the TCP options that it
   would have used according to indicate its local policies.  For the TCP options
   that a
      message received from a peer is can not be successfully parsed and
      validated.

      Typically, this error code is sent by are included in the TCP Options field without an optional value,
   the Transport Converter if
      it receives a Connect TLV enclosing a multicast, broadcast, or
      loopback IP address.

      To ease troubleshooting, MUST generate its own value.  For the value TCP
   options that are included in the 'TCP Options' field with an optional
   value, it MUST echo copy the received
      message shifted by one byte to keep entire option in the SYN sent to original alignment of the
      message.

   o  Unsupported Message (2): remote
   server.  This error code feature is sent required to indicate that
      a message type received from support TCP Fast Open.  See
   Section 7 for a peer is not supported.

      To ease troubleshooting, the value field MUST echo the received
      message shifted by one byte to keep to original alignment detailed discussion of the
      message.

   o  Missing Cookie (3): If a different types of TCP
   options.

   The Transport Converter requires the
      utilization may refuse a Connect TLV request for various
   reasons (e.g., authorization failed, out of Cookies resources, invalid
   address type, unsupported TCP option).  An error message indicating
   the encountered error is returned to the requesting Client
   (Section 6.2.8).  In order to prevent spoofing attacks and denial-of-service attacks,
   error messages sent to a Cookie Client SHOULD be rate-limited.

6.2.6.  Extended TCP Header TLV was not included in

   The Extended TCP Header TLV (Figure 21) is used by the Convert message, Transport
   Converter to return to the Client the TCP options that were returned
   by the Server in the SYN+ACK packet.  A Transport Converter MUST
   return this error to TLV if the requesting client. Client sent an Extended Connect TLV and the
   connection was accepted by the server.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+-------------------------------+
    |     Type=0x14 |     Length    |           Unassigned          |
    +---------------+---------------+-------------------------------+
    /               Returned Extended TCP header                    /
    /                              ...                              /
    +---------------------------------------------------------------+

                  Figure 21: The
      first byte Extended TCP Header TLV

   The Returned Extended TCP header field is a copy of the value TCP Options
   that were included in the SYN+ACK received by the Transport
   Converter.

   The Unassigned field MUST be set to zero and by the
      remaining bytes of sender and ignored by
   the Error receiver.

6.2.7.  The Cookie TLV contain the

   The Cookie computed by TLV (Figure 22) is an optional TLV which is similar to the
   TCP Fast Open Cookie [RFC7413].  A Transport Converter for this Client.

      A may want to
   verify that a Client which receives this error code MUST cache can receive the received
      Cookie and include packets that it in subsequent Convert messages sent sends to that
      Transport Converter.

   o  Not Authorized (32): prevent
   attacks from spoofed addresses.  This error code indicates verification can be done by
   using a Cookie that is bound to, for example, the Transport
      Converter refused to create a connection because of a lack IP address(es) of
      authorization (e.g., administratively prohibited, authorization
      failure, invalid Cookie TLV, etc.).  The Value field MUST be set
      to zero.
   the Client.  This error code MUST Cookie can be sent configured on the Client by means
   that are outside of this document or provided by the Transport
   Converter when a
      request cannot be successfully processed because the authorization
      failed.

   o  Unsupported TCP Option (33): as follows.

   A TCP option Transport Converter that the Client
      requested to advertise has been configured to use the final Server cannot be safely used.

      The Value field is set to optional
   Cookie TLV MUST verify the type presence of the unsupported TCP option.
      If several unsupported TCP options were specified this TLV in the Connect
      TLV, then the list payload of unsupported TCP options the
   received SYN.  If this TLV is returned.  The
      list of unsupported TCP options MUST be padded with zeros to end
      on a 32 bits boundary.

   o  Resource Exceeded (64): This error indicates that present, the Transport Converter does not have enough resources to perform the request.

      This error MUST be sent by
   validate the Transport Converter when it does
      not have sufficient resources Cookie by means similar to handle a new connection.  The
      Transport Converter may indicate those in the Value field the suggested
      delay (in seconds) that the Client SHOULD wait before soliciting
      the Transport Converter for a new proxied connection.  A Value of
      zero corresponds to a default delay Section 4.1.2 of at least 30 seconds.

   o  Network Failure (65): This error indicates that
   [RFC7413] (i.e., IsCookieValid).  If the Transport
      Converter Cookie is experiencing a network failure to proxy valid, the
   connection establishment procedure can continue.  Otherwise, the request.

      The
   Transport Converter MUST send this error code when it
      experiences forwarding issues return an Error TLV set to proxy a connection.  The
      Transport Converter may indicate in the Value field "Not Authorized"
   and close the suggested
      delay (in seconds) that connection.

   If the Client SHOULD wait before soliciting received SYN did not contain a Cookie TLV, and cookie
   validation is required, the Transport Converter for MAY compute a new proxied connection.  A Value of
      zero corresponds Cookie
   bound to this Client address and return a default delay of at least 30 seconds.

   o  Connection Reset (96): This error indicates that Convert message containing
   the final
      destination responded with fixed header, an RST packet.  The Value field MUST be Error TLV set to zero.

   o  Destination Unreachable (97): This error indicates that an ICMP
      destination unreachable, port unreachable, or network unreachable
      was received by "Missing Cookie" and the Transport Converter.
   computed Cookie and close the connection.  The Value field MUST
      echo Client will react to
   this error by first issuing a reset to terminate the Code field of connection.  It
   also stores the received ICMP message.

   Figure 22 summarizes Cookie in its cache and attempts to
   reestablish a new connection to the different error codes.

    +-------+------+-----------------------------------------------+
    | Error | Hex  | Description                                   |
    +-------+------+-----------------------------------------------+
    | Transport Converter that includes
   the Cookie TLV.

   The format of the Cookie TLV is shown in Figure 22.

                         1                   2                   3
     0  | 0x00 | Unsupported Version                           |
    | 1  | 0x01 | Malformed Message                             |
    | 2  | 0x02 | Unsupported Message                           |
    | 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+-------------------------------+
    | 0x03 | Missing Cookie                                |
    |   32  | 0x20 | Not Authorized                                |
    |   33  | 0x21 | Unsupported TCP Option                        |
    |   64  | 0x40 | Resource Exceeded                             |
    |   65  | 0x41 | Network Failure                               |     Type=0x16 |   96     Length    | 0x60             Zero              | Connection Reset
    +---------------+---------------+-------------------------------+
    /                        Opaque  Cookie                         /
    /                              ...                              /
    +---------------------------------------------------------------+

                         Figure 22: The Cookie TLV

6.2.8.  Error TLV

   The Error TLV (Figure 23) is meant to provide information about some
   errors that occurred during the processing of a Convert message.
   This TLV has a variable length.  Upon reception of an Error TLV, a
   Client MUST reset the associated connection.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+----------------+--------------+
    |     Type=0x1E |   97     Length    | 0x61    Error Code  | Destination Unreachable  Value       |
    +-------+------+-----------------------------------------------+
    +---------------+---------------+----------------+--------------+
    //              ...   (optional) Value                         //
    +---------------------------------------------------------------+

                         Figure 22: Convert 23: The Error Values

6.  Compatibility TLV

   Different types of Specific TCP Options errors can occur while processing Convert
   messages.  Each error is identified by an Error Code represented as
   an unsigned integer.  Four classes of error codes are defined:

   o  Message validation and processing errors (0-31 range): returned
      upon reception of an invalid message (including valid messages but
      with invalid or unknown TLVs).

   o  Client-side errors (32-63 range): the Conversion Service

   In this section, we discuss how several standard track TCP options
   can Client sent a request that
      could not be supported through accepted by the Convert Protocol.  The non-standard
   track options and Transport Converter (e.g.,
      unsupported operation).

   o  Converter-side errors (64-95 range): problems encountered on the experimental options will
      Transport Converter (e.g., lack of resources) which prevent it
      from fulfilling the Client's request.

   o  Errors caused by the destination server (96-127 range): the final
      destination could not be discussed in other
   documents.

6.1.  Base TCP Options

   Three TCP options were initially reached or it replied with a reset.

   The following error codes are defined in [RFC0793]: End-of-Option
   List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size
   (Kind=2). this document:

   o  Unsupported Version (0): The first two options are mainly used to pad version number indicated in the TCP
   header.  There is no reason for fixed
      header of a client to request message received from a Transport
   Converter to specifically send these options towards the final
   destination.

   The Maximum Segment Size option (Kind=2) peer is used not supported.

      This error code MUST be generated by a host to
   indicate the largest segment peer (e.g.  Transport
      Converter) when it receives a request having a version number that
      it can receive over each
   connection.  This does not support.

      The value is function of field MUST be set to the stack that terminates version supported by the
   TCP connection.  There peer.
      When multiple versions are supported by the peer, it includes the
      list of supported version in the value field; each version is no reason for a Client
      encoded in 8 bits.  The list of supported versions should be
      padded with zeros to request end on a
   Transport Converter 32 bits boundary.

      Upon receipt of this error code, the remote peer (e.g., Client)
      checks whether it supports one of the versions returned by the
      peer.  The highest common supported version MUST be used by the
      remote peer in subsequent exchanges with the peer.

   o  Malformed Message (1): This error code is sent to advertise indicate that a specific MSS value to
      message received from a remote
   server.

   A peer cannot be successfully parsed and
      validated.

      Typically, this error code is sent by the Transport Converter MUST ignore options with Kind=0, 1 or 2 if they
   appear in
      it receives a Connect TLV.  It MUST NOT announce them in TLV enclosing a Supported
   TCP Extensions TLV.

6.2.  Window Scale (WS)

   The Window Scale (WS) option (Kind=3) is defined in [RFC7323].  As
   for multicast, broadcast, or
      loopback IP address.

      To ease troubleshooting, the MSS option, value field MUST echo the window scale factor that is used for a
   connection strongly depends on received
      message shifted by one byte to keep to original alignment of the TCP stack
      message.

   o  Unsupported Message (2): This error code is sent to indicate that handles the
   connection.  When
      a Transport Converter opens message type received from a TCP connection
   towards a remote server on behalf of a Client, it SHOULD use a WS
   option with a scaling factor that corresponds to Client is not supported.

      To ease troubleshooting, the configuration of
   its stack.  A local configuration MAY allow for WS option in value field MUST echo the
   proxied received
      message shifted by one byte to be function of the scaling factor keep to original alignment of the incoming
   connection.

   There is no benefit from a deployment viewpoint in enabling a Client
   of
      message.

   o  Missing Cookie (3): If a Transport Converter to specifically request requires the
      utilization of
   the WS option (Kind=3) with a specific scaling factor towards a
   remote Server.  For this reason, Cookies to prevent spoofing attacks and a Cookie
      TLV was not included in the Convert message, the Transport
      Converter MUST ignore
   option Kind=3 if it appears in a Connect TLV.  It MUST NOT announce
   it in a Supported TCP Extensions TLV.

6.3.  Selective Acknowledgments

   Two distinct TCP options were defined return this error to support selective
   acknowledgments in [RFC2018].  This the requesting client.  The
      first one, SACK Permitted
   (Kind=4), is used byte of the value field MUST be set to negotiate zero and the utilization
      remaining bytes of selective
   acknowledgments during the three-way handshake.  The second one, SACK
   (Kind=5), carries Error TLV contain the selective acknowledgments inside regular
   segments.

   The SACK Permitted option (Kind=4) MAY be advertised Cookie computed by a
      the Transport Converter in for this Client.

      A Client which receives this error code SHOULD cache the Supported TCP Extensions TLV.  Clients connected received
      Cookie and include it in subsequent Convert messages sent to
   this that
      Transport Converter.

   o  Not Authorized (32): This error code indicates that the Transport
      Converter MAY include the SACK Permitted option in the
   Connect TLV. refused to create a connection because of a lack of
      authorization (e.g., administratively prohibited, authorization
      failure, invalid Cookie TLV, etc.).  The SACK option (Kind=5) cannot Value field MUST be used during set
      to zero.

      This error code MUST be sent by the three-way
   handshake.  For this reason, a Transport Converter MUST ignore option
   Kind=5 if it appears in a Connect TLV.  It MUST NOT announce it in when a
      request cannot be successfully processed because the authorization
      failed.

   o  Unsupported TCP Option (33): A TCP Supported Extensions TLV.

6.4.  Timestamp

   The Timestamp option was initially defined in [RFC1323] and later
   refined in [RFC7323].  It can be used during that the three-way handshake Client
      requested to advertise to negotiate the utilization final Server cannot be safely used.

      The Value field is set to the type of timestamps during the unsupported TCP connection.
   It is notably used to improve round-trip-time estimations and to
   provide protection against wrapped sequence numbers (PAWS).  As for option.
      If several unsupported TCP options were specified in the WS option, Connect
      TLV, then the timestamps are a property list of a connection and
   there unsupported TCP options is limited benefit in enabling a client returned.  The
      list of unsupported TCP options MUST be padded with zeros to request end
      on a 32 bits boundary.

   o  Resource Exceeded (64): This error indicates that the Transport
      Converter does not have enough resources to use perform the timestamp option request.

      This error MUST be sent by the Transport Converter when establishing a connection it does
      not have sufficient resources to handle a remote server.  Furthermore, new connection.  The
      Transport Converter may indicate in the timestamps that are used by TCP
   stacks are specific to each stack and there is no benefit in enabling
   a client to specify Value field the timestamp value suggested
      delay (in seconds) that a the Client SHOULD wait before soliciting
      the Transport Converter
   could use to establish for a connection new proxied connection.  A Value of
      zero corresponds to a remote server.

   A default delay of at least 30 seconds.

   o  Network Failure (65): This error indicates that the Transport
      Converter MAY advertise the Timestamp option (Kind=8) in is experiencing a network failure to proxy the TCP Supported Extensions TLV. request.

      The clients connected to this Transport Converter MAY include the Timestamp option in the Connect
   TLV but without any timestamp.

6.5.  Multipath TCP

   The Multipath TCP options are defined in [RFC6824].  [RFC6824]
   defines one variable length TCP option (Kind=30) that includes a sub-
   type field to support several Multipath TCP options.  There are
   several operational use cases where clients would like MUST send this error code when it
      experiences forwarding issues to use
   Multipath TCP through proxy a connection.  The
      Transport Converter [IETFJ16].  However, none
   of these use cases require the Client to specify may indicate in the content of Value field the
   Multipath TCP option suggested
      delay (in seconds) that the Client SHOULD wait before soliciting
      the Transport Converter should send to for a
   remote server. new proxied connection.  A Transport Converter which supports Multipath TCP conversion service
   MUST advertise the Multipath TCP option (Kind=30) in the Supported
   TCP Extensions TLV.  Clients serviced by this Transport Converter may
   include the Multipath TCP option in Value of
      zero corresponds to a default delay of at least 30 seconds.

   o  Connection Reset (96): This error indicates that the Connect TLV but without any
   content.

6.6.  TCP Fast Open final
      destination responded with an RST packet.  The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413].
   There are two different usages of this option that need to Value field MUST be
   supported by Transport Converters.  The first utilization of the TCP
   Fast Open cookie option is
      set to request a cookie from the server.  In
   this case, the option is sent with zero.

   o  Destination Unreachable (97): This error indicates that an empty cookie ICMP
      destination unreachable, port unreachable, or network unreachable
      was received by the client and
   the server returns the cookie. Transport Converter.  The second utilization Value field MUST
      echo the Code field of the received ICMP message.

   Figure 24 summarizes the different error codes.

    +-------+------+-----------------------------------------------+
    | Error | Hex  | Description                                   |
    +-------+------+-----------------------------------------------+
    |    0  | 0x00 | Unsupported Version                           |
    |    1  | 0x01 | Malformed Message                             |
    |    2  | 0x02 | Unsupported Message                           |
    |    3  | 0x03 | Missing Cookie                                |
    |   32  | 0x20 | Not Authorized                                |
    |   33  | 0x21 | Unsupported TCP
   Fast Open cookie option is to send a cookie to Option                        |
    |   64  | 0x40 | Resource Exceeded                             |
    |   65  | 0x41 | Network Failure                               |
    |   96  | 0x60 | Connection Reset                              |
    |   97  | 0x61 | Destination Unreachable                       |
    +-------+------+-----------------------------------------------+

                      Figure 24: Convert Error Values

7.  Compatibility of Specific TCP Options with the server. Conversion Service

   In this
   case, the option contains a cookie.

   A Transport Converter MAY advertise the section, we discuss how several deployed standard track TCP Fast Open cookie option
   (Kind=34) in the Supported TCP Extensions TLV.  If a Transport
   Converter has advertised
   options can be supported through the support for Convert Protocol.  The other TCP Fast Open
   options will be discussed in its
   Supported other documents.

7.1.  Base TCP Extensions TLV, it needs Options

   Three TCP options were initially defined in [RFC0793]: End-of-Option
   List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size
   (Kind=2).  The first two options are mainly used to be able pad the TCP
   header.  There is no reason for a client to process two
   types of Connect TLV.  If such request a Transport
   Converter receives a
   Connect TLV with to specifically send these options towards the TCP Fast Open cookie final
   destination.

   The Maximum Segment Size option that does not
   contain (Kind=2) is used by a cookie, host to
   indicate the largest segment that it MUST add an empty TCP Fast Open cookie option in can receive over each
   connection.  This value is function of the SYN sent to stack that terminates the remote server.  If such
   TCP connection.  There is no reason for a Client to request a
   Transport Converter
   receives to advertise a Connect TLV specific MSS value to a remote
   server.

   A Transport Converter MUST ignore options with the TCP Fast Open cookie option that
   contains Kind=0, 1 or 2 if they
   appear in a cookie, it Connect TLV.  It MUST copy the TCP Fast Open cookie option NOT announce them in
   the SYN sent to the remote server.

6.7. a Supported
   TCP User Timeout Extensions TLV.

7.2.  Window Scale (WS)

   The TCP User Timeout Window Scale (WS) option (Kind=3) is defined in [RFC5482].  The associated
   TCP option (Kind=28) does not appear to be widely deployed.

6.8.  TCP-AO

   TCP-AO [RFC5925] provides a technique to authenticate all [RFC7323].  As
   for the packets
   exchanged over MSS option, the window scale factor that is used for a
   connection strongly depends on the TCP connection.  Given stack that handles the nature
   connection.  When a Transport Converter opens a TCP connection
   towards a remote server on behalf of this extension, a Client, it is unlikely that the applications SHOULD use a WS
   option with a scaling factor that require their packets to be
   authenticated end-to-end would want their connections corresponds to pass through
   a converter.  For this reason, we do not recommend the support configuration of the
   TCP-AO
   its stack.  A local configuration MAY allow for WS option by Transport Converters.  The only use cases where it
   could make sense in the
   proxied message to combine TCP-AO and be function of the solution in this document
   are those where scaling factor of the TCP-AO-NAT extension [RFC6978] incoming
   connection.

   There is no benefit from a deployment viewpoint in use.

   A enabling a Client
   of a Transport Converter MUST NOT advertise to specifically request the TCP-AO option (Kind=29)
   in utilization of
   the Supported TCP Extensions TLV.  If WS option (Kind=3) with a specific scaling factor towards a
   remote Server.  For this reason, a Transport Converter
   receives MUST ignore
   option Kind=3 if it appears in a Connect TLV that contains the TCP-AO option, it TLV.  It MUST
   reject the establishment of the connection with error code set to
   "Unsupported TCP Option", except if the TCP-AO-NAT option is used.

6.9. NOT announce
   it in a Supported TCP Experimental Options

   The Extensions TLV.

7.3.  Selective Acknowledgments

   Two distinct TCP Experimental options are were defined to support selective
   acknowledgments in [RFC4727].  Given [RFC2018].  This first one, SACK Permitted
   (Kind=4), is used to negotiate the
   variety utilization of semantics for these options and their experimental nature,
   it is impossible to discuss them in details in this document.

7.  Interactions with Middleboxes selective
   acknowledgments during the three-way handshake.  The Convert Protocol is designed to second one, SACK
   (Kind=5), carries the selective acknowledgments inside regular
   segments.

   The SACK Permitted option (Kind=4) MAY be used advertised by a Transport
   Converter in networks that do not
   contain middleboxes that interfere with TCP.  Under such conditions,
   it is assumed that the network provider ensures that all involved on-
   path nodes are not breaking TCP signals (e.g., strip Supported TCP options,
   discard some SYNs, etc.).

   Nevertheless, and in order Extensions TLV.  Clients connected to allow for a robust service,
   this
   section describes how a Client can detect middlebox interference and
   stop using the Transport Converter affected by this interference.

   Internet measurements [IMC11] have shown that middleboxes can affect
   the deployment of TCP extensions.  In this section, we only discuss
   the middleboxes that modify SYN and SYN+ACK packets since MAY include the Convert
   Protocol places its messages SACK Permitted option in such packets.

   Consider a middlebox that removes the SYN payload.
   Connect TLV.

   The Client can
   detect this problem by looking at the acknowledgment number field of
   the SYN+ACK returned by SACK option (Kind=5) cannot be used during the Transport Converter.  The Client MUST
   stop to use three-way
   handshake.  For this reason, a Transport Converter given the middlebox
   interference.

   Consider now MUST ignore option
   Kind=5 if it appears in a middlebox that drops SYN/ACKs with Connect TLV.  It MUST NOT announce it in a payload.
   TCP Supported Extensions TLV.

7.4.  Timestamp

   The
   Client won't Timestamp option [RFC7323] can be able used during the three-way
   handshake to establish a connection via negotiate the Transport
   Converter.

   The case utilization of a middlebox that removes timestamps during the payload of SYN+ACKs (but not TCP
   connection.  It is notably used to improve round-trip-time
   estimations and to provide protection against wrapped sequence
   numbers (PAWS).  As for the payload WS option, the timestamps are a property
   of SYN) can be detected by a Client.  This connection and there is hinted by
   the absence of an Error or Extended TCP Header TLV limited benefit in enabling a response.  If
   an Error was returned by the Transport Converter, a message client to close
   the connection would normally follow from the Converter.  If no such
   message is received, the Client may continue
   request a Transport Converter to use this Converter.

   As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect the operation of TFO if they assign different IP addresses timestamp option when
   establishing a connection to a remote server.  Furthermore, the
   same end host.  Such CGNs could affect the operation of the cookie
   validation
   timestamps that are used by the Convert Protocol.  As a reminder CGNs, enabled
   on the path between a Client TCP stacks are specific to each stack and
   there is no benefit in enabling a Transport Converter, must adhere client to specify the address preservation defined in [RFC6888].  See also the
   discussion in Section 7.1 of [RFC7413].

8.  Security Considerations

8.1.  Privacy & Ingress Filtering

   The Transport Converter may have access to privacy-related
   information (e.g., subscriber credentials).  The timestamp
   value that a Transport Converter
   is designed could use to not leak such sensitive information outside establish a local
   domain.

   Given its function and its location in the network, connection
   to a remote server.

   A Transport Converter has access to MAY advertise the payload of all the packets that it
   processes.  As such, it MUST be protected as a core IP router (e.g.,
   [RFC1812]).

   Furthermore, ingress filtering policies MUST be enforced at the
   network boundaries [RFC2827].

   This document assumes that all network attachments are managed by Timestamp option (Kind=8) in
   the
   same administrative entity.  Therefore, enforcing anti-spoofing
   filters at these network ensures that hosts are not sending traffic
   with spoofed source IP addresses.

8.2.  Authorization TCP Supported Extensions TLV.  The Convert Protocol is intended clients connected to be used this
   Transport Converter MAY include the Timestamp option in managed networks where
   end hosts can be identified by their IP address.

   Stronger mutual authentication schemes MUST be defined to use the
   Convert Protocol Connect
   TLV but without any timestamp.

7.5.  Multipath TCP

   The Multipath TCP options are defined in more open network environments.  One possibility
   is [RFC6824].  [RFC6824]
   defines one variable length TCP option (Kind=30) that includes a sub-
   type field to support several Multipath TCP options.  There are
   several operational use TLS cases where clients would like to perform mutual authentication between the client and
   the Converter.  That is, use TLS when a Client retrieves
   Multipath TCP through a Cookie
   from the Transport Converter and rely on certificate-based client
   authentication, pre-shared key based [RFC4279] or raw public key
   based client authentication [RFC7250] to secure this connection.

   If the authentication succeeds, [IETFJ16].  However, none
   of these use cases require the Converter returns a cookie Client to the
   Client.  Subsequent Connect messages will be authorized as a function
   of specify the content of the Cookie TLV.

   In deployments where network-assisted connections are not allowed
   between hosts of a domain (i.e., hairpinning), the Converter may be
   instructed to discard such connections.  Hairpinned connections are
   thus rejected by
   Multipath TCP option that the Transport Converter by returning an Error TLV
   set should send to "Not Authorized".  Absent explicit configuration otherwise,
   hairpinning is enabled by the a
   remote server.

   A Transport Converter (see Figure 23.

             <===Network Provider===>

      +----+ from X1:x1 to X2':x2'   +-----+ X1':x1'
      | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+---
      +----+                         |  v  |
                                     |  v  |
                                     |  v  |
                                     |  v  |
      +----+ from X1':x1' to X2:x2   |  v  | X2':x2'
      | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+---
      +----+                         +-----+ which supports Multipath TCP conversion service
   MUST advertise the Multipath TCP option (Kind=30) in the Supported
   TCP Extensions TLV.  Clients serviced by this Transport Converter

      Note: X2':x2' may be equal to
            X2:x2

                      Figure 23: Hairpinning Example

   See below for authorization considerations that are specific for
   include the Multipath TCP.

8.3.  Denial of Service

   Another possible risk is TCP option in the amplification attacks since a Connect TLV but without any
   content.

7.6.  TCP Fast Open

   The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413].
   There are two different usages of this option that need to be
   supported by Transport
   Converter sends a SYN towards a remote Server upon reception Converters.  The first utilization of the TCP
   Fast Open cookie option is to request a SYN cookie from a Client.  This could lead to amplification attacks if the SYN server.  In
   this case, the option is sent with an empty cookie by the Transport Converter were larger than client and
   the SYN received
   from server returns the Client or if cookie.  The second utilization of the Transport Converter retransmits TCP
   Fast Open cookie option is to send a cookie to the SYN.
   To mitigate such attacks, server.  In this
   case, the option contains a cookie.

   A Transport Converter SHOULD rate limit
   the number of pending requests for a given Client.  It SHOULD also
   avoid sending to remote Servers SYNs that are significantly longer
   than the SYN received from MAY advertise the Client.  Finally, TCP Fast Open cookie option
   (Kind=34) in the Supported TCP Extensions TLV.  If a Transport
   Converter SHOULD only retransmit a SYN has advertised the support for TCP Fast Open in its
   Supported TCP Extensions TLV, it needs to be able to process two
   types of Connect TLV.  If such a Server after having
   received Transport Converter receives a retransmitted SYN from
   Connect TLV with the corresponding Client.  Means to
   protect against SYN flooding attacks MUST also be enabled [RFC4987].

8.4.  Traffic Theft

   Traffic theft is TCP Fast Open cookie option that does not
   contain a risk if cookie, it MUST add an illegitimate Converter is inserted empty TCP Fast Open cookie option in
   the path.  Indeed, inserting an illegitimate SYN sent to the remote server.  If such a Transport Converter
   receives a Connect TLV with the TCP Fast Open cookie option that
   contains a cookie, it MUST copy the TCP Fast Open cookie option in
   the
   forwarding path allows traffic interception and can therefore provide
   access SYN sent to sensitive data issued by or destined the remote server.

7.7.  TCP-AO

   TCP-AO [RFC5925] provides a technique to authenticate all the packets
   exchanged over a host.  Converter
   discovery and configuration are out of scope TCP connection.  Given the nature of this document.

8.5.  Multipath TCP-specific Considerations

   Multipath TCP-related security threats are discussed in [RFC6181] and
   [RFC6824].

   The operator extension,
   it is unlikely that manages the various network attachments (including
   the Transport Converters) can enforce authentication and
   authorization policies using appropriate mechanisms.  For example, a
   non-exhaustive list of methods to achieve authorization is provided
   hereafter:

   o  The network provider may enforce a policy based on the
      International Mobile Subscriber Identity (IMSI) to verify applications that a
      user is allowed require their packets to benefit from the Multipath TCP converter
      service.  If that authorization fails, the Packet Data Protocol
      (PDP) context/bearer will not be mounted.  This method does
   authenticated end-to-end would want their connections to pass through
   a converter.  For this reason, we do not
      require any interaction with recommend the support of the
   TCP-AO option by Transport Converter for
      authorization matters.

   o Converters.  The network provider may enforce a policy based upon Access
      Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) only use cases where it
   could make sense to control combine TCP-AO and the hosts that solution in this document
   are authorized to communicate with a
      Transport Converter.  These ACLs may be installed as a result of
      RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter].

      This method does not require any interaction with those where the TCP-AO-NAT extension [RFC6978] is in use.

   A Transport Converter for authorization matters.

   o  A device that embeds MUST NOT advertise the TCP-AO option (Kind=29)
   in the Supported TCP Extensions TLV.  If a Transport Converter may also host
   receives a RADIUS
      client Connect TLV that will solicit an AAA server to check whether
      connections received from a given source IP address are authorized
      or not [I-D.boucadair-radext-tcpm-converter].

   A first safeguard against contains the misuse TCP-AO option, it MUST
   reject the establishment of Transport Converter resources
   by illegitimate users (e.g., users the connection with access error code set to
   "Unsupported TCP Option", except if the TCP-AO-NAT option is used.

8.  Interactions with Middleboxes

   The Convert Protocol is designed to be used in networks that are do not
   managed by
   contain middleboxes that interfere with TCP.  Under such conditions,
   it is assumed that the same network provider ensures that operates the Transport Converter)
   is all involved on-
   path nodes are not breaking TCP signals (e.g., strip TCP options,
   discard some SYNs, etc.).

   Nevertheless, and in order to allow for a robust service, this
   section describes how a Client can detect middlebox interference and
   stop using the Transport Converter to reject Multipath affected by this interference.

   Internet measurements [IMC11] have shown that middleboxes can affect
   the deployment of TCP connections
   received on extensions.  In this section, we focus the
   middleboxes that modify the payload since the Convert Protocol places
   its Internet-facing interfaces.  Only Multipath TCP
   connections received on messages at the customer-facing interfaces beginning of the bytestream.

   Consider a middlebox that removes the SYN payload.  The Client can
   detect this problem by looking at the acknowledgment number field of
   the SYN+ACK returned by the Transport Converter.  The Client MUST
   stop to use this Transport Converter will given the middlebox
   interference.

   Consider now a middlebox that drops SYN/ACKs with a payload.  The
   Client won't be accepted.

9.  IANA Considerations

9.1.  Convert Service Port Number

   IANA is requested able to assign establish a TCP port number (TBA) for the Convert
   Protocol from connection via the "Service Name and Transport Protocol Port Number
   Registry" available at https://www.iana.org/assignments/service-
   names-port-numbers/service-names-port-numbers.xhtml.

      Service Name:           convert
      Port Number:            TBD Transport Protocol(s):  TCP
      Description:            0-RTT TCP Convert Protocol
      Assignee:               IESG <iesg@ietf.org>
      Contact:                IETF Chair <chair@ietf.org>
      Reference:              RFC XXXX

9.2.
   Converter.  The Convert Protocol (Convert) Parameters

   IANA is requested to create case of a new "The Convert Protocol (Convert)
   Parameters" registry.

   The following subsections detail new registries within "The Convert
   Protocol (Convert) Parameters" registry.

9.2.1.  Convert Versions

   IANA is requested to create middlebox that removes the "Convert versions" sub-registry.  New
   values are assigned via IETF Review (Section 4.8 payload of [RFC8126]).

   The initial values to be assigned at
   SYN+ACKs or from the creation of packet that follows the registry are
   as follows:

    +---------+--------------------------------------+-------------+
    | Version | Description                          | Reference   |
    +---------+--------------------------------------+-------------+
    |    0    | Reserved by this document            | [This-RFC]  |
    |    1    | Assigned SYN+ACK (but not the
   payload of SYN) can be detected by this document            | [This-RFC]  |
    +---------+--------------------------------------+-------------+

9.2.2.  Convert TLVs

   IANA a Client.  This is requested to create hinted by the "Convert TLVs" sub-registry.  The
   procedure for assigning values from this registry is as follows:

   o  The values
   absence of a valid Convert message in the range 1-127 can be assigned via IETF Review.

   o  The values response.

   As explained in the range 128-191 [RFC7413], some CGNs (Carrier Grade NATs) can be assigned via Specification
      Required.

   o  The values in affect
   the range 192-255 can be assigned for Private Use.

   The initial values operation of TFO if they assign different IP addresses to be assigned at the creation
   same end host.  Such CGNs could affect the operation of the registry are
   as follows:

    +---------+--------------------------------------+-------------+
    |  Code   | Name                                 | Reference   |
    +---------+--------------------------------------+-------------+
    |    0    | Reserved                             | [This-RFC]  |
    |    1    | Info TLV                             | [This-RFC]  |
    |   10    | Connect TLV                          | [This-RFC]  |
    |   20    | Extended TCP Header TLV              | [This-RFC]  |
    |   21    | Supported TCP Extension TLV          | [This-RFC]  |
    |   22    | Cookie TLV                           | [This-RFC]  |
    |   30    | Error TLV                            | [This-RFC]  |
    +---------+--------------------------------------+-------------+

9.2.3. cookie
   validation used by the Convert Error Messages

   IANA is requested to create Protocol.  As a reminder CGNs, enabled
   on the "Convert Errors" sub-registry.  Codes
   in this registry are assigned as path between a function of Client and a Transport Converter, must adhere
   to the error type.  Four
   types are defined; address preservation defined in [RFC6888].  See also the following ranges are reserved for each
   discussion in Section 7.1 of
   these types:

   o  Message validation and processing errors: 0-31

   o  Client-side errors: 32-63

   o [RFC7413].

9.  Security Considerations

9.1.  Privacy & Ingress Filtering

   The Transport Converter-side errors: 64-95

   o  Errors caused by destination server: 96-127 Converter may have access to privacy-related
   information (e.g., subscriber credentials).  The procedure for assigning values from this sub-registry Transport Converter
   is as
   follows:

   o  0-127: Values in this range are assigned via IETF Review.

   o  128-191: Values in this range are assigned via Specification
      Required.

   o  192-255: Values designed to not leak such sensitive information outside a local
   domain.

   Given its function and its location in this range are assigned for Private Use.

   The initial values the network, a Transport
   Converter has access to be assigned at the creation payload of all the registry are packets that it
   processes.  As such, it MUST be protected as follows:

    +-------+------+-----------------------------------+-----------+
    | Error | Hex  | Description                       | Reference |
    +-------+------+-----------------------------------+-----------+
    |    0  | 0x00 | Unsupported Version               | [This-RFC]|
    |    1  | 0x01 | Malformed Message                 | [This-RFC]|
    |    2  | 0x02 | Unsupported Message               | [This-RFC]|
    |    3  | 0x03 | Missing a core IP router (e.g.,
   [RFC1812]).

   Furthermore, ingress filtering policies MUST be enforced at the
   network boundaries [RFC2827].

   This document assumes that all network attachments are managed by the
   same administrative entity.  Therefore, enforcing anti-spoofing
   filters at these network ensures that hosts are not sending traffic
   with spoofed source IP addresses.

9.2.  Authorization

   The Convert Protocol is intended to be used in managed networks where
   end hosts can be identified by their IP address.

   Stronger mutual authentication schemes MUST be defined to use the
   Convert Protocol in more open network environments.  One possibility
   is to use TLS to perform mutual authentication between the client and
   the Converter.  That is, use TLS when a Client retrieves a Cookie
   from the Converter and rely on certificate-based client
   authentication, pre-shared key based [RFC4279] or raw public key
   based client authentication [RFC7250] to secure this connection.

   If the authentication succeeds, the Converter returns a cookie to the
   Client.  Subsequent Connect messages will be authorized as a function
   of the content of the Cookie TLV.

   In deployments where network-assisted connections are not allowed
   between hosts of a domain (i.e., hairpinning), the Converter may be
   instructed to discard such connections.  Hairpinned connections are
   thus rejected by the Transport Converter by returning an Error TLV
   set to "Not Authorized".  Absent explicit configuration otherwise,
   hairpinning is enabled by the Converter (see Figure 25.

             <===Network Provider===>

      +----+ from X1:x1 to X2':x2'   +-----+ X1':x1'
      | [This-RFC]|
    |   32  | 0x20 C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+---
      +----+                         | Not Authorized  v  | [This-RFC]|
                                     |   33  v  | 0x21
                                     | Unsupported TCP Option  v  | [This-RFC]|
                                     |   64  v  | 0x40 | Resource Exceeded                 | [This-RFC]|
    |   65  | 0x41 | Network Failure                   | [This-RFC]|
    |   96  | 0x60 | Connection Reset                  | [This-RFC]|
    |   97
      +----+ from X1':x1' to X2:x2   | 0x61  v  | Destination Unreachable X2':x2'
      | [This-RFC]|
    +-------+------+-----------------------------------+-----------+ C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+---
      +----+                         +-----+
                                    Converter

      Note: X2':x2' may be equal to
            X2:x2

                      Figure 24: The Convert Error Codes

10.  References

10.1.  Normative References

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981,
              <https://www.rfc-editor.org/info/rfc793>.

   [RFC2119]  Bradner, S., "Key words 25: Hairpinning Example

   See below for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4279]  Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
              Ciphersuites authorization considerations that are specific for
   Multipath TCP.

9.3.  Denial of Service

   Another possible risk is the amplification attacks since a Transport Layer Security (TLS)",
              RFC 4279, DOI 10.17487/RFC4279, December 2005,
              <https://www.rfc-editor.org/info/rfc4279>.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, DOI 10.17487/RFC4291, February
              2006, <https://www.rfc-editor.org/info/rfc4291>.

   [RFC4727]  Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
              ICMPv6, UDP, and TCP Headers", RFC 4727,
              DOI 10.17487/RFC4727, November 2006,
              <https://www.rfc-editor.org/info/rfc4727>.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007, <https://www.rfc-editor.org/info/rfc4787>.

   [RFC4987]  Eddy, W., "TCP
   Converter sends a SYN Flooding Attacks and Common
              Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007,
              <https://www.rfc-editor.org/info/rfc4987>.

   [RFC5482]  Eggert, L. and F. Gont, "TCP User Timeout Option",
              RFC 5482, DOI 10.17487/RFC5482, March 2009,
              <https://www.rfc-editor.org/info/rfc5482>.

   [RFC5925]  Touch, J., Mankin, A., and R. Bonica, "The TCP
              Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
              June 2010, <https://www.rfc-editor.org/info/rfc5925>.

   [RFC6824]  Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
              "TCP Extensions for Multipath Operation with Multiple
              Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
              <https://www.rfc-editor.org/info/rfc6824>.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013, <https://www.rfc-editor.org/info/rfc6888>.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153,
              RFC 6890, DOI 10.17487/RFC6890, April 2013,
              <https://www.rfc-editor.org/info/rfc6890>.

   [RFC7250]  Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
              Weiler, S., and T. Kivinen, "Using Raw Public Keys in towards a remote Server upon reception of a SYN
   from a Client.  This could lead to amplification attacks if the SYN
   sent by the Transport Layer Security (TLS) and Datagram Converter were larger than the SYN received
   from the Client or if the Transport
              Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
              June 2014, <https://www.rfc-editor.org/info/rfc7250>.

   [RFC7413]  Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
              Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
              <https://www.rfc-editor.org/info/rfc7413>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines Converter retransmits the SYN.
   To mitigate such attacks, the Transport Converter SHOULD rate limit
   the number of pending requests for
              Writing an IANA Considerations a given Client.  It SHOULD also
   avoid sending to remote Servers SYNs that are significantly longer
   than the SYN received from the Client.  Finally, the Transport
   Converter SHOULD only retransmit a SYN to a Server after having
   received a retransmitted SYN from the corresponding Client.  Means to
   protect against SYN flooding attacks should also be enabled (e.g.,
   Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity 3 of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

10.2.  Informative References

   [ANRW17]   Trammell, B., Kuhlewind, M., De Vaere, P., Learmonth, I.,
              and G. Fairhurst, "Tracking transport-layer evolution with
              PATHspider", Applied Networking Research Workshop 2017
              (ANRW17) , July 2017.

   [Fukuda2011]
              Fukuda, K., "An Analysis of Longitudinal TCP Passive
              Measurements (Short Paper)", [RFC4987]).

9.4.  Traffic Monitoring and
              Analysis. TMA 2011. Lecture Notes Theft

   Traffic theft is a risk if an illegitimate Converter is inserted in Computer Science, vol
              6613. , 2011.

   [HotMiddlebox13b]
              Detal, G., Paasch, C., and O. Bonaventure, "Multipath
   the path.  Indeed, inserting an illegitimate Converter in the Middle(Box)", HotMiddlebox'13 , December 2013,
              <http://inl.info.ucl.ac.be/publications/multipath-
              middlebox>.

   [I-D.arkko-arch-low-latency]
              Arkko, J.
   forwarding path allows traffic interception and J. Tantsura, "Low Latency Applications can therefore provide
   access to sensitive data issued by or destined to a host.  Converter
   discovery and configuration are out of scope of this document.

9.5.  Authentication Considerations

   The operator that manages the Internet Architecture", draft-arkko-arch-low-
              latency-02 (work in progress), October 2017.

   [I-D.boucadair-mptcp-plain-mode]
              Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel,
              D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R.,
              Vinapamula, S., Seo, S., Cloetens, W., Meyer, U.,
              Contreras, L., and B. Peirens, "Extensions for Network-
              Assisted MPTCP Deployment Models", draft-boucadair-mptcp-
              plain-mode-10 (work in progress), March 2017.

   [I-D.boucadair-radext-tcpm-converter]
              Boucadair, M. and C. Jacquenet, "RADIUS Extensions for
              0-RTT TCP Converters", draft-boucadair-radext-tcpm-
              converter-02 (work in progress), April 2019.

   [I-D.boucadair-tcpm-dhc-converter]
              Boucadair, M., Jacquenet, C., and R. K, "DHCP Options for
              0-RTT TCP Converters", draft-boucadair-tcpm-dhc-
              converter-03 (work in progress), October 2019.

   [I-D.olteanu-intarea-socks-6]
              Olteanu, V. various network attachments (including
   the Transport Converters) can enforce authentication and D. Niculescu, "SOCKS Protocol Version 6",
              draft-olteanu-intarea-socks-6-07 (work in progress), July
              2019.

   [I-D.peirens-mptcp-transparent]
              Peirens, B., Detal, G., Barre, S., and O. Bonaventure,
              "Link bonding with transparent Multipath TCP", draft-
              peirens-mptcp-transparent-00 (work in progress), July
              2016.

   [IETFJ16]  Bonaventure, O. and S. Seo, "Multipath
   authorization policies using appropriate mechanisms.  For example, a
   non-exhaustive list of methods to achieve authorization is provided
   hereafter:

   o  The network provider may enforce a policy based on the
      International Mobile Subscriber Identity (IMSI) to verify that a
      user is allowed to benefit from the TCP Deployment",
              IETF Journal, Fall 2016 , n.d..

   [IMC11]    Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A.,
              Handley, M., and T. Hideyuki, "Is it still possible converter service.  If
      that authorization fails, the Packet Data Protocol (PDP) context/
      bearer will not be mounted.  This method does not require any
      interaction with the Transport Converter for authorization
      matters.

   o  The network provider may enforce a policy based upon Access
      Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG)
      to
              extend TCP?", Proceedings control the hosts that are authorized to communicate with a
      Transport Converter.  These ACLs may be installed as a result of
      RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter].
      This method does not require any interaction with the 2011 ACM SIGCOMM
              conference on Internet measurement conference , 2011.

   [RFC1323]  Jacobson, V., Braden, R., and D. Borman, "TCP Extensions
              for High Performance", RFC 1323, DOI 10.17487/RFC1323, May
              1992, <https://www.rfc-editor.org/info/rfc1323>.

   [RFC1812]  Baker, F., Ed., "Requirements Transport
      Converter for authorization matters.

   o  A device that embeds a Transport Converter may also host a RADIUS
      client that will solicit an AAA server to check whether
      connections received from a given source IP Version 4 Routers",
              RFC 1812, DOI 10.17487/RFC1812, June 1995,
              <https://www.rfc-editor.org/info/rfc1812>.

   [RFC1919]  Chatel, M., "Classical versus Transparent IP Proxies",
              RFC 1919, DOI 10.17487/RFC1919, March 1996,
              <https://www.rfc-editor.org/info/rfc1919>.

   [RFC1928]  Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and
              L. Jones, "SOCKS Protocol Version 5", RFC 1928,
              DOI 10.17487/RFC1928, March 1996,
              <https://www.rfc-editor.org/info/rfc1928>.

   [RFC2018]  Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP
              Selective Acknowledgment Options", RFC 2018,
              DOI 10.17487/RFC2018, October 1996,
              <https://www.rfc-editor.org/info/rfc2018>.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial address are authorized
      or not [I-D.boucadair-radext-tcpm-converter].

   A first safeguard against the misuse of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
              May 2000, <https://www.rfc-editor.org/info/rfc2827>.

   [RFC3135]  Border, J., Kojo, M., Griner, J., Montenegro, G., and Z.
              Shelby, "Performance Enhancing Proxies Intended Transport Converter resources
   by illegitimate users (e.g., users with access networks that are not
   managed by the same provider that operates the Transport Converter)
   is the Transport Converter to
              Mitigate Link-Related Degradations", reject Convert connections received on
   its Internet-facing interfaces.  Only Convert connections received on
   the customer-facing interfaces of a Transport Converter will be
   accepted.

10.  IANA Considerations

   Note to the RFC 3135,
              DOI 10.17487/RFC3135, June 2001,
              <https://www.rfc-editor.org/info/rfc3135>.

   [RFC6181]  Bagnulo, M., "Threat Analysis for TCP Extensions for
              Multipath Operation Editor: Please replace "THISRFC" in the following
   sub-sections with Multiple Addresses", the RFC 6181,
              DOI 10.17487/RFC6181, March 2011,
              <https://www.rfc-editor.org/info/rfc6181>.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., number to be assigned to this document.

10.1.  Convert Service Name

   IANA is requested to assign a service name for the Convert Protocol
   from the "Service Name and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011,
              <https://www.rfc-editor.org/info/rfc6269>.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
              <https://www.rfc-editor.org/info/rfc6296>.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Transport Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013,
              <https://www.rfc-editor.org/info/rfc6887>.

   [RFC6928]  Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis,
              "Increasing TCP's Initial Window", RFC 6928,
              DOI 10.17487/RFC6928, April 2013,
              <https://www.rfc-editor.org/info/rfc6928>.

   [RFC6978]  Touch, J., "A Port Number Registry"
   available at https://www.iana.org/assignments/service-names-port-
   numbers/service-names-port-numbers.xhtml.

      Service Name:           convert
      Port Number:            N/A
      Transport Protocol(s):  TCP Authentication Option Extension for NAT
              Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013,
              <https://www.rfc-editor.org/info/rfc6978>.

   [RFC7323]  Borman, D., Braden, B., Jacobson, V., and R.
              Scheffenegger, Ed., "TCP Extensions for High Performance",
              RFC 7323, DOI 10.17487/RFC7323, September 2014,
              <https://www.rfc-editor.org/info/rfc7323>.

   [RFC7414]  Duke, M., Braden, R., Eddy, W., Blanton, E., and A.
              Zimmermann, "A Roadmap for Transmission Control
      Description:            0-RTT TCP Convert Protocol
              (TCP) Specification Documents", RFC 7414,
              DOI 10.17487/RFC7414, February 2015,
              <https://www.rfc-editor.org/info/rfc7414>.

   [RFC8041]  Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and
              Operational Experience with Multipath TCP", RFC 8041,
              DOI 10.17487/RFC8041, January 2017,
              <https://www.rfc-editor.org/info/rfc8041>.

   [RFC8305]  Schinazi, D.
      Assignee:               IESG <iesg@ietf.org>
      Contact:                IETF Chair <chair@ietf.org>
      Reference:              THISRFC

   Clients may use this service name to fed the procedure defined in
   [RFC2782] to discover the IP address(es) and T. Pauly, "Happy Eyeballs Version 2:
              Better Connectivity Using Concurrency", RFC 8305,
              DOI 10.17487/RFC8305, December 2017,
              <https://www.rfc-editor.org/info/rfc8305>.

   [RFC8446]  Rescorla, E., "The the port number used by
   the Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8548]  Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack,
              Q., and E. Smith, "Cryptographic Protection Converters of TCP Streams
              (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019,
              <https://www.rfc-editor.org/info/rfc8548>.

   [TS23501]  3GPP (3rd Generation Partnership Project), ., "Technical
              Specification Group Services and System Aspects; System
              Architecture for the 5G System; Stage 2 (Release 16)",
              2019, <https://www.3gpp.org/ftp/Specs/
              archive/23_series/23.501/>.

Appendix A.  Change Log

   This section to be removed before publication.

   o  00 : initial version, designed a domain.

10.2.  The Convert Protocol (Convert) Parameters

   IANA is requested to support Multipath create a new "The TCP Convert Protocol (Convert)
   Parameters" registry.

   The following subsections detail new registries within "The Convert
   Protocol (Convert) Parameters" registry.

   Registration requests for the 128-191 range (for both "Convert TLVs"
   and TFO
      only

   o  00 "Convert Error Messages" sub-registries) are evaluated after a
   three-week review period on the tcp-convert-review@ietf.org mailing
   list, on the advice of one or more Designated Experts.  However, to -01 : added section Section 6 describing
   allow for the support allocation of
      different standard tracks TCP options by Transport Converters,
      clarification values prior to publication, the
   Designated Experts may approve registration once they are satisfied
   that such a specification will be published.  New registration
   requests should be sent in the form of an email to the review mailing
   list; the request should use an appropriate subject (e.g., "Request
   to register 0-RTT Convert TLV: example" or "Request to register 0-RTT
   Convert Error Message: example").  IANA section, moved will only accept new
   registrations from the SOCKS comparison Designated Experts, and will check that review
   was requested on the mailing list in accordance with these
   procedures.

   Within the review period, the Designated Experts will either approve
   or deny the registration request, communicating this decision to the appendix
   review list and various minor modifications

   o  01 IANA.  Denials should include an explanation and, if
   applicable, suggestions as to -02: Minor modifications

   o  02 how to -03: Minor modifications

   o  03 make the request successful.
   Registration requests that are undetermined for a period longer than
   21 days can be brought to -04: Minor modifications
   o  04 the IESG's attention (using the
   iesg@ietf.org mailing list) for resolution.

   The Designated Expert is expected to -05: Integrate a lot ascertain the existence of feedback from implementors who have
      worked on client
   suitable documentation as described in Section 4.6 of [RFC8126] and server side implementations.  The main
      modifications are
   to verify that the following :

      *  TCP Fast Open document is not strictly required anymore.  Several
         implementors expressed concerns about this requirement.  The
         TFO Cookie protects from some attack scenarios that affect open
         servers like web servers. permanently and publicly available.
   The Convert Protocol Designated Expert is different
         and as discussed in RFC7413, there are different ways also expected to
         protect from such attacks.  Instead of using a TFO cookie
         inside the TCP options, which consumes precious space in the
         extended TCP header, this version supports check the utilization clarity of a
         Cookie
   purpose and use of the requested code points.

   Also, criteria that is placed in should be applied by the SYN payload.  This provides Designated Experts
   includes determining whether the
         same level proposed registration duplicates
   existing functionality, whether it is likely to be of protection as general
   applicability or whether it is useful only for a TFO Cookie in environments were
         such protection private use, and
   whether the registration description is required.

      * clear.  IANA must only accept
   registry updates to the Bootstrap procedure has been simplified based on feedback
         from implementors

      * 128-191 range (for both "Convert TLVs" and
   "Convert Error messages are not included in RST segments anymore but
         sent in Messages" sub-registries) from the bytestream.  Implementors have indicated that
         processing such segments on clients was difficult on some
         platforms.  This change simplifies client implementations.

      *  Many minor editorial changes Designated Experts
   and should direct all requests for registration to clarify the text based on
         implementors feedback.

   o  05 to -06: Many clarifications review mailing
   list.  It is suggested that multiple Designated Experts be appointed.
   In cases where a registration decision could be perceived as creating
   a conflict of interest for a particular Expert, that Expert should
   defer to integrate the comments from judgment of the
      chairs in preparation other Experts.

10.2.1.  Convert Versions

   IANA is requested to create the WGLC:

      *  Updated IANA policy "Convert versions" sub-registry.  New
   values are assigned via IETF Review (Section 4.8 of [RFC8126]).

   The initial values to require "IETF Review" instead be assigned at the creation of
         "Standard Action"

      *  Call out explicitly that data in SYNs the registry are relayed
   as follows:

    +---------+--------------------------------------+-------------+
    | Version | Description                          | Reference   |
    +---------+--------------------------------------+-------------+
    |    0    | Reserved by this document            |  THISRFC    |
    |    1    | Assigned by this document            |  THISRFC    |
    +---------+--------------------------------------+-------------+

10.2.2.  Convert TLVs

   IANA is requested to create the
         Converter

      *  Reiterate "Convert TLVs" sub-registry.  The
   procedure for assigning values from this registry is as follows:

   o  The values in the scope

      *  Hairpinning behavior range 1-127 can be disabled (policy-based)

      *  Fix nits assigned via IETF Review.

   o  07:

      *  Update the text about supplying data in SYNs to make it clear
         that a constraint defined  The values in RFC793 is relaxed following the
         same rationale as in RFC7413.

      *  Nits

      *  Added Appendix A on example Socket API changes range 128-191 can be assigned via Specification
      Required.

   o  08:

      *  Added short discussion on  The values in the termination of connections

   o  09:

      *  Address various comments received during last call

   o  10-13:

      *  Changes range 192-255 are reserved for Private Use.

   The initial values to address be assigned at the comments from Phil: Add a new section to
         group data plane considerations in one place + add a new
         appendix with more details on address modes + rearrange creation of the
         MPTCP text.

   o  14: fixed nits (the shepherd write-up)

Appendix B.  Example Socket API Changes registry are
   as follows:

    +---------+--------------------------------------+-------------+
    |  Code   | Name                                 | Reference   |
    +---------+--------------------------------------+-------------+
    |    0    | Reserved                             |   THISRFC   |
    |    1    | Info TLV                             |   THISRFC   |
    |   10    | Connect TLV                          |   THISRFC   |
    |   20    | Extended TCP Header TLV              |   THISRFC   |
    |   21    | Supported TCP Extension TLV          |   THISRFC   |
    |   22    | Cookie TLV                           |   THISRFC   |
    |   30    | Error TLV                            |   THISRFC   |
    +---------+--------------------------------------+-------------+

10.2.3.  Convert Error Messages

   IANA is requested to Support create the 0-RTT Convert
             Protocol

B.1.  Active Open (Client Side)

   On "Convert Errors" sub-registry.  Codes
   in this registry are assigned as a function of the client side, error type.  Four
   types are defined; the support following ranges are reserved for each of the 0-RTT Converter protocol does
   not require any other changes than those identified
   these types:

   o  Message validation and processing errors: 0-31

   o  Client-side errors: 32-63

   o  Transport Converter-side errors: 64-95

   o  Errors caused by destination server: 96-127
   The procedure for assigning values from this sub-registry is as
   follows:

   o  0-127: Values in Appendix A this range are assigned via IETF Review.

   o  128-191: Values in this range are assigned via Specification
      Required.

   o  192-255: Values in this range are reserved for Private Use.

   The initial values to be assigned at the creation of the registry are
   as follows:

    +-------+------+-----------------------------------+-----------+
    | Error | Hex  | Description                       | Reference |
    +-------+------+-----------------------------------+-----------+
    |    0  | 0x00 | Unsupported Version               |  THISRFC  |
    |    1  | 0x01 | Malformed Message                 |  THISRFC  |
    |    2  | 0x02 | Unsupported Message               |  THISRFC  |
    |    3  | 0x03 | Missing Cookie                    |  THISRFC  |
    |   32  | 0x20 | Not Authorized                    |  THISRFC  |
    |   33  | 0x21 | Unsupported TCP Option            |  THISRFC  |
    |   64  | 0x40 | Resource Exceeded                 |  THISRFC  |
    |   65  | 0x41 | Network Failure                   |  THISRFC  |
    |   96  | 0x60 | Connection Reset                  |  THISRFC  |
    |   97  | 0x61 | Destination Unreachable           |  THISRFC  |
    +-------+------+-----------------------------------+-----------+

                    Figure 26: The Convert Error Codes

11.  References

11.1.  Normative References

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981,
              <https://www.rfc-editor.org/info/rfc793>.

   [RFC2018]  Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP
              Selective Acknowledgment Options", RFC 2018,
              DOI 10.17487/RFC2018, October 1996,
              <https://www.rfc-editor.org/info/rfc2018>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
              May 2000, <https://www.rfc-editor.org/info/rfc2827>.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, DOI 10.17487/RFC4291, February
              2006, <https://www.rfc-editor.org/info/rfc4291>.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007, <https://www.rfc-editor.org/info/rfc4787>.

   [RFC4987]  Eddy, W., "TCP SYN Flooding Attacks and Common
              Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007,
              <https://www.rfc-editor.org/info/rfc4987>.

   [RFC5925]  Touch, J., Mankin, A., and R. Bonica, "The TCP
              Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
              June 2010, <https://www.rfc-editor.org/info/rfc5925>.

   [RFC6824]  Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
              "TCP Extensions for Multipath Operation with Multiple
              Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
              <https://www.rfc-editor.org/info/rfc6824>.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013, <https://www.rfc-editor.org/info/rfc6888>.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153,
              RFC 6890, DOI 10.17487/RFC6890, April 2013,
              <https://www.rfc-editor.org/info/rfc6890>.

   [RFC6978]  Touch, J., "A TCP Authentication Option Extension for NAT
              Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013,
              <https://www.rfc-editor.org/info/rfc6978>.

   [RFC7323]  Borman, D., Braden, B., Jacobson, V., and R.
              Scheffenegger, Ed., "TCP Extensions for High Performance",
              RFC 7323, DOI 10.17487/RFC7323, September 2014,
              <https://www.rfc-editor.org/info/rfc7323>.

   [RFC7413]  Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
              Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
              <https://www.rfc-editor.org/info/rfc7413>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

11.2.  Informative References

   [ANRW17]   Trammell, B., Kuehlewind, M., De Vaere, P., Learmonth, I.,
              and G. Fairhurst, "Tracking transport-layer evolution with
              PATHspider", Applied Networking Research Workshop 2017
              (ANRW17) , July 2017.

   [Fukuda2011]
              Fukuda, K., "An Analysis of
   [RFC7413].  Those modifications are already supported by multiple Longitudinal TCP
   stacks.

   As an example, on Linux, a client can send the 0-RTT Convert message
   inside a SYN by using sendto with the MSG_FASTOPEN flag as shown Passive
              Measurements (Short Paper)", Traffic Monitoring and
              Analysis. TMA 2011. Lecture Notes in Computer Science, vol
              6613. , 2011.

   [HotMiddlebox13b]
              Detal, G., Paasch, C., and O. Bonaventure, "Multipath in
              the example below:

     s = socket(AF_INET, SOCK_STREAM, 0);

     sendto(s, buffer, buffer_len, MSG_FASTOPEN,
                    (struct sockaddr *) &server_addr, addr_len);

   The client side of Middle(Box)", HotMiddlebox'13 , December 2013,
              <http://inl.info.ucl.ac.be/publications/
              multipath-middlebox>.

   [I-D.arkko-arch-low-latency]
              Arkko, J. and J. Tantsura, "Low Latency Applications and
              the Linux Internet Architecture", draft-arkko-arch-low-
              latency-02 (work in progress), October 2017.

   [I-D.boucadair-mptcp-plain-mode]
              Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel,
              D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R.,
              Vinapamula, S., Seo, S., Cloetens, W., Meyer, U.,
              Contreras, L., and B. Peirens, "Extensions for Network-
              Assisted MPTCP Deployment Models", draft-boucadair-mptcp-
              plain-mode-10 (work in progress), March 2017.

   [I-D.boucadair-radext-tcpm-converter]
              Boucadair, M. and C. Jacquenet, "RADIUS Extensions for
              0-RTT TCP TFO can be used Converters", draft-boucadair-radext-tcpm-
              converter-02 (work in two different
   modes depending on the host configuration (sysctl tcp_fastopen
   variable):

   o  0x1: (client) enables sending data progress), April 2019.

   [I-D.boucadair-tcpm-dhc-converter]
              Boucadair, M., Jacquenet, C., and T. Reddy.K, "DHCP
              Options for 0-RTT TCP Converters", draft-boucadair-tcpm-
              dhc-converter-03 (work in the opening SYN on the
      client.

   o  0x4: (client) send data progress), October 2019.

   [I-D.olteanu-intarea-socks-6]
              Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6",
              draft-olteanu-intarea-socks-6-08 (work in the opening SYN regardless of cookie
      availability progress),
              November 2019.

   [I-D.peirens-mptcp-transparent]
              Peirens, B., Detal, G., Barre, S., and without a cookie option.

   By setting this configuration variable to 0x5, a Linux client using
   the above code would send data inside the SYN without using a TFO
   option.

B.2.  Passive Open (Converter Side)

   The Converter needs to enable the reception of data inside the SYN
   independently of the utilization of the TFO option.  This implies
   that the Transport Converter application cannot rely on the TFO
   cookies to validate the reachability of the IP address that sent the
   SYN.  It must rely on other techniques, such as the Cookie TLV
   described O. Bonaventure,
              "Link bonding with transparent Multipath TCP", draft-
              peirens-mptcp-transparent-00 (work in this document, progress), July
              2016.

   [IETFJ16]  Bonaventure, O. and S. Seo, "Multipath TCP Deployment",
              IETF Journal, Fall 2016 , n.d..

   [IMC11]    Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A.,
              Handley, M., and T. Hideyuki, "Is it still possible to verify this reachability.

   [RFC7413] suggested the utilization
              extend TCP?", Proceedings of a TCP_FASTOPEN socket option
   the enable the reception of SYNs containing data.  Later, Appendix A
   of [RFC7413], mentioned:

   Traditionally, accept() returns only after a socket is connected.
   But, 2011 ACM SIGCOMM
              conference on Internet measurement conference , 2011.

   [RFC1812]  Baker, F., Ed., "Requirements for a Fast Open connection, accept() returns upon receiving
   SYN with a valid Fast Open cookie IP Version 4 Routers",
              RFC 1812, DOI 10.17487/RFC1812, June 1995,
              <https://www.rfc-editor.org/info/rfc1812>.

   [RFC1919]  Chatel, M., "Classical versus Transparent IP Proxies",
              RFC 1919, DOI 10.17487/RFC1919, March 1996,
              <https://www.rfc-editor.org/info/rfc1919>.

   [RFC1928]  Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and data,
              L. Jones, "SOCKS Protocol Version 5", RFC 1928,
              DOI 10.17487/RFC1928, March 1996,
              <https://www.rfc-editor.org/info/rfc1928>.

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the data is available location of services (DNS SRV)", RFC 2782,
              DOI 10.17487/RFC2782, February 2000,
              <https://www.rfc-editor.org/info/rfc2782>.

   [RFC3135]  Border, J., Kojo, M., Griner, J., Montenegro, G., and Z.
              Shelby, "Performance Enhancing Proxies Intended to be read through, e.g., recvmsg(), read().

   To support the 0-RTT Convert Protocol, this behavior should be
   modified as follows:

    Traditionally, accept() returns only after a socket is connected.
    But,
              Mitigate Link-Related Degradations", RFC 3135,
              DOI 10.17487/RFC3135, June 2001,
              <https://www.rfc-editor.org/info/rfc3135>.

   [RFC4279]  Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
              Ciphersuites for a Fast Open connection, accept() returns upon receiving a
    SYN with data, Transport Layer Security (TLS)",
              RFC 4279, DOI 10.17487/RFC4279, December 2005,
              <https://www.rfc-editor.org/info/rfc4279>.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and the data is available to be read through, e.g.,
    recvmsg(), read(). The application that receives such SYNs
              P. Roberts, "Issues with data
    must be able to validate the reachability of the source of the SYN IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011,
              <https://www.rfc-editor.org/info/rfc6269>.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
              <https://www.rfc-editor.org/info/rfc6296>.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013,
              <https://www.rfc-editor.org/info/rfc6887>.

   [RFC6928]  Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis,
              "Increasing TCP's Initial Window", RFC 6928,
              DOI 10.17487/RFC6928, April 2013,
              <https://www.rfc-editor.org/info/rfc6928>.

   [RFC7250]  Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
              Weiler, S., and also deal with replayed SYNs.

   The Linux server side can be configured with the following sysctls:

   o  0x2: (server) enables the server support, i.e., allowing data T. Kivinen, "Using Raw Public Keys in a
      SYN packet to be accepted
              Transport Layer Security (TLS) and passed to the application before
      3-way handshake finishes.

   o  0x200: (server) accept data-in-SYN w/o any cookie option present.

   However, this configuration is system-wide.  This is convenient for
   typical Datagram Transport Converter deployments where no other applications
   relying on TFO are collocated on the same device.

   Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to
   provide the same behavior on a per socket basis.  This enables a
   single host to support both servers that require the TFO cookie
              Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
              June 2014, <https://www.rfc-editor.org/info/rfc7250>.

   [RFC7414]  Duke, M., Braden, R., Eddy, W., Blanton, E., and
   servers that do not use it.

Appendix C.  Some Design Considerations

   Several implementors expressed concerns about the use of TFO.  As a
   reminder, the TFO Cookie protects from some attack scenarios that
   affect open servers like web servers.  The Convert A.
              Zimmermann, "A Roadmap for Transmission Control Protocol is
   different and, as discussed in RFC7413, there are different ways to
   protect from such attacks.  Instead
              (TCP) Specification Documents", RFC 7414,
              DOI 10.17487/RFC7414, February 2015,
              <https://www.rfc-editor.org/info/rfc7414>.

   [RFC8041]  Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and
              Operational Experience with Multipath TCP", RFC 8041,
              DOI 10.17487/RFC8041, January 2017,
              <https://www.rfc-editor.org/info/rfc8041>.

   [RFC8305]  Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2:
              Better Connectivity Using Concurrency", RFC 8305,
              DOI 10.17487/RFC8305, December 2017,
              <https://www.rfc-editor.org/info/rfc8305>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8548]  Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack,
              Q., and E. Smith, "Cryptographic Protection of using a TFO cookie inside the TCP options, which consumes precious space in Streams
              (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019,
              <https://www.rfc-editor.org/info/rfc8548>.

   [TS23501]  3GPP (3rd Generation Partnership Project), ., "Technical
              Specification Group Services and System Aspects; System
              Architecture for the extended TCP
   header, 5G System; Stage 2 (Release 16)",
              2019, <https://www.3gpp.org/ftp/Specs/
              archive/23_series/23.501/>.

Appendix A.  Example Socket API Changes to Support the 0-RTT Convert
             Protocol supports the utilization of a Cookie
   that is placed in

A.1.  Active Open (Client Side)

   On the SYN payload.  This provides client side, the same level support of
   protection as a TFO Cookie in environments were such protection is
   required.

   Error messages are the 0-RTT Converter protocol does
   not included in RST segments but sent require any other changes than those identified in the
   bytestream.  Implementors have indicated that processing such
   segments on clients was difficult on some platforms.  This change
   simplifies client implementations. Appendix D.  Address Preservation vs. Address Sharing

   The Transport Converter is provided with instructions about the
   behavior to adopt with regards to the processing of source addresses
   of outgoing packets.  The following sub-sections discusses two
   deployment models for illustration purposes.  It is out of the scope
   of this document to make a recommendation.

D.1.  Address Preservation

   In this model, the visible source IP address A of a packet proxied
   [RFC7413].  Those modifications are already supported by a
   Transport Converter to a Server is multiple TCP
   stacks.

   As an IP address of example, on Linux, a client can send the end host
   (Client).  No dedicated IP address pool is provisioned to 0-RTT Convert message
   inside a SYN by using sendto with the
   Transport Converter.

   For Multipath TCP, MSG_FASTOPEN flag as shown in
   the Transport Converter preserves example below:

     s = socket(AF_INET, SOCK_STREAM, 0);

     sendto(s, buffer, buffer_len, MSG_FASTOPEN,
                    (struct sockaddr *) &server_addr, addr_len);

   The client side of the source IP
   address Linux TCP TFO can be used by in two different
   modes depending on the Client when establishing host configuration (sysctl tcp_fastopen
   variable):

   o  0x1: (client) enables sending data in the initial subflow.
   Data conveyed opening SYN on the
      client.

   o  0x4: (client) send data in secondary subflows will be proxied by the Transport
   Converter opening SYN regardless of cookie
      availability and without a cookie option.

   By setting this configuration variable to 0x5, a Linux client using
   the source IP address of above code would send data inside the initial subflow.  An
   example of SYN without using a proxied Multipath TCP connection with address
   preservation is shown in Figure 25.

                                         Transport
          Client TFO
   option.

A.2.  Passive Open (Converter Side)

   The Converter          Server

           @:C1,C2                        @:Tc                @:S
              ||                            |                  |
              |src:C1 needs to enable the reception of data inside the SYN         dst:Tc|src:C1       dst:S|
              |-------MPC [->S:port]------->|-------SYN------->|
              ||                            |                  |
              ||dst:C1                src:Tc|dst:C1       src:S|
              |<---------SYN/ACK------------|<-----SYN/ACK-----|
              ||                            |                  |
              |src:C1                 dst:Tc|src:C1       dst:S|
              |------------ACK------------->|-------ACK------->|
              |                             |                  |
              |src:C2          ...    dst:Tc|       ...        |
              ||<-----Secondary Subflow---->|src:C1       dst:S|
              ||                            |-------data------>|
              |               ..            |    ...           |

 Legend:
   Tc: IP address used by
   independently of the Transport Converter on its customer-facing
       interface.

                Figure 25: Example utilization of Address Preservation

   The the TFO option.  This implies
   that the Transport Converter must be application cannot rely on the forwarding path TFO
   cookies to validate the reachability of incoming
   traffic.  Because the same (destination) IP address is used for both
   proxied and non-proxied connections, the Transport Converter should
   not drop incoming packets it intercepts if no matching entry is found
   for that sent the packets.  Unless explicitly configured otherwise,
   SYN.  It must rely on other techniques, such
   packets are forwarded according as the Cookie TLV
   described in this document, to verify this reachability.

   [RFC7413] suggested the instructions utilization of a local
   forwarding table.

D.2.  Address/Prefix Sharing TCP_FASTOPEN socket option
   the enable the reception of SYNs containing data.  Later, Appendix A pool
   of global IPv4 addresses [RFC7413], mentioned:

   Traditionally, accept() returns only after a socket is provisioned connected.
   But, for a Fast Open connection, accept() returns upon receiving
   SYN with a valid Fast Open cookie and data, and the data is available
   to be read through, e.g., recvmsg(), read().

   To support the Transport
   Converter along 0-RTT Convert Protocol, this behavior should be
   modified as follows:

    Traditionally, accept() returns only after a socket is connected.
    But, for a Fast Open connection, accept() returns upon receiving a
    SYN with possible instructions about data, and the address sharing
   ratio data is available to apply (see Appendix B be read through, e.g.,
    recvmsg(), read(). The application that receives such SYNs with data
    must be able to validate the reachability of [RFC6269]).  An address is thus
   shared among multiple clients.

   Likewise, rewriting the source IPv6 prefix [RFC6296] may of the SYN
    and also deal with replayed SYNs.

   The Linux server side can be configured with the following sysctls:

   o  0x2: (server) enables the server support, i.e., allowing data in a
      SYN packet to be used accepted and passed to
   ease redirection of incoming IPv6 traffic towards the appropriate
   Transport Converter.  A pool of IPv6 prefixes application before
      3-way handshake finishes.

   o  0x200: (server) accept data-in-SYN w/o any cookie option present.

   However, this configuration is then provisioned to
   the system-wide.  This is convenient for
   typical Transport Converter for this purpose.

   Adequate forwarding policies deployments where no other applications
   relying on TFO are enforced so that traffic destined collocated on the same device.

   Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to
   an address of such pool is intercepted by
   provide the appropriate Transport
   Converter.  Unlike Appendix D.1, same behavior on a per socket basis.  This enables a
   single host to support both servers that require the Transport Converter drops
   incoming packets which TFO cookie and
   servers that do not match an active transport session
   entry.

   An example is shown in Figure 26.

                                        Transport
         Client                         Converter          Server

            @:C                        @:Tc|Te                @:S
             |                             |                  |
             |src:C                  dst:Tc|src:Te       dst:S|
             |-------SYN [->S:port]------->|-------SYN------->|
             |                             |                  |
             |dst:C                  src:Tc|dst:Te       src:S|
             |<---------SYN/ACK------------|<-----SYN/ACK-----|
             |                             |                  |
             |src:C                  dst:Tc|src:Te       dst:S|
             |------------ACK------------->|-------ACK------->|
             |                             |                  |
             |              ...            |    ...           |

Legend:
  Tc: IP address used by the Transport Converter for its customer-facing
      interface.
  Te: IP address used by the Transport Converter for its Internet-facing
      interface.

                        Figure 26: Address Sharing

Appendix E.  Differences use it.

Acknowledgments

   Although they could disagree with SOCKSv5

   At a first glance, the solution proposed in this document could seem
   similar to contents of the SOCKS v5 protocol [RFC1928] which is used document, we
   would like to proxy TCP
   connections.  The Client creates a connection thank Joe Touch and Juliusz Chroboczek whose comments
   on the MPTCP mailing list have forced us to a SOCKS proxy,
   exchanges authentication information and indicates reconsider the destination
   address and port design of
   the final server.  At solution several times.

   We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha
   Nandugudi and Gregory Vander Schueren for their help in preparing
   this point, document.  Nandini Ganesh provided valuable feedback about the SOCKS proxy
   creates a connection towards
   handling of TFO and the final server error codes.  Yuchung Cheng and relays all data
   between Praveen
   Balasubramanian helped to clarify the two proxied connections.  The operation of an
   implementation based discussion on SOCKSv5 is illustrated in Figure 27.

   Client                     SOCKS Proxy                  Server
        -------------------->
                SYN
        <--------------------
              SYN+ACK
        -------------------->
                ACK

        -------------------->
        Version=5, Auth Methods
        <--------------------
              Method
        -------------------->
            Auth Request (unless "No auth" method negotiated)
        <--------------------
            Auth Response
        -------------------->
        Connect Server:Port            -------------------->
                                              SYN

                                       <--------------------
                                            SYN+ACK
        <--------------------
             Succeeded

        -------------------->
               Data1
                                       -------------------->
                                              Data1

                                       <--------------------
                                              Data2
        <--------------------
                 Data2

    Figure 27: Establishment of a TCP connection through a SOCKS proxy
                          without authentication

   The Convert Protocol also relays supplying data between an upstream in
   SYNs.  Phil Eardley and a
   downstream connection, but there are important differences with
   SOCKSv5.

   A first difference is that Michael Scharf's helped to clarify different
   parts of the Convert Protocol exchanges all control
   information during text.

   Many thanks to Mirja Kuehlewind for the three-way handshake. detailed AD review.

   This reduces the
   connection establishment delay compared to SOCKS document builds upon earlier documents that requires two or
   more round-trip-times before the establishment proposed various
   forms of the downstream
   connection towards the final destination.  In today's Internet,
   latency is a important metric Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode],
   [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b].

   From [I-D.boucadair-mptcp-plain-mode]:

   Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi
   Nishida, and various protocols have been tuned
   to reduce Christoph Paasch for their latency [I-D.arkko-arch-low-latency].  A recently
   proposed extension valuable comments.

   Thanks to SOCKS leverages the TFO option
   [I-D.olteanu-intarea-socks-6].

   A second difference is that the Convert Protocol explicitly takes the
   TCP extensions into account.  By using Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and
   Sri Gundavelli for the Convert Protocol, fruitful discussions in IETF#95 (Buenos
   Aires).

   Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and
   Xavier Grall for their inputs.

   Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas
   Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves
   Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun
   Srinivasan, and Raghavendra Mallya for the
   Client can learn whether a given TCP extension is supported by discussion.

Contributors

   Bart Peirens contributed to an early version of the
   destination Server. document.

   As noted above, this document builds on two previous documents.

   The authors of [I-D.boucadair-mptcp-plain-mode] were:

   o  Mohamed Boucadair
   o  Christian Jacquenet

   o  Olivier Bonaventure

   o  Denis Behaghel

   o  Stefano Secci

   o  Wim Henderickx

   o  Robert Skog

   o  Suresh Vinapamula

   o  SungHoon Seo

   o  Wouter Cloetens

   o  Ullrich Meyer

   o  Luis M.  Contreras

   o  Bart Peirens

   The authors of [I-D.peirens-mptcp-transparent] were:

   o  Bart Peirens

   o  Gregory Detal

   o  Sebastien Barre

   o  Olivier Bonaventure

Change Log

   This enables the Client section to bypass the Transport
   Converter when the destination supports the required TCP extension.
   Neither SOCKS v5 [RFC1928] nor the proposed SOCKS v6
   [I-D.olteanu-intarea-socks-6] provide such a feature.

   A third difference is that a Transport Converter will be removed before publication.

   o  00 : initial version, designed to support Multipath TCP and TFO
      only accept the
   connection initiated by the Client provided that

   o  00 to -01 : added section Section 7 describing the downstream
   connection is accepted support of
      different standard tracks TCP options by the Server.  If the Server refuses the
   connection establishment attempt from the Transport Converter, then
   the upstream connection from Converters,
      clarification of the Client is rejected as well.  This
   feature is important for applications that check IANA section, moved the availability of
   a Server or use SOCKS comparison to
      the time appendix and various minor modifications

   o  01 to connect as -02: Minor modifications
   o  02 to -03: Minor modifications

   o  03 to -04: Minor modifications

   o  04 to -05: Integrate a hint lot of feedback from implementers who have
      worked on client and server side implementations.  The main
      modifications are the selection of a
   Server [RFC8305].

   A fourth difference following :

      *  TCP Fast Open is not strictly required anymore.  Several
         implementers expressed concerns about this requirement.  The
         TFO Cookie protects from some attack scenarios that the affect open
         servers like web servers.  The Convert Protocol only allows the
   client to specify the address/port of the destination server is different
         and not
   a DNS name.  We evaluated an alternate design for the Connect TLV
   that included the DNS name of the remote peer instead of its IP
   address as discussed in SOCKS [RFC1928].  However, that design was not adopted
   because it induces both an extra load and increased delays on the
   Transport Converter RFC7413, there are different ways to handle and manage DNS resolution requests.

Acknowledgments

   Although they could disagree with the contents
         protect from such attacks.  Instead of using a TFO cookie
         inside the document, we
   would like to thank Joe Touch and Juliusz Chroboczek whose comments
   on TCP options, which consumes precious space in the MPTCP mailing list have forced us to reconsider
         extended TCP header, this version supports the design utilization of
   the solution several times.

   We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha
   Nandugudi and Gregory Vander Schueren for their help a
         Cookie that is placed in preparing
   this document.  Nandini Ganesh provided valuable feedback about the
   handling SYN payload.  This provides the
         same level of protection as a TFO and the error codes.  Yuchung Cheng and Praveen
   Balasubramanian helped to clarify Cookie in environments were
         such protection is required.

      *  the discussion Bootstrap procedure has been simplified based on supplying data feedback
         from implementers

      *  Error messages are not included in RST segments anymore but
         sent in
   SYNs.  Phil Eardley and Michael Scharf's helped to clarify different
   parts of the text.

   This document builds upon earlier documents bytestream.  Implementers have indicated that proposed various
   forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode],
   [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b].

   From [I-D.boucadair-mptcp-plain-mode]:
         processing such segments on clients was difficult on some
         platforms.  This change simplifies client implementations.

      *  Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi
   Nishida, and Christoph Paasch for their valuable comments.

   Thanks minor editorial changes to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and
   Sri Gundavelli for clarify the fruitful discussions in IETF#95 (Buenos
   Aires).

   Special thanks text based on
         implementers feedback.

   o  05 to Pierrick Seite, Yannick Le Goff, Fred Klamm, and
   Xavier Grall for their inputs.

   Thanks also -06: Many clarifications to integrate the comments from the
      chairs in preparation to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas
   Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves
   Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun
   Srinivasan, and Raghavendra Mallya for the discussion.

Contributors

   Bart Peirens contributed WGLC:

      *  Updated IANA policy to an early version require "IETF Review" instead of
         "Standard Action"

      *  Call out explicitly that data in SYNs are relayed by the document.

   As noted above, this document builds on two previous documents.

   The authors of [I-D.boucadair-mptcp-plain-mode] were:

   o  Mohamed Boucadair

   o  Christian Jacquenet

   o  Olivier Bonaventure

   o  Denis Behaghel

   o  Stefano Secci

   o  Wim Henderickx

   o  Robert Skog

   o  Suresh Vinapamula

   o  SungHoon Seo

   o  Wouter Cloetens

   o  Ullrich Meyer
         Converter

      *  Reiterate the scope

      *  Hairpinning behavior can be disabled (policy-based)

      *  Fix nits

   o  Luis M.  Contreras  07:

      *  Update the text about supplying data in SYNs to make it clear
         that a constraint defined in RFC793 is relaxed following the
         same rationale as in RFC7413.

      *  Nits

      *  Added Appendix A on example Socket API changes

   o  Bart Peirens

   The authors  08:

      *  Added short discussion on the termination of [I-D.peirens-mptcp-transparent] were: connections

   o  Bart Peirens  09:

      *  Address various comments received during last call

   o  Gregory Detal  10-13:

      *  Changes to address the comments from Phil: Add a new section to
         group data plane considerations in one place + add a new
         appendix with more details on address modes + rearrange the
         MPTCP text.

   o  Sebastien Barre  14: fixed nits (the shepherd write-up)

   o  Olivier Bonaventure  15: Various clarifications in the text to address the detailed
      comments provided by Mirja Kuehlewind

Authors' Addresses

   Olivier Bonaventure (editor)
   Tessares

   Email: Olivier.Bonaventure@tessares.net

   Mohamed Boucadair (editor)
   Orange
   Clos Courtel
   Rennes  35000
   France

   Email: mohamed.boucadair@orange.com
   Sri Gundavelli
   Cisco

   Email: sgundave@cisco.com

   SungHoon Seo
   Korea Telecom

   Email: sh.seo@kt.com

   Benjamin Hesmans
   Tessares

   Email: Benjamin.Hesmans@tessares.net