TAPS                                                            M. Welzl
Internet-Draft                                               S. Gjessing
Intended status: Informational                        University of Oslo
Expires: March 17, 2019                               September 13, 2018

A Minimal Set of Transport Services for End Systems
draft-ietf-taps-minset-09

Abstract

This draft recommends a minimal set of Transport Services offered by end systems, and gives guidance on choosing among the available mechanisms and protocols. It is based on the set of transport features in RFC 8303.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 17, 2019.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Deriving the minimal set
   4.  The Reduced Set of Transport Features
     4.1.  CONNECTION Related Transport Features
     4.2.  DATA Transfer Related Transport Features
       4.2.1.  Sending Data
       4.2.2.  Receiving Data
       4.2.3.  Errors
   5.  Discussion
     5.1.  Sending Messages, Receiving Bytes
     5.2.  Stream Schedulers Without Streams
     5.3.  Early Data Transmission
     5.4.  Sender Running Dry
     5.5.  Capacity Profile
     5.6.  Security
     5.7.  Packet Size
   6.  The Minimal Set of Transport Features
     6.1.  ESTABLISHMENT, AVAILABILITY and TERMINATION
     6.2.  MAINTENANCE
       6.2.1.  Connection groups
       6.2.2.  Individual connections
     6.3.  DATA Transfer
       6.3.1.  Sending Data
       6.3.2.  Receiving Data
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  The Superset of Transport Features
     A.1.  CONNECTION Related Transport Features
     A.2.  DATA Transfer Related Transport Features
       A.2.1.  Sending Data
       A.2.2.  Receiving Data
       A.2.3.  Errors
   Appendix B.  Revision information
   Authors' Addresses

1.  Introduction

Currently, the set of transport services that most applications use is based on TCP and UDP (and protocols that are layered on top of them); this limits the ability for the network stack to make use of features of other transport protocols. For example, if a protocol supports out-of-order message delivery but applications always assume that the network provides an ordered bytestream, then the network stack can not immediately deliver a message that arrives out-of-order: doing so would break a fundamental assumption of the application. The net result is unnecessary head-of-line blocking delay.

By exposing the transport services of multiple transport protocols, a transport system can make it possible for applications to use these services without being statically bound to a specific transport protocol. The first step towards the design of such a system was taken by [RFC8095], which surveys a large number of transports, and [RFC8303] as well as [RFC8304], which identify the specific transport features that are exposed to applications by the protocols TCP, MPTCP, UDP(-Lite) and SCTP as well as the LEDBAT congestion control mechanism. LEDBAT was included as the only congestion control mechanism in this list because the "low extra delay background transport" service that it offers is significantly different from the typical service provided by other congestion control mechanisms. This memo is based on these documents and follows the same terminology (also listed below). Because the considered transport protocols conjointly cover a wide range of transport features, there is reason to hope that the resulting set (and the reasoning that led to it) will also apply to many aspects of other transport protocols that may be in use today, or may be designed in the future.

By decoupling applications from transport protocols, a transport system provides a different abstraction level than the Berkeley sockets interface [POSIX]. As with high- vs. low-level programming languages, a higher abstraction level allows more freedom for automation below the interface, yet it takes some control away from the application programmer. This is the design trade-off that a transport system developer is facing, and this document provides guidance on the design of this abstraction level. Some transport features are currently rarely offered by APIs, yet they must be offered or they can never be used.
Other transport features are offered by the APIs of the protocols covered here, but not exposing them in an API would allow for more freedom to automate protocol usage in a transport system. The minimal set presented here is an effort to find a middle ground that can be recommended for transport systems to implement, on the basis of the transport features discussed in [RFC8303].

Applications use a wide variety of APIs today. The transport features in the minimal set in this document must be reflected in *all* network APIs in order for the underlying functionality to become usable everywhere. For example, it does not help an application that talks to a library which offers its own communication interface if the underlying Berkeley Sockets API is extended to offer "unordered message delivery", but the library only exposes an ordered bytestream. Both the Berkeley Sockets API and the library would have to expose the "unordered message delivery" transport feature (alternatively, there may be ways for certain types of libraries to use this transport feature without exposing it, based on knowledge about the applications -- but this is not the general case). Similarly, transport protocols such as SCTP offer multi-streaming, which cannot be utilized, e.g., to prioritize messages between streams, unless applications communicate the priorities and the group of connections upon which these priorities should be applied. In most situations, in the interest of being as flexible and efficient as possible, the best choice will be for a library to expose at least all of the transport features that are recommended as a "minimal set" here.

This "minimal set" can be implemented "one-sided" over TCP. This means that a sender-side transport system can talk to a standard TCP receiver, and a receiver-side transport system can talk to a standard TCP sender. If certain limitations are put in place, the "minimal set" can also be implemented "one-sided" over UDP. While the possibility of such "one-sided" implementation may help deployment, it comes at the cost of limiting the set to services that can also be provided by TCP (or, with further limitations, UDP). Thus, the minimal set of transport features here is applicable for many, but not all, applications: some application protocols have requirements that are not met by this "minimal set".

Note that, throughout this document, protocols are meant to be used natively. For example, when transport features of UDP, or "implementation over" UDP is discussed, this refers to native usage of UDP.

2.  Terminology

Transport Feature: a specific end-to-end feature that the transport layer provides to an application. Examples include confidentiality, reliable delivery, ordered delivery, message-versus-stream orientation, etc.

Transport Service: a set of Transport Features, without an association to any given framing protocol, which provides a complete service to an application.

Transport Protocol: an implementation that provides one or more different transport services using a specific framing and header format on the wire.

Application: an entity that uses a transport layer interface for end-to-end delivery of data across the network (this may also be an upper layer protocol or tunnel encapsulation).

Application-specific knowledge: knowledge that only applications have.

End system: an entity that communicates with one or more other end systems using a transport protocol. An end system provides a transport layer interface to applications.

Connection: shared state of two or more end systems that persists across messages that are transmitted between these end systems.

Connection Group: a set of connections which share the same configuration (configuring one of them causes all other connections in the same group to be configured in the same way). We call connections that belong to a connection group "grouped", while "ungrouped" connections are not a part of a connection group.

Socket: the combination of a destination IP address and a destination port number.

Moreover, throughout the document, the protocol name "UDP(-Lite)" is used when discussing transport features that are equivalent for UDP and UDP-Lite; similarly, the protocol name "TCP" refers to both TCP and MPTCP.

3.  Deriving the minimal set

We assume that applications have no specific requirements that need knowledge about the network, e.g. regarding the choice of network interface or the end-to-end path. Even with these assumptions, there are certain requirements that are strictly kept by transport protocols today, and these must also be kept by a transport system. Some of these requirements relate to transport features that we call "Functional".

Functional transport features provide functionality that cannot be used without the application knowing about them, or else they violate assumptions that might cause the application to fail. For example, ordered message delivery is a functional transport feature: it cannot be configured without the application knowing about it because the application's assumption could be that messages always arrive in order. Failure includes any change of the application behavior that is not performance oriented, e.g. security.

"Change DSCP" and "Disable Nagle algorithm" are examples of transport features that we call "Optimizing": if a transport system autonomously decides to enable or disable them, an application will not fail, but a transport system may be able to communicate more efficiently if the application is in control of this optimizing transport feature. These transport features require application-specific knowledge (e.g., about delay/bandwidth requirements or the length of future data blocks that are to be transmitted).

The transport features of IETF transport protocols that do not require application-specific knowledge and could therefore be utilized by a transport system on its own without involving the application are called "Automatable".

We approach the construction of a minimal set of transport features in the following way:

   1.  Categorization (Appendix A): the superset of transport features from [RFC8303] is presented, and transport features are categorized as Functional, Optimizing or Automatable for later reduction.

   2.  Reduction (Section 4): a shorter list of transport features is derived from the categorization in the first step. This removes all transport features that do not require application-specific knowledge or would result in semantically incorrect behavior if they were implemented over TCP or UDP.

   3.  Discussion (Section 5): the resulting list shows a number of peculiarities that are discussed, to provide a basis for constructing the minimal set.

   4.  Construction (Section 6): Based on the reduced set and the discussion of the transport features therein, a minimal set is constructed.

Following [RFC8303] and retaining its terminology, we divide the transport features into two main groups as follows:

   1.  CONNECTION related transport features
       - ESTABLISHMENT
       - AVAILABILITY
       - MAINTENANCE
       - TERMINATION

   2.  DATA Transfer related transport features
       - Sending Data
       - Receiving Data
       - Errors

4.  The Reduced Set of Transport Features

By hiding automatable transport features from the application, a transport system can gain opportunities to automate the usage of network-related functionality. This can facilitate using the transport system for the application programmer and it allows for optimizations that may not be possible for an application. For instance, system-wide configurations regarding the usage of multiple interfaces can better be exploited if the choice of the interface is not entirely up to the application. Therefore, since they are not strictly necessary to expose in a transport system, we do not include automatable transport features in the reduced set of transport features. This leaves us with only the transport features that are either optimizing or functional.

A transport system should be able to communicate via TCP or UDP if alternative transport protocols are found not to work. For many transport features, this is possible -- often by simply not doing anything when a specific request is made.
For some transport features, however, it was identified that direct usage of neither TCP nor UDP is possible: in these cases, even not doing anything would incur semantically incorrect behavior. Whenever an application would make use of one of these transport features, this would eliminate the possibility to use TCP or UDP. Thus, we only keep the functional and optimizing transport features for which an implementation over either TCP or UDP is possible in our reduced set.

The following list contains the transport features from Appendix A, reduced using these rules. The "minimal set" derived in this document is meant to be implementable "one-sided" over TCP, and, with limitations, UDP. In the list, we therefore precede a transport feature with "T:" if an implementation over TCP is possible, "U:" if an implementation over UDP is possible, and "T,U:" if an implementation over either TCP or UDP is possible.

4.1.  CONNECTION Related Transport Features

ESTABLISHMENT:

   o  T,U: Connect
   o  T,U: Specify number of attempts and/or timeout for the first establishment message
   o  T: Configure authentication
   o  T: Hand over a message to reliably transfer (possibly multiple times) before connection establishment
   o  T: Hand over a message to reliably transfer during connection establishment

AVAILABILITY:

   o  T,U: Listen
   o  T: Configure authentication

MAINTENANCE:

   o  T: Change timeout for aborting connection (using retransmit limit or time value)
   o  T: Suggest timeout to the peer
   o  T,U: Disable Nagle algorithm
   o  T,U: Notification of Excessive Retransmissions (early warning below abortion threshold)
   o  T,U: Specify DSCP field
   o  T,U: Notification of ICMP error message arrival
   o  T: Change authentication parameters
   o  T: Obtain authentication information
   o  T,U: Set Cookie life value
   o  T,U: Choose a scheduler to operate between streams of an association
   o  T,U: Configure priority or weight for a scheduler
   o  T,U: Disable checksum when sending
   o  T,U: Disable checksum requirement when receiving
   o  T,U: Specify checksum coverage used by the sender
   o  T,U: Specify minimum checksum coverage required by receiver
   o  T,U: Specify DF field
   o  T,U: Get max. transport-message size that may be sent using a non-fragmented IP packet from the configured interface
   o  T,U: Get max. transport-message size that may be received from the configured interface
   o  T,U: Obtain ECN field
   o  T,U: Enable and configure a "Low Extra Delay Background Transfer"

TERMINATION:

   o  T: Close after reliably delivering all remaining data, causing an event informing the application on the other side
   o  T: Abort without delivering remaining data, causing an event informing the application on the other side
   o  T,U: Abort without delivering remaining data, not causing an event informing the application on the other side
   o  T,U: Timeout event when data could not be delivered for too long

4.2.  DATA Transfer Related Transport Features

4.2.1.  Sending Data

   o  T: Reliably transfer data, with congestion control
   o  T: Reliably transfer a message, with congestion control
   o  T,U: Unreliably transfer a message
   o  T: Configurable Message Reliability
   o  T: Ordered message delivery (potentially slower than unordered)
   o  T,U: Unordered message delivery (potentially faster than ordered)
   o  T,U: Request not to bundle messages
   o  T: Specifying a key id to be used to authenticate a message
   o  T,U: Request not to delay the acknowledgement (SACK) of a message

4.2.2.  Receiving Data

   o  T,U: Receive data (with no message delimiting)
   o  U: Receive a message
   o  T,U: Information about partial message arrival

4.2.3.  Errors

This section describes sending failures that are associated with a specific call to in the "Sending Data" category (Appendix A.2.1).

   o  T,U: Notification of send failures
   o  T,U: Notification that the stack has no more user data to send
   o  T,U: Notification to a receiver that a partial message delivery has been aborted

5.  Discussion

The reduced set in the previous section exhibits a number of peculiarities, which we will discuss in the following. This section focuses on TCP because, with the exception of one particular transport feature ("Receive a message" -- we will discuss this in Section 5.1), the list shows that UDP is strictly a subset of TCP. We can first try to understand how to build a transport system that can run over TCP, and then narrow down the result further to allow that the system can always run over either TCP or UDP (which effectively means removing everything related to reliability, ordering, authentication and closing/aborting with a notification to the peer).

Note that, because the functional transport features of UDP are -- with the exception of "Receive a message" -- a subset of TCP, TCP can be used as a replacement for UDP whenever an application does not need message delimiting (e.g., because the application-layer protocol already does it). This has been recognized by many applications that already do this in practice, by trying to communicate with UDP at first, and falling back to TCP in case of a connection failure.

5.1.  Sending Messages, Receiving Bytes

For implementing a transport system over TCP, there are several transport features related to sending, but only a single transport feature related to receiving: "Receive data (with no message delimiting)" (and, strangely, "information about partial message arrival"). Notably, the transport feature "Receive a message" is also the only non-automatable transport feature of UDP(-Lite) for which no implementation over TCP is possible.

To support these TCP receiver semantics, we define an "Application-Framed Bytestream" (AFra-Bytestream). AFra-Bytestreams allow senders to operate on messages while minimizing changes to the TCP socket API. In particular, nothing changes on the receiver side - data can be accepted via a normal TCP socket.

In an AFra-Bytestream, the sending application can optionally inform the transport about message boundaries and required properties per message (configurable order and reliability, or embedding a request not to delay the acknowledgement of a message).
Whenever the sending application specifies per-message properties that relax the notion of reliable in-order delivery of bytes, it must assume that the receiving application is 1) able to determine message boundaries, provided that messages are always kept intact, and 2) able to accept these relaxed per-message properties. Any signaling of such information to the peer is up to an application-layer protocol and considered out of scope of this document.

For example, if an application requests to transfer fixed-size messages of 100 bytes with partial reliability, this needs the receiving application to be prepared to accept data in chunks of 100 bytes. If, then, some of these 100-byte messages are missing (e.g., if SCTP with Configurable Reliability is used), this is the expected application behavior.
With TCP, no messages would be missing, but this is also correct for the application, and the possible retransmission delay is acceptable within the best-effort service model (see [RFC7305], Section 3.5). Still, the receiving application would separate the byte stream into 100-byte chunks.

Note that this usage of messages does not require all messages to be equal in size. Many application protocols use some form of Type-Length-Value (TLV) encoding, e.g. by defining a header including length fields; another alternative is the use of byte stuffing methods such as COBS [COBS]. If an application needs message numbers, e.g. to restore the correct sequence of messages, these must also be encoded by the application itself, as the sequence number related transport features of SCTP are not provided by the "minimum set" (in the interest of enabling usage of TCP).

5.2.  Stream Schedulers Without Streams

We have already stated that multi-streaming does not require application-specific knowledge. Potential benefits or disadvantages of, e.g., using two streams of an SCTP association versus using two separate SCTP associations or TCP connections are related to knowledge about the network and the particular transport protocol in use, not the application. However, the transport features "Choose a scheduler to operate between streams of an association" and "Configure priority or weight for a scheduler" operate on streams. Here, streams identify communication channels between which a scheduler operates, and they can be assigned a priority. Moreover, the transport features in the MAINTENANCE category all operate on associations in case of SCTP, i.e. they apply to all streams in that association.

With only these semantics necessary to represent, the interface to a transport system becomes easier if we assume that connections may be not only a transport protocol's connection or association, but could also be a stream of an existing SCTP association, for example. We only need to allow for a way to define a possible grouping of connections. Then, all MAINTENANCE transport features can be said to operate on connection groups, not connections, and a scheduler operates on the connections within a group.

To be compatible with multiple transport protocols and uniformly allow access to both transport connections and streams of a multi-streaming protocol, the semantics of opening and closing need to be the most restrictive subset of all of the underlying options.
For example, TCP's support of half-closed connections can be seen as amessage in an Application-Framed- Bytestream (see Appendix A.3.1). This may also return an error when data isfeature on top of the more restrictive "ABORT"; this feature cannot be supported because notdelimited ("not available"). o The maximumall protocols used by a transportmessage size that can be received from the configured interface, in bytes (or "not available"). o The maximum amountsystem (including streams ofdata that can possibly be sentan association) support half-closed connections. 5.3. Early Data Transmission There are two transport features related to transferring a message early: "Hand over a message to reliably transfer (possibly multiple times) beforeor duringconnectionestablishment, in bytes. In additionestablishment", which relates tothe already mentioned closing / aborting notificationsTCP Fast Open [RFC7413], andpossible send errors,"Hand over a message to reliably transfer during connection establishment", which relates to SCTP's ability to transfer data together with thefollowing notificationsCOOKIE-Echo chunk. Also without TCP Fast Open, TCP canoccur: o Excessive Retransmissions:transfer data during theconfigured (or a default) number of retransmissions has been reached, yielding this early warning below an abortion threshold. o ICMP Arrival (parameter: ICMP message): an ICMP packet carryinghandshake, together with theconveyed ICMP message has arrived. o ECN Arrival (parameter: ECN value): aSYN packetcarrying-- however, theconveyed ECN value has arrived. This can be useful for applications implementing congestion control. o Timeout (parameter: s seconds):receiver of this datacouldmay notbe delivered for s seconds. o Drain:hand it over to thesend buffer has either drained belowapplication until theconfigured buffer limit or ithandshake hasbecome completely empty. This is a generic notification that tries to enable uniform access to "TCP_NOTSENT_LOWAT"completed. 
Also, different from TCP Fast Open, this data is not delimited aswella message by TCP (thus, not visible asthe "SENDER DRY" notification (as discussed in Appendix A.3.4 -- SCTP's "SENDER DRY" isaspecial case where the threshold (for unsent data)``message''). This functionality is0commonly available in TCP andthere is also no more unacknowledged datasupported in several implementations, even though thesend buffer). 3.2.2. Individual connections Configure priorityTCP specification does not explain how to provide it to applications. A transport system could differentiate between the cases of transmitting data "before" (possibly multiple times) orweight for a scheduler, as described in [RFC8260]. Configure checksum usage: this can be done with"during" thefollowing parameters, but there is no guaranteehandshake. Alternatively, it could also assume thatany checksum limitationsdata that are handed over early willindeedbeenforced (the default behavior is "full coverage, checksum enabled"): o A boolean to enable / disable usage of a checksum when sending o The desired coverage (in bytes) oftransmitted as early as possible, and "before" thechecksumhandshake would only be usedwhen sending o A booleanfor messages that are explicitly marked as "idempotent" (i.e., it would be acceptable toenable / disable requiring a checksum when receiving otransfer them multiple times). Therequired minimum coverage (in bytes)amount of data that can successfully be transmitted before or during thechecksum when receiving 3.3. DATA Transfer 3.3.1. Sending Data When sending a message, no guarantees are given abouthandshake depends on various factors: thepreservationtransport protocol, the use ofmessage boundaries to the peer; if message boundaries are needed, the receiving application atheader options, thepeer must know about them beforehand (orchoice of IPv4 and IPv6 and the Path MTU. A transport systemcannot use TCP). 
Note that an applicationshouldalready be abletherefore allow a sending application tohand overquery the maximum amount of data it can possibly transmit beforethe transport system establishes a(or, if exposed, during) connectionwith a chosenestablishment. 5.4. Sender Running Dry The transportprotocol. Regarding the messagefeature "Notification thatis being handed over,thefollowing parameters canstack has no more user data to send" relates to SCTP's "SENDER DRY" notification. Such notifications can, in principle, beused: o Reliability: this parameter isused toconvey a choice of: fully reliable with congestion control (!UDP), unreliable without congestion control, unreliable with congestion control (!UDP), partially reliable with congestion control (see [RFC3758] and [RFC7496] for details on howavoid having an unnecessarily large send buffer, yet ensure that the transport sender always has data available when it has an opportunity tospecify partial reliability) (!UDP). The latter two choices are optionaltransmit it. This has been found to be very beneficial forasome applications [WWDC2015]. However, "SENDER DRY" truly means that the entire send buffer (including both unsent and unacknowledged data) has emptied -- i.e., when it notifies the sender, it is already too late, the transportsystemprotocol already missed an opportunity tooffer and may resultsend data. Some modern TCP implementations now include the unspecified "TCP_NOTSENT_LOWAT" socket option that was proposed infull reliability. Note[WWDC2015], which limits the amount of unsent data thatapplications sending unreliable data without congestion control should themselves perform congestion controlTCP can keep inaccordance with [RFC2914]. o (!UDP) Ordered:the socket buffer; thisboolean parameter lets an application choose between ordered message delivery (true) and possibly unordered, potentially faster message delivery (false). 
o Bundle: a boolean that expresses a preferenceallows to specify at which buffer filling level the socket becomes writable, rather than waiting forallowingthe buffer tobundle messages (true) or not (false). No guarantees are given. o DelAck: a boolean that, if false, lets an application request thatrun empty. SCTP allows to configure thepeer would not delaysender-side buffer too: theacknowledgement forautomatable Transport Feature "Configure send buffer size" provides thismessage. o Fragment: a boolean that expressesfunctionality, but only for the complete buffer, which includes both unsent and unacknowledged data. SCTP does not allow to control these two sizes separately. It therefore makes sense for apreferencetransport system to allow forallowinguniform access tofragment messages (true) or not (false), at"TCP_NOTSENT_LOWAT" as well as theIP level. No guarantees are given."SENDER DRY" notification. 5.5. Capacity Profile The transport features: o(!UDP) Idempotent:Disable Nagle algorithm o Enable and configure aboolean that expresses whether"Low Extra Delay Background Transfer" o Specify DSCP field all relate to amessage is idempotent (true)QoS-like application need such as "low latency" ornot (false). Idempotent messages may arrive multiple times at"scavenger". In thereceiver (butinterest of flexibility of a transport system, theywill arrive at least once). When data is idempotent it cancould therefore beused by the receiver immediately on a connection establishment attempt. Thus, if data is handed over before the transport system establishesoffered in aconnection withuniform, more abstract way, where achosentransportprotocol, stating thatsystem could e.g. decide by itself how to use combinations of LEDBAT-like congestion control and certain DSCP values, and an application would only specify amessage is idempotent facilitates transmittinggeneral "capacity profile" (a description of how it wants to use thepeer application particularly early. 
An application can be notifiedavailable capacity). A need for "lowest possible latency at the expense ofa failureoverhead" could then translate into automatically disabling the Nagle algorithm. In some cases, the Nagle algorithm is best controlled directly by the application because it is not only related tosendaspecific message. Theregeneral profile but also to knowledge about the size of future messages. For fine-grain control over Nagle-like functionality, the "Request not to bundle messages" isno guaranteeavailable. 5.6. Security Both TCP and SCTP offer authentication. TCP authenticates complete segments. SCTP allows to configure which ofsuch notifications, i.e. send failures can also silently occur. 3.3.2. Receiving Data A receiving application obtains an "Application-Framed Bytestream" (AFra-Bytestream);SCTP's chunk types must always be authenticated -- if thisconceptisfurther described in Appendix A.3.1). In line with TCP's receiver semantics,exposed as such, it creates anAFra- Bytestream is just a stream of bytes to the receiver. If message boundaries were specified byundesirable dependency on thesender,transport protocol. For compatibility with TCP, areceiver-sidetransport systemimplementingshould onlythe minimum set ofallow to configure complete transportservices defined here will still not inform the receiving application about them (this limitationlayer packets, including headers, IP pseudo-header (if any) and payload. Security isonly needed fordiscussed in a separate document [I-D.ietf-taps-transport-security]. The minimal set presented in the present document excludes all security related transportsystems that are implemented to directly use TCP). 
Differentfeatures fromTCP's semantics, if the sending application has allowed that messages are not fully reliably transferred, or delivered out of order, then such re-ordering or unreliability mayAppendix A: "Configure authentication", "Change authentication parameters", "Obtain authentication information" and and "Set Cookie life value" as well as "Specifying a key id to bereflected per message in the arriving data. Messages will always stay intact - i.e. ifused to authenticate a message". 5.7. Packet Size UDP(-Lite) has a transport feature called "Specify DF field". This yields anincompleteerror messageis contained at the endin case ofthe arriving data block, thissending a message that exceeds the Path MTU, which isguaranteednecessary for a UDP-based application tocontinue in the next arriving data block. 4. Acknowledgements The authors would likebe able tothank allimplement Path MTU Discovery (a function that UDP-based applications must do by themselves). The "Get max. transport-message size that may be sent using a non-fragmented IP packet from theparticipants ofconfigured interface" transport feature yields an upper limit for theTAPS Working GroupPath MTU (minus headers) and can therefore help to implement Path MTU Discovery more efficiently. 6. The Minimal Set of Transport Features Based on theNEATcategorization, reduction, andMAMI research projects for valuable input todiscussion in Section 3, thisdocument. We especially thank Michael Tuexen for help with connection connection establishment/teardown, Gorry Fairhurst for his suggestions regarding fragmentation and packet sizes, and Spencer Dawkins for his extremely detailed and constructive review. This work has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 644334 (NEAT). 5. IANA Considerations This memo includes no request to IANA. 6. 
Security Considerations Authentication, confidentiality protection, and integrity protection are identified assection describes a minimal set of transport featuresby [RFC8095]. As currently deployed inthat end systems should offer. Any configuration based theInternet, these features are generally provided by a protocol or layer on topdescribed minimum set of transport feature can always be realized over TCP but also gives the transportprotocol; no current full- featured standards-tracksystem flexibility to choose another transportprotocol provides allif implemented. In the text ofthese transport features on its own. Therefore, these transport features are not considered inthisdocument, with the exceptionsection, "not UDP" is used to indicate elements ofnative authentication capabilitiesthe system that cannot be implemented over UDP. Conversely, all elements ofTCP and SCTP for whichthesecurity considerations in [RFC5925] and [RFC4895] apply. The minimum requirements for a secure transportsystem that arediscussednot marked with "not UDP" can also be implemented over UDP. The arguments laid out ina separate document (SectionSection 5on Security Features and Transport Dependencies("discussion") were used to make the final representation of[I-D.ietf-taps-transport-security]). 7. References 7.1. Normative References [I-D.ietf-taps-transport-security] Pauly, T., Perkins, C., Rose, K.,the minimal set as short, simple andC. Wood, "A Survey of Transport Security Protocols", draft-ietf-taps- transport-security-02 (work in progress), June 2018. [RFC8095] Fairhurst, G., Ed., Trammell, B., Ed., and M. Kuehlewind, Ed., "Services Provided by IETF Transport Protocols and Congestion Control Mechanisms", RFC 8095, DOI 10.17487/RFC8095, March 2017, <https://www.rfc-editor.org/info/rfc8095>. [RFC8303] Welzl, M., Tuexen, M., and N. 
Khademi, "On the Usage of Transport Features Provided by IETF Transport Protocols", RFC 8303, DOI 10.17487/RFC8303, February 2018, <https://www.rfc-editor.org/info/rfc8303>.

7.2. Informative References

[COBS] Cheshire, S. and M. Baker, "Consistent Overhead Byte Stuffing", IEEE/ACM Transactions on Networking Vol. 7, No. 2, April 1999.

[I-D.ietf-tsvwg-rtcweb-qos] Jones, P., Dhesikan, S., Jennings, C., and D. Druta, "DSCP Packet Markings for WebRTC QoS", draft-ietf-tsvwg-rtcweb-qos-18 (work in progress), August 2016.

[LBE-draft] Bless, R., "A Lower Effort Per-Hop Behavior (LE PHB)", Internet-draft draft-tsvwg-le-phb-03, February 2018.

[RFC2914] Floyd, S., "Congestion Control Principles", BCP 41, RFC 2914, DOI 10.17487/RFC2914, September 2000, <https://www.rfc-editor.org/info/rfc2914>.

[RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P. Conrad, "Stream Control Transmission Protocol (SCTP) Partial Reliability Extension", RFC 3758, DOI 10.17487/RFC3758, May 2004, <https://www.rfc-editor.org/info/rfc3758>.

[RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla, "Authenticated Chunks for the Stream Control Transmission Protocol (SCTP)", RFC 4895, DOI 10.17487/RFC4895, August 2007, <https://www.rfc-editor.org/info/rfc4895>.

[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, <https://www.rfc-editor.org/info/rfc4987>.

[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, DOI 10.17487/RFC5925, June 2010, <https://www.rfc-editor.org/info/rfc5925>.

[RFC7305] Lear, E., Ed., "Report from the IAB Workshop on Internet Technology Adoption and Transition (ITAT)", RFC 7305, DOI 10.17487/RFC7305, July 2014, <https://www.rfc-editor.org/info/rfc7305>.

[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, <https://www.rfc-editor.org/info/rfc7413>.
[RFC7496] Tuexen, M., Seggelmann, R., Stewart, R., and S. Loreto, "Additional Policies for the Partially Reliable Stream Control Transmission Protocol Extension", RFC 7496, DOI 10.17487/RFC7496, April 2015, <https://www.rfc-editor.org/info/rfc7496>.

[RFC8260] Stewart, R., Tuexen, M., Loreto, S., and R. Seggelmann, "Stream Schedulers and User Message Interleaving for the Stream Control Transmission Protocol", RFC 8260, DOI 10.17487/RFC8260, November 2017, <https://www.rfc-editor.org/info/rfc8260>.

[RFC8304] Fairhurst, G. and T. Jones, "Transport Features of the User Datagram Protocol (UDP) and Lightweight UDP (UDP-Lite)", RFC 8304, DOI 10.17487/RFC8304, February 2018, <https://www.rfc-editor.org/info/rfc8304>.

[WWDC2015] Lakhera, P. and S. Cheshire, "Your App and Next Generation Networks", Apple Worldwide Developers Conference 2015, San Francisco, USA, June 2015, <https://developer.apple.com/videos/wwdc/2015/?id=719>.

Appendix A. Deriving the minimal set

We approach the construction of a minimal set of transport features in the following way:

1. Categorization (Appendix A.1): the superset of transport features from [RFC8303] is presented, and transport features are categorized for later reduction.

2. Reduction (Appendix A.2): a shorter list of transport features is derived from the categorization in the first step. This removes all transport features that do not require application-specific knowledge or would result in semantically incorrect behavior if they were implemented over TCP or UDP.

3. Discussion (Appendix A.3): the resulting list shows a number of peculiarities that are discussed, to provide a basis for constructing the minimal set.

4. Construction (Section 3): Based on the reduced set and the discussion of the transport features therein, a minimal set is constructed.

A.1. Step 1: Categorization -- The Superset of Transport Features

Following [RFC8303], we divide the transport features into two main groups as follows:

1.
CONNECTION related transport features - ESTABLISHMENT - AVAILABILITY - MAINTENANCE - TERMINATION 2. DATA Transfer related transport features - Sending Data - Receiving Data - Errors We assume that applications have no specific requirements that need knowledge about the network, e.g. regarding the choice of network interface or the end-to-end path. Even with these assumptions, there are certain requirements that are strictly kept by transport protocols today, and these must also be kept by a transport system. Some of these requirements relate to transport features that we call "Functional". Functional transport features provide functionality that cannot be used without the application knowing about them, or else they violate assumptions that might cause the application to fail. For example, ordered message delivery is a functional transport feature: it cannot be configured without the application knowing about it because the application's assumption could be that messages always arrive in order. Failure includes any change of the application behavior that is not performance oriented, e.g. security. "Change DSCP" and "Disable Nagle algorithm" are examples of transport features that we call "Optimizing": if a transport system autonomously decides to enable or disable them, an application will not fail, but a transport systemgeneral as possible. There may beable to communicate more efficiently if the application is in control of this optimizing transport feature. These transport features require application- specific knowledge (e.g., about delay/bandwidth requirements or the length of future data blocks that are to be transmitted). The transport features of IETF transport protocols that do not require application-specific knowledge and could therefore be utilized by a transport system on its own without involving the application are called "Automatable". 
Finally, in three cases, transport features are aggregated and/or slightly changed from [RFC8303] in the description below. These transport features are marked as "ADDED". Thesesituations where these arguments do notadd any new functionality but just represent a simple refactoring step that helpsapply -- e.g., implementers may have specific reasons tostreamline the derivation process (e.g., by removing a choice ofexpose multi-streaming as aparameter forvisible functionality to applications, or thesake of applications thatrestrictive open / close semantics maynot care about this choice). The corresponding transport features are automatable, and they are listed immediately below the "ADDED" transport feature.be problematic under some circumstances. Inthis description, transport services are presented followingsuch cases, thenomenclature "CATEGORY.[SUBCATEGORY].SERVICENAME.PROTOCOL", equivalent to "pass 2"representation in[RFC8303]. We also sketch how functional or optimizing transport features canSection 4 ("reduction") should beimplemented by a transport system. The "minimal set" derivedconsidered. As inthis document is meant to be implementable "one-sided" over TCP, and, with limitations, UDP. Hence, for all transport features that are categorized as "functional" or "optimizing",Section 3, Section 4 andfor which no matching TCP and/or UDP primitive exists in "pass 2" of[RFC8303],a brief discussion on how to implement them over TCP and/or UDP is included. We designate somewe categorize the minimal set of transport features as"automatable" on1) CONNECTION related (ESTABLISHMENT, AVAILABILITY, MAINTENANCE, TERMINATION) and 2) DATA Transfer related (Sending Data, Receiving Data, Errors). Here, thebasis of a broader decisionfocus is on connections thataffects multiple transport features: o Mostthe transportfeatures that are related to multi-streaming were designatedsystem offers as"automatable". 
This was done becausean abstraction to thedecision on whetherapplication, as opposed touse multi-streaming or not does not depend on application-specific knowledge. This meansconnections of transport protocols thatathe transport system uses. 6.1. ESTABLISHMENT, AVAILABILITY and TERMINATION A connectionthat is exhibited to an application couldmust first beimplemented by using a single stream of an SCTP association instead of mapping it"created" toa complete SCTP associationallow for some initial configuration to be carried out before the transport system can actively orTCP connection. This couldpassively establish communication with a remote end system. All configuration parameters in Section 6.2 can beachieved by using more than one streamused initially, although some of them may only take effect whenan SCTP association is firsta connection has been established(CONNECT.SCTP parameter "outbound stream count"), maintaining an internal stream number, and using this stream number when sending data (SEND.SCTP parameter "stream number"). Closing or abortingwith a chosen transport protocol. Configuring a connectioncould then simply free the stream number for future use. This is discussed further in Appendix A.3.2. o Allearly helps a transportfeatures that are related to using multiple paths orsystem make thechoice ofright decisions. For example, grouping information can influence thenetwork interface were designatedtransport system to implement a connection as"automatable". Choosingapathstream of a multi- streaming protocol's existing association oran interface does not depend on application-specific knowledge.not. Forexample, "Listen" could always listen on all available interfaces and "Connect" could use the default interface for the destination IP address. A.1.1. 
CONNECTION Related Transport Features ESTABLISHMENT: o Connect Protocols: TCP, SCTP, UDP(-Lite) Functionalungrouped connections, early configuration is necessary because it allows thenotion of a connection is often reflected in applications as an expectationtransport system tobe ableknow which protocols it should try tocommunicate after a "Connect" succeeded, withuse. In particular, acommunication sequence relating to thistransportfeaturesystem that only makes a one-time choice for a particular protocol must know early about strict requirements that must be kept, or it can end up in a deadlock situation (e.g., having chosen UDP and later be asked to support reliable transfer). As an example description of how to correctly handle these cases, we provide the following decision tree (this isdefined byderived from Section 4.1 excluding authentication, as explained in Section 9): - Will it ever be necessary to offer any of theapplication protocol. Implementation: via CONNECT.TCP, CONNECT.SCTPfollowing? * Reliably transfer data * Notify the peer of closing/aborting * Preserve data ordering Yes: SCTP orCONNECT.UDP(- Lite). o Specify which IP Options must alwaysTCP can beused Protocols: TCP, UDP(-Lite) Automatable because IP Options relateused. - Is any of the following useful toknowledge aboutthenetwork, notapplication? * Choosing a scheduler to operate between connections in a group, with theapplication. opossibility to configure a priority or weight per connection * Configurable message reliability * Unordered message delivery * Requestmultiple streams Protocols: SCTP Automatable because using multi-streaming doesnotrequire application-specific knowledge. Implementation: see Appendix A.3.2. o Limitto delay thenumberacknowledgement (SACK) ofinbound streams Protocols:a message Yes: SCTPAutomatable because using multi-streaming does not require application-specific knowledge. Implementation: see Appendix A.3.2. o Specify numberis preferred. 
No: - Is any ofattempts and/orthe following useful to the application? * Hand over a message to reliably transfer (possibly multiple times) before connection establishment * Suggest timeoutforto thefirst establishmentpeer * Notification of Excessive Retransmissions (early warning below abortion threshold) * Notification of ICMP error messageProtocols: TCP,arrival Yes: TCP is preferred. No: SCTPFunctional becauseand TCP are equally preferable. No: all protocols can be used. - Is any of the following useful to the application? * Specify checksum coverage used by the sender * Specify minimum checksum coverage required by receiver Yes: UDP-Lite is preferred. No: UDP is preferred. Note that this decision tree isclosely related to potentially assumed reliable data deliverynot optimal fordata thatall cases. For example, if an application wants to use "Specify checksum coverage used by the sender", which issent beforeonly offered by UDP-Lite, and "Configure priority orduring connection establishment. Implementation: Usingweight for aparameter of CONNECT.TCP and CONNECT.SCTP. Implementation over UDP: Do nothing (this is irrelevant in case of UDP because there, reliable data deliveryscheduler", which isnot assumed). o Obtain multiple sockets Protocols: SCTP Automatable becauseonly offered by SCTP, theusage of multiple paths to communicateabove decision tree will always choose UDP-Lite, making it impossible to use SCTP's schedulers with priorities between grouped connections. Also, several other factors may influence thesame end host relatesdecisions for or against a protocol -- e.g. penetration rates, the ability toknowledge aboutwork through NATs, etc. We caution implementers to be aware of thenetwork, notfull set of trade-offs, for which we recommend consulting theapplication. o Disable MPTCP Protocols: MPTCP Automatable becauselist in Section 4.1 when deciding how to initialize a connection. 
To summarize, the following parameters serve as input for theusage of multiple pathstransport system tocommunicatehelp it choose and configure a suitable protocol: o Reliability: a boolean that should be set to true when any of thesame end host relatesfollowing will be useful toknowledge aboutthenetwork, notapplication: reliably transfer data; notify theapplication. Implementation: via a boolean parameter in CONNECT.MPTCP.peer of closing/aborting; preserve data ordering. oConfigure authentication Protocols: TCP, SCTP Functional because this hasChecksum coverage: adirect influence on security. Implementation: via parameters in CONNECT.TCP and CONNECT.SCTP. With TCP, this allowsboolean toconfigure Master Key Tuples (MKTs)specify whether it will be useful toauthenticate complete segments (includingtheTCP IPv4 pseudoheader, TCP header, and TCP data). With SCTP, this allowsapplication to specifywhich chunk types must always be authenticated. Authenticating only certain chunk types createschecksum coverage when sending or receiving. o Configure message priority: areduced level of securityboolean thatis not supported by TCP; to be compatible, thisshouldtherefore only allowbe set toauthenticate all chunk types. Key material musttrue when any of the following per-message configuration or prioritization mechanisms will beprovided inuseful to the application: choosing away that is compatiblescheduler to operate between grouped connections, withboth [RFC4895] and [RFC5925]. Implementation over UDP: Not possible (UDP doesthe possibility to configure a priority or weight per connection; configurable message reliability; unordered message delivery; requesting notoffer this functionality). o Indicate (and/or obtain upon completion) an Adaptation Layer via an adaptation code point Protocols: SCTP Functional because it allowstosend extra data fordelay thesakeacknowledgement (SACK) ofidentifying an adaptation layer, which by itself is application- specific. 
Implementation: viaaparameter in CONNECT.SCTP. Implementation over TCP: not possible (TCP does not offer this functionality). Implementation over UDP: not possible (UDP does not offer this functionality).message. oRequestEarly message timeout notifications: a boolean that should be set tonegotiate interleavingtrue when any ofuser messages Protocols: SCTP Automatable because it requires using multiple streams, but requesting multiple streams intheCONNECTION.ESTABLISHMENT category is automatable. Implementation: via a parameter in CONNECT.SCTP. o Handfollowing will be useful to the application: hand over a message to reliably transfer (possibly multiple times) before connection establishment; suggest timeout to the peer; notification of excessive retransmissions (early warning below abortion threshold); notification of ICMP error message arrival. Once a connection is created, it can be queried for the maximum amount of data that an application can possibly expect to have reliably transmitted before or during transport connection establishmentProtocols: TCP Functional because(with zero being a possible answer) (see Section 6.2.1). An application can also give the connection a message for reliable transmission before or during connection establishment (not UDP); the transport system will then try to transmit it as early as possible. An application can facilitate sending a message particularly early by marking it as "idempotent" (see Section 6.3.1); in thisis closely tiedcase, the receiving application must be prepared topropertiespotentially receive multiple copies of thedatamessage (because idempotent messages are reliably transferred, asking for idempotence is not necessary for systems that support UDP). After creation, a transport system can actively establish communication with a peer, or it can passively listen for incoming connection requests. Note thatan application sendsactive establishment may orexpects to receive. 
Implementation: via a parameter in CONNECT.TCP. Implementation over UDP: not possible (UDP doesmay notprovide reliability). o Hand overtrigger amessage to reliably transfer during connection establishment Protocols: SCTP Functional because this can only work ifnotification on themessagelistening side. It islimited in size, making it closely tied to propertiespossible that the first notification on the listening side is the arrival of the first data thatan applicationthe active side sendsor expects(a receiver-side transport system could handle this by continuing toreceive. Implementation: viablock aparameter in CONNECT.SCTP. Implementation over TCP: not possible (TCP does not allow identification"Listen" call, immediately followed by issuing "Receive", for example; callback- based implementations could simply skip the equivalent ofmessage boundaries because it provides"Listen"). This also means that the active opening side is assumed to be the first side sending data. A transport system can actively close abyte stream service) Implementation over UDP: not possible (UDPconnection, i.e. terminate it after reliably delivering all remaining data to the peer (if reliable data delivery was requested earlier (not UDP)), in which case the peer isunreliable). o Enable UDP encapsulation withnotified that the connection is closed. Alternatively, aspecified remote UDP port number Protocols: SCTP Automatable because UDP encapsulation relatesconnection can be aborted without delivering outstanding data toknowledge aboutthenetwork, notpeer. In case reliable or partially reliable data delivery was requested earlier (not UDP), theapplication. AVAILABILITY: o Listen Protocols: TCP, SCTP, UDP(-Lite) Functional becausepeer is notified that thenotion of acceptingconnectionrequestsisoften reflected in applications as an expectation toaborted. 
A timeout can beableconfigured tocommunicate after a "Listen" succeeded, withabort acommunication sequence relating to this transport feature that is defined byconnection when data could not be delivered for too long (not UDP); however, timeout- based abortion does not notify the peer applicationprotocol. ADDED. This differs fromthat the3 automatableconnection has been aborted. Because half-closed connections are not supported, when a host implementing a transportfeatures below insystem receives a notification thatit leavesthechoice of interfaces for listening open. Implementation: by listening on all interfaces via LISTEN.TCP (not providing a local IP address)peer is closing orLISTEN.SCTP (providing SCTP port number / address pairs for all local IP addresses). LISTEN.UDP(- Lite) supports both methods. o Listen, 1 specified local interface Protocols: TCP, SCTP, UDP(-Lite) Automatable because decisions about local interfaces relate to knowledge about the network andaborting theOperating System,connection (not UDP), its peer may notthe application. o Listen, N specified local interfaces Protocols: SCTP Automatable because decisions about local interfaces relatebe able toknowledge about the network and the Operating System, not the application. o Listen, all local interfaces Protocols: TCP, SCTP, UDP(-Lite) Automatable because decisions about local interfaces relateread outstanding data. This means that unacknowledged data residing in a transport system's send buffer may have toknowledge about the network and the Operating System, not the application. o Specify which IP Options must alwaysbeused Protocols: TCP, UDP(-Lite) Automatable because IP Options relatedropped from that buffer upon arrival of a "close" or "abort" notification from the peer. 6.2. 
MAINTENANCE A transport system must offer means toknowledge aboutgroup connections, but it cannot guarantee truly grouping them using thenetwork,transport protocols that it uses (e.g., it cannot be guaranteed that connections become multiplexed as streams on a single SCTP association when SCTP may not be available). The transport system must therefore ensure that group- versus non-group-configurations are handled correctly in some way (e.g., by applying theapplication. o Disable MPTCP Protocols: MPTCP Automatable because the usage of multiple paths to communicate to the same end host relatesconfiguration toknowledge about the network,all grouped connections even when they are not multiplexed, or informing theapplication. o Configure authentication Protocols: TCP, SCTP Functional because this hasapplication about grouping success or failure). As adirect influence on security. Implementation: via parameters in LISTEN.TCP and LISTEN.SCTP. Implementation over TCP: With TCP, this allows to configure Master Key Tuples (MKTs)general rule, any configuration described below should be carried out as early as possible toauthenticate complete segments (includingaid theTCP IPv4 pseudoheader, TCP header,transport system's decision making. 6.2.1. Connection groups The following transport features andTCP data). With SCTP, this allowsnotifications (some directly from Section 4, some new or changed, based on the discussion in Section 5) automatically apply tospecify which chunk types must always be authenticated. Authenticating only certain chunk types createsall grouped connections: (not UDP) Configure areduced level of security that is not supported by TCP; to be compatible,timeout: thisshould therefore only allowcan be done with the following parameters: o A timeout value for aborting connections, in seconds o A timeout value toauthenticate all chunk types. 
Key material mustbeprovidedsuggested to the peer (if possible), ina way that is compatible with both [RFC4895] and [RFC5925]. Implementation over UDP: not possible (UDP does not offer authentication).seconds oObtain requestedThe number ofstreams Protocols: SCTP Automatable because using multi-streaming does not require application-specific knowledge. Implementation: see Appendix A.3.2. o Limitretransmissions after which thenumberapplication should be notifed ofinbound streams Protocols: SCTP Automatable because using multi-streaming does not require application-specific knowledge. Implementation: see Appendix A.3.2."Excessive Retransmissions" Configure urgency: this can be done with the following parameters: oIndicate (and/or obtain upon completion) an Adaptation Layer via an adaptation code point Protocols: SCTP Functional because it allowsA number tosend extra data foridentify thesaketype ofidentifying an adaptation layer, which by itself is application- specific. Implementation: via a parameter in LISTEN.SCTP. Implementation over TCP: not possible (TCP does not offer this functionality). Implementation over UDP: not possible (UDP does not offer this functionality). o Requestscheduler that should be used tonegotiate interleaving of user messages Protocols: SCTP Automatable because it requires using multiple streams, but requesting multiple streamsoperate between connections in theCONNECTION.ESTABLISHMENT category is automatable. Implementation: via a parametergroup (no guarantees given). Schedulers are defined inLISTEN.SCTP. MAINTENANCE:[RFC8260]. oChange timeout for aborting connection (using retransmit limit or time value) Protocols: TCP, SCTP Functional because this is closely relatedA "capacity profile" number topotentially assumed reliable data delivery. Implementation: via CHANGE_TIMEOUT.TCP or CHANGE_TIMEOUT.SCTP. Implementation over UDP: notidentify how an application wants to use its available capacity. 
Choices can be "lowest possible(UDP is unreliable and there is nolatency at the expense of overhead" (which would disable any Nagle-like algorithm), "scavenger", or values that help determine the DSCP value for a connectiontimeout). o Suggest timeout(e.g. similar to table 1 in [I-D.ietf-tsvwg-rtcweb-qos]). o A buffer limit (in bytes); when thepeer Protocols: TCP Functional because this is closely related to potentially assumed reliable data delivery. Implementation: via CHANGE_TIMEOUT.TCP. Implementation over UDP:sender has less than the provided limit of bytes in the buffer, the application may be notified. Notifications are notpossible (UDP is unreliableguaranteed, andthereit isno connection timeout). o Disable Nagle algorithm Protocols: TCP, SCTP Optimizing becauseoptional for a transport system to support buffer limit values greater than 0. Note that thisdecision depends on knowledge aboutlimit and its notification should operate across thesizebuffers offuture data blocks andthedelay between them. Implementation: via DISABLE_NAGLE.TCP and DISABLE_NAGLE.SCTP. Implementation over UDP: do nothing (UDP does not implementwhole transport system, i.e. also any potential buffers that theNagle algorithm).transport system itself may use on top of the transport's send buffer. Following Section 5.7, these properties can be queried: oRequestThe maximum message size that may be sent without fragmentation via the configured interface. This is optional for a transport system to offer, and may return animmediate heartbeat, returning success/failure Protocols: SCTP Automatable because this informs about network-specific knowledge.error ("not available"). It can aid applications implementing Path MTU Discovery. oNotification of Excessive Retransmissions (early warning below abortion threshold) Protocols: TCP Optimizing because itThe maximum transport message size that can be sent, in bytes. 
Irrespective of fragmentation, there isan early warning toa size limit for theapplication, informing it of an impending functional event. Implementation: via ERROR.TCP. Implementationmessages that can be handed overUDP: do nothing (there is no abortion threshold). o Add path Protocols: MPTCP, SCTP MPTCP Parameters: source-IP; source-Port; destination-IP; destination-Portto SCTPParameters: local IP address Automatableor UDP(-Lite); because theusageservice provided by a transport system is independent ofmultiple paths to communicate tothesame end host relatestransport protocol, it must allow an application toknowledge aboutquery this value -- thenetwork,maximum size of a message in an Application-Framed- Bytestream (see Section 5.1). This may also return an error when data is notthe application.delimited ("not available"). oRemove path Protocols: MPTCP, SCTP MPTCP Parameters: source-IP; source-Port; destination-IP; destination-Port SCTP Parameters: local IP address Automatable becauseThe maximum transport message size that can be received from theusageconfigured interface, in bytes (or "not available"). o The maximum amount ofmultiple paths to communicate to the same end host relatesdata that can possibly be sent before or during connection establishment, in bytes. In addition toknowledge aboutthenetwork, notalready mentioned closing / aborting notifications and possible send errors, theapplication.following notifications can occur: oSet primary path Protocols: SCTP Automatable becauseExcessive Retransmissions: theusageconfigured (or a default) number ofmultiple paths to communicate to the same end host relates to knowledge about the network, notretransmissions has been reached, yielding this early warning below an abortion threshold. o ICMP Arrival (parameter: ICMP message): an ICMP packet carrying theapplication.conveyed ICMP message has arrived. 
oSuggest primary path to the peer Protocols: SCTP Automatable because the usage of multiple paths to communicate to the same end host relates to knowledge aboutECN Arrival (parameter: ECN value): a packet carrying thenetwork,conveyed ECN value has arrived. This can be useful for applications implementing congestion control. o Timeout (parameter: s seconds): data could notthe application.be delivered for s seconds. oConfigure Path Switchover Protocols: SCTP Automatable becauseDrain: theusage of multiple paths to communicate tosend buffer has either drained below thesame end host relatesconfigured buffer limit or it has become completely empty. This is a generic notification that tries toknowledge aboutenable uniform access to "TCP_NOTSENT_LOWAT" as well as thenetwork, not"SENDER DRY" notification (as discussed in Section 5.4 -- SCTP's "SENDER DRY" is a special case where theapplication. o Obtain status (query or notification) Protocols: SCTP, MPTCP SCTP parameters: association connection state; destination transport address list; destination transport address reachability states; current localthreshold (for unsent data) is 0 andpeer receiver window size; current local congestion window sizes; number ofthere is also no more unacknowledgedDATA chunks; number of DATA chunks pending receipt; primary path; most recent SRTT on primary path; RTO on primary path; SRTT and RTO on other destination addresses; MTU per path; interleaving supported yes/no MPTCP parameters: subflow-list (identified by source-IP; source- Port; destination-IP; destination-Port) Automatable because these parameters relate to knowledge aboutdata in thenetwork, notsend buffer). 6.2.2. Individual connections Configure priority or weight for a scheduler, as described in [RFC8260]. 
Configure checksum usage: this can be done with theapplication.following parameters, but there is no guarantee that any checksum limitations will indeed be enforced (the default behavior is "full coverage, checksum enabled"): oSpecify DSCP field Protocols: TCP, SCTP, UDP(-Lite) Optimizing because choosing a suitable DSCP value requires application-specific knowledge. Implementation: via SET_DSCP.TCPA boolean to enable /SET_DSCP.SCTPdisable usage of a checksum when sending o The desired coverage (in bytes) of the checksum used when sending o A boolean to enable /SET_DSCP.UDP(- Lite)disable requiring a checksum when receiving oNotificationThe required minimum coverage (in bytes) ofICMP error message arrival Protocols: TCP, UDP(-Lite) Optimizing because these messages can informthe checksum when receiving 6.3. DATA Transfer 6.3.1. Sending Data When sending a message, no guarantees are given aboutsuccess or failurethe preservation offunctional transport features (e.g., host unreachable relatesmessage boundaries to"Connect") Implementation: via ERROR.TCP or ERROR.UDP(-Lite). o Obtain informationthe peer; if message boundaries are needed, the receiving application at the peer must know aboutinterleaving support Protocols: SCTP Automatable because it requires using multiple streams, but requesting multiple streams inthem beforehand (or theCONNECTION.ESTABLISHMENT categorytransport system cannot use TCP). Note that an application should already be able to hand over data before the transport system establishes a connection with a chosen transport protocol. Regarding the message that isautomatable. Implementation: via STATUS.SCTP. o Change authenticationbeing handed over, the following parametersProtocols: TCP, SCTP Functional because this has a direct influence on security. Implementation: via SET_AUTH.TCP and SET_AUTH.SCTP. 
Implementation over TCP: With SCTP,can be used: o Reliability: thisallowsparameter is used toadjust key_id, key,convey a choice of: fully reliable with congestion control (not UDP), unreliable without congestion control, unreliable with congestion control (not UDP), partially reliable with congestion control (see [RFC3758] andhmac_id. With TCP,[RFC7496] for details on how to specify partial reliability) (not UDP). The latter two choices are optional for a transport system to offer and may result in full reliability. Note that applications sending unreliable data without congestion control should themselves perform congestion control in accordance with [RFC8085]. o (not UDP) Ordered: thisallowsboolean parameter lets an application choose between ordered message delivery (true) and possibly unordered, potentially faster message delivery (false). o Bundle: a boolean that expresses a preference for allowing tochangebundle messages (true) or not (false). No guarantees are given. o DelAck: a boolean that, if false, lets an application request that thepreferred outgoing MKT (current_key) andpeer would not delay thepreferred incoming MKT (rnext_key), respectively,acknowledgement for this message. o Fragment: asegmentboolean thatis sent onexpresses a preference for allowing to fragment messages (true) or not (false), at theconnection. Key material must be provided inIP level. No guarantees are given. o (not UDP) Idempotent: awayboolean that expresses whether a message iscompatible with both [RFC4895] and [RFC5925]. Implementation over UDP: not possible (UDP doesidempotent (true) or notoffer authentication). o Obtain authentication information Protocols: SCTP Functional because authentication decisions(false). Idempotent messages mayhave been madearrive multiple times at the receiver (but they will arrive at least once). 
When data is idempotent it can be used by thepeer, and this has an influencereceiver immediately onthe necessary application- level measures to provideacertain level of security. Implementation: via GET_AUTH.SCTP. Implementationconnection establishment attempt. Thus, if data is handed overTCP: With SCTP, this allows to obtain key_id and a chunk list. With TCP, this allows to obtain current_key and rnext_key frombefore the transport system establishes apreviously received segment. Key material must be provided inconnection with awaychosen transport protocol, stating that a message iscompatible with both [RFC4895] and [RFC5925]. Implementation over UDP: not possible (UDP does not offer authentication). o Reset Stream Protocols: SCTP Automatable because using multi-streaming does not require application-specific knowledge. Implementation: see Appendix A.3.2. o Notification of Stream Reset Protocols: STCP Automatable because using multi-streaming does not require application-specific knowledge. Implementation: see Appendix A.3.2. o Reset Association Protocols: SCTP Automatable because decidingidempotent facilitates transmitting it toreset an association does not require application-specific knowledge. Implementation: via RESET_ASSOC.SCTP. o Notificationthe peer application particularly early. An application can be notified ofAssociation Reset Protocols: STCP Automatable because this notification does not relatea failure toapplication-specific knowledge. o Add Streams Protocols: SCTP Automatable because using multi-streaming does not require application-specific knowledge. Implementation: see Appendix A.3.2. o Notificationsend a specific message. There is no guarantee ofAdded Stream Protocols: STCP Automatable because using multi-streaming does not require application-specific knowledge. Implementation: see Appendix A.3.2. o Choosesuch notifications, i.e. send failures can also silently occur. 6.3.2. 
Receiving Data A receiving application obtains an "Application-Framed Bytestream" (AFra-Bytestream); this concept is further described in Section 5.1). In line with TCP's receiver semantics, an AFra-Bytestream is just ascheduler to operate between streamsstream ofan association Protocols: SCTP Optimizing becausebytes to thescheduling decision requires application- specific knowledge. However, ifreceiver. If message boundaries were specified by the sender, a receiver-side transport systemwouldimplementing only the minimum set of transport services defined here will still not inform the receiving application about them (this limitation is only needed for transport systems that are implemented to directly usethis,TCP). Different from TCP's semantics, if the sending application has allowed that messages are not fully reliably transferred, or delivered out of order, then such re-ordering or unreliability may be reflected per message in the arriving data. Messages will always stay intact - i.e. if an incomplete message is contained at the end of the arriving data block, this message is guaranteed to continue in the next arriving data block. 7. Acknowledgements The authors would like to thank all the participants of the TAPS Working Group and the NEAT and MAMI research projects for valuable input to this document. We especially thank Michael Tuexen for help with connection connection establishment/teardown, Gorry Fairhurst for his suggestions regarding fragmentation and packet sizes, and Spencer Dawkins for his extremely detailed and constructive review. This work has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 644334 (NEAT). 8. IANA Considerations This memo includes no request to IANA. 9. Security Considerations Authentication, confidentiality protection, and integrity protection are identified as transport features by [RFC8095]. 
As currently deployed in the Internet, these features are generally provided by a protocol orwrongly configure itlayer onits own, this would only affect the performancetop ofdata transfers; the outcome would still be correct withinthe"best effort" service model. Implementation: using SET_STREAM_SCHEDULER.SCTP. Implementation over TCP: do nothing (streams are not available in TCP, but no guarantee is given that thistransportfeature has any effect). Implementation over UDP: do nothing (streams are not available in UDP, butprotocol; noguarantee is given that thiscurrent full- featured standards-track transportfeature has any effect). o Configure priority or weight for a scheduler Protocols: SCTP Optimizing because the priority or weight requires application- specific knowledge. However, if aprotocol provides all of these transportsystem would not use this, or wrongly configure itfeatures on itsown,own. Therefore, these transport features are not considered in thiswould only affectdocument, with theperformanceexception ofdata transfers; the outcome would still be correct withinnative authentication capabilities of TCP and SCTP for which the"best effort" service model. Implementation: using CONFIGURE_STREAM_SCHEDULER.SCTP. Implementation over TCP: do nothing (streams are not availablesecurity considerations inTCP, but no guarantee is given that this[RFC5925] and [RFC4895] apply. The minimum requirements for a secure transportfeature has any effect). Implementation over UDP: do nothing (streamssystem arenot availablediscussed inUDP, but no guarantee is given that this transport feature has any effect). o Configure send buffer size Protocols: SCTP Automatable because this decision relates to knowledge about the networka separate document (Section 5 on Security Features andthe Operating System, not the application (see also the discussionTransport Dependencies of [I-D.ietf-taps-transport-security]). 10. References 10.1. 
Normative References [I-D.ietf-taps-transport-security] Pauly, T., Perkins, C., Rose, K., and C. Wood, "A Survey of Transport Security Protocols", draft-ietf-taps- transport-security-02 (work inAppendix A.3.4). o Configure receive buffer (and rwnd) size Protocols: SCTP Automatable because this decision relates to knowledge about the networkprogress), June 2018. [RFC8095] Fairhurst, G., Ed., Trammell, B., Ed., andthe Operating System, not the application. o Configure message fragmentation Protocols: SCTP Automatable because fragmentation relates to knowledge about the networkM. Kuehlewind, Ed., "Services Provided by IETF Transport Protocols and Congestion Control Mechanisms", RFC 8095, DOI 10.17487/RFC8095, March 2017, <https://www.rfc-editor.org/info/rfc8095>. [RFC8303] Welzl, M., Tuexen, M., and N. Khademi, "On theOperating System, not the application. Implementation:Usage of Transport Features Provided byalways enabling it with CONFIG_FRAGMENTATION.SCTPIETF Transport Protocols", RFC 8303, DOI 10.17487/RFC8303, February 2018, <https://www.rfc-editor.org/info/rfc8303>. 10.2. Informative References [COBS] Cheshire, S. andauto-setting the fragmentation size basedM. Baker, "Consistent Overhead Byte Stuffing", IEEE/ACM Transactions onnetwork orNetworking Vol. 7, No. 2, April 1999. [I-D.ietf-tsvwg-rtcweb-qos] Jones, P., Dhesikan, S., Jennings, C., and D. Druta, "DSCP Packet Markings for WebRTC QoS", draft-ietf-tsvwg-rtcweb- qos-18 (work in progress), August 2016. [LBE-draft] Bless, R., "A Lower Effort Per-Hop Behavior (LE PHB)", Internet-draft draft-tsvwg-le-phb-03, February 2018. [POSIX] "IEEE Standard for Information Technology--Portable Operating Systemconditions. o Configure PMTUD Protocols: SCTP Automatable because Path MTU Discovery relates to knowledge about the network, not the application. 
o Configure delayed SACK timer Protocols: SCTP Automatable because the receiver-side decision to delay sending SACKs relates to knowledge about the network, not the application (it can be relevantInterface (POSIX(R)) Base Specifications, Issue 7", IEEE Std 1003.1-2017 (Revision of IEEE Std 1003.1-2008), January 2018, <http://www.opengroup.org/onlinepubs/9699919799/functions/ contents.html>. [RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P. Conrad, "Stream Control Transmission Protocol (SCTP) Partial Reliability Extension", RFC 3758, DOI 10.17487/RFC3758, May 2004, <https://www.rfc-editor.org/info/rfc3758>. [RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla, "Authenticated Chunks fora sending application to request not to delay the SACK of a message, but this is a different transport feature). o Set Cookie life value Protocols: SCTP Functional because it relates to security (possibly weakened by keeping a cookie very long) versus the time between connection establishment attempts. Knowledge about both issues can be application-specific. Implementation over TCP:theclosest specifiedStream Control Transmission Protocol (SCTP)", RFC 4895, DOI 10.17487/RFC4895, August 2007, <https://www.rfc-editor.org/info/rfc4895>. [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, <https://www.rfc-editor.org/info/rfc4987>. [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCPfunctionality isAuthentication Option", RFC 5925, DOI 10.17487/RFC5925, June 2010, <https://www.rfc-editor.org/info/rfc5925>. [RFC7305] Lear, E., Ed., "Report from thecookie in TCPIAB Workshop on Internet Technology Adoption and Transition (ITAT)", RFC 7305, DOI 10.17487/RFC7305, July 2014, <https://www.rfc-editor.org/info/rfc7305>. [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP FastOpen;Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, <https://www.rfc-editor.org/info/rfc7413>. 
[RFC7496] Tuexen, M., Seggelmann, R., Stewart, R., and S. Loreto, "Additional Policies forthis, [RFC7413] states thattheserver "can expirePartially Reliable Stream Control Transmission Protocol Extension", RFC 7496, DOI 10.17487/RFC7496, April 2015, <https://www.rfc-editor.org/info/rfc7496>. [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, March 2017, <https://www.rfc-editor.org/info/rfc8085>. [RFC8260] Stewart, R., Tuexen, M., Loreto, S., and R. Seggelmann, "Stream Schedulers and User Message Interleaving for thecookie at any time to enhance security"Stream Control Transmission Protocol", RFC 8260, DOI 10.17487/RFC8260, November 2017, <https://www.rfc-editor.org/info/rfc8260>. [RFC8304] Fairhurst, G. andsection 4.1.2 describes an example implementation where updatingT. Jones, "Transport Features of thekeyUser Datagram Protocol (UDP) and Lightweight UDP (UDP- Lite)", RFC 8304, DOI 10.17487/RFC8304, February 2018, <https://www.rfc-editor.org/info/rfc8304>. [SCTP-stream-1] Weinrank, F. and M. Tuexen, "Transparent Flow Mapping for NEAT", IFIP NETWORKING Workshop onthe server side causes the cookie to expire. Alternatively, for implementations that do not support TCP Fast Open, this transport feature could also affect the validityFuture ofSYN cookies (see Section 3.6Internet Transport (FIT 2017), June 2017. [SCTP-stream-2] Welzl, M., Niederbacher, F., and S. Gjessing, "Beneficial Transparent Deployment of SCTP", IEEE GlobeCom 2011, December 2011. [WWDC2015] Lakhera, P. and S. Cheshire, "Your App and Next Generation Networks", Apple Worldwide Developers Conference 2015, San Francisco, USA, June 2015, <https://developer.apple.com/videos/wwdc/2015/?id=719>. Appendix A. The Superset of[RFC4987]). Implementation over UDP: not possible (UDP does not offerTransport Features In thisfunctionality). 
o Set maximum burst Protocols: SCTP Automatable because it relates to knowledge about the network, not the application. o Configure size where messagesdescription, transport features arebroken up for partial delivery Protocols: SCTP Functional because this is closely tied to properties ofpresented following thedata that an application sends or expectsnomenclature "CATEGORY.[SUBCATEGORY].FEATURENAME.PROTOCOL", equivalent toreceive. Implementation over TCP: not possible (TCP does not offer identification of message boundaries). Implementation over UDP: not possible (UDP does not fragment messages). o Disable checksum when sending Protocols: UDP Functional because application-specific knowledge"pass 2" in [RFC8303]. We also sketch how functional or optimizing transport features can be implemented by a transport system. The "minimal set" derived in this document isnecessarymeant todecide whether it canbeacceptableimplementable "one-sided" over TCP, and, with limitations, UDP. Hence, for all transport features that are categorized as "functional" or "optimizing", and for which no matching TCP and/or UDP primitive exists in "pass 2" of [RFC8303], a brief discussion on how tolose data integrity. Implementation: via SET_CHECKSUM_ENABLED.UDP. Implementationimplement them overTCP: do nothing (TCP does not offer to disableTCP and/or UDP is included. We designate some transport features as "automatable" on thechecksum, but transmitting data with an intact checksum will not yieldbasis of asemantically wrong result).broader decision that affects multiple transport features: oDisable checksum requirement when receiving Protocols: UDP Functional because application-specific knowledge is necessaryMost transport features that are related todecidemulti-streaming were designated as "automatable". This was done because the decision on whetherit can be acceptabletolose data integrity. Implementation: via SET_CHECKSUM_REQUIRED.UDP. 
Implementation over TCP: do nothing (TCP doesuse multi-streaming or notoffer to disable the checksum, but transmitting data with an intact checksum willdoes notyield a semantically wrong result). o Specify checksum coverage used by the sender Protocols: UDP-Lite Functional becausedepend on application-specificknowledgeknowledge. This means that a connection that isnecessaryexhibited todecide for which partsan application could be implemented by using a single stream ofthe dataan SCTP association instead of mapping itcan be acceptable to lose data integrity. Implementation: via SET_CHECKSUM_COVERAGE.UDP-Lite. Implementation over TCP: do nothing (TCP does not offertolimit the checksum length, but transmittinga complete SCTP association or TCP connection. This could be achieved by using more than one stream when an SCTP association is first established (CONNECT.SCTP parameter "outbound stream count"), maintaining an internal stream number, and using this stream number when sending datawith an intact checksum will not yield(SEND.SCTP parameter "stream number"). Closing or aborting asemantically wrong result). Implementation over UDP: if checksum coverageconnection could then simply free the stream number for future use. This issetdiscussed further in Section 5.2. o All transport features that are related tocover payload data, do nothing. Else, either do nothing (transmitting data with an intact checksum will not yieldusing multiple paths or the choice of the network interface were designated as "automatable". Choosing asemantically wrong result),path or an interface does not depend on application-specific knowledge. For example, "Listen" could always listen on all available interfaces and "Connect" could use thetransport feature "Disable checksum when sending". 
o Specify minimum checksum coverage required by receiver Protocols: UDP-Lite Functional because application-specific knowledge is necessary to decidedefault interface forwhich parts ofthedata it can be acceptable to lose data integrity. Implementation: via SET_MIN_CHECKSUM_COVERAGE.UDP-Lite. Implementation over TCP:destination IP address. Finally, in three cases, transport features are aggregated and/or slightly changed from [RFC8303] in the description below. These transport features are marked as "CHANGED FROM RFC8303". These donothing (TCP doesnotoffer to limit the checksum length,add any new functionality buttransmitting data with an intact checksum will not yieldjust represent asemantically wrong result). Implementation over UDP: if checksum coverage is setsimple refactoring step that helps tocover payload data, do nothing. Else, either do nothing (transmitting data with an intact checksum will not yieldstreamline the derivation process (e.g., by removing asemantically wrong result), or usechoice of a parameter for the sake of applications that may not care about this choice). The corresponding transport features are automatable, and they are listed immediately below the "CHANGED FROM RFC8303" transportfeature "Disable checksum requirement when receiving".feature. A.1. CONNECTION Related Transport Features ESTABLISHMENT: oSpecify DF fieldConnect Protocols: TCP, SCTP, UDP(-Lite)OptimizingFunctional because theDF field cannotion of a connection is often reflected in applications as an expectation to beusedable tocarry out Path MTU Discovery, which can lead an applicationcommunicate after a "Connect" succeeded, with a communication sequence relating tochoose message sizesthis transport feature thatcan be transmitted more efficiently.is defined by the application protocol. Implementation: viaMAINTENANCE.SET_DF.UDP(-Lite) and SEND_FAILURE.UDP(-Lite). Implementation over TCP: do nothing (withCONNECT.TCP, CONNECT.SCTP or CONNECT.UDP(- Lite). 
o  Specify which IP Options must always be used
   Protocols: TCP, UDP(-Lite)
   Automatable because IP Options relate to knowledge about the network, not the application.

o  Request multiple streams
   Protocols: SCTP
   Automatable because using multi-streaming does not require application-specific knowledge (example implementations of using multi-streaming without involving the application are described in [SCTP-stream-1] and [SCTP-stream-2]).
   Implementation: see Section 5.2.

o  Limit the number of inbound streams
   Protocols: SCTP
   Automatable because using multi-streaming does not require application-specific knowledge.
   Implementation: see Section 5.2.

o  Specify number of attempts and/or timeout for the first establishment message
   Protocols: TCP, SCTP
   Functional because this is closely related to potentially assumed reliable data delivery for data that is sent before or during connection establishment.
   Implementation: Using a parameter of CONNECT.TCP and CONNECT.SCTP.
   Implementation over UDP: Do nothing (this is irrelevant in case of UDP because there, reliable data delivery is not assumed).

o  Obtain multiple sockets
   Protocols: SCTP
   Automatable because the usage of multiple paths to
   communicate to the same end host relates to knowledge about the network, not the application.

o  Disable MPTCP
   Protocols: MPTCP
   Automatable because the usage of multiple paths to communicate to the same end host relates to knowledge about the network, not the application.
   Implementation: via a boolean parameter in CONNECT.MPTCP.

o  Configure authentication
   Protocols: TCP, SCTP
   Functional because this has a direct influence on security.
   Implementation: via parameters in CONNECT.TCP and CONNECT.SCTP. With TCP, this allows to configure Master Key Tuples (MKTs) to authenticate complete segments (including the TCP IPv4 pseudoheader, TCP header, and TCP data). With SCTP, this allows to specify which chunk types must always be authenticated. Authenticating only certain chunk types creates a reduced level of security that is not supported by TCP; to be compatible, this should therefore only allow to authenticate all chunk types. Key material must be provided in a way that is compatible with both [RFC4895] and [RFC5925].
   Implementation over UDP: Not possible (UDP does not offer this functionality).
o  Indicate (and/or obtain upon completion) an Adaptation Layer via an adaptation code point
   Protocols: SCTP
   Functional because it allows to send extra data for the sake of identifying an adaptation layer, which by itself is application-specific.
   Implementation: via a parameter in CONNECT.SCTP.
   Implementation over TCP: not possible (TCP does not offer this functionality).
   Implementation over UDP: not possible (UDP does not offer this functionality).

o  Request to negotiate interleaving of user messages
   Protocols: SCTP
   Automatable because it requires using multiple streams, but requesting multiple streams in the CONNECTION.ESTABLISHMENT category is automatable.
   Implementation: controlled via a parameter in CONNECT.SCTP. One possible implementation is to always try to enable interleaving.
o  Hand over a message to reliably transfer (possibly multiple times) before connection establishment
   Protocols: TCP
   Functional because this is closely tied to properties of the data that an application sends or expects to receive.
   Implementation: via a parameter in CONNECT.TCP.
   Implementation over UDP: not possible (UDP does not provide reliability).

o  Hand over a message to reliably transfer during connection establishment
   Protocols: SCTP
   Functional because this can only work if the message is limited in size, making it closely tied to properties of the data that an application sends or expects to receive.
   Implementation: via a parameter in CONNECT.SCTP.
   Implementation over TCP: not possible (TCP does not allow identification of message boundaries because it provides a byte stream service).
   Implementation over UDP: not possible (UDP is unreliable).

o  Enable UDP encapsulation with a specified remote UDP port number
   Protocols: SCTP
   Automatable because UDP encapsulation relates to knowledge about the network, not the application.
AVAILABILITY:

o  Listen
   Protocols: TCP, SCTP, UDP(-Lite)
   Functional because the notion of accepting connection requests is often reflected in applications as an expectation to be able to communicate after a "Listen" succeeded, with a communication sequence relating to this transport feature that is defined by the application protocol.
   CHANGED FROM RFC8303. This differs from the 3 automatable transport features below in that it leaves the choice of interfaces for listening open.
   Implementation: by listening on all interfaces via LISTEN.TCP (not providing a local IP address) or LISTEN.SCTP (providing SCTP port number / address pairs for all local IP addresses). LISTEN.UDP(-Lite) supports both methods.

o  Listen, 1 specified local interface
   Protocols: TCP, SCTP, UDP(-Lite)
   Automatable because decisions about local interfaces relate to knowledge about the network and the Operating System, not the application.

o  Listen, N specified local interfaces
   Protocols: SCTP
   Automatable because decisions about local interfaces relate to knowledge about the network and the Operating System, not the application.

o  Listen, all local interfaces
   Protocols: TCP, SCTP, UDP(-Lite)
   Automatable because decisions about local interfaces relate to knowledge about the network and the Operating System, not the application.
o  Specify which IP Options must always be used
   Protocols: TCP, UDP(-Lite)
   Automatable because IP Options relate to knowledge about the network, not the application.

o  Disable MPTCP
   Protocols: MPTCP
   Automatable because the usage of multiple paths to communicate to the same end host relates to knowledge about the network, not the application.

o  Configure authentication
   Protocols: TCP, SCTP
   Functional because this has a direct influence on security.
   Implementation: via parameters in LISTEN.TCP and LISTEN.SCTP.
   Implementation over TCP: With TCP, this allows to configure Master Key Tuples (MKTs) to authenticate complete segments (including the TCP IPv4 pseudoheader, TCP header, and TCP data). With SCTP, this allows to specify which chunk types must always be authenticated. Authenticating only certain chunk types creates a reduced level of security that is not supported by TCP; to be compatible, this should therefore only allow to authenticate all chunk types.
   Key material must be provided in a way that is compatible with both [RFC4895] and [RFC5925].
   Implementation over UDP: not possible (UDP does not offer authentication).

o  Obtain requested number of streams
   Protocols: SCTP
   Automatable because using multi-streaming does not require application-specific knowledge.
   Implementation: see Section 5.2.

o  Limit the number of inbound streams
   Protocols: SCTP
   Automatable because using multi-streaming does not require application-specific knowledge.
   Implementation: see Section 5.2.

o  Indicate (and/or obtain upon completion) an Adaptation Layer via an adaptation code point
   Protocols: SCTP
   Functional because it allows to send extra data for the sake of identifying an adaptation layer, which by itself is application-specific.
   Implementation: via a parameter in LISTEN.SCTP.
   Implementation over TCP: not possible (TCP does not offer this functionality).
   Implementation over UDP: not possible (UDP
   does not offer this functionality).

o  Request to negotiate interleaving of user messages
   Protocols: SCTP
   Automatable because it requires using multiple streams, but requesting multiple streams in the CONNECTION.ESTABLISHMENT category is automatable.
   Implementation: via a parameter in LISTEN.SCTP.

MAINTENANCE:

o  Change timeout for aborting connection (using retransmit limit or time value)
   Protocols: TCP, SCTP
   Functional because this is closely related to potentially assumed reliable data delivery.
   Implementation: via CHANGE_TIMEOUT.TCP or CHANGE_TIMEOUT.SCTP.
   Implementation over UDP: not possible (UDP is unreliable and there is no connection timeout).

o  Suggest timeout to the peer
   Protocols: TCP
   Functional because this is closely related to potentially assumed reliable data delivery.
   Implementation: via CHANGE_TIMEOUT.TCP.
   Implementation over UDP: not possible (UDP is unreliable and there is no connection timeout).

o  Disable Nagle algorithm
   Protocols: TCP, SCTP
   Optimizing because this decision depends on knowledge about the size of future data blocks and the delay between them.
   Implementation: via DISABLE_NAGLE.TCP and DISABLE_NAGLE.SCTP.
   Implementation over UDP: do nothing (UDP does not implement the Nagle algorithm).

o  Request an immediate heartbeat, returning success/failure
   Protocols: SCTP
   Automatable because this informs about network-specific knowledge.

o  Notification of Excessive Retransmissions (early warning below abortion threshold)
   Protocols: TCP
   Optimizing because it is an early warning to the application, informing it of an impending functional event.
   Implementation: via ERROR.TCP.
   Implementation over UDP: do nothing (there is no abortion threshold).

o  Add path
   Protocols: MPTCP, SCTP
   MPTCP Parameters: source-IP; source-Port; destination-IP; destination-Port
   SCTP Parameters: local IP address
   Automatable because the usage of multiple paths to communicate to the same end host relates to knowledge about the network, not the application.

o  Remove path
   Protocols: MPTCP, SCTP
   MPTCP Parameters: source-IP; source-Port; destination-IP; destination-Port
   SCTP Parameters: local IP address
   Automatable because the
   usage of multiple paths to communicate to the same end host relates to knowledge about the network, not the application.

o  Set primary path
   Protocols: SCTP
   Automatable because the usage of multiple paths to communicate to the same end host relates to knowledge about the network, not the application.

o  Suggest primary path to the peer
   Protocols: SCTP
   Automatable because the usage of multiple paths to communicate to the same end host relates to knowledge about the network, not the application.

o  Configure Path Switchover
   Protocols: SCTP
   Automatable because the usage of multiple paths to communicate to the same end host relates to knowledge about the network, not the application.

o  Obtain status (query or notification)
   Protocols: SCTP, MPTCP
   SCTP parameters: association connection state; destination transport address list; destination transport address reachability states; current local and
   peer receiver window size; current local congestion window sizes; number of unacknowledged DATA chunks; number of DATA chunks pending receipt; primary path; most recent SRTT on primary path; RTO on primary path; SRTT and RTO on other destination addresses; MTU per path; interleaving supported yes/no
   MPTCP parameters: subflow-list (identified by source-IP; source-Port; destination-IP; destination-Port)
   Automatable because these parameters relate to knowledge about the network, not the application.

o  Specify DSCP field
   Protocols: TCP, SCTP, UDP(-Lite)
   Optimizing because choosing a suitable DSCP value requires application-specific knowledge.
   Implementation: via SET_DSCP.TCP / SET_DSCP.SCTP / SET_DSCP.UDP(-Lite)

o  Notification of ICMP error message arrival
   Protocols: TCP, UDP(-Lite)
   Optimizing because these messages can inform about success or failure of functional transport features (e.g., host unreachable relates to "Connect").
   Implementation: via ERROR.TCP or ERROR.UDP(-Lite).

o  Obtain information about interleaving support
   Protocols: SCTP
   Automatable because it requires using multiple streams, but requesting multiple streams in the CONNECTION.ESTABLISHMENT category is automatable.
   Implementation: via STATUS.SCTP.

o  Change authentication parameters
   Protocols: TCP, SCTP
   Functional because this has a direct influence on security.
   Implementation: via SET_AUTH.TCP and SET_AUTH.SCTP.
   Implementation over TCP: With SCTP, this allows to adjust key_id, key, and hmac_id. With TCP, this allows to change the preferred outgoing MKT (current_key) and the preferred incoming MKT (rnext_key), respectively, for a segment that is sent on the connection. Key material must be provided in a way that is compatible with both [RFC4895] and [RFC5925].
   Implementation over UDP: not possible (UDP does not offer authentication).

o  Obtain authentication information
   Protocols: SCTP
   Functional because authentication decisions may have been made by the peer, and this has an influence on the necessary application-level measures to provide a certain level of security.
   Implementation: via GET_AUTH.SCTP.
   Implementation over TCP: With SCTP, this allows to obtain key_id and a chunk list. With TCP, this allows to obtain current_key and rnext_key from a previously received segment. Key material must be provided in a way that is compatible with both [RFC4895] and [RFC5925].
   Implementation over UDP: not possible (UDP does not offer authentication).

o  Reset Stream
   Protocols: SCTP
   Automatable because using multi-streaming does not require application-specific knowledge.
   Implementation: see Section 5.2.
o  Notification of Stream Reset
   Protocols: SCTP
   Automatable because using multi-streaming does not require application-specific knowledge.
   Implementation: see Section 5.2.

o  Reset Association
   Protocols: SCTP
   Automatable because deciding to reset an association does not require application-specific knowledge.
   Implementation: via RESET_ASSOC.SCTP.

o  Notification of Association Reset
   Protocols: SCTP
   Automatable because this notification does not relate to application-specific knowledge.

o  Add Streams
   Protocols: SCTP
   Automatable because using multi-streaming does not require application-specific knowledge.
   Implementation: see Section 5.2.

o  Notification of Added Stream
   Protocols: SCTP
   Automatable because using multi-streaming does not require application-specific knowledge.
   Implementation: see Section 5.2.

o  Choose a scheduler to operate between streams of an association
   Protocols: SCTP
   Optimizing because the scheduling decision requires application-specific knowledge. However, if a transport system would not use this, or wrongly configure it on its own, this would only affect the performance of data transfers; the outcome would still be correct within the "best effort" service model.
   Implementation: using SET_STREAM_SCHEDULER.SCTP.
   Implementation over TCP: do nothing (streams are not available in TCP, but no guarantee is given that this transport feature has any effect).
   Implementation over UDP: do nothing (streams are not available in UDP, but no guarantee is given that this transport feature has any effect).

o  Configure priority or weight for a scheduler
   Protocols: SCTP
   Optimizing because the priority or weight requires application-specific knowledge. However, if a transport system would not use this, or wrongly configure it on its own, this would only affect the performance of data transfers; the outcome would still be correct within the "best effort" service model.
   Implementation: using CONFIGURE_STREAM_SCHEDULER.SCTP.
   Implementation over TCP: do nothing (streams are not available in TCP, but no guarantee is given that this transport feature has any effect).
   Implementation over UDP: do nothing (streams are not available in UDP, but no guarantee is given that this transport feature has any effect).

o  Configure send buffer size
   Protocols: SCTP
   Automatable because this decision relates to knowledge about the network and the Operating System, not the application (see also the discussion in Section 5.4).

o  Configure receive buffer (and rwnd) size
   Protocols: SCTP
   Automatable because this decision relates to knowledge about the network and the Operating System, not the application.

o  Configure message fragmentation
   Protocols: SCTP
   Automatable because this relates to knowledge about the network and the Operating System, not the application. Note that this SCTP feature does not control IP-level fragmentation, but decides on fragmentation of messages by SCTP, in the end system.
   Implementation: by always enabling it with CONFIG_FRAGMENTATION.SCTP and auto-setting the fragmentation size based on network or Operating System conditions.
o  Configure PMTUD
   Protocols: SCTP
   Automatable because Path MTU Discovery relates to knowledge about the network, not the application.

o  Configure delayed SACK timer
   Protocols: SCTP
   Automatable because the receiver-side decision to delay sending SACKs relates to knowledge about the network, not the application (it can be relevant for a sending application to request not to delay the SACK of a message, but this is a different transport feature).

o  Set Cookie life value
   Protocols: SCTP
   Functional because it relates to security (possibly weakened by keeping a cookie very long) versus the time between connection establishment attempts. Knowledge about both issues can be application-specific.
   Implementation over TCP: the
   closest specified TCP functionality is the cookie in TCP Fast Open; for this, [RFC7413] states that the server "can expire the cookie at any time to enhance security" and section 4.1.2 describes an example implementation where updating the key on the server side causes the cookie to expire. Alternatively, for implementations that do not support TCP Fast Open, this transport feature could also affect the validity of SYN cookies (see Section 3.6 of [RFC4987]).
   Implementation over UDP: not possible (UDP does not offer this functionality).

o  Set maximum burst
   Protocols: SCTP
   Automatable because it relates to knowledge about the network, not the application.

o  Configure size where messages are broken up for partial delivery
   Protocols: SCTP
   Functional because this is closely tied to properties of the data that an application sends or expects to receive.
   Implementation over TCP: not possible (TCP does not offer identification of message boundaries).
   Implementation over UDP: not possible (UDP does not fragment messages).
oT: Specifying a key idDisable checksum when sending Protocols: UDP Functional because application-specific knowledge is necessary to decide whether it can beusedacceptable toauthenticate a message o T,U: Requestlose data integrity with respect to random corruption. Implementation: via SET_CHECKSUM_ENABLED.UDP. Implementation over TCP: do nothing (TCP does not offer todelaydisable theacknowledgement (SACK) of a message A.2.2.2. Receiving Data o T,U: Receivechecksum, but transmitting data(with no message delimiting) o U: Receive a message o T,U: Information about partial message arrival A.2.2.3. Errors This section describes sending failures that are associatedwith an intact checksum will not yield aspecific call to in the "Sending Data" category (Appendix A.1.2.1). o T,U: Notification of send failuressemantically wrong result). oT,U: Notification that the stack has no more userDisable checksum requirement when receiving Protocols: UDP Functional because application-specific knowledge is necessary to decide whether it can be acceptable to lose data integrity with respect tosend o T,U: Notificationrandom corruption. Implementation: via SET_CHECKSUM_REQUIRED.UDP. Implementation over TCP: do nothing (TCP does not offer toa receiver that a partial message delivery has been aborted A.3. Step 3: Discussion The reduced set in the previous section exhibits a number of peculiarities, which we will discuss indisable thefollowing. This section focuses on TCP because,checksum, but transmitting data withthe exception of one particular transport feature ("Receive a message" -- wean intact checksum willdiscuss this in Appendix A.3.1),not yield a semantically wrong result). o Specify checksum coverage used by thelist shows that UDPsender Protocols: UDP-Lite Functional because application-specific knowledge isstrictly a subsetnecessary to decide for which parts ofTCP. 
Wethe data it canfirst trybe acceptable tounderstand howlose data integrity with respect tobuild a transport system that can runrandom corruption. Implementation: via SET_CHECKSUM_COVERAGE.UDP-Lite. Implementation overTCP, and then narrow down the result furtherTCP: do nothing (TCP does not offer toallow thatlimit thesystem can always runchecksum length, but transmitting data with an intact checksum will not yield a semantically wrong result). Implementation overeither TCP or UDP (which effectively means removing everything relatedUDP: if checksum coverage is set toreliability, ordering, authentication and closing/abortingcover payload data, do nothing. Else, either do nothing (transmitting data with an intact checksum will not yield anotification tosemantically wrong result), or use thepeer). Note that,transport feature "Disable checksum when sending". o Specify minimum checksum coverage required by receiver Protocols: UDP-Lite Functional becausethe functional transport featuresapplication-specific knowledge is necessary to decide for which parts ofUDP are -- withtheexception of "Receive a message" -- a subset of TCP, TCPdata it can beused as a replacement for UDP whenever an application does not need message delimiting (e.g., because the application-layer protocol already does it). This has been recognized by many applications that already do this in practice, by tryingacceptable tocommunicatelose data integrity withUDP at first, and falling backrespect toTCP in case of a connection failure. A.3.1. Sending Messages, Receiving Bytes For implementing a transport systemrandom corruption. Implementation: via SET_MIN_CHECKSUM_COVERAGE.UDP-Lite. Implementation overTCP, there are several transport features relatedTCP: do nothing (TCP does not offer tosending,limit the checksum length, butonlytransmitting data with an intact checksum will not yield asingle transport feature relatedsemantically wrong result). 
Implementation over UDP: if checksum coverage is set toreceiving: "Receivecover payload data, do nothing. Else, either do nothing (transmitting data(with no message delimiting)" (and, strangely, "information about partial message arrival"). Notably, the transport feature "Receivewith an intact checksum will not yield amessage" is alsosemantically wrong result), or use theonly non-automatabletransport featureof"Disable checksum requirement when receiving". o Specify DF field Protocols: UDP(-Lite)for which no implementation over TCP is possible. To support these TCP receiver semantics, we define an "Application- Framed Bytestream" (AFra-Bytestream). AFra-Bytestreams allow senders to operate on messages while minimizing changes to the TCP socket API. In particular, nothing changes onOptimizing because thereceiver side - dataDF field can be used to carry out Path MTU Discovery, which can lead an application to choose message sizes that can beacceptedtransmitted more efficiently. Implementation: viaa normal TCP socket. In an AFra-Bytestream,MAINTENANCE.SET_DF.UDP(-Lite) and SEND_FAILURE.UDP(-Lite). Implementation over TCP: do nothing (with TCP, the sending applicationcan optionally inform the transport about message boundaries and required properties per message (configurable order and reliability, or embedding a requestis notto delay the acknowledgementin control of transport message sizes, making this functionality irrelevant). o Get max. transport-message size that may be sent using amessage). Whenevernon- fragmented IP packet from thesendingconfigured interface Protocols: UDP(-Lite) Optimizing because this can lead an applicationspecifies per-message propertiesto choose message sizes thatrelax the notion of reliable in-order delivery of bytes, it must assumecan be transmitted more efficiently. Implementation over TCP: do nothing (this information is not available with TCP). o Get max. 
transport-message size that may be received from thereceiving applicationconfigured interface Protocols: UDP(-Lite) Optimizing because this can, for example, influence an application's memory management. Implementation over TCP: do nothing (this information is1) ablenot available with TCP). o Specify TTL/Hop count field Protocols: UDP(-Lite) Automatable because a transport system can use a large enough system default todetermine message boundaries, provided that messages are always kept intact, and 2) ableavoid communication failures. Allowing an application toaccept these relaxed per-message properties. Any signalingconfigure it differently can produce notifications ofsuchICMP error message arrivals that yield information which only relates to knowledge about the network, not the application. o Obtain TTL/Hop count field Protocols: UDP(-Lite) Automatable because the TTL/Hop count field relates to knowledge about thepeer is upnetwork, not the application. o Specify ECN field Protocols: UDP(-Lite) Automatable because the ECN field relates toan application-layer protocol and considered out of scope ofknowledge about the network, not the application. o Obtain ECN field Protocols: UDP(-Lite) Optimizing because thisdocument. For example, ifinformation can be used by an applicationrequeststotransfer fixed-size messages of 100 bytesbetter carry out congestion control (this is relevant when choosing a data transmission transport service that does not already do congestion control). Implementation over TCP: do nothing (this information is not available withpartial reliability, this needs the receiving applicationTCP). o Specify IP Options Protocols: UDP(-Lite) Automatable because IP Options relate tobe preparedknowledge about the network, not the application. o Obtain IP Options Protocols: UDP(-Lite) Automatable because IP Options relate toaccept data in chunks of 100 bytes. 
If, then, some of these 100-byte messages are missing (e.g., if SCTP with Configurable Reliability is used), this isknowledge about theexpected application behavior. With TCP, no messages would be missing, but this is also correct fornetwork, not theapplication,application. o Enable and configure a "Low Extra Delay Background Transfer" Protocols: A protocol implementing thepossible retransmission delayLEDBAT congestion control mechanism Optimizing because whether this feature isacceptable withinappropriate or not depends on application-specific knowledge. However, wrongly using this will only affect thebest effort service model (see [RFC7305], Section 3.5). Still,speed of data transfers (albeit including other transfers that may compete with thereceiving application would separatetransport system's transfer in the network), so it is still correct within thebyte stream into 100-byte chunks. Note that"best effort" service model. Implementation: via CONFIGURE.LEDBAT and/or SET_DSCP.TCP / SET_DSCP.SCTP / SET_DSCP.UDP(-Lite) [LBE-draft]. Implementation over TCP: do nothing (TCP does not support LEDBAT congestion control, but not implementing thisusage of messagesfunctionality will not yield a semantically wrong behavior). Implementation over UDP: do nothing (UDP does notrequireoffer congestion control). TERMINATION: o Close after reliably delivering allmessages to be equal in size. Manyremaining data, causing an event informing the applicationprotocols use some formon the other side Protocols: TCP, SCTP Functional because the notion ofType- Length-Value (TLV) encoding, e.g. by definingaheader including length fields; another alternativeconnection isthe use of byte stuffing methods suchoften reflected in applications asCOBS [COBS]. 
Ifanapplication needs message numbers, e.g.expectation torestore the correct sequence of messages, these must alsohave all outstanding data delivered and no longer beencoded by the application itself, as theable to communicate after a "Close" succeeded, with a communication sequencenumber relatedrelating to this transportfeatures of SCTP are not providedfeature that is defined by the"minimum set" (in the interest of enabling usage of TCP). A.3.2. Stream Schedulers Without Streams We have already stated that multi-streamingapplication protocol. Implementation: via CLOSE.TCP and CLOSE.SCTP. Implementation over UDP: not possible (UDP is unreliable and hence does notrequire application-specific knowledge. Potential benefits or disadvantages of, e.g., using two streams of an SCTP association versus using two separate SCTP associations or TCP connections areknow when all remaining data is delivered; it does also not offer to cause an event related toknowledge aboutclosing at thenetwork andpeer). o Abort without delivering remaining data, causing an event informing theparticular transport protocol in use, notapplication on theapplication. However,other side Protocols: TCP, SCTP Functional because thetransport features "Choosenotion of aschedulerconnection is often reflected in applications as an expectation tooperate between streamspotentially not have all outstanding data delivered and no longer be able to communicate after an "Abort" succeeded. On both sides of a connection, anassociation" and "Configure priority or weight forapplication protocol may define ascheduler" operate on streams. Here, streams identifycommunicationchannels between which a scheduler operates,sequence relating to this transport feature. Implementation: via ABORT.TCP andthey can be assigned a priority. Moreover,ABORT.SCTP. Implementation over UDP: not possible (UDP does not offer to cause an event related to aborting at thetransport features inpeer). 
o Abort without delivering remaining data, not causing an event informing theMAINTENANCE category all operateapplication onassocations in case of SCTP, i.e. they apply to all streams in that assocation. With only these semantics necessary to represent,theinterface to a transport system becomes easier if we assume that connections may beother side Protocols: UDP(-Lite) Functional because the notion of atransport protocol'sconnectionor association, but could also be a stream ofis often reflected in applications as anexisting SCTP association, for example. We only needexpectation toallow for a waypotentially not have all outstanding data delivered and no longer be able to communicate after an "Abort" succeeded. On both sides of a connection, an application protocol may define apossible grouping of connections. Then, all MAINTENANCE transport features can be saidcommunication sequence relating tooperate on connection groups, not connections, and a scheduler operates onthis transport feature. Implementation: via ABORT.UDP(-Lite). Implementation over TCP: stop using theconnections withinconnection, wait for agroup. Totimeout. o Timeout event when data could not becompatible with multiple transport protocolsdelivered for too long Protocols: TCP, SCTP Functional because this notifies that potentially assumed reliable data delivery is no longer provided. Implementation: via TIMEOUT.TCP anduniformly allow accessTIMEOUT.SCTP. Implementation over UDP: do nothing (this event will not occur with UDP). A.2. DATA Transfer Related Transport Features A.2.1. Sending Data o Reliably transfer data, with congestion control Protocols: TCP, SCTP Functional because this is closely tied toboth transport connections and streamsproperties ofa multi- streaming protocol,thesemantics of openingdata that an application sends or expects to receive. Implementation: via SEND.TCP andclosing needSEND.SCTP. Implementation over UDP: not possible (UDP is unreliable). 
o Reliably transfer a message, with congestion control Protocols: SCTP Functional because this is closely tied tobe the most restrictive subset of allproperties of theunderlying options. For example, TCP's support of half-closed connections candata that an application sends or expects to receive. Implementation: via SEND.SCTP. Implementation over TCP: via SEND.TCP. With SEND.TCP, message boundaries will not beseen as a feature on top ofidentifiable by themore restrictive "ABORT"; this feature cannot be supportedreceiver, because TCP provides a byte stream service. Implementation over UDP: not possible (UDP is unreliable). o Unreliably transfer a message Protocols: SCTP, UDP(-Lite) Optimizing becausenot all protocols used byonly applications know about the time criticality of their communication, and reliably transfering atransport system (including streamsmessage is never incorrect for the receiver ofan association) support half-closed connections. A.3.3. Early Data Transmission There are twoa potentially unreliable data transfer, it is just slower. CHANGED FROM RFC8303. This differs from the 2 automatable transport featuresrelated to transferring a message early: "Handbelow in that it leaves the choice of congestion control open. Implementation: via SEND.SCTP or SEND.UDP(-Lite). Implementation overaTCP: use SEND.TCP. With SEND.TCP, messages will be sent reliably, and messageto reliablyboundaries will not be identifiable by the receiver. o Unreliably transfer(possibly multiple times) before connection establishment", which relates to TCP Fast Open [RFC7413], and "Hand overamessagemessage, with congestion control Protocols: SCTP Automatable because congestion control relates toreliablyknowledge about the network, not the application. 
o Unreliably transferduring connection establishment", whicha message, without congestion control Protocols: UDP(-Lite) Automatable because congestion control relates toSCTP's ability to transfer data together withknowledge about theCOOKIE-Echo chunk. Also without TCP Fast Open, TCP can transfer data duringnetwork, not thehandshake, together withapplication. o Configurable Message Reliability Protocols: SCTP Optimizing because only applications know about theSYN packet -- however,time criticality of their communication, and reliably transfering a message is never incorrect for the receiver ofthisa potentially unreliable datamay not handtransfer, it is just slower. Implementation: via SEND.SCTP. Implementation overtoTCP: By using SEND.TCP and ignoring this configuration: based on theapplication untilassumption of thehandshake has completed. Also, different from TCP Fast Open, thisbest-effort service model, unnecessarily delivering data does not violate application expectations. Moreover, it is notdelimited aspossible to associate the requested reliability to amessage by"message" in TCP(thus,anyway. Implementation over UDP: notvisible as a ``message''). This functionalitypossible (UDP iscommonly available in TCP and supportedunreliable). o Choice of stream Protocols: SCTP Automatable because it requires using multiple streams, but requesting multiple streams inseveral implementations, even thoughtheTCP specification does not explain how to provideCONNECTION.ESTABLISHMENT category is automatable. Implementation: see Section 5.2. o Choice of path (destination address) Protocols: SCTP Automatable because itto applications. A transport system could differentiate betweenrequires using multiple sockets, but obtaining multiple sockets in thecasesCONNECTION.ESTABLISHMENT category is automatable. 
o Ordered message delivery (potentially slower than unordered) Protocols: SCTP Functional because this is closely tied to properties oftransmitting data "before" (possibly multiple times) or "during"thehandshake. Alternatively, it could also assume thatdata thatare handedan application sends or expects to receive. Implementation: via SEND.SCTP. Implementation overearlyTCP: By using SEND.TCP. With SEND.TCP, messages will not betransmitted as early as possible, and "before"identifiable by thehandshake would only be used for messages that are explicitly marked as "idempotent" (i.e., it would be acceptablereceiver. Implementation over UDP: not possible (UDP does not offer any guarantees regarding ordering). o Unordered message delivery (potentially faster than ordered) Protocols: SCTP, UDP(-Lite) Functional because this is closely tied totransfer them multiple times). The amountproperties of the data thatcan successfully be transmitted beforean application sends orduring the handshake dependsexpects to receive. Implementation: via SEND.SCTP. Implementation over TCP: By using SEND.TCP and always sending data ordered: based onvarious factors:thetransport protocol, the useassumption ofheader options,thechoice of IPv4 and IPv6best-effort service model, ordered delivery may just be slower and does not violate application expectations. Moreover, it is not possible to associate thePath MTU. A transport system should therefore allowrequested delivery order to asending application"message" in TCP anyway. o Request not toquerybundle messages Protocols: SCTP Optimizing because this decision depends on knowledge about themaximum amountsize of future data blocks and the delay between them. Implementation: via SEND.SCTP. Implementation over TCP: By using SEND.TCP and DISABLE_NAGLE.TCP to disable the Nagle algorithm when the request is made and enable itcan possibly transmit before (or, if exposed, during) connection establishment. A.3.4. 
Sender Running Dry The transport feature "Notification thatagain when thestack hasrequest is nomore user data to send"longer made. Note that this is not fully equivalent because it relates toSCTP's "SENDER DRY" notification. Such notifications can, in principle, be usedthe time of issuing the request rather than a specific message. Implementation over UDP: do nothing (UDP never bundles messages). o Specifying a "payload protocol-id" (handed over as such by the receiver) Protocols: SCTP Functional because it allows toavoid having an unnecessarily largesendbuffer, yet ensure that the transport sender always hasextra application data with every message, for the sake of identification of data, which by itself is application-specific. Implementation: SEND.SCTP. Implementation over TCP: not possible (this functionality is not availablewhen it has an opportunityin TCP). Implementation over UDP: not possible (this functionality is not available in UDP). o Specifying a key id totransmit it. This has been foundbe used to authenticate a message Protocols: SCTP Functional because this has a direct influence on security. Implementation: via a parameter in SEND.SCTP. Implementation over TCP: This could bevery beneficial for some applications [WWDC2015]. However, "SENDER DRY" truly means that the entire send buffer (including both unsentemulated by using SET_AUTH.TCP before andunacknowledged data) has emptied -- i.e., when it notifiesafter thesender, itmessage isalready too late, the transport protocol already missed an opportunity to send data. Some modern TCP implementations now include the unspecified "TCP_NOTSENT_LOWAT" socket option that was proposed in [WWDC2015], which limits the amount of unsent datasent. Note thatTCP can keep in the socket buffer;thisallowsis not fully equivalent because it relates tospecify at which buffer filling levelthesocket becomes writable,time of issuing the request rather thanwaiting for the buffera specific message. 
Implementation over UDP: not possible (UDP does not offer authentication). o Request not torun empty.delay the acknowledgement (SACK) of a message Protocols: SCTPallowsOptimizing because only an application knows for which message it wants toconfigure the sender-side buffer too: the automatable Transport Feature "Configure send buffer size" providesquickly be informed about success / failure of its delivery. Implementation over TCP: do nothing (TCP does not offer this functionality, butonly forignoring this request from thecomplete buffer, which includes both unsent and unacknowledged data. SCTPapplication will not yield a semantically wrong behavior). Implementation over UDP: do nothing (UDP does notallow to control these two sizes separately. It therefore makes sense foroffer this functionality, but ignoring this request from the application will not yield a semantically wrong behavior). A.2.2. Receiving Data o Receive data (with no message delimiting) Protocols: TCP Functional because a transport system must be able toallow for uniform access to "TCP_NOTSENT_LOWAT" as well as the "SENDER DRY" notification. A.3.5. Capacity Profile The transport features: o Disable Nagle algorithm o Enablesend andconfigure a "Low Extra Delay Background Transfer" o Specify DSCP field all relate to a QoS-likereceive data. Implementation: via RECEIVE.TCP. Implementation over UDP: do nothing (UDP only works on messages; these can be handed over, the applicationneed such as "low latency" or "scavenger". Incan still ignore theinterest of flexibility of a transport system, they could therefore be offered in a uniform, more abstract way, wheremessage boundaries). o Receive atransport system could e.g. 
decide by itself howmessage Protocols: SCTP, UDP(-Lite) Functional because this is closely tied touse combinationsproperties ofLEDBAT-like congestion control and certain DSCP values, andthe data that an applicationwould only specify a general "capacity profile" (a description of how it wantssends or expects touse the available capacity). A need for "lowestreceive. Implementation: via RECEIVE.SCTP and RECEIVE.UDP(-Lite). Implementation over TCP: not possiblelatency at the expense(TCP does not support identification ofoverhead" could then translate into automatically disabling the Nagle algorithm. In some cases, the Nagle algorithm is best controlled directly bymessage boundaries). o Choice of stream to receive from Protocols: SCTP Automatable because it requires using multiple streams, but requesting multiple streams in theapplicationCONNECTION.ESTABLISHMENT category is automatable. Implementation: see Section 5.2. o Information about partial message arrival Protocols: SCTP Functional becauseitthis isnot only related to a general profile but alsoclosely tied toknowledge about the sizeproperties offuture messages. For fine-grain control over Nagle-like functionality,the"Request notdata that an application sends or expects tobundle messages"receive. Implementation: via RECEIVE.SCTP. Implementation over TCP: do nothing (this information isavailable. A.3.6. Security Both TCP and SCTP offer authentication. TCP authenticates complete segments. SCTP allowsnot available with TCP). Implementation over UDP: do nothing (this information is not available with UDP). A.2.3. Errors This section describes sending failures that are associated with a specific call toconfigure whichin the "Sending Data" category (Appendix A.2.1). 
o Notification ofSCTP's chunk types must always be authenticated -- ifsend failures Protocols: SCTP, UDP(-Lite) Functional because this notifies that potentially assumed reliable data delivery isexposed as such, it creates an undesirable dependency onno longer provided. CHANGED FROM RFC8303. This differs from the 2 automatable transportprotocol. For compatibility with TCP, a transport system should only allow to configure complete transport layer packets, including headers, IP pseudo-header (if any)features below in that it does not distinugish between unsent andpayload. Securityunacknowledged messages. Implementation: via SENDFAILURE-EVENT.SCTP and SEND_FAILURE.UDP(- Lite). Implementation over TCP: do nothing (this notification isdiscussed in a separate document [I-D.ietf-taps-transport-security]. The minimal set presented in the present document excludes all security related transport features: "Configure authentication", "Change authentication parameters", "Obtain authentication information"not available and will therefore not occur with TCP). o Notification of an unsent (part of a) message Protocols: SCTP, UDP(-Lite) Automatable because the distinction between unsent and"Set Cookie life value" as well as "Specifying a key id to be usedunacknowledged does not relate toauthenticate a message". A.3.7. Packet Size UDP(-Lite) has a transport feature called "Specify DF field". This yieldsapplication-specific knowledge. o Notification of anerror message in caseunacknowledged (part ofsending aa) message Protocols: SCTP Automatable because the distinction between unsent and unacknowledged does not relate to application-specific knowledge. 
o Notification thatexceedsthePath MTU, which is necessary for a UDP-basedstack has no more user data to send Protocols: SCTP Optimizing because reacting to this notification requires the application to beable to implement Path MTU Discovery (a functioninvolved, and ensuring thatUDP-based applications mustthe stack does not run dry of data (for too long) can improve performance. Implementation over TCP: doby themselves). The "Get max. transport-message sizenothing (see the discussion in Section 5.4). Implementation over UDP: do nothing (this notification is not available and will therefore not occur with UDP). o Notification to a receiver thatmay be sent usinganon-fragmented IP packet frompartial message delivery has been aborted Protocols: SCTP Functional because this is closely tied to properties of theconfigured interface" transport feature yieldsdata that anupper limit for the Path MTU (minus headers)application sends or expects to receive. Implementation over TCP: do nothing (this notification is not available andcanwill thereforehelp to implement Path MTU Discovery more efficiently.not occur with TCP). Implementation over UDP: do nothing (this notification is not available and will therefore not occur with UDP). Appendix B. Revision information XXX RFC-Ed please remove this section prior to publication. -02: implementation suggestions added, discussion section added, terminology extended, DELETED category removed, various other fixes; list of Transport Features adjusted to -01 version of [RFC8303] except that MPTCP is not included. -03: updated to be consistent with -02 version of [RFC8303]. -04: updated to be consistent with -03 version of [RFC8303]. Reorganized document, rewrote intro and conclusion, and made a first stab at creating a real "minimal set". -05: updated to be consistent with -05 version of [RFC8303] (minor changes). Fixed a mistake regarding Cookie Life value. 
Exclusion of security related transport features (to be covered in a separate document). Reorganized the document (now begins with the minset, derivation is in the appendix). First stab at an abstract API for the minset. draft-ietf-taps-minset-00: updated to be consistent with -08 version of [RFC8303] ("obtain message delivery number" was removed, as this has also been removed in [RFC8303] because it was a mistake in RFC4960. This led to the removal of two more transport features that were only designated as functional because they affected "obtain message delivery number"). Fall-back to UDP incorporated (this was requested at IETF-99); this also affected the transport feature "Choice between unordered (potentially faster) or ordered delivery of messages" because this is a boolean which is always true for one fall-back protocol, and always false for the other one. This was therefore now divided into two features, one for ordered, one for unordered delivery. The word "reliably" was added to the transport features "Hand over a message to reliably transfer (possibly multiple times) before connection establishment" and "Hand over a message to reliably transfer during connection establishment" to make it clearer why this is not supported by UDP. Clarified that the "minset abstract interface" is not proposing a specific API for all TAPS systems to implement, but it is just a way to describe the minimum set. Author order changed. WG -01: "fall-back to" (TCP or UDP) replaced (mostly with "implementation over"). References to post-sockets removed (these were statments that assumed that post-sockets requires two-sided implementation). Replaced "flow" with "TAPS Connection" and "frame" with "message" to avoid introducing new terminology. Made sections 3 and 4 in line with the categorization that is already used in the appendix and [RFC8303], and changed style of section 4 to be even shorter and less interface-like. Updated reference draft-ietf-tsvwg- sctp-ndata to RFC8260. 
WG -02: rephrased "the TAPS system" and "TAPS connection" etc. to more generally talk about transport after the intro (mostly replacing "TAPS system" with "transport system" and "TAPS connection" with "connection". Merged sections 3 and 4 to form a new section 3. WG -03: updated sentence referencing [I-D.ietf-taps-transport-security] to say that "the minimum security requirements for a taps system are discussed in a separate security document", wrote "example" in the paragraph introducing the decision tree. Removed reference draft-grinnemo-taps-he-03 and the sentence that referred to it. WG -04: addressed comments from Theresa Enghardt and Tommy Pauly. As part of that, removed "TAPS" as a term everywhere (abstract, intro, ..). WG -05: addressed comments from Spencer Dawkins. WG -06: Fixed nits. WG -07: Addressed Genart comments from Robert Sparks. WG -08: Addressed one more Genart comment from Robert Sparks. WG -09: Addressed comments from Mirja Kuehlewind, Alvaro Retana, Ben Campbell, Benjamin Kaduk and Eric Rescorla. Authors' Addresses Michael Welzl University of Oslo PO Box 1080 Blindern Oslo N-0316 Norway Phone: +47 22 85 24 20 Email: michawe@ifi.uio.no Stein Gjessing University of Oslo PO Box 1080 Blindern Oslo N-0316 Norway Phone: +47 22 85 24 44 Email: steing@ifi.uio.no
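Review bot: In "Specifying a key id to be used to authenticate a message" (A.2.1), the TCP mapping does not say which key protects data that is still buffered from earlier sends when SET_AUTH.TCP is called "before and after the message is sent". The entry is classified Functional "because this has a direct influence on security", so the text should either state what an application can rely on under this emulation or use "not possible", as the neighbouring "payload protocol-id" entry does for TCP. The existing caveat that the emulation "relates to the time of issuing the request rather than a specific message" names the gap but gives an implementer no rule to follow.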
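Review bot: In "Specify checksum coverage used by the sender" and "Specify minimum checksum coverage required by receiver", the UDP mapping gives up more integrity than the application asked for. It allows falling back to "Disable checksum when sending" or "Disable checksum requirement when receiving" whenever the coverage is not set to cover payload data. Both entries are Functional because the application decides "for which parts of the data it can be acceptable to lose data integrity". Suggest making "do nothing" the only UDP mapping, or stating that the fallback is taken only when the application has also asked for the checksum to be disabled.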
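Review bot: In "Set Cookie life value", the TCP mapping names two mechanisms (the TCP Fast Open cookie, and SYN cookies "for implementations that do not support TCP Fast Open") but never says how the configured life value is applied to either of them. The cited example, "updating the key on the server side causes the cookie to expire", is a server-side action, so the text should say which endpoint the value applies to and what a transport system does when it cannot influence cookie validity. Other entries spell that case out as "do nothing" or "not possible".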
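Review bot: Spelling and wording nits: "distinugish" in "Notification of send failures"; "transfering" in both "Unreliably transfer a message" and "Configurable Message Reliability"; and "associated with a specific call to in the "Sending Data" category" in A.2.3, which is missing its object. In Appendix B, "statments" (WG -01) is misspelled and the parenthesis opened at "(mostly replacing" in WG -02 is never closed.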