Re: [multipathtcp] q about on-path proxy

Olivier Bonaventure <> Wed, 22 March 2017 09:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8F8221296B0 for <>; Wed, 22 Mar 2017 02:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bstRYUouuBbm for <>; Wed, 22 Mar 2017 02:35:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BD5161296B4 for <>; Wed, 22 Mar 2017 02:35:21 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id ED8F867DDDF; Wed, 22 Mar 2017 10:35:06 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.9.2 ED8F867DDDF
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=selucl; t=1490175307; bh=LH0GpogqnnV42FKC+4xkwQlA2r7l5Vdc8wFRSPGxVbU=; h=Reply-To:Subject:References:To:From:Date:In-Reply-To; b=ATVhaPcJj7/0CdS2zGK6PNXlgjhx0/LQ4FtZbSQAnc2o6FsgVMcYW5nFtAQXyXU9x Ql87pAkQ5pLRQ66oWQfcw/MNyr7aCDxJ5UcmknXbaSOaI7hgqIFKFhgkzCo6ewNmw4 w7XJgt1VLdpIACVhG7XIxM9zccCzXNZETfJEtg4o=
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.99.2 at smtp-5
References: <>
To: Yoshifumi Nishida <>, multipathtcp <>
From: Olivier Bonaventure <>
Message-ID: <>
Date: Wed, 22 Mar 2017 10:35:07 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Sgsi-Spamcheck: SASL authenticated,
X-SGSI-MailScanner-ID: ED8F867DDDF.A5CF5
X-SGSI-MailScanner: Found to be clean
X-SGSI-Spam-Status: No
Archived-At: <>
Subject: Re: [multipathtcp] q about on-path proxy
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Mar 2017 09:35:24 -0000

> I am trying to understand on-path proxy scenarios.
> (BTW, I'm referring draft-nam-mptcp-deployment-considerations-01
> and draft-boucadair-mptcp-plain-mode-10)
> In case of on-path proxy (implicit mode),the dest of the primary subflow
> will be the receiver. It's not very clear to me how MCP intercepts the
> packets in this subflow.

There are several techniques that can be deployed by operators to ensure 
that the transparent MCP is on-path for the initial subflow. All these 
techniques operate in the network layer or below and are thus 
transparent for TCP. Let me give an example based on source routing that 
does not match an actual deployment but would illustrate the main 
principle. With source routing, one can add inside the IP header a loose 

        +------- R4 ---- R5 --------+
C --- uMCP ---- R1 ---- R2 ------ dMCP ---- R6 --- R7 --- S

Consider a TCP connection created by client C towards server S. The uMCP 
is the first hop router for C. It intercepts the connection and 
transparently terminates it, acting as S. It then initiates a Multipath 
TCP connection towards S, acting as C. The packets for this connection 
are sent as IP packet that contain the IP address of the downstream MCP 
as a loose source routing hop. The dMCP removes the source routing 
option, transparently terminates the Multipath TCP connection and then 
initiates a connection towards S, acting as C.

Three connections exist to transfer data from C et S and vice-versa.

C<->uMCP  (source address C, destination address S)
uMCP<->dMCP (source address C, destination address S, using source 
routing to ensure that all downstream packets pass through dMCP, for 
upstream packets, source routing is usually not required because there 
is only one path to the uMCP that advertises C to R1 only )
dMCP<-> S (source address C, destination address S)

For the Multipath TCP connection between uMCP and dMCP, the second 
subflow is used without relying on source routing. The uMCP and the dMCP 
have addresses on the R4/R5 network and use the ADD_ADDR option to 
advertise those addresses and create the required subflows.

> The MCP splits the connection between two nodes and send forged packets
> to the sender?


> Also, in the two proxy scenario, does the downstream MCP have to be
> on-path?

If the downstream MCP is on path, then it does not have to include any 
NAT function which is beneficial from an operational viewpoint.