The days when you used a horse and buggy to travel to town along a dusty, wheel-rutted path are gone. Today’s roadways are complex, offering you many routes to the office, with High Occupancy Vehicle (HOV) lanes to help make your commute quicker. The evolution of networking is a bit like the explosive growth of our roadway systems. In the “olden” days of networking, connectivity was achieved using Transmission Control Protocol (TCP), a single path protocol much like that old bridleway that had grass poking up in the center. While today’s networks have multipath, super-highway, requirements—with mobile devices using multiple radio interfaces and datacenters and cloud deployments using redundant paths—these networks still primarily use single-path TCP as a transmission mechanism.
But Multipath TCP (MPTCP) is zooming up the right lane and merging onto the scene. MPTCP is the highway of the future, offering you a way to supercharge your wireless, internet, and datacenter networks. However, the same features that make MPTCP so powerful also create some security challenges.
On-ramping to the highway
MPTCP is an evolutionary step forward for the TCP protocol to enable redundancy for multiple network connections for any device. It is like merging from a lane under construction to one that has no obstruction for miles ahead. While this has been a feature available on WAN, LAN, and datacenter networks for some time via device bonding, it has been limited to these deployments and not available to user endpoint devices like laptops and smartphones.
MPTCP can effectively use multiple paths within a single transport connection and keep a logical connection established when the endpoint’s address changes. By bringing redundancy to user endpoint devices, MPTCP is feeding the thirst for users who want to be connected all the time and every time they pick up their device—just like people have come to expect gas stations to be near them whenever they need to fuel up.
The redundancy offered by MPTCP enables inverse multiplexing of resources. Originally, networks were designed a bit like older cities with travel facilitated via single-path surface streets. But MPTCP offers a modern, streamlined multi-lane approach to networking, which increases TCP throughput to the sum of all available link-level channels—just like traffic throughput is increased by adding lanes to a highway. Additionally, MPTCP is backward compatible with standard TCP.
MPTCP really pulls ahead of the pack in the context of wireless networks; with both Wi-Fi and mobile networks being typical use cases. In addition to the throughput gains from inverse multiplexing, links may be added or dropped as the user moves in or out of coverage without disrupting the end-to-end TCP connection.
This streamlined link handover is handled by abstraction in the transport layer, without any special mechanisms at the network or link level. Picture driving across the United States. You can traverse from Chicago to San Francisco, and visit the Grand Canyon or the World’s Second Largest Rocking Chair unencumbered. Like that cross-country adventure, handover functionality is implemented at the endpoints without requiring any special functionality in the subnetworks (in accordance with the Internet's end-to-end principle).
Merging into the passing lane
Streamlined link handover empowers MPTCP to automatically change to the fastest moving route that is available. This is important to users who are so dependent on their devices to be always on the internet, feeding their bandwidth-hungry appetite for the highest speed. Mobile devices such as smartphones, internet connected cars and laptops are moving, which means their available networks and each of their speeds can vary substantially over a brief period of time—and not just between cellular towers, but Wi-Fi hopping as well.
Just think how nice it is to take a detour from the highway to some back roads when there is a bad accident that backs up traffic for miles. Consider the traditional TCP network model. TCP traffic is routed from point A to point B and back again. But MPTCP opens up multiple subflows and can choose which subflow has the best connection to use at a given point in time.
Releasing the nitrous on the expressway
MPTCP’s biggest boost is its ability to increase bandwidth by utilizing multiple TCP network connections—like adding lanes to a thruway—as compared to using what we refer to as the least cost route.
Least cost routing is like driving a back road along the riverside to work every day. The landscape is beautiful and you won’t have to pay a toll, but what happens if you get stuck behind a farm tractor, or traffic dramatically increases because everyone decides to take the scenic route? With networking, least cost routing is efficient for a single path, but like roadways, internet traffic is not evenly distributed across connections and routers. The byways of the internet make up a meshed network of connections that holds lots of under-utlized capacity at different times and locations.
As an ongoing effort of the Internet Engineering Task Force’s (IETF) MPTCP Working Group, MPTCP is a TCP extension specified in RFC 8684 that allows endpoints to efficiently use multiple interfaces for a single TCP connection to maximize resource usage and increase redundancy. The MPTCP solution allows simultaneous use of multiple network connections for a single data-stream, while still presenting a standard TCP socket application programming interface (API) to the application. With MPTCP, your commute is faster because it allows increasing the download speed by aggregating the bandwidth of all interfaces.
Additionally, just like a highway clover-leaf interchange where traffic from one highway can merge onto the other with ease, MPTCP allows mobile hosts to hand over traffic from Wi-Fi to cellular, without disrupting the application. This is especially important as available bandwidth for wireless connections vary over time and while in motion. And because MPTCP is part of the networking stack, it is transparent to the application. MPTCP also dramatically reduces the number of network collisions, which is why you never achieve the full speed of any connection.
MPTCP also brings performance benefits in datacenter environments. In contrast to Ethernet channel bonding using 802.3ad link aggregation that bonds up to eight ports of the same type and speed, MPTCP can balance a single socket across multiple interfaces of varying port and transport types to reach very high throughput.
Sightseeing along to the highway
Because we are creatures of movement, zooming around town in our cars to the grocery store or post office, so too are our devices. When smartphones and mobile cellular devices travel to the shopping center from your home, they move their connection between different cellular towers, sometimes networks, and are aware of available Wi-Fi networks, such as those at the nearest coffee shop. Failing over from one network connection (or tower) to another or from Wi-Fi to cellular (or vice versa) is really important, and doing this exceptionally fast provides a seamless user experience. Like when you burst through a traffic jam and find yourself at the front of the pack on the highway with nothing but an open road and room to speed, users sometimes need a burst of traffic, and the larger the bandwidth, the better.
Residential gateways can also benefit from aggregated bandwidth from multiple TCP connections as well as the benefit of high-availability when one connection is interrupted. Imagine how nice it would be when you have deprecated internet speeds, to still be connected the next time you have to reboot your gateway or when the utility company is digging up fiber cables down the street.
MPTCP is part of the 5G wireless standardization that is beginning to roll out the core network function to allow Access Traffic Steering, Switching, and Splitting (ATSSS). Think of steering like the advanced GPS apps that warn you of construction zones or car accidents along your intended route and then “detours'' you toward a better path.
With networking, steering selects the best network connection available. Switching, like an efficient highway interchange, enables the seamless handover of traffic from one connection to another. Splitting allows for multiple networks to be aggregated in a manner similar to the large super highways that aggregate both express lanes and local or collector lanes.
Breaking past the firewall and perimeter
While MPTCP offers many benefits, it also causes a few new issues. Picture a major metropolitan city at the height of construction season. Several roads are being paved, resulting in several detours. There are so many detours that some of the detours are overlapping, with paths from your home (point A) to the office (point B) becoming disjointed. The same type of situation can occur with MPTCP.
Multipath routing causes cross-path data fragmentation. From a security perspective that challenges in-line security solutions (e.g., firewalls, IDSs, and malware scanners) which only "see" one path's traffic. Without being able to see all paths, these devices may miss activity that they're meant to be monitoring for. These intermediary devices act a bit like an airport body scanner for the passengers wanting to enter the airport gate area.
In an office or building with a single internet connection, these solutions provided great security. However, in today's world, there are often multiple physical internet connections to every building from various ISPs, but every person in that building is carrying around a smartphone each with their own wireless connectivity to the internet.
While the inline security solutions can monitor traffic on a single physical so long as all of the traffic from a single device is sent and received through the same internet connection, if any traffic flows or packets get distributed across multiple connections, any of these devices will lack a complete understanding of any conversation that an endpoint device might be having. Think of an airport scanner only scanning a small fraction of your body and the friendly airport security staff waving all the passengers through. Would you feel less safe if they only scanned every passenger's right-hand next time you board a plane?
It’s easy to find contraband on a person's body if the entire body is scanned. Secure networking is a bit like those scanners. When devices are able to see all bi-directional traffic along with a single path route, such as a perimeter device like a firewall, or intrusion detection system (IDS), then there are more options on what can be done with that traffic and its metadata.
But what if there are many entrances to the airport terminal and a limited number of staffed airport security scanners? In that situation, a group of passengers could split up and enter different security lines, as each security checkpoint or staffer would not know which other passengers were traveling with any other passengers. Similarly, if the device in the middle is only seeing one of multiple data paths (or flows), that device’s ability to analyze or spy on the data is deprecated.
So does that make Firewalls useless? No, of course not. Perimeter and inline security solutions, like Firewalls and Intrusion Detection Systems, are not dead. They have and always will perform important duties for protecting perimeters. Perimeters are more numerous and now include an organization's cloud infrastructure. But, security approaches like Zero Trust and the Cloud Security Alliance's Software Defined Perimeter (SDP) provide a new approach that applies to the world where end-user devices are everywhere and not restricted to office only use and applications that are also everywhere, ranging from on-premise to private cloud and public cloud.
Where will this highway go?
A future with MPTCP means more pure raw network bandwidth. If the rapid expansion of work from home due to COVID has taught us anything, it is that everyone needs more bandwidth. A household with four video conferences occurring simultaneously, along with multiple smartphones, tablets, and home IoT devices all adds up to a significant demand on your broadband network connection. And while your home or office might have enough bandwidth to your telco’s front door, the telco aggregates these connections to oversubscribed uplink connections. Aggregating many relatively cheap links MPTCP can reach more than 58.1 Gbps on a single data-stream, which is the per second equivalent to a DVD.
Other deployments use MPTCP to aggregate the bandwidth of different networks. For several types of smartphones, notably in Korea, MPTCP has been used to bond Wi-Fi and 4G through SOCKS proxies. Another example is the Hybrid Access Networks that are deployed by network operators willing to combine xDSL and LTE networks. In this deployment, MPTCP is used to efficiently balance the traffic over the xDSL and the LTE network.
What’s under the hood?
Here’s how it works. One MPTCP connection manages a set subflows, each of them is a TCP socket carrying some synchronization metadata. At any given time, the MPTCP connection can use one or more of the available subflows. Consider the example of a mobile device moving from your car to the coffee shop. In this situation, a subflow for the cellular network connection is stopped once the cafe’s Wi-Fi connection is detected and started.
The MPTCP protocol defines how these flows are established and how the data-loading side is synchronized for each of these flows so that the presence of many sub-flows is completely transparent to the end user application. Better yet, MPTCP can keep its “wheels on the ground” and maintain an active connection even when there are no connected subflows.
Bear in mind that MPTCP is implemented in the endpoints only. If MPTCP negotiation is not possible bi-directionally, then it falls back to TCP.
Cross the finish line
As Domiinic Toretto, said in the Fast & Furious, “It doesn’t matter whether you win by an inch or a mile, winning is winning." With MPTCP running on your servers and endpoints, you'll be winning as MPTCP enables endpoints to manage High Availability (HA) and reliability even while moving—better than traditional TCP. HA has historically been a feature of enterprise-class routers and servers, while MPTCP brings this capability to endpoints. MPTCP is the turbo charger for your network and applications that you have been looking for as it provides resiliency for your applications and unlocks more bandwidth as it is available to us.
Check out how to enable MPTCP in Red Hat Enterprise Linux (RHEL) 8.3 and how to enable MPTCP.