TCP Usage Guidance in the Internet of Things (IoT)
UPCC/Esteve Terradas, 7Castelldefels08860Spaincarlesgo@entel.upc.eduUniversity of CambridgeJJ Thomson AvenueCambridgeCB3 0FDUnited Kingdomjon.crowcroft@cl.cam.ac.ukHochschule Esslingen University of Applied SciencesFlandernstr. 101Esslingen am Neckar73732Germanymichael.scharf@hs-esslingen.de
APP
LWIG Working Group This document provides guidance on how to implement and use the Transmission Control Protocol (TCP) in Constrained-Node Networks (CNNs), which are a characteristic of the Internet of Things (IoT). Such environments require a lightweight TCP implementation and may not make use of optional functionality. This document explains a number of known and deployed techniques to simplify a TCP stack as well as corresponding trade-offs. The objective is to help embedded developers with decisions on which TCP features to use.IntroductionThe Internet Protocol suite is being used for connecting Constrained-Node Networks (CNNs) to the Internet, enabling the so-called Internet of Things (IoT) . In order to meet the requirements that stem from CNNs, the IETF has produced a suite of new protocols specifically designed for such environments (see, e.g., ).
New IETF protocol stack components include the IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) adaptation layer
, the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL)
, and the Constrained Application Protocol (CoAP) .As of this writing, the main transport-layer protocols in IP-based IoT scenarios are UDP and TCP. TCP has been
criticized, often unfairly, as a protocol that is unsuitable for the IoT. It is true that some TCP features, such as relatively long header size,
unsuitability for multicast, and always-confirmed data delivery, are not optimal for IoT scenarios. However,
many typical claims on TCP unsuitability for IoT (e.g., a high complexity, connection-oriented approach incompatibility with radio duty-cycling and spurious congestion control activation
in wireless links) are not valid, can be solved, or are also found in well-accepted IoT end-to-end reliability mechanisms (see a detailed analysis in ).
At the application layer, CoAP was developed over UDP . However, the integration of some
CoAP deployments with existing infrastructure is being challenged by
middleboxes such as firewalls, which may limit and even block UDP-based
communications. This is the main reason why a CoAP over TCP
specification has been developed .Other application-layer protocols not specifically
designed for CNNs are also being considered for the IoT space. Some
examples include HTTP/2 and even HTTP/1.1, both of which run over TCP
by default , and the Extensible Messaging and Presence Protocol (XMPP) . TCP is also used by non-IETF
application-layer protocols in the IoT space such as the Message Queuing Telemetry Transport (MQTT) and its
lightweight variants.TCP is a sophisticated transport protocol that includes optional
functionality (e.g., TCP options) that may improve performance in some environments. However, many
optional TCP extensions require complex logic inside the TCP stack
and increase the code size and the memory requirements. Many
TCP extensions are not required for interoperability with other
standard-compliant TCP endpoints. Given
the limited resources on constrained devices, careful selection of optional TCP features can make an implementation more lightweight.
This document provides guidance on how to implement and configure TCP
and guidance on how applications should use TCP in CNNs. The overarching goal is to offer simple measures to allow for lightweight TCP implementation and suitable operation in such environments. A TCP implementation following the guidance in this document is intended to be compatible with a TCP endpoint that is compliant to the TCP standards, albeit possibly with a lower performance. This implies that such a TCP client would always be able to connect with a standard-compliant TCP server, and a corresponding TCP server would always be able to connect with a standard-compliant TCP client.This document assumes that the reader is familiar with TCP. A comprehensive survey of the TCP standards can be found in RFC 7414 . Similar guidance regarding the use of TCP in special environments has been published before, e.g., for cellular wireless networks .
Characteristics of CNNs Relevant for TCPNetwork and Link PropertiesCNNs are defined in as networks whose characteristics are influenced by being composed of a significant portion of constrained nodes.
The latter are characterized by significant limitations on processing, memory, and energy resources, among others .
The first two dimensions pose constraints on the complexity and memory footprint of the protocols that constrained nodes can support. The latter requires techniques to save energy, such as radio duty-cycling in wireless devices and the minimization of the number of messages transmitted/received (and their size). lists typical network constraints in CNNs, including low achievable bitrate/throughput, high packet loss and high variability of packet loss, highly asymmetric link characteristics, severe penalties for using larger packets, limits on reachability over time, etc. CNNs may use wireless or wired technologies (e.g., Power Line Communication), and the transmission rates are typically low (e.g., below 1 Mbps).For use of TCP, one challenge is that not all technologies in a CNN may be aligned with typical Internet subnetwork design principles . For instance, constrained nodes often use physical- / link-layer technologies that
have been characterized as 'lossy', i.e., exhibit a relatively high bit error rate. Dealing with corruption loss is one of the open issues in the Internet .
Usage ScenariosThere are different deployment and usage scenarios for CNNs. Some CNNs follow the star topology, whereby one or several hosts are linked to a central
device that acts as a router connecting the CNN to the Internet. Alternatively, CNNs may also follow the multihop topology .
In constrained environments, there can be different types of devices .
For example, there can be devices with a single combined send/receive buffer, a separate send and receive buffer, or a pool
of multiple send/receive buffers. In the latter case, it is possible that buffers are also shared for other protocols.
One key use case for TCP in CNNs is a model where
constrained devices connect to unconstrained servers in the Internet.
But it is also possible that both TCP endpoints run on constrained
devices.
In the first case,
communication will possibly traverse a middlebox (e.g., a firewall,
NAT, etc.). Figure 1 illustrates such a scenario. Note that the
scenario is asymmetric, as the unconstrained device will typically
not suffer the severe constraints of the constrained device. The
unconstrained device is expected to be mains-powered, have a high
amount of memory and processing power, and be connected to a
resource-rich network.
Assuming that a majority of constrained devices will correspond to
sensor nodes, the amount of data traffic sent by constrained devices
(e.g., sensor node measurements) is expected to be higher than the
amount of data traffic in the opposite direction. Nevertheless,
constrained devices may receive requests (to which they may
respond), commands (for configuration purposes and for constrained
devices including actuators), and relatively infrequent
firmware/software updates.
Communication and Traffic PatternsIoT applications are characterized by a number of different communication patterns. The following non-comprehensive list explains some typical examples:
Unidirectional transfers:
An IoT device (e.g., a sensor) can (repeatedly) send updates to the other endpoint. There is not always a need for an application response back to the IoT device.
Request-response patterns:
An IoT device receiving a request from the other endpoint, which triggers a response from the IoT device.
Bulk data transfers:
A typical example for a long file transfer would be an IoT device firmware update.
A typical communication pattern is that a constrained device communicates with an unconstrained device (cf. ). But it is also possible that constrained devices communicate amongst themselves.TCP Implementation and Configuration in CNNsThis section explains how a TCP stack can deal with typical constraints in CNN. The guidance in this section relates to the TCP implementation and its configuration.
Addressing Path PropertiesMaximum Segment Size (MSS)Assuming that IPv6 is used, and for the sake of lightweight implementation and operation, unless applications
require handling large data units (i.e., leading to an IPv6 datagram
size greater than 1280 bytes), it may be desirable to limit the IP datagram size to
1280 bytes in order to avoid the need to support Path MTU Discovery .
In addition, an IP datagram size of 1280 bytes avoids incurring IPv6-layer fragmentation .
An IPv6 datagram size exceeding 1280 bytes can be avoided by setting the TCP MSS to 1220 bytes or less. Note that
it is already a requirement for TCP implementations to consume payload space instead of increasing datagram size when including IP or TCP options
in an IP packet to be sent . Therefore, it is not required to advertise an MSS smaller than 1220 bytes in order to accommodate TCP options.
Note that setting the MTU to 1280 bytes is possible for link-layer technologies in the CNN space, even if some of them are characterized by a short data unit payload size, e.g., up to a few tens or hundreds of bytes.
For example, the maximum frame size in IEEE 802.15.4 is 127 bytes.
6LoWPAN defined an adaptation layer to support IPv6 over IEEE 802.15.4 networks. The adaptation layer includes a fragmentation mechanism,
since IPv6 requires the layer below to support an MTU of 1280 bytes , while IEEE 802.15.4 lacks fragmentation mechanisms.
6LoWPAN defines an IEEE 802.15.4 link MTU of 1280 bytes . Other technologies, such as Bluetooth low energy ,
ITU-T G.9959 , or Digital Enhanced Cordless
Telecommunications (DECT) Ultra Low Energy (ULE) , also use 6LoWPAN-based adaptation layers in order to enable
IPv6 support. These technologies do support link-layer fragmentation. By exploiting this
functionality, the adaptation layers that enable IPv6 over such technologies also define an MTU of 1280 bytes.
On the other hand, there exist technologies also used in the CNN space, such as Master Slave (MS) / Token Passing (TP) ,
Narrowband IoT (NB-IoT) , or IEEE 802.11ah ,
that do not suffer the same degree of frame size limitations as the technologies mentioned above.
It is recommended that the MTU for MS/TP be 1500 bytes ;
the MTU in NB-IoT is 1600 bytes, and the maximum frame payload size for IEEE 802.11ah is 7991 bytes.
Using a larger MSS (to a suitable extent) may be beneficial in some scenarios,
especially when transferring large payloads, as it reduces the number of packets (and packet headers)
required for a given payload. However, the characteristics of the constrained network need to be considered.
In particular, in a lossy network where unreliable fragment delivery is used, the amount of data that TCP unnecessarily
retransmits due to fragment loss increases (and throughput decreases) quickly with the MSS. This happens because the loss of a fragment leads to the
loss of the whole fragmented packet being transmitted. Unnecessary data retransmission is particularly
harmful in CNNs due to the resource constraints of such environments.
Note that, while the original 6LoWPAN fragmentation
mechanism does not offer reliable fragment delivery, fragment recovery functionality for 6LoWPAN or 6Lo environments
has been standardized .
Explicit Congestion Notification (ECN)ECN allows a router to signal
in the IP header of a packet that congestion is rising, for example,
when a queue size reaches a certain threshold. An ECN-enabled TCP
receiver will echo back the congestion signal to the TCP sender by
setting a flag in its next TCP Acknowledgment (ACK). The sender triggers congestion
control measures as if a packet loss had happened.
RFC 8087 outlines the principal gains in terms of increased throughput,
reduced delay, and other benefits when ECN is used over a network path that includes equipment that supports Congestion Experienced
(CE) marking. In the context of CNNs, a remarkable feature of ECN is that congestion can be signaled without incurring packet drops (which will lead to retransmissions and consumption of limited resources such as energy and bandwidth).
ECN can further reduce packet losses since congestion control
measures can be applied earlier . Fewer lost packets implies
that the number of retransmitted segments decreases, which is
particularly beneficial in CNNs, where energy and bandwidth resources
are typically limited. Also, it makes sense to try to avoid packet
drops for transactional workloads with small data sizes, which are
typical for CNNs. In such traffic patterns, it is more difficult and often impossible to
detect packet loss without retransmission timeouts (e.g., as there
may not be three duplicate ACKs). Any retransmission timeout slows
down the data transfer significantly. In addition, if the
constrained device uses power-saving techniques, a retransmission
timeout will incur a wake-up action, in contrast to ACK
clock-triggered sending. When the congestion window of a TCP sender has a
size of one segment and a TCP ACK with an ECN signal (ECN-Echo (ECE) flag) arrives
at the TCP sender, the TCP sender resets the retransmit timer, and
the sender will only be able to send a new packet when the retransmit
timer expires. Effectively, at that moment, the TCP sender reduces its
sending rate from 1 segment per Round-Trip Time (RTT) to 1
segment per Retransmission Timeout (RTO) and reduces the sending rate further on each ECN signal
received in subsequent TCP ACKs. Otherwise, if an ECN signal is not
present in a subsequent TCP ACK, the TCP sender resumes the normal
ACK-clocked transmission of segments .
ECN can be
incrementally deployed in the Internet. Guidance on configuration and usage of ECN is provided in RFC 7567 .
Given the benefits, more and more TCP stacks in the Internet support ECN, and it makes sense to specifically leverage ECN in controlled
environments such as CNNs. As of this writing, there is ongoing work to extend the types of TCP packets that are ECN capable, including pure ACKs .
Such a feature may further increase the benefits of ECN in CNN environments. Note, however, that supporting ECN increases implementation complexity.
Explicit Loss NotificationsThere has been a significant body of research on solutions capable of explicitly indicating whether a TCP segment loss is due to corruption, in order to avoid activation of congestion control mechanisms . While such solutions may provide significant improvement, they have not been widely deployed and remain as experimental work. In fact, as of today, the IETF has not standardized any such solution.
TCP Guidance for Single-MSS StacksThis section discusses TCP stacks that allow transferring a single MSS. More general guidance is provided in .
Single-MSS Stacks -- Benefits and Issues A TCP stack can reduce the memory requirements by advertising a TCP window size of 1 MSS and also transmit, at most, 1 MSS of
unacknowledged data. In that case, both congestion and flow control implementation are quite simple. Such a small receive and send window
may be sufficient for simple message exchanges in the CNN space. However, only using a window of 1 MSS can significantly affect
performance. A stop-and-wait operation results in low throughput for transfers that exceed the length of 1 MSS, e.g., a firmware
download. Furthermore, a single-MSS solution relies solely on timer-based loss recovery, therefore missing the performance gain of Fast
Retransmit and Fast Recovery (which requires a larger window size; see ).
If CoAP is used over TCP with the default setting for NSTART in RFC 7252 , a CoAP endpoint is not allowed to send
a new message to a destination until a response for the previous message sent to that destination has been received. This is equivalent to an
application-layer window size of 1 data unit. For this use of CoAP, a maximum TCP window of 1 MSS may be sufficient, as long as the
CoAP message size does not exceed 1 MSS. An exception in CoAP over TCP, though, is the Capabilities and Settings Message (CSM) that must be sent at the
start of the TCP connection. The first application message carrying user data is allowed to be sent immediately after the CSM message.
If the sum of the CSM size plus the application message size exceeds the MSS, a sender using a single-MSS stack will need to wait for the ACK confirming
the CSM before sending the application message.
TCP Options for Single-MSS StacksA TCP implementation needs to support, at a minimum, TCP options 2, 1, and 0. These are, respectively, the MSS option,
the No-Operation option, and the End Of Option List marker . None of these are a substantial burden to support.
These options are sufficient for interoperability with a standard-compliant TCP endpoint, albeit many TCP stacks support additional options
and can negotiate their use. A TCP implementation is permitted to silently ignore all other TCP options.
A TCP implementation for a constrained device that uses a single-MSS TCP receive or transmit window size may not benefit from supporting the following TCP options: Window Scale , TCP Timestamps , Selective Acknowledgment (SACK) , and SACK-Permitted . Also, other TCP options may not be required on a constrained device with a very lightweight implementation. With regard to
the Window Scale option, note that it is only useful if a window size greater than 64 kB is needed.
Note that a TCP sender can benefit from the TCP Timestamps option in detecting spurious RTOs. The latter are quite likely to occur
in CNN scenarios due to a number of reasons (e.g., route changes in a multihop scenario, link-layer retries, etc.). The header overhead incurred
by the Timestamps option (of up to 12 bytes) needs to be taken into account.
Delayed Acknowledgments for Single-MSS StacksTCP Delayed Acknowledgments are meant to reduce the number of ACKs sent within a TCP connection, thus reducing network overhead, but
they may increase the time until a sender may receive an ACK. In general, usefulness of Delayed ACKs depends heavily on the usage
scenario (see ). There can be interactions with single-MSS stacks.
When traffic is unidirectional, if the sender can send at most 1 MSS of data or the receiver advertises a receive window not greater than the MSS, Delayed ACKs may unnecessarily contribute delay (up to 500 ms) to the RTT , which limits the throughput and can increase data delivery time. Note that, in some cases, it may not be possible to disable Delayed ACKs. One known workaround is to split the
data to be sent into two segments of smaller size. A standard-compliant TCP receiver may immediately acknowledge the second MSS of data, which
can improve throughput. However, this "split hack" may not always work since a TCP receiver is required to acknowledge every second full-sized segment, but not two consecutive small segments. The overhead of sending two IP
packets instead of one is another downside of the "split hack".
Similar issues may happen when the sender uses the Nagle algorithm, since the sender may need to wait for an unnecessarily Delayed ACK
to send a new segment. Disabling the algorithm will not have impact if the sender can only handle stop-and-wait operation
at the TCP level.
For request-response traffic, when the receiver uses Delayed ACKs, a response to a data message can piggyback an ACK, as long as the latter is sent before the Delayed ACK timer expires, thus avoiding unnecessary ACKs without payload.
Disabling Delayed ACKs at the request sender allows an immediate ACK for the data segment carrying the response.
RTO Calculation for Single-MSS StacksThe RTO calculation is one of the fundamental TCP algorithms . There is a fundamental trade-off:
a short, aggressive RTO behavior reduces wait time before retransmissions, but it also increases the probability of spurious timeouts.
The latter leads to unnecessary waste of potentially scarce resources in CNNs such as energy and bandwidth. In contrast,
a conservative timeout can result in long error recovery times and, thus, needlessly delay data delivery.
If a TCP sender uses a very small window size, and it cannot benefit from Fast Retransmit and Fast Recovery or SACK, the RTO algorithm has a
large impact on performance. In that case, RTO algorithm tuning may be considered, although careful
assessment of possible drawbacks is recommended .
As an example, adaptive RTO algorithms defined for CoAP over UDP have been found to perform well in CNN scenarios .
General Recommendations for TCP in CNNsThis section summarizes some widely used techniques to improve TCP, with a focus on their use in CNNs. The TCP extensions discussed here are useful in a wide range of network scenarios, including CNNs. This section is not comprehensive. A comprehensive survey of TCP extensions is published in RFC 7414 .Loss Recovery and Congestion/Flow ControlDevices that have enough memory to allow a larger (i.e., more than 3 MSS of data) TCP window size can leverage a more efficient loss recovery
than the timer-based approach used for a smaller TCP window size (see ) by
using Fast Retransmit and Fast Recovery , at the expense of slightly greater complexity and Transmission Control Block (TCB) size.
Assuming that Delayed ACKs are used by the receiver, a window size of up to 5 MSS is required for Fast Retransmit and Fast Recovery
to work efficiently: in a given TCP transmission of full-sized segments 1, 2, 3, 4, and 5, if segment 2 gets lost, and the ACK for segment 1
is held by the Delayed ACK timer, then the sender should get an ACK for segment 1 when 3 arrives and duplicate ACKs when segments 4, 5, and 6
arrive. It will retransmit segment 2 when the third duplicate ACK arrives. In order to have segments 2, 3, 4, 5, and 6 sent, the window
has to be of at least 5 MSS. With an MSS of 1220 bytes, a buffer of a size of 5 MSS would require 6100 bytes.
The example in the previous paragraph did not use a further TCP improvement such as Limited Transmit . The latter
may also be useful for any transfer that has more than one segment in flight. Small transfers tend
to benefit more from Limited Transmit, because they are more likely to not receive enough duplicate ACKs. Assuming the example
in the previous paragraph, Limited Transmit allows sending 5 MSS with a congestion window (cwnd) of three segments, plus two additional
segments for the first two duplicate ACKs. With Limited Transmit, even a cwnd of two segments allows sending 5 MSS, at the expense of
additional delay contributed by the Delayed ACK timer for the ACK that confirms segment 1.
When a multiple-segment window is used, the receiver will need to manage the reception of possible out-of-order received segments,
requiring sufficient buffer space. Note that even when a window of 1 MSS is used, out-of-order arrival should also be managed, as the sender may send multiple sub-MSS packets that fit in the window. (On the other hand, the receiver is free to simply drop out-of-order segments, thus forcing retransmissions.)
Selective Acknowledgments (SACKs)
If a device with less severe memory and processing constraints can
afford advertising a TCP window size of several MSSs, it makes sense
to support the SACK option to improve performance. SACK allows a
data receiver to inform the data sender of non-contiguous data blocks
received, thus a sender (having previously sent the SACK-Permitted
option) can avoid performing unnecessary retransmissions, saving
energy and bandwidth, as well as reducing latency. In addition, SACK often allows for faster loss recovery when there is more than one lost segment in a window of data, since SACK recovery may complete with less RTTs. SACK is
particularly useful for bulk data transfers. A receiver supporting SACK will need to keep track of the data blocks that need to be received. The sender will also need to keep track of which data segments need to be resent after learning which data blocks are missing at the receiver. SACK adds
8*n+2 bytes to the TCP header, where n denotes the number of data
blocks received, up to four blocks. For a low number of out-of-order
segments, the header overhead penalty of SACK is compensated by
avoiding unnecessary retransmissions. When the sender discovers the data blocks that have already been received, it needs to also
store the necessary state to avoid unnecessary retransmission of data segments that have already been received.
Delayed AcknowledgmentsFor certain traffic patterns, Delayed ACKs may have a detrimental effect, as already noted in . Advanced TCP stacks may use heuristics to determine the maximum delay for an ACK. For CNNs, the recommendation depends on the expected communication patterns.
When traffic over a CNN is expected mostly to be unidirectional messages with a size typically up to 1 MSS, and the time between two
consecutive message transmissions is greater than the Delayed ACK timeout, it may make sense to use a smaller timeout or disable Delayed ACKs
at the receiver. This avoids incurring additional delay, as well as the energy consumption of the sender (which might, e.g., keep its radio
interface in receive mode) during that time. Note that disabling Delayed ACKs may only be possible if the peer device is administered
by the same entity managing the constrained device. For request-response traffic, enabling Delayed ACKs is recommended at
the server end, in order to allow combining a response with the ACK into a single segment, thus increasing efficiency. In addition, if
a client issues requests infrequently, disabling Delayed ACKs at the client allows an immediate ACK for the data segment
carrying the response.
In contrast, Delayed ACKs allow for a reduced number of ACKs in bulk transfer types of traffic, e.g., for firmware/software updates or for transferring larger data units containing a batch of sensor readings.
Note that, in many scenarios, the peer that a constrained device communicates with will be a general purpose system that communicates with both constrained and unconstrained devices. Since Delayed ACKs are often configured through system-wide parameters, the behavior of Delayed ACKs at the peer will be the same regardless of the nature of the endpoints it talks to. Such a peer will typically have Delayed ACKs enabled.
Initial Window specifies a TCP Initial Window (IW) of roughly 4 kB. Subsequently, RFC 6928 defines an experimental new value for the IW,
which in practice will result in an IW of 10 MSS. Nowadays, the latter is used in many TCP implementations.
Note that a 10-MSS IW was recommended for resource-rich environments (e.g., broadband environments), which are significantly different from CNNs.
In CNNs, many application-layer data units are relatively small (e.g., below 1 MSS). However, larger objects (e.g., large files containing
sensor readings, firmware updates, etc.) may also need to be transferred in CNNs. If such a large object is transferred in CNNs, with an IW
setting of 10 MSS, there is significant buffer overflow risk, since many CNN devices support network or radio buffers of a size smaller than 10 MSS.
In order to avoid such a problem, the IW needs to be carefully set in CNNs, based
on device and network resource constraints. In many cases, a safe IW setting will be smaller than 10 MSS.
TCP Usage Recommendations in CNNsThis section discusses how TCP can be used by applications that are developed for CNN scenarios. These remarks are by and large independent of how TCP is exactly implemented.
TCP Connection InitiationIn the scenario of a constrained device to an unconstrained device illustrated
above, a TCP connection is typically initiated by the constrained
device, in order for the device to support possible sleep periods to
save energy.
Number of Concurrent ConnectionsTCP endpoints with a small amount of memory may only support a small
number of connections. Each TCP connection requires storing a number
of variables in the TCB. Depending on
the internal TCP implementation, each connection may result in
further memory overhead, and connections may compete for scarce resources (e.g., further memory overhead for send and receive buffers, etc.).
A careful application design may try to keep the number of concurrent connections as small as possible. A client can, for instance, limit the number of simultaneous open connections that it maintains to a given server. Multiple connections could, for instance, be used to avoid the "head-of-line blocking" problem in an application transfer. However, in addition to consuming resources, using multiple connections can also cause undesirable side effects in congested networks.
For example, the HTTP/1.1 specification encourages clients to be conservative when opening multiple connections .
Furthermore, each new connection will start with a three-way handshake, therefore increasing message overhead.
Being conservative when opening multiple TCP connections is of particular importance in Constrained-Node Networks.TCP Connection LifetimeIn order to minimize message overhead, it makes sense to keep a TCP connection
open as long as the two TCP endpoints have more data to send. If applications
exchange data rather infrequently, i.e., if TCP connections would stay idle for a long time,
the idle time can result in problems. For instance, certain middleboxes
such as firewalls or NAT devices are known to delete state records after an inactivity interval.
RFC 5382 specifies a minimum value for such an interval of 124 minutes. Measurement studies have reported that TCP NAT binding timeouts are highly
variable across devices,
with the median being around 60 minutes, the shortest timeout being around 2 minutes, and more than 50% of the devices with a timeout shorter than the
aforementioned minimum timeout of 124 minutes . The timeout duration used by a
middlebox implementation may not be known to the TCP endpoints.In CNNs, such middleboxes may, e.g., be present at the boundary between the CNN and other networks.
If the middlebox can be optimized for CNN use cases, it makes sense to increase the initial value
for filter state inactivity timers to avoid problems with idle connections. Apart from that,
this problem can be dealt with by different connection-handling strategies, each having pros and cons.One approach for infrequent data transfer is to use short-lived TCP connections.
Instead of trying to maintain a TCP connection for a long time, it is possible that short-lived
connections can be opened between two endpoints, which are closed if no more data needs
to be exchanged. For use cases that can cope with the additional messages and the latency
resulting from starting new connections, it is recommended to use a sequence of short-lived connections instead of maintaining a single long-lived connection.
The message and latency overhead that stems from using a sequence of short-lived connections could be reduced by TCP Fast Open (TFO) ,
which is an experimental TCP extension, at the expense of increased implementation complexity and increased TCB size. TFO allows data to be
carried in SYN (and SYN-ACK) segments and to be consumed immediately
by the receiving endpoint. This reduces the message and latency overhead compared to
the traditional three-way handshake to establish a TCP connection.
For security reasons, the connection initiator has to request a TFO
cookie from the other endpoint. The cookie, with a size of 4 or 16
bytes, is then included in SYN packets of subsequent connections.
The cookie needs to be refreshed (and obtained by the client) after a
certain amount of time. While a given cookie is used for multiple connections between the same two endpoints,
the latter may become vulnerable to privacy threats. In addition, a valid cookie may be stolen from a compromised host
and may be used to perform SYN flood attacks, as well as amplified reflection attacks to victim hosts (see ).
Nevertheless, TFO is more efficient than
frequently opening new TCP connections with the traditional three-way
handshake, as long as the cookie can be reused in subsequent
connections. However, as stated in , TFO deviates from the standard TCP semantics, since the data in the SYN could be replayed
to an application in some rare circumstances. Applications should not use TFO unless they can tolerate this issue, e.g., by using
TLS . A comprehensive discussion on TFO can be found in RFC 7413 .
Another approach is to use long-lived TCP connections with
application-layer heartbeat messages. Various application protocols
support such heartbeat messages (e.g., CoAP over TCP ).
Periodic application-layer heartbeats can prevent early filter state record deletion in middleboxes.
If the TCP binding timeout for a middlebox to be traversed by a given connection is known, middlebox filter
state deletion will be avoided if the heartbeat period is lower than the middlebox TCP binding timeout.
Otherwise, the implementer needs to take into account that middlebox TCP binding timeouts fall in a wide range
of possible values , and it may be hard to find a proper heartbeat period for application-layer heartbeat messages.
One specific advantage of heartbeat messages is that they also allow liveness checks at the
application level. In general, it makes sense to realize
liveness checks at the highest protocol layer possible that is
meaningful to the application, in order to maximize the depth of the
liveness check. In addition, timely detection of a dead peer may
allow savings in terms of TCB memory use. However, the transmission of
heartbeat messages consumes resources. This aspect needs to be assessed carefully, considering the characteristics of each specific CNN.
A TCP implementation may also be able to send "keep-alive" segments to test a TCP connection.
According to , keep-alives are an optional TCP mechanism that is
turned off by default, i.e., an application must explicitly enable it for a TCP connection.
The interval between keep-alive messages must be configurable, and it must default to no less
than two hours. With this large timeout, TCP keep-alive messages might not always be useful to avoid deletion of
filter state records in some middleboxes. However, sending TCP keep-alive probes more frequently risks draining power on energy-
constrained devices.
Security ConsiderationsBest current practices for securing TCP and TCP-based communication also applies to CNN. As an example, use of TLS is strongly recommended if it is applicable.
However, note that TLS protects only the contents of the data segments.
There are TCP options that can actually protect the transport layer. One example is the TCP Authentication Option (TCP-AO) .
However, this option adds overhead and complexity. TCP-AO typically has a size of 16-20 bytes.
An implementer needs to asses the trade-off between security and performance when using TCP-AO, considering the characteristics (in terms of energy, bandwidth, and computational power)
of the environment where TCP will be used.
For the mechanisms discussed in this document, the corresponding considerations apply. For instance, if TFO is used, the security considerations of RFC 7413 apply.Constrained devices are expected to support smaller TCP window sizes than less-limited devices. In such conditions, segment retransmission
triggered by RTO expiration is expected to be relatively frequent, due to lack of (enough) duplicate ACKs, especially when a constrained device
uses a single-MSS implementation. For this reason, constrained devices running TCP may appear as particularly appealing victims of the so-called
"shrew" Denial-of-Service (DoS) attack , whereby one or more sources generate a packet spike targeted to coincide with consecutive
RTO-expiration-triggered retry attempts of a victim node. Note that the attack may be performed by Internet-connected devices,
including constrained devices in the same CNN as the victim, as well as remote ones. Mitigation techniques include RTO randomization and attack blocking by routers able to detect
shrew attacks based on their traffic pattern. IANA ConsiderationsThis document has no IANA actions.ReferencesNormative ReferencesInformative ReferencesIPv6 over 802.11ahCoAP Congestion Control for the Internet of ThingsIEEE Communications Magazine, Vol. 54, Issue 7, pp. 154-160TCP in the Internet of Things: from Ostracism to ProminenceIEEE Internet Computing, Vol. 22, Issue 1, pp. 29-41Information technology -- Message Queuing Telemetry Transport (MQTT) v3.1.1ISO/IECISO/IEC 20922:2016An Experimental Study of Home Gateway CharacteristicsProceedings of the 10th ACM SIGCOMM conference on Internet measurement, pp. 260-266Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)SIGCOMM'03Explicit transport error notification (ETEN) for error-prone wireless and satellite networksComputer NetworksFull TCP/IP for 8-Bit ArchitecturesMobiSys '03, pp. 85-98RIOT: An Open Source Operating System for Low-End Embedded Devices in the IoTIEEE Internet of Things Journal, Vol. 5, Issue 6Connecting the World of Embedded Mobiles: The RIOT Approach to Ubiquitous Networking for the IoTarXiv:1801.02833v1 [cs.NI]TCP Implementations for Constrained DevicesThis section overviews the main features of TCP implementations for constrained devices. The survey is limited to open-source stacks with a small footprint. It is not meant to be all-encompassing. For more powerful embedded systems (e.g., with 32-bit processors), there are further stacks that comprehensively implement TCP. On the other hand, please be aware that this Annex is based on information available as of the writing.uIPuIP is a TCP/IP stack, targeted for 8- and 16-bit microcontrollers, which pioneered TCP/IP implementations for constrained devices.
uIP has been deployed with Contiki and the Arduino Ethernet shield. A code size of ~5 kB (which comprises checksumming, IPv4, ICMP, and TCP)
has been reported for uIP . Later versions of uIP implement IPv6 as well.uIP uses the same global buffer for both incoming and outgoing traffic, which has a
size of a single packet. In case of a retransmission, an application must be able to reproduce the same user data that had been
transmitted. Multiple connections are supported but need to share the global buffer.
The MSS is announced via the MSS option on connection establishment, and the receive window size (of 1 MSS) is not modified during a connection. Stop-and-wait operation is used for sending data. Among other optimizations, this allows for the avoidance of sliding window operations, which use 32-bit arithmetic extensively and are expensive on 8-bit CPUs.Contiki uses the "split hack" technique (see ) to avoid Delayed ACKs for senders using a single segment.The code size of the TCP implementation in Contiki-NG has been measured to be 3.2 kB on CC2538DK, cross-compiling on Linux.lwIPlwIP is a TCP/IP stack, targeted for 8- and 16-bit microcontrollers. lwIP has a total code size of ~14 kB to ~22 kB
(which comprises memory management, checksumming, network interfaces, IPv4, ICMP, and TCP) and a TCP code size of ~9 kB to ~14 kB .
Both IPv4 and IPv6 are supported in lwIP since v2.0.0.In contrast with uIP, lwIP decouples applications from the network stack. lwIP supports a TCP transmission window greater than a single segment, as well as the buffering of incoming and outgoing data. Other implemented mechanisms comprise slow start, congestion avoidance, fast retransmit, and fast recovery.
SACK and Window Scale support has been recently added to lwIP.RIOT The RIOT TCP implementation (called "GNRC TCP") has been designed for Class 1 devices . The main target platforms are 8- and 16-bit microcontrollers, with 32-bit platforms also supported. GNRC TCP
offers a similar function set as uIP, but it provides and maintains an independent receive buffer for each connection. In contrast to uIP, retransmission is also handled by GNRC TCP. For simplicity, GNRC TCP uses a single-MSS implementation. The application programmer does not need to know anything about the TCP internals; therefore, GNRC TCP can be seen as a user-friendly uIP TCP implementation.
The MSS is set on connections establishment and cannot be changed during connection lifetime. GNRC TCP allows multiple connections in parallel, but each TCB must
be allocated somewhere in the system. By default, there is only enough memory allocated for a single TCP connection, but it can be increased at compile time if the user needs multiple parallel connections.
The RIOT TCP implementation offers an optional Portable Operating System Interface (POSIX) socket wrapper that enables POSIX compliance, if needed.
Further details on RIOT and GNRC can be found in and .
TinyOSTinyOS was important as a platform for early constrained devices. TinyOS has an experimental TCP stack that uses a simple non-blocking library-based implementation of TCP, which provides a subset of the socket interface primitives. The application is responsible for buffering. The TCP library does not do any receive-side buffering. Instead, it will immediately dispatch new, in-order data to the application or otherwise drop the segment. A send buffer is provided by the application. Multiple TCP connections are possible. Recently, there has been little work on the stack.FreeRTOSFreeRTOS is a real-time operating system kernel for embedded devices that
is supported by 16- and 32-bit microprocessors. Its TCP implementation is based on multiple-segment window size, although a "Tiny-TCP" option, which is a single-MSS variant, can be enabled. Delayed ACKs are supported, with a 20 ms Delayed ACK timer as a technique intended "to gain performance".
uC/OSuC/OS is a real-time operating system kernel for embedded devices, which is maintained by Micrium. uC/OS is intended for 8-, 16-, and 32-bit microprocessors. The uC/OS TCP implementation supports a multiple-segment window size.
SummaryNone of the implementations considered in this Annex support ECN or TFO.
Summary of TCP Features for Different Lightweight TCP Implementations
uIP
lwIP orig
lwIP 2.1
RIOT
TinyOS
FreeRTOS
uC/OS
Code Size (kB)
<5
~9 to ~14
38
<7
N/A
<9.2
N/A
Memory
(a)
(T1)
(T4)
(T3)
N/A
(T2)
N/A
TCP Features
Single-Segm.
Yes
No
No
Yes
No
No
No
Slow start
No
Yes
Yes
No
Yes
No
Yes
Fast rec/retx
No
Yes
Yes
No
Yes
No
Yes
Keep-alive
No
No
Yes
No
No
Yes
Yes
Win. Scale
No
No
Yes
No
No
Yes
No
TCP timest.
No
No
Yes
No
No
Yes
No
SACK
No
No
Yes
No
No
Yes
No
Del. ACKs
No
Yes
Yes
No
No
Yes
Yes
Socket
No
No
Optional
(I)
Subset
Yes
Yes
Concur. Conn.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
TLS supported
No
No
Yes
Yes
Yes
Yes
Yes
Legend:
(T1):
TCP-only, on x86 and AVR platforms
(T2):
TCP-only, on ARM Cortex-M platform
(T3):
TCP-only, on ARM Cortex-M0+ platform (NOTE: RAM usage for the same platform
is ~2.5 kB for one TCP connection plus ~1.2 kB for each additional connection)
(T4):
TCP-only, on CC2538DK, cross-compiling on Linux
(a):
Includes IP, ICMP, and TCP on x86 and AVR platforms. The Contiki-NG TCP implementation has a code size of 3.2 kB on CC2538DK, cross-compiling on Linux
(I):
Optional POSIX socket wrapper that enables POSIX compliance if needed
Mult.:
Multiple
N/A:
Not Available
AcknowledgmentsThe work of has been funded in part by the Spanish Government (Ministerio de Educacion, Cultura y Deporte) through Jose Castillejo grants CAS15/00336
and CAS18/00170; the European Regional Development Fund (ERDF); the Spanish Government through projects TEC2016-79988-P, PID2019-106808RA-I00, AEI/FEDER, and UE; and
the Generalitat de Catalunya Grant 2017 SGR 376.
Part of his contribution to this work has been carried out during his stays as a visiting scholar at the Computer Laboratory of the University of Cambridge. The authors appreciate the feedback received for this document. The
following folks provided comments that helped improve the document:
, , , , , , , , , , , , , , , ,
, , , , , and .
provided details and kindly performed Random Access Memory (RAM) and Read-Only Memory (ROM) usage measurements on the RIOT TCP implementation. provided details on the OpenWSN TCP implementation.
kindly performed code size measurements on the Contiki-NG and lwIP 2.1.2 TCP implementations. He also provided details on the uIP TCP implementation.