This document specifies a protocol operating over STANAG 5066 to support TCP PEP (Performance Enhancing Proxy) based operation, to enable efficient operation of TCP based protocols over HF.
This document is part of the STANAG 5066 Application Protocol (S5066-APP) series. The complete set of documents in the series is:
End to end TCP using IP over an HF Subnet (following STANAG 5066 Annex F.12) often leads to poor or very poor performance. HF-PEP addresses this by using a PEP (Performance Enhancing Proxy) architecture outlined in RFC 3135 “Performance Enhancing Proxies Intended to Mitigate Link-Related Degradations”. The overall architecture is shown in the following diagram.
In this TCP Proxy architecture, an application is communicating over TCP, running over IP in the normal manner. The TCP connection from each application is peered with a proxy, rather than the other application. The proxies communicate using the HF-PEP protocol specified here.
HF-PEP operates over SLEP (SIS Layer Extension Protocol), specified in S5066-APP3. SLEP provides the Stream Services used by HF-PEP. SLEP communicates over STANAG 5066, using the local STANAG 5066 SIS (Subnet Interface Service) to connect. STANAG 5066 peers communicate over an HF network, as shown.
The Proxy can multiplex TCP connections over a single HF link, so that a single STANAG 5066 SAP can be shared by multiple TCP connections and multiple applications running over TCP.
The proxy may control TCP applications based on port including:
A simple proxy may connect to just one peer and route all traffic to that peer. A proxy may also connect to multiple peers and choose the peer proxy based on the destination IP address specified in an inbound TCP connection.
This section defines the service provided by the HF-PEP layer, which is based on the SLEP Streaming Service.
Proxy -> HF-PEP.
Arguments:
HF-PEP -> Proxy.
No arguments.
HF-PEP -> Proxy.
Arguments:
Proxy -> HF-PEP
No arguments.
HF-PEP -> Proxy.
Arguments:
The HF-PEP service provides a stream service based on the service provided by SLEP. A proxy initiating a connection using HF-PEP needs to communicate to the peer proxy the information needed to initiate the second TCP connection.
Proxy -> HF-PEP. Starts a new stream.
Arguments:
HF-PEP -> Proxy.
Arguments:
HF-PEP -> Proxy.
Arguments:
HF-PEP -> Proxy. Incoming stream being offered to responder.
Arguments:
Proxy -> HF-PEP. Accept or reject incoming stream.
Arguments:
Proxy -> HF-PEP. Initiator or responder sends a block of data.
Arguments:
HF-PEP -> Proxy
Argument:
This confirms that the data is accepted and allows the client to send another data block. This reflects the SLEP mechanism to flow control the application.
HF-PEP -> Proxy.
Arguments:
Proxy must accept the data.
This may be a zero-length block of data, which indicates that the stream is active. This may be helpful for controlling application timers.
Proxy -> HF-PEP.
Arguments:
Initiator or Responder requests SLEP to close stream. There is no confirmation.
HF-PEP -> Proxy.
Arguments:
HF-PEP tells responder that stream is closed. Note that this close is handled at the SLEP layer, so there are no HF-PEP specific errors.
This section summarizes how a proxy will make use of the HF-PEP service and how it interacts with TCP. A proxy will provide both initiating and responding services.
An HF-PEP proxy (“proxy”) will bind to one or more STANAG 5066 servers using HFPEP_BIND. A proxy will typically bind on a single SAP to a given STANAG 5066 server, but may bind on multiple SAPs.
A proxy will handle all or selected TCP ports for selected IP addresses or ranges. These IP addresses will usually be the IP addresses of the target applications on the other side of the proxy pair. To achieve this, a proxy will generally need to operate at the IP router level.
An initiating proxy will work as follows:
A responding proxy will work as follows:
An HF-PEP proxy maps between a stream protocol and a PDU based service.
When an HFPEP_STREAM_DATA_INDICATION provides a block of data, it is sent to TCP, and a TCP Push should be used at the end of writing this block of data to TCP.
When data arrives from TCP, a series of data blocks will be written using HFPEP_STREAM_DATA_REQUEST. Where there is a large stream of data, blocks of maximum data block size can be written. When some data arrives over TCP a decision has to be made as to how long to wait for more data. There is a trade-off:
It is anticipated that the TCP side will generally be fast, so that a wait of a few hundred milliseconds will often be appropriate. This will be sufficient for many applications and will not have significant HF impact. It may be appropriate to configure this for different applications and different TCP peers.
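The wait-for-more-data decision described above can be written as a small coalescing routine. This is an added example, not code from the specification; the 2048-byte maximum block size and the 300 ms wait are assumed values, and `coalesce_blocks` is a hypothetical name.

```python
# Coalesce TCP reads into blocks for HFPEP_STREAM_DATA_REQUEST.
# ASSUMPTIONS: max_block and wait_ms are illustrative; the page gives no
# maximum block size and only says "a few hundred milliseconds".

def coalesce_blocks(chunks, max_block=2048, wait_ms=300):
    """chunks: time-ordered (arrival_ms, bytes) TCP reads.
    Returns (send_ms, block) pairs, one per HFPEP_STREAM_DATA_REQUEST."""
    blocks = []
    pending = b""
    deadline = None  # time at which pending data must be sent
    for arrival, data in chunks:
        # The wait expired before this read arrived: send what was held.
        if pending and arrival >= deadline:
            blocks.append((deadline, pending))
            pending = b""
        if not pending:
            deadline = arrival + wait_ms  # timer starts at first held byte
        pending += data
        # A large stream fills blocks immediately; no reason to wait.
        while len(pending) >= max_block:
            blocks.append((arrival, pending[:max_block]))
            pending = pending[max_block:]
            deadline = arrival + wait_ms  # remainder gets a fresh wait
    if pending:
        blocks.append((deadline, pending))
    return blocks


# Constructed sample: two small interactive writes, then a bulk transfer.
SAMPLE_READS = [(0, b"a" * 100), (50, b"b" * 100), (1000, b"c" * 5000)]

if __name__ == "__main__":
    for send_ms, block in coalesce_blocks(SAMPLE_READS):
        print(f"t={send_ms:>5} ms  block of {len(block)} bytes")
```

The two small writes leave as one block when the wait expires, while the bulk transfer is cut into full-size blocks with only its tail waiting.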
MSB 7 | 6 | 5 | 4 | 3 | 2 | 1 | LSB 0 |
---|---|---|---|---|---|---|---|
Magic Number (4 bytes) | | | | | | | |
Source Port (2 bytes) | | | | | | | |
Destination Port (2 bytes) | | | | | | | |
Source IP Address (4 or 8 bytes) | | | | | | | |
Destination IP Address (4 or 8 bytes) | | | | | | | |
The HF-PEP stream is encoded as follows:
SLEP applications can define reason codes to be carried in SLEP. HF-PEP defines a number of SLEP codes to communicate error information between a pair of HF-PEP proxies. In some cases, these errors can be used to communicate information back to the TCP peer.
Code | Description |
---|---|
1000 | TCP general error. To cover generic failures not covered by specific subsequent codes |
1001 | Return IP is not routable. Used by a proxy when the source IP address is not locally routable, which would mean that no return IP traffic is possible. |
1002 | HF-PEP Magic Number not known or not supported. |
1003 | SLEP final-data failure. The final data of the stream failed to arrive after the close, so some data for the TCP stream may be missing. |
1004 | Return STANAG 5066 address not routable. The receiving proxy is not able to route IP traffic correctly back to the sender. A routing table error similar to 1001. |
1005 | HF-PEP Stream Header invalid. |
1006 | HF-PEP Capability not supported. Valid HF-PEP PDU requesting a capability not supported by receiver. |
1007 | Invalid destination IP address. IP address rejected (e.g., routing error). |
1008 | Connection refused. TCP rejection of requested connection. |
1009 | Connection time out. |
The HF-PEP service maps very closely onto the SLEP Stream Service. Each HF-PEP service maps onto the equivalent SLEP service.
The additional parameters in SLEP_STREAM_INIT_REQUEST are sent as the HF-PEP stream header, which is sent on the stream prior to data. This is decoded by the responder and provided in SLEP_STREAM_INIT_INDICATION.
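A responder-side decoder for the stream header laid out above, mapping malformed input to reason codes 1002 and 1005 from the table. This is an added example, not code from the specification. The magic values are placeholders, and the rule that the magic number selects the address length, network byte order for ports, and the port-0 rejection are assumptions not stated on this page.

```python
import struct
from typing import NamedTuple

MAGIC_UNKNOWN = 1002   # reason code from the table on this page
HEADER_INVALID = 1005  # reason code from the table on this page

# ASSUMPTION: placeholder magic values (the page does not list them), and
# the magic number is what selects the 4- or 8-byte address length.
MAGIC_ADDR_LEN = {b"PEP4": 4, b"PEP8": 8}


class HeaderReject(Exception):
    """Carries the SLEP reason code to return to the peer proxy."""
    def __init__(self, code: int, detail: str):
        super().__init__(f"{code}: {detail}")
        self.code = code


class StreamHeader(NamedTuple):
    src_port: int
    dst_port: int
    src_addr: bytes
    dst_addr: bytes
    data: bytes  # stream bytes that followed the header


def parse_stream_header(buf: bytes) -> StreamHeader:
    if len(buf) < 4:
        raise HeaderReject(HEADER_INVALID, "truncated magic number")
    addr_len = MAGIC_ADDR_LEN.get(bytes(buf[:4]))
    if addr_len is None:
        raise HeaderReject(MAGIC_UNKNOWN, "unrecognised magic number")
    total = 4 + 2 + 2 + 2 * addr_len
    if len(buf) < total:
        raise HeaderReject(HEADER_INVALID, f"need {total} bytes, got {len(buf)}")
    # ASSUMPTION: ports are big-endian (network byte order).
    src_port, dst_port = struct.unpack_from("!HH", buf, 4)
    if src_port == 0 or dst_port == 0:  # added check, not from the page
        raise HeaderReject(HEADER_INVALID, "port 0 is not connectable")
    src, dst = buf[8:8 + addr_len], buf[8 + addr_len:total]
    return StreamHeader(src_port, dst_port, src, dst, buf[total:])


# Constructed sample: documentation addresses, ephemeral port to port 25.
SAMPLE = (b"PEP4" + struct.pack("!HH", 49152, 25)
          + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7]) + b"EHLO")

if __name__ == "__main__":
    print(parse_stream_header(SAMPLE))
```

Rejecting before any TCP connection is attempted keeps a malformed header from triggering outbound connects on the responder's network.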
It is recommended that SAP 13 is used as the default SAP for HF-PEP.