IETF Logo Mail Archive

Re: [multipathtcp] MPTCP backup flag attack via MP_PRIO message

Alan Ford <alan.ford@gmail.com> Thu, 20 July 2017 15:00 UTC

Return-Path: <alan.ford@gmail.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41427131891 for <multipathtcp@ietfa.amsl.com>; Thu, 20 Jul 2017 08:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Bw9e_aqgk8d for <multipathtcp@ietfa.amsl.com>; Thu, 20 Jul 2017 08:00:30 -0700 (PDT)
Received: from mail-wm0-x242.google.com (mail-wm0-x242.google.com [IPv6:2a00:1450:400c:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3405A12EC46 for <multipathtcp@ietf.org>; Thu, 20 Jul 2017 08:00:29 -0700 (PDT)
Received: by mail-wm0-x242.google.com with SMTP id t3so2869778wme.2 for <multipathtcp@ietf.org>; Thu, 20 Jul 2017 08:00:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yoEWzaGVwg/YVTk+oGB2ZTp33GfE8gNNlqDq9kJkCyE=; b=ETzjx81+q2jgRFzt6QLvR+pKValB6DII9oWoaM2BCkTgz5UgUcQUQQXspy4V+i2eD1 BZiMt7ex+sGnHBD8M3HI7VRaB2/Y0g2f5enSuRIzVJsCGMPih6aAaB2LNA100M7NriP3 f8TYjdI1sObJ9Q//J48Jg4D7UIrZ9LxTSFK6bTxxx9X9MGi1S/yc4ABcq1S+Miqnkwr4 GBUpoyk/qk/mG/8GNbm9JFKsO8V1fY2OQD6iVuKBUzGObs5pT4BdQhFctI6Ya7HvFCkM bbGFCoPFQjiYG7N5K3wGnu3Z0J2BtSSskZxd+jED6pJLM9rhoSrrK1B0VxuMaNoPqX8m 11Ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yoEWzaGVwg/YVTk+oGB2ZTp33GfE8gNNlqDq9kJkCyE=; b=ovGzBa+PYfKK7VF5kHxJW3weokUgIppWWjyoCaj9fyc3CglJIbLacNGgqhSbeG1SPp lYv9aMr0mPH1x31iXeoOF/x0auMmT9WZ/HYJ05PlMDExF1m8YGZXkV4LbZ3RLLC/GEXE vYycQm4M/Ws6wHFBv7jDcgNFL6qJuxYPDn9vpNwCVLA6Mbfc0f4s8dfoISuXFTGFGYzT cZVC5PW3mJ+EFu8Ycnrf0dKH7LRTSCcQms7tj4doFemygzApbZRrAt0E5cXDeJvrNqQ+ YHxWqAd+28DNATQRai3ZIE6pzVCaj+FLCY+apdZyFflRF8uuHGAy1RvbLUve/E9DdVxN Hctg==
X-Gm-Message-State: AIVw110Fg715teiCO5PXO2A7Fw6aHoz7J2pm/hiF6Wk0tvoRuK/NgvT9 SGsnIGstnvgjcHMKsiE7uA==
X-Received: by 10.28.125.195 with SMTP id y186mr2728642wmc.37.1500562827635; Thu, 20 Jul 2017 08:00:27 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:128:a890:6285:c91d:ca3e? ([2001:67c:370:128:a890:6285:c91d:ca3e]) by smtp.gmail.com with ESMTPSA id i136sm2338850wmf.33.2017.07.20.08.00.26 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 20 Jul 2017 08:00:26 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset="iso-8859-1"
From: Alan Ford <alan.ford@gmail.com>
X-Priority: 3 (Normal)
In-Reply-To: <800c331f808d608354fc00be24283cb6.squirrel@webmail.cs.ucr.edu>
Date: Thu, 20 Jul 2017 16:00:25 +0100
Cc: multipathtcp@ietf.org, Zubair <zubair-shafiq@uiowa.edu>, Franck Le <fle@us.ibm.com>, Alex Liu <alexliu@cse.msu.edu>, Ali Munir <munirali@msu.edu>
Content-Transfer-Encoding: quoted-printable
Message-Id: <742E211F-F754-4149-88E2-3BE51645F49D@gmail.com>
References: <800c331f808d608354fc00be24283cb6.squirrel@webmail.cs.ucr.edu>
To: Zhiyun Qian <zhiyunq@cs.ucr.edu>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/1d80SWLGD4SeyIrbKr6r6tY8CDY>
Subject: Re: [multipathtcp] MPTCP backup flag attack via MP_PRIO message
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 15:00:32 -0000

Hi Zhiyun,

Please bear in mind that the goal of MPTCP with respect to security, as discussed in the original architectural design in RFC6182, is to provide a security model no worse than TCP. So whilst this attack would be possible, it can only be done by an on-path attacker, and if succeeded would allow the on-path attacker to intercept all traffic. Which would be the same for a single-path TCP connection on the same path.

As a side point, the same kind of attack could be launched via REMOVE_ADDR messages, but this would not succeed since this is specified with some protection - ensuring the subflow is really unavailable through the use of TCP keepalive signals. This same protection cannot be used against the MP_PRIO since the referenced subflow is not unavailable.

If the WG considered this risk worth addressing, we could look at adding a nonce + signature to MP_PRIO.

Regards,
Alan

> On 20 Jul 2017, at 08:28, Zhiyun Qian <zhiyunq@cs.ucr.edu> wrote:
> 
> Dear all,
> 
> We are a group of researchers (cc:ed on the email) who recently
> discovered a security flaw in the MP_PRIO messge that allows a
> man-in-the-middle attacker on a single path to divert all traffic to
> its own path, effectively hijacking the entire MPTCP connection. Below
> we describe the problem in brief (more details will be found in our
> upcoming ICNP paper. We also hope to submit an Internet draft soon).
> We thank Olivier Bonaventure for his valuable feedback.
> 
> ---------------------------------------------------------------
> 
> MPTCP supports using sub-connections as backup – i.e., using a
> sub-connection to send data only if there is no other sub-connection
> available. Specifically, an MPTCP host can send a request to the other
> host to set any sub-connection as a backup by using the MPTCP MP_PRIO
> option. Hosts can request change in the priority to use a
> subconnection as regular or backup.  To set a sub-connection as
> backup, a host can request a change in the sub-connection priority by
> sending MPTCP MP_PRIO option to the other host with the corresponding
> address identifier. The key property of MP_PRIO messages is that they
> can be sent on any sub-connection. The reason is that if a
> sub-connection is already congested, it may not be possible to deliver
> the message to pause itself. After receiving such a control packet,
> the sender will stop sending data and the corresponding
> sub-connection’s throughput will drop to zero.
> 
> Unfortunately, unlike MP_JOIN, such a MP_PRIO option has no
> authentication required by the specification whatsoever, allowing an
> attacker controlling only one path to set any sub-connection as backup
> and launch traffic divergence and connection hijack attacks. The
> backup flag vulnerability allows an attacker to divert traffic among
> MPTCP sub-connections. An attacker can offload traffic from the
> eavesdropped sub-connection to other MPTCP sub-connections by sending
> forged packets with the MP_PRIO option to set the eavesdropped
> sub-connection as a backup. An attacker can also onload traffic from
> non-eavesdropped sub-connections to the eavesdropped sub-connection by
> sending forged packets with the MP_PRIO option to set all other
> sub-connections as backup. This attack is similar to connection hijack
> attack, where an attacker diverts all the traffic to pass through the
> sub-connection on the eavesdropped path.
> 
> 
> Connection Hijack Example:
> 
> Consider a scenario where two sub-connections of an MPTCP connection
> pass through paths p1 and p2. An attacker can hijack the
> non-eavesdropped subconnection on p2 by dynamically changing the
> priority of a sub-connection and declaring it as backup.
> 
> To launch this attack an attacker only needs to know the address
> identifier of the host , which can be obtained by eavesdropping other
> paths or easily guessed as they are set incrementally in current Linux
> implementation of MPTCP. Since the identifier has only 8 bits, it can
> even be brute forced. To set a non-eavesdropped sub-connection as
> backup between hosts A and B, an attacker can request a change in the
> sub-connection priority by sending MPTCP MP_PRIO option to host B with
> the address identifier of host A. Since by design the MP_PRIO messages
> can be sent on any sub-connection, the attacker eavesdropping on any
> path capable of sending such a forged backup message can pause any
> other path. Note that a backup MPTCP sub-connection may still be used
> for data transmission later, which can be detected by the attacker by
> observing the overall MPTCP throughput.
> 
> Effectively, this attack degrades an MPTCP connection to a regular TCP
> connection as all traffic will be routed through the
> attacker-controlled path. We argue that this vulnerability makes MPTCP
> less secure than TCP, because the entire MPTCP connection can be
> compromised (fully controlled by an attacker) as long as any one of
> the communication paths is compromised. Unfortunately, MPTCP
> specification does not include any authentication mechanism whatsoever
> regarding the MP_PRIO message.
> 
> We discuss several solutions in a forthcoming paper [ICNP2017], but a
> simple approach to cope with this attack would be to reconsider the
> utilisation of the address identifier in the MP_PRIO option. This
> option allows a host to set/change the priority of all the subflows
> associated to a given address identifier on another subflow. It could
> have use cases, such as sending MP_PRIO over a WiFi subflow to put the
> cellular subflow in backup mode without sending a packet over the
> cellular interface, but this looks like an edge case. Looking at the
> attack that we have identified, the working group should evaluate the
> removal of the address identifier in rfc6824bis. If the MP_PRIO option
> does not include an address identifier, then it becomes impossible for
> an attacker who is on-path of a given subflow to change the priority
> of the other subflows.
> 
> Best,
> -Zhiyun
> 
> _______________________________________________
> multipathtcp mailing list
> multipathtcp@ietf.org
> https://www.ietf.org/mailman/listinfo/multipathtcp

v2.23.0 | Report a Bug | By Email