Re: [multipathtcp] MPTCP backup flag attack via MP_PRIO message
Yoshifumi Nishida <nishida@sfc.wide.ad.jp> Mon, 24 July 2017 06:29 UTC
Return-Path: <nishida@sfc.wide.ad.jp>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 547D112EC55 for <multipathtcp@ietfa.amsl.com>; Sun, 23 Jul 2017 23:29:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BXQJAnc38iKK for <multipathtcp@ietfa.amsl.com>; Sun, 23 Jul 2017 23:29:36 -0700 (PDT)
Received: from mail.sfc.wide.ad.jp (shonan.sfc.wide.ad.jp [203.178.142.130]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3601512EC30 for <multipathtcp@ietf.org>; Sun, 23 Jul 2017 23:29:35 -0700 (PDT)
Received: from mail-io0-f169.google.com (mail-io0-f169.google.com [209.85.223.169]) by mail.sfc.wide.ad.jp (Postfix) with ESMTPSA id 994C0278406 for <multipathtcp@ietf.org>; Mon, 24 Jul 2017 15:29:33 +0900 (JST)
Received: by mail-io0-f169.google.com with SMTP id j32so18764183iod.0 for <multipathtcp@ietf.org>; Sun, 23 Jul 2017 23:29:33 -0700 (PDT)
X-Gm-Message-State: AIVw113A38vV3SGxFjDrwaVnv8IwxI2CQhTMBfzmpbaQ+JfA20N7mtCC 3cwFAQSXE3WRTqD4VQBHIXtvaIZSdw==
X-Received: by 10.107.36.136 with SMTP id k130mr14059379iok.7.1500877772315; Sun, 23 Jul 2017 23:29:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.167.19 with HTTP; Sun, 23 Jul 2017 23:29:31 -0700 (PDT)
In-Reply-To: <CAOs_kTYDuAQ-H2y9dEiOyhmqnGBrC5sTxh9d5PT-GW_qCUA_yg@mail.gmail.com>
References: <800c331f808d608354fc00be24283cb6.squirrel@webmail.cs.ucr.edu> <742E211F-F754-4149-88E2-3BE51645F49D@gmail.com> <c0929925-1b3a-e36c-511d-bda3da312a71@uclouvain.be> <20170720152058.GJ3049@Chimay.local> <D13C88F7-2CB6-4D84-9FAD-DA10FEE7546C@gmail.com> <CAO249ydZzvyigoZqUp=igH2aPGRZJVaerQvsoiTcOTiXpb7v3w@mail.gmail.com> <FD7F4B1C-A8F0-4A2E-A224-AF0F5CBCB815@gmail.com> <CAO249yeuMgbZJ5Pou7s+-NVLKm8bwE4YznSzniFSciRLU_MY0w@mail.gmail.com> <CAOs_kTYDuAQ-H2y9dEiOyhmqnGBrC5sTxh9d5PT-GW_qCUA_yg@mail.gmail.com>
From: Yoshifumi Nishida <nishida@sfc.wide.ad.jp>
Date: Sun, 23 Jul 2017 23:29:31 -0700
X-Gmail-Original-Message-ID: <CAO249yd5msxaU+R-UmMGM4wO-S9weniOCrPH70UqBAOVb7XW5A@mail.gmail.com>
Message-ID: <CAO249yd5msxaU+R-UmMGM4wO-S9weniOCrPH70UqBAOVb7XW5A@mail.gmail.com>
To: Alan Ford <alan.ford@gmail.com>
Cc: Yoshifumi Nishida <nishida@sfc.wide.ad.jp>, Alex Liu <alexliu@cse.msu.edu>, Ali Munir <munirali@msu.edu>, Christoph Paasch <cpaasch@apple.com>, Franck Le <fle@us.ibm.com>, Zubair <zubair-shafiq@uiowa.edu>, multipathtcp <multipathtcp@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140e33078610f05550a5602"
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/FHC3pmmnOoonUYgpQtlLiUa5-i8>
Subject: Re: [multipathtcp] MPTCP backup flag attack via MP_PRIO message
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 06:29:38 -0000
Hi Alan, On Sun, Jul 23, 2017 at 6:04 AM, Alan Ford <alan.ford@gmail.com> wrote: > Hi Yoshi, > > On Fri, 21 Jul 2017 at 22:37, Yoshifumi Nishida <nishida@sfc.wide.ad.jp> > wrote: > >> Hi Alan, >> >> On Fri, Jul 21, 2017 at 12:45 AM, Alan Ford <alan.ford@gmail.com> wrote: >> >>> Hi Yoshi, >>> >>> On 20 Jul 2017, at 22:22, Yoshifumi Nishida <nishida@sfc.wide.ad.jp> >>> wrote: >>> >>> On Thu, Jul 20, 2017 at 8:33 AM, Alan Ford <alan.ford@gmail.com> wrote: >>>> >>>> >>>> So the main reason for this was to permit the signalling of backup for >>>> a subflow which was also signalled via ADD_ADDR. ADD_ADDR does not have a >>>> ‘B’ bit in it, so the priority would be signalled separately. >>>> >>> >>> I think adding 'B' bit in ADD_ADDR has been proposed to be added in the >>> bis draft. >>> I have seen a few supports while haven't seen any oppositions. >>> Do we need more discussions on this? >>> >>> >>> Actually on further reflection (i.e. Christoph and Olivier reminding me >>> offline), this would be unnecessary, since MP_JOIN has a ‘B’ bit so it is >>> not required in ADD_ADDR. >>> >>> Given this I can see no reason to have the Address ID in MP_PRIO and >>> feel we can remove it. >>> >>> (The proposal for a bit in ADD_ADDR was, I believe, as a “do not even >>> attempt to establish to this address unless all other subflows fail - which >>> is different to the ‘B’ semantics in MP_PRIO and MP_JOIN) >>> >> >> Yes, I thought it's a valid use case. >> If we remove addr id from MP_PRIO, I think we will always need to >> establish a subflow to make it backup. >> > > That has always been the case - MP_PRIO only affects running subflows. > With Address ID it could have affected policy on subflows that were later > established, but would not affect subflow establishment policy. > > The proposal to signal a break-before-make backup flag has been suggested > but has not received sufficient traction to be adopted. > Right. But, I am wondering if we might want to think about it again just in case. Let's say a server has two address S1, S2 while the client is behind FW. As the client is behind firewall, the server uses ADD_ADDR to send the info for S2, but it want it to be used as a backup. In this case, if MP_PRIO has addr id field, the server is able to set the addr as a backup. But, if MP_PRIO doesn't have addr id, all the server can do is to wait until the client establishes the connection with S2. -- Yoshi
- [multipathtcp] MPTCP backup flag attack via MP_PR… Zhiyun Qian
- Re: [multipathtcp] MPTCP backup flag attack via M… Alan Ford
- Re: [multipathtcp] MPTCP backup flag attack via M… Olivier Bonaventure
- Re: [multipathtcp] MPTCP backup flag attack via M… Christoph Paasch
- Re: [multipathtcp] MPTCP backup flag attack via M… Alan Ford
- Re: [multipathtcp] MPTCP backup flag attack via M… Zhiyun Qian
- Re: [multipathtcp] MPTCP backup flag attack via M… Zhiyun Qian
- Re: [multipathtcp] MPTCP backup flag attack via M… Christoph Paasch
- Re: [multipathtcp] MPTCP backup flag attack via M… Yoshifumi Nishida
- Re: [multipathtcp] MPTCP backup flag attack via M… Alan Ford
- Re: [multipathtcp] MPTCP backup flag attack via M… Yoshifumi Nishida
- Re: [multipathtcp] MPTCP backup flag attack via M… Alan Ford
- Re: [multipathtcp] MPTCP backup flag attack via M… Yoshifumi Nishida
- Re: [multipathtcp] MPTCP backup flag attack via M… Olivier Bonaventure
- Re: [multipathtcp] MPTCP backup flag attack via M… Yoshifumi Nishida