Re: [multipathtcp] Comments on threats draft

marcelo bagnulo braun <marcelo@it.uc3m.es> Fri, 01 October 2010 14:32 UTC

Return-Path: <marcelo@it.uc3m.es>
X-Original-To: multipathtcp@core3.amsl.com
Delivered-To: multipathtcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E1B113A6F40 for <multipathtcp@core3.amsl.com>; Fri, 1 Oct 2010 07:32:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.467
X-Spam-Level:
X-Spam-Status: No, score=-106.467 tagged_above=-999 required=5 tests=[AWL=0.132, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FDYkygrwiXl2 for <multipathtcp@core3.amsl.com>; Fri, 1 Oct 2010 07:31:54 -0700 (PDT)
Received: from smtp01.uc3m.es (smtp01.uc3m.es [163.117.176.131]) by core3.amsl.com (Postfix) with ESMTP id C1E403A6F36 for <multipathtcp@ietf.org>; Fri, 1 Oct 2010 07:30:19 -0700 (PDT)
X-uc3m-safe: yes
Received: from marcelo-bagnulos-macbook-pro.local (wlap005.it.uc3m.es [163.117.139.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp01.uc3m.es (Postfix) with ESMTP id 74525BEF8AA; Fri, 1 Oct 2010 16:31:02 +0200 (CEST)
Message-ID: <4CA5F0A6.8010704@it.uc3m.es>
Date: Fri, 01 Oct 2010 16:31:02 +0200
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; es-ES; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: "McDonald, Andrew" <andrew.mcdonald@roke.co.uk>
References: <4C9890A3.3040403@roke.co.uk>
In-Reply-To: <4C9890A3.3040403@roke.co.uk>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-TM-AS-Product-Ver: IMSS-7.0.0.3116-6.0.0.1038-17676.007
Cc: multipathtcp@ietf.org
Subject: Re: [multipathtcp] Comments on threats draft
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/multipathtcp>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 14:35:01 -0000

  Hi Andrew,

sorry for the delay and thanks for the comments

replies below

El 21/09/10 13:01, McDonald, Andrew escribió:
> Hi Marcelo (& all),
>
> I've been reading the MPTCP Threat Analysis draft 
> (draft-ietf-mptcp-threat-02), and wanted to provide some 
> feedback/comments.
>
> Sections 5 and 6 provide a nice, detailed work through of the key 
> problem scenarios faced by MPTCP.
>
> One problem that is not currently mentioned, but has been discussed 
> recently on the list, is SYN flooding and the need to support 
> countermeasures for this (e.g. SYN cookies). In the context of MPTCP 
> it is relevant to note that this applies primarily to the initial 
> handshake - for subsequent 'join' handshakes the receiving end will 
> already have the relevant connection state if the SYN is valid 
> (assuming appropriate identifiers in the SYN), and so can reject the 
> connection if this state does not exist.

the thing here is why this is different from the normal TCP case?
I mean, the goal of the draft is to identify threats introduced by MPTCP 
(compared to TCP) and i am not sure this is the case.
>
> The draft currently steps straight from discussion of attacks to 
> recommendations on solutions. I think it would be helpful to insert a 
> summary of security requirements before this. This would, hopefully, 
> provide a checklist against which we could evaluate the security 
> solutions being proposed.
>
> A suggestion for this section would be:
>
> --x--x--
>
> Security Requirements
>
> From the analysis of threats, we can identify some key requirements 
> for the security components of MPTCP:
> 1) Verify that the address received in requests to add/remove a 
> subflow belongs to the other endpoint.
mmm, actually, if you manage achieve this first requirement, then you 
are done!
the problem is that this is very hard to do, so we usually go for less 
ambitious goal.
Actually, to prevent hijacking we aim for a goal that would be something 
like: Make sure that the additional addresses are added by the same 
party that you initially established the communication with

>    (This is primarily motivated by the flooding attacks described in 
> section 5.)
> 2) Verify that requests to add/remove a subflow genuinely come from 
> the other endpoint.
well, the flooding attacks are more about "making sure that the guy 
receiving the traffic actually wants it)

>    (This is primarily motivated by the hijacking attacks described in 
> section 6.1.)
> 3) Verify that a request to add/remove a subflow is 'fresh', i.e., it 
> has not been time-shifted/replayed.
>    (This is primarily motivated by the time-shifting attacks described 
> in section 6.2.)
>


well, actually, this is not really a time shofted attack, but a reply 
attack, right?

actually, we are reccomending a solution that is vulnerable to time 
shifted attacks, so i am not sure we should require time shofted attack 
protection.
> Further goals should also be considered:
> 1) A man-in-the-middle should only be able to masquerade as a valid 
> endpoint if he has witnessed the entire initial handshake. Preferably 
> demonstration of knowledge of the 'current state' of the connection 
> should also be required.
again, this is contradictory with the requirement of preveting time 
shifted attacks

>    (This is based on the desire, from section 6.1, to avoid off-path 
> attackers whilst supporting the use of NATs, as discussed in section 
> 6.3, and aiming for an 'at least as good as standard TCP' level of 
> security where knowledge of endpoint addresses/ports and current 
> sequence numbers are required to hijack a connection.)
> 2) Future enhancement of the security solution should be supported. At 
> a minimum this should include support for algorithm agility for any 
> cases where cryptographic functions are used.
>

this is stated in the reccomendations.

My main problem with defining requirements is that they are very hard to 
phrase properly. This is not a requirements document but a threat 
analysis, which is food for thought when designing a solution. Agreeing 
in threats is way much easier than agreeing in requirements. I would not 
extend the scope of this document ot requirements, since we are not 
chartered to do so.

> --x--x--
>
> I'm also not totally sure about the placement of the current section 
> 6.3 on NAT considerations. I'd suggest pulling this out as a 
> subsection of a new section entitled something like "Solution 
> Constraints". NAT would be one item under this, with others being the 
> requirement for low data overhead on TCP handshake messages (because 
> of restrictions space in TCP options) 

but this doesn't really apply. I mean we could send public jeysin the 
payload, nothing prevents us from doing that.

> and the need for low computation overhead (particular at the 
> SYN-received stage, before the handshake is complete, to avoid high 
> computational requirements during high workloads).
imho this is a rat-hole. stating that some forms of crypto are heavy 
have proven to be a rat-hole many times before, so i would rather stay 
away from that, if we can.

Regards, marcelo

>
> In this section, it might also be worth noting the desire to support 
> the 'break-before-make' scenario for adding subflows, since this also 
> places significant constraints on what a security solution might look 
> like.
>
> Best regards,
>
> Andrew
>