IETF Logo Mail Archive

Re: [multipathtcp] MPTCP backup flag attack via MP_PRIO message

Alan Ford <alan.ford@gmail.com> Thu, 20 July 2017 15:33 UTC

Return-Path: <alan.ford@gmail.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5BFF126CB6 for <multipathtcp@ietfa.amsl.com>; Thu, 20 Jul 2017 08:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KFlEf1SCyaDL for <multipathtcp@ietfa.amsl.com>; Thu, 20 Jul 2017 08:33:36 -0700 (PDT)
Received: from mail-wr0-x243.google.com (mail-wr0-x243.google.com [IPv6:2a00:1450:400c:c0c::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 942DA1252BA for <multipathtcp@ietf.org>; Thu, 20 Jul 2017 08:33:35 -0700 (PDT)
Received: by mail-wr0-x243.google.com with SMTP id o33so3042032wrb.1 for <multipathtcp@ietf.org>; Thu, 20 Jul 2017 08:33:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=q2kfJRN4k5f8WyNZJf8wgfjBAF7Xj5cBcLfRcLaXS4s=; b=kpfzJwT7hUPfZpD4jzmJMdPdgCi/AFaZUjltNTGzyH1XubDuNwtqnPfnd23PY95odZ McuOXTl05zgkgbzlHUMqUMMpIjhymMOFHt1LHWZ1qPITaM9Tqgj5LSWHU+6HCEIsWJqA I/l5QhyBwZWcyH+66L68Q/YM0vF4Nd1GPHSd4LPPeRsyuszCpgH9zhiLE9ytwbBLKBVw yNVHsR51cyqFuwVulBSWx7vZBa+E6tX1W/cr+W8rbnP3XDJhyGQhGA447/6nJ7TVf9rp DQjAYRFknh3023M/xfZepfsppAviHoVQ5DajRy9vaW5djHabgSjxh1Rtl/p1fTqh0/l4 JUOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=q2kfJRN4k5f8WyNZJf8wgfjBAF7Xj5cBcLfRcLaXS4s=; b=jRnr9afzlf3nQcA6wnEHN0aDTMUVjCPk1+qRExubnJhhZ5xuEsSek8wca7EqD5mmte XJP3EZSn6T7ic7wwqMHbbpBRoEnWvVZPY4jIuDTxnC0T52pSF7GevGpUMGWPzyA+ZGMg +W+bndVDx0E0Vjhv6Q4TMUO6mOM46qrMUxMy2PN0v/TJJZvI5NJ6ElzOP8iFXmdWQgqi YZUS05y3WR+BO5P1z0peT1MH1r0G2f5CBZI2tX7HAO9+GrRHDoGeRSWlqQppfriFMUT9 5vENoe+yPVIWet/HOx0EEePvQNWwlg2Z2RbeNzcRMtqtpKCsPNss13k8c7+P+vRWHZM0 I8EA==
X-Gm-Message-State: AIVw111TtupC1cXa4fD7LwyjPGfp2jj2fvw7IxxaWw7ji9ugOC5Frsik H5zn3YKKaOW7ew==
X-Received: by 10.223.154.203 with SMTP id a69mr7379412wrc.139.1500564814185; Thu, 20 Jul 2017 08:33:34 -0700 (PDT)
Received: from dhcp-8374.meeting.ietf.org (dhcp-8374.meeting.ietf.org. [31.133.131.116]) by smtp.gmail.com with ESMTPSA id g83sm2283739wmf.29.2017.07.20.08.33.32 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 20 Jul 2017 08:33:33 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_C3EAD0E2-0E02-492F-8096-30381F6C1ABD"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan Ford <alan.ford@gmail.com>
In-Reply-To: <20170720152058.GJ3049@Chimay.local>
Date: Thu, 20 Jul 2017 16:33:31 +0100
Cc: Olivier Bonaventure <Olivier.Bonaventure@uclouvain.be>, Zhiyun Qian <zhiyunq@cs.ucr.edu>, multipathtcp@ietf.org, Zubair <zubair-shafiq@uiowa.edu>, Franck Le <fle@us.ibm.com>, Alex Liu <alexliu@cse.msu.edu>, Ali Munir <munirali@msu.edu>
Message-Id: <D13C88F7-2CB6-4D84-9FAD-DA10FEE7546C@gmail.com>
References: <800c331f808d608354fc00be24283cb6.squirrel@webmail.cs.ucr.edu> <742E211F-F754-4149-88E2-3BE51645F49D@gmail.com> <c0929925-1b3a-e36c-511d-bda3da312a71@uclouvain.be> <20170720152058.GJ3049@Chimay.local>
To: Christoph Paasch <cpaasch@apple.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/OFxfrfoNzHp6ylK-xIGpwcJ0ARQ>
Subject: Re: [multipathtcp] MPTCP backup flag attack via MP_PRIO message
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 15:33:38 -0000

Comments inline...

> On 20 Jul 2017, at 16:20, Christoph Paasch <cpaasch@apple.com> wrote:
> 
> On 20/07/17 - 17:05:40, Olivier Bonaventure wrote:
>> Alan,
>>> 
>>> Please bear in mind that the goal of MPTCP with respect to security, as discussed in the original architectural design in RFC6182, is to provide a security model no worse than TCP. So whilst this attack would be possible, it can only be done by an on-path attacker, and if succeeded would allow the on-path attacker to intercept all traffic. Which would be the same for a single-path TCP connection on the same path.
>>> 
>>> As a side point, the same kind of attack could be launched via REMOVE_ADDR messages, but this would not succeed since this is specified with some protection - ensuring the subflow is really unavailable through the use of TCP keepalive signals. This same protection cannot be used against the MP_PRIO since the referenced subflow is not unavailable.
>>> 
>>> If the WG considered this risk worth addressing, we could look at adding a nonce + signature to MP_PRIO.
>> 
>> Since the attacker is on path, this does not help if the attacker is on the
>> first path.

That scenario has always been out of scope. If an attacker has observed the initial exchange, all bets are off, and we are only as secure as single-path TCP.

>>> We discuss several solutions in a forthcoming paper [ICNP2017], but a
>>> simple approach to cope with this attack would be to reconsider the
>>> utilisation of the address identifier in the MP_PRIO option. This
>>> option allows a host to set/change the priority of all the subflows
>>> associated to a given address identifier on another subflow. It could
>>> have use cases, such as sending MP_PRIO over a WiFi subflow to put the
>>> cellular subflow in backup mode without sending a packet over the
>>> cellular interface, but this looks like an edge case. Looking at the
>>> attack that we have identified, the working group should evaluate the
>>> removal of the address identifier in rfc6824bis. If the MP_PRIO option
>>> does not include an address identifier, then it becomes impossible for
>>> an attacker who is on-path of a given subflow to change the priority
>>> of the other subflows.
>> 
>> Remove the address identifier from the MP_PRIO seems a safe solution to me.
>> I do not see a benefit in sending MP_PRIO on another subflow than the one
>> that you want to affect.
> 
> +1
> 
> As far as I know, there is no implementation that relies on the address-ID
> in the MP_PRIO to signal the priorities.

So the main reason for this was to permit the signalling of backup for a subflow which was also signalled via ADD_ADDR. ADD_ADDR does not have a ‘B’ bit in it, so the priority would be signalled separately.

We could add the prio bit to ADD_ADDR to resolve this issue. However, this limits extensibility in MP_PRIO e.g. with other signals which have been suggested in the past ("backup but do not open”, use for differing traffic types, etc).

Regards,
Alan

v2.23.0 | Report a Bug | By Email