IETF Logo Mail Archive

Re: [multipathtcp] MPTCP backup flag attack via MP_PRIO message

Zhiyun Qian <zhiyunq@cs.ucr.edu> Thu, 20 July 2017 15:53 UTC

Return-Path: <qzy888@gmail.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5870A1252BA for <multipathtcp@ietfa.amsl.com>; Thu, 20 Jul 2017 08:53:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.45
X-Spam-Level:
X-Spam-Status: No, score=-1.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PUE5pk-6qLNP for <multipathtcp@ietfa.amsl.com>; Thu, 20 Jul 2017 08:53:13 -0700 (PDT)
Received: from mail-ua0-x22b.google.com (mail-ua0-x22b.google.com [IPv6:2607:f8b0:400c:c08::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C28EC12F268 for <multipathtcp@ietf.org>; Thu, 20 Jul 2017 08:53:12 -0700 (PDT)
Received: by mail-ua0-x22b.google.com with SMTP id 80so26394530uas.0 for <multipathtcp@ietf.org>; Thu, 20 Jul 2017 08:53:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=XV/a+LcZVy4lVITbzgZlK2/jm8OsYFjnBDf90BdSjio=; b=ROlS2YEFoA3JSNIf/rCTrk2pZuVN3oxHiHkY+0Ee8Qdsw1Vn/AJorwQlhIqAYH7pgj Eo/RSZF0RDbZ2B3KKINTnrZaJ81AIhU61xUTG4I8eZuw8ej0c3wLTkJN1NJAzkc2QqSi Pch/uBtwGfxt/RJuFQRT2ZvhZiZ0KssLs3fWYZ/SlcIXY4C7c+BFS/m9gGSp+3UsQLZC dxkRfska/yXKuZ8fmGF/LDjyeGFZFFC5bbFncU4mH5fS/Brl77enZzCQ2O7/NZzEhZFY 0TQ5PJzkk49vTBWq72EoDDdEvDzE1nMKxrE2Nu19FFIu7QDfSLich7N9JxBf+7R5mLdp QV7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=XV/a+LcZVy4lVITbzgZlK2/jm8OsYFjnBDf90BdSjio=; b=dAgeVjOhRg4QpQVppl6ZgBsmtdpNM2fURMRUV7Zj03Wi0SE+1/LGm3uaT/niS2qoTb VyCsJqtX+TqCwD+IEDogqt2AIsCEImpeGZxmqFABtMzfsOyPnGarOgxo4czI/Y8qPixl ShZ7W3G+Mf1tdkiEZ5TnyMEOSpTg8qcw9ghHXTVCP+Rku/vkEhamNDamYersl9Tfv40E RVwrPD8/UYjytRXp3c7H7S2Hkj+j71zzhh9bw9xBJCI12HesLy4++Xa/qkqN/qXot9L1 nReokaA2AnTtyKLD5j4g9Ff6IWkTwtB7xG8OiH5hr+g2ln3oDlonKkKnyabn7m+CO84j KLZg==
X-Gm-Message-State: AIVw112HnJ3KJzjp84XxSlgvCNyDSkVFryOHgSNqpqZnIYWh7HYxBdqy t/e8H4YWKH9A9wED1alK34ATU4BmRA==
X-Received: by 10.31.159.201 with SMTP id i192mr2128227vke.116.1500565991611; Thu, 20 Jul 2017 08:53:11 -0700 (PDT)
MIME-Version: 1.0
Sender: qzy888@gmail.com
Received: by 10.103.149.65 with HTTP; Thu, 20 Jul 2017 08:53:10 -0700 (PDT)
In-Reply-To: <742E211F-F754-4149-88E2-3BE51645F49D@gmail.com>
References: <800c331f808d608354fc00be24283cb6.squirrel@webmail.cs.ucr.edu> <742E211F-F754-4149-88E2-3BE51645F49D@gmail.com>
From: Zhiyun Qian <zhiyunq@cs.ucr.edu>
Date: Thu, 20 Jul 2017 08:53:10 -0700
X-Google-Sender-Auth: ZQ1UGRocIxMLbijhaOmuRoXnAlo
Message-ID: <CALvgte9jR=qNqRpStTC4geG4WSxEitwSN2X+Y5pb7jdejQW4PQ@mail.gmail.com>
To: Alan Ford <alan.ford@gmail.com>
Cc: multipathtcp@ietf.org, Zubair <zubair-shafiq@uiowa.edu>, Franck Le <fle@us.ibm.com>, Alex Liu <alexliu@cse.msu.edu>, Ali Munir <munirali@msu.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/VjAHB4uv26ZUl84zCHxqK8D_HTI>
Subject: Re: [multipathtcp] MPTCP backup flag attack via MP_PRIO message
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 15:53:14 -0000

Hi Alan,

I'd argue this vulnerability does make MPTCP worse than TCP in the
sense of increased risk or attack surface:

The key problem is that this vulnerability allows an attacker on *any*
path to direct all traffic in other paths to the path it sits on. In
contrast, for TCP the attacker has to sit on *a specific* path to be
able to observe and control all traffic.

-Zhiyun


On Thu, Jul 20, 2017 at 8:00 AM, Alan Ford <alan.ford@gmail.com> wrote:
> Hi Zhiyun,
>
> Please bear in mind that the goal of MPTCP with respect to security, as discussed in the original architectural design in RFC6182, is to provide a security model no worse than TCP. So whilst this attack would be possible, it can only be done by an on-path attacker, and if succeeded would allow the on-path attacker to intercept all traffic. Which would be the same for a single-path TCP connection on the same path.
>
> As a side point, the same kind of attack could be launched via REMOVE_ADDR messages, but this would not succeed since this is specified with some protection - ensuring the subflow is really unavailable through the use of TCP keepalive signals. This same protection cannot be used against the MP_PRIO since the referenced subflow is not unavailable.
>
> If the WG considered this risk worth addressing, we could look at adding a nonce + signature to MP_PRIO.
>
> Regards,
> Alan
>
>> On 20 Jul 2017, at 08:28, Zhiyun Qian <zhiyunq@cs.ucr.edu> wrote:
>>
>> Dear all,
>>
>> We are a group of researchers (cc:ed on the email) who recently
>> discovered a security flaw in the MP_PRIO messge that allows a
>> man-in-the-middle attacker on a single path to divert all traffic to
>> its own path, effectively hijacking the entire MPTCP connection. Below
>> we describe the problem in brief (more details will be found in our
>> upcoming ICNP paper. We also hope to submit an Internet draft soon).
>> We thank Olivier Bonaventure for his valuable feedback.
>>
>> ---------------------------------------------------------------
>>
>> MPTCP supports using sub-connections as backup – i.e., using a
>> sub-connection to send data only if there is no other sub-connection
>> available. Specifically, an MPTCP host can send a request to the other
>> host to set any sub-connection as a backup by using the MPTCP MP_PRIO
>> option. Hosts can request change in the priority to use a
>> subconnection as regular or backup.  To set a sub-connection as
>> backup, a host can request a change in the sub-connection priority by
>> sending MPTCP MP_PRIO option to the other host with the corresponding
>> address identifier. The key property of MP_PRIO messages is that they
>> can be sent on any sub-connection. The reason is that if a
>> sub-connection is already congested, it may not be possible to deliver
>> the message to pause itself. After receiving such a control packet,
>> the sender will stop sending data and the corresponding
>> sub-connection’s throughput will drop to zero.
>>
>> Unfortunately, unlike MP_JOIN, such a MP_PRIO option has no
>> authentication required by the specification whatsoever, allowing an
>> attacker controlling only one path to set any sub-connection as backup
>> and launch traffic divergence and connection hijack attacks. The
>> backup flag vulnerability allows an attacker to divert traffic among
>> MPTCP sub-connections. An attacker can offload traffic from the
>> eavesdropped sub-connection to other MPTCP sub-connections by sending
>> forged packets with the MP_PRIO option to set the eavesdropped
>> sub-connection as a backup. An attacker can also onload traffic from
>> non-eavesdropped sub-connections to the eavesdropped sub-connection by
>> sending forged packets with the MP_PRIO option to set all other
>> sub-connections as backup. This attack is similar to connection hijack
>> attack, where an attacker diverts all the traffic to pass through the
>> sub-connection on the eavesdropped path.
>>
>>
>> Connection Hijack Example:
>>
>> Consider a scenario where two sub-connections of an MPTCP connection
>> pass through paths p1 and p2. An attacker can hijack the
>> non-eavesdropped subconnection on p2 by dynamically changing the
>> priority of a sub-connection and declaring it as backup.
>>
>> To launch this attack an attacker only needs to know the address
>> identifier of the host , which can be obtained by eavesdropping other
>> paths or easily guessed as they are set incrementally in current Linux
>> implementation of MPTCP. Since the identifier has only 8 bits, it can
>> even be brute forced. To set a non-eavesdropped sub-connection as
>> backup between hosts A and B, an attacker can request a change in the
>> sub-connection priority by sending MPTCP MP_PRIO option to host B with
>> the address identifier of host A. Since by design the MP_PRIO messages
>> can be sent on any sub-connection, the attacker eavesdropping on any
>> path capable of sending such a forged backup message can pause any
>> other path. Note that a backup MPTCP sub-connection may still be used
>> for data transmission later, which can be detected by the attacker by
>> observing the overall MPTCP throughput.
>>
>> Effectively, this attack degrades an MPTCP connection to a regular TCP
>> connection as all traffic will be routed through the
>> attacker-controlled path. We argue that this vulnerability makes MPTCP
>> less secure than TCP, because the entire MPTCP connection can be
>> compromised (fully controlled by an attacker) as long as any one of
>> the communication paths is compromised. Unfortunately, MPTCP
>> specification does not include any authentication mechanism whatsoever
>> regarding the MP_PRIO message.
>>
>> We discuss several solutions in a forthcoming paper [ICNP2017], but a
>> simple approach to cope with this attack would be to reconsider the
>> utilisation of the address identifier in the MP_PRIO option. This
>> option allows a host to set/change the priority of all the subflows
>> associated to a given address identifier on another subflow. It could
>> have use cases, such as sending MP_PRIO over a WiFi subflow to put the
>> cellular subflow in backup mode without sending a packet over the
>> cellular interface, but this looks like an edge case. Looking at the
>> attack that we have identified, the working group should evaluate the
>> removal of the address identifier in rfc6824bis. If the MP_PRIO option
>> does not include an address identifier, then it becomes impossible for
>> an attacker who is on-path of a given subflow to change the priority
>> of the other subflows.
>>
>> Best,
>> -Zhiyun
>>
>> _______________________________________________
>> multipathtcp mailing list
>> multipathtcp@ietf.org
>> https://www.ietf.org/mailman/listinfo/multipathtcp
>

v2.23.0 | Report a Bug | By Email