Re: [multipathtcp] Stephen Farrell's No Objection on draft-ietf-mptcp-experience-06: (with COMMENT)
<philip.eardley@bt.com> Mon, 03 October 2016 15:36 UTC
Return-Path: <philip.eardley@bt.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 763D012961A; Mon, 3 Oct 2016 08:36:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.598
X-Spam-Level:
X-Spam-Status: No, score=-5.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dm-XaZwjtxIY; Mon, 3 Oct 2016 08:36:07 -0700 (PDT)
Received: from smtpb1.bt.com (smtpb1.bt.com [62.7.242.142]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E87E4129619; Mon, 3 Oct 2016 08:36:06 -0700 (PDT)
Received: from EPDAG01D-UKBR.domain1.systemhost.net (193.113.197.205) by EVMED06-UKBR.bt.com (10.216.161.38) with Microsoft SMTP Server (TLS) id 14.3.195.1; Mon, 3 Oct 2016 16:36:00 +0100
Received: from rew09926dag03d.domain1.systemhost.net (10.55.202.30) by EPDAG01D-UKBR.domain1.systemhost.net (193.113.197.205) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 3 Oct 2016 16:36:04 +0100
Received: from rew09926dag03b.domain1.systemhost.net (10.55.202.22) by rew09926dag03d.domain1.systemhost.net (10.55.202.30) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 3 Oct 2016 16:36:03 +0100
Received: from rew09926dag03b.domain1.systemhost.net ([fe80::d514:fe50:560c:401e]) by rew09926dag03b.domain1.systemhost.net ([fe80::d514:fe50:560c:401e%12]) with mapi id 15.00.1210.000; Mon, 3 Oct 2016 16:36:03 +0100
From: philip.eardley@bt.com
To: Olivier.Bonaventure@uclouvain.be, stephen.farrell@cs.tcd.ie, iesg@ietf.org
Thread-Topic: Stephen Farrell's No Objection on draft-ietf-mptcp-experience-06: (with COMMENT)
Thread-Index: AQHSDnVeLFmf7BtYTEuNTABv8gHXGaB5GBOAgAAIHACAABREAIAdxE5A
Date: Mon, 03 Oct 2016 15:36:03 +0000
Message-ID: <2c171f734083442db9cc60695de9767d@rew09926dag03b.domain1.systemhost.net>
References: <147385003530.1966.83385935910172454.idtracker@ietfa.amsl.com> <d8376f59-1fc5-7ba8-8223-e47dd0518381@uclouvain.be> <6847d79e-d40d-3e8f-1800-5a2beeb3a53f@cs.tcd.ie> <c2f7cc19-98cd-3b83-3114-8da4d9027fce@uclouvain.be>
In-Reply-To: <c2f7cc19-98cd-3b83-3114-8da4d9027fce@uclouvain.be>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.202.243]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/jH-I6cy8IezOE9yx-clSIJ1urrs>
Cc: multipathtcp@ietf.org, draft-ietf-mptcp-experience@ietf.org, mptcp-chairs@ietf.org
Subject: Re: [multipathtcp] Stephen Farrell's No Objection on draft-ietf-mptcp-experience-06: (with COMMENT)
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Oct 2016 15:36:10 -0000
I didn’t see any more emails in this thread. Stephen, are you happy with the proposed text? The proposed text works for me and I think is an interesting point to add - but I'm not sure it directly answers your point (I guess the answer is something like 'No information about MPTCP-tailored attacks' or 'no information that can be shared') Olivier & authors - is it possible to do a new version of the document please - I think the Discuss and the other comments are quite easy to resolve, and it would be good to publish the document (finally!) Thanks! phil -----Original Message----- From: Olivier Bonaventure [mailto:Olivier.Bonaventure@uclouvain.be] Sent: 14 September 2016 18:55 To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; The IESG <iesg@ietf.org> Cc: multipathtcp@ietf.org; draft-ietf-mptcp-experience@ietf.org; mptcp-chairs@ietf.org; Eardley,PL,Philip,TUB8 R <philip.eardley@bt.com> Subject: Re: Stephen Farrell's No Objection on draft-ietf-mptcp-experience-06: (with COMMENT) Hello, >> >> Another point is the impact of MPTCP on existing IDS, firewalls and >> other types middleboxes that could only see a portion of the traffic. >> There have been blackhat presentations on this, e.g. >> >> https://www.blackhat.com/docs/us-14/materials/us-14-Pearce-Multipath- >> TCP-Breaking-Todays-Networks-With-Tomorrows-Protocols.pdf >> >> >> I haven't seen deployment of those attacks, but could extend section >> 3.5 or discuss this in a bit more details if you think that this >> would be useful. > > If such text would be considered useful in the RFC, then I'd be for > it. I'm happy that the AD/chairs/editors and WG figure that out. I'm > equally happy to review if someone proposes text. Here is a proposed text 5. Security Considerations The security considerations for Multipath TCP have already been documented in [RFC6181], [RFC6182], [RFC6824] and [RFC7430]. From a security viewpoint, it is important to note that Multipath TCP, like other multipath solutions such as SCTP, has the ability to send packets belonging to a single connection over different paths. This design feature of Multipath TCP implies that middleboxes that have been deployed on-path assuming that they would observe all the packets exchanged for a given connection in both directions may not function correctly anymore. A typical example are firewalls, IDS or DPIs deployed in enterprise networks. Those devices expect to observe all the packets from all TCP connections. With Multipath TCP, those middleboxes may not observe anymore all packets since some of them may follow a different path. The two examples below illustrate typical deployments of such middleboxes. The first example, Figure 8, shows a Multipath TCP enabled smartphone attached to both an enterprise and a cellular network. If a Multipath TCP connection is established by the smartphone towards a server, some of the packets sent by the smartphone or the server may be transmitted over the cellular network and thus be invisible for the enterprise middlebox. smartphone +----- entreprise net --- MBox----+------ server | | +----- cellular net -------------+ Figure 8: Enteprise Middlebox may not observe all packets from multihomed host The second example, Figure 9, shows a possible issue when multiple middleboxes are deployed inside a network. For simplicity, we assume that network1 is the default IPv4 path while network2 is the default IPv6 path. A similar issue could occur with per-flow load balancing such as ECMP [RFC2992]. With regular TCP, all packets from each connection would either pass through Mbox1 or Mbox2. With Multipath TCP, the client can easily establish a subflow over network1 and another over network2 and each middlebox would only observe a part of the traffic of the end-to-end Multipath TCP connection. client ----R-- network1 --- MBox1 -----R------------- server | | +-- network2 --- MBox2 -----+ Figure 9: Interactions between load balancing and security Middleboxes In these two cases, it is possible for an attacker to evade some security measures operating on the TCP bytestream and implemented on the middleboxes by controlling the bytes that are actually sent over each subflow and there are tools that ease those kinds of evasion [PZ15] [PT14]. This is not a security issue for Multipath TCP itself since Multipath TCP behaves correctly. However, this demonstrates the difficulty of enforcing security policies by relying only on on- path middleboxes instead of enforcing them directly on the endpoints. Olivier
- [multipathtcp] Stephen Farrell's No Objection on … Stephen Farrell
- Re: [multipathtcp] Stephen Farrell's No Objection… Mirja Kühlewind
- Re: [multipathtcp] Stephen Farrell's No Objection… Stephen Farrell
- Re: [multipathtcp] Stephen Farrell's No Objection… Mirja Kühlewind
- Re: [multipathtcp] Stephen Farrell's No Objection… Olivier Bonaventure
- Re: [multipathtcp] Stephen Farrell's No Objection… Anna Brunstrom
- Re: [multipathtcp] Stephen Farrell's No Objection… Stephen Farrell
- Re: [multipathtcp] Stephen Farrell's No Objection… Olivier Bonaventure
- Re: [multipathtcp] Stephen Farrell's No Objection… philip.eardley
- Re: [multipathtcp] Stephen Farrell's No Objection… Stephen Farrell
- Re: [multipathtcp] Stephen Farrell's No Objection… Olivier Bonaventure