Re: [multipathtcp] Stephen Farrell's No Objection on draft-ietf-mptcp-experience-06: (with COMMENT)

<philip.eardley@bt.com> Mon, 03 October 2016 15:36 UTC

Return-Path: <philip.eardley@bt.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 763D012961A; Mon, 3 Oct 2016 08:36:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.598
X-Spam-Level:
X-Spam-Status: No, score=-5.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dm-XaZwjtxIY; Mon, 3 Oct 2016 08:36:07 -0700 (PDT)
Received: from smtpb1.bt.com (smtpb1.bt.com [62.7.242.142]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E87E4129619; Mon, 3 Oct 2016 08:36:06 -0700 (PDT)
Received: from EPDAG01D-UKBR.domain1.systemhost.net (193.113.197.205) by EVMED06-UKBR.bt.com (10.216.161.38) with Microsoft SMTP Server (TLS) id 14.3.195.1; Mon, 3 Oct 2016 16:36:00 +0100
Received: from rew09926dag03d.domain1.systemhost.net (10.55.202.30) by EPDAG01D-UKBR.domain1.systemhost.net (193.113.197.205) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 3 Oct 2016 16:36:04 +0100
Received: from rew09926dag03b.domain1.systemhost.net (10.55.202.22) by rew09926dag03d.domain1.systemhost.net (10.55.202.30) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 3 Oct 2016 16:36:03 +0100
Received: from rew09926dag03b.domain1.systemhost.net ([fe80::d514:fe50:560c:401e]) by rew09926dag03b.domain1.systemhost.net ([fe80::d514:fe50:560c:401e%12]) with mapi id 15.00.1210.000; Mon, 3 Oct 2016 16:36:03 +0100
From: <philip.eardley@bt.com>
To: <Olivier.Bonaventure@uclouvain.be>, <stephen.farrell@cs.tcd.ie>, <iesg@ietf.org>
Thread-Topic: Stephen Farrell's No Objection on draft-ietf-mptcp-experience-06: (with COMMENT)
Thread-Index: AQHSDnVeLFmf7BtYTEuNTABv8gHXGaB5GBOAgAAIHACAABREAIAdxE5A
Date: Mon, 3 Oct 2016 15:36:03 +0000
Message-ID: <2c171f734083442db9cc60695de9767d@rew09926dag03b.domain1.systemhost.net>
References: <147385003530.1966.83385935910172454.idtracker@ietfa.amsl.com> <d8376f59-1fc5-7ba8-8223-e47dd0518381@uclouvain.be> <6847d79e-d40d-3e8f-1800-5a2beeb3a53f@cs.tcd.ie> <c2f7cc19-98cd-3b83-3114-8da4d9027fce@uclouvain.be>
In-Reply-To: <c2f7cc19-98cd-3b83-3114-8da4d9027fce@uclouvain.be>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.202.243]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/jH-I6cy8IezOE9yx-clSIJ1urrs>
Cc: multipathtcp@ietf.org, draft-ietf-mptcp-experience@ietf.org, mptcp-chairs@ietf.org
Subject: Re: [multipathtcp] Stephen Farrell's No Objection on draft-ietf-mptcp-experience-06: (with COMMENT)
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Oct 2016 15:36:10 -0000

I didn’t see any more emails in this thread. Stephen, are you happy with the proposed text? 

The proposed text works for me and I think is an interesting point to add - but I'm not sure it directly answers your point (I guess the answer is something like 'No information about MPTCP-tailored attacks' or 'no information that can be shared')

Olivier & authors - is it possible to do a new version of the document please - I think the Discuss and the other comments are quite easy to resolve, and it would be good to publish the document (finally!)

Thanks!
phil


-----Original Message-----
From: Olivier Bonaventure [mailto:Olivier.Bonaventure@uclouvain.be] 
Sent: 14 September 2016 18:55
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>;; The IESG <iesg@ietf.org>;
Cc: multipathtcp@ietf.org; draft-ietf-mptcp-experience@ietf.org; mptcp-chairs@ietf.org; Eardley,PL,Philip,TUB8 R <philip.eardley@bt.com>;
Subject: Re: Stephen Farrell's No Objection on draft-ietf-mptcp-experience-06: (with COMMENT)

Hello,

>>
>> Another point is the impact of MPTCP on existing IDS, firewalls and 
>> other types middleboxes that could only see a portion of the traffic.
>> There have been blackhat presentations on this, e.g.
>>
>> https://www.blackhat.com/docs/us-14/materials/us-14-Pearce-Multipath-
>> TCP-Breaking-Todays-Networks-With-Tomorrows-Protocols.pdf
>>
>>
>> I haven't seen deployment of those attacks, but could extend section 
>> 3.5 or discuss this in a bit more details if you think that this 
>> would be useful.
>
> If such text would be considered useful in the RFC, then I'd be for 
> it. I'm happy that the AD/chairs/editors and WG figure that out. I'm 
> equally happy to review if someone proposes text.

Here is a proposed text

5.  Security Considerations

    The security considerations for Multipath TCP have already been
    documented in [RFC6181], [RFC6182], [RFC6824] and [RFC7430].

    From a security viewpoint, it is important to note that Multipath
    TCP, like other multipath solutions such as SCTP, has the ability to
    send packets belonging to a single connection over different paths.
    This design feature of Multipath TCP implies that middleboxes that
    have been deployed on-path assuming that they would observe all the
    packets exchanged for a given connection in both directions may not
    function correctly anymore.  A typical example are firewalls, IDS or
    DPIs deployed in enterprise networks.  Those devices expect to
    observe all the packets from all TCP connections.  With Multipath
    TCP, those middleboxes may not observe anymore all packets since some
    of them may follow a different path.  The two examples below
    illustrate typical deployments of such middleboxes.  The first
    example, Figure 8, shows a Multipath TCP enabled smartphone attached
    to both an enterprise and a cellular network.  If a Multipath TCP
    connection is established by the smartphone towards a server, some of
    the packets sent by the smartphone or the server may be transmitted
    over the cellular network and thus be invisible for the enterprise
    middlebox.

      smartphone +----- entreprise net --- MBox----+------ server
                 |                                 |
                 +----- cellular net  -------------+


       Figure 8: Enteprise Middlebox may not observe all packets from
                               multihomed host

    The second example, Figure 9, shows a possible issue when multiple
    middleboxes are deployed inside a network.  For simplicity, we assume
    that network1 is the default IPv4 path while network2 is the default
    IPv6 path.  A similar issue could occur with per-flow load balancing
    such as ECMP [RFC2992].  With regular TCP, all packets from each
    connection would either pass through Mbox1 or Mbox2.  With Multipath
    TCP, the client can easily establish a subflow over network1 and
    another over network2 and each middlebox would only observe a part of
    the traffic of the end-to-end Multipath TCP connection.

      client ----R-- network1  --- MBox1 -----R------------- server
                 |                            |
                 +-- network2  --- MBox2 -----+


         Figure 9: Interactions between load balancing and security
                                 Middleboxes

    In these two cases, it is possible for an attacker to evade some
    security measures operating on the TCP bytestream and implemented on
    the middleboxes by controlling the bytes that are actually sent over
    each subflow and there are tools that ease those kinds of evasion
    [PZ15] [PT14].  This is not a security issue for Multipath TCP itself
    since Multipath TCP behaves correctly.  However, this demonstrates
    the difficulty of enforcing security policies by relying only on on-
    path middleboxes instead of enforcing them directly on the endpoints.

Olivier