[multipathtcp] Comments on threats draft
"McDonald, Andrew" <andrew.mcdonald@roke.co.uk> Tue, 21 September 2010 11:07 UTC
Return-Path: <prvs=688030d37e=andrew.mcdonald@roke.co.uk>
X-Original-To: multipathtcp@core3.amsl.com
Delivered-To: multipathtcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D0A593A69AC for <multipathtcp@core3.amsl.com>; Tue, 21 Sep 2010 04:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAHvuE-bHXrg for <multipathtcp@core3.amsl.com>; Tue, 21 Sep 2010 04:07:05 -0700 (PDT)
Received: from ixe-mta-29.emailfiltering.com (ixe-mta-29-tx.emailfiltering.com [194.116.199.160]) by core3.amsl.com (Postfix) with ESMTP id 65CA83A69A2 for <multipathtcp@ietf.org>; Tue, 21 Sep 2010 04:07:04 -0700 (PDT)
Received: from salt-ext.roke.co.uk ([109.207.29.2]) by ixe-mta-29.emailfiltering.com with emfmta (version 4.6.0.72) vanilla id 167224310 for marcelo@it.uc3m.es; bb73739f65370865; Tue, 21 Sep 2010 12:07:27 +0100
Received: from [192.168.198.126] ([192.168.198.126]) by rsys005a.comm.ad.roke.co.uk with Microsoft SMTPSVC(6.0.3790.1830); Tue, 21 Sep 2010 12:01:55 +0100
Message-ID: <4C9890A3.3040403@roke.co.uk>
Date: Tue, 21 Sep 2010 12:01:55 +0100
From: "McDonald, Andrew" <andrew.mcdonald@roke.co.uk>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.9) Gecko/20100915 Lightning/1.0b2 Thunderbird/3.1.4
MIME-Version: 1.0
To: marcelo@it.uc3m.es
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 21 Sep 2010 11:01:55.0680 (UTC) FILETIME=[67761600:01CB597C]
Cc: multipathtcp@ietf.org
Subject: [multipathtcp] Comments on threats draft
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/multipathtcp>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Sep 2010 11:07:06 -0000
Hi Marcelo (& all),
I've been reading the MPTCP Threat Analysis draft
(draft-ietf-mptcp-threat-02), and wanted to provide some feedback/comments.
Sections 5 and 6 provide a nice, detailed work through of the key
problem scenarios faced by MPTCP.
One problem that is not currently mentioned, but has been discussed
recently on the list, is SYN flooding and the need to support
countermeasures for this (e.g. SYN cookies). In the context of MPTCP it
is relevant to note that this applies primarily to the initial handshake
- for subsequent 'join' handshakes the receiving end will already have
the relevant connection state if the SYN is valid (assuming appropriate
identifiers in the SYN), and so can reject the connection if this state
does not exist.
The draft currently steps straight from discussion of attacks to
recommendations on solutions. I think it would be helpful to insert a
summary of security requirements before this. This would, hopefully,
provide a checklist against which we could evaluate the security
solutions being proposed.
A suggestion for this section would be:
--x--x--
Security Requirements
From the analysis of threats, we can identify some key requirements for
the security components of MPTCP:
1) Verify that the address received in requests to add/remove a subflow
belongs to the other endpoint.
(This is primarily motivated by the flooding attacks described in
section 5.)
2) Verify that requests to add/remove a subflow genuinely come from the
other endpoint.
(This is primarily motivated by the hijacking attacks described in
section 6.1.)
3) Verify that a request to add/remove a subflow is 'fresh', i.e., it
has not been time-shifted/replayed.
(This is primarily motivated by the time-shifting attacks described
in section 6.2.)
Further goals should also be considered:
1) A man-in-the-middle should only be able to masquerade as a valid
endpoint if he has witnessed the entire initial handshake. Preferably
demonstration of knowledge of the 'current state' of the connection
should also be required.
(This is based on the desire, from section 6.1, to avoid off-path
attackers whilst supporting the use of NATs, as discussed in section
6.3, and aiming for an 'at least as good as standard TCP' level of
security where knowledge of endpoint addresses/ports and current
sequence numbers are required to hijack a connection.)
2) Future enhancement of the security solution should be supported. At a
minimum this should include support for algorithm agility for any cases
where cryptographic functions are used.
--x--x--
I'm also not totally sure about the placement of the current section 6.3
on NAT considerations. I'd suggest pulling this out as a subsection of a
new section entitled something like "Solution Constraints". NAT would be
one item under this, with others being the requirement for low data
overhead on TCP handshake messages (because of restrictions space in TCP
options) and the need for low computation overhead (particular at the
SYN-received stage, before the handshake is complete, to avoid high
computational requirements during high workloads).
In this section, it might also be worth noting the desire to support the
'break-before-make' scenario for adding subflows, since this also places
significant constraints on what a security solution might look like.
Best regards,
Andrew
- [multipathtcp] Comments on threats draft McDonald, Andrew
- Re: [multipathtcp] Comments on threats draft marcelo bagnulo braun