[multipathtcp] Comments on threats draft
"McDonald, Andrew" <andrew.mcdonald@roke.co.uk> Tue, 21 September 2010 11:07 UTC
Return-Path: <prvs=688030d37e=andrew.mcdonald@roke.co.uk>
X-Original-To: multipathtcp@core3.amsl.com
Delivered-To: multipathtcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D0A593A69AC for <multipathtcp@core3.amsl.com>; Tue, 21 Sep 2010 04:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAHvuE-bHXrg for <multipathtcp@core3.amsl.com>; Tue, 21 Sep 2010 04:07:05 -0700 (PDT)
Received: from ixe-mta-29.emailfiltering.com (ixe-mta-29-tx.emailfiltering.com [194.116.199.160]) by core3.amsl.com (Postfix) with ESMTP id 65CA83A69A2 for <multipathtcp@ietf.org>; Tue, 21 Sep 2010 04:07:04 -0700 (PDT)
Received: from salt-ext.roke.co.uk ([109.207.29.2]) by ixe-mta-29.emailfiltering.com with emfmta (version 4.6.0.72) vanilla id 167224310 for marcelo@it.uc3m.es; bb73739f65370865; Tue, 21 Sep 2010 12:07:27 +0100
Received: from [192.168.198.126] ([192.168.198.126]) by rsys005a.comm.ad.roke.co.uk with Microsoft SMTPSVC(6.0.3790.1830); Tue, 21 Sep 2010 12:01:55 +0100
Message-ID: <4C9890A3.3040403@roke.co.uk>
Date: Tue, 21 Sep 2010 12:01:55 +0100
From: "McDonald, Andrew" <andrew.mcdonald@roke.co.uk>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.9) Gecko/20100915 Lightning/1.0b2 Thunderbird/3.1.4
MIME-Version: 1.0
To: marcelo@it.uc3m.es
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 21 Sep 2010 11:01:55.0680 (UTC) FILETIME=[67761600:01CB597C]
Cc: multipathtcp@ietf.org
Subject: [multipathtcp] Comments on threats draft
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/multipathtcp>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Sep 2010 11:07:06 -0000
Hi Marcelo (& all), I've been reading the MPTCP Threat Analysis draft (draft-ietf-mptcp-threat-02), and wanted to provide some feedback/comments. Sections 5 and 6 provide a nice, detailed work through of the key problem scenarios faced by MPTCP. One problem that is not currently mentioned, but has been discussed recently on the list, is SYN flooding and the need to support countermeasures for this (e.g. SYN cookies). In the context of MPTCP it is relevant to note that this applies primarily to the initial handshake - for subsequent 'join' handshakes the receiving end will already have the relevant connection state if the SYN is valid (assuming appropriate identifiers in the SYN), and so can reject the connection if this state does not exist. The draft currently steps straight from discussion of attacks to recommendations on solutions. I think it would be helpful to insert a summary of security requirements before this. This would, hopefully, provide a checklist against which we could evaluate the security solutions being proposed. A suggestion for this section would be: --x--x-- Security Requirements From the analysis of threats, we can identify some key requirements for the security components of MPTCP: 1) Verify that the address received in requests to add/remove a subflow belongs to the other endpoint. (This is primarily motivated by the flooding attacks described in section 5.) 2) Verify that requests to add/remove a subflow genuinely come from the other endpoint. (This is primarily motivated by the hijacking attacks described in section 6.1.) 3) Verify that a request to add/remove a subflow is 'fresh', i.e., it has not been time-shifted/replayed. (This is primarily motivated by the time-shifting attacks described in section 6.2.) Further goals should also be considered: 1) A man-in-the-middle should only be able to masquerade as a valid endpoint if he has witnessed the entire initial handshake. Preferably demonstration of knowledge of the 'current state' of the connection should also be required. (This is based on the desire, from section 6.1, to avoid off-path attackers whilst supporting the use of NATs, as discussed in section 6.3, and aiming for an 'at least as good as standard TCP' level of security where knowledge of endpoint addresses/ports and current sequence numbers are required to hijack a connection.) 2) Future enhancement of the security solution should be supported. At a minimum this should include support for algorithm agility for any cases where cryptographic functions are used. --x--x-- I'm also not totally sure about the placement of the current section 6.3 on NAT considerations. I'd suggest pulling this out as a subsection of a new section entitled something like "Solution Constraints". NAT would be one item under this, with others being the requirement for low data overhead on TCP handshake messages (because of restrictions space in TCP options) and the need for low computation overhead (particular at the SYN-received stage, before the handshake is complete, to avoid high computational requirements during high workloads). In this section, it might also be worth noting the desire to support the 'break-before-make' scenario for adding subflows, since this also places significant constraints on what a security solution might look like. Best regards, Andrew
- [multipathtcp] Comments on threats draft McDonald, Andrew
- Re: [multipathtcp] Comments on threats draft marcelo bagnulo braun