[secdir] Secdir review of draft-ietf-mptcp-multiaddressed-09

Alexey Melnikov <alexey.melnikov@isode.com> Thu, 16 August 2012 12:22 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB2C421F8464; Thu, 16 Aug 2012 05:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.878
X-Spam-Level:
X-Spam-Status: No, score=-102.878 tagged_above=-999 required=5 tests=[AWL=-0.279, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uCUnUROgddwJ; Thu, 16 Aug 2012 05:22:03 -0700 (PDT)
Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id BC36E21F8462; Thu, 16 Aug 2012 05:22:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1345119721; d=isode.com; s=selector; i=@isode.com; bh=DNtKJZIKC2tKy/5fppfVN9rAmsKWaOYqkz3LARpnm4M=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=jPirB2KQ3E52VZYFmu6TkyunJj2F+3fazjekdp9ULZSop62+3JJSMHhlKxktKNH3e2u1cL 1RBH5c91CloWpN53sYNq7K8ChujFJXTve3V+dGJmEaGjeUoVKJp53XMVkCkzJWWyuc6ivU joMx5foyvKgYqLuiwQWLwS9unPwSg04=;
Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <UCzl5wBdyEeK@waldorf.isode.com>; Thu, 16 Aug 2012 13:22:01 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <502CE623.6090804@isode.com>
Date: Thu, 16 Aug 2012 13:22:59 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-mptcp-multiaddressed.all@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [secdir] Secdir review of draft-ietf-mptcp-multiaddressed-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Aug 2012 12:22:04 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
  These comments were written primarily for the benefit of the security 
area directors.  Document editors and WG chairs should treat these 
comments just like any other last call comments.

This document describes a set of extensions to traditional TCP to 
support multipath operation, i.e. the ability to simultaneously use 
multiple (potentially disjoint) paths between peers.  The protocol 
offers the same type of service to applications as TCP (i.e. reliable
bytestream), and provides the components necessary to establish and
use multiple TCP flows across paths.

The Security Consideration states:

    The fundamental goal is for the security of
    MPTCP to be "no worse" than regular TCP today, and the key security
    requirements are:

    o  Provide a mechanism to confirm that the parties in a subflow
       handshake are the same as in the original connection setup.

    o  Provide verification that the peer can receive traffic at a new
       address before using it as part of a connection.

    o  Provide replay protection, i.e. ensure that a request to add/
       remove a subflow is 'fresh'.

And then explains in details how these security requirements are met. I 
think the design and explanation is quite reasonable.

The Security Considerations also mentions that the ability of 
negotiating a particular hashing mechanism is susceptible to bid-down 
attacks for on-path attackers and points out that this is also true for 
TCP without MPTCP extension.

I think there are a couple of things missing from the Security 
Considerations section:

Section 3.3.1 says that the same data can be sent on multiple subflows 
(for resiliency). What if an attacker tries to send different data on 
multiple subflows pretending it is the same? Is there a security 
consideration here? (I admit I am quite ignorant and might be missing 
something obvious here.)

Section 3.3.1 implies that unacknowledged connection level data 
(received before the mapping is received) can be used for DoS? Should 
this be mentioned in the Section 5.



Other minor comments/nits:

2.7.  Notable features

    o  To meet the threats identified in [7], the following steps are
       taken: keys are sent in the clear in the MP_CAPABLE messages;
       MP_JOIN messages are secured with HMAC-SHA1

The first mention of HMAC-SHA1 needs a reference.

       using those keys; and
       standard TCP validity checks are made on the other messages (
       ensuring sequence numbers are in-window).

In 3.1:

    This key is generated by its sender and has local meaning only, and
    its method of generation is implementation-specific.  The key MUST be
    hard to guess, and it MUST be unique for the sending host at any one
    time.  Recommendations for generating random keys are given in [11].
    Connections will be indexed at each host by the token (the truncated
    SHA-1 hash of the key).  Therefore, an implementation will require a
    mapping from each token to the corresponding connection, and in turn
    to the keys for the connection.

Sounds like a good text for the Security Consideration section (maybe 
add a pointer from there?)

  [...]

    This exchange allows the safe passage of MPTCP options on SYN packets
    to be determined.  If any of these options are dropped, MPTCP SHOULD

"SHOULD" or "will"? Use of SHOULD doesn't seem correct here.

    gracefully fall back to regular single-path TCP, as documented in
    Section 3.6.  Note that new subflows MUST NOT be established (using
    the process documented in Section 3.2) until a DSS option has been
    successfully received across the path (as documented in Section 3.3).

  [...]

    These bits negotiate capabilities in similar ways.  For the 'C' bit,
    if either host requires the use of checksums, checksums MUST be used.
    In other words, the only way for checksums not to be used is if both
    hosts in their SYNs set C=0.  This decision is confirmed by the
    setting of the 'C' bit in the third packet (the ACK) of the
    handshake.  For example, if the initiator sets C=0 in the SYN, but
    the responder sets C=1 in the SYN/ACK, checksums MUST be used in both

Is support of C=1 required in all implementations?

It is also a bit unusual (at least to me) that the initiator is not able 
to refuse to support C=1.

    directions, and the initiator will set C=1 in the ACK.  The decision
    whether to use checksums will be stored by an implementation in a
    per-connection binary state variable.