[secdir] secdir review of draft-ietf-mptcp-architecture-04

Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 20 January 2011 11:46 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3C4B83A70FA for <secdir@core3.amsl.com>; Thu, 20 Jan 2011 03:46:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.158
X-Spam-Level:
X-Spam-Status: No, score=-95.158 tagged_above=-999 required=5 tests=[AWL=0.204, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IWrUrCX7YAzM for <secdir@core3.amsl.com>; Thu, 20 Jan 2011 03:46:03 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by core3.amsl.com (Postfix) with ESMTP id 7A0433A6F22 for <secdir@ietf.org>; Thu, 20 Jan 2011 03:46:02 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=nyx0bnYPEkacZaLVSiePj0+NKRP7JpGEQsePE5xkVKcDdxT+u/yUbYP+dkC9MsssVdpGmZbWW6yfNQJ30xM3ofQRkjGOy712y8MgOjcQqIU5gP6Fqa9pue99wcTt8Edp; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 32005 invoked from network); 20 Jan 2011 12:47:48 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO seraphim.heaven) (94.194.102.93) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 20 Jan 2011 12:47:48 +0100
Message-ID: <4D382103.6080601@gondrom.org>
Date: Thu, 20 Jan 2011 11:48:19 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 SUSE/3.1.7 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-mptcp-architecture.all@tools.ietf.org
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [secdir] secdir review of draft-ietf-mptcp-architecture-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jan 2011 11:46:03 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.


In general the MPTCP idea and approach look good.
There is a large number of security implications and potential problems
with MPTCP. The draft's security consideration section basically just
refers to two other drafts (draft-ietf-mptcp-threat-06 and
draft-ietf-mptcp-multiaddressed-02) to address and solve them. As these
elements are pretty central, I am not convinced that these references to
"work in progress" drafts are sufficient and only "informative".
Draft draft-ietf-mptcp-threat-06 describes some of the security concerns
in good detail. I would recommend that the progress of the
draft-ietf-mptcp-architecture draft should be halted/delayed until the
referenced drafts (or at least some of them) are released.


There are a number of issues I would like to raise (some of them might
have been answered in one of the several referenced documents or
documents referenced by referenced document):

- section 5.8: Considering the wide range of threats and potential
problems, section "5.8. Security"  3rd paragraph should change "A
multi-addressed Multipath TCP SHOULD be able to"  to "A multi-addressed
Multipath TCP MUST be able to".  These are really mandatory requirements
to make sure MPTCP does not break and is equal to TCP.

- does MPTCP reduce quality of service for other TCP users?
section 2.2.3 states:
"The use of multiple paths MUST NOT unduly harm users using single-path
TCP at shared bottlenecks, beyond the impact that would occur from
another single-path TCP flow."
I fully agree with this concern. However you do not indicate how this
shall be achieved.
Considering the TCP-transparancy paradigm in MPTCP this could conflict
with "fair shared resources" at bottlenecks? Maybe you can elaborate on
how you want to achieve that. I am not sure I can fully see or
understand that from draft-ietf-mptcp-congestion-01 (which btw. you
maybe should reference in section 2.2.3)?
- section 4, paragraph "Congestion Control":
this is referencing to draft-ietf-mptcp-congestion-01, which in turn
claims to have no security considerations and references to
draft-ford-mptcp-multiaddressed-01 (which is experimental and a bit
vague with the security considerations and still work in progress) and a
non-existent [REF] to deal with this problem. This is not satisfying.

- does it lead to traffic shaping (meaning that the network provider
will give individual users different qualities of service for TCP). E.g.
To make MPTCP equal to one TCP, do you have to reduce QoS for some of
its TCP pieces? Or do you identify MPTCP at bottlenecks and allow only
for specific users MPTCP?

- Packet Scheduling:
-- section 4, paragraph "Packet Scheduling" and section 5.3 "Buffer"
thinking about scheduling packets on MPTCP layer means holding TCP
packets back while waiting for others. Does that introduce a new
dimension of memory resource requirements on the receiving machine which
could lead to "flooding" attacks with MPTCP. (E.g. sending a MPTCP where
one TCP packet is missing by intent and making the receiving endpoint
keep all packets keep in memory waiting for the missing subflow packet)?
(also refers to section 5.2.  Reliability and Retransmissions)

- what should happen when two subflow packets (with the same connection
level sequence number) arrive via two different TCP paths? Within the
time until all connection packets have been re-arranged (e.g. while
waiting). Does that mean you can disrupt MPTCP by listening in on one
subflow on one path and sending fake messages that will overlap (in
connection sequence number) with packets from other paths?

- agree with the assessment of section 5.1 on double sequencing ("a
connection level sequence number, and another sequence number for each
subflow").
However:
- could this also make Denial of Service scenarios easier?
(or meaning makes it more difficult for middleboxes to determine whether
a TCP DoS attack is ongoing or a normal MPTCP (MPTCP's several TCP
subflows from one source may look like "flooding" from one source)?

- section "5.6.  Connection Identification":
comment: The Connection id MUST be protected against spoofing, because
for MPTCP aware clients this could be used to divert traffic from a
legitimate client to a non-legitimate client by spoofing to operate
under the same connection id? Normally a server will reply back to the
sender's IP address (the same TCP subflow). With MPTCP an attacker might
inject a second "connection" into the flow and divert answers from the
server to new IP (using the second MPTCP subflow path)?


Kind regards, Tobias