If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream.
MPTCP is an extension to the Internet’s primary communication protocol. It allows a TCP session to move over multiple connections and network providers to the same destination. Should one drop, the session seamlessly moves to its second, backup connection, keeping phone calls or Internet sessions alive.
Right now, multipath TCP is not deployed on Windows machines or in the mainstream Linux kernel, for example. Apple iOS devices have it, but for now, Siri is the only function to make use of it. Networking giants such as Cisco and Juniper, however, are starting to deploy it in networking gear.
At next week’s Black Hat conference in Las Vegas, two researchers from Neohapsis hope their talk on MPTCP’s security shortcomings urges the industry to address the security implications before the technology is rolled out, causes a major shift, and no one is ready for the consequences.
“It solves big problems we have today in an elegant fashion,” said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. “You don’t have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past.”
Pearce said the extensions cause three fundamental security shifts for traditional intrusion detection, intrusion prevention and other security gear. First, the way the protocol reroutes traffic on the fly and changes network addresses during a connection leaves detection technologies blind to traffic. Security gear, Pearce said, cannot correlate and reassemble traffic as it is split over multiple streams.
Trust models users and networks have fostered with Internet providers are also changed—and in some cases broken. Contrary to that, providers will no longer be able to sniff traffic—under court order for example—unless they work hand in hand with other providers handling split traffic sessions.
“Technology like MPTCP makes it much harder for surveillance states,” Pearce said. “If I split traffic across my cell provider and an ISP I may not trust, in order for a surveillance state to snoop they have to collaborate with all these parties. It’s a much harder proposition.”
Finally, Pearce said, there will be ambiguity for firewalls about what incoming and outgoing traffic looks like. She said that MPTCP enables endpoints to tell servers there are other addresses to which the server may connect, but the firewall may not necessarily interpret that as an outgoing connection.
“You’re going to be dealing with architectural shifts that force you to solve problems in a different way,” Pearce said. “MPTCP is small now, but it’s gaining momentum. It will be in a lot of venues and have a lot of vendors’ support. My focus will be to try to make sure the security industry keeps up with protocol development and secures it properly. It’s not about marketing something for the next three months.”
Pearce concedes that attacks exploiting weaknesses caused by MPTCP are not practical yet, but cautions that there are serious privacy implications on the horizon as well as a shift forcing more protection toward the endpoint, wresting control away from network providers.
“Current security presumes that if I can see traffic, I can understand it,” Pearce said. “If I control a server at either end of a session, I can use it to evade IDS or provide resilient connections if a defender locks me out. It changes things quite a bit.”