Multipath TCP Introduces Security Blind Spot

← Back to Stories (view on slashdot.org)

Multipath TCP Introduces Security Blind Spot

Posted by Unknown on Friday August 1, 2014 @01:25AM from the thwart-spies-and-your-friendly-sysadmin dept.

msm1267 (2804139) writes If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate. "[Multipath TCP] solves big problems we have today in an elegant fashion," said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. "You don't have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past."

11 of 60 comments (clear)

Min score:

Reason:

Sort:

News to be filed under "duh..." by Assmasher · 2014-08-01 01:29 · Score: 4, Insightful

Seriously, the second somebody proposed this it should have been (and surely was) clear what the authentication and security implications were. This doesn't mean multi-path is a bad thing, it just means it will likely be used in the appropriate places as opposed to 'everywhere in the tubes.'

--
Loading...
1. Re:News to be filed under "duh..." by Anonymous Coward · 2014-08-01 01:59 · Score: 2, Interesting
  
  Seriously, the second somebody proposed this it should have been (and surely was) clear what the authentication and security implications were.
  It's not like multi-homed protocols based on IP are new. SCTP has been around about a decade (half a decade as a real Internet standard).
2. Re:News to be filed under "duh..." by KiloByte · 2014-08-01 02:01 · Score: 4, Insightful
  
  For me, some extra resiliency against snooping is a bonus rather than a "critical vulnerability".
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Great! by Anonymous Coward · 2014-08-01 01:30 · Score: 3, Insightful

What you're saying is that Multipath-TCP will make deep packet inspection less useful? That's a win in my book. The net shouldn't be looking at packet contents anyway.
1. Re:Great! by Lennie · 2014-08-01 06:02 · Score: 3, Informative
  
  I'm not sure what you mean, but MultiPath-TCP is about combining different technologies.
  So one part of the stream will run over Comcast, sure. But an other part will be transfered of 3G/LTE/whatever...
  In that case Comcast isn't going to get the whole stream. Good luck with your IDS and deep packet inspection.
  Al though most deep packet inspection problem looks for port-numbers, HTTP Host-headers, HTTPS SNI names and destination IP-addresses anyway. So impact in that case might not be that bad.
  An other use case for MultiPath-TCP is roaming without dropping a connection. So for example, going from one WiFi to an other Wifi network without interruption.
  If that is a different provider again Comcast won't see the whole stream.
  
  --
  New things are always on the horizon
Design Issue by sociocapitalist · 2014-08-01 01:30 · Score: 3, Insightful

It's a design issue.
IDS and IPS can still intercept traffic taking muliple paths so long as those paths converge at the security device somewhere along the way.
i.e. traffic can be split across a WAN (MPLS / Internet IPSec paths for example) and be reassembled on the DMZ incoming to the destination site or hub site of a regional network.

--
blindly antisocialist = antisocial
Network-based IPS and IDS are obsolete by mysidia · 2014-08-01 01:38 · Score: 4, Insightful

Security is not meant to be, and now can't be a bolt-on feature without disrupting performance of the network. Nor is security what dictates the design of your protocols --- IP traffic is not meant to be intercepted, and more and more of it is becoming encrypted. Your IDS/IPS cannot look inside SSL traffic, either, which could contain exploit code (conveniently packed and encrypted by the SSL container).
You now need to move and have multiple IDS or IPS security agents on the end devices themselves; perhaps on the NIC, where you most certainly could have access to disparate MP-TCP sessions, with some software engineering.
I'm so sorry, it seems hard that you will now need to manage 1000 IPSes on all your endpoints which is less convenient than one centralized IPS, but the centralized IPS was always a hack and likely to be compromised or circumvented, for example, by tunneling, or leveraging a secondary WiFi network, as it's a ripe target.
In principle, the only sound thing to do is going to be to move your detectors.
1. Re:Network-based IPS and IDS are obsolete by amorsen · 2014-08-01 02:01 · Score: 2
  
  Your IDS/IPS cannot look inside SSL traffic
  Sure it can. You just push a new root certificate to your devices and intercept away.
  
  --
  Finally! A year of moderation! Ready for 2019?
2. Re:Network-based IPS and IDS are obsolete by thermowax · 2014-08-01 02:11 · Score: 2
  
  "Your IDS/IPS cannot look inside SSL traffic, either, which could contain exploit code (conveniently packed and encrypted by the SSL container)."
  You might want to go read up on SSLStrip before you make that assertion. There are a bunch of other utilities that do basically the same thing, but their names escape me at the moment.
  Admittedly, SSLStrip relies (generally) on the target ignoring the bad cert warning, but if you've compromised the target and inserted your root CA into the "trusted" list, well... no more warning. And, as someone else mentioned, if you're a netadmin and control the end nodes, there are lots of companies that will sell you inline appliances that will do exactly the same thing- completely transparently.
  WebSense and PaloAlto 6.0- and probably others- will even let you take the cleartext off-box for DLP, or "archiving".
  How much you want to bet that one of the trusted root CAs distributed with all browsers (eg, VeriSign) is an NSA plant? Trust no one.
Really??? by Jaime2 · 2014-08-01 01:54 · Score: 4, Insightful

Is this article suggesting that new communication paradigms are a bad idea because the security gear optimized for the old paradigm won't work? Should we wait for the security industry to invent multipath TCP? BTW, this is the same security gear that can already be thwarted by end-to-end encryption. How is this any different?
Re:Three duh's from the article: by Bengie · 2014-08-04 04:57 · Score: 2

With a 40Gb stream, there is about 5MB of data per millisecond. You're going to need some large network buffers to handle out of order packets.

The biggest issue is you went from firewalls that didn't need to know about each other's state to not only sharing state, but every packet. Essentially you went from a lock-free design to a giant lock.

I assume this would be way too much load for the firewalls, so you'd be better off mirroring all edge traffic to a central server to demultiplex the streams. Imagine you're a company with several 100gb connections, with a total of 1tb of bandwidth, and you have a central server that needs to somehow handle 1tb of mirrored packets getting forwarded to it. That'll be interesting.