mptcp threat analysis an update n.
Download
Skip this Video
Download Presentation
MPTCP threat analysis: an update

Loading in 2 Seconds...

play fullscreen
1 / 23

MPTCP threat analysis: an update - PowerPoint PPT Presentation


  • 98 Views
  • Uploaded on

MPTCP threat analysis: an update. marcelo bagnulo IETF77 – MPTCP WG. Scope: Types of attackers. On-path vs. Off-path On-path attackers Full time on the path Passive (man on the side) Active: Blocking packets Changing packets. Scenario. IDB LB1,…, LBn. IDA LA1,…, LAn. IDX

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'MPTCP threat analysis: an update' - mills


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
mptcp threat analysis an update

MPTCP threat analysis:an update

marcelo bagnulo

IETF77 – MPTCP WG

scope types of attackers
Scope: Types of attackers
  • On-path vs. Off-path
  • On-path attackers
    • Full time on the path
    • Passive (man on the side)
    • Active:
      • Blocking packets
      • Changing packets
scenario
Scenario

IDB

LB1,…, LBn

IDA

LA1,…, LAn

IDX

LX1,…, LXn

scenario1
Scenario

IDB

LB1,…, LBn

IDA

LA1,…, LAn

IDA

LA1,…, LAn

IDB

LB1,…, LBn

IDX

LX1,…, LXn

redirection attacks
Redirection attacks

IDB

LB1,…, LBn

IDA

LA1,…, LAn

IDA

LA1,…, LAn

IDB

LB1,…, LBn

IDX

LX1,…, LXn

flooding
Flooding

IDX

LX1,…, LXn

IDA

LA1,…, LAn

IDX

LX1,…, LXn

flooding1
Flooding

IDX

LX1,…LAi,…, LXn

IDA

LA1,…, LAn

IDX

LX1,…, LXn

flooding2
Flooding

IDX

LX1,…LAi,…, LXn

IDA

LA1,…, LAn

IDX

LX1,…, LXn

flooding and mptcp
Flooding and MPTCP
  • If MPTCP performs a 3-wayhandshakepernewflowandtheyidentifytheconnection
  • Thisprovidesthereachability check requiredtopreventfloodingattacks
  • Itisveryimportantto NOT send data without a prior reachability check
connection hijacking
Connection Hijacking

IDB

LB1,…, LBn

IDA

LA1,…, LAn

IDA

LA1,…,…, LAn

IDB

LB1,…, LBn

IDX

LX1,…, LXn

connection hijacking1
Connection Hijacking

IDB

LB1,…, LBn

IDA

LA1,…, LAn

IDA

LA1,…,LXi,…, LAn

IDB

LB1,…, LBn

IDX

LX1,…, LXn

connection hijacking2
Connection Hijacking

IDB

LB1,…, LBn

IDA

LA1,…, LAn

IDA

LA1,…,LXi,…, LAn

IDX

LX1,…, LXn

additional threat
Additional Threat
  • In current TCP, an on-path attacker can launch a hijacking attack, but an off-path attacker can’t.
  • So, MPTCP security must prevent off path atackers to perform hijacking attacks
hijacking and mptcp with cookie based security
Hijacking and MPTCP with cookie based security
  • MPTCP can use a combination of seq# and cookie for security. (as in draft-ford-mptcp-multiaddressed)
    • By Seq# i refer to the data seq# (not the one per flow, but the one of the data)
    • They are both exchanged in the first 3 way exchange, when the ULID pair is defined for the connection.
  • So what residual hijacking attacks can be performed with this protection?
time shifted future attacks
Time-shifted/future attacks
  • A time-shiftedattackisanattackwhere:
    • Theattackerison-pathduring a periodof time andobtainsinformation (e.g. The cookie andtheseq#) or even installsstateifneeded.
    • Thentheattackerleavestheonpathlocation
    • Theattakcscontinues even aftertheattackerlefttheonpathposition
  • Current TCP isnot vulnerable to time-shiftedattacks
    • i.e. Whentheattackerleavestheposition, it no longerreceivesthepacketsofthe TCP connection
time shifted attack in mptcp
Time shifted attack in MPTCP

IDB

LB1,…, LBn

IDA

LA1,…, LAn

Attacker on path learns

cookie and seq#

IDA

LA1,…, LAn

IDB

LB1,…, LBn

Any side initiates the connection

time shifted attack in mptcp1
Time shifted attack in MPTCP

Attacker leaves the location to a more comfortable one and adds new flow

IDB

LB1,…, LBn

IDA

LA1,…, LAn

IDA

LA1,…,LXi,…, LAn

IDB

LB1,…, LBn

IDX

LX1,…, LXn

taxonomy of time shofted attacks
Taxonomy of time shofted attacks
  • Type of attacker: Passive vs. Active
  • Vulnerability window to take over:
    • Only the initial handshake
    • Every subflow addition handshake
  • Integrity attacks
  • Replay attacks
  • Detectable vs. Undetactable attacks
cookie based solution
Cookie based solution
  • Type of attacker: Passive
  • Vulnerability window to take over: both the initial and the every next subflow
  • Vulnerable to Integrity attacks
  • Vulnerable to Replay attacks
  • Undetactable attacks
plain text key exchange keyed hmac
Plain text key exchange + keyed HMAC
  • Type of attacker: Passive
  • Vulnerability window to take over: Only the initial handshake
  • Vulnerable to Integrity attacks
  • Vulnerable to Replay attacks
  • Undetactable attacks
leap of faith ssh type of security
Leap of faith/ssh type of security
  • Type of attacker: Active
  • Vulnerability window to take over: Only the initial handshake
  • Vulnerable to Integrity attacks
  • Replay attacks: possible to protect
  • Detectable attacks
nat considerations
NAT considerations
  • NAT compatibility implies that the endpoints do not know the IP address pair, which is exactly what we need to protect
  • Implies that integrity protection is very hard to achieve
next steps
Next steps
  • It would be possible to craft a solution with different pieces that mitigates most of the threats?