
MPTCP Security

Overview

Multipath TCP (MPTCP) is a proposed extension to the standard TCP stack in which the endpoints of a given TCP connection can use multiple paths for data exchange. Segments can then be exchanged using different source/destination address pairs, which makes multiple paths usable in a significant number of scenarios. However, the support for multiple IP addresses per endpoint in MPTCP may have security implications, because it introduces additional vulnerabilities on top of those of single-path TCP.

Why MPTCP?

  • MPTCP proposes the idea of resource pooling. It aims to increase the resilience of connectivity by providing multiple paths, protecting end hosts from a single point of failure.
  • MPTCP aims to increase the efficiency of resource usage, and thus increase the network capacity available to end hosts.
  • It aims to address the application and network compatibility issues seen in other proposed stream-based protocols (most notably SCTP), which arise because middleboxes are unaware of SCTP. Here, middleboxes refer to firewalls, IDS, NAT, etc.

From a security perspective, the goal is to prevent an attacker from inserting their own addresses as valid addresses for any given MPTCP connection.

MPTCP Amplification Attack

One type of flooding attack that can potentially be mounted with MPTCP is one where the attacker initiates a connection with a peer and includes a long list of alternative addresses in explicit mode. If the peer decides to establish subflows with all the advertised addresses, the attacker has achieved an amplified attack: a single packet containing all the alternative addresses triggers the peer to generate packets to every one of those destinations.

Recommendations

  • MPTCP should implement some form of reachability check using a random nonce (i.e. a TCP handshake) before adding a new address to an ongoing communication, in order to prevent flooding attacks.
  • For now, I can’t think of anything more…
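To make the amplification and the nonce-based reachability check concrete, here is an added Python simulation (not from the page or from any MPTCP implementation): a trusting peer that opens a subflow to every advertised address, beside a peer that first challenges each address with a random nonce and caps how many addresses it will consider per advertisement. The network model, addresses, cap and retry count are constructed assumptions.

```python
import secrets

# Constructed "network": address -> function that receives a challenge nonce and
# returns what the host at that address echoes back. Addresses missing from the
# map model unreachable or forged addresses that never answer.
CONSTRUCTED_NETWORK = {
    "10.0.0.2": lambda nonce: nonce,        # honest host that really owns the address
    "10.0.0.3": lambda nonce: b"\x00" * 8,  # host that answers, but cannot echo the nonce
}
MAX_ADDRS_PER_ADVERT = 8  # hypothetical cap on addresses accepted from one advertisement
SYN_RETRIES = 3           # assumed packets a blind subflow attempt costs per address


def naive_peer(advertised, network=CONSTRUCTED_NETWORK):
    """Trusting peer: tries a subflow to every advertised address.

    Returns (packets_sent, subflows). Every address costs SYN plus retransmissions,
    and any host that answers the handshake is accepted as a subflow endpoint.
    """
    sent = 0
    subflows = set()
    for addr in advertised:
        sent += SYN_RETRIES             # SYN and retries, even to a silent address
        if addr in network:             # reachable hosts complete the handshake
            subflows.add(addr)
    return sent, subflows


def checked_peer(advertised, network=CONSTRUCTED_NETWORK):
    """Peer with a reachability check: caps the list, sends one nonce challenge per
    address, and adds only addresses that echo the exact nonce back."""
    sent = 0
    subflows = set()
    for addr in advertised[:MAX_ADDRS_PER_ADVERT]:
        nonce = secrets.token_bytes(8)  # fresh, unguessable challenge per address
        sent += 1                       # one small challenge packet, no retries
        reply = network.get(addr, lambda n: None)(nonce)
        if reply == nonce:              # only a host that received the challenge can echo it
            subflows.add(addr)
    return sent, subflows


def amplification(packets_sent, inbound_packets=1):
    """Packets the peer emitted per inbound advertisement packet."""
    return packets_sent / inbound_packets
```

Feeding both peers one advertisement of 100 addresses, of which only two exist, shows the trusting peer emitting hundreds of packets and accepting an address it never verified, while the checked peer emits at most the capped number of challenges and adds only the address that echoed its nonce.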
