Forgot your password?
typodupeerror
Networking Security

Multipath TCP Introduces Security Blind Spot 60

Posted by Unknown Lamer
from the thwart-spies-and-your-friendly-sysadmin dept.
msm1267 (2804139) writes If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate. "[Multipath TCP] solves big problems we have today in an elegant fashion," said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. "You don't have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past."
This discussion has been archived. No new comments can be posted.

Multipath TCP Introduces Security Blind Spot

Comments Filter:
  • by Assmasher (456699) on Friday August 01, 2014 @09:29AM (#47580797) Journal

    Seriously, the second somebody proposed this it should have been (and surely was) clear what the authentication and security implications were. This doesn't mean multi-path is a bad thing, it just means it will likely be used in the appropriate places as opposed to 'everywhere in the tubes.'

  • Great! (Score:3, Insightful)

    by Anonymous Coward on Friday August 01, 2014 @09:30AM (#47580801)

    What you're saying is that Multipath-TCP will make deep packet inspection less useful? That's a win in my book. The net shouldn't be looking at packet contents anyway.

  • Design Issue (Score:4, Insightful)

    by sociocapitalist (2471722) on Friday August 01, 2014 @09:30AM (#47580809)

    It's a design issue.

    IDS and IPS can still intercept traffic taking muliple paths so long as those paths converge at the security device somewhere along the way.

    i.e. traffic can be split across a WAN (MPLS / Internet IPSec paths for example) and be reassembled on the DMZ incoming to the destination site or hub site of a regional network.

  • by mysidia (191772) on Friday August 01, 2014 @09:38AM (#47580857)

    Security is not meant to be, and now can't be a bolt-on feature without disrupting performance of the network. Nor is security what dictates the design of your protocols --- IP traffic is not meant to be intercepted, and more and more of it is becoming encrypted. Your IDS/IPS cannot look inside SSL traffic, either, which could contain exploit code (conveniently packed and encrypted by the SSL container).

    You now need to move and have multiple IDS or IPS security agents on the end devices themselves; perhaps on the NIC, where you most certainly could have access to disparate MP-TCP sessions, with some software engineering.

    I'm so sorry, it seems hard that you will now need to manage 1000 IPSes on all your endpoints which is less convenient than one centralized IPS, but the centralized IPS was always a hack and likely to be compromised or circumvented, for example, by tunneling, or leveraging a secondary WiFi network, as it's a ripe target.

    In principle, the only sound thing to do is going to be to move your detectors.

  • Really??? (Score:5, Insightful)

    by Jaime2 (824950) on Friday August 01, 2014 @09:54AM (#47580945)
    Is this article suggesting that new communication paradigms are a bad idea because the security gear optimized for the old paradigm won't work? Should we wait for the security industry to invent multipath TCP? BTW, this is the same security gear that can already be thwarted by end-to-end encryption. How is this any different?
  • by KiloByte (825081) on Friday August 01, 2014 @10:01AM (#47580997)

    For me, some extra resiliency against snooping is a bonus rather than a "critical vulnerability".

Evolution is a million line computer program falling into place by accident.

Working...