Threat Analysis for TCP Extensions for Multipath Operation with Multiple Addresses
RFC 6181

Internet Engineering Task Force (IETF)                        M. Bagnulo
Request for Comments: 6181                                          UC3M
Category: Informational                                       March 2011
ISSN: 2070-1721

       Threat Analysis for TCP Extensions for Multipath Operation
                        with Multiple Addresses

Abstract

   Multipath TCP (MPTCP for short) describes the extensions proposed for
   TCP so that endpoints of a given TCP connection can use multiple
   paths to exchange data.  Such extensions enable the exchange of
   segments using different source-destination address pairs, resulting
   in the capability of using multiple paths in a significant number of
   scenarios.  Some level of multihoming and mobility support can be
   achieved through these extensions.  However, the support for multiple
   IP addresses per endpoint may have implications for the security of
   the resulting MPTCP.  This note includes a threat analysis for MPTCP.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6181.

Bagnulo                       Informational                     [Page 1]
RFC 6181                  MPTCP Threat Analysis               March 2011

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Scope  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Related Work . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Basic MPTCP  . . . . . . . . . . . . . . . . . . . . . . . . .  6
   5.  Flooding Attacks . . . . . . . . . . . . . . . . . . . . . . .  8
   6.  Hijacking Attacks  . . . . . . . . . . . . . . . . . . . . . . 10
     6.1.  Hijacking Attacks to the Basic MPTCP . . . . . . . . . . . 10
     6.2.  Time-Shifted Hijacking Attacks . . . . . . . . . . . . . . 13
     6.3.  NAT Considerations . . . . . . . . . . . . . . . . . . . . 14
   7.  Recommendation . . . . . . . . . . . . . . . . . . . . . . . . 15
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 16
   9.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16
   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 16
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 16
     11.2. Informative References . . . . . . . . . . . . . . . . . . 16

1.  Introduction

   Multipath TCP (MPTCP for short) describes the extensions proposed for
   TCP [RFC0793] so that endpoints of a given TCP connection can use
   multiple paths to exchange data.  Such extensions enable the exchange
   of segments using different source-destination address pairs,
   resulting in the capability of using multiple paths in a significant
   number of scenarios.  Some level of multihoming and mobility support
   can be achieved through these extensions.  However, the support for
   multiple IP addresses per endpoint may have implications for the
   security of the resulting MPTCP.  This note includes a threat
   analysis for MPTCP.  There are many ways other than the use of
   multiple addresses to provide multiple paths for a TCP connection;
   the threat analysis performed in this document is limited to the
   specific case of using multiple addresses per endpoint.
