Securing MultiPath TCP Mathieu Jadin and Gautier Tihon Universite´ catholique de Louvain, Louvain-la-Neuve, Belgium Emails: [email protected], [email protected] Abstract—MultiPath TCP (MPTCP) is a recent TCP extension Application layer protocols can also encrypt and authentic- that enables hosts to send the data belonging to one connection ate data. Transport Layer Security (TLS) [3] was designed for over multiple paths. It is already deployed for various use this purpose. Various documents have analysed the security of cases, notably on smartphones. In parallel with this, there is a growing deployment of encryption and authentication techniques the TLS protocol from different viewpoints [10, 11, 12]. Over to counter various forms of attacks. Tcpcrypt and the Transport the years, various extensions to TLS have been developed and Layer Security (TLS) are some of these security solutions. deployed. Besides attacks on the cryptographic algorithms or In this paper, we propose MPTCPsec, a MultiPath TCP their implementations [10], TLS is also vulnerable to some extension that closely integrates authentication and encryption forms of attacks that affect the underlying TCP protocol [13]. inside the protocol and shows how it counters several types of attacks. In this paper, we propose a security scheme specially designed for Multipath TCP: MPTCPsec (MPTCP secure). I. INTRODUCTION MPTCPsec brings two main improvements compared to using The Transmission Control Protocol (TCP) is the most application layer security protocols such as TLS or SSH above widely used protocol to exchange data over the Internet. MPTCP: It was designed at a time when security was not a major • MPTCPsec can detect and recover from packet injection concern. Multipath TCP [1] is a major extension to TCP attacks by closing a compromised subflow, in constrast that allows data from a single connection to be exchanged with application layer protocols like TLS that just close over different paths. It has already seen significant adoption the TCP connection when they detect an attack. since it is used on all Apple devices to support the Siri voice • MPTCPsec protects the application data (with authentic- recognition application. In Korea, high-end smartphones use ation and encryption) and authenticates the TCP options Multipath TCP to combine WiFi and LTE and achieve higher that are used to control the Multipath TCP connection. bandwidth [2]. This prevents various types of attacks where an attacker During the last decade, security has been a growing concern would try to impact subflows that he does not control. for Internet protocols and various solutions using encryption This paper is organised as follows. We first describe the key and authentication have been deployed. Most of the success- parts of Multipath TCP in Section II. We then detail the main ful deployments are in the application layer with protocols threats that we have considered in our design of MPTCPsec like SSH or TLS [3]. In the network and transport layer, and explain how they can be countrered in Section III. We encryption and authentication have been less successful. When compare MPTCPsec with related work in Section IV. Our IPsec [4] was designed, it was intended as a mandatory part work goes beyond the design of MPTCPsec since we have also of IPv6. IPv6 is now widely deployed but IPsec remains implemented it inside the Linux kernel. Our implementation restricted to some VPNs. In the transport layer, progress has leverages both the reference implementation of Multipath TCP been slower. Three types of solutions have been proposed in the Linux kernel [14] and the Linux crypto API and to improve the security of TCP. A first approach is to tune performs all cryptographic operations inside the kernel. Due the TCP stack to prevent some segment injection attacks. to space limitations, it unfortunately cannot be described in [5, 6]. Another approach is to add authentication to the TCP this short paper. protocol [7]. However, these solutions assume that a secret is shared between the communicating hosts. They are currently II. MULTIPATH TCP only used to authenticate BGP sessions. Another approach is MultiPath TCP [1] uses several paths to exchange data by tcpcrypt [8]. This TCP extension adds authentication and establishing one TCP connection, called subflow in [1], over encryption to TCP. It was designed to provide opportunistic each path. The number of subflows that compose a Multipath encryption. In contrast with application layer solutions such TCP connection is not constant. Subflows can appear and as TLS, it does not use certificates to authenticate the server, disappear during the lifetime of a connection. For example, but allows the client and the server to perform a secure key a smartphone can create a new subflow each time it attaches handshake and negotiate keys. This prevents attacks such as itself to a new WiFi access point. Thanks to the utilisation of pervasive monitoring [9] but does not address man-in-the- multiple subflows, Multipath TCP can support mobility [15] middle attacks. The IETF has formed the tcpinc working and achieve resource pooling [16]. A detailed overview of group to standardise a TCP extension heavily inspired by Multipath TCP may be found in [17]. We focus here on the tcpcrypt [8]. TCP options that are used by Multipath TCP and are relevant 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Host A Host B Address A1 Address A2 Address B1 Kind Length Subtype (reserved) F m M a A SYN + MP_CAPABLE(Key-A) Data ACK (4 or 8 bytes, depending on flags) Data sequence number (4 or 8 bytes, depending on flags) SYN/ACK + MP_CAPABLE(Key-B) ACK + MP_CAPABLE(Key-A, Key-B) Subflow Sequence Number Data-Level Length Checksum SYN + MP_JOIN(Token-B, R-A) Figure 2. Format of the DSS option. SYN/ACK + MP_JOIN(HMAC-B, R-B) ACK + MP_JOIN(HMAC-A) ACK number space of the subflow. It also contains a cumulative acknowledgement field (Data ACK in Figure 2). Thanks to the Figure 1. MPTCP three-way handshake (between addresses A1 and B1) and DSS option, it is possible to retransmit over a subflow data that subflow establishment (between addresses A2 and B1). R-A (resp. R-B) is the was transmitted initially over another subflow without success. random number of Host A (resp. Host B). HMAC-A (resp. HMAC-B) is equal to HMAC(R-A+R-B, Key-A+Key-B) (resp. HMAC(R-B+R-A, Key-B+Key-A)). The DSS option contains an optional Checksum that allows to detect middlebox interference [1]. When packet losses occur, Multipath TCP first retransmits for understanding the security issues that affect Multipath TCP the lost packets over the same subflow. In this case, the retrans- [18, 19]. mitted packet contains the same DSS option as the original one. If a subflow fails, unacknowledged data previously sent A. Connection and subflow establishment on this subflow must be retransmitted on another subflow. This A Multipath TCP connection starts with a three-way hand- is called a re-injection [1]. In this case, a new DSS shake. The Multipath Capable (MP_CAPABLE) option option is computed to map the retransmitted data onto the is used, as shown in the top of Figure1, to negotiate the use of new subflow. MPTCP and exchange 64-bit keys. These keys are sent in clear The DSS option contains a series of flags. The F flag marks during the handshake of the first subflow1. MPTCP uses these the end of the bytestream. DSS options with the F flag set are keys for three different purposes. Firstly, MPTCP hosts derive called DATA-FIN. They are used to terminate Multipath TCP a token that uniquely identifies the Multipath TCP connection connections as the FIN flag is used in TCP to terminate regular from a hash of the key [1]. Secondly, the Initial Data connections. Sequence Number (IDSN) of a connection is also derived C. Address advertisement from these keys. Thirdly, the keys are used to authenticate the establishment of subflows with the MP_JOIN option. To establish subflows between their different interfaces, The Join (MP_JOIN) option enables hosts to attach new hosts that use Multipath TCP must learn the IP addresses of subflows to an existing Multipath TCP connection. This option the remote host. Multipath TCP uses two TCP options for is used during the three-way handshake that establishes the this purpose. The Add Address (ADD_ADDR) and Remove additional subflow. An example is shown in Figure 1. The Address (REMOVE_ADDR) options allow hosts to advertise establishment of the additional subflow is authenticated with a and remove addresses on which subflows can be established. HMAC computed over random numbers exchanged during the These options are typically included in pure acknowledge- handshake (R-A and R-B in Figure 1) with the keys exchanged ments and the host that receives an option can decide to create during the initial TCP handshake. The token is used by Host a subflow or not towards the advertised address. The ability to B to identify the concerned MPTCP connection. advertise addresses creates a security threat that is discussed in [19, 18]. The latest Multipath TCP draft has added a HMAC B. Data transfer in the ADD_ADDR option to authenticate it. Data Sequence Signal DSS The ( ) option, shown in D. Connection release Figure 2, enables the transmission of data over different paths. In a nutshell, Multipath TCP uses two levels of sequence A Multipath TCP connection can be closed gracefully by numbers: (i) the regular TCP sequence numbers at the subflow using a DSS option with the F flag set (called a DATA-FIN) or level and (ii) the Data Sequence Numbers (DSN) at the con- abruptly with the Fast Close (MP_FASTCLOSE) option.