The Dangers and Promise of Multipath TCP
New enhancements are coming to TCP that might make communications more or less secure, depending on how they are used.
At the heart of all modern network communications is the protocol known as TCP. TCP is now set to be expanded with a set of extensions known as multipath TCP. The promise and the potential dangers of multipath TCP were outlined by a pair of researchers from Neohapsis at the Black Hat security conference in Las Vegas last week.
In an interview with Enterprise Networking Planet, Patrick Thomas, security consultant at Neohapsis, explained that TCP has aged well, but the mobile era is putting new strains on it.
"Multipath TCP extensions on top of regular TCP allow us to do important things that we need for mobile," Thomas said. "Things like easy roaming and the ability to aggregate unrelated links into higher availability links."
Instead of relying on a single path, the promise of multipath TCP is multiple lanes that a communication path can take, based on availability and latency. Catherine Pearce, security consultant at Neohapsis, explained that with regular TCP, an endpoint is defined by its IP address. With multipath TCP, an endpoint starts with one IP address, but it can add or remove addresses.
"Multipath TCP completely removes the reliance on using only one IP address," Pearce said. "You can communicate on one IP address at a time, or many IP addresses all at once."
Pearce added that multipath TCP still enables one-to-one communications, albeit in a different manner than traditional TCP.
Going a step further, multipath TCP can work across both the IPv4 and the IPv6 address spaces at the same time.
"Machines that have more than one way to communicate no longer have to pick just one connection," Thomas said. "If a connection becomes unreliable, it can be torn down, and a new one can be brought up."
The intelligence for multipath TCP is built directly into the protocol, such that applications built on top get the benefit of being able to leverage better availability and latency.
While multipath TCP offers benefits for connectivity and availability, it also carries potential security risk for network security professionals. One of the potential risks comes from cross-path traffic fragmentation, which can turn connections into moving targets.
"Connections can move across IP addresses in the course of a perfectly valid multipath TCP connection," Thomas commented. "Reverse connections also now become possible."
So instead of the traditional client-server relationship in a TCP connection, with multipath TCP the definition of who is the server and who is the client changes.
The risk for security professionals is that modern network security technologies aren't yet fully ready for the new era of TCP. For example, IPS systems are not currently able to reassemble a full multipath TCP session. That means multipath TCP sessions cannot be properly inspected, which represents a potential security risk.
"We need vendors to be ready for this and understand multipath TCP," Thomas said. "Until that point, they are blinded."
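As an added illustration (not code from the article or from Neohapsis), the sketch below shows how a sensor that cannot reassemble multipath sessions can at least flag where multipath TCP is being negotiated, by walking the TCP option list for option kind 30 and reading the subtype. The option kind, subtype names and MP_JOIN layout follow RFC 8684; the function names and the sample headers are constructed for this example.

```python
import struct

MPTCP_KIND = 30  # TCP option kind assigned to Multipath TCP (RFC 8684)
SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
            4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}

def mptcp_options(tcp_header: bytes):
    """Return [(subtype_name, option_bytes)] for MPTCP options in a raw TCP header."""
    if len(tcp_header) < 20:
        return []
    hdr_len = (tcp_header[12] >> 4) * 4          # data offset, in bytes
    opts = tcp_header[20:hdr_len]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                # malformed length: stop parsing
        if kind == MPTCP_KIND and length >= 3:
            subtype = opts[i + 2] >> 4           # high nibble of third byte
            found.append((SUBTYPES.get(subtype, f"UNKNOWN_{subtype}"),
                          opts[i:i + length]))
        i += length
    return found

def join_token(option: bytes):
    """Receiver token from the 12-byte MP_JOIN sent on a SYN, else None."""
    if len(option) == 12 and option[2] >> 4 == 1:
        return struct.unpack("!I", option[4:8])[0]
    return None

def build_header(flags: int, options: bytes) -> bytes:
    """Constructed sample data: minimal TCP header around the given options."""
    options += b"\x01" * (-len(options) % 4)     # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       offset << 4, flags, 65535, 0, 0) + options

SYN = 0x02
PLAIN = build_header(SYN, bytes.fromhex("020405b4"))               # MSS only
CAPABLE = build_header(SYN, bytes.fromhex("020405b4" "1e040181"))  # + MP_CAPABLE v1
JOIN = build_header(SYN, bytes.fromhex("1e0c1002" "deadbeef" "01020304"))
```

Subflows that carry the same MP_JOIN token belong to one multipath connection, so logging the token alongside the 5-tuple shows which flows an inspection device only saw in part.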
There are positive security attributes to consider as well. Pearce noted that privacy can be significantly enhanced with multipath TCP. Instead of a user relying on a single service provider, they can have as many providers as they want. With multiple network connections, issues of network neutrality and bandwidth throttling become muted as the network connection can shift to get the best possible speed.
Mixing multipath TCP with the Tor anonymizing network also has potential. With Tor today, a connection is routed through multiple hops in a bid to obfuscate its origin. In a multipath approach, more connections can potentially provide additional layers of obfuscation.
While the promises and risks of multipath TCP are now being exposed, there is time for networking professionals and vendors to figure out what needs to be done. Apple uses multipath TCP as part of the Siri voice attendant system, but beyond that, multipath TCP is not currently widely implemented or supported on systems.
Sean Michael Kerner is a senior editor at Enterprise Networking Planet and InternetNews.com. Follow him on Twitter @TechJournalist.