Internet DRAFT - draft-paasch-mptcp-application-authentication
draft-paasch-mptcp-application-authentication
Internet Engineering Task Force C. Paasch
Internet-Draft Apple, Inc.
Intended status: Experimental A. Ford
Expires: November 28, 2016 Pexip
May 27, 2016
Application Layer Authentication for MPTCP
draft-paasch-mptcp-application-authentication-00
Abstract
Multipath TCP (MPTCP), described in [3], is an extension to TCP to
provide the ability to simultaneously use multiple paths between
hosts.
MPTCP currently specifies a single authentication mechanism, using
keys that are initially exchanged in the clear. There are
application-layer protocols that may have better information as to
the identity of the parties and so is able to better provide keying
material that could be used for the authentication of future
subflows.
This document specifies "application layer authentication" for
Multipath TCP, an alternatively negotiated keying mechanism for
MPTCP.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 28, 2016.
Paasch & Ford Expires November 28, 2016 [Page 1]
Internet-Draft MPTCP Application Layer Auth May 2016
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Key in plaintext . . . . . . . . . . . . . . . . . . . . 3
1.2. Token generation . . . . . . . . . . . . . . . . . . . . 3
1.2.1. Hash collision . . . . . . . . . . . . . . . . . . . 3
1.2.2. Derive information from the token . . . . . . . . . . 3
2. Proposed Technical Changes . . . . . . . . . . . . . . . . . 4
2.1. MP_CAPABLE Changes . . . . . . . . . . . . . . . . . . . 4
2.2. MP_JOIN Changes . . . . . . . . . . . . . . . . . . . . . 6
2.3. Data Sequence Number Changes . . . . . . . . . . . . . . 6
2.4. MP_FASTCLOSE Changes . . . . . . . . . . . . . . . . . . 7
3. Security Considerations . . . . . . . . . . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Normative References . . . . . . . . . . . . . . . . . . 7
5.2. Informative References . . . . . . . . . . . . . . . . . 8
1. Introduction
The MPTCP handshake serves multiple purposes. First, hosts discover
their peer's support of MPTCP. Second, each host announces a key
that will be tied to this MPTCP session. The key also serves
multiple purposes. First, the derivate of the key is being used as a
token-identifier for the MPTCP connection. This derivate is a
truncated hash of the key. Second, another truncated hash of the key
serves as the initial data sequence number. And third, the key
itself is used as an authenticator to prove that the host behind the
IP-address used to establish new subflows is indeed the one that
participated in the handshake of the initial subflow.
In the following we explain the shortcomings of this exchange and how
they impact the deployment of MPTCP.
Paasch & Ford Expires November 28, 2016 [Page 2]
Internet-Draft MPTCP Application Layer Auth May 2016
1.1. Key in plaintext
The key-exchange happens during the handshake of the initial subflow.
RFC 6824 specifies that this exchange happens in plaintext. As has
been noted in RFC 7430, an eavesdropper on the initial handshake is
thus able to learn the keys used in this MPTCP session. This allows
him to generate the session's tokens and data sequence numbers,
enabling him to effectively hijack the MPTCP session by creating a
subflow with a different IP-address. The attacker will be able to
generate a valid HMAC as he has full knowledge of the keys of this
MPTCP session.
To enhance MPTCP's security, it would be beneficial to not reveal
MPTCP's keys in plaintext on the wire.
1.2. Token generation
The token is a truncation of the 32 most significant bits of the
SHA-1 of the key. The key must be a random number of sufficient
entropy to be used as part of the authentication mechanism, and thus
a host has no control over the token as it is generating the key for
the MPTCP-session. This has some implications on the deployability
of MPTCP, outlined hereafter.
1.2.1. Hash collision
Due to the nature of the token-generation, the 32-bit token might
collide with another already existing MPTCP session. While a 32-bit
token collision should be very rare on client devices, a busy server
(with potentially tens of millions of active MPTCP connections) will
have a very high probability of a token collision.
Upon such a collision, the server needs to generate a new
cryptographically secure 64-bit key, and derive the token through a
SHA-1 computation upon which he finally can verify the uniqueness of
the token. If a collision happened again, the server has to start
anew. This process imposes a computation overhead and complexity
upon the server and impacts the scalability compared to regular TCP.
Allowing a server to generate a token in such a way that uniqueness
can be achieved easily would be beneficial for the scalability and
deployment of MPTCP.
1.2.2. Derive information from the token
As the token is a truncated hash of the key, it is entirely of a
random nature. As has been shown in [5], this brings several
deployment challenges in large server farms. In particular, the
Paasch & Ford Expires November 28, 2016 [Page 3]
Internet-Draft MPTCP Application Layer Auth May 2016
layer-4 load balancers in front of this server farm need to maintain
MPTCP-specific state in order to map a token to the server.
The token can be looked at as a route-identifier, as it allows the
server to associate the incoming SYN+MP_JOIN with an existing MPTCP-
session. However, the random nature of the token does not allow a
load balancer in the middle to do the same without having to maintain
MPTCP-specific state.
If the token can be generated in such a way that it carries the
required routing information in such a way that it can be deciphered
by all the trusted parties in the server farm deployment, large-scale
deployment of MPTCP would be simplified.
In the following we suggest an alternative handshake that allows
MPTCP to increase its security by leveraging an external key-exchange
and thus benefit from the security provided by protocols like TLS.
As a side-effect of this approach, the token also can be exchanged in
a more flexible way, addressing the above identified issues with the
token generation.
2. Proposed Technical Changes
2.1. MP_CAPABLE Changes
To resolve the issues identified in the previous section, this
proposal separates the key handling for security (i.e. the method for
protecting new subflow exchanges) from the token exchange. This
means that:
o Key exchange is handled in the application layer
o Meaning can be exchanged in the token, and a custom generation
method can be used, as it is decoupled from keying material
This specification allocates the 'G' bit from the flags of MP_CAPABLE
as an alternative security mechanism - "handled by application
layer". In this case, the MP_CAPABLE exchange will send and receive
tokens rather than keys.
When the 'G' bit is set to 1, this implies support for this new
mechanism, and the MP_CAPABLE exchange will operate as follows. The
tokens take the place of the keys in the MP_CAPABLE exchange, but
otherwise the exchange remains very similar. This exchange still
maintains support for stateless servers. Note that this now means
that tokens are 64 bits in length.
Paasch & Ford Expires November 28, 2016 [Page 4]
Internet-Draft MPTCP Application Layer Auth May 2016
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------+-------+---------------+
| Kind | Length |Subtype|Version|A|B|C|D|E|F|G|H|
+---------------+---------------+-------+-------+---------------+
| Option Sender's Token (64 bits) |
| (if option Length > 4) |
| |
+---------------------------------------------------------------+
| Option Receiver's Token (64 bits) |
| (if option Length > 12) |
| |
+-------------------------------+-------------------------------+
| Data-Level Length (16 bits) | Checksum (16 bits, optional) |
+-------------------------------+-------------------------------+
Figure 1: Proposed Multipath Capable (MP_CAPABLE) Option
The MP_CAPABLE option is carried on the SYN, SYN/ACK, and ACK packets
that start the first subflow of an MPTCP connection, as well as the
first packet that carries data, if the initiator wishes to send
first. The data carried by each option is as follows, where A =
initiator and B = listener.
o SYN (A->B): only the first four octets (Length = 4).
o SYN/ACK (B->A): B's token for this connection (Length = 12).
o ACK (no data) (A->B): A's token followed by B's token (Length =
20).
o ACK (with first data) (A->B): A's key followed by B's key followed
by Data-Level Length, and optional Checksum (Length = 22 or 24).
The contents of the option is determined by the SYN and ACK flags of
the packet, along with the option's length field. For the diagram
shown in Figure 1, "sender" and "receiver" refer to the sender or
receiver of the TCP packet (which can be either host).
If the sender of the initial SYN supports both SHA-1 (as specified in
[3]) and application-layer, it can set both G and H bits to "1". The
sender of the SYN/ACK can then make a decision as to which mode to
support, and selects only one of those bits in the SYN/ACK.
Paasch & Ford Expires November 28, 2016 [Page 5]
Internet-Draft MPTCP Application Layer Auth May 2016
2.2. MP_JOIN Changes
The MP_JOIN exchange remains almost the same:
Host A Host B
------------------------ ----------
Address A1 Address A2 Address B1
---------- ---------- ----------
| | |
| | SYN + MP_JOIN(Token-B, R-A) |
| |------------------------------->|
| |<-------------------------------|
| | SYN/ACK + MP_JOIN(HMAC-B, R-B) |
| | |
| | ACK + MP_JOIN(HMAC-A) |
| |------------------------------->|
| |<-------------------------------|
| | ACK |
HMAC-A = HMAC(Key=(Key-A+Key-B), Msg=(R-A+R-B))
HMAC-B = HMAC(Key=(Key-B+Key-A), Msg=(R-B+R-A))
Figure 2: Example Use of MP_JOIN
However, the token presented is now 64 bits. The key used in the
HMAC exchange here is provided by the application layer. Otherwise,
there are no other changes to the handshake. Note, however, that an
MP_JOIN message cannot be sent until the application layer protocol
has determined that the key exchange has completed.
Depending on the key-exchange protocol that is in use at the
application layer, it may be that the client already knows the key,
while the server is not yet aware of it. In that case the server
might receive SYN+MP_JOIN with a valid token, but the MPTCP-state on
the server has not yet been populated with the key. The server must
silently drop in that case the SYN+MP_JOIN. The client will
retransmit its SYN+MP_JOIN and eventually the application on the
server will have populated the MPTCP-state with the key.
2.3. Data Sequence Number Changes
The Initial Data Sequence Number for each host involved in an MPTCP
connection is, by [3], derived from the SHA-1 hash of the key. If
application-layer authentication is selected, the IDSN MUST instead
be derived from the most-significant 64 bits of the SHA-1 hash of the
token.
Paasch & Ford Expires November 28, 2016 [Page 6]
Internet-Draft MPTCP Application Layer Auth May 2016
2.4. MP_FASTCLOSE Changes
MP_FASTCLOSE is the other method that uses the key in [3]. Given
there is no knowledge as to a potential key's sensitivity, it can no
longer be said that a key should be sent here. Instead, a truncation
of the 64 most-significant bits of the SHA-1 hash [4] of the key
should be used.
3. Security Considerations
This draft is proposing a mechanism that would allow an application-
layer protocol to provide security, rather than relying on a
cleartext exchange of the keys. As such, this document itself does
not introduce any additional security concerns, but provides a
mechanism by which additional security could be added to the MPTCP
handshake, depending on the authentication method used at the
application layer.
4. IANA Considerations
This document would update the "MPTCP Handshake Algorithms" sub-
registry under the "Transmission Control Protocol (TCP) Parameters"
registry, based on the flags in MP_CAPABLE, to add the following
algorithm:
+----------+----------------------------------+---------------+
| Flag Bit | Meaning | Reference |
+----------+----------------------------------+---------------+
| G | Application-layer Authentication | This document |
+----------+----------------------------------+---------------+
Table 1: MPTCP Handshake Algorithms
5. References
5.1. Normative References
[1] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[2] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] Ford, A., Raiciu, C., Handley, M., Bonaventure, O., and C.
Paasch, "TCP Extensions for Multipath Operation with
Multiple Addresses", draft-ietf-mptcp-rfc6824bis-05 (work
in progress), January 2016.
Paasch & Ford Expires November 28, 2016 [Page 7]
Internet-Draft MPTCP Application Layer Auth May 2016
[4] National Institute of Science and Technology, "Secure Hash
Standard", Federal Information Processing Standard (FIPS)
180-3, October 2008,
<http://csrc.nist.gov/publications/fips/fips180-3/
fips180-3_final.pdf>.
5.2. Informative References
[5] Paasch, C., Greenway, G., and A. Ford, "Multipath TCP
behind Layer-4 loadbalancers", draft-paasch-mptcp-
loadbalancer-00 (work in progress), September 2015.
Authors' Addresses
Christoph Paasch
Apple, Inc.
Cupertino
US
EMail: cpaasch@apple.com
Alan Ford
Pexip
EMail: alan.ford@gmail.com
Paasch & Ford Expires November 28, 2016 [Page 8]