Presentation is loading. Please wait.

Presentation is loading. Please wait.

Some Thoughts on MPTCP Proxies and Middleboxes

Published byGerard Price Modified over 9 years ago

Similar presentations

Presentation on theme: "Some Thoughts on MPTCP Proxies and Middleboxes"— Presentation transcript:

1 Some Thoughts on MPTCP Proxies and Middleboxes
Ed Lopez –

2 Prologue Middleboxes (and proxies) break the end-to-end principal of Internet architecture Stateful ones force single path architectures Packet transforms, especially by encapsulation, NAT devices and proxies, are particularly problematic Unfortunately, middleboxes perform functions essential to their operators, often due to regulation and other non-technical requirements Financial (PCI) and healthcare (HIPPA) compliance are good examples Carrier-grade NAT (CGN) will become a permanent fixture, due to IPv6 mobility requirements Encapsulation is everywhere! Much of what I will talk about is noted in 6824, but responses either provide flexibility in MPTCP protocol (i.e. less security), or force fallback to standard TCP This discussion is about how middlebox vendors will actively respond to MPTCP threats over time

3 MPTCP Middlebox Issues
FW/NAT – Will embedded addresses in MPTCP options be properly NAT’d? Especially critical with CGN Application Layer Inspection Engines – Are biased to a single session paradigm Engines using protocol decoders (i.e. reassembling traffic in context) will fail because they cannot properly reassemble an MPTCP session Flow-based engines will suffer degradation due to false negatives, due to inability to match patterns in data across multiple sessions Proxy services will fail due to improper protocol statefulness Especially transparent ones DNS/FQDN inspection solutions will degrade, since path joins occur after resolutions Including DNSSEC MPTCP open to Man-In-The-Middle attacks

4 MPTCP Middleboxes Issues (cont’d)
Host A Host B SP-X SP-Y B.X B.Y SUB-FLOW A<>B.X SUB-FLOW A<>B.Y Even if host has single link/path, the single session bias issues are still present Across multiple paths, how can application data be meaningfully inspected NAT issues abound! Host A Host B SP-X SP-Y B.X B.Y SUB-FLOW A.X<>B.X SUB-FLOW A.Y<>B.Y A.X A.Y SUB-FLOW A.Y<>B.X SUB-FLOW A.X<>B.Y

5 Solutions Middleboxes Will Create
First, MPTCP will be seen as an attack vector Create option to block the MPTCP options (or unknown TCP options), to force fallback to standard TCP DNS/FQDN inspection services (such as web filtering) will probe for sites using MPTCP, and include this information to enforcement devices Better than broad option blocking, allows entities to choose which categories of sites are allowed for MPTCP

6 Solutions Middleboxes Will Create
MPTCP application-layer gateway (ALG) capabilities will emerge Ability to detect/inspect MPTCP option values, to look for MITM issues Ability to block/limit undesirable paths Properly translate IP addresses in MPTCP options across NAT devices MPTCP proxy devices Initially edge devices, rather than cloud based Path convergence is easier at the edge

7 Edge MPTCP Proxy Host A Host B SP-X SP-Y B.X B.Y SUB-FLOW FW.X<>B.X SUB-FLOW FW.Z<>B.Y SP-Z FW.X FW.Z SUB-FLOW FW.Z<>B.X SUB-FLOW FW.X<>B.Y MPTCP Proxy TCP A<>FW FW Multi-path devices front end to user and/or server hosts to converge all MPTCP subflows As MPTCP Proxy has access to all subflows, it provides an inspection point High-availability and other resiliency mechanisms can be applied to MPTCP proxies

8 Summary The current state of middlebox support for MPTCP will limit its usefulness Middlebox creators will actively pursue methodologies to workaround or mitigate functional degradation effects of MPTCP Any information in the MPTCP options is subject to inspection and action by middleboxes MPTCP proxies will be developed, likely at first on the edge, then followed by cloud/carrier

Download ppt "Some Thoughts on MPTCP Proxies and Middleboxes"

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.

Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604.

Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff DePaul University Chicago, IL
Rethink the design of the Internet CSCI 780, Fall 2005.

Rethink the design of the Internet CSCI 780, Fall 2005.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.

Similar presentations

Ads by Google