* Posts by Secvalve

4 publicly visible posts • joined 31 Jul 2014

Multipath TCP speeds up the internet so much that security breaks

Secvalve

Re: When in trouble or in doubt...

While I agree you should be in control of your network, it's also easy to think that you have more visibility or control than you do. You'd be surprised how many times I see orgs not stripping/proxying outbound SSL and not understanding why it matters to their DLP.

For a small or HIGHLY managed network you can work to maintain security via network totalitarianism. The larger the network, or the more dynamic the systems on it, the less realistic this becomes. Within the .mil space or small companies this can be done. But I have never seen this succeed in big dynamic orgs, other than in very tightly restricted network segments. Usually I can tunnel over HTTP or DNS for a good length of time anyway. If they catch on and block that, then there are other methods.

Secvalve

Heh, I'm not an academic, I'm a lowly security consultant. I get paid to 1. break stuff and 2. help people secure things for the future. Sanity left long ago. Research is a side hobby of mine and not my day job (yet?).

I'm used to people spinning this into "the sky is falling", or commenting on this work when they obviously haven't read the actual article or sources. This leads to a hilarious bingo card by the way: "OMG SO OBVIOUS" = take one token, "Why would I want this" = 1 token, "KILL IT, KILL IT!" = 2 tokens...

You're right that the mobile space is a big driver. Another is highly connected networks such as one might find in datacenters. This is because it allows you to aggregate link capacity without complicated and proprietary tech.

Secvalve

Re: Oh good, a proper expert.

You can't implement it at the application layer yet without either OS support or administrative privileges (for crafting raw packets).

To your question though, I think this sort of technique shows huge promise as a privacy-preserving technology. I'm not the right person to make it happen; if you break Tor you kill people. Nevertheless, I will be encouraging the right people to look into it.

Secvalve

Hi, I'm Catherine Pearce (@secvalve), the primary researcher for the Black Hat research referred to here.

Just thought I'd clarify a few things and attempt to bring some nuance back to this discussion. One of my key points in this work was to raise awareness of this tech so people can respond appropriately, in whatever way that means for them and their technology.

Firstly, many of the techniques done in MPTCP aren't entirely novel; you could do them at the application layer if you wanted to, but MPTCP brings them to most existing tech without having to handle the complexity in the application. I recommend people see this paper if they're technically inclined: http://inl.info.ucl.ac.be/system/files/nsdi12-final125.pdf. As for the discussions on congestion, flow control, and network load, there has been some research done into this; see "theoretical background" here: http://nrg.cs.ucl.ac.uk/mptcp/

One short way to think about packet switching is that packets of data should be sent wherever the best route is at the time. With TCP however, you're stuck with whatever link and address(es) you initially use. MPTCP extends TCP and frees you from this restriction.

Shifting power: yes, one of the key things a tech like MPTCP does is shift some degree of trust away from network operators and on to the endpoints. While you should be using things like encryption, in cases where this isn't possible or efficient you are generally at the mercy of whichever networks you pass your traffic over. MPTCP gives you a bit more choice, and a bit more ability to split things up and compare differences. This is seen as bad in organizations (who like to be effectively totalitarian in their own domain), but is a good thing if you're trying to protect yourself from a network (state-level attackers).

Regarding how people can deal with this, of course they can bottleneck it, or stop it going multipath in the first place, but this prevents you from getting the benefits. Network operators shouldn't short-sightedly kill something because they don't understand it; there are more sensible ways to deal with a threat than panicking and beating it to death.

Oh, and MPTCP can also split traffic over both IPv6 and IPv4 at the same time. I find that fun to think about...

More details will come out next week -- Catherine
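The posts above note that operators can see MPTCP coming and decide how to handle it rather than blindly killing it. As an added example (not code from the posts or from the research they discuss), the parser below walks the option list of a raw TCP header and reports which MPTCP subtypes (TCP option kind 30, as assigned in RFC 6824) a segment carries; MP_CAPABLE marks a connection negotiating multipath, while MP_JOIN or ADD_ADDR signal that a second path is being attached, which is exactly the traffic a DLP or IDS that only watches one link would otherwise miss. The sample SYN headers are constructed inline; the port, key, token and nonce values are made up.

```python
import struct

# MPTCP uses TCP option kind 30 (RFC 6824); the subtype is the high nibble of
# the first byte after the option length.
MPTCP_KIND = 30
MPTCP_SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
                  4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}

def parse_tcp_options(tcp_header: bytes):
    """Walk the option list of a raw TCP header; returns [(kind, payload), ...]."""
    if len(tcp_header) < 20:
        raise ValueError("short TCP header")
    data_offset = (tcp_header[12] >> 4) * 4   # header length incl. options
    opts = tcp_header[20:data_offset]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out

def mptcp_signals(tcp_header: bytes):
    """Names of MPTCP subtypes present; MP_JOIN/ADD_ADDR mean a second path."""
    return [MPTCP_SUBTYPES.get(p[0] >> 4, "UNKNOWN")
            for k, p in parse_tcp_options(tcp_header) if k == MPTCP_KIND and p]

def build_syn(options: bytes) -> bytes:
    """Constructed sample: minimal TCP SYN header carrying the given options."""
    options += b"\x00" * (-len(options) % 4)         # pad to 32-bit boundary
    words = 5 + len(options) // 4
    base = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, words << 4, 0x02, 65535, 0, 0)
    return base + options

MSS = bytes([2, 4, 0x05, 0xb4])                                   # MSS 1460
MP_CAPABLE = bytes([30, 12, 0x00, 0x81]) + b"\x11" * 8            # v0, flags, sender key
MP_JOIN = bytes([30, 12, 0x10, 0x01]) + b"\x22" * 4 + b"\x33" * 4  # addr ID, token, nonce

if __name__ == "__main__":
    for name, opts in [("plain", MSS), ("capable", MSS + MP_CAPABLE), ("join", MSS + MP_JOIN)]:
        print(name, mptcp_signals(build_syn(opts)))
```

Feeding the same parser the TCP header bytes from a capture lets an operator count how many flows negotiate MPTCP and where MP_JOIN subflows arrive, which is the information needed to decide between bottlenecking, stripping the option at the edge, or leaving it alone.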