iOS 7 Adds Multipath TCP
A host may now add a new subflow, and this subflow will be authenticated using a hash derived from the keys exchanged earlier, and nonces that are unique to each new subflow. The MP_JOIN option is used to carry this data. Throughout the connection, hosts may inform each other of newly acquired addresses, and they may use them for new subflows. Since each subflow has its own set of sequence numbers, "Data Sequence Signals" are used to communicate how the sequence numbers in the subflow map to the combined data flow.

The protocol has a lot of little details that make it well suited for hosts connected to multiple wireless networks. For example, different subflows may have different priorities. One usage scenario is a cell phone connected to a WiFi network as well as a cellular network, and roaming between the two. For example, you start a TCP connection at home, and continue using it as you leave the house and your phone switches to the cellular network. As long as both networks are available for a while, MPTCP may drop the WiFi connection and exclusively use the cell phone data connection until you reach another WiFi network.

But enough about how the protocol works, here are some packets. A quick BPF to capture these packets (for example with tcpdump):
tcp[12] & 0xf0 >= 0xe0
It is not perfect, but because the options involved are rather large, you will find MPTCP packets by looking for larger TCP header sizes. This filter looks for a TCP header size of 56 bytes and above, with 60 bytes being the maximum (you don't really need the bitmask for the filter). Wireshark and tshark deal rather well with MPTCP. For example, tshark displays for the TCP options:
Multipath TCP: Multipath Capable
    Kind: Multipath TCP (30)
    Length: 12
    0000 .... = Multipath TCP subtype: Multipath Capable (0)
    .... 0000 = Multipath TCP version: 0
    Multipath TCP flags: 0x01
        0... .... = Checksum required: 0
        .... ...1 = Use HMAC-SHA1: 1
    Multipath TCP Sender's Key: 8848941202347829228
16:44:15.681318 IP 70.91.145.11.57799 > 17.174.8.5.443: Flags [S], seq 847601216, win 65535, options [mss 1460,nop,wscale 3,Unknown Option 3000017acdc123cc42a7ec,nop,nop,TS val 102569696 ecr 0,sackOK,eol], length 0
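Added example, not part of the original diary: instead of relying on header size, the Python below walks the TCP option list, finds option kind 30 and decodes the Multipath Capable fields that tshark displays above. The sample header is reconstructed from the capture line above with the checksum zeroed, and the function names are this example's own.

```python
import struct

MPTCP_KIND = 30  # TCP option kind for Multipath TCP (decimal, as tshark shows)
SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS"}

def build_sample_syn():
    """Constructed TCP header matching the capture line (checksum zeroed)."""
    opts = (bytes.fromhex("020405b4") + b"\x01"          # mss 1460, nop
            + bytes.fromhex("030303")                     # wscale 3
            + bytes.fromhex("1e0c00017acdc123cc42a7ec")   # option 30, length 12
            + b"\x01\x01\x08\x0a"                         # nop, nop, TS kind/len
            + struct.pack("!II", 102569696, 0)            # TS val, ecr
            + bytes.fromhex("0402") + b"\x00")            # sackOK, eol
    opts += b"\x00" * (-len(opts) % 4)                    # pad to 32-bit words
    offset = (20 + len(opts)) // 4                        # 14 words = 56 bytes
    return struct.pack("!HHIIBBHHH", 57799, 443, 847601216, 0,
                       offset << 4, 0x02, 65535, 0, 0) + opts

def header_len_heuristic(tcp):
    """Same test as the BPF filter: data offset of 14 words or more."""
    return (tcp[12] & 0xF0) >= 0xE0

def find_mptcp(tcp):
    """Walk the option list, decode MPTCP options, stop on malformed input."""
    end = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if end < 20 or end > len(tcp):
        return []
    found, i = [], 20
    while i < end:
        kind = tcp[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # nop is a single byte
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            break                     # truncated or bogus length
        length = tcp[i + 1]
        body = tcp[i + 2:i + length]
        if kind == MPTCP_KIND and body:
            info = {"subtype": SUBTYPES.get(body[0] >> 4, body[0] >> 4)}
            if body[0] >> 4 == 0 and len(body) >= 10:   # MP_CAPABLE with key
                info.update(version=body[0] & 0x0F,
                            checksum_required=bool(body[1] & 0x80),
                            hmac_sha1=bool(body[1] & 0x01),
                            sender_key=int.from_bytes(body[2:10], "big"))
            found.append(info)
        i += length
    return found
```

A packet that carries many ordinary options can pass the header-size test without containing option 30, so the option walk is the more exact check when false positives matter.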
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
Should this line read 'each new subflow'?
"and nonces that are unique to each no subflow."
Does this mean that we are likely to see mobile malware that makes use of Multipath TCP to find byod devices that talk back to a server on two different IP addresses, one of which is likely bypassing the corporate firewall via a cellular network and essentially advertising itself as an attack vector to the malware originator?
Anonymous
Oct 1st 2013
1 decade ago
I haven't had a chance yet to test this with different IDS/Firewalls, but I expect that they will have problems with it. They need to be able to combine the subflows and figure out the combined content. If possible, it may be best to block TCP Option 0x30, but again, I haven't tested this, and it may "break stuff".
The use case for MPTCP assumes that you are connected to different networks that are not necessarily under one administrative control. This is a difficult scenario no matter what IDS or firewall you have.
Anonymous
Oct 1st 2013
1 decade ago