Emerging networking technology used by Apple, Cisco will frustrate firewalls

Multipath TCP improves performance but hampers security

Catherine Pearce, security consultant with Neohapsis

Catherine Pearce, security consultant with Neohapsis

Today's security software is ineffective against an emerging networking technology already in use by Apple for its Siri voice-recognition software, according to research presented at the Black Hat hacking conference this week.

The technology, called Multipath TCP (MPTCP), is a souped-up sibling of TCP, a cornerstone Internet protocol for transferring data packets between computers. Cisco and Juniper have also put MPTCP in some of their equipment.

But while TCP can only use one connection path to send data, MPTCP can simultaneously use different connection paths, such as Wi-Fi and a mobile phone's data connection, which results in better performance and resiliency.

MPTCP is still in its early days, and the Internet Engineering Task Force, which creates Internet technology standards, is still studying it. But because MPTCP is already backwards-compatible with TCP, it works, and Apple uses it for Siri.

The problem is that splitting data steams over different connection paths poses thorny issues for security technologies such as firewalls and deep packet inspection software, which are designed for regular TCP, said Catherine Pearce, a security consultant with Neohapsis.

MPTCP "can be used to break pretty much every security control you throw in front of it in some way," Pearce said in a phone interview on Thursday. "As this rolls out, this is going to be huge. It doesn't change routing. It changes how networking works in some really fundamental ways."

One of MPTCP's quirks is that it decouples a TCP data stream from a specific IP address, Neohapsis wrote on its blog. Since data could come from multiple IP addresses, security devices can't see the full stream of packets to detect malicious behavior.

"Right now we know of no tool that can do it," Pearce said.

It changes the model that assumes an IP address can be attributed to a single host or that a client always connects to a specific server, she said.

Another issue is that the application sending packets can determine over which connection the packets are sent. A firewall may not be able to determine if one TCP stream is related to another, Pearce said.

MPTCP is designed for resiliency, so if one data stream is blocked by a security device, the protocol will try to find a way around it. It means that endpoints receiving data have less control and are likely to accept data streams that can't -- at least at this point -- be linked together for analysis.

The technology could be a nightmare for those fighting botnets, or networks of compromised computers used to send spam and distribute malware. Mixing the use of MPTCP with distributed anonymity services such as Tor could make the data traffic "really hard to surveil," Pearce said.

Network operators could use a blunt-force defense and block MPTCP packets since they're designated as such in the packet headers, Pearce said, but that will not be viable if many applications use it.

Networks have to support MPTCP in order for applications to utilize it. There are implementations for several operating systems, including Linux, BSD and Android, Pearce said.

Microsoft has not supported it yet for Windows, which could set the pace for how many developers eventually embrace it, she said.

The slide deck for the presentation, which Pearce gave with her colleague Patrick Thomas on Wednesday, is now online.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Computerworld newsletter!

Error: Please check your email address.

Tags black hatsecurityNetworkingNeohapsis

More about Internet Engineering Task ForceJuniperLinuxNeohapsis

CIO
ARN
Techworld
CMO