Abstract
Multipath Transmission Control Protocol (MPTCP) is an approach towards high-throughput and efficient load balancing over multiple paths. Each of paths forms a TCP connection with an IP address, and those can be implemented as multiple network interfaces or multiple ports within a network interface. In this paper, we focus on the multiple network interfaces environment. Each network interface with an IP address is called as a subflow. A subflow is a TCP connection which can have a different internet path identified by IP addresses of source and destination network interfaces. To control these multiple subflows, MPTCP supports many options. Specifically, to establish a new subflow, MPTCP uses an ADD_ADDR option. A host sends ADD_ADDR option to inform another host of its IP address, and then, the host receiving ADD_ADDR option tries to establish a subflow at the address of ADD_ADDR option. However, by forging the ADD_ADDR option, an attacker can create a fake subflow that passes through itself and eventually hijack the connection between both end hosts. In a previous study, Hash-based Message Authentication (HMAC) was added to the ADD_ADDR option, preventing it from being forged. Nevertheless, since the keys for generating HMAC can be leaked during three-way handshake, a variant of the ADD_ADDR attack called the persistent ADD_ADDR attack can be possible. To this end, we propose a protocol that can prevent the ADD_ADDR attacks by backward confirmation of the ADD_ADDR option without encryption. The main idea of our proposal is to apply a digital signature scheme for the backward confirmation. We show security analysis for the proposed protocol and compare with the previous studies in terms of time/space overheads.
Original language | English |
---|---|
Article number | 8922596 |
Pages (from-to) | 177438-177448 |
Number of pages | 11 |
Journal | IEEE Access |
Volume | 7 |
DOIs | |
Publication status | Published - 2019 |
Bibliographical note
Funding Information:This work was supported in part by the National Research Foundation of Korea (NRF), Ministry of Science and Information and Communication Technology (MSIT) under Grant 2019R1A2C2088812, in part by the NRF, MSIT, through the Next-Generation Information Computing Development Program under Grant 2017M3C4A7083676, and in part by the Military Crypto Research Center, Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD) under Grant UD170109ED.
Publisher Copyright:
© 2013 IEEE.
Keywords
- ADD_ADDR attack
- MPTCP
- connection hijacking
- network security
ASJC Scopus subject areas
- General Computer Science
- General Materials Science
- General Engineering