Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4440
Title: Alternative Approach for Authenticating Subflows of Multipath Transmission Control Protocol using Application Level Key
Authors: Wijethilake, T. N. B.
Issue Date: 4-Aug-2021
Abstract: Multipath Transmission Control Protocol (MPTCP) is an extension to Transmission Control Protocol (TCP) proposed by the Internet Engineering Task Force (IETF). The main intention of MPTCP is to use multiple network interfaces simultaneously in a single network connection. MPTCP creates multiple TCP connections between two hosts, which are known as subflows. Using multiple connections can improve the throughput of the connection. Because redundant connections are available, MPTCP can recover from network connection failures efficiently without the application noticing. MPTCP clearly has a number of advantages, but researchers have identified a considerable number of security threats related to the connections it initiates. These connections are vulnerable to a number of attacks, such as DoS attacks, flooding attacks, connection hijacking and so on. MPTCP shares a set of keys when establishing the first connection, also known as the first subflow, and uses these shared keys to authenticate the subsequent subflows created by the hosts. These keys are exchanged in plain text, and this plain-text exchange is one of the main reasons for the security vulnerabilities. A number of solutions have been proposed to mitigate these vulnerabilities; using an encryption mechanism to secure the keys and changing the header formats are some of them. This research is inspired by one of the proposed solutions, which uses external keys to authenticate the subflows. That solution proposes new socket APIs to obtain the keys from the application level to authenticate the connection, but there is still no proper implementation of it. Therefore, as a proof of concept, this research explored an alternative mechanism for using external keys to authenticate the subflows generated by MPTCP, with minimum modifications to the currently available MPTCP version.
The research conducted a number of experiments on top of MPTCP in order to understand the behavior of the protocol, such as configuring a web server with MPTCP and connecting an MPTCP-enabled client. The final outcome of the research was implemented on the Linux kernel, and several experiments were conducted to examine the robustness and performance of the solution. Finally, the solution was evaluated to determine whether it achieves the requirement of using external keys to authenticate the subflows.
URI: http://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4440
Appears in Collections: 2019

Files in This Item:
File: 2016MCS115.pdf
Size: 4.4 MB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.