Re: Using RELATED for a level4 protocol (MPTCP)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Tue, 22 May 2012, Nicolas Maître wrote:

> I'm a complete newbie in netfilter hacking and I'm trying to implement
> the support of MPTCP [0] (standing for MultiPath TCP) in netfilter in
> the context of a master's thesis.
> 
> I'll just summarize some points of MPTCP here to get a chance to be
> understood with my request.
> MPTCP is an extension of TCP which enables it to use multiple paths as
> part of a single "MPTCP connection", answering to a multihoming and
> performance demand. It acts as a higher-level, using TCP connections
> as subflows and it has been designed to be backward-compatible with
> regular TCP.
> It exposes a similar interface to TCP to the application layer. A
> figure might help to get the whole thing:
> 
>        +-------------------------------+
>        |           Application         |
>        +-------------------------------+
>        |             MPTCP             |
>        + - - - - - - - + - - - - - - - +
>        | Subflow (TCP) | Subflow (TCP) |
>        +-------------------------------+
>        |       IP      |      IP       |
>        +-------------------------------+
> (If you cannot read it properly, the 2 figures in this mail are taken
> from [0] where they are displayed correctly with a monospace font).
> 
> It's currently being standardized by the IETF.
> Furthermore, a Linux implementation is already available and working fine [1].
> 
> Now, what I'd like some help with is for the handling of additional
> subflows.  Here is a figure to illustrate the setup of an additional
> subflow.
> 
>               Host A                                  Host B
>      ------------------------                       ----------
>      Address A1    Address A2                       Address B1
>      ----------    ----------                       ----------
>          |             |                                |
>          |             | SYN + MP_CAPABLE               |
> Initial subflow negotiation
>          |--------------------------------------------->|
>          |<---------------------------------------------|
>          |          SYN/ACK + MP_CAPABLE(Key-B)         |
>          |             |                                |
>          |        ACK + MP_CAPABLE(Key-A, Key-B)        |
>          |--------------------------------------------->|
>          |             |                                |
>          |             |   SYN + MP_JOIN(Token-B, R-A)  |
> Additional subflow
>          |             |------------------------------->|
>          |             |<-------------------------------|
>          |             |  SYN/ACK + MP_JOIN(MAC-B, R-B) |
>          |             |                                |
>          |             |      ACK + MP_JOIN(MAC-A)      |
>          |             |------------------------------->|
>          |             |                                |
> 
> As subflows are negotiated (and authenticated) with an option in a
> regular TCP handshake, I'd like to know if there is currently a simple
> way of accepting new subflow packets with netfilter.
> Specifically, I thought of handling the MP_JOIN with a kind of
> conntrack's RELATED state. Indeed, the first packet of the MP_JOIN
> step can be "expected" and verified to be originating from the same
> host than the initial subflow.

As far as I see, after the hosts advertised their addresses (which can 
later be updated) any one of them may initiate a subflow to the possible 
advertised addresses/ports of the other side.

There are two possibilities:

a. conntrack helper: Whenever an address advertisement is detected,
   a corresponding expectation is created. It's not very nice that
   the expectation may never be used and thus created unnecessarily.
b. mptcp target and match: The target keeps record of 
   the ids/addresses/ports from the advertisements. New subflows
   can be allowed by the match, which searches for a match in the
   pool of the id/address/port entries.

The target/match looks nicer and thus one could have a little bit firmer 
grasp on the protocol - it looks quite easy to force opening up any 
address/port by the firewall if MPTCP is blindly accepted.
 
> After inspection of the code, I doubt that this would be possible as
> the expectation setup takes the ip addresses and ports as parameters.
> I therefore assume that the whole expectation system is only usable
> for protocols on the application level?
> Could you confirm that it's not the good way to go?
> But then, do you see any tool in the framework that would be helpful
> to me? Or give me some advices/pointers to integrate this in an
> elegant way into netfilter ?
> 
> In advance, thank you!
> 
> 
> [0] http://tools.ietf.org/html/draft-ietf-mptcp-multiaddressed-07
> [1] http://mptcp.info.ucl.ac.be/

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

[Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

Powered by Linux