Force fallback to TCP

[dulive]

Hello,

Is it possible to force an arbitrary MPTCP connection to fallback to TCP from the userspace, for example using NETLINK?

[VenkateswaranJ]

Hello,

Mptcp connection will fall back to TCP on the below scenarios.

1. Any of the hosts (server or client) is not Mptcp capable.
2. If there is any buggy middlebox in your network that remove or change the Mptcp option in the TCP packet header.

Currently, you can't force an active MPTCP connection to TCP fallback via Netlink command.

[dulive]

Currently, you can't force an active MPTCP connection to TCP fallback via Netlink command.

Are there any plans to support it in the future or it's out of the scope?

[VenkateswaranJ]

Current Netlink command implementation only focus on managing Mptcp connection (create subflow, destroy subflow etc.,)
You can have a look here #186

But can you share your use case for this? Why do you want to force an active Mptcp Connection to TCP in the middle of communication?

[dulive]

Actually it wouldn't be in the middle of a communication but rather when a MPTCP connection is created or established.

Basically I want to force fallback to TCP if a MPTCP connection was created/established for some interface that I don't want to use MPTCP (for example the interface is connected to an unprotected/untrusted network) or if I don't trust the other side to use MPTCP.

[VenkateswaranJ]

Sorry for misunderstanding your question. So if you know that untrusted interface beforehand then I would suggest you create a TCP socket to initiate a connection to that interface instead of an MPTCP socket. If you only get to know that untrusted interface after the connection is established then there is no straightforward way to force that connection to fallback(at least as far as I know).

[dulive]

This is not for a software/application to use MPTCP but for a daemon/mptcpd plugin that would control the use of MPTCP on the system (for example, if any application on the system tried to use MPTCP through an untrusted interface it would force it to TCP).

there is no straightforward way to force that connection to fallback(at least as far as I know).

I see, but could it work if the packets were intercepted with Netfilter and altered to be simply TCP?

[matttbe]

Hello,

I don't think we should do some policy management via the Path Manager.

With Netfilter, you can drop TCP options. Would it not be OK for you?
I don't know if we can do something "similar" with other "security" features implemented in the kernel..

[VenkateswaranJ]

This is not for a software/application to use MPTCP but for a daemon/mptcpd plugin that would control the use of MPTCP on the system (for example, if an application on the system tried to use MPTCP through an untrusted interface it would force it to TCP).

Hmm, Mptcpd daemon can't do that. It can only manage active mptcp connection (like create/destroy subflow, announce/remove IP etc., ). It's not possible to make any changes at the mptcp connection level.

I see, but could it work if the packets were intercepted with Netfilter and altered to be simply TCP?

Yepp you can do that. I even tried it sometime before for testing, it will fall back to infinite mapping.

Also check this issue: multipath-tcp/mptcp#420

#! /usr/bin/env python2.7
from scapy.all import *
from netfilterqueue import NetfilterQueue
import os

iptablesr = "iptables -A FORWARD -j NFQUEUE --queue-num 1"

os.system(iptablesr)
os.system("sysctl net.ipv4.ip_forward=1")

def check_mptcp_option(option_list):
    for option in option_list:
    	if option[0] == 30:
    	    return True
    return False

def modify(packet):
	ip_pkt = IP(packet.get_payload())
	try:
		ip_tcp = ip_pkt.getlayer(TCP)
		if check_mptcp_option(ip_tcp.options):
			payload_before = len(ip_pkt[TCP])
			option = list(ip_pkt[TCP].options[-1][1])
			option[-1] = 'm'
			option = "".join(option)
			ip_pkt[TCP].options = ip_pkt[TCP].options[:-1]
			ip_pkt[TCP].options.append((30, ""))
			payload_after = len(ip_pkt[TCP])
			payload_dif = payload_after - payload_before
			ip_pkt[IP].len = ip_pkt[IP].len + payload_dif
			ip_pkt[TCP].dataofs = (payload_after - len(ip_pkt[TCP].payload))/4
			del ip_pkt[IP].chksum
			del ip_pkt[TCP].chksum
			print ip_pkt[TCP].options
			packet.set_payload(str(ip_pkt))
		packet.accept()
	except Exception as e:
		print e
		packet.accept() #just skip the packet unmodified.

nfqueue = NetfilterQueue()
nfqueue.bind(1, modify)
try:
    print "[*] waiting for data"
    nfqueue.run()
except KeyboardInterrupt:
    nfqueue.unbind()
    print "Flushing iptables."
    os.system('iptables -F')
    os.system('iptables -X')

[dulive]

With Netfilter, you can drop TCP options. Would it not be OK for you?

As I never used Netfilter I was looking if there was already something more easy and direct since there are events for MPTCP communication creation and establishment. At the same time, queuing all IPv4 and IPv6 packets just to modify those which are MPTCP and from/to an untrusted/unprotected interface seems a little too much for a simple Mptcpd plugin for example. But is always something that I can try.

Hmm, Mptcpd daemon can't do that. It can only manage active mptcp connection (like create/destroy subflow, announce/remove IP etc., ). It's not possible to make any changes at the mptcp connection level.

Well a plugin can extend Mptcpd to do so, it can have its own Netlink socket and everything, but this is not related to the issue/question.

Also check this issue: multipath-tcp/mptcp#420

Will do so.

[matttbe]

With Netfilter, you can drop TCP options. Would it not be OK for you?

As I never used Netfilter I was looking if there was already something more easy and direct since there are events for MPTCP communication creation and establishment. At the same time, queuing all IPv4 and IPv6 packets just to modify those which are MPTCP and from/to an untrusted/unprotected interface seems a little too much for a simple Mptcpd plugin for example. But is always something that I can try.

With IPTables for example, you can match MPTCP traffic with -p tcp --tcp-option 30. Then you can use TCPOPTSTRIP target to strip MPTCP option. Additionally, you can restrict to one interface and only to SYN. For example:

iptables -w -t filter -A OUTPUT -o eth0 -p tcp --tcp-option 30 --tcp-flags SYN,ACK SYN -j TCPOPTSTRIP --strip-options 30

(same with ip6tables, similar with nftables or other tools on top of them)

So does it make sense not to do some policy actions from the PM? :)

[dulive]

Interesting I didn't know about that, it's probably the best solution.
Now I just have to learn how to do that in C.

So does it make sense not to do some policy actions from the PM? :)

With what you said it makes a lot of sense

Thank you both.