EP-4381724-B1 - SECURING MULTI-PATH TCP (MPTCP) WITH WIREGUARD PROTOCOL
Inventors
- HADDAD, WASSIM MICHEL
- MAHKONEN, HEIKKI
Dates
- Publication Date
- 20260506
- Application Date
- 20210802
Claims (12)
- A method of a server to establish secure multipath communications between the server and a user device, the method comprising: establishing (1001) a WireGuard connection with the user device; establishing (1003) a first sub flow of a multipath transmission control protocol, MPTCP, connection with the user device using a first WireGuard virtual private network, VPN, tunnel, the first sub flow having a first path; sending (1005) a message to initiate a second path between the server and the user device, the message including a WireGuard interface address, a public key for the server, and a WireGuard indicator which indicates that the server supports WireGuard to secure MPTCP paths with a WireGuard VPN; receiving (1007) a reply message with a public key for the user device; and establishing (1011) a second sub flow of the MPTCP connection with the user device using a second WireGuard VPN tunnel, the second sub flow having the second path.
- The method of claim 1, further comprising: establishing (1013) a third sub flow of the MPTCP connection with the user device using a third WireGuard VPN tunnel, the third sub flow having a third path.
- The method of claim 1, further comprising: determining that the second sub flow is inactive; and tearing (1015) down the second WireGuard VPN tunnel in response to determining that the second sub flow is inactive.
- The method of claim 1, wherein the message includes an add address option of MPTCP.
- An electronic device comprising: a machine-readable storage medium (1118, 1148, 1248) having stored therein a secure multipath transmission control protocol, MPTCP, component; and a set of processors (1112, 1142, 1242) coupled to the machine-readable storage medium, at least one of the set of processors being configured to execute the secure MPTCP component to perform the method of claims 1-4.
- A machine-readable medium comprising computer program code which when executed by a computer carries out the method steps of any of claims 1-4.
- A method of a user device to establish secure multipath communications between a server and the user device, the method comprising: establishing (901) a WireGuard connection with the server; establishing (903) a first sub flow of a multipath transmission control protocol, MPTCP, connection with the server using a first WireGuard virtual private network, VPN, tunnel, the first sub flow having a first path; receiving (905) a message to initiate a second path between the server and the user device, the message including a WireGuard interface address, a public key for the server, and a WireGuard indicator which indicates that the server supports WireGuard to secure MPTCP paths with a WireGuard VPN; sending (907) a reply message with a public key for the user device; and establishing (911) a second sub flow of the MPTCP connection with the server using a second WireGuard VPN tunnel, the second sub flow having the second path.
- The method of claim 7, further comprising: establishing (913) a third sub flow of the MPTCP connection with the server using a third WireGuard VPN tunnel, the third sub flow having a third path.
- The method of claim 7, further comprising: determining that the second sub flow is inactive; and tearing (915) down the second WireGuard VPN tunnel in response to determining that the second sub flow is inactive.
- The method of claim 7, wherein the message includes an add address option of MPTCP.
- An electronic device comprising: a machine-readable storage medium (1118, 1148, 1248) having stored therein a secure multipath transmission control protocol, MPTCP, component; and a set of processors (1112, 1142, 1242) coupled to the machine-readable storage medium, at least one of the set of processors being configured to execute the secure MPTCP component to perform the method of claims 7-10.
- A machine-readable medium comprising computer program code which when executed by a computer carries out the method steps of any of claims 7-10.
Description
TECHNICAL FIELD
Embodiments of the invention relate to the field of multi-path communication sessions; and more specifically, to a process and system for securing multi-path communication sessions.
BACKGROUND ART
Multipath communication involves the use of multiple independent pathways across a network or set of networks to communicate between two endpoint electronic devices. However, support in existing communication protocols can be limited. Multipath transmission control protocol (MPTCP) is one protocol that supports multipath communication. MPTCP is a protocol developed and managed by the Internet Engineering Task Force (IETF) Multipath TCP working group. MPTCP expands the operation of TCP to support connections that use multiple paths to maximize resource usage and increase redundancy. MPTCP enables inverse multiplexing of resources and increases TCP throughput to the sum of all available link-level channels instead of using a single one as required by TCP. Multipath TCP can be used in wireless networks, including wireless networks that include both Wi-Fi and mobile communication network protocols (e.g., 5G and 4G LTE). In MPTCP, paths can be added or dropped to adjust bandwidth and redundancy; for example, if a user device moves within the coverage offered by a mobile communication network, new paths can be added or old paths dropped without disrupting the end-to-end TCP connection with the user device. MPTCP can also be utilized in data centers. Multipath TCP can balance a single TCP connection across multiple interfaces and reach very high throughput. However, MPTCP causes a number of new issues. From a network security perspective, multipath routing causes cross-path data fragmentation that results in firewalls and malware scanners becoming inefficient because they can only see one path's traffic in an MPTCP session. In addition, secure socket layer (SSL) decryption becomes inefficient due to the end-to-end encryption protocols.
Thus, a mechanism for the efficient and secure operation of multi-path communication is not available for MPTCP. KR 2020 0007189 A discloses a method for transmitting medical information through MPTCP subflows.
SUMMARY
The invention is defined by claims 1, 5, 6, 7, 11 and 12. In one embodiment, a method of a server to establish secure multipath communications between the server and a user device includes establishing a WireGuard connection with the user device, establishing a first sub flow of a multipath transmission control protocol (MPTCP) connection with the user device using a first WireGuard virtual private network (VPN) tunnel, the first sub flow having a first path, sending a message to initiate a second path between the server and the user device, the message including a WireGuard interface address, a public key for the server, and a WireGuard indicator, receiving a reply message with a public key for the user device, and establishing a second sub flow of the MPTCP connection with the user device using a second WireGuard VPN tunnel, the second sub flow having the second path.
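As an added illustration that is not code from the patent or from its inventors, the Python model below walks through the control-plane exchange of claims 1 and 7: an initial WireGuard connection and first MPTCP sub flow, a path-initiation message carrying a WireGuard interface address, the server public key and a WireGuard indicator, a reply with the user device's public key, a second tunnel per endpoint, and the teardown of claims 3 and 9 when a sub flow goes inactive. The message field layout, the single static key per endpoint, the base64 random bytes standing in for WireGuard public keys, the example addresses, and the two acceptance checks on the device side (indicator present, advertised server key equal to the key of the peer behind the existing tunnel) are all assumptions of this model, not details stated in the patent.

```python
"""Control-plane model of MPTCP path setup over per-path WireGuard tunnels.

Added example modelled on the exchange described in EP-4381724-B1; the message
fields, key handling and acceptance checks are assumptions of this model.
"""
from dataclasses import dataclass, field
import base64
import os


def make_static_key() -> str:
    """Constructed stand-in for a WireGuard public key (32 random bytes, base64)."""
    return base64.b64encode(os.urandom(32)).decode()


@dataclass(frozen=True)
class AddPathMessage:
    """Server -> user device: carried in the MPTCP add-address option per the patent."""
    path_id: int
    wg_interface_addr: str   # WireGuard interface address for the new path
    server_pubkey: str       # server's WireGuard public key
    wg_indicator: bool       # True: server supports WireGuard-secured MPTCP paths


@dataclass(frozen=True)
class AddPathReply:
    """User device -> server: accepted flag, the device's public key and its source address."""
    path_id: int
    device_pubkey: str
    device_addr: str
    accepted: bool


@dataclass
class Tunnel:
    path_id: int
    local_addr: str
    peer_addr: str
    peer_pubkey: str
    active: bool = True


@dataclass
class Endpoint:
    name: str
    addrs: list                      # constructed interface addresses, one per path
    pubkey: str = field(default_factory=make_static_key)
    peer_pubkey: str = ""            # learned when the first tunnel is established
    tunnels: dict = field(default_factory=dict)

    def establish_first_tunnel(self, peer: "Endpoint", path_id: int = 1) -> None:
        """Initial WireGuard connection plus first sub flow (steps 1001/1003, 901/903)."""
        self.peer_pubkey = peer.pubkey
        self.tunnels[path_id] = Tunnel(path_id, self.addrs[0], peer.addrs[0], peer.pubkey)

    def advertise_path(self, path_id: int, addr: str, wg_supported: bool = True) -> AddPathMessage:
        """Server side: announce a new path (step 1005)."""
        return AddPathMessage(path_id, addr, self.pubkey, wg_supported)

    def handle_add_path(self, msg: AddPathMessage, local_addr: str) -> AddPathReply:
        """User device side: decide whether to open a second tunnel (steps 905/907/911)."""
        # Assumed checks: the patent only states that the device replies with its key.
        if not msg.wg_indicator:
            return AddPathReply(msg.path_id, "", local_addr, False)
        if msg.server_pubkey != self.peer_pubkey:
            # Advertised key is not the peer behind the existing tunnel: do not open a path.
            return AddPathReply(msg.path_id, "", local_addr, False)
        self.tunnels[msg.path_id] = Tunnel(msg.path_id, local_addr, msg.wg_interface_addr, msg.server_pubkey)
        return AddPathReply(msg.path_id, self.pubkey, local_addr, True)

    def handle_reply(self, msg: AddPathMessage, reply: AddPathReply) -> bool:
        """Server side: bring up the second tunnel on a positive reply (steps 1007/1011)."""
        if not reply.accepted or reply.device_pubkey != self.peer_pubkey:
            return False
        self.tunnels[reply.path_id] = Tunnel(reply.path_id, msg.wg_interface_addr, reply.device_addr, reply.device_pubkey)
        return True

    def mark_subflow_inactive(self, path_id: int) -> None:
        self.tunnels[path_id].active = False

    def teardown_inactive(self) -> list:
        """Tear down tunnels whose sub flow is inactive (steps 1015/915); returns removed path ids."""
        gone = sorted(pid for pid, t in self.tunnels.items() if not t.active)
        for pid in gone:
            del self.tunnels[pid]
        return gone


def run_exchange(server_supports_wg: bool = True):
    """Full exchange between a server and a user device with constructed addresses."""
    server = Endpoint("server", ["10.0.0.1", "10.0.1.1"])
    device = Endpoint("device", ["192.0.2.10", "198.51.100.7"])
    server.establish_first_tunnel(device)
    device.establish_first_tunnel(server)
    msg = server.advertise_path(2, server.addrs[1], server_supports_wg)
    reply = device.handle_add_path(msg, device.addrs[1])
    ok = server.handle_reply(msg, reply)
    return server, device, ok


if __name__ == "__main__":
    srv, dev, ok = run_exchange()
    print("second path established:", ok, "server paths:", sorted(srv.tunnels), "device paths:", sorted(dev.tunnels))
```

The key-match check is the part a defender cares about: the add-address message is only accepted if the server key it carries is the key of the peer the first tunnel was already established with, so a second path is always bound to the same authenticated peer rather than to whichever key a message happens to advertise. Per-path tunnels keep each sub flow's traffic inside its own authenticated, encrypted channel, so a middlebox seeing only one path cannot tamper with that path's segments.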
In another embodiment, an electronic device includes a machine-readable storage medium having stored therein a secure MPTCP component, and a set of processors coupled to the machine-readable storage medium, at least one of the set of processors to execute the secure MPTCP component to perform a process including establishing a WireGuard connection with the user device, establishing a first sub flow of an MPTCP connection with the user device using a first WireGuard VPN tunnel, the first sub flow having a first path, sending a message to initiate a second path between the server and the user device, the message including a WireGuard interface address, a public key for the server, and a WireGuard indicator, receiving a reply message with a public key for the user device, and establishing a second sub flow of the MPTCP connection with the user device using a second WireGuard VPN tunnel, the second sub flow having the second path. In a further embodiment, a machine-readable medium includes computer program code which when executed by a computer carries out a method of establishing a WireGuard connection with the user device, establishing a first sub flow of an MPTCP connection with the user device using a first WireGuard VPN tunnel, the first sub flow having a first path, sending a message to initiate a second path between the server and the user device, the message including a WireGuard interface address, a public key for the server, and a WireGuard indicator, receiving a reply message with a public key for the user device, and establishing a second sub flow of the MPTCP connection with the user device using a second WireGuard VPN tunnel, the second sub flow having the second path. In one embodiment, a method of a user device to establish secure multipath communications between a server and the user device includes establishing a WireGuard connection with the server, establishing a first sub flow of an MPTCP con