Security of communications using Bonding(MIKROTIK)

fororichi · November 12, 2010, 12:22pm

Hi, this is my first post and I hope to explain as best as possible.

I’m working on a project where I need to achieve optimum use of the BONDING to provide complete safety of the transmission to take advantage of the channels created with a Bonding.

Bonding = Bonding is a technology that allows to aggregate multiple ethernet-like interfaces into a single virtual link, thus getting higher data rates and providing failover.

I have to get is to make that data which will be transmitted on the virtual link created with the bonding are received correctly by the receiver, i.e., that are reliable and that can avoid being intercepted by communication outsiders (a man in the middle attack, for example).

The idea that we have is, for example, to send a Word, ‘BALL’, send a ‘B’ and an ‘A’ for an interface (per channel) and send an ‘L’ and ‘L’ by another channel.
We want to achieve that, until that I don’t receive the message in the destination, I can not know the entire message that I’m sending.

Thus, if at some point, an attacker (e.g., a hacker) capture me some package, he may not know what it is, because he don’t have the message full.

The idea is to use the Bonding channels(mikrotik) to provide communication security

Someone I can lend a hand to know where to direct/to route my project ?

Someone who has done something similar?

fewi · November 12, 2010, 1:51pm

http://wiki.mikrotik.com/wiki/Manual:Interface/Bonding#Bonding_modes
Some modes round robin packets.

That is not security. Let’s do that with caps. That is NOT security. Use IPsec with SHA, at least AES128, at least a 1024bit DH group, and appropriately short lifetimes (depends on traffic rate. Let’s say four hour, but do the math to back that up). That would be secure. If you feel like then combining that with bonding go right ahead after you have checked that the layout of physical connections is actually appropriate for bonding.

rmichael · November 12, 2010, 5:19pm

This is an interesting idea for obfuscating your communication. I would say it could have application in thwarting realtime MiTM attacks but not so much for privacy or long term data security.

fewi · November 12, 2010, 5:36pm

There would be several methods to force retransmits of packets, increasing the likelihood that all packets will eventually be seen on one of the links.

rmichael · November 12, 2010, 7:07pm

But passive taps like calea package don’t do that.

Chupaka · November 18, 2010, 1:22pm

I can’t see an answer in that ugly red text, so: what links do you use? is it Ethernet or something else? think about OOO packets - they will decrease TCP performance significantly over bording-rr