http://blog.multipath-tcp.org/blog/html/2015/07/24/korea.html
So, obviously, MPTCP can cause problems with Stateful Firewalls (as in asymmetric routing, out of state packets, etc.). Cisco's take on how to deal with MPTCP is just as interesting as MPTCP itself is.
Yep, for regular ASAs they advise you to let everything with option 30 set in the header have a free pass to your network (turn off NOOP replacement of option 30 in TCP headers via a tcp-map)... and btw, turn off packet inspection.
For ASA-X "next generation" firewalls with modern code levels, this behavior seems to be default, although it looks like you can have your packet inspection as well.
--p
"Darden, Patrick" <Patrick.Darden@p66.com> writes:
So, obviously, MPTCP can cause problems with Stateful Firewalls (as
in asymmetric routing, out of state packets, etc.). Cisco's take on
how to deal with MPTCP is just as interesting as MPTCP itself is.
...
It's not so much the statefulness of the firewall that's the problem,
it's that if the firewall wants to work at higher layers than TCP, in
particular at the TLS layer, it can't because it doesn't have all the
data.
Operators should probably consider that if they block or disable
MPTCP, the device using it might decide that network is broken or not
currently available to it for that service, and prefer its other
interface bypassing the firewall entirely.