Traditional network applications use a single path for each connection. As multiple redundant paths between application clients and servers become more common, in private networks as well as on the Internet, modern protocol implementations attempt to take advantage of these paths to improve throughput, reduce latency, and increase connection resiliency. One example of such a protocol is the Multipath Transmission Control Protocol (MPTCP). MPTCP allows two endpoints to exchange the data of a single connection across multiple subflows, each of which can use a different path and network interface. This use case is especially relevant for laptops and mobile phones, which natively support multiple network attachment points (e.g., Ethernet, Wi-Fi®, and cellular). An application can pass data for a single connection across any of these interfaces, thus achieving lower latency, managing bandwidth costs, and improving resiliency when the physical client moves between networks. When an underlying MPTCP subflow fails or is re-established, the application-layer connection remains up as long as at least one subflow is still available.
As MPTCP is being defined and deployed, one commonly overlooked area is its integration into existing enterprise/corporate security models. Because a single MPTCP connection may carry its data across several subflows and network paths, a deep inspection or threat prevention device (such as a next-generation firewall or next-generation intrusion prevention system) that sits on only one of those paths sees only a fragment of the connection-level byte stream. It can no longer effectively enforce the corporate security policies: a signature whose bytes are spread over segments sent on different subflows never appears in full on any single path, and the device cannot reassemble what it never receives.
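The following is an added illustration of this inspection gap, not code from the original page or from any MPTCP implementation. It models the one MPTCP property that matters here: every segment carries a data sequence number (DSN) giving its offset in the connection-level stream, and the receiver reassembles by DSN regardless of which subflow delivered the segment. The HTTP request, the signature string, and the subflow names `wifi` and `cellular` are constructed for the example; the chunking and round-robin scheduling are deliberately simple stand-ins for a real MPTCP scheduler, and retransmissions and overlapping segments are not modeled.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple

# Constructed sample: a request carrying a classic SQL-injection string,
# and the byte pattern an inspection device would look for.
SAMPLE_REQUEST = (
    b"GET /index.php?id=1 UNION SELECT password FROM users HTTP/1.1\r\n"
)
SIGNATURE = b"UNION SELECT"


@dataclass(frozen=True)
class Segment:
    """One MPTCP segment as it appears on the wire (simplified model).

    subflow: the path/interface that carried it (assumed names, e.g. "wifi")
    dsn:     data sequence number, i.e. offset in the connection-level stream
    payload: the bytes carried at that offset
    """
    subflow: str
    dsn: int
    payload: bytes


def split_across_subflows(stream: bytes, chunk: int,
                          subflows: Sequence[str]) -> list:
    """Cut the connection-level stream into fixed-size segments and hand them
    out round-robin across the given subflows (a toy scheduler)."""
    segments = []
    for i, offset in enumerate(range(0, len(stream), chunk)):
        segments.append(Segment(subflows[i % len(subflows)], offset,
                                stream[offset:offset + chunk]))
    return segments


def reassemble(segments: Iterable[Segment]) -> Tuple[bytes, bool]:
    """Rebuild the connection-level stream from DSNs, as the MPTCP receiver
    does. Returns (bytes, complete); complete is False when the segments
    seen do not form a gap-free stream starting at DSN 0, which is exactly
    what happens when some segments travelled a path we cannot observe."""
    ordered = sorted(segments, key=lambda s: s.dsn)
    out = bytearray()
    expected = 0
    complete = bool(ordered)
    for seg in ordered:
        if seg.dsn != expected:
            complete = False          # bytes between expected and seg.dsn are missing
        out.extend(seg.payload)
        expected = seg.dsn + len(seg.payload)
    return bytes(out), complete


def inspect_stream(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Trivial signature match on a byte stream."""
    return signature in data


def inspect_single_path(segments: Iterable[Segment], subflow: str,
                        signature: bytes = SIGNATURE) -> Tuple[bool, bool]:
    """What a device on ONE path can do: it only has this subflow's segments.
    Returns (matched, stream_was_complete)."""
    visible = [s for s in segments if s.subflow == subflow]
    data, complete = reassemble(visible)
    return inspect_stream(data, signature), complete


def inspect_all_paths(segments: Iterable[Segment],
                      signature: bytes = SIGNATURE) -> Tuple[bool, bool]:
    """What a device that sees every subflow (or the endpoint itself) can do."""
    data, complete = reassemble(segments)
    return inspect_stream(data, signature), complete


if __name__ == "__main__":
    segs = split_across_subflows(SAMPLE_REQUEST, 8, ("wifi", "cellular"))
    for path in ("wifi", "cellular"):
        matched, complete = inspect_single_path(segs, path)
        print(f"{path:9s} matched={matched!s:5s} complete={complete}")
    print("all paths matched=%s complete=%s" % inspect_all_paths(segs))
```

With 8-byte segments alternating between the two subflows, the bytes of `UNION SELECT` are split across a `wifi` segment and a `cellular` segment, so neither path-local inspector matches and both report an incomplete stream; only a view that covers every subflow reconstructs the request and fires. Raising `chunk` so the whole signature lands in one segment makes the single-path match succeed by luck, which is the point: detection on one path depends on how the sender's scheduler happened to split the data, not on policy.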