IETF Logo Mail Archive

Re: [BEHAVE] CGN REQ: Port Set Assignment

<mohamed.boucadair@orange-ftgroup.com> Wed, 16 March 2011 06:26 UTC

Return-Path: <mohamed.boucadair@orange-ftgroup.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A3E53A67DA for <behave@core3.amsl.com>; Tue, 15 Mar 2011 23:26:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.131
X-Spam-Level:
X-Spam-Status: No, score=-3.131 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_LOW=-1, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NUKHEMfli8s for <behave@core3.amsl.com>; Tue, 15 Mar 2011 23:26:28 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias92.francetelecom.com [193.251.215.92]) by core3.amsl.com (Postfix) with ESMTP id 012E43A67DB for <behave@ietf.org>; Tue, 15 Mar 2011 23:26:28 -0700 (PDT)
Received: from omfedm06.si.francetelecom.fr (unknown [xx.xx.xx.2]) by omfedm13.si.francetelecom.fr (ESMTP service) with ESMTP id C4EC1324521; Wed, 16 Mar 2011 07:27:53 +0100 (CET)
Received: from PUEXCH11.nanterre.francetelecom.fr (unknown [10.101.44.27]) by omfedm06.si.francetelecom.fr (ESMTP service) with ESMTP id 9AE8A27C037; Wed, 16 Mar 2011 07:27:53 +0100 (CET)
Received: from PUEXCB1B.nanterre.francetelecom.fr ([10.101.44.11]) by PUEXCH11.nanterre.francetelecom.fr ([10.101.44.27]) with mapi; Wed, 16 Mar 2011 07:27:53 +0100
From: mohamed.boucadair@orange-ftgroup.com
To: Dan Wing <dwing@cisco.com>, 'Reinaldo Penno' <rpenno@juniper.net>, "draft-ietf-behave-lsn-requirements@tools.ietf.org" <draft-ietf-behave-lsn-requirements@tools.ietf.org>
Date: Wed, 16 Mar 2011 07:27:52 +0100
Thread-Topic: [BEHAVE] CGN REQ: Port Set Assignment
Thread-Index: AcvjIqvyHEN/PZAJQFafEA4YjAjBJAAF4EfQAACQgjEAATpYcAAATtl/AAU6NjAAAd3SygAAUxxAAADVbCQAADD60AAPk29w
Message-ID: <94C682931C08B048B7A8645303FDC9F33C4DBA3CC8@PUEXCB1B.nanterre.francetelecom.fr>
References: <13e001cbe361$06f7b120$14e71360$@com> <C9A53B9D.3C324%rpenno@juniper.net> <140501cbe364$9ca93240$d5fb96c0$@com>
In-Reply-To: <140501cbe364$9ca93240$d5fb96c0$@com>
Accept-Language: fr-FR
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: fr-FR
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 5.5.9.395186, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2010.12.28.90317
Cc: DENG Xiaohong ESP/PEK <xiaohong.deng@orange-ftgroup.com>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2011 06:26:29 -0000

Re-,

Please see inline.

Cheers,
Med 

-----Message d'origine-----
De : Dan Wing [mailto:dwing@cisco.com] 
Envoyé : mardi 15 mars 2011 23:59
À : 'Reinaldo Penno'; BOUCADAIR Mohamed OLNC/NAD/TIP; draft-ietf-behave-lsn-requirements@tools.ietf.org
Cc : DENG Xiaohong ESP/PEK; behave@ietf.org
Objet : RE: [BEHAVE] CGN REQ: Port Set Assignment

> -----Original Message-----
> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On
> Behalf Of Reinaldo Penno
> Sent: Tuesday, March 15, 2011 3:52 PM
> To: Dan Wing; mohamed.boucadair@orange-ftgroup.com; draft-ietf-behave-
> lsn-requirements@tools.ietf.org
> Cc: 'DENG Xiaohong ESP/PEK'; behave@ietf.org
> Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
> 
> 
> 
> 
> On 3/15/11 3:33 PM, "Dan Wing" <dwing@cisco.com> wrote:
> 
> >> -----Original Message-----
> >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On
> >> Behalf Of Reinaldo Penno
> >> Sent: Tuesday, March 15, 2011 3:19 PM
> >> To: Dan Wing; mohamed.boucadair@orange-ftgroup.com; draft-ietf-
> behave-
> >> lsn-requirements@tools.ietf.org
> >> Cc: 'DENG Xiaohong ESP/PEK'; behave@ietf.org
> >> Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
> >>
> >> That are security considerations that need to be understood in
> relation
> >> to
> >> port block. But many of those can be mitigated. Having said that, I
> >> would
> >> guess there are at least 3 CGN vendors that implement such a
> feature.
> >> Therefore, CGN vendors already do that today.
> >>
> >> As for your example, If the attacker has this access to your machine
> >> the victim should be worried about his credit card, not ports. (;-)
> >
> > Yes, there are always more severe risks.  Could get run over by a
> bus, too.
> >
> > But building a system which has predictable ports is risky for two
> reasons:
> >
> >   * security, which everyone likes to discount as "not important".
> >   * the port limit will be wrong
> 
> There are many ways to overcome the issues you point below. I think you
> might have a specific implementation in mind.

I am thinking of A+P-like schemes. 

Med: Which ones? Dynamic modes have been proposed in A+P; see http://tools.ietf.org/html/draft-rqb-dynamic-port-ranges-02. Port randomization requirement can be fairly honored.

 No implementation magic can
change the number of ports allocated by those schemes, because
those schemes generally stick port information into the IPv6
address or into a tunnel header.

Med: This is true for the stateless A+P mode but not the binding mode (see: http://tools.ietf.org/html/draft-ymbk-aplusp-09#section-4.4 for more details).



-d


> >       o It will be either too high (too many ports, costing money
> >         in the future ("why are we spending $30 for each IPv4
> >         address, giving everyone 1000 ports, but the average user
> >         only consuming 10 ports?  We are throwing money away"),
> >       o It will be too low (too few ports, harming an application,
> >         causing support calls).  This will be expensive to correct,
> >         with some fixed-port schemes, because it requires re-IP'ing
> >         the access network for some users or for all users.  Some
> >         other fixed-port schemes could be changed with a single
> >         CLI setting, and don't have this risk.
> >
> > -d
> >
> >
> >>
> >> On 3/15/11 2:28 PM, "Dan Wing" <dwing@cisco.com> wrote:
> >>
> >>>> A "Port Set" does not mean necessarily "contiguous port range"!
> >>>
> >>> It is not relevant if they are contiguous or not.  This is a false
> >> sense of
> >>> security.
> >>>
> >>> If they are fixed, the ports can be determined by causing the
> victim
> >> to view
> >>> HTML which opens img1.example.com, img2.example.com,
> >> img3.example.com, etc.,
> >>> to servers controlled by the attacker.  The attacker can then have
> >>> Javascript release one of those mappings, wait, and the  attacker
> >> will know
> >>> the victim will re-use that port -- because it's the only port
> >> available.
> >>> Proof of concept code that does this has been circulating.
> >>
> >> _______________________________________________
> >> Behave mailing list
> >> Behave@ietf.org
> >> https://www.ietf.org/mailman/listinfo/behave
> >
> 
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email