IETF Logo Mail Archive

Re: [BEHAVE] CGN REQ: Port Set Assignment

<xiaohong.deng@orange-ftgroup.com> Wed, 16 March 2011 10:09 UTC

Return-Path: <xiaohong.deng@orange-ftgroup.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9BDC23A6912 for <behave@core3.amsl.com>; Wed, 16 Mar 2011 03:09:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.996
X-Spam-Level:
X-Spam-Status: No, score=-2.996 tagged_above=-999 required=5 tests=[AWL=0.253, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGDZHmTv97Nd for <behave@core3.amsl.com>; Wed, 16 Mar 2011 03:09:10 -0700 (PDT)
Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com [195.101.245.15]) by core3.amsl.com (Postfix) with ESMTP id 91A953A68EE for <behave@ietf.org>; Wed, 16 Mar 2011 03:09:10 -0700 (PDT)
Received: from p-mail1.rd.francetelecom.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 68A1B8B800A; Wed, 16 Mar 2011 11:11:05 +0100 (CET)
Received: from ftrdsmtp1.rd.francetelecom.fr (unknown [10.192.128.46]) by p-mail1.rd.francetelecom.com (Postfix) with ESMTP id 5DC088B8002; Wed, 16 Mar 2011 11:11:05 +0100 (CET)
Received: from ch-mailsrv.rd.francetelecom.fr ([10.193.250.27]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.4675); Wed, 16 Mar 2011 11:10:36 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 16 Mar 2011 18:10:31 +0800
Message-ID: <0962B0BEF842A24191AD9BE41A8DD2FC015EC5A5@ch-mailsrv.rd.francetelecom.fr>
In-Reply-To: <94C682931C08B048B7A8645303FDC9F33C4DBA3CC8@PUEXCB1B.nanterre.francetelecom.fr>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RE:[BEHAVE] CGN REQ: Port Set Assignment
Thread-Index: AcvjIqvyHEN/PZAJQFafEA4YjAjBJAAF4EfQAACQgjEAATpYcAAATtl/AAU6NjAAAd3SygAAUxxAAADVbCQAADD60AAPk29wAAWmONA=
References: <13e001cbe361$06f7b120$14e71360$@com> <C9A53B9D.3C324%rpenno@juniper.net> <140501cbe364$9ca93240$d5fb96c0$@com> <94C682931C08B048B7A8645303FDC9F33C4DBA3CC8@PUEXCB1B.nanterre.francetelecom.fr>
From: xiaohong.deng@orange-ftgroup.com
To: mohamed.boucadair@orange-ftgroup.com, dwing@cisco.com, rpenno@juniper.net, draft-ietf-behave-lsn-requirements@tools.ietf.org
X-OriginalArrivalTime: 16 Mar 2011 10:10:36.0068 (UTC) FILETIME=[64929640:01CBE3C2]
Cc: behave@ietf.org
Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2011 10:09:12 -0000

|> >> -----Original Message-----
|> >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On 
|> >> Behalf Of Reinaldo Penno
|> >> Sent: Tuesday, March 15, 2011 3:19 PM
|> >> To: Dan Wing; mohamed.boucadair@orange-ftgroup.com; draft-ietf-
|> behave-
|> >> lsn-requirements@tools.ietf.org
|> >> Cc: 'DENG Xiaohong ESP/PEK'; behave@ietf.org
|> >> Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
|> >>
|> >> That are security considerations that need to be understood in
|> relation
|> >> to
|> >> port block. But many of those can be mitigated. Having 
|said that, I 
|> >> would guess there are at least 3 CGN vendors that implement such a
|> feature.
|> >> Therefore, CGN vendors already do that today.
|> >>
|> >> As for your example, If the attacker has this access to your 
|> >> machine the victim should be worried about his credit card, not 
|> >> ports. (;-)
|> >
|> > Yes, there are always more severe risks.  Could get run over by a
|> bus, too.
|> >
|> > But building a system which has predictable ports is risky for two
|> reasons:
|> >
|> >   * security, which everyone likes to discount as "not important".
|> >   * the port limit will be wrong
|> 
|> There are many ways to overcome the issues you point below. I think 
|> you might have a specific implementation in mind.
|
|I am thinking of A+P-like schemes. 

Xiaohong: When you refer to A+P-like schemes, I can imagine B4 element
 with port set restricted NAT and AFTR with by passing port set feature,
and 
Address + Port embedded IPv6 prefix is not necessary for Port Set
Assignment.
 Does that make sense?

|
|Med: Which ones? Dynamic modes have been proposed in A+P; see 
|http://tools.ietf.org/html/draft-rqb-dynamic-port-ranges-02. 
|Port randomization requirement can be fairly honored.
|
| No implementation magic can
|change the number of ports allocated by those schemes, because 
|those schemes generally stick port information into the IPv6 
|address or into a tunnel header.
|
|Med: This is true for the stateless A+P mode but not the 
|binding mode (see: 
|http://tools.ietf.org/html/draft-ymbk-aplusp-09#section-4.4 
|for more details).

Xiaohong: Right, the binding mode doesn't require  stick port
information into
 the IPv6  address or into a tunnel header.


Cheers,
Xiaohong
opensource A+P: http://opensourceaplusp.weebly.com/

|
|
|
|-d
|
|
|> >       o It will be either too high (too many ports, costing money
|> >         in the future ("why are we spending $30 for each IPv4
|> >         address, giving everyone 1000 ports, but the average user
|> >         only consuming 10 ports?  We are throwing money away"),
|> >       o It will be too low (too few ports, harming an application,
|> >         causing support calls).  This will be expensive to correct,
|> >         with some fixed-port schemes, because it requires re-IP'ing
|> >         the access network for some users or for all users.  Some
|> >         other fixed-port schemes could be changed with a single
|> >         CLI setting, and don't have this risk.
|> >
|> > -d
|> >
|> >
|> >>
|> >> On 3/15/11 2:28 PM, "Dan Wing" <dwing@cisco.com> wrote:
|> >>
|> >>>> A "Port Set" does not mean necessarily "contiguous port range"!
|> >>>
|> >>> It is not relevant if they are contiguous or not.  This 
|is a false
|> >> sense of
|> >>> security.
|> >>>
|> >>> If they are fixed, the ports can be determined by causing the
|> victim
|> >> to view
|> >>> HTML which opens img1.example.com, img2.example.com,
|> >> img3.example.com, etc.,
|> >>> to servers controlled by the attacker.  The attacker can 
|then have 
|> >>> Javascript release one of those mappings, wait, and the  attacker
|> >> will know
|> >>> the victim will re-use that port -- because it's the only port
|> >> available.
|> >>> Proof of concept code that does this has been circulating.
|> >>
|> >> _______________________________________________
|> >> Behave mailing list
|> >> Behave@ietf.org
|> >> https://www.ietf.org/mailman/listinfo/behave
|> >
|> 
|> _______________________________________________
|> Behave mailing list
|> Behave@ietf.org
|> https://www.ietf.org/mailman/listinfo/behave
|
|

v2.23.0 | Report a Bug | By Email