Re: [BEHAVE] CGN REQ: Port Set Assignment
<xiaohong.deng@orange-ftgroup.com> Wed, 16 March 2011 10:09 UTC
Return-Path: <xiaohong.deng@orange-ftgroup.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9BDC23A6912 for <behave@core3.amsl.com>; Wed, 16 Mar 2011 03:09:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.996
X-Spam-Level:
X-Spam-Status: No, score=-2.996 tagged_above=-999 required=5 tests=[AWL=0.253, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGDZHmTv97Nd for <behave@core3.amsl.com>; Wed, 16 Mar 2011 03:09:10 -0700 (PDT)
Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com [195.101.245.15]) by core3.amsl.com (Postfix) with ESMTP id 91A953A68EE for <behave@ietf.org>; Wed, 16 Mar 2011 03:09:10 -0700 (PDT)
Received: from p-mail1.rd.francetelecom.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 68A1B8B800A; Wed, 16 Mar 2011 11:11:05 +0100 (CET)
Received: from ftrdsmtp1.rd.francetelecom.fr (unknown [10.192.128.46]) by p-mail1.rd.francetelecom.com (Postfix) with ESMTP id 5DC088B8002; Wed, 16 Mar 2011 11:11:05 +0100 (CET)
Received: from ch-mailsrv.rd.francetelecom.fr ([10.193.250.27]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.4675); Wed, 16 Mar 2011 11:10:36 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 16 Mar 2011 18:10:31 +0800
Message-ID: <0962B0BEF842A24191AD9BE41A8DD2FC015EC5A5@ch-mailsrv.rd.francetelecom.fr>
In-Reply-To: <94C682931C08B048B7A8645303FDC9F33C4DBA3CC8@PUEXCB1B.nanterre.francetelecom.fr>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RE:[BEHAVE] CGN REQ: Port Set Assignment
Thread-Index: AcvjIqvyHEN/PZAJQFafEA4YjAjBJAAF4EfQAACQgjEAATpYcAAATtl/AAU6NjAAAd3SygAAUxxAAADVbCQAADD60AAPk29wAAWmONA=
References: <13e001cbe361$06f7b120$14e71360$@com> <C9A53B9D.3C324%rpenno@juniper.net> <140501cbe364$9ca93240$d5fb96c0$@com> <94C682931C08B048B7A8645303FDC9F33C4DBA3CC8@PUEXCB1B.nanterre.francetelecom.fr>
From: xiaohong.deng@orange-ftgroup.com
To: mohamed.boucadair@orange-ftgroup.com, dwing@cisco.com, rpenno@juniper.net, draft-ietf-behave-lsn-requirements@tools.ietf.org
X-OriginalArrivalTime: 16 Mar 2011 10:10:36.0068 (UTC) FILETIME=[64929640:01CBE3C2]
Cc: behave@ietf.org
Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2011 10:09:12 -0000
|> >> -----Original Message----- |> >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On |> >> Behalf Of Reinaldo Penno |> >> Sent: Tuesday, March 15, 2011 3:19 PM |> >> To: Dan Wing; mohamed.boucadair@orange-ftgroup.com; draft-ietf- |> behave- |> >> lsn-requirements@tools.ietf.org |> >> Cc: 'DENG Xiaohong ESP/PEK'; behave@ietf.org |> >> Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment |> >> |> >> That are security considerations that need to be understood in |> relation |> >> to |> >> port block. But many of those can be mitigated. Having |said that, I |> >> would guess there are at least 3 CGN vendors that implement such a |> feature. |> >> Therefore, CGN vendors already do that today. |> >> |> >> As for your example, If the attacker has this access to your |> >> machine the victim should be worried about his credit card, not |> >> ports. (;-) |> > |> > Yes, there are always more severe risks. Could get run over by a |> bus, too. |> > |> > But building a system which has predictable ports is risky for two |> reasons: |> > |> > * security, which everyone likes to discount as "not important". |> > * the port limit will be wrong |> |> There are many ways to overcome the issues you point below. I think |> you might have a specific implementation in mind. | |I am thinking of A+P-like schemes. Xiaohong: When you refer to A+P-like schemes, I can imagine B4 element with port set restricted NAT and AFTR with by passing port set feature, and Address + Port embedded IPv6 prefix is not necessary for Port Set Assignment. Does that make sense? | |Med: Which ones? Dynamic modes have been proposed in A+P; see |http://tools.ietf.org/html/draft-rqb-dynamic-port-ranges-02. |Port randomization requirement can be fairly honored. | | No implementation magic can |change the number of ports allocated by those schemes, because |those schemes generally stick port information into the IPv6 |address or into a tunnel header. | |Med: This is true for the stateless A+P mode but not the |binding mode (see: |http://tools.ietf.org/html/draft-ymbk-aplusp-09#section-4.4 |for more details). Xiaohong: Right, the binding mode doesn't require stick port information into the IPv6 address or into a tunnel header. Cheers, Xiaohong opensource A+P: http://opensourceaplusp.weebly.com/ | | | |-d | | |> > o It will be either too high (too many ports, costing money |> > in the future ("why are we spending $30 for each IPv4 |> > address, giving everyone 1000 ports, but the average user |> > only consuming 10 ports? We are throwing money away"), |> > o It will be too low (too few ports, harming an application, |> > causing support calls). This will be expensive to correct, |> > with some fixed-port schemes, because it requires re-IP'ing |> > the access network for some users or for all users. Some |> > other fixed-port schemes could be changed with a single |> > CLI setting, and don't have this risk. |> > |> > -d |> > |> > |> >> |> >> On 3/15/11 2:28 PM, "Dan Wing" <dwing@cisco.com> wrote: |> >> |> >>>> A "Port Set" does not mean necessarily "contiguous port range"! |> >>> |> >>> It is not relevant if they are contiguous or not. This |is a false |> >> sense of |> >>> security. |> >>> |> >>> If they are fixed, the ports can be determined by causing the |> victim |> >> to view |> >>> HTML which opens img1.example.com, img2.example.com, |> >> img3.example.com, etc., |> >>> to servers controlled by the attacker. The attacker can |then have |> >>> Javascript release one of those mappings, wait, and the attacker |> >> will know |> >>> the victim will re-use that port -- because it's the only port |> >> available. |> >>> Proof of concept code that does this has been circulating. |> >> |> >> _______________________________________________ |> >> Behave mailing list |> >> Behave@ietf.org |> >> https://www.ietf.org/mailman/listinfo/behave |> > |> |> _______________________________________________ |> Behave mailing list |> Behave@ietf.org |> https://www.ietf.org/mailman/listinfo/behave | |
- [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment Dan Wing
- [BEHAVE] RE : CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment Dan Wing
- [BEHAVE] RE : CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment Benson Schliesser
- Re: [BEHAVE] CGN REQ: Port Set Assignment Dan Wing
- Re: [BEHAVE] CGN REQ: Port Set Assignment Reinaldo Penno
- Re: [BEHAVE] CGN REQ: Port Set Assignment Dan Wing
- Re: [BEHAVE] CGN REQ: Port Set Assignment Reinaldo Penno
- Re: [BEHAVE] CGN REQ: Port Set Assignment Dan Wing
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment xiaohong.deng
- Re: [BEHAVE] CGN REQ: Port Set Assignment Simon Perreault
- Re: [BEHAVE] CGN REQ: Port Set Assignment Simon Perreault
- Re: [BEHAVE] CGN REQ: Port Set Assignment Francis Dupont
- Re: [BEHAVE] CGN REQ: Port Set Assignment Simon Perreault
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment Dan Wing
- Re: [BEHAVE] CGN REQ: Port Set Assignment Francis Dupont
- Re: [BEHAVE] CGN REQ: Port Set Assignment Dan Wing
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment Dan Wing
- Re: [BEHAVE] CGN REQ: Port Set Assignment Benson Schliesser
- Re: [BEHAVE] CGN REQ: Port Set Assignment Benson Schliesser
- Re: [BEHAVE] CGN REQ: Port Set Assignment xiaohong.deng
- Re: [BEHAVE] CGN REQ: Port Set Assignment Simon Perreault
- Re: [BEHAVE] CGN REQ: Port Set Assignment mohamed.boucadair
- Re: [BEHAVE] CGN REQ: Port Set Assignment Benson Schliesser