[BEHAVE] RE : CGN REQ: Port Set Assignment

[<mohamed.boucadair@orange-ftgroup.com>]

Re-

A "Port Set" does not mean necessarily "contiguous port range"!

Both pure randomized port set or Simple port randomization with port sets can be considered.

We have an implementation to assess the behavior of simple port randomization (only two lines of codes are needed to implement it: the algorithm uses the port mask and port value).

Another solution to generate random ports is available at: http://tools.ietf.org/html/draft-bajko-pripaddrassign-03#section-5.

Cheers,
Med


________________________________________
De : Dan Wing [dwing@cisco.com]
Date d'envoi : mardi 15 mars 2011 19:51
À : BOUCADAIR Mohamed OLNC/NAD/TIP; draft-ietf-behave-lsn-requirements@tools.ietf.org
Cc : behave@ietf.org
Objet : RE: [BEHAVE] CGN REQ: Port Set Assignment

> -----Original Message-----
> From: mohamed.boucadair@orange-ftgroup.com
> [mailto:mohamed.boucadair@orange-ftgroup.com]
> Sent: Tuesday, March 15, 2011 11:19 AM
> To: Dan Wing; draft-ietf-behave-lsn-requirements@tools.ietf.org
> Cc: behave@ietf.org
> Subject: RE : [BEHAVE] CGN REQ: Port Set Assignment
>
> Re-,
>
> Please see inline.
>
> Cheers,
> Med
> ________________________________________
> De : Dan Wing [dwing@cisco.com]
> Date d'envoi : mardi 15 mars 2011 18:55
> À : BOUCADAIR Mohamed OLNC/NAD/TIP; draft-ietf-behave-lsn-
> requirements@tools.ietf.org
> Cc : behave@ietf.org
> Objet : RE: [BEHAVE] CGN REQ: Port Set Assignment
>
> > -----Original Message-----
> > From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On
> > Behalf Of mohamed.boucadair@orange-ftgroup.com
> > Sent: Tuesday, March 15, 2011 8:07 AM
> > To: draft-ietf-behave-lsn-requirements@tools.ietf.org
> > Cc: 'behave' <(behave@ietf.org)>
> > Subject: [BEHAVE] CGN REQ: Port Set Assignment
> >
> > Re-,
> >
> > Section 5 http://tools.ietf.org/html/draft-ietf-behave-lsn-
> > requirements-01#section-5 discusses various modes for the port
> > assignment but there is no explicit requirement.
> >
> > I suggest in addition to the dynamic mode, the CGN MUST (SHOULD?)
> > support the ability to assign port sets.
>
> Why?
>
> Med: We can ask the other question around: why only the dynamic NAT
> should be supported?

Because that's what NATs do today -- NATs in people's homes and
deployed by enterprises do that today.

> More seriously, the use of port set has several advantages in term of
> log reduction and in some implementation(s) has important  impact on
> performances (because of the per-entry write operations). Tests we have
> done for some implementations showed severe degradation. FWIW, some CGN
> implementations support only the port set allocation and the length of
> the port set is even no configurable!

Yes, well aware.

> IMO, the decision to activate the port set or use the dynamic mode
> should left to operators (enterprise, service providers, etc.).

Their incentive is to reduce costs.  But "port sets" (or "bulk port
allocations", or whatever term) increase the attack surface of
the subscribers, with no cost or security risk to the ISP.  The
incentives are in the wrong place.  It's obvious what an ISP
will do -- they will prefer to increase the attack surface of
their subscribers.

Speaking personally (not as chair), I do not support the
IETF making a recommendation that users be restricted to
a fixed set of port numbers.

-d



> -d
>
> > The selection of the dynamic
> > mode vs. port set is deployment-specific.
> >
> > Cheers,
> > Med