[BEHAVE] DNS vs port overloading

Simon Perreault <simon.perreault@viagenie.ca> Thu, 27 June 2013 14:21 UTC

Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC16E21F9948 for <behave@ietfa.amsl.com>; Thu, 27 Jun 2013 07:21:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.141
X-Spam-Level:
X-Spam-Status: No, score=-2.141 tagged_above=-999 required=5 tests=[AWL=0.459, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ho-rBoxchhFI for <behave@ietfa.amsl.com>; Thu, 27 Jun 2013 07:21:14 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id 941C321F9E48 for <behave@ietf.org>; Thu, 27 Jun 2013 07:21:11 -0700 (PDT)
Received: from [IPv6:::1] (unknown [IPv6:2001:660:3001:4012:7ddf:d947:bc5f:fe38]) by jazz.viagenie.ca (Postfix) with ESMTPSA id BD60047121; Thu, 27 Jun 2013 10:21:10 -0400 (EDT)
Message-ID: <51CC4A59.8080801@viagenie.ca>
Date: Thu, 27 Jun 2013 16:21:13 +0200
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Mark Andrews <marka@isc.org>
References: <CB1B483277FEC94E9B58357040EE5D02325A6E93@xmb-rcd-x15.cisco.com> <2f7dce8264c8a9a72640629502a44295@cacaoweb.org> <51C1681A.5030909@viagenie.ca> <f8741fad1af1cee094de9c59408b7425@cacaoweb.org> <51C40374.8080403@viagenie.ca> <21e25b7ae1501228a67656b2fa4bc009@cacaoweb.org> <51CAA20F.4070307@viagenie.ca> <7f35bf30538732e3953bd33bcab7a791@cacaoweb.org> <51CC444C.1030507@viagenie.ca> <20130627141434.3B0BD365EA62@drugs.dv.isc.org>
In-Reply-To: <20130627141434.3B0BD365EA62@drugs.dv.isc.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: behave@ietf.org, ivan@cacaoweb.org
Subject: [BEHAVE] DNS vs port overloading
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 14:21:14 -0000

Le 2013-06-27 16:14, Mark Andrews a écrit :
>> I have suggested that one condition where port overloading could be used
>> is when the NAT knows that it will not disrupt the application protocol.
>> For example, the protocols running on TCP port 80 and UDP port 53 (HTTP
>> and DNS) are purely client-server and therefore would not be affected by
>> port overloading. Allowing NATs to do port overloading for those ports
>> only would probably solve the scalability problem since they account for
>> a large portion of the traffic.
>
> And overloading DNS could potentially defeat the port randomisation
> done by the server even though nameservers do port overloading
> themselves to send traffic out a large set of ports choosen at
> random and reselected from at random.

Good point.

Could that be solved with operational advice? In the case of CGN, we 
could advise the ISP could to make sure that its recursive nameserver 
sits on the border between the internal and external realm such that no 
DNS traffic is handled by the CGN.

Would that fully address your concern?

Simon