Re: [BEHAVE] CGN REQ: Port Set Assignment
"Dan Wing" <dwing@cisco.com> Wed, 16 March 2011 15:04 UTC
From: Dan Wing <dwing@cisco.com>
To: mohamed.boucadair@orange-ftgroup.com, 'Reinaldo Penno' <rpenno@juniper.net>, draft-ietf-behave-lsn-requirements@tools.ietf.org
References: <13e001cbe361$06f7b120$14e71360$@com> <C9A53B9D.3C324%rpenno@juniper.net> <140501cbe364$9ca93240$d5fb96c0$@com> <94C682931C08B048B7A8645303FDC9F33C4DBA3CC8@PUEXCB1B.nanterre.francetelecom.fr>
In-Reply-To: <94C682931C08B048B7A8645303FDC9F33C4DBA3CC8@PUEXCB1B.nanterre.francetelecom.fr>
Date: Wed, 16 Mar 2011 08:05:51 -0700
Message-ID: <164801cbe3eb$a43a3950$ecaeabf0$@com>
Cc: 'DENG Xiaohong ESP/PEK' <xiaohong.deng@orange-ftgroup.com>, behave@ietf.org
Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
> -----Original Message-----
> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf Of mohamed.boucadair@orange-ftgroup.com
> Sent: Tuesday, March 15, 2011 11:28 PM
> To: Dan Wing; 'Reinaldo Penno'; draft-ietf-behave-lsn-requirements@tools.ietf.org
> Cc: DENG Xiaohong ESP/PEK; behave@ietf.org
> Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
>
> Re-,
>
> Please see inline.
>
> Cheers,
> Med
>
> -----Original Message-----
> From: Dan Wing [mailto:dwing@cisco.com]
> Sent: Tuesday, 15 March 2011 23:59
> To: 'Reinaldo Penno'; BOUCADAIR Mohamed OLNC/NAD/TIP; draft-ietf-behave-lsn-requirements@tools.ietf.org
> Cc: DENG Xiaohong ESP/PEK; behave@ietf.org
> Subject: RE: [BEHAVE] CGN REQ: Port Set Assignment
>
> > -----Original Message-----
> > From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf Of Reinaldo Penno
> > Sent: Tuesday, March 15, 2011 3:52 PM
> > To: Dan Wing; mohamed.boucadair@orange-ftgroup.com; draft-ietf-behave-lsn-requirements@tools.ietf.org
> > Cc: 'DENG Xiaohong ESP/PEK'; behave@ietf.org
> > Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
> >
> > On 3/15/11 3:33 PM, "Dan Wing" <dwing@cisco.com> wrote:
> >
> > >> -----Original Message-----
> > >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf Of Reinaldo Penno
> > >> Sent: Tuesday, March 15, 2011 3:19 PM
> > >> To: Dan Wing; mohamed.boucadair@orange-ftgroup.com; draft-ietf-behave-lsn-requirements@tools.ietf.org
> > >> Cc: 'DENG Xiaohong ESP/PEK'; behave@ietf.org
> > >> Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
> > >>
> > >> There are security considerations that need to be understood in
> > >> relation to port block. But many of those can be mitigated. Having
> > >> said that, I would guess there are at least 3 CGN vendors that
> > >> implement such a feature. Therefore, CGN vendors already do that today.
> > >>
> > >> As for your example, if the attacker has this access to your machine
> > >> the victim should be worried about his credit card, not ports. (;-)
> > >
> > > Yes, there are always more severe risks. Could get run over by a bus, too.
> > >
> > > But building a system which has predictable ports is risky for two
> > > reasons:
> > >
> > > * security, which everyone likes to discount as "not important".
> > > * the port limit will be wrong
> >
> > There are many ways to overcome the issues you point below. I think you
> > might have a specific implementation in mind.
>
> I am thinking of A+P-like schemes.
>
> Med: Which ones? Dynamic modes have been proposed in A+P; see
> http://tools.ietf.org/html/draft-rqb-dynamic-port-ranges-02. Port
> randomization requirement can be fairly honored.
>
> No implementation magic can change the number of ports allocated by
> those schemes, because those schemes generally stick port information
> into the IPv6 address or into a tunnel header.
>
> Med: This is true for the stateless A+P mode but not the binding mode
> (see: http://tools.ietf.org/html/draft-ymbk-aplusp-09#section-4.4 for
> more details).

Most of the benefits attributed to A+P is that it's stateless in the SP's
network. I haven't seen anyone excited about that, but I don't talk to
everyone.

-d

> > > -d
> > >
> > >   o It will be either too high (too many ports, costing money
> > >     in the future ("why are we spending $30 for each IPv4
> > >     address, giving everyone 1000 ports, but the average user
> > >     only consuming 10 ports? We are throwing money away"),
> > >   o It will be too low (too few ports, harming an application,
> > >     causing support calls). This will be expensive to correct,
> > >     with some fixed-port schemes, because it requires re-IP'ing
> > >     the access network for some users or for all users. Some
> > >     other fixed-port schemes could be changed with a single
> > >     CLI setting, and don't have this risk.
> > >
> > > -d
> > >
> > >> On 3/15/11 2:28 PM, "Dan Wing" <dwing@cisco.com> wrote:
> > >>
> > >>>> A "Port Set" does not mean necessarily "contiguous port range"!
> > >>>
> > >>> It is not relevant if they are contiguous or not. This is a false
> > >>> sense of security.
> > >>>
> > >>> If they are fixed, the ports can be determined by causing the victim
> > >>> to view HTML which opens img1.example.com, img2.example.com,
> > >>> img3.example.com, etc., to servers controlled by the attacker. The
> > >>> attacker can then have Javascript release one of those mappings,
> > >>> wait, and the attacker will know the victim will re-use that port --
> > >>> because it's the only port available. Proof of concept code that
> > >>> does this has been circulating.
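The two positions in this message (Med: randomization "can be fairly honored" inside a port set; Dan: the size of a fixed set is what makes the port guessable once the set is nearly used up) can be made concrete with a small model of a per-subscriber port set. The code below is an added illustration for this archive page; it is not code from the thread, from any CGN vendor, or from the drafts cited above. The class and policy names (`PortSetAllocator`, `"sequential"`, `"random"`), the port numbers starting at 10000 and the `reuse_rate` scenario are this example's own constructions. `predictability()` is the one-guess success probability for an observer who knows the subscriber's set and which ports are busy, and `reuse_rate()` replays the release-then-reallocate sequence described in the quoted text to show when randomizing within the set still leaves exactly one possible answer.

```python
import random
from fractions import Fraction


class PortSetAllocator:
    """One subscriber's fixed external port set on a CGN / A+P-style device.

    policy="sequential": hand out the lowest free port (fully predictable).
    policy="random":     pick uniformly among the free ports, i.e. port
                         randomization applied inside the fixed set.
    Both policy names are this example's own, not terms from the thread.
    """

    def __init__(self, ports, policy="random", rng=None):
        self.ports = sorted(set(ports))
        if not self.ports:
            raise ValueError("port set must not be empty")
        if policy not in ("sequential", "random"):
            raise ValueError("unknown policy: %r" % policy)
        self.policy = policy
        self.rng = rng if rng is not None else random.Random()
        self.in_use = set()

    def free_ports(self):
        return [p for p in self.ports if p not in self.in_use]

    def allocate(self):
        free = self.free_ports()
        if not free:
            raise RuntimeError("port set exhausted")
        port = free[0] if self.policy == "sequential" else self.rng.choice(free)
        self.in_use.add(port)
        return port

    def release(self, port):
        self.in_use.discard(port)

    def predictability(self):
        """Probability that someone who knows the set and the in-use ports
        guesses the next allocated port in a single try."""
        free = self.free_ports()
        if not free:
            return Fraction(0)
        if self.policy == "sequential":
            return Fraction(1)
        return Fraction(1, len(free))


def reuse_rate(set_size, held, policy, trials=200, seed=0):
    """Replay the scenario from the thread: `held` mappings are open, the
    most recent one is released, and a new mapping is requested.  Returns
    the fraction of trials in which the new mapping lands on the released
    port.  The port range starting at 10000 is a constructed sample."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        nat = PortSetAllocator(range(10000, 10000 + set_size), policy, rng)
        mapped = [nat.allocate() for _ in range(held)]
        released = mapped[-1]
        nat.release(released)
        if nat.allocate() == released:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Large set with slack vs. small set that is fully occupied.
    for set_size, held, policy in [(1000, 10, "sequential"),
                                   (1000, 10, "random"),
                                   (8, 8, "random")]:
        print("set=%4d held=%4d %-10s reuse rate %.3f"
              % (set_size, held, policy, reuse_rate(set_size, held, policy)))
```

Running it shows the sequential policy reusing the released port every time regardless of set size, the random policy reusing it only about once in a thousand trials when 990 ports of a 1000-port set are still free, and the random policy reusing it every time when the set of 8 is fully held and the released port is the only free one. The mitigation value of randomizing inside a fixed set therefore depends entirely on how much slack the set has, which is the sizing question the "too high / too low" bullets above are about.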