Re: [BEHAVE] CGN REQ: Port Set Assignment

"Dan Wing" <dwing@cisco.com> Tue, 15 March 2011 21:27 UTC

From: Dan Wing <dwing@cisco.com>
To: mohamed.boucadair@orange-ftgroup.com, draft-ietf-behave-lsn-requirements@tools.ietf.org
References: <94C682931C08B048B7A8645303FDC9F33C4DBA3B56@PUEXCB1B.nanterre.francetelecom.fr>, <127401cbe33a$322a1c60$967e5520$@com> <94C682931C08B048B7A8645303FDC9F33C4D682FC2@PUEXCB1B.nanterre.francetelecom.fr>, <12f501cbe341$fe3310d0$fa993270$@com> <94C682931C08B048B7A8645303FDC9F33C4D682FC3@PUEXCB1B.nanterre.francetelecom.fr>
In-Reply-To: <94C682931C08B048B7A8645303FDC9F33C4D682FC3@PUEXCB1B.nanterre.francetelecom.fr>
Date: Tue, 15 Mar 2011 14:28:28 -0700
Message-ID: <138701cbe357$ed3e63e0$c7bb2ba0$@com>
Cc: 'DENG Xiaohong ESP/PEK' <xiaohong.deng@orange-ftgroup.com>, behave@ietf.org
Subject: Re: [BEHAVE] CGN REQ: Port Set Assignment
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>

> -----Original Message-----
> From: mohamed.boucadair@orange-ftgroup.com
> [mailto:mohamed.boucadair@orange-ftgroup.com]
> Sent: Tuesday, March 15, 2011 12:02 PM
> To: Dan Wing; draft-ietf-behave-lsn-requirements@tools.ietf.org
> Cc: behave@ietf.org; DENG Xiaohong ESP/PEK
> Subject: RE : [BEHAVE] CGN REQ: Port Set Assignment
> 
> Re-
> 
> A "Port Set" does not mean necessarily "contiguous port range"!

It is not relevant if they are contiguous or not.  This is a false sense of
security.

If they are fixed, the ports can be determined by causing the victim to view
HTML which opens img1.example.com, img2.example.com, img3.example.com, etc.,
to servers controlled by the attacker.  The attacker can then have
JavaScript release one of those mappings, wait, and the attacker will know
the victim will re-use that port -- because it's the only port available.
Proof of concept code that does this has been circulating.

-d

> Both pure randomized port set or Simple port randomization with port
> sets can be considered.
> 
> We have an implementation to assess the behavior of simple port
> randomization (only two lines of code are needed to implement it: the
> algorithm uses the port mask and port value).
> 
> Another solution to generate random ports is available at:
> http://tools.ietf.org/html/draft-bajko-pripaddrassign-03#section-5.
> 
> Cheers,
> Med
> 
> 
> ________________________________________
> From: Dan Wing [dwing@cisco.com]
> Sent: Tuesday, 15 March 2011 19:51
> To: BOUCADAIR Mohamed OLNC/NAD/TIP; draft-ietf-behave-lsn-requirements@tools.ietf.org
> Cc: behave@ietf.org
> Subject: RE: [BEHAVE] CGN REQ: Port Set Assignment
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange-ftgroup.com
> > [mailto:mohamed.boucadair@orange-ftgroup.com]
> > Sent: Tuesday, March 15, 2011 11:19 AM
> > To: Dan Wing; draft-ietf-behave-lsn-requirements@tools.ietf.org
> > Cc: behave@ietf.org
> > Subject: RE : [BEHAVE] CGN REQ: Port Set Assignment
> >
> > Re-,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> > ________________________________________
> > From: Dan Wing [dwing@cisco.com]
> > Sent: Tuesday, 15 March 2011 18:55
> > To: BOUCADAIR Mohamed OLNC/NAD/TIP; draft-ietf-behave-lsn-requirements@tools.ietf.org
> > Cc: behave@ietf.org
> > Subject: RE: [BEHAVE] CGN REQ: Port Set Assignment
> >
> > > -----Original Message-----
> > > From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On
> > > Behalf Of mohamed.boucadair@orange-ftgroup.com
> > > Sent: Tuesday, March 15, 2011 8:07 AM
> > > To: draft-ietf-behave-lsn-requirements@tools.ietf.org
> > > Cc: 'behave' <(behave@ietf.org)>
> > > Subject: [BEHAVE] CGN REQ: Port Set Assignment
> > >
> > > Re-,
> > >
> > > Section 5 http://tools.ietf.org/html/draft-ietf-behave-lsn-requirements-01#section-5
> > > discusses various modes for the port assignment but there is no
> > > explicit requirement.
> > >
> > > I suggest in addition to the dynamic mode, the CGN MUST (SHOULD?)
> > > support the ability to assign port sets.
> >
> > Why?
> >
> > Med: We can ask the other question around: why only the dynamic NAT
> > should be supported?
> 
> Because that's what NATs do today -- NATs in people's homes and
> deployed by enterprises do that today.
> 
> > More seriously, the use of port sets has several advantages in terms of
> > log reduction and in some implementation(s) has an important impact on
> > performance (because of the per-entry write operations). Tests we have
> > done for some implementations showed severe degradation. FWIW, some CGN
> > implementations support only the port set allocation and the length of
> > the port set is not even configurable!
> 
> Yes, well aware.
> 
> > IMO, the decision to activate the port set or use the dynamic mode
> > should be left to operators (enterprise, service providers, etc.).
> 
> Their incentive is to reduce costs.  But "port sets" (or "bulk port
> allocations", or whatever term) increase the attack surface of
> the subscribers, with no cost or security risk to the ISP.  The
> incentives are in the wrong place.  It's obvious what an ISP
> will do -- they will prefer to increase the attack surface of
> their subscribers.
> 
> Speaking personally (not as chair), I do not support the
> IETF making a recommendation that users be restricted to
> a fixed set of port numbers.
> 
> -d
> 
> 
> 
> > -d
> >
> > > The selection of the dynamic
> > > mode vs. port set is deployment-specific.
> > >
> > > Cheers,
> > > Med
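
As an added illustration of the two technical points in this thread (Med's "port mask and port value" style of port set, and Dan's observation that a fixed set makes the subscriber's next external port predictable once the set is nearly full), here is constructed Python that is not code from either author, from the draft, or from any CGN product. It builds a contiguous port set and a mask/value (non-contiguous) port set, allocates ports from a fixed set or from a dynamic pool, and reports a defender-side "guess space": the number of distinct ports the next mapping can land on, which is what an outside observer would have to guess. The 1024 well-known-port cutoff, the PSID bit positions, the set sizes and the flow names are all assumptions made for the example.

```python
"""Constructed model of CGN external-port allocation for one subscriber:
a fixed port set (contiguous, or mask/value based) versus a dynamic pool,
plus a defender-side 'guess space' metric: how many distinct external ports
the subscriber's next mapping can land on. Assumptions: ports below 1024 are
never assigned, and the mask/value scheme follows the description in the
thread, not any product's implementation."""
import random

PORT_SPACE = 1 << 16        # all 16-bit port numbers
WELL_KNOWN_LIMIT = 1024     # assumption: ports below this are never assigned


def contiguous_port_set(set_index: int, set_size: int) -> frozenset:
    """Port set as one contiguous block of set_size ports above 1023."""
    start = WELL_KNOWN_LIMIT + set_index * set_size
    if start + set_size > PORT_SPACE:
        raise ValueError("port set index out of range")
    return frozenset(range(start, start + set_size))


def masked_port_set(psid: int, psid_bits: int, psid_shift: int = 6) -> frozenset:
    """Non-contiguous port set defined by a port mask and a fixed value:
    every assignable port whose bits [psid_shift, psid_shift + psid_bits)
    equal psid belongs to subscriber psid. Ports below WELL_KNOWN_LIMIT are
    excluded, so sets whose high PSID bits are zero come out slightly smaller."""
    if not 0 <= psid < (1 << psid_bits):
        raise ValueError("psid does not fit in psid_bits")
    mask = ((1 << psid_bits) - 1) << psid_shift
    value = psid << psid_shift
    return frozenset(p for p in range(WELL_KNOWN_LIMIT, PORT_SPACE)
                     if (p & mask) == value)


class PortAllocator:
    """Hands out external ports from a fixed pool for one subscriber.
    randomize=True draws the next port uniformly from the free ports of the
    pool; randomize=False takes the lowest free port (sequential)."""

    def __init__(self, pool, randomize: bool = True, seed=None):
        self._free = set(pool)
        self._in_use = {}          # flow id -> external port
        self._randomize = randomize
        self._rng = random.Random(seed)

    def allocate(self, flow) -> int:
        if not self._free:
            raise RuntimeError("port pool exhausted")
        port = (self._rng.choice(tuple(self._free)) if self._randomize
                else min(self._free))
        self._free.remove(port)
        self._in_use[flow] = port
        return port

    def release(self, flow) -> None:
        self._free.add(self._in_use.pop(flow))

    def guess_space(self) -> int:
        """Distinct ports the next allocation can land on."""
        return len(self._free)


def port_reuse_scenario(set_size: int = 64, seed: int = 1):
    """The situation the reply describes: a subscriber's fixed set is fully
    used, one mapping is released, and the next mapping must reuse that port.
    Returns (guess space with set full, guess space after one release,
    whether the new mapping reused the released port)."""
    alloc = PortAllocator(contiguous_port_set(0, set_size), seed=seed)
    ports = {i: alloc.allocate(i) for i in range(set_size)}
    full = alloc.guess_space()
    alloc.release(3)
    after_release = alloc.guess_space()
    reused = alloc.allocate("new flow") == ports[3]
    return full, after_release, reused


def compare_guess_space(active_flows: int = 63, set_size: int = 64, seed: int = 1):
    """Guess space for the next mapping with active_flows already open:
    a fixed set of set_size ports versus a dynamic pool of all assignable ports."""
    fixed = PortAllocator(contiguous_port_set(0, set_size), seed=seed)
    dynamic = PortAllocator(range(WELL_KNOWN_LIMIT, PORT_SPACE), seed=seed)
    for i in range(active_flows):
        fixed.allocate(i)
        dynamic.allocate(i)
    return fixed.guess_space(), dynamic.guess_space()


if __name__ == "__main__":
    print("masked set for PSID 21:", len(masked_port_set(21, 6)), "ports")
    print("reuse scenario (full, after release, reused):", port_reuse_scenario())
    print("guess space (fixed set, dynamic pool):", compare_guess_space())
```

With the constructed defaults a 64-port set with 63 open mappings leaves a guess space of 1, while the dynamic pool leaves 64449; swapping the contiguous set for a masked one of the same size changes nothing in that computation, which is the point of the reply. Randomizing the order within a set only helps while the set has many free ports, so the metric to watch when sizing port sets is the free count a subscriber is left with under realistic load, not whether the set is contiguous.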