Protocol Action: 'Transport Protocol Port Randomization Recommendations' to BCP

The IESG, Fri, 20 August 2010 13:43 UTC

From: The IESG
To: IETF-Announce
Subject: Protocol Action: 'Transport Protocol Port Randomization Recommendations' to BCP
Date: Fri, 20 Aug 2010 06:42:59 -0700
Cc: Internet Architecture Board, RFC Editor

The IESG has approved the following document:
- 'Transport Protocol Port Randomization Recommendations'
  <draft-ietf-tsvwg-port-randomization-09.txt> as a BCP

This document is the product of the Transport Area Working Group.

The IESG contact person is Lars Eggert.

A URL of this Internet Draft is:

Technical Summary

Recently, awareness has been raised about a number of "blind" attacks
that can be performed against the Transmission Control Protocol
(TCP) and similar protocols.  These attacks rely on the attacker's
ability to guess or know the five-tuple (Protocol, Source Address,
Destination Address, Source Port, Destination Port) that identifies
the transport protocol instance to be attacked.  This document
describes a number of simple and efficient methods for the selection
of the client port number, such that the possibility of an attacker
guessing the exact value is reduced.  While this is not a replacement
for cryptographic methods for protecting the transport-protocol
instance, the described port number obfuscation algorithms provide
improved security/obfuscation with very little effort and without
any key management overhead.
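The hash-based port selection the summary alludes to, shown as an added example so the security argument is concrete. This is illustrative code written for this page, not text from the draft (published as RFC 6056; the scheme below follows its "simple hash-based port selection" algorithm) and not the implementation of any of the stacks named later. The ephemeral range 1024-65535, HMAC-SHA256 as the offset function F(), the per-boot secret, and the sample addresses are all assumptions. The blind-attack precondition from the summary is modelled directly: the attacker lures the client into connecting to a server he controls, observes the source port, and tries to predict the port of the client's next connection to the victim.

```python
"""Hash-based ephemeral port selection, in the style of the draft's
"simple hash-based port selection" algorithm (RFC 6056, Section 3.3.3).

Added example for this page; not the draft's text or any stack's code.
Assumptions: ephemeral range 1024-65535, HMAC-SHA256 as the offset
function F(), a 32-byte per-boot secret, and constructed sample addresses.
"""
import hashlib
import hmac
import secrets

MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


class SequentialPortSelector:
    """Legacy behaviour: one global counter, so the port of the next
    connection is the previous port + 1 regardless of destination."""

    def __init__(self, start=0):
        self.next_ephemeral = start % NUM_EPHEMERAL

    def select_port(self, local_ip, remote_ip, remote_port):
        port = MIN_EPHEMERAL + self.next_ephemeral
        self.next_ephemeral = (self.next_ephemeral + 1) % NUM_EPHEMERAL
        return port


class HashedPortSelector:
    """Simple hash-based selection: a global counter plus a per-destination
    offset from a keyed hash over (local_IP, remote_IP, remote_port).
    Ports to one destination still increase monotonically (which keeps
    TIME-WAIT reuse behaviour), but the offset, and so the port, differs
    per destination and cannot be computed without the secret."""

    def __init__(self, secret_key=None, start=0):
        # Secret chosen at boot (assumed 32 random bytes); never derived
        # from anything an off-path attacker can observe.
        self.secret_key = secret_key or secrets.token_bytes(32)
        self.next_ephemeral = start % NUM_EPHEMERAL
        self.in_use = set()  # (local_ip, local_port, remote_ip, remote_port)

    def offset(self, local_ip, remote_ip, remote_port):
        """F(local_IP, remote_IP, remote_port, secret_key) mod num_ephemeral."""
        msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
        digest = hmac.new(self.secret_key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") % NUM_EPHEMERAL

    def select_port(self, local_ip, remote_ip, remote_port):
        off = self.offset(local_ip, remote_ip, remote_port)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (self.next_ephemeral + off) % NUM_EPHEMERAL
            self.next_ephemeral = (self.next_ephemeral + 1) % NUM_EPHEMERAL
            four_tuple = (local_ip, port, remote_ip, remote_port)
            if four_tuple not in self.in_use:  # skip ports already bound to this peer
                self.in_use.add(four_tuple)
                return port
        raise OSError("no free ephemeral port for this destination")

    def release(self, local_ip, local_port, remote_ip, remote_port):
        self.in_use.discard((local_ip, local_port, remote_ip, remote_port))


# Constructed sample addresses (documentation ranges), not real hosts.
CLIENT = "10.0.0.7"
ATTACKER_SERVER = ("203.0.113.9", 80)
VICTIM_SERVER = ("192.0.2.25", 25)


def attacker_prediction_succeeds(selector):
    """Blind-attack setup: the attacker gets the client to connect to his
    own server, observes the source port, and guesses that the client's
    next connection (to the victim) uses port + 1. Returns True when that
    guess matches the port the selector actually chooses."""
    observed = selector.select_port(CLIENT, *ATTACKER_SERVER)
    guess = MIN_EPHEMERAL + (observed - MIN_EPHEMERAL + 1) % NUM_EPHEMERAL
    actual = selector.select_port(CLIENT, *VICTIM_SERVER)
    return guess == actual


if __name__ == "__main__":
    print("sequential, attacker predicts victim port:",
          attacker_prediction_succeeds(SequentialPortSelector()))
    hits = sum(attacker_prediction_succeeds(HashedPortSelector()) for _ in range(1000))
    print("hash-based, successful predictions over 1000 fresh secrets:", hits)
```

With the sequential selector the prediction succeeds every time; with the hashed selector it succeeds only when the two destinations happen to share an offset, i.e. with probability about 1 in 64512 per secret, so the attacker is back to guessing across the whole ephemeral range. The offset must come from a keyed function with a secret that is regenerated at boot: an unkeyed hash of the addresses would let the attacker recompute the per-destination offset and recover the sequential behaviour.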

Working Group Summary

Although 'strong' consensus is nearly impossible in an open area WG such
as TSVWG, with 5-6 sub-groups within the WG divided along technology
focuses, there is unwavering consensus among the interested parties in
the WG to publish this document. It was reviewed by several people
during WG last call, and the comments raised have been addressed.

Document Quality

Several stacks implement different port randomization techniques. The
techniques that this document describes include the ones implemented
by FreeBSD, Linux, NetBSD, OpenBSD and OpenSolaris.


James Polk is the document Shepherd. Lars Eggert is the responsible
Area Director.