Re: TSVDIR review of draft-ietf-intarea-shared-addressing-issues-02

Fernando Gont <> Wed, 02 February 2011 08:00 UTC

Sender: Fernando Gont <>
Message-ID: <>
Date: Wed, 02 Feb 2011 05:03:57 -0300
From: Fernando Gont <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: TSV Dir <>
Subject: Re: TSVDIR review of draft-ietf-intarea-shared-addressing-issues-02
References: <>
In-Reply-To: <>
X-Enigmail-Version: 1.1.1
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "" <>,, IETF discussion list <>

On 01/02/2011 10:35 p.m., Joe Touch wrote:

>>    Over the long term, deploying IPv6 is the only way to ease pressure
>>    on the public IPv4 address pool and thereby mitigate the need for
>>    address sharing mechanisms that give rise to the issues identified
>>    herein.
> ?? This sentence is misleading. Clearly address sharing eases pressure
> too, but has caveats. It should be revised to be more clear about the
> options available.
> ...
>> 7.  Geo-location and Geo-proximity
> ?INT? This section is, IMO, odd; IP address never meant physical
> location anyway, and tunnels obviate that meaning regardless of the
> impact of NATs or other sharing techniques.

Agreed. But geo-location is nevertheless widely used for marketing purposes.

>> 13.4.  Port Randomisation
> ...
>>    It should be noted that guessing the port information may not be
>>    sufficient to carry out a successful blind attack.   The exact TCP
>>    Sequence Number (SN) should also be known.
> There are data injection attacks that are possible even without knowing
> the exact SN.

draft-ietf-tcpm-tcp-security may be of use here.

> Further, port randomization is just one way to protect a connection
> (another includes timestamp verification, as noted in RFC4953).

RFC4953 is a little bit vague in this respect. It talks about an
"accepted window". However, as far as the current specs are concerned,
the "accepted window" is half the timestamp space: i.e., you need to
forge, at most, two different timestamp values. It also mentions that
timestamps may be easily predictable. However, this does not need to be
the case (see e.g., draft-gont-timestamps-generation).
Best regards,
Fernando Gont
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
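As an added illustration (not part of the message above or of any IETF draft), the following Python models the RFC 1323 PAWS timestamp comparison to show why the "accepted window" is half the 32-bit timestamp space, and hence why at most two values spaced 2^31 apart always cover it. Function names are my own.

```python
import random

MOD = 1 << 32    # TCP timestamps are 32-bit values
HALF = 1 << 31   # half the timestamp space

def ts_lt(a, b):
    """Modular 32-bit '<' from RFC 1323 / RFC 7323:
    a < b iff (a - b), taken as a signed 32-bit integer, is negative."""
    return ((a - b) & (MOD - 1)) >= HALF

def paws_accepts(seg_tsval, ts_recent):
    """PAWS discards a segment only when SEG.TSval < TS.Recent (modular).
    Every other TSval passes the timestamp check."""
    return not ts_lt(seg_tsval, ts_recent)

def accepted_window(ts_recent):
    """(first, last) TSval accepted for a given TS.Recent, modulo 2^32.
    The interval holds exactly 2^31 values: half the timestamp space."""
    return ts_recent, (ts_recent + HALF - 1) % MOD

def accepted_fraction(ts_recent, samples=100_000, seed=1):
    """Estimate by sampling the share of all TSval values the check accepts;
    it comes out at about 0.5 regardless of TS.Recent."""
    rng = random.Random(seed)
    hits = sum(paws_accepts(rng.randrange(MOD), ts_recent) for _ in range(samples))
    return hits / samples

def two_values_cover(ts_recent, any_value):
    """Since the window is exactly half the space, of any two values 2^31
    apart exactly one is accepted, whatever TS.Recent actually is."""
    first = paws_accepts(any_value, ts_recent)
    second = paws_accepts((any_value + HALF) % MOD, ts_recent)
    return first ^ second
```

The accepted fraction stays at one half no matter how TS.Recent is chosen, which is why unpredictable timestamp generation addresses a different part of the problem than the window size does.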