Re: [Int-area] Some comments for 4rd
"Dan Wing" <dwing@cisco.com> Mon, 18 April 2011 23:20 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: int-area@ietfc.amsl.com
Delivered-To: int-area@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id D7D01E067C for <int-area@ietfc.amsl.com>; Mon, 18 Apr 2011 16:20:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.556
X-Spam-Level:
X-Spam-Status: No, score=-110.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjUD-E0WWIsD for <int-area@ietfc.amsl.com>; Mon, 18 Apr 2011 16:20:00 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by ietfc.amsl.com (Postfix) with ESMTP id 62A06E06AB for <int-area@ietf.org>; Mon, 18 Apr 2011 16:20:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=1928; q=dns/txt; s=iport; t=1303168800; x=1304378400; h=from:to:references:in-reply-to:subject:date:message-id: mime-version:content-transfer-encoding; bh=GeyI8HB+zU8FwEShKnX146C/qzaqiIaJ73eYBgWqb/k=; b=MEhQCrLxaAnH5DhaVq/66mwpiz5fdUi85KMIu4M1Tp/Dc+U8gnnNEeUj 3F3u6Y1e4OZACT1DR5DVvS+ITF1WWuTGEo93oanzR1/fASJcCJnbwmr0E gjzSqgiVYgg4n1J5eBZaA57yM+8sdPRc9t9HG475Foe+3vh8eyBmqoCmf 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgIBAMnFrE2rRDoI/2dsb2JhbACXOoFjjCJ3qlCcXIVxBIVi
X-IronPort-AV: E=Sophos;i="4.64,236,1301875200"; d="scan'208";a="340070077"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by sj-iport-2.cisco.com with ESMTP; 18 Apr 2011 23:19:59 +0000
Received: from dwingWS (sjc-vpn4-1192.cisco.com [10.21.84.167]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p3INJxdW011574; Mon, 18 Apr 2011 23:19:59 GMT
From: Dan Wing <dwing@cisco.com>
To: c-sun@bb.softbank.co.jp, tena@huawei.com, int-area@ietf.org
References: <00ef01cbfa30$5eb5ad50$1c2107f0$@com> <6CADC58598A4D249AD3B5026CE8CC33906D758D5@CI-EXMB-09V.bb.local>
In-Reply-To: <6CADC58598A4D249AD3B5026CE8CC33906D758D5@CI-EXMB-09V.bb.local>
Date: Mon, 18 Apr 2011 16:19:59 -0700
Message-ID: <0c2301cbfe1f$2344e4f0$69ceaed0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acv513EEgB0AidJaRV+R6cpHxz5MQgAWIj5wANQbB6AAJ1Rt4A==
Content-Language: en-us
Subject: Re: [Int-area] Some comments for 4rd
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Apr 2011 23:20:02 -0000
> -----Original Message----- > From: int-area-bounces@ietf.org [mailto:int-area-bounces@ietf.org] On > Behalf Of c-sun@bb.softbank.co.jp > Sent: Sunday, April 17, 2011 9:28 PM > To: tena@huawei.com; int-area@ietf.org > Subject: Re: [Int-area] Some comments for 4rd > > Hi Tina > Thank you for your comments. > > >5. In section 5 of applicability draft > > "Shared address issues [I-D.ietf-intarea-shared-addressing- > issues] describes a method for > > the random selection of TCP Sequence Number, that reduces the > ability of attacker to correctly guess the 5-ruple." > > > Random selection of TCP Sequence Number is to prevent the attacker > from guessing the next TCP SN, not the 5-tuple. > > You are right. I will change it in the next version of draft. I noticed the existing text in http://tools.ietf.org/html/draft-ietf-intarea-shared-addressing-issues-05#se ction-5 says the client goes into TIME_WAIT ("It is important to realize that the TCP design makes it undesirable for clients to re-use ports while they remain in the TIME-WAIT state (typically 4 minutes after the connection has concluded).") -- however, that depends on the client doing the active close. I see that http://tools.ietf.org/html/rfc6056#section-2.3 discusses what happens when the server does the active close: the client doesn't go into TIME_WAIT. The recommendation in draft-ietf-intarea-shared-addressing-issues appears to re-enforce the suggestion in the last sentence of http://tools.ietf.org/html/rfc6056#section-2.3, which says: A simple but inefficient approach to minimize the rate of collisions of instance-ids would be, e.g., in the case of TCP, for both endpoints of a TCP connection to keep state about recent connections (e.g., have both endpoints end up in the TIME-WAIT state). perhaps you could cite RFC6056 and reduce the discussion in Section 5? -d
- [Int-area] Some comments for 4rd Tina Tsou
- Re: [Int-area] Some comments for 4rd Tetsuya Murakami
- Re: [Int-area] Some comments for 4rd c-sun
- Re: [Int-area] Some comments for 4rd Dan Wing
- Re: [Int-area] Some comments for 4rd Tina Tsou
- Re: [Int-area] Some comments for 4rd c-sun