Re: [shara] port randomization (draft-ymbk-aplusp-03)

"Dan Wing" <dwing@cisco.com> Mon, 16 March 2009 15:14 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2B6C528C15E for <shara@core3.amsl.com>; Mon, 16 Mar 2009 08:14:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.217
X-Spam-Level:
X-Spam-Status: No, score=-6.217 tagged_above=-999 required=5 tests=[AWL=0.382, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Rg3jGgjFMwd for <shara@core3.amsl.com>; Mon, 16 Mar 2009 08:14:33 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 35FFA28C125 for <shara@ietf.org>; Mon, 16 Mar 2009 08:14:33 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.38,373,1233532800"; d="scan'208";a="142988718"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-3.cisco.com with ESMTP; 16 Mar 2009 15:15:15 +0000
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n2GFFFNB010903; Mon, 16 Mar 2009 08:15:15 -0700
Received: from dwingwxp01 ([10.32.240.194]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id n2GFFFdR008715; Mon, 16 Mar 2009 15:15:15 GMT
From: "Dan Wing" <dwing@cisco.com>
To: "'Jan Zorz @ go6.si'" <jan@go6.si>, <shara@ietf.org>
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com><49B91C8B.5010906@go6.si><04a201c9a338$d5ce8f70$fd736b80@cisco.com> <49B9752B.8030407@go6.si>
Date: Mon, 16 Mar 2009 08:15:15 -0700
Message-ID: <051901c9a64a$0256bf40$fd55150a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcmjU/Xn9aBSLQbkQZG0RCk7kwz6nAC9cV1Q
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <49B9752B.8030407@go6.si>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2523; t=1237216515; x=1238080515; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[shara]=20port=20randomization=20(draft -ymbk-aplusp-03) |Sender:=20; bh=Udb3BSRqATtPT1pVNtog8UzXKECtHX/Xl/eVWaPM7y4=; b=K2QqKAwYpVOkAwx/rx537qY3o3r3zHlRMSs/p1HiGJkj8bs9VnoHBx0IRO S3NsP+YhFoXdBPNfr9s6xF/mZbjbYNPOFQ+rlay4isucY0XFbaBByZQAHE6A aDVtG2p3lE5KMFPl9nQ8L2Xe8x+1q5LCw83Dg28Y5QOxJoug8/UY8=;
Authentication-Results: sj-dkim-1; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2009 15:14:34 -0000

 

> -----Original Message-----
> From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] 
> On Behalf Of Jan Zorz @ go6.si
> Sent: Thursday, March 12, 2009 1:49 PM
> To: shara@ietf.org
> Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
> 
> 
> 
> Dan Wing wrote:
> 
> > > How important is port randomization and how big is the impact
> > > in real life,
> >
> > Over the last 10 years there have been several attacks against
> > TCP and DNS that have exploited predictable ephemeral ports.  The
> > industry response to those attacks has been to (a) randomize
> > ephemeral port selection (rather than incrementing to the next
> > port number) and (b) increase the ephemeral port range used by
> > the OS.
> >
> > See
> > http://tools.ietf.org/html/draft-ietf-tsvwg-port-randomization-02#section-1
> > for a more detailed answer to your question.
> 
> Dan, hi.
> 
> I'm well aware of that draft; it is also referenced in the A+P
> draft. Maybe I was not clear enough in my question, let me
> re-phrase it.
> In shared IP solutions we are taking away ports from
> customers, we are taking away resources, and everything is a
> compromise.
> That being said, if we are happy with compromise, why not
> introduce compromise also in a dirty hack such as port randomization?
> So, can we live with randomization within, for example, a range
> of 512 ports? Is this "good enough"? We are quite fond of accepting
> the compromise of shared IP as "good enough", because we have
> no other option, so can we also accept the compromise of less
> randomness in the port randomization hack?
> 
> I'm also curious to hear some approximation from any HW
> vendor of what allocating "one port per request" means for a
> PRR at larger scale.

This is what today's NAPT devices do, but without a separate
protocol to request each port.

And, the CPE does not necessarily need to request each port; it
could ask for ~5 or ~10 ports and then utilize them as it needs,
and then get another batch of ~10 ports.  It comes down to
the design decisions for the protocol between the CPE and the 
PRR so that it is possible to utilize the entire 64K port 
range.

-d

> I suspect this 
> might very well be performance suicide, but this is only my 
> speculation. If not - good, we can go in that direction, 
> which I recognise as good also in several other ways.
> 
> Thank you for your time and effort, Jan Zorz
> 
>
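The following is an added example and is not part of the original thread or of the A+P draft. It is a toy Python model of the two points argued above: a CPE that owns only a slice of the port space, picks ephemeral ports at random inside that slice, and fetches ports from the PRR in batches rather than one request per flow; and the arithmetic of how much a 512-port randomized range helps against a blind off-path forger who has to guess the (source port, TXID) pair, the attack class that motivated port randomization. The port range 1024-65535, the batch sizes, and the single-object "PRR" and "CPE" classes are constructed assumptions for illustration only.

```python
"""Added example, not from the original thread or the A+P draft.

Models (1) a CPE that owns a slice of the ephemeral port space, draws
ports at random from it and only asks the PRR for more in batches, and
(2) the remaining guessing entropy for an off-path forger once the
port range shrinks.  Port range, batch sizes and the PRR/CPE objects
are constructed assumptions."""

import math
import secrets


def entropy_bits(port_range_size, txid_bits=16):
    """Bits an off-path attacker must guess: log2(ports) + TXID bits.
    A full 64K range gives ~32 bits; a 512-port slice gives 25 bits."""
    return math.log2(port_range_size) + txid_bits


def forgery_success_probability(forged_packets, port_range_size, txid_bits=16):
    """Chance that one of `forged_packets` distinct blind guesses matches
    a uniformly random (port, TXID) pair before the genuine reply lands.
    Each forged packet covers one point of the port x TXID space."""
    space = port_range_size * (1 << txid_bits)
    return min(1.0, forged_packets / space)


class Prr:
    """Toy Port Range Router: owns the ports of one shared IPv4 address
    (assumed 1024-65535) and hands them to CPEs in batches.  `requests`
    counts protocol round trips, the cost the thread asks about."""

    def __init__(self, low=1024, high=65535):
        self.free = list(range(low, high + 1))
        self.requests = 0

    def grant(self, n):
        self.requests += 1
        if len(self.free) < n:
            raise RuntimeError("PRR has no ports left for this address")
        # Ports need not be contiguous; pick them unpredictably so one
        # subscriber's slice is not inferable from a neighbour's.
        return [self.free.pop(secrets.randbelow(len(self.free))) for _ in range(n)]


class Cpe:
    """Toy CPE: keeps a local pool of granted ports, draws ephemeral
    ports from it at random, and only talks to the PRR when the pool
    runs dry.  batch_size=1 is the "one port per request" case."""

    def __init__(self, prr, batch_size=10):
        self.prr = prr
        self.batch_size = batch_size
        self.pool = []          # granted to this CPE, currently unused
        self.in_use = set()

    def open_flow(self):
        if not self.pool:
            self.pool = self.prr.grant(self.batch_size)
        # Random choice inside the slice: the attacker's remaining
        # uncertainty is log2(slice size), not log2(64K).
        port = self.pool.pop(secrets.randbelow(len(self.pool)))
        self.in_use.add(port)
        return port

    def close_flow(self, port):
        self.in_use.remove(port)
        self.pool.append(port)  # reused locally, no PRR request


def simulate(flows, batch_size):
    """Open `flows` flows on one CPE; return (PRR requests made, ports used)."""
    prr = Prr()
    cpe = Cpe(prr, batch_size)
    ports = [cpe.open_flow() for _ in range(flows)]
    return prr.requests, ports


if __name__ == "__main__":
    for size in (65536 - 1024, 4096, 512):
        print(f"{size:6d} ports: {entropy_bits(size):5.2f} bits, "
              f"P(success | 2^20 forgeries) = "
              f"{forgery_success_probability(1 << 20, size):.5f}")
    for batch in (1, 10):
        reqs, _ = simulate(100, batch)
        print(f"batch size {batch:2d}: {reqs} PRR requests for 100 flows")
```

Running the block shows the trade-off in numbers: a 512-port slice leaves 25 bits to guess instead of roughly 32, so an attacker who can push about a million forged packets into the race window succeeds around 3% of the time rather than 0.02%; and batching ten ports per PRR request cuts the CPE-to-PRR exchanges for 100 flows from 100 to 10 without changing which ports the CPE ends up using.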