Re: [shara] port randomization (draft-ymbk-aplusp-03)
Rémi Després <remi.despres@free.fr> Sat, 14 March 2009 10:34 UTC
Jan Zorz @ go6.si - on (m/d/y) 3/14/09 8:45 AM:
> Pierre, hi.
>
> pierre.levis@orange-ftgroup.com wrote:
>> I'm also wondering, currently how many OSs and how many NATs do
>> implement a good randomization function?
> Not sure... but rather than port randomization I would prefer to see
> dnssec implemented in clients, maybe also combined with dnscurve.

DNSsec is better, but hosts have to also support DNS servers that don't
have it, and therefore port randomization.
Note that, if both hosts and DNS have IPv6 addresses, hosts can
randomize on the full range of ephemeral ports (not concerned with Shara
mechanisms).

>> More generally, in port range solutions we (I include myself) propose
>> sophisticated functions that surely make sense.
> We have no other option. But, how sophisticated (complex) may we get?
> Where is the balance between "good enough" usability and complexity on
> the other hand?

Full agreement.
The proposal that is included in SAM
(www.nabble.com/FYI:-draft-despres-sam-02--enclosed-td22493319.html) is
intended to be good enough and simpler than the other proposals so far.
(Routing is still based on prefixes, and the cyphering function is just a
modulo 2^n multiplication by an odd constant of the bits to be scrambled.)

>> However, I do believe that, if we want to see vendors rapidly
>> implement port range capabilities, we have to agree on a minimum set
>> of functionalities that makes it possible to build a viable port
>> range solution.
> If we want to assure at least minimum compatibility between different
> vendors' equipment and still have a solution, that makes sense to
> customer, then we need to set, what minimum means. I suspect every
> vendor will speculate with its own proprietary features, so we need
> to set basics straight.

You are perfectly right. Full agreement.

Regards,

RD
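The scrambling function mentioned in the message (multiplication modulo 2^n by an odd constant), as an added example that is not part of the original post or of the SAM draft. The 12-bit field width and the multiplier are assumed values chosen for illustration; the code checks that the mapping is one-to-one and invertible, and that low-order bits are never mixed with higher-order ones.

```python
# Added illustration. N_BITS and ODD_K are assumed values, not taken from
# the SAM draft or from the message.
N_BITS = 12        # assumed width of the bit field to be scrambled
ODD_K = 0x9E5      # assumed odd multiplier (constructed sample)


def scramble(x, k=ODD_K, n=N_BITS):
    """Multiply the n-bit value x by the odd constant k, modulo 2^n."""
    if k % 2 == 0:
        raise ValueError("multiplier must be odd or the mapping collides")
    return (x * k) & ((1 << n) - 1)


def unscramble(y, k=ODD_K, n=N_BITS):
    """Invert scramble(): every odd k has an inverse modulo 2^n."""
    k_inv = pow(k, -1, 1 << n)          # modular inverse (Python 3.8+)
    return (y * k_inv) & ((1 << n) - 1)


def is_bijection(k=ODD_K, n=N_BITS):
    """True if every n-bit input maps to a distinct n-bit output."""
    size = 1 << n
    return len({scramble(x, k, n) for x in range(size)}) == size


def low_bits_isolated(j, k=ODD_K, n=N_BITS):
    """True if the low j output bits depend only on the low j input bits."""
    low = (1 << j) - 1
    seen = {}
    for x in range(1 << n):
        out_low = scramble(x, k, n) & low
        if seen.setdefault(x & low, out_low) != out_low:
            return False
    return True


def collisions_with_even_multiplier(k_even, n=N_BITS):
    """Count the inputs that lose a unique output when k is even."""
    size = 1 << n
    return size - len({(x * k_even) & (size - 1) for x in range(size)})


if __name__ == "__main__":
    print("bijection:", is_bijection())
    print("round trip ok:", all(unscramble(scramble(x)) == x
                                for x in range(1 << N_BITS)))
    print("parity preserved:", low_bits_isolated(1))
    print("collisions with k=2:", collisions_with_even_multiplier(2))
```

Because the low j output bits are a function of the low j input bits only, the function permutes values without diffusing them, which matters when judging how much unpredictability it adds to port selection.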