IETF Logo Mail Archive

Re: [shara] [BEHAVE] TR: I-DAction:draft-boucadair-pppext-portrange-option-00.txt

"Dan Wing" <dwing@cisco.com> Fri, 06 February 2009 07:11 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 52B333A6B6A; Thu, 5 Feb 2009 23:11:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.586
X-Spam-Level:
X-Spam-Status: No, score=-6.586 tagged_above=-999 required=5 tests=[AWL=0.013, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XUdl8KI4G3f7; Thu, 5 Feb 2009 23:11:12 -0800 (PST)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id CC3093A680A; Thu, 5 Feb 2009 23:11:12 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.37,390,1231113600"; d="scan'208";a="129332900"
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-2.cisco.com with ESMTP; 06 Feb 2009 07:11:14 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id n167BE26006663; Thu, 5 Feb 2009 23:11:14 -0800
Received: from dwingwxp01 ([10.32.240.194]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n167BEmQ013422; Fri, 6 Feb 2009 07:11:14 GMT
From: "Dan Wing" <dwing@cisco.com>
To: <mohamed.boucadair@orange-ftgroup.com>, <dthaler@windows.microsoft.com>, <randy@psg.com>
References: <6CF039C5B32037498B02251E11CDE6B007BB7096@ftrdmel3><004e01c987e9$8b837df0$c2f0200a@cisco.com><m2hc38zcd3.wl%randy@psg.com> <E9CACA3D8417CE409FE3669AAE1E5A4F118EB4D7AF@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <6CF039C5B32037498B02251E11CDE6B007BB734A@ftrdmel3>
Date: Thu, 5 Feb 2009 23:11:14 -0800
Message-ID: <014b01c9882a$19255210$c2f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <6CF039C5B32037498B02251E11CDE6B007BB734A@ftrdmel3>
Thread-Index: AcmH6rF7O8eIFT3dRwGVzm6VhD6rmwADK9cQAAsCqgAAANc0wA==
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3996; t=1233904275; x=1234768275; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[BEHAVE]=20[shara]TR=3A=09I-DAction=3Ad raft-boucadair-pppext-portrange-option-00.txt |Sender:=20; bh=wq6tkXM36laWoGi96HsRZVfztJVtI92sQK+Fl9Nmjss=; b=DS3k8otAQdaXsMBVfQ2N8qAlI7lsCklIxnk0ZBqQauhCeM9sDKdsdTx7Yk xdYSdJZsOkVT38Smk0h3j7kg/EA0226kem64ym0CaXEQ4db8rxn9gzA0PDkZ fVPjMTlemA;
Authentication-Results: sj-dkim-4; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
Cc: behave@ietf.org, shara@ietf.org
Subject: Re: [shara] [BEHAVE] TR: I-DAction:draft-boucadair-pppext-portrange-option-00.txt
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Feb 2009 07:11:14 -0000

 

> -----Original Message-----
> From: mohamed.boucadair@orange-ftgroup.com 
> [mailto:mohamed.boucadair@orange-ftgroup.com] 
> Sent: Thursday, February 05, 2009 10:35 PM
> To: dthaler@windows.microsoft.com; randy@psg.com; dwing@cisco.com
> Cc: behave@ietf.org; shara@ietf.org
> Subject: RE: [BEHAVE] [shara]TR: 
> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
> 
> 
> Thank you for your comment.
> 
> There is a subtlety between subnet mask and port mask: 
> subnets need to be hierarchical but not port ranges!

I disagree.  Port ranges all belong to the same IP address -- 
from the view of the rest of the Internet.  This is akin to the 
rest of the Internet's view of a subnet.  It is only the local
IP address (subnet) that is aware of the separation of ports
(or IP addresses) to individual hosts.

> Non contiguous port range is proposed as a solution to assign 
> with a single mask for instance "M" Port Ranges with "n" Port 
> Ranges within the well-known Port Range. This means that 
> well-known PR won't be assigned to the same user. 
> 
> I see other advantages on the usage of non contiguous PR: 
> e.g. an attacker would have more difficulty to "guess" a port 
> value within the Port Range.

draft-boucadair-pppext-portrange-option does not describe
this advantage.  I am not convinced this would thwart an
attacker significantly.  If a user is permitted XXXX ports,
an attacker can determine what ports they are by a range
of contiguous bits or a range of non-contiguous bits.  I
agree the attacker has to perform more probes to learn
the non-contiguous bit pattern, of course.  But an analysis
of this advantage would be useful.

> By the way, I have the same question as Randy.

I am not talking about the proverbial Grandma or "Joe
Sixpack" when I say "users".  Those users have no
need to understand 255.255.255.0, or IP addresses,
or ARP.

However, network administrators are users, and they need 
to understand these bit-masks in order to successfully
configure equipment.  Based on industry experience with
IP, non-contiguous subnet masks are not used in very
many networks.  This is because the complexity to use
them exceeds their value.

Justification of the value of non-contiguous port masks 
would be useful.

-d


> 
> 
> Med
> 
>  
> 
> -----Message d'origine-----
> De : behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] 
> De la part de Dave Thaler
> Envoyé : vendredi 6 février 2009 02:10
> À : Randy Bush; Dan Wing
> Cc : behave@ietf.org; shara@ietf.org
> Objet : Re: [BEHAVE] [shara]TR: 
> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
> 
> Yes.  :)
> 
> I had the same feedback last IETF.
> This is the same thing all over again as a non-contiguous 
> subnet mask, which the industry effectively got rid of as 
> having too many problems in practice (but being fine in theory).
> 
> -Dave
> 
> -----Original Message-----
> From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] 
> On Behalf Of Randy Bush
> Sent: Thursday, February 05, 2009 3:35 PM
> To: Dan Wing
> Cc: behave@ietf.org; shara@ietf.org
> Subject: Re: [shara] [BEHAVE] TR: 
> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
> 
> > I like this draft overall, but I would restrict this so that only 
> > contiguous port ranges are permitted.  Non-contiguous 
> subnet masks are 
> > difficult for many people to understand (even today) and I expect 
> > there would be similar confusion with non-contiguous port ranges.
> 
> do people have to understand these?
> 
> randy
> _______________________________________________
> shara mailing list
> shara@ietf.org
> https://www.ietf.org/mailman/listinfo/shara
> 
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.8.7 | Report a Bug | By Email