[shara] port randomization (draft-ymbk-aplusp-03)

"Dan Wing" <dwing@cisco.com> Thu, 12 March 2009 00:45 UTC

From: "Dan Wing" <dwing@cisco.com>
To: <shara@ietf.org>
Date: Wed, 11 Mar 2009 17:46:17 -0700
Subject: [shara] port randomization (draft-ymbk-aplusp-03)

http://tools.ietf.org/html/draft-ymbk-aplusp-03#section-4.8 says, in part:

   ...
   Port randomization is also a bit compromised in A+P solution.  As CPE
   can randomize ports only within port range that is allocated to it,
   randomness is more limited than in the scenario with full range
   of ports, allowed for randomization.  We can assume that CPE either
   gets port range from ephemeral range (49152-65535) or from
   "registered ports" range (1024-49151).  Both ranges can be used for
   randomization, see [I-D.ietf-tsvwg-port-randomization] for more
   details.

Has consideration been given to having the PRR return only *one* port
for each request, or to returning a list of port numbers which are
not consecutive and are not a bit-pattern of ports?  These techniques
would allow the PRR to distribute the requests randomly across the 
entire port range instead of within a block of ~100 (or whatever). 

Further fleshing out of the technique described in Section 4.4
("Dynamic allocation of port ranges") could be useful towards 
allowing applications to benefit from the security advantage of 
port randomization.

-d
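The point above, as an added worked illustration (not part of this message or of the draft): with a per-CPE share of 128 ports, a CPE picks among 7 bits' worth of ports no matter how the share is cut, but a contiguous block or a fixed bit-pattern lets anyone who sees one port infer the rest, whereas a PRR that hands out non-consecutive ports scattered over the whole ephemeral range does not. The "scattered" PRR policy, the port-set sizes and the seed are constructed for the example.

```python
import math
import random

# Ephemeral range cited by the draft (49152-65535): 16384 ports, i.e. 14 bits.
EPHEMERAL_LO, EPHEMERAL_HI = 49152, 65535
RANGE_SIZE = EPHEMERAL_HI - EPHEMERAL_LO + 1

def entropy_bits(port_set):
    """Unpredictability (bits) when a CPE picks uniformly from its own set."""
    return math.log2(len(port_set))

def contiguous_block(start, size):
    """Block-style A+P allocation: one contiguous run of ports per CPE."""
    return list(range(start, start + size))

def bit_pattern_block(fixed_low, free_bits):
    """Bit-pattern allocation: low bits fixed, high bits vary. Not consecutive,
    but one observed port still reveals the whole set."""
    lo, hi = EPHEMERAL_LO >> free_bits, EPHEMERAL_HI >> free_bits
    return [(high << free_bits) | fixed_low for high in range(lo, hi + 1)]

def prr_scattered_allocations(num_cpes, ports_per_cpe, seed):
    """Hypothetical PRR policy (constructed here, not from the draft): shuffle
    the whole ephemeral range with a seeded PRNG and deal it out, so each CPE
    gets non-consecutive ports spread across the entire range."""
    if num_cpes * ports_per_cpe > RANGE_SIZE:
        raise ValueError("ephemeral range exhausted")
    pool = list(range(EPHEMERAL_LO, EPHEMERAL_HI + 1))
    random.Random(seed).shuffle(pool)
    return [sorted(pool[i * ports_per_cpe:(i + 1) * ports_per_cpe])
            for i in range(num_cpes)]

def is_structured(ports):
    """True when a sorted set is consecutive or has one constant stride, i.e.
    a single observed port plus the pattern identifies the rest of the set."""
    return len({b - a for a, b in zip(ports, ports[1:])}) == 1

def compare(ports_per_cpe=128, seed=1):
    """Per-CPE entropy is 7 bits under all three policies (vs 14 bits for the
    full range); only the scattered set keeps the CPE's other ports unguessable
    from one observed port."""
    policies = {
        "contiguous": contiguous_block(EPHEMERAL_LO, ports_per_cpe),
        "bit_pattern": bit_pattern_block(fixed_low=0x15, free_bits=7),
        "scattered": prr_scattered_allocations(128, ports_per_cpe, seed)[0],
    }
    return {name: (len(p), entropy_bits(p), is_structured(p))
            for name, p in policies.items()}
```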