[shara] port randomization (draft-ymbk-aplusp-03)
"Dan Wing" <dwing@cisco.com> Thu, 12 March 2009 00:45 UTC
From: "Dan Wing" <dwing@cisco.com>
To: <shara@ietf.org>
Date: Wed, 11 Mar 2009 17:46:17 -0700
Message-ID: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com>
http://tools.ietf.org/html/draft-ymbk-aplusp-03#section-4.8 says, in part:

   ...
   Port randomization is also a bit compromised in A+P solution.  As
   CPE can randomize ports only within port range that is allocated to
   it, randomness is more limited than in the scenario with full range
   of ports, allowed for randomization.  We can assume, that CPE either
   gets port range from ephemeral range (49152-65535) or from
   "registered ports" range (1024-49151).  Both ranges can be used for
   randomization, see [I-D.ietf-tsvwg-port-randomization] for more
   details.

Has consideration been given to having the PRR return only *one* port
for each request, or to returning a list of port numbers which are not
consecutive and are not a bit-pattern of ports?  These techniques would
allow the PRR to distribute the requests randomly across the entire
port range instead of within a block of ~100 (or whatever).

Further fleshing out of the technique described in Section 4.4
("Dynamic allocation of port ranges") could be useful towards allowing
applications to benefit from the security advantage of port
randomization.

-d
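The point in the message above, that a CPE's own port randomization is only as good as the shape of the port set the PRR hands it, can be made concrete with a small model. The following is an added example, not code from the message, the draft or any A+P implementation. It takes the two port ranges from the quoted draft text; the PRR allocation styles (an aligned contiguous block, a set sharing a fixed bit pattern in the low bits, and a set drawn uniformly from the whole range), the block size of 128 and the allocator function names are all assumptions made here for illustration. It computes two quantities for each style: the randomness the CPE itself can put into a port choice, and the randomness that is left over for an outside observer who knows only the allocation rule and has seen one of the CPE's ports.

```python
"""Model of A+P port allocation styles versus port randomization.

Added example (hypothetical code, not from the message or the draft).
Only the two port ranges come from the draft text; the allocation
styles, block size and function names are assumptions."""
import math
import random

# Port ranges named in the draft text quoted in the message.
REGISTERED = (1024, 49151)
EPHEMERAL = (49152, 65535)


def allocate_contiguous(rng, block_size, port_range=EPHEMERAL):
    """Assumed draft-style PRR: one aligned block of consecutive ports per CPE."""
    lo, hi = port_range
    n_blocks = (hi - lo + 1) // block_size
    start = lo + rng.randrange(n_blocks) * block_size
    return frozenset(range(start, start + block_size))


def allocate_bit_pattern(rng, pattern_bits, port_range=EPHEMERAL):
    """Assumed 'bit-pattern' PRR: every port whose low `pattern_bits` bits
    equal a per-CPE value (the other kind of structure the message names)."""
    lo, hi = port_range
    mask = (1 << pattern_bits) - 1
    pattern = rng.randrange(1 << pattern_bits)
    return frozenset(p for p in range(lo, hi + 1) if (p & mask) == pattern)


def allocate_scattered(rng, count, port_range=EPHEMERAL):
    """The message's suggestion: `count` ports drawn uniformly from the whole
    range, with no arithmetic relation between them."""
    lo, hi = port_range
    return frozenset(rng.sample(range(lo, hi + 1), count))


def cpe_entropy_bits(allocation):
    """Randomness the CPE can put into one source-port choice: it picks
    uniformly among the ports it holds, whatever their shape."""
    return math.log2(len(allocation))


def consistent_with_one_port(style, observed, param, port_range=EPHEMERAL):
    """Ports that an outside observer, who knows the allocation *rule* but not
    this CPE's allocation, cannot rule out after seeing a single port."""
    lo, hi = port_range
    if style == "contiguous":  # param = block size: same aligned block as `observed`
        start = lo + ((observed - lo) // param) * param
        return frozenset(range(start, start + param))
    if style == "bit_pattern":  # param = pattern bits: same low bits as `observed`
        mask = (1 << param) - 1
        return frozenset(p for p in range(lo, hi + 1) if (p & mask) == (observed & mask))
    if style == "scattered":  # nothing links the CPE's other ports to `observed`
        return frozenset(range(lo, hi + 1))
    raise ValueError(style)


def residual_entropy_bits(style, observed, param, port_range=EPHEMERAL):
    """Bits of unpredictability that survive the leak of one port."""
    return math.log2(len(consistent_with_one_port(style, observed, param, port_range)))


def compare(seed=1, ports_per_cpe=128):
    """Return {style: (cpe_entropy_bits, residual_entropy_bits)} for one
    CPE under each allocation style, with every style handing out the
    same number of ports so that only the shape of the set differs."""
    rng = random.Random(seed)
    range_size = EPHEMERAL[1] - EPHEMERAL[0] + 1
    pattern_bits = int(math.log2(range_size // ports_per_cpe))
    rows = {}
    for style, alloc, param in (
        ("contiguous", allocate_contiguous(rng, ports_per_cpe), ports_per_cpe),
        ("bit_pattern", allocate_bit_pattern(rng, pattern_bits), pattern_bits),
        ("scattered", allocate_scattered(rng, ports_per_cpe), ports_per_cpe),
    ):
        observed = rng.choice(sorted(alloc))
        rows[style] = (cpe_entropy_bits(alloc), residual_entropy_bits(style, observed, param))
    return rows


if __name__ == "__main__":
    for style, (own, residual) in compare().items():
        print(f"{style:12s} CPE-side {own:4.1f} bits, after one observed port {residual:4.1f} bits")
```

With 128 ports per CPE all three styles give the CPE the same 7 bits of choice, which is what the draft's Section 4.8 describes. The difference shows up in the second column: a contiguous block or a fixed bit pattern lets one observed port pin down the whole set (7 bits left), while a set drawn from the entire ephemeral range leaves all 14 bits of the range in play, because nothing about one port reveals the others. That is the gain the message is asking the PRR design to preserve.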