Re: [shara] [BEHAVE] TR: I-DAction:draft-boucadair-pppext-portrange-option-00.txt
<teemu.savolainen@nokia.com> Fri, 06 February 2009 07:32 UTC
From: <teemu.savolainen@nokia.com>
To: <dwing@cisco.com>, <mohamed.boucadair@orange-ftgroup.com>,
<dthaler@windows.microsoft.com>, <randy@psg.com>
Date: Fri, 6 Feb 2009 08:31:48 +0100
Thread-Topic: [BEHAVE] [shara]TR:
I-DAction:draft-boucadair-pppext-portrange-option-00.txt
Thread-Index: AcmH6rF7O8eIFT3dRwGVzm6VhD6rmwADK9cQAAsCqgAAANc0wAABZXTg
Message-ID: <18034D4D7FE9AE48BF19AB1B0EF2729F27E8726BD7@NOK-EUMSG-01.mgdnok.nokia.com>
References: <6CF039C5B32037498B02251E11CDE6B007BB7096@ftrdmel3><004e01c987e9$8b837df0$c2f0200a@cisco.com><m2hc38zcd3.wl%randy@psg.com>
<E9CACA3D8417CE409FE3669AAE1E5A4F118EB4D7AF@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
<6CF039C5B32037498B02251E11CDE6B007BB734A@ftrdmel3>
<014b01c9882a$19255210$c2f0200a@cisco.com>
In-Reply-To: <014b01c9882a$19255210$c2f0200a@cisco.com>
Cc: behave@ietf.org, shara@ietf.org
Subject: Re: [shara] [BEHAVE] TR: I-DAction:draft-boucadair-pppext-portrange-option-00.txt
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>,
<mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>,
<mailto:shara-request@ietf.org?subject=subscribe>
Dan,

We have a draft pending on the Internet-Draft submission tool: http://www.ietf.org/proceedings/staging/draft-bajko-pripaddrassign-00.txt that describes what you ask. (Note: that link will not work after the draft gets published.) Please check that out; it discusses this in more detail and also describes an alternative solution using a cryptographically random port allocation scheme.

These administrators could configure a host to get, say, 1000 ports, but of course not specific ones, as those would be randomized from the 64K-1K range. With proper tools administrators can of course see what ports are/were assigned to users.

Best regards,

Teemu

>-----Original Message-----
>From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
>On Behalf Of ext Dan Wing
>Sent: 06 February, 2009 09:11
>To: mohamed.boucadair@orange-ftgroup.com;
>dthaler@windows.microsoft.com; randy@psg.com
>Cc: behave@ietf.org; shara@ietf.org
>Subject: Re: [BEHAVE] [shara]TR:
>I-DAction:draft-boucadair-pppext-portrange-option-00.txt
>
>> -----Original Message-----
>> From: mohamed.boucadair@orange-ftgroup.com
>> [mailto:mohamed.boucadair@orange-ftgroup.com]
>> Sent: Thursday, February 05, 2009 10:35 PM
>> To: dthaler@windows.microsoft.com; randy@psg.com; dwing@cisco.com
>> Cc: behave@ietf.org; shara@ietf.org
>> Subject: RE: [BEHAVE] [shara]TR:
>> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
>>
>> Thank you for your comment.
>>
>> There is a subtlety between subnet mask and port mask:
>> subnets need to be hierarchical but not port ranges!
>
>I disagree. Port ranges all belong to the same IP address --
>from the view of the rest of the Internet. This is akin to
>the rest of the Internet's view of a subnet. It is only the
>local IP address (subnet) that is aware of the separation of
>ports (or IP addresses) to individual hosts.
>
>> Non-contiguous port range is proposed as a solution to assign with a
>> single mask for instance "M" Port Ranges with "n" Port Ranges within
>> the well-known Port Range. This means that well-known PR won't be
>> assigned to the same user.
>>
>> I see other advantages in the usage of non-contiguous PR:
>> e.g. an attacker would have more difficulty to "guess" a port value
>> within the Port Range.
>
>draft-boucadair-pppext-portrange-option does not describe this
>advantage. I am not convinced this would thwart an attacker
>significantly. If a user is permitted XXXX ports, an attacker
>can determine what ports they are by a range of contiguous
>bits or a range of non-contiguous bits. I agree the attacker
>has to perform more probes to learn the non-contiguous bit
>pattern, of course. But an analysis of this advantage would be useful.
>
>> By the way, I have the same question as Randy.
>
>I am not talking about the proverbial Grandma or "Joe Sixpack"
>when I say "users". Those users have no need to understand
>255.255.255.0, or IP addresses, or ARP.
>
>However, network administrators are users, and they need to
>understand these bit-masks in order to successfully configure
>equipment. Based on industry experience with IP,
>non-contiguous subnet masks are not used in very many
>networks. This is because the complexity to use them exceeds
>their value.
>
>Justification of the value of non-contiguous port masks would
>be useful.
>
>-d
>
>>
>> Med
>>
>> -----Original Message-----
>> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
>> On Behalf Of Dave Thaler
>> Sent: Friday, 6 February 2009 02:10
>> To: Randy Bush; Dan Wing
>> Cc: behave@ietf.org; shara@ietf.org
>> Subject: Re: [BEHAVE] [shara]TR:
>> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
>>
>> Yes. :)
>>
>> I had the same feedback last IETF.
>> This is the same thing all over again as a non-contiguous subnet mask,
>> which the industry effectively got rid of as having too many problems
>> in practice (but being fine in theory).
>>
>> -Dave
>>
>> -----Original Message-----
>> From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] On Behalf
>> Of Randy Bush
>> Sent: Thursday, February 05, 2009 3:35 PM
>> To: Dan Wing
>> Cc: behave@ietf.org; shara@ietf.org
>> Subject: Re: [shara] [BEHAVE] TR:
>> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
>>
>> > I like this draft overall, but I would restrict this so that only
>> > contiguous port ranges are permitted. Non-contiguous subnet masks are
>> > difficult for many people to understand (even today) and I expect
>> > there would be similar confusion with non-contiguous port ranges.
>>
>> do people have to understand these?
>>
>> randy
>> _______________________________________________
>> shara mailing list
>> shara@ietf.org
>> https://www.ietf.org/mailman/listinfo/shara
>>
>> _______________________________________________
>> Behave mailing list
>> Behave@ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
>
>_______________________________________________
>Behave mailing list
>Behave@ietf.org
>https://www.ietf.org/mailman/listinfo/behave
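The exchange above turns on two points: whether a non-contiguous port mask makes a user's ports harder to "guess" than a contiguous one, and whether a mask can keep the well-known range (0-1023) out of a user's allocation. The following script is an added illustration of both, and of the "N random ports from the 64K-1K space" alternative mentioned in Teemu's message; it is not code from the thread, from draft-boucadair-pppext-portrange-option, or from draft-bajko-pripaddrassign. The (value, mask) selection rule, the function names, the sample mask values and the 1000-port random allocation are assumptions chosen for illustration and do not reproduce either draft's wire encoding.

```python
"""Added worked example (not from the thread or the drafts it discusses).

Model assumed here: a host gets every 16-bit port p whose bits under a
mask equal the corresponding bits of a value, i.e. (p & mask) == (value & mask).
Bits set in the mask are pinned; clear bits are free for the host to use.
"""
import secrets

PORT_BITS = 16
WELL_KNOWN_MAX = 1023  # ports 0-1023: the well-known range


def ports_for_mask(value: int, mask: int) -> list:
    """Every 16-bit port p such that (p & mask) == (value & mask)."""
    if not (0 <= value <= 0xFFFF and 0 <= mask <= 0xFFFF):
        raise ValueError("value and mask must be 16-bit")
    want = value & mask
    return [p for p in range(1 << PORT_BITS) if (p & mask) == want]


def set_size(mask: int) -> int:
    """Number of ports selected, from the mask's weight alone: 2^(16 - popcount).

    Contiguity plays no role, which is the search-space point made in the
    reply: an allocation of XXXX ports is XXXX candidate ports either way.
    """
    return 1 << (PORT_BITS - bin(mask).count("1"))


def is_contiguous(mask: int) -> bool:
    """True when the set bits form one high-order run (e.g. 0xFC00), so the
    selected ports are a single block of consecutive port numbers."""
    inv = (~mask) & 0xFFFF
    return (inv & (inv + 1)) == 0


def overlaps_well_known(ports) -> bool:
    """Does the selection hand the user any port in 0-1023?"""
    return any(p <= WELL_KNOWN_MAX for p in ports)


def describe(value: int, mask: int) -> dict:
    """Summary an operator would want before committing an allocation."""
    ports = ports_for_mask(value, mask)
    return {
        "mask": f"0x{mask:04X}",
        "contiguous": is_contiguous(mask),
        "count": len(ports),
        "lowest": ports[0],
        "highest": ports[-1],
        "touches_well_known": overlaps_well_known(ports),
    }


def random_port_set(n: int, low: int = WELL_KNOWN_MAX + 1, high: int = 0xFFFF) -> set:
    """The alternative sketched in the message: n distinct ports drawn with a
    CSPRNG from the 64K-1K space above the well-known range. The operator
    chooses how many ports, not which ones; the assignment is then logged."""
    if n > high - low + 1:
        raise ValueError("not enough ports in range")
    chosen = set()
    while len(chosen) < n:
        chosen.add(low + secrets.randbelow(high - low + 1))
    return chosen


if __name__ == "__main__":
    # Constructed sample allocations (assumed values, not from either draft):
    cases = [
        (0x0400, 0xFC00),  # contiguous, 6 mask bits: ports 1024-2047
        (0x0400, 0xA443),  # non-contiguous, 6 mask bits: also 1024 ports,
                           # bit 10 pinned to 1 so no port falls below 1024
        (0x0001, 0x0003),  # low bits only: every 4th port, well-known ones included
    ]
    for value, mask in cases:
        print(describe(value, mask))
    picked = random_port_set(1000)
    print(f"random allocation: {len(picked)} ports, min {min(picked)}, max {max(picked)}")
```

Running it shows the two 6-bit masks selecting exactly 1024 ports each, contiguous or not, while the mask that pins only low-order bits spreads the user across the well-known range; the random allocation gives the same operator-visible count without any structure an outsider could infer from one observed port.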