Re: [shara] port randomization (draft-ymbk-aplusp-03)

["Jan Zorz @ go6.si" <jan@go6.si>]

Dan, Gabor, hi.
>>     
>>> Wouldn't a lease time associated with each allocated port or 
>>> port range be enough?
>>>       
>> Somewhat; the CPE might want to get a new port more aggressively
>> for whatever reason.
>>
>> Let's pretend we had a SHARA solution in place in 2005, and 
>> everybody agreed in 2005 that a 1 hour lease made sense.  The
>> SP equipment was configured to provide a 1 hour lease of a
>> bunch of random ports.  Then Kaminsky DNS attack surfaces in 2008, 
>> 3 years later.  Due to that attack, CPE want to get a fresh, 
>> random UDP port for every DNS query.  Does the existing DHCP 
>> lease mechanism support a CPE wanting/needing to do that?  It
>> is my understanding that it does not;
>>     
>
> That is, for some ports (read: applications), aggressively
> short port leases may be desirable while for other ports it 
> may be desirable to have longer leases.  Having the client
> request a short lease duration for any port might work, but
> seems chatty because the client will have to refresh the
> lease even for ports that are actively sending/receiving
> traffic.  The PRR can already tell which ports are actively
> sending/receiving traffic (because it is forwarding that
> traffic).
>
> Perhaps this is getting too much into the details of the
> design of the protocol between the CPE and the PRR.
>
> -d
>
>   
Pierre joined me with my question, how big allocation of ports is big 
enough for randomisation. Let's try to find out that first.
The other suggestion, that I found quite interesting (if not brilliant) 
is to offload DNS resolving to the core (PRR?) and do port randomisation 
there.

Regards, Jan Zorz