Re: [shara] port randomization (draft-ymbk-aplusp-03)

"Jan Zorz @ go6.si" <jan@go6.si> Sat, 14 March 2009 07:54 UTC

Message-ID: <49BB62DD.9080109@go6.si>
Date: Sat, 14 Mar 2009 08:55:09 +0100
From: "Jan Zorz @ go6.si" <jan@go6.si>
Organization: go6.si
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: =?ISO-8859-15?Q?R=E9mi_Denis-Courmont?= <remi.denis-courmont@nokia.com>
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com> <04a201c9a338$d5ce8f70$fd736b80@cisco.com> <49B9752B.8030407@go6.si> <200903131023.13616.remi.denis-courmont@nokia.com>
In-Reply-To: <200903131023.13616.remi.denis-courmont@nokia.com>
Content-Type: multipart/alternative; boundary="------------050504040303090304060600"
Cc: shara@ietf.org
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
Precedence: list

Rémi Denis-Courmont wrote:
> 	Hello,
>
> On Thursday 12 March 2009 22:48:43 ext Jan Zorz @ go6.si wrote:
>   
>> How important is port randomization and how big is the impact in real
>> life,
>>     
>
> It depends a _lot_ on the protocol.
>
> To reiterate what Dan said, DNS is vulnerable. The well-publicized attacks on 
> DNS (and in particular the "Kaminsky" vulnerability) rely on predictable port 
> numbers. Or rather, they are mitigated by port randomization.
>
> In principle, running a DNS cache on the NAT/address-sharing box could solve 
> this. DNS would be proxied at the application layer, and so port randomization 
> could be achieved properly by the box. Unfortunately, some of "box" vendors 
> probably do not want to have to provide a DNS cache.
>   
Remi, hi.

This seems quite a good idea. Maybe we should think and search for a 
solution in this direction.
Why do you suspect, that some of the vendors would refuse to provide a 
DNS cache?

regards, Jan Zorz

[shara] port randomization (draft-ymbk-aplusp-03) Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Gabor.Bajko
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Randy Bush
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… teemu.savolainen
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… pierre.levis
Re: [shara] port randomization (draft-ymbk-aplusp… Lars Eggert
Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Denis-Courmont
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Després
Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Després
Re: [shara] port randomization (draft-ymbk-aplusp… teemu.savolainen
Re: [shara] port randomization (draft-ymbk-aplusp… MILES DAVID
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Gabor.Bajko
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… pierre.levis
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair