[shara] draft-thaler-port-restricted-ip-issues: Security Considerations

<mohamed.boucadair@orange-ftgroup.com> Mon, 01 March 2010 10:03 UTC

From: mohamed.boucadair@orange-ftgroup.com
To: "dthaler@microsoft.com" <dthaler@microsoft.com>
Date: Mon, 01 Mar 2010 11:03:27 +0100
Message-ID: <21217_1267437809_4B8B90F1_21217_19318_1_94C682931C08B048B7A8645303FDC9F30EFAFF52B1@PUEXCB1B.nanterre.francetelecom.fr>
Cc: "shara@ietf.org" <shara@ietf.org>
Subject: [shara] draft-thaler-port-restricted-ip-issues: Security Considerations

Dear Dave, all,

You wrote in the draft: "One mitigation for security attacks against TCP is port randomization
   [I-D.ietf-tsvwg-port-randomization].  Reducing the port space
   available to host thus reduces its ability to randomize ports, and
   hence has negative security implications.  This issue would be made
   worse if there were any port sub-delegation (where sub-ranges are
   allocated out of larger ranges), since each hierarchy level would
   introduce some wasted ports."

Your statement is true for small contiguous port ranges. Nevertheless, it is more complicated to guess the port number when using ** non-contiguous ** port ranges (e.g., assign 64 contiguous port ranges using the same Port Range Mask to a given device, http://tools.ietf.org/html/draft-bajko-pripaddrassign-02#section-4.1) or with pre-allocated random port numbers as defined in http://tools.ietf.org/html/draft-bajko-pripaddrassign-02#section-5.  

More information can also be found at: http://www.ietf.org/proceedings/74/slides/shara-1/shara-1_files/v3_document.htm.

BTW, it is more complex to guess the TCP sequence number than the ports. Isn't it sufficient to randomize the SN to mitigate the issues listed in I-D.ietf-tsvwg-port-randomization?

Cheers,
Med
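As an added illustration, not part of Med's message or of the drafts it cites, the following Python model follows the mask/value idea of the Port Range Mask scheme: a device owns every 16-bit port whose bits selected by the mask (PRM) equal the Port Range Value (PRV). The exact wire encoding in draft-bajko is assumed, and the PRM/PRV values are constructed; the code counts the device's ports, lists its contiguous runs (64 runs of 16 ports for the non-contiguous case) and reports the randomization space in bits next to a contiguous block of the same size.

```python
import math
import secrets

def ports_for_mask(prm: int, prv: int) -> list[int]:
    """All 16-bit ports a device owns under a Port Range Mask (PRM)
    and Port Range Value (PRV): those whose masked bits equal PRV.
    Assumed semantics of the draft-bajko scheme, used for illustration."""
    if prv & ~prm & 0xFFFF:
        raise ValueError("PRV sets bits outside the mask")
    return [p for p in range(65536) if (p & prm) == prv]

def contiguous_runs(ports: list[int]) -> list[tuple[int, int]]:
    """Collapse a sorted port list into (low, high) runs of adjacent ports."""
    runs: list[list[int]] = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [(lo, hi) for lo, hi in runs]

def randomization_bits(ports: list[int]) -> float:
    """Entropy (bits) of a uniform source-port choice from this port set."""
    return math.log2(len(ports))

def pick_ephemeral(ports: list[int], min_port: int = 1024) -> int:
    """Randomize the source port within the assigned set only, skipping
    well-known ports; uses a CSPRNG as port randomization requires."""
    candidates = [p for p in ports if p >= min_port]
    return secrets.choice(candidates)

# Constructed example: mask bits 9..4 fixed -> 64 runs of 16 ports
# (1024 ports scattered over the whole 16-bit space).
SCATTERED_PRM, SCATTERED_PRV = 0x03F0, 0x0150
# Same size as one contiguous block: mask bits 15..10 fixed -> 5120..6143.
BLOCK_PRM, BLOCK_PRV = 0xFC00, 0x1400

def compare_layouts() -> dict[str, float]:
    """Entropy available to port randomization for each layout (bits)."""
    return {
        "scattered": randomization_bits(ports_for_mask(SCATTERED_PRM, SCATTERED_PRV)),
        "block": randomization_bits(ports_for_mask(BLOCK_PRM, BLOCK_PRV)),
    }

if __name__ == "__main__":
    scattered = ports_for_mask(SCATTERED_PRM, SCATTERED_PRV)
    print(len(scattered), "ports in", len(contiguous_runs(scattered)), "runs")
    print(compare_layouts(), "random port:", pick_ephemeral(scattered))
```

Both layouts hold 1024 ports and so offer 10 bits of randomization once the attacker knows the allocation; the difference Med points to lies in how much of the 16-bit space an attacker who does not know the mask has to search.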