Re: [shara] port randomization (draft-ymbk-aplusp-03)

"Rémi Denis-Courmont" <remi.denis-courmont@nokia.com> Fri, 13 March 2009 08:23 UTC

From: "Rémi Denis-Courmont" <remi.denis-courmont@nokia.com>
Organization: Maemo Software - Nokia Devices R&D
To: shara@ietf.org
Date: Fri, 13 Mar 2009 10:23:13 +0200
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com> <04a201c9a338$d5ce8f70$fd736b80@cisco.com> <49B9752B.8030407@go6.si>
In-Reply-To: <49B9752B.8030407@go6.si>
Message-Id: <200903131023.13616.remi.denis-courmont@nokia.com>
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)

Hello,

On Thursday 12 March 2009 22:48:43 ext Jan Zorz @ go6.si wrote:
> How important is port randomization and how big is the impact in real
> life,

It depends a _lot_ on the protocol.

To reiterate what Dan said, DNS is vulnerable. The well-publicized attacks on 
DNS (and in particular the "Kaminsky" vulnerability) rely on predictable port 
numbers. Or rather, they are mitigated by port randomization.

In principle, running a DNS cache on the NAT/address-sharing box could solve 
this. DNS would be proxied at the application layer, and so port randomization 
could be achieved properly by the box. Unfortunately, some of the "box" vendors 
probably do not want to have to provide a DNS cache.

-- 
Rémi Denis-Courmont
Centralien
Nokia Devices R&D, Maemo Software, Helsinki
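The point made above, that the Kaminsky-style attack is mitigated only by how unpredictable the (source port, transaction ID) pair is, can be quantified for the deployments the thread discusses. The following is an added example, not part of Rémi's message or of the A+P draft; it assumes a subscriber's A+P allocation is a contiguous block of ports (the `Deployment` type, port bounds and names are constructed for illustration) and compares a resolver on a fixed port, a host behind A+P with a 2048-port slice, and a DNS cache on the sharing box using the full ephemeral range.

```python
import math
from dataclasses import dataclass

TXID_BITS = 16            # DNS transaction ID is a 16-bit field
WELL_KNOWN_LIMIT = 1024   # ports below this are not drawn as ephemeral source ports


@dataclass
class Deployment:
    """Constructed model of who sends the DNS query and which source ports it may use."""
    name: str
    port_lo: int        # lowest source port available to the querier
    port_hi: int        # highest source port available to the querier
    randomizes: bool    # False models a resolver that pins one fixed source port


def usable_ports(d: Deployment) -> int:
    """Number of distinct source ports the querier can actually draw from.

    A non-randomizing resolver contributes a single port. Any part of the
    allocation below WELL_KNOWN_LIMIT is excluded, so a slice that lies
    entirely in the well-known range yields zero usable ports.
    """
    if not d.randomizes:
        return 1
    lo = max(d.port_lo, WELL_KNOWN_LIMIT)
    return max(0, d.port_hi - lo + 1)


def entropy_bits(d: Deployment) -> float:
    """Bits a forged reply must match: TXID plus log2 of the usable port pool."""
    n = usable_ports(d)
    return TXID_BITS + (math.log2(n) if n > 0 else 0.0)


def mitigation_factor(better: Deployment, worse: Deployment) -> float:
    """How many times larger the guess space of `better` is than that of `worse`."""
    return 2.0 ** (entropy_bits(better) - entropy_bits(worse))


# Constructed deployments for the three cases discussed on the list.
FIXED_PORT = Deployment("resolver with fixed source port", 53, 53, randomizes=False)
APLUSP_HOST = Deployment("host behind A+P, 2048-port slice", 32768, 34815, randomizes=True)
BOX_CACHE = Deployment("DNS cache on the sharing box, full range", 1024, 65535, randomizes=True)

if __name__ == "__main__":
    for d in (FIXED_PORT, APLUSP_HOST, BOX_CACHE):
        print(f"{d.name:45s} ports={usable_ports(d):6d} entropy={entropy_bits(d):.2f} bits")
```

The A+P host keeps port randomization, but its guess space is about 32 times smaller than the box-side cache that can use the whole ephemeral range, which is the trade-off the reply points at.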