Re: [shara] port randomization (draft-ymbk-aplusp-03)

"Jan Zorz @ go6.si" <jan@go6.si> Thu, 12 March 2009 16:27 UTC

Message-ID: <49B91C8B.5010906@go6.si>
Date: Thu, 12 Mar 2009 15:30:35 +0100
From: "Jan Zorz @ go6.si" <jan@go6.si>
To: shara@ietf.org
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com>
In-Reply-To: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com>
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>

Dan Wing wrote:
> http://tools.ietf.org/html/draft-ymbk-aplusp-03#section-4.8 says, in part:
>
>    ...
>    Port randomization is also a bit compromised in A+P solution.  As CPE
>    can randomize ports only within port range that is allocated to it,
>    randomness is more limited than in the scenario with full range
>    of ports, allowed for randomization.  We can assume, that CPE either
>    gets port range from ephemeral range (49152-65535) or from
>    "registered ports" range (1024-49151).  Both ranges can be used for
>    randomization, see [I-D.ietf-tsvwg-port-randomization] for more
>    details.
>
> Has consideration been given to having the PRR return only *one* port
> for each request, or to returning a list of port numbers which are
> not consecutive and are not a bit-pattern of ports?  These techniques
> would allow the PRR to distribute the requests randomly across the 
> entire port range instead of within a block of ~100 (or whatever). 
>   
Hi. My concern with this approach is the massive number of "states" or "redirects" in the form "IP+port -> tunnelX" that the PRR would have to maintain. On the other hand, fragmented blocks of ports (or one port per request) are much easier to release when not in use anymore. But if we distribute consecutive blocks to CPEs, I think that we considerably lower the number of moving parts in the whole system.

Needs to be discussed.
> Further fleshing out of the technique described in Section 4.4
> ("Dynamic allocation of port ranges") could be useful towards 
> allowing applications to benefit from the security advantage of 
> port randomization.
>   
How important is port randomization, and how big is the impact in real life if we randomize within a smaller range? Is it worth making an already complex solution (shared IP) even more complex just because of that?

Regards, Jan Zorz
> -d
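The trade-off argued in this exchange, PRR mapping state per allocation versus how much of the port range an outsider is still left guessing against, as an added Python example that is not part of the thread or of the draft; the ephemeral pool, the per-CPE block size and the "one observed port" attacker model are assumptions.

```python
import math
import random

# Constructed model, added as an example and not part of the thread: a PRR
# (port range router) hands out ephemeral ports 49152-65535 to CPEs either
# as one contiguous block per CPE or as scattered single ports.
POOL = range(49152, 65536)

def allocate_blocks(num_cpes, block_size, pool=POOL):
    """Contiguous allocation: one (first_port, last_port) -> tunnel entry per CPE."""
    table, start = {}, pool.start
    for cpe in range(num_cpes):
        if start + block_size > pool.stop:
            raise ValueError("port pool exhausted")
        table[(start, start + block_size - 1)] = f"tunnel{cpe}"
        start += block_size
    return table

def allocate_scattered(num_cpes, ports_per_cpe, pool=POOL, seed=0):
    """Scattered allocation: one port -> tunnel entry per allocated port."""
    rng = random.Random(seed)          # fixed seed keeps the example reproducible
    free = list(pool)
    rng.shuffle(free)
    table = {}
    for cpe in range(num_cpes):
        for _ in range(ports_per_cpe):
            table[free.pop()] = f"tunnel{cpe}"
    return table

def guess_space_after_leak(scheme, block_size, pool=POOL):
    """Ports an outsider must still search for a CPE's *other* ports once one
    of its ports is observed: the block for contiguous allocation, the whole
    pool when ports are scattered (one port reveals nothing about the rest)."""
    return block_size if scheme == "blocks" else len(pool)

def compare(num_cpes, ports_per_cpe):
    """State the PRR must hold versus the search space each scheme leaves
    an outsider, the latter expressed in bits."""
    blocks = allocate_blocks(num_cpes, ports_per_cpe)
    scattered = allocate_scattered(num_cpes, ports_per_cpe)
    return {
        "block_entries": len(blocks),
        "scattered_entries": len(scattered),
        "block_guess_bits": math.log2(guess_space_after_leak("blocks", ports_per_cpe)),
        "scattered_guess_bits": math.log2(guess_space_after_leak("scattered", ports_per_cpe)),
    }

if __name__ == "__main__":
    print(compare(num_cpes=100, ports_per_cpe=128))
```

With 100 CPEs and 128 ports each, the block scheme needs 100 entries and leaves 7 bits to guess, while the scattered scheme needs 12800 entries and leaves the full 14 bits.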