Re: [shara] [BEHAVE]TR: I-DAction:draft-boucadair-pppext-portrange-option-00.txt

<pierre.levis@orange-ftgroup.com> Fri, 06 February 2009 07:55 UTC

Date: Fri, 6 Feb 2009 08:55:06 +0100
Message-ID: <D109C8C97C15294495117745780657AE0B3B048E@ftrdmel1>
In-Reply-To: <014b01c9882a$19255210$c2f0200a@cisco.com>
From: <pierre.levis@orange-ftgroup.com>
To: <dwing@cisco.com>, <mohamed.boucadair@orange-ftgroup.com>, <dthaler@windows.microsoft.com>, <randy@psg.com>
Cc: behave@ietf.org, shara@ietf.org
Subject: Re: [shara] [BEHAVE]TR: I-DAction:draft-boucadair-pppext-portrange-option-00.txt

Hi all,

Forbidding people to use non-contiguous port ranges, at this point in time, seems rather dangerous to me.

What if it later appears that for some use cases it is an interesting feature? As Med and Teemu pointed out, it could improve, to some extent, the security.
If we say we do not permit non-contiguous port ranges, does that mean implementers will have to code it? (As nowadays it is impossible to use 240/4.)

Maybe we could simply say that if there is no particular reason to do otherwise, by default use contiguous port ranges.

Regards,

Pierre


> -----Original Message-----
> From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] 
> On behalf of Dan Wing
> Sent: Friday, 6 February 2009 08:11
> To: BOUCADAIR Mohamed RD-CORE-CAE; 
> dthaler@windows.microsoft.com; randy@psg.com
> Cc: behave@ietf.org; shara@ietf.org
> Subject: Re: [shara] [BEHAVE]TR: 
> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
> 
>  
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange-ftgroup.com 
> > [mailto:mohamed.boucadair@orange-ftgroup.com] 
> > Sent: Thursday, February 05, 2009 10:35 PM
> > To: dthaler@windows.microsoft.com; randy@psg.com; dwing@cisco.com
> > Cc: behave@ietf.org; shara@ietf.org
> > Subject: RE: [BEHAVE] [shara]TR: 
> > I-DAction:draft-boucadair-pppext-portrange-option-00.txt
> > 
> > 
> > Thank you for your comment.
> > 
> > There is a subtlety between subnet mask and port mask: 
> > subnets need to be hierarchical but not port ranges!
> 
> I disagree.  Port ranges all belong to the same IP address -- 
> from the view of the rest of the Internet.  This is akin to the 
> rest of the Internet's view of a subnet.  It is only the local
> IP address (subnet) that is aware of the separation of ports
> (or IP addresses) to individual hosts.
> 
> > Non-contiguous port range is proposed as a solution to assign 
> > with a single mask for instance "M" Port Ranges with "n" Port 
> > Ranges within the well-known Port Range. This means that 
> > well-known PR won't be assigned to the same user. 
> > 
> > I see other advantages on the usage of non contiguous PR: 
> > e.g. an attacker would have more difficulty to "guess" a port 
> > value within the Port Range.
> 
> draft-boucadair-pppext-portrange-option does not describe
> this advantage.  I am not convinced this would thwart an
> attacker significantly.  If a user is permitted XXXX ports,
> an attacker can determine what ports they are by a range
> of contiguous bits or a range of non-contiguous bits.  I
> agree the attacker has to perform more probes to learn
> the non-contiguous bit pattern, of course.  But an analysis
> of this advantage would be useful.
> 
> > By the way, I have the same question as Randy.
> 
> I am not talking about the proverbial Grandma or "Joe
> Sixpack" when I say "users".  Those users have no
> need to understand 255.255.255.0, or IP addresses,
> or ARP.
> 
> However, network administrators are users, and they need 
> to understand these bit-masks in order to successfully
> configure equipment.  Based on industry experience with
> IP, non-contiguous subnet masks are not used in very
> many networks.  This is because the complexity to use
> them exceeds their value.
> 
> Justification of the value of non-contiguous port masks 
> would be useful.
> 
> -d
> 
> 
> > 
> > 
> > Med
> > 
> >  
> > 
> > -----Original Message-----
> > From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] 
> > On behalf of Dave Thaler
> > Sent: Friday, 6 February 2009 02:10
> > To: Randy Bush; Dan Wing
> > Cc: behave@ietf.org; shara@ietf.org
> > Subject: Re: [BEHAVE] [shara]TR: 
> > I-DAction:draft-boucadair-pppext-portrange-option-00.txt
> > 
> > Yes.  :)
> > 
> > I had the same feedback last IETF.
> > This is the same thing all over again as a non-contiguous 
> > subnet mask, which the industry effectively got rid of as 
> > having too many problems in practice (but being fine in theory).
> > 
> > -Dave
> > 
> > -----Original Message-----
> > From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] 
> > On Behalf Of Randy Bush
> > Sent: Thursday, February 05, 2009 3:35 PM
> > To: Dan Wing
> > Cc: behave@ietf.org; shara@ietf.org
> > Subject: Re: [shara] [BEHAVE] TR: 
> > I-DAction:draft-boucadair-pppext-portrange-option-00.txt
> > 
> > > I like this draft overall, but I would restrict this so that only 
> > > contiguous port ranges are permitted.  Non-contiguous 
> > > subnet masks are 
> > > difficult for many people to understand (even today) and I expect 
> > > there would be similar confusion with non-contiguous port ranges.
> > 
> > do people have to understand these?
> > 
> > randy
> > _______________________________________________
> > shara mailing list
> > shara@ietf.org
> > https://www.ietf.org/mailman/listinfo/shara
> > 
> > _______________________________________________
> > Behave mailing list
> > Behave@ietf.org
> > https://www.ietf.org/mailman/listinfo/behave
> 
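The thread above argues about contiguous versus non-contiguous port masks in the abstract. As an added example (not code from the draft, nor from any of the posters), the following Python script works the arithmetic out for a sample of each. The (mask, value) encoding is an assumption made for illustration, not the draft's option format: a 16-bit mask marks the bits fixed for one subscriber, the value supplies those bits, and the subscriber owns every port whose fixed bits match. The script shows two things the thread states but does not compute: Dan's point that a subscriber ends up with the same number of ports whichever kind of mask is used (only the bit pattern differs), and Med's point that a non-contiguous mask spreads the well-known range 0-1023 across all subscribers instead of handing it to one of them.

```python
"""Port-range assignment with (mask, value) pairs: contiguous vs. non-contiguous.

Added example for the thread on draft-boucadair-pppext-portrange-option.
The mask/value encoding is an assumption for illustration, not the draft's
option format.
"""

WELL_KNOWN_MAX = 1023  # IANA system (well-known) ports are 0..1023


def _expand(bits: list[int], index: int) -> int:
    """Place the binary digits of `index` onto the bit positions in `bits`."""
    out = 0
    for i, b in enumerate(bits):
        if (index >> i) & 1:
            out |= 1 << b
    return out


def ports_for(mask: int, value: int) -> list[int]:
    """All 16-bit ports p with (p & mask) == (value & mask), ascending."""
    if not (0 <= mask <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("mask and value must fit in 16 bits")
    free = [b for b in range(16) if not (mask >> b) & 1]
    fixed = value & mask
    return sorted(fixed | _expand(free, i) for i in range(1 << len(free)))


def subscriber_values(mask: int) -> list[int]:
    """One representative value per distinct subscriber the mask can carve out."""
    fixed_bits = [b for b in range(16) if (mask >> b) & 1]
    return [_expand(fixed_bits, i) for i in range(1 << len(fixed_bits))]


def is_contiguous(ports: list[int]) -> bool:
    """True when the sorted port list is one unbroken run."""
    return ports[-1] - ports[0] + 1 == len(ports)


def well_known_overlap(mask: int, value: int) -> int:
    """How many of this subscriber's ports fall in 0..1023."""
    return sum(1 for p in ports_for(mask, value) if p <= WELL_KNOWN_MAX)


def summarize(mask: int) -> dict:
    """Per-mask facts a network administrator would want before choosing it."""
    values = subscriber_values(mask)
    first = ports_for(mask, values[0])
    touching = sum(1 for v in values if well_known_overlap(mask, v) > 0)
    return {
        "subscribers": len(values),
        "ports_per_subscriber": len(first),  # identical for every subscriber
        "contiguous": is_contiguous(first),  # contiguity depends only on the mask
        "subscribers_with_well_known_ports": touching,
    }


if __name__ == "__main__":
    # Constructed sample masks: six high bits fixed (a prefix-style mask)
    # versus six low bits fixed (a non-contiguous port pattern).
    for name, mask in (("contiguous 0xFC00", 0xFC00), ("non-contiguous 0x003F", 0x003F)):
        print(name, summarize(mask))
        print("  subscriber 0 first ports:", ports_for(mask, 0)[:4])
```

Running it prints that both masks yield 64 subscribers with 1024 ports each; with 0xFC00 the whole well-known range lands on the subscriber whose value is 0, while with 0x003F every subscriber receives 16 ports below 1024 (0, 64, 128, ... for subscriber 0). Which of those outcomes is "better" is exactly the question the thread leaves open.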