IETF Logo Mail Archive

Re: [shara] [BEHAVE] TR:I-DAction:draft-boucadair-pppext-portrange-option-00.txt

"Dan Wing" <dwing@cisco.com> Fri, 20 February 2009 01:14 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EFF0E3A69E3 for <shara@core3.amsl.com>; Thu, 19 Feb 2009 17:14:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.524
X-Spam-Level:
X-Spam-Status: No, score=-6.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FYDCC7LCnCYE for <shara@core3.amsl.com>; Thu, 19 Feb 2009 17:14:38 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id AE80C3A68B4 for <shara@ietf.org>; Thu, 19 Feb 2009 17:14:38 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.38,237,1233532800"; d="scan'208";a="253144998"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 20 Feb 2009 01:14:39 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n1K1EdY8014429; Thu, 19 Feb 2009 17:14:39 -0800
Received: from dwingwxp01 ([10.32.240.194]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n1K1EcFL013515; Fri, 20 Feb 2009 01:14:38 GMT
From: "Dan Wing" <dwing@cisco.com>
To: <Gabor.Bajko@nokia.com>, <mohamed.boucadair@orange-ftgroup.com>, <dthaler@windows.microsoft.com>, <randy@psg.com>
References: <6CF039C5B32037498B02251E11CDE6B007BB7096@ftrdmel3><004e01c987e9$8b837df0$c2f0200a@cisco.com><m2hc38zcd3.wl%randy@psg.com><E9CACA3D8417CE409FE3669AAE1E5A4F118EB4D7AF@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com><6CF039C5B32037498B02251E11CDE6B007BB734A@ftrdmel3> <014b01c9882a$19255210$c2f0200a@cisco.com> <A99B171D26E1564B92D36826128CD66127E350E97E@NOK-EUMSG-01.mgdnok.nokia.com>
Date: Thu, 19 Feb 2009 17:14:38 -0800
Message-ID: <07b901c992f8$99e3fd10$c2f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-Index: AcmH6rF7O8eIFT3dRwGVzm6VhD6rmwADK9cQAAsCqgAAANc0wAABCkFAArFNDuA=
In-Reply-To: <A99B171D26E1564B92D36826128CD66127E350E97E@NOK-EUMSG-01.mgdnok.nokia.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6456; t=1235092479; x=1235956479; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[shara]=20[BEHAVE]=09TR=3AI-DAction=3Ad raft-boucadair-pppext-portrange-option-00.txt |Sender:=20; bh=qQ3pwc8sLWGEV2YfwWQ9wFpRqMUIvOZmW4I52Vtus8c=; b=sAURpRmowHmXGTA8jRdHtTX0k06+OrhIuAur9nYA9UN5NfyzzM8ENExRPx 30BGQ0Gj2TLLZtYiwk2IYil2ShM7Hut0C6bN1kGTMjPvwXSLK0G/4cw0J5D+ wp7cbJkQDz;
Authentication-Results: sj-dkim-2; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: shara@ietf.org
Subject: Re: [shara] [BEHAVE] TR:I-DAction:draft-boucadair-pppext-portrange-option-00.txt
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2009 01:14:40 -0000

 

> -----Original Message-----
> From: Gabor.Bajko@nokia.com [mailto:Gabor.Bajko@nokia.com] 
> Sent: Thursday, February 05, 2009 11:37 PM
> To: dwing@cisco.com; mohamed.boucadair@orange-ftgroup.com; 
> dthaler@windows.microsoft.com; randy@psg.com
> Cc: behave@ietf.org; shara@ietf.org
> Subject: RE: [shara] [BEHAVE] 
> TR:I-DAction:draft-boucadair-pppext-portrange-option-00.txt
> 
> Dan,
> 
> The attached document should appear shortly in the ietf 
> directories. Section 2 tries to justify the need for 
> non-contiguous port range allocation. Sections 4 and 5 
> explain how the non-contiguous port range and random port 
> delegation works.

(dropped BEHAVE)

Thanks.  I finally had time to look at this again.  It is
now posted at http://tools.ietf.org/html/draft-bajko-pripaddrassign-00

Thanks for providing explanation for the bit-mask.  I now understand 
why a bit mask is being proposed.  The two schemes described in
your draft (bit mask and cryptographic function) appear to be the
best achievable.

More complex mechanisms such as changing the secret key [1] would 
require even more coordination between the customer premise 
equipment and the service provider's equipment, which seems 
untenable.

[1]
http://tools.ietf.org/html/draft-ietf-tsvwg-port-randomization-02#section-3.4

-d



> - gabor
> 
>   >-----Original Message-----
>   >From: shara-bounces@ietf.org 
> [mailto:shara-bounces@ietf.org] On Behalf Of
>   >ext Dan Wing
>   >Sent: Thursday, February 05, 2009 11:11 PM
>   >To: mohamed.boucadair@orange-ftgroup.com; 
> dthaler@windows.microsoft.com;
>   >randy@psg.com
>   >Cc: behave@ietf.org; shara@ietf.org
>   >Subject: Re: [shara] [BEHAVE] TR: I-DAction:draft-boucadair-pppext-
>   >portrange-option-00.txt
>   >
>   >
>   >
>   >
>   >> -----Original Message-----
>   >> From: mohamed.boucadair@orange-ftgroup.com
>   >> [mailto:mohamed.boucadair@orange-ftgroup.com]
>   >> Sent: Thursday, February 05, 2009 10:35 PM
>   >> To: dthaler@windows.microsoft.com; randy@psg.com; dwing@cisco.com
>   >> Cc: behave@ietf.org; shara@ietf.org
>   >> Subject: RE: [BEHAVE] [shara]TR:
>   >> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
>   >>
>   >>
>   >> Thank you for your comment.
>   >>
>   >> There is a subtlety between subnet mask and port mask:
>   >> subnets need to be hierarchical but not port ranges!
>   >
>   >I disagree.  Port ranges all belong to the same IP address --
>   >from the view of the rest of the Internet.  This is akin to the
>   >rest of the Internet's view of a subnet.  It is only the local
>   >IP address (subnet) that is aware of the separation of ports
>   >(or IP addresses) to individual hosts.
>   >
>   >> Non contiguous port range is proposed as a solution to assign
>   >> with a single mask for instance "M" Port Ranges with "n" Port
>   >> Ranges within the well-known Port Range. This means that
>   >> well-known PR won't be assigned to the same user.
>   >>
>   >> I see other advantages on the usage of non contiguous PR:
>   >> e.g. an attacker would have more difficulty to "guess" a port
>   >> value within the Port Range.
>   >
>   >draft-boucadair-pppext-portrange-option does not describe
>   >this advantage.  I am not convinced this would thwart an
>   >attacker significantly.  If a user is permitted XXXX ports,
>   >an attacker can determine what ports they are by a range
>   >of contiguous bits or a range of non-contiguous bits.  I
>   >agree the attacker has to perform more probes to learn
>   >the non-contiguous bit pattern, of course.  But an analysis
>   >of this advantage would be useful.
>   >
>   >> By the way, I have the same question as Randy.
>   >
>   >I am not talking about the proverbial Grandma or "Joe
>   >Sixpack" when I say "users".  Those users have no
>   >need to understand 255.255.255.0, or IP addresses,
>   >or ARP.
>   >
>   >However, network administrators are users, and they need
>   >to understand these bit-masks in order to successfully
>   >configure equipment.  Based on industry experience with
>   >IP, non-contiguous subnet masks are not used in very
>   >many networks.  This is because the complexity to use
>   >them exceeds their value.
>   >
>   >Justification of the value of non-contiguous port masks
>   >would be useful.
>   >
>   >-d
>   >
>   >
>   >>
>   >>
>   >> Med
>   >>
>   >>
>   >>
>   >> -----Message d'origine-----
>   >> De : behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
>   >> De la part de Dave Thaler
>   >> Envoyé : vendredi 6 février 2009 02:10
>   >> À : Randy Bush; Dan Wing
>   >> Cc : behave@ietf.org; shara@ietf.org
>   >> Objet : Re: [BEHAVE] [shara]TR:
>   >> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
>   >>
>   >> Yes.  :)
>   >>
>   >> I had the same feedback last IETF.
>   >> This is the same thing all over again as a non-contiguous
>   >> subnet mask, which the industry effectively got rid of as
>   >> having too many problems in practice (but being fine in theory).
>   >>
>   >> -Dave
>   >>
>   >> -----Original Message-----
>   >> From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org]
>   >> On Behalf Of Randy Bush
>   >> Sent: Thursday, February 05, 2009 3:35 PM
>   >> To: Dan Wing
>   >> Cc: behave@ietf.org; shara@ietf.org
>   >> Subject: Re: [shara] [BEHAVE] TR:
>   >> I-DAction:draft-boucadair-pppext-portrange-option-00.txt
>   >>
>   >> > I like this draft overall, but I would restrict this 
> so that only
>   >> > contiguous port ranges are permitted.  Non-contiguous
>   >> subnet masks are
>   >> > difficult for many people to understand (even today) 
> and I expect
>   >> > there would be similar confusion with non-contiguous 
> port ranges.
>   >>
>   >> do people have to understand these?
>   >>
>   >> randy
>   >> _______________________________________________
>   >> shara mailing list
>   >> shara@ietf.org
>   >> https://www.ietf.org/mailman/listinfo/shara
>   >>
>   >> _______________________________________________
>   >> Behave mailing list
>   >> Behave@ietf.org
>   >> https://www.ietf.org/mailman/listinfo/behave
>   >
>   >_______________________________________________
>   >shara mailing list
>   >shara@ietf.org
>   >https://www.ietf.org/mailman/listinfo/shara
>

v2.8.7 | Report a Bug | By Email