Re: [shara] port randomization (draft-ymbk-aplusp-03)

[<mohamed.boucadair@orange-ftgroup.com>]

 
 
Thank you for  this clarification. 
 
Please see inline.

  _____  

De : Jan Zorz @ go6.si [mailto:jan@go6.si] 
Envoyé : mardi 17 mars 2009 14:44
À : BOUCADAIR Mohamed RD-CORE-CAE
Cc : Gabor.Bajko@nokia.com; shara@ietf.org; dwing@cisco.com
Objet : Re: [shara] port randomization (draft-ymbk-aplusp-03)


mohamed.boucadair@orange-ftgroup.com wrote: 

 
Thanks.
 
What I missed in your initial answer is why you are referring to offloading the DNS resv to the **core (PRR)**.


Mohamed, hi.

Sorry for the mess. This referred to avoiding to complicate even further with port randomization within contiguous, non-contiguous or random port ranges allocated to CPE. My personal feeling is that we already did a solution complex enough and we might not have to go towards the way of making it even more complex.

 
[Med]  Randomisation should not be seen as a target per se, but rather the problem it solves. For me, randomisation does not solve security issues but makes difficult some attacks. Non-contiguous port range does also...
 
Randomisation can also be implemented with port range solutions, but some concerns are to be studied: 
- What is the port range limit beyond which randomisation is not **efficient**? 
- If randomisation is to be implemented, instead of non contiguous port ranges for instance, what is the impact on the PRR performances?
 
BTW, I agree with you and Pierre that a minimum of functionalities are needed to have implementation of port range solution. 
 
Cheers,
Med 
 

Thanks, Jan Zorz