IETF Logo Mail Archive

Re: [shara] port randomization (draft-ymbk-aplusp-03)

<teemu.savolainen@nokia.com> Sat, 14 March 2009 11:32 UTC

Return-Path: <teemu.savolainen@nokia.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E70293A69B1 for <shara@core3.amsl.com>; Sat, 14 Mar 2009 04:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.255
X-Spam-Level:
X-Spam-Status: No, score=-6.255 tagged_above=-999 required=5 tests=[AWL=0.343, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VhAdO7uulzBd for <shara@core3.amsl.com>; Sat, 14 Mar 2009 04:32:12 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id 62C943A6933 for <shara@ietf.org>; Sat, 14 Mar 2009 04:32:12 -0700 (PDT)
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id n2EBWjnw006296; Sat, 14 Mar 2009 06:32:47 -0500
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Sat, 14 Mar 2009 13:32:42 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.7]) by esebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Sat, 14 Mar 2009 13:32:43 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-03.mgdnok.nokia.com ([65.54.30.7]) with mapi; Sat, 14 Mar 2009 12:32:42 +0100
From: <teemu.savolainen@nokia.com>
To: <jan@go6.si>, <shara@ietf.org>
Date: Sat, 14 Mar 2009 12:32:05 +0100
Thread-Topic: [shara] port randomization (draft-ymbk-aplusp-03)
Thread-Index: Acmke5VN+jto375MQ7+2M1TXET0sJAAGC+wA
Message-ID: <18034D4D7FE9AE48BF19AB1B0EF2729F27F26003A5@NOK-EUMSG-01.mgdnok.nokia.com>
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com> <A99B171D26E1564B92D36826128CD66127EE038A28@NOK-EUMSG-01.mgdnok.nokia.com> <040401c9a327$974763a0$fd736b80@cisco.com> <m24oxyg1gk.wl%randy@psg.com> <18034D4D7FE9AE48BF19AB1B0EF2729F27F25FF603@NOK-EUMSG-01.mgdnok.nokia.com> <49BB651C.8050700@go6.si>
In-Reply-To: <49BB651C.8050700@go6.si>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_18034D4D7FE9AE48BF19AB1B0EF2729F27F26003A5NOKEUMSG01mgd_"
MIME-Version: 1.0
X-OriginalArrivalTime: 14 Mar 2009 11:32:43.0104 (UTC) FILETIME=[96EF9E00:01C9A498]
X-Nokia-AV: Clean
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2009 11:32:14 -0000

Hi Jan,

There is indeed need for trade-off discussions at some point, and to also look whether different deployment scenarios are happy with something other deployment scenarios are not. E.g. it may make a difference whether a host is allocated 1,10,10,1000, or 10000 ports.

I do not believe ROM requirements in CPEs or hosts can be a real factor here - the code changes required for port restricted addresses are small (there's no new protocol, just new parameters on the existing ones + control SW - especially if indeed can be handled just by configuration on some platforms). I also don't think there's any mandatory requirement to upgrade existing CPEs or hosts - those are already addressable. The port restricted address support can be deployed along with new devices (perhaps at the same time those are added with IPv6 support?).

While AES support may be an issue for CPEs - I don't know what features CPEs currently have - it is not an issue say e.g. for cellular devices, which already have all the crypto libraries required for SSL/TLS and often also for IPsec.

If a device is so restricted that it cannot do port restricted addressing, then its best to move to IPv6 or obtain enough full IPv4 addresses from somewhere.

Best regards,

    Teeu

________________________________
From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] On Behalf Of ext Jan Zorz @ go6.si
Sent: 14 March, 2009 10:05
To: shara@ietf.org
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)

Teemu, hi.


Now if the non-contiguous port set is less random, say contains multiple non-contiguous ranges allocated with port masks (see the same draft), less effort is needed in dhcp-client (no AES calls needed) and multiplexing gateway, as no AES calls are needed and mapping tables can be simpler (as bitmasks can be used). In DHCP server effort is pretty similar except for key generation part that is not needed.


Exactly.

Comments? This is interesting topic to look into.

I don't think these are issues for the end-nodes, but maybe someone who would be involved in gateway implementation could comment their perspectives?


ISP's already have issues with not enough memory in CPE for firmwares even without v6 and/or shared IP solution. With growing complexity of shared IP solution their problem is not going away, but getting bigger :) If we suspect, that ISP will replace all the HW, then we can go complex. If we suspect, that ISP will want to "just upgrade" CPE firmware to support IPv6 and shared IP, then we need to do something that would fit into HW of yesterday and today. Am I somehow thinking into sensible direction?

v2.8.7 | Report a Bug | By Email