Re: [shara] port randomization (draft-ymbk-aplusp-03)

"Dan Wing" <dwing@cisco.com> Thu, 12 March 2009 17:34 UTC

From: "Dan Wing" <dwing@cisco.com>
To: "'Jan Zorz @ go6.si'" <jan@go6.si>, <shara@ietf.org>
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com> <49B91C8B.5010906@go6.si>
Date: Thu, 12 Mar 2009 10:34:45 -0700
Message-ID: <04a201c9a338$d5ce8f70$fd736b80@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <49B91C8B.5010906@go6.si>
Thread-Index: AcmjL5Z3CZdN0U89Q/KOw2gwsGUEkwACHdpg
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
Precedence: list

> How important is port randomization and how big is the impact in real 
> life,

Over the last 10 years there have been several attacks against
TCP and DNS that have exploited predictable emphemeral ports.  The
industry response to those attacks has been to (a) randomize 
ephemeral port selection (rather than incrementing to the next 
port number) and (b) increase the ephemeral port range used by 
the OS.

See
http://tools.ietf.org/html/draft-ietf-tsvwg-port-randomization-02#section-1
for more detailed answer to your question.

-d


> if we randomize within
> smaller range? Is it worthy to make already complex solution 
> (shared IP) 
> even more complex just because of that?
> 
> Regards, Jan Zorz
> > -d
> >
> >
> > _______________________________________________
> > shara mailing list
> > shara@ietf.org
> > https://www.ietf.org/mailman/listinfo/shara
> >   
> _______________________________________________
> shara mailing list
> shara@ietf.org
> https://www.ietf.org/mailman/listinfo/shara

[shara] port randomization (draft-ymbk-aplusp-03) Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Gabor.Bajko
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Randy Bush
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… teemu.savolainen
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… pierre.levis
Re: [shara] port randomization (draft-ymbk-aplusp… Lars Eggert
Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Denis-Courmont
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Després
Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Després
Re: [shara] port randomization (draft-ymbk-aplusp… teemu.savolainen
Re: [shara] port randomization (draft-ymbk-aplusp… MILES DAVID
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Gabor.Bajko
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
Re: [shara] port randomization (draft-ymbk-aplusp… pierre.levis
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair
Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair