IETF Logo Mail Archive

Re: [shara] port randomization (draft-ymbk-aplusp-03)

Lars Eggert <lars.eggert@nokia.com> Fri, 13 March 2009 08:22 UTC

Return-Path: <lars.eggert@nokia.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9111F28C0F0 for <shara@core3.amsl.com>; Fri, 13 Mar 2009 01:22:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.761
X-Spam-Level:
X-Spam-Status: No, score=-1.761 tagged_above=-999 required=5 tests=[AWL=0.839, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oGOxvbw+sx9N for <shara@core3.amsl.com>; Fri, 13 Mar 2009 01:22:19 -0700 (PDT)
Received: from mail.fit.nokia.com (unknown [IPv6:2001:2060:40:1::123]) by core3.amsl.com (Postfix) with ESMTP id 0214128C0ED for <shara@ietf.org>; Fri, 13 Mar 2009 01:22:18 -0700 (PDT)
Received: from [IPv6:2001:2060:40:2:219:e3ff:fe06:dc74] ([IPv6:2001:2060:40:2:219:e3ff:fe06:dc74]) (authenticated bits=0) by mail.fit.nokia.com (8.14.3/8.14.3) with ESMTP id n2D8MjeH048476 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 13 Mar 2009 10:22:46 +0200 (EET) (envelope-from lars.eggert@nokia.com)
Message-Id: <BFD278DB-6E72-476E-84F8-5CD764F7A1E8@nokia.com>
From: Lars Eggert <lars.eggert@nokia.com>
To: pierre.levis@orange-ftgroup.com
In-Reply-To: <D109C8C97C15294495117745780657AE0B6BEB6B@ftrdmel1>
Content-Type: multipart/signed; boundary=Apple-Mail-126-927328201; micalg=sha1; protocol="application/pkcs7-signature"
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Fri, 13 Mar 2009 10:22:45 +0200
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com><49B91C8B.5010906@go6.si><04a201c9a338$d5ce8f70$fd736b80@cisco.com> <49B9752B.8030407@go6.si> <D109C8C97C15294495117745780657AE0B6BEB6B@ftrdmel1>
X-Mailer: Apple Mail (2.930.3)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1 (mail.fit.nokia.com [IPv6:2001:2060:40:1::123]); Fri, 13 Mar 2009 10:22:47 +0200 (EET)
X-Virus-Scanned: ClamAV 0.94.2/9103/Fri Mar 13 04:52:35 2009 on fit.nokia.com
X-Virus-Status: Clean
Cc: "shara@ietf.org" <shara@ietf.org>
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2009 08:22:20 -0000

On 2009-3-13, at 10:08, pierre.levis@orange-ftgroup.com wrote:
> I'm also wondering, currently how many OSs and how many NATs do  
> implement a good randomization function?

No need to wonder, at least for OS: http://tools.ietf.org/html/draft-ietf-tsvwg-port-randomization-02#appendix-A

Lars

> More generally, in port range solutions we (I include myself)  
> propose sophisticated functions that surely make sense.
> However, I do believe that, if we want to see vendors rapidly  
> implement port range capabilities, we have to agree on a minimum set  
> of functionalities that makes it possible to build a viable port  
> range solution.
> I'm very convinced, for example, that it is straighforward (I mean  
> almost no cost and without any performance lost) for all vendors to  
> upgrade their routers to PRRs (Port Range Router), we did that on  
> Linux only by configuration.
>
>
>
> Pierre
>
> De : shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] De la  
> part de Jan Zorz @ go6.si
> Envoyé : jeudi 12 mars 2009 21:49
> À : shara@ietf.org
> Objet : Re: [shara] port randomization (draft-ymbk-aplusp-03)
>
>
>
> Dan Wing wrote:
>>
>>> How important is port randomization and how big is the impact in  
>>> real
>>> life,
>>>
>>
>> Over the last 10 years there have been several attacks against
>> TCP and DNS that have exploited predictable emphemeral ports.  The
>> industry response to those attacks has been to (a) randomize
>> ephemeral port selection (rather than incrementing to the next
>> port number) and (b) increase the ephemeral port range used by
>> the OS.
>>
>> See
>> http://tools.ietf.org/html/draft-ietf-tsvwg-port-randomization-02#section-1
>> for more detailed answer to your question.
>>
> Dan, hi.
>
> I'm well aware of that draft, it is also referenced in in A+P draft.  
> Maybe I was not clear enough in my question, let me re-phrase it.
> In shared IP solutions we are taking away ports from customers, we  
> are taking away resources and everything is a compromise.
> Being said that, if we are happy with compromise, why not introduce  
> compromise also in a dirty hack as port randomization is.
>  So, can we live with randomization within for example range of 512  
> ports? Is this "good enough"? We are quite fond of accepting
> the compromise of shared IP as "good enough", because we have no  
> other option, so can we accept also the compromise of less  
> randomness in
> port randomization hack?
>
> I'm also curious to hear some aproximation from any HW vendor, what  
> does allocating "one port per request" means for PRR in larger  
> scale. I suspect this
> might very well be performance suicide, but this is only my  
> speculation. If not - good, we can go in that direction, which I  
> recognise as good also in several other ways.
>
> Thank you for your time and effort, Jan Zorz
> <ATT00001.txt>

v2.8.7 | Report a Bug | By Email