Re: [shara] port randomization (draft-ymbk-aplusp-03)

"Dan Wing" <dwing@cisco.com> Thu, 12 March 2009 15:30 UTC

From: Dan Wing <dwing@cisco.com>
To: Gabor.Bajko@nokia.com, shara@ietf.org
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com> <A99B171D26E1564B92D36826128CD66127EE038A28@NOK-EUMSG-01.mgdnok.nokia.com>
Date: Thu, 12 Mar 2009 08:31:18 -0700
Message-ID: <040401c9a327$974763a0$fd736b80@cisco.com>
In-Reply-To: <A99B171D26E1564B92D36826128CD66127EE038A28@NOK-EUMSG-01.mgdnok.nokia.com>
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
> -----Original Message-----
> From: Gabor.Bajko@nokia.com [mailto:Gabor.Bajko@nokia.com] 
> Sent: Wednesday, March 11, 2009 10:52 PM
> To: dwing@cisco.com; shara@ietf.org
> Subject: RE: [shara] port randomization (draft-ymbk-aplusp-03)
> 
> 
> 
> > -----Original Message-----
> > From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] On Behalf Of ext Dan Wing
> > Sent: Wednesday, March 11, 2009 5:46 PM
> > To: shara@ietf.org
> > Subject: [shara] port randomization (draft-ymbk-aplusp-03)
> >
> > http://tools.ietf.org/html/draft-ymbk-aplusp-03#section-4.8 says, in
> > part:
> >
> >    ...
> >    Port randomization is also a bit compromised in A+P solution.  As CPE
> >    can randomize ports only within port range that is allocated to it,
> >    randomness is more limited than in the scenario with full range
> >    of ports, allowed for randomization.  We can assume, that CPE either
> >    gets port range from ephemeral range (49152-65535) or from
> >    "registered ports" range (1024-49151).  Both ranges can be used for
> >    randomization, see [I-D.ietf-tsvwg-port-randomization] for more
> >    details.
> >
> > Has consideration been given to having the PRR return only *one* port
> > for each request, or to returning a list of port numbers which are
> > not consecutive and are not a bit-pattern of ports?  These techniques
> > would allow the PRR to distribute the requests randomly across the
> > entire port range instead of within a block of ~100 (or whatever).
> 
> This is exactly the intention of section 4 and 5 in 
> http://www.ietf.org/internet-drafts/draft-bajko-pripaddrassign-01.txt
> 
> What section 5 describes is a way to communicate a list of 
> preallocated random ports to the client, in an indirect way.

Yes, but that list of random ports would not change until the user
said "I don't want this IP address anymore", perhaps.  What I am
suggesting is that the CPE could say "I don't want this port
anymore" and the CPE could exchange that port for a new random
port.

-d

> > Further fleshing out of the technique described in Section 4.4
> > ("Dynamic allocation of port ranges") could be useful towards
> > allowing applications to benefit from the security advantage of
> > port randomization.
>
> Yes, this is explicitly stated in section 2 of the above
> mentioned draft.
> 
> - gabor
> 
> > -d
> >
> >
> > _______________________________________________
> > shara mailing list
> > shara@ietf.org
> > https://www.ietf.org/mailman/listinfo/shara
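The two points under discussion, that a CPE confined to a contiguous block of ~100 ports has far less source-port unpredictability than one drawing from the whole ephemeral or registered range, and Dan's suggestion that a CPE could hand a single port back and receive a fresh random one, as an added Python model. This is not code from the draft, the mailing list or either author; `Prr`, `Cpe`, `allocate_block`, `allocate_one` and `exchange_port` are hypothetical names, and the PRR is taken to be the draft's port-range allocator for one shared IPv4 address:

```python
"""Toy model of A+P port allocation (added illustration, not the draft's design).

It measures the unpredictability of a source port drawn from a contiguous
block versus from a whole range, and models a per-port exchange with the PRR.
"""
import math
import secrets

# The two ranges quoted from draft-ymbk-aplusp-03 section 4.8.
EPHEMERAL_RANGE = range(49152, 65536)   # 16384 ports
REGISTERED_RANGE = range(1024, 49152)   # 48128 ports


def entropy_bits(candidates):
    """Bits of unpredictability when a port is drawn uniformly from
    `candidates` equally likely ports (the metric RFC 6056-style
    port randomization is judged by)."""
    if candidates < 1:
        raise ValueError("need at least one candidate port")
    return math.log2(candidates)


class Prr:
    """Hypothetical port-range allocator (assumed to play the draft's PRR
    role): holds the free ports of one shared IPv4 address."""

    def __init__(self, port_range, rng=None):
        self.free = set(port_range)
        self.rng = rng or secrets.SystemRandom()

    def allocate_block(self, size):
        """A+P as quoted: hand out one contiguous block of `size` free ports."""
        for start in sorted(self.free):
            block = range(start, start + size)
            if all(p in self.free for p in block):
                self.free.difference_update(block)
                return list(block)
        raise RuntimeError("no contiguous block of %d ports free" % size)

    def allocate_one(self):
        """Variant Dan asks about: one port per request, chosen uniformly
        from everything still free, so consecutive requests are unrelated."""
        port = self.rng.choice(sorted(self.free))
        self.free.remove(port)
        return port

    def release(self, port):
        self.free.add(port)


class Cpe:
    """CPE holding a set of ports obtained from the PRR."""

    def __init__(self, prr, ports):
        self.prr = prr
        self.ports = set(ports)
        self.rng = prr.rng

    def pick_source_port(self):
        """Randomize only within what was allocated, as the draft describes."""
        return self.rng.choice(sorted(self.ports))

    def exchange_port(self, old):
        """Dan's suggestion: give `old` back and receive a fresh random port.
        The new port is allocated before the old one is released, so the
        PRR cannot simply hand the same port straight back."""
        new = self.prr.allocate_one()
        self.ports.remove(old)
        self.prr.release(old)
        self.ports.add(new)
        return new

    def guess_space_bits(self):
        """Unpredictability of this CPE's next source port for an observer
        who already knows exactly which ports it holds."""
        return entropy_bits(len(self.ports))


if __name__ == "__main__":
    print("full ephemeral range: %.2f bits" % entropy_bits(len(EPHEMERAL_RANGE)))
    print("full registered range: %.2f bits" % entropy_bits(len(REGISTERED_RANGE)))
    prr = Prr(EPHEMERAL_RANGE)
    cpe = Cpe(prr, prr.allocate_block(100))
    print("block of 100 ports: %.2f bits" % cpe.guess_space_bits())
    old = cpe.pick_source_port()
    print("exchanged %d for %d" % (old, cpe.exchange_port(old)))
```

The numbers make the draft's caveat concrete: 16384 ephemeral ports give 14 bits of unpredictability and the registered range about 15.6, while a block of 100 gives about 6.6 bits. With a contiguous block the loss is worse than `guess_space_bits` alone suggests, because once any one of the CPE's ports has been observed, its neighbours are the obvious candidates for the rest; ports handed out one at a time or as a non-consecutive set, as Dan proposes, do not localize each other in that way, and the per-port exchange lets the set itself change over time rather than only when the address is given up.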