Re: [shara] port randomization (draft-ymbk-aplusp-03)

<Gabor.Bajko@nokia.com> Thu, 12 March 2009 05:51 UTC

From: Gabor.Bajko@nokia.com
To: dwing@cisco.com, shara@ietf.org
Date: Thu, 12 Mar 2009 06:51:32 +0100
Thread-Topic: [shara] port randomization (draft-ymbk-aplusp-03)
Thread-Index: Acmiq/RP1aEDLzHtTdypcxfbxQQGlAAKaeAg
Message-ID: <A99B171D26E1564B92D36826128CD66127EE038A28@NOK-EUMSG-01.mgdnok.nokia.com>
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com>
In-Reply-To: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com>
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>

  >-----Original Message-----
  >From: shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] On Behalf Of
  >ext Dan Wing
  >Sent: Wednesday, March 11, 2009 5:46 PM
  >To: shara@ietf.org
  >Subject: [shara] port randomization (draft-ymbk-aplusp-03)
  >
  >http://tools.ietf.org/html/draft-ymbk-aplusp-03#section-4.8 says, in
  >part:
  >
  >   ...
  >   Port randomization is also a bit compromised in A+P solution.  As CPE
  >   can randomize ports only within port range that is allocated to it,
  >   randomness is more limited than in the scenario with full range
  >   of ports, allowed for randomization.  We can assume, that CPE either
  >   gets port range from ephemeral range (49152-65535) or from
  >   "registered ports" range (1024-49151).  Both ranges can be used for
  >   randomization, see [I-D.ietf-tsvwg-port-randomization] for more
  >   details.
  >
  >Has consideration been given to having the PRR return only *one* port
  >for each request, or to returning a list of port numbers which are
  >not consecutive and are not a bit-pattern of ports?  These techniques
  >would allow the PRR to distribute the requests randomly across the
  >entire port range instead of within a block of ~100 (or whatever).

This is exactly the intention of sections 4 and 5 in http://www.ietf.org/internet-drafts/draft-bajko-pripaddrassign-01.txt

What section 5 describes is a way to communicate a list of preallocated random ports to the client, in an indirect way.


  >Further fleshing out of the technique described in Section 4.4
  >("Dynamic allocation of port ranges") could be useful towards
  >allowing applications to benefit from the security advantage of
  >port randomization.
  
Yes, this is explicitly stated in section 2 of the above-mentioned draft.

- gabor

  >-d
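An added illustration of the point under discussion (not part of this thread or of either draft): a small Python model comparing a contiguous A+P port block with a PRR that hands out non-consecutive ports from the whole ephemeral range. It measures how much of the port-guessing search space survives once an off-path observer learns one of the CPE's ports. The block size of 100 and the uniform-sampling PRR are assumptions.

```python
import math
import random

# Ephemeral range quoted in the draft: 49152-65535, i.e. 16384 ports.
EPHEMERAL = range(49152, 65536)


def contiguous_block(start, size):
    """Ports an A+P CPE holds under a contiguous allocation of `size` ports."""
    return set(range(start, start + size))


def scattered_block(rng, size):
    """Constructed stand-in for a PRR that returns `size` non-consecutive ports
    drawn uniformly from the whole ephemeral range (assumed PRR behaviour)."""
    return set(rng.sample(EPHEMERAL, size))


def entropy_bits(ports):
    """Entropy, in bits, of a uniform pick from the given ports."""
    return math.log2(len(ports))


def candidates_after_leak(scheme, known_port, size):
    """Ports an off-path observer must still consider after learning ONE port
    and the allocation scheme, but not the allocation itself."""
    if scheme == "contiguous":
        # A block of `size` ports containing known_port lies within size-1 of it.
        lo = max(EPHEMERAL.start, known_port - size + 1)
        hi = min(EPHEMERAL.stop, known_port + size)
        return {p for p in range(lo, hi) if p != known_port}
    # Scattered allocation: the leaked port says nothing about the others.
    return {p for p in EPHEMERAL if p != known_port}


def hit_probability(block, known_port, scheme):
    """Chance that one uniform guess from the post-leak candidate set is another
    port of the same CPE; the higher it is, the more the leak cost."""
    cands = candidates_after_leak(scheme, known_port, len(block))
    return len((block - {known_port}) & cands) / len(cands)


if __name__ == "__main__":
    rng = random.Random(2009)  # fixed seed so the run is reproducible
    contig = contiguous_block(50000, 100)
    scat = scattered_block(rng, 100)
    print(f"CPE-side entropy, 100-port block: {entropy_bits(contig):.1f} bits")
    print(f"entropy of full ephemeral range : {entropy_bits(EPHEMERAL):.1f} bits")
    print(f"hit chance after leak, contiguous: {hit_probability(contig, min(contig), 'contiguous'):.3f}")
    print(f"hit chance after leak, scattered : {hit_probability(scat, min(scat), 'scattered'):.3f}")
```

Before any leak both schemes leave the observer the full 16384-port range; the difference appears only once one port is known, which is where the scattered allocation keeps its advantage.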