Re: [shara] port randomization (draft-ymbk-aplusp-03)

"Jan Zorz @ go6.si" <jan@go6.si> Thu, 12 March 2009 20:48 UTC

Message-ID: <49B9752B.8030407@go6.si>
Date: Thu, 12 Mar 2009 21:48:43 +0100
From: "Jan Zorz @ go6.si" <jan@go6.si>
Organization: go6.si
To: shara@ietf.org
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com> <49B91C8B.5010906@go6.si> <04a201c9a338$d5ce8f70$fd736b80@cisco.com>
In-Reply-To: <04a201c9a338$d5ce8f70$fd736b80@cisco.com>
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>


Dan Wing wrote:
>> How important is port randomization and how big is the impact in real
>> life,
>
> Over the last 10 years there have been several attacks against
> TCP and DNS that have exploited predictable ephemeral ports.  The
> industry response to those attacks has been to (a) randomize
> ephemeral port selection (rather than incrementing to the next
> port number) and (b) increase the ephemeral port range used by
> the OS.
>
> See
> http://tools.ietf.org/html/draft-ietf-tsvwg-port-randomization-02#section-1
> for a more detailed answer to your question.
Dan, hi.

I'm well aware of that draft; it is also referenced in the A+P draft.
Maybe I was not clear enough in my question, so let me re-phrase it.
In shared IP solutions we are taking away ports from customers, we are
taking away resources, and everything is a compromise.
That being said, if we are happy with compromise, why not introduce
compromise also in a dirty hack such as port randomization is?
So, can we live with randomization within, for example, a range of 512
ports? Is this "good enough"? We are quite fond of accepting
the compromise of shared IP as "good enough", because we have no other
option, so can we accept also the compromise of less randomness in
the port randomization hack?

I'm also curious to hear some approximation from any HW vendor of what
allocating "one port per request" means for PRR at larger scale. I
suspect this might very well be performance suicide, but this is only my
speculation. If not - good, we can go in that direction, which I
recognise as good also in several other ways.

Thank you for your time and effort, Jan Zorz
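The question above is how much a blind attacker gains when a host can only randomize its ephemeral port within a small A+P port set. The following Python is an added illustration for this archive page, not code from the message, from the A+P draft or from draft-ietf-tsvwg-port-randomization: it picks ephemeral ports with simple randomization over an allowed port set and then computes the (port, 16-bit transaction ID) search space a blind spoofer must cover. The 512-port allocation, its starting port 16384, and the 16-bit ID width are assumptions chosen to match the example sizes in the discussion.

```python
import math
import secrets

# Constructed parameters (not from the message): a hypothetical A+P customer
# port set of 512 contiguous ports starting at 16384, compared with the
# 16384-port IANA dynamic range that an unshared host can draw from.
APLUSP_PORT_SET = range(16384, 16384 + 512)
FULL_DYNAMIC_RANGE = range(49152, 65536)
TXID_BITS = 16  # assumed width of the protocol transaction ID (DNS-style)


def pick_ephemeral_port(port_set, in_use):
    """Simple randomization over an allowed port set.

    Draws uniformly from the ports in `port_set` that are not in `in_use`
    using a CSPRNG, which is the "randomize rather than increment" behaviour
    the quoted reply refers to, restricted here to an A+P-style port set.
    Returns None when the set is exhausted so the caller can fail closed.
    """
    free = [p for p in port_set if p not in in_use]
    if not free:
        return None
    return secrets.choice(free)


def port_entropy_bits(port_set):
    """Bits of unpredictability a uniform port choice gives the attacker to guess."""
    return math.log2(len(port_set))


def blind_search_space(port_set, txid_bits=TXID_BITS):
    """Number of equally likely (port, txid) pairs a blind spoofer must cover.

    With uniform selection and no feedback, the attacker's mean work is about
    half of this when guesses are not repeated; the full value is the worst case.
    """
    return len(port_set) * (1 << txid_bits)


def attacker_work_factor(port_set, txid_bits=TXID_BITS):
    """Summary comparing the port set's contribution to the attacker's search."""
    return {
        "ports": len(port_set),
        "port_entropy_bits": port_entropy_bits(port_set),
        "search_space": blind_search_space(port_set, txid_bits),
        "mean_guesses_without_repeats": (blind_search_space(port_set, txid_bits) + 1) / 2,
    }


if __name__ == "__main__":
    # Demonstration: allocate a few ports from the restricted set, then compare
    # the blind attacker's work against the unshared host.
    used = set()
    for _ in range(4):
        p = pick_ephemeral_port(APLUSP_PORT_SET, used)
        used.add(p)
        print("picked ephemeral port", p)
    for name, ps in (("A+P 512-port set", APLUSP_PORT_SET),
                     ("full dynamic range", FULL_DYNAMIC_RANGE)):
        print(name, attacker_work_factor(ps))
```

Running it shows the arithmetic behind Jan's question: 512 ports contribute 9 bits of unpredictability against 14 bits for the full dynamic range, so the blind search space shrinks by a factor of 32 (from 2^30 to 2^25 pairs), and an attacker who knows the A+P port-set layout knows exactly which 512 ports to aim at.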