Re: [Softwires] Comments on draft-dec-stateless-4v6-02
Nejc Škoberne <nejc@skoberne.net> Tue, 23 August 2011 15:05 UTC
Return-Path: <nejc@skoberne.net>
X-Original-To: softwires@ietfa.amsl.com
Delivered-To: softwires@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA0321F84DC for <softwires@ietfa.amsl.com>; Tue, 23 Aug 2011 08:05:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.204
X-Spam-Level:
X-Spam-Status: No, score=-2.204 tagged_above=-999 required=5 tests=[AWL=0.095, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnBt2W7LG4NA for <softwires@ietfa.amsl.com>; Tue, 23 Aug 2011 08:05:36 -0700 (PDT)
Received: from mail.tnode.com (common.tnode.com [91.185.203.243]) by ietfa.amsl.com (Postfix) with ESMTP id 7517321F84D8 for <softwires@ietf.org>; Tue, 23 Aug 2011 08:05:35 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.tnode.com (Postfix) with ESMTP id 9729F227878B; Tue, 23 Aug 2011 17:06:41 +0200 (CEST)
Received: from mail.tnode.com ([127.0.0.1]) by localhost (mail.tnode.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vIhq55z4qcl; Tue, 23 Aug 2011 17:06:40 +0200 (CEST)
Received: from [158.125.103.63] (co-staff-103-063.lut.ac.uk [158.125.103.63]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: nejc@skoberne.net) by mail.tnode.com (Postfix) with ESMTPSA id 9D4852278783; Tue, 23 Aug 2011 17:06:40 +0200 (CEST)
Message-ID: <4E53C200.50805@skoberne.net>
Date: Tue, 23 Aug 2011 16:06:40 +0100
From: Nejc Škoberne <nejc@skoberne.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: Wojciech Dec <wdec.ietf@gmail.com>
References: <4E5253F9.1000206@skoberne.net> <CAFFjW4jHJkM5gDBYiCokpEUpgAhXVOLYc65dV8pfNpnOjmcgpA@mail.gmail.com>
In-Reply-To: <CAFFjW4jHJkM5gDBYiCokpEUpgAhXVOLYc65dV8pfNpnOjmcgpA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "softwires@ietf.org" <softwires@ietf.org>, draft-dec-stateless-4v6@tools.ietf.org
Subject: Re: [Softwires] Comments on draft-dec-stateless-4v6-02
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/softwires>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2011 15:05:37 -0000
Dear Wojciech, > - If one believes that port unrestriced TCP provides "enough" security, > then the port-restriction does little to alter that in consideration of > host/CPE practices (no randomization). As you point out, such "belief" > may be misplaced, especially with larger widow sizes. Granted, a system > with full random source port selection across the full port range is ideal. My point was, that this "little" is not as little as some people might think. This is what I tried to show with my calculation. I still think the difference is significant in practice and that using port-restricted systems without any measures (like random port selection in draft-bajko-pripaddrassign-03) is one of the trade-offs which should be considered when deciding on a mechanism. That's all. > - The security offered by UDP is easily overcome with very modest > resources. The CPU/GPU reference is made to illustrate the point that > computationally it is trivial, and it's worth adding that bandwidth wise > it is also likely to be so esp on a high speed link. But what do you have to compute anyway? It's just trying 2^32 values until you get "a bingo". So I don't think it is the computational complexity which is relevant here, but rather bandwidth or preferrably packet rate. That's why I would just remove the GPU part. > The paper you indicated provides a neat summary of the level of security > based on source ports as offered by many implementations still today, > including those of CPEs: > > ---snip--- > > Moreover, ephemeral source ports are not actually selected from the full > 16-bit range, but a smaller subset range.Ports 1-1024 are reserved for > privileged processes, and ports 49152-65535 are reserved for private > ports.In some cases, operating systems have even reserved ports > 5001-65535 for private usage, leaving only 3977 ports for dynamic kernel > assignment. > > Currently, existing source port selection is so predictable as to make > guessing reasonably trivial; even for the blind TCP spoofing attacker. Indeed. But I think have to consider long-term consequences? I can imagine that operating systems will start to implement RFC 6056 eventually and when they do, it will be these NAT-based port-restricted mechanisms, which will degrade security (of course, only to certain extent). And people should be aware of this. Thanks, Nejc
- [Softwires] Comments on draft-dec-stateless-4v6-02 Nejc Škoberne
- Re: [Softwires] Comments on draft-dec-stateless-4… Wojciech Dec
- Re: [Softwires] Comments on draft-dec-stateless-4… Nejc Škoberne