Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

"Brian F. G. Bidulock" <bidulock@openss7.org> Thu, 28 May 2009 20:37 UTC

Date: Thu, 28 May 2009 14:38:44 -0600
From: "Brian F. G. Bidulock" <bidulock@openss7.org>
To: Randy Stewart <randall@lakerest.net>
Cc: tsvwg <tsvwg@ietf.org>, Joe Touch <touch@ISI.EDU>, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, mallman@icir.org, Fernando Gont <fernando@gont.com.ar>, "James Polk (jmpolk)" <jmpolk@cisco.com>

Randy,

Randy Stewart wrote:                          (Thu, 28 May 2009 11:15:27)
> 
> If you don't keep a timed wait, then you could get old packets
> injected on a new association.. for example an ABORT could
> be tossed at you from an old association where you re-used
> the vtag...

I'm not sure that a time-wait will do that either; that is, when
all the vtags are in timed-wait what will you do?  If you refuse
the connection there is a DoS attack waiting to be exploited. If
you go with a vtag in timed-wait then you have a risk, just as
other approaches.  Just putting a vtag into timed-wait risks a
DoS attack.

For example, using a cryptographically generated vtag (which they
need to be anyway) the chances of reusing a vtag within a window
are very slim.  The chances get better when there are more
associations formed and dropped within a time window, just as with
your approach.  However, a cryptographical approach does not consume
memory per vtag and is therefore not vulnerable to these exploits.

--brian

-- 
Brian F. G. Bidulock
bidulock@openss7.org
http://www.openss7.org/
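
The trade-off discussed in this message, as an added example that is not part of the original e-mail or of any SCTP implementation: a per-vtag timed-wait table grows with association churn, while a keyed tag generator holds constant state and leaves a small reuse probability that rises with the number of associations in the window. The message does not say how tags are generated; HMAC-SHA-256 over the address pair and a counter, the class and function names, the key and the addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_SPACE = 2**32 - 1  # 32-bit verification tags, 0 excluded (RFC 4960)


class KeyedTagGenerator:
    """Assumed construction: tag = HMAC(secret, addresses, counter).
    State is one secret and one counter, however many tags are issued."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.counter = 0

    def new_tag(self, local, remote):
        self.counter += 1
        msg = repr((local, remote, self.counter)).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        tag = struct.unpack("!I", digest[:4])[0]
        return tag or 1  # 0 is not a valid tag; remap that one value


class TimedWaitTable:
    """Per-vtag timed-wait: one entry per closed association until expiry."""

    def __init__(self, hold_seconds):
        self.hold = hold_seconds
        self.expiry = {}  # tag -> time after which it may be reused

    def retire(self, tag, now):
        self.expiry[tag] = now + self.hold

    def purge(self, now):
        self.expiry = {t: e for t, e in self.expiry.items() if e > now}
        return len(self.expiry)


def reuse_probability(used_in_window):
    """Chance a fresh uniform tag equals one of the tags used in the window."""
    return 1.0 - (1.0 - 1.0 / TAG_SPACE) ** used_in_window


def churn(n, hold_seconds=60):
    """Open and close n associations at t=0; return (table, entries, p_reuse)."""
    gen = KeyedTagGenerator(b"constructed-demo-key")  # constructed key
    table = TimedWaitTable(hold_seconds)
    for i in range(n):  # constructed documentation-range addresses
        tag = gen.new_tag(("192.0.2.1", 5000), ("198.51.100.7", 1024 + i))
        table.retire(tag, now=0)
    return table, table.purge(now=1), reuse_probability(n)
```
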