Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Thu, 28 May 2009 06:36 UTC

Return-Path: <ananth@cisco.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 284E83A6AC2 for <tsvwg@core3.amsl.com>; Wed, 27 May 2009 23:36:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.53
X-Spam-Level:
X-Spam-Status: No, score=-6.53 tagged_above=-999 required=5 tests=[AWL=0.069, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUoqBAlnGZtO for <tsvwg@core3.amsl.com>; Wed, 27 May 2009 23:36:26 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 2EF8A3A6934 for <tsvwg@ietf.org>; Wed, 27 May 2009 23:36:26 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.41,263,1241395200"; d="scan'208";a="191191306"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 28 May 2009 06:38:09 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n4S6c9GY005242; Wed, 27 May 2009 23:38:09 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n4S6c97n025261; Thu, 28 May 2009 06:38:09 GMT
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 27 May 2009 23:38:08 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 27 May 2009 23:38:07 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5807563756@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <4A1E12E3.8050601@isi.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
thread-index: AcnfTMcsemtTDE4ESNe5Y3y+nt8+ygAESGrA
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <0C53DCFB700D144284A584F54711EC58075636B3@xmb-sjc-21c.amer.cisco.com> <4A1E12E3.8050601@isi.edu>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Joe Touch <touch@ISI.EDU>
X-OriginalArrivalTime: 28 May 2009 06:38:08.0807 (UTC) FILETIME=[DD372B70:01C9DF5E]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3362; t=1243492689; x=1244356689; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ananth@cisco.com; z=From:=20=22Anantha=20Ramaiah=20(ananth)=22=20<ananth@cisco .com> |Subject:=20RE=3A=20[Tsvwg]=20WGLC=20for=20Port=20Randomiza tion=20starts=20now=20(April=201st) |Sender:=20; bh=tV4wnSJMGHdMyET3DxdhaoIiixgKJ3rHU+QMWbUzXkA=; b=nRBYCA4Naw/LCBGxHWr5XVO56R9BgfPbdA4lSqSeeGlCeIi/f8taR1Bw0l YbpwI6O+A6+nKOqCCq3yn8CPJ/vUGXryo26B80kVAEPlpsEIo6/4m4mU1o1d Kdzvr55sivMV4DD7dVNoy0JVnRDJmoKHwpsjfafebpwlcpXSl60Jo=;
Authentication-Results: sj-dkim-1; header.From=ananth@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: tsvwg <tsvwg@ietf.org>, "James Polk (jmpolk)" <jmpolk@cisco.com>, Fernando Gont <fernando@gont.com.ar>, mallman@icir.org
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 06:36:34 -0000

Yep, I stand corrected on that point (Randy pointed out the same to me);
agreed, the chances of collision are higher than with sequential allocation. As
far as port reuse is concerned, the key point is that in the case of TCP it
is a 16-bit number (since TCP doesn't have any extra mechanism to
discard duplicates), whereas in SCTP it is a 32-bit number (vtag). Please see
my other post.

-Anantha 

> -----Original Message-----
> From: Joe Touch [mailto:touch@ISI.EDU] 
> Sent: Wednesday, May 27, 2009 9:28 PM
> To: Anantha Ramaiah (ananth)
> Cc: Fernando Gont; mallman@icir.org; James Polk (jmpolk); tsvwg
> Subject: Re: [Tsvwg] WGLC for Port Randomization starts now 
> (April 1st)
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Oh, and a point about vtags being random:
> 
> Anantha Ramaiah (ananth) wrote:
> ...
> >> " A new Verification Tag value MUST be used each time the
> >>    endpoint tears-down and then re-establishes an 
> association to the
> >>    same peer."
> >>
> >> Can you explain how you know that the tag is new unless 
> you hold it 
> >> for some period of time?
> > 
> > Well, this is purely implementation specific, some imp. can 
> simply be 
> > ok having a sequential allocation for vtags.
> 
> ...
> > The SCTP RFC doesn't say that vtag
> > generation needs to be sequential/random (rightfully so, 
> since it is 
> > all implementation details).
> 
> Yes, it does:
> 
> - From 4960:
> 
>     Verification Tag: A 32-bit unsigned integer that is randomly
>                                                         ^^^^^^^^
>       generated...
>       ^^^^^^^^^
> 
> Then later:
> 
>  A) "A" first sends an INIT chunk to "Z".  In the INIT, "A" must
>       provide its Verification Tag (Tag_A) in the Initiate Tag field.
>       Tag_A SHOULD be a random number in the range of 1 to 4294967295
>                         ^^^^^^^^^^^^^
>       (see Section 5.3.1 for Tag value selection).  After sending the
>       INIT, "A" starts the T1-init timer and enters the COOKIE-WAIT
>       state.
> 
> 
> The verification tag is copied from the initiate tag on 
> connection establishment, which is defined as being random as follows:
> 
> 5.3.1.  Selection of Tag Value
> 
>    Initiate Tag values should be selected from the range of 1 
> to 2**32 -
>    1.  It is very important that the Initiate Tag value be 
> randomized to
>    help protect against "man in the middle" and "sequence number"
>    attacks.  The methods described in [RFC4086] can be used for the
>    Initiate Tag randomization.  Careful selection of Initiate Tags is
>    also necessary to prevent old duplicate packets from previous
>    associations being mistakenly processed as belonging to the current
>    association.
> 
> That's pretty random, and AFAICT cannot be sequential and be 
> OK. The trouble with randomness, however, as I noted is that 
> it often is
> (incorrectly) tied to parameters that repeat on reboot.
> 
> Joe
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkoeEuMACgkQE5f5cImnZrt4ygCg49IUXOHhqDaYln5UdlbhU1Eu
> mRsAn12Ugysx32gLlVUqb93nGSFvRNGJ
> =qMOl
> -----END PGP SIGNATURE-----
>
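The two technical points in this exchange, the 16-bit TCP port versus 32-bit SCTP vtag reuse arithmetic and the RFC 4960 5.3.1 requirement that Initiate Tags be randomized (with Joe's caveat about "randomness" that is really a reboot-repeating seed), as a worked example. This is added illustration code, not code from the thread, RFC 4960 or any SCTP stack; the ephemeral port range 1024..65535, the helper names and the sample values are my own assumptions.

```python
"""Constructed example (not from the thread): Initiate/Verification Tag
selection per RFC 4960 section 5.3.1, the 16-bit-port vs 32-bit-vtag reuse
arithmetic, and the reboot-seeded PRNG pitfall.  Helper names are assumed."""
import random
import secrets

TAG_MAX = 2**32 - 1           # RFC 4960 5.3.1: Initiate Tag in 1..2**32-1; 0 is reserved
VTAG_SPACE = 2**32            # 32-bit Verification Tag space
EPHEMERAL = 65535 - 1024 + 1  # assumed ephemeral port range 1024..65535 (64512 ports)


def random_initiate_tag():
    """Draw a tag uniformly from 1..2**32-1 with the OS CSPRNG (an RFC 4086
    style source).  secrets.randbelow(TAG_MAX) yields 0..TAG_MAX-1, so the +1
    keeps the reserved value 0 out of the result."""
    return 1 + secrets.randbelow(TAG_MAX)


def boot_seeded_tags(boot_value, n):
    """The pitfall in the quoted message: a PRNG seeded from a value that is
    the same after every reboot (e.g. ticks since boot) yields the same tag
    sequence each time, so the 'random' tags repeat across reboots."""
    rng = random.Random(boot_value)
    return [rng.randrange(1, TAG_MAX + 1) for _ in range(n)]


def sequential_tags(start, n):
    """Sequential allocation never reuses a tag within 2**32 draws, but the
    next tag is trivially predictable; RFC 4960 requires randomization, so
    this is the case the quoted message says is not OK.  0 is skipped."""
    return [1 + (start - 1 + i) % TAG_MAX for i in range(n)]


def reuse_probability(live, space):
    """Chance that one fresh uniform draw lands on one of `live` identifiers
    still in use or in a reuse-blocking state (e.g. TIME-WAIT)."""
    return live / space


def birthday_collision_probability(n, space):
    """Chance that n uniform draws from `space` values contain any repeat
    (1 minus the product of (1 - i/space) for i in 0..n-1)."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= 1 - i / space
    return 1 - p_distinct


def compare_port_vs_vtag(live):
    """Reuse odds for the same number of live identifiers: a 16-bit port
    drawn at random vs a 32-bit vtag drawn at random."""
    return {
        "tcp_port": reuse_probability(live, EPHEMERAL),
        "sctp_vtag": reuse_probability(live, VTAG_SPACE),
    }


if __name__ == "__main__":
    print("CSPRNG tag:", random_initiate_tag())
    print("boot 1:", boot_seeded_tags(0xBEEF, 3))
    print("boot 2:", boot_seeded_tags(0xBEEF, 3))   # identical: the reboot pitfall
    print("sequential:", sequential_tags(100, 3))
    print("10k live ids:", compare_port_vs_vtag(10_000))
    print("30k random ports, any collision:",
          birthday_collision_probability(30_000, EPHEMERAL))
```

With 10,000 live identifiers a random 16-bit port has roughly a 15% chance of landing on one of them, while a random 32-bit vtag is below one in 10^5; that is the "16 bit vs 32 bit" point made above. The two `boot_seeded_tags` calls return the same list, which is exactly what a tag generator seeded from a reboot-repeating parameter does in the field, and why a CSPRNG source in the style of RFC 4086 is the right choice.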