Re: [Tsvwg] Port Randomization issues summary

Fernando Gont <fernando@gont.com.ar> Thu, 28 May 2009 21:53 UTC

Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4A1F0832.20305@gont.com.ar>
Date: Thu, 28 May 2009 18:54:58 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Joe Touch <touch@ISI.EDU>
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <0C53DCFB700D144284A584F54711EC58075636B3@xmb-sjc-21c.amer.cisco.com> <4A1E10B9.3040408@isi.edu> <0C53DCFB700D144284A584F54711EC5807563761@xmb-sjc-21c.amer.cisco.com> <4A1E9922.2080007@isi.edu> <4A1EA0E7.4050309@isi.edu> <4A1EF737.20601@gont.com.ar> <4A1EF8D8.9050603@isi.edu>
In-Reply-To: <4A1EF8D8.9050603@isi.edu>
Cc: "James Polk (jmpolk)" <jmpolk@cisco.com>, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, tsvwg <tsvwg@ietf.org>, mallman@icir.org
Subject: Re: [Tsvwg] Port Randomization issues summary

Joe Touch wrote:

>>> 1) randomizing connection IDs helps protect against blind attacks
>>>
>>> 	- but ultimately the only way to avoid old segments
>>> 	from interfering with new connections is to keep state
>> Yes. But... what does this have to do with port randomization?
> 
> It underscores the need to keep state in the endpoints, rather than just
> trust that randomization will provide safety.

Are you talking about the vtag randomization thing you were discussing
with Anantha?

>>> 	- randomness requires keeping more state at the endpoints
>>> 	than sequential use of the ID space
>> Why?
> 
> If IDs are used in sequence, an endpoint can keep track of "do not use"
> ones using two IDs (representing the range to be avoided). If IDs are
> used randomly, then the endpoint needs a copy of each value to avoid.

Again, I guess you must be referring to some vtag-thing here, right?

>>> 3) randomness is costly
>>>
>>> 	as SCTP demonstrated, asserting randomness may be better
>>> 	done by referring to existing separate definitions
>> I didn't follow the recent discussion of TIME-WAIT state in SCTP, etc.
>> Could you clarify this one?
> 
> See RFC4960, sec 5.3.1., which refers off to RFC4086 to define
> randomness, rather than defining it within the SCTP spec.

Ok.

Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
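The state-cost point Joe makes above (a contiguous "do not use" range costs two integers when IDs are issued in sequence, but one entry per ID when they are issued at random) worked through in Python. This is an added example, not code from the thread; the 16-bit ID space, the quarantine length and the two allocator classes are constructed for illustration.

```python
from collections import deque
import random

ID_SPACE = 1 << 16  # constructed: a 16-bit identifier space, like TCP/UDP ports


class SequentialAllocator:
    # Issues IDs in order, so the IDs still to avoid form one (wrapping)
    # range and the avoid-state is two integers however long the range is.
    def __init__(self, quarantine):
        self.quarantine = quarantine  # how many recent IDs to keep avoiding
        self.next_id = 0
        self.issued = 0

    def allocate(self):
        chosen = self.next_id
        self.next_id = (self.next_id + 1) % ID_SPACE
        self.issued += 1
        return chosen

    def avoid_range(self):  # [lo, hi) modulo ID_SPACE: the two integers of state
        lo = (self.next_id - min(self.quarantine, self.issued)) % ID_SPACE
        return lo, self.next_id

    def is_avoided(self, ident):
        lo, hi = self.avoid_range()
        return lo <= ident < hi if lo <= hi else ident >= lo or ident < hi

    def state_size(self):
        return 2  # independent of the quarantine length


class RandomAllocator:
    # Picks IDs at random, so each ID still to avoid must be stored individually.
    def __init__(self, quarantine, rng):
        self.quarantine = quarantine
        self.rng = rng
        self.recent = deque()  # oldest first, so expiry is O(1)
        self.avoid = set()     # same IDs, for O(1) membership tests

    def allocate(self):
        candidate = self.rng.randrange(ID_SPACE)
        while candidate in self.avoid:  # retry until an unquarantined ID is drawn
            candidate = self.rng.randrange(ID_SPACE)
        if len(self.recent) == self.quarantine:  # expire the oldest entry
            self.avoid.discard(self.recent.popleft())
        self.recent.append(candidate)
        self.avoid.add(candidate)
        return candidate

    def is_avoided(self, ident):
        return ident in self.avoid

    def state_size(self):
        return len(self.avoid)  # one entry per avoided ID


def compare_state(n_allocations, quarantine, seed=1):
    # Allocate n IDs under each scheme and report the avoid-state each carries.
    seq = SequentialAllocator(quarantine)
    rnd = RandomAllocator(quarantine, random.Random(seed))
    for _ in range(n_allocations):
        seq.allocate()
        rnd.allocate()
    return seq.state_size(), rnd.state_size()
```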