Re: [Tsvwg] Re: [tcpm] Revision ofdraft-larsen-tsvwg-port-randomization

Joe Touch <touch@ISI.EDU> Thu, 26 July 2007 19:04 UTC

Message-ID: <46A8F00E.3010904@isi.edu>
Date: Thu, 26 Jul 2007 12:03:42 -0700
From: Joe Touch <touch@ISI.EDU>
To: Caitlin Bestler <cait@asomi.com>
Subject: Re: [Tsvwg] Re: [tcpm] Revision ofdraft-larsen-tsvwg-port-randomization
References: <0C53DCFB700D144284A584F54711EC5803B6C65A@xmb-sjc-21c.amer.cisco.com> <EE1A9283-BF50-43C9-8308-37ECF1B60363@nokia.com> <FCA794787FDE0D4DBE9FFA11053ECEB60C26A16230@NA-EXMSG-C110.redmond.corp.microsoft.com> <B2769A1C-A07E-42BB-8992-1221B4B7151F@asomi.com>
In-Reply-To: <B2769A1C-A07E-42BB-8992-1221B4B7151F@asomi.com>
Cc: Murari Sridharan <muraris@microsoft.com>, "ext Anantha Ramaiah (ananth)" <ananth@cisco.com>, tsvwg <tsvwg@ietf.org>, Fernando Gont <fernando@gont.com.ar>


Caitlin Bestler wrote:
> 
> On Jul 26, 2007, at 9:03 AM, Murari Sridharan wrote:
> 
>> Aren't these directly related? Port randomization in general is good
>> and agreed not all scenarios exhaust ports but attacks typically are
>> on loaded servers and proxies, and if ports get exhausted in these key
>> scenarios where such a draft makes most sense, what's the point of
>> randomization?
>>
>>
> Port randomization is admittedly a limited solution, but it is a fully
> compatible solution.
> More general solutions, while theoretically better, will likely have
> deployment barriers
> that will actually make them even more limited as a solution.

Port randomization isn't really a 'solution' to port exhaustion; it's a
BCP-ish recommendation that's like ISN-randomization. It helps a bit and
it's low cost.

Port exhaustion, BTW, also can mean two things:
	a- we need more ports for services
	b- it's too easy to scan all port pairs to attack

Portnames and/or tcp-x2 (I think that's what Mark called it) address the
first issue. The second is, IMO, better addressed with proper security,
rather than haystack-hiding of a needle.

Joe

-- 
----------------------------------------------------------------------
Joe Touch                Sr. Network Engineer, USAF TSAT Space Segment
               Postel Center Director & Research Assoc. Prof., USC/ISI
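The contrast Joe draws above (randomized ephemeral ports as a low-cost, ISN-randomization-like measure that raises the cost of blindly guessing a port pair, versus exhaustion of the port space under load) can be shown with a small simulation. The code below is an added illustration written for this page; it is not code from the thread, from the draft, or from any of the participants. It pairs a classic sequential ephemeral-port allocator with a keyed-hash allocator that gives each (local address, remote address, remote port) tuple its own secret starting offset and per-tuple counter. The hash-based design is my own assumption modelled on the general idea of hash-based port selection, not a transcription of the draft's algorithms; the 49152-65535 range is likewise an implementer's choice used here for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Ephemeral range used for this illustration (IANA dynamic range; an assumption,
# real stacks pick their own range).
EPHEMERAL_MIN = 49152
EPHEMERAL_MAX = 65535
RANGE_SIZE = EPHEMERAL_MAX - EPHEMERAL_MIN + 1


class PortExhausted(Exception):
    """Raised when every port in the range is in use for the given 3-tuple."""


class SequentialPortSelector:
    """Classic global counter: the next port is predictable from the last one
    handed out, even to a different peer. Kept here only for contrast."""

    def __init__(self):
        self.next_port = EPHEMERAL_MIN
        self.in_use = set()  # (local_ip, local_port, remote_ip, remote_port)

    def select(self, local_ip, remote_ip, remote_port):
        for _ in range(RANGE_SIZE):
            port = self.next_port
            self.next_port = EPHEMERAL_MIN + (port - EPHEMERAL_MIN + 1) % RANGE_SIZE
            four_tuple = (local_ip, port, remote_ip, remote_port)
            if four_tuple not in self.in_use:
                self.in_use.add(four_tuple)
                return port
        raise PortExhausted((local_ip, remote_ip, remote_port))


class HashedPortSelector:
    """Keyed-hash selection: an HMAC over (local_ip, remote_ip, remote_port)
    under a per-boot secret picks the starting offset, and a per-tuple counter
    walks the range from there. Ports chosen for one peer reveal nothing about
    ports chosen for another, while a single peer still sees each port reused
    only once per RANGE_SIZE connections (limits collisions with TIME_WAIT)."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(16)
        self.counters = {}   # (local_ip, remote_ip, remote_port) -> count
        self.in_use = set()  # (local_ip, local_port, remote_ip, remote_port)

    def _offset(self, local_ip, remote_ip, remote_port) -> int:
        msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") % RANGE_SIZE

    def select(self, local_ip, remote_ip, remote_port) -> int:
        three_tuple = (local_ip, remote_ip, remote_port)
        count = self.counters.get(three_tuple, 0)
        base = self._offset(*three_tuple)
        # Walk the range from the secret offset, skipping ports still in use.
        for i in range(RANGE_SIZE):
            port = EPHEMERAL_MIN + (base + count + i) % RANGE_SIZE
            four_tuple = (local_ip, port, remote_ip, remote_port)
            if four_tuple not in self.in_use:
                self.counters[three_tuple] = count + i + 1
                self.in_use.add(four_tuple)
                return port
        raise PortExhausted(three_tuple)

    def release(self, local_ip, port, remote_ip, remote_port):
        """Connection closed: make the 4-tuple available again."""
        self.in_use.discard((local_ip, port, remote_ip, remote_port))


def select_or_none(selector, local_ip, remote_ip, remote_port):
    """Helper for callers that prefer None to an exception on exhaustion."""
    try:
        return selector.select(local_ip, remote_ip, remote_port)
    except PortExhausted:
        return None


if __name__ == "__main__":
    # Constructed sample peers; RFC 5737 documentation addresses.
    seq = SequentialPortSelector()
    print("sequential:", seq.select("10.0.0.1", "192.0.2.10", 80),
          seq.select("10.0.0.1", "203.0.113.7", 25))
    rnd = HashedPortSelector()
    print("hashed    :", rnd.select("10.0.0.1", "192.0.2.10", 80),
          rnd.select("10.0.0.1", "203.0.113.7", 25))
```

Note what the simulation does and does not buy: the hashed selector hides the starting point from an off-path observer, which is the "haystack" Joe refers to, but once RANGE_SIZE connections to one peer are open the selector is as exhausted as the sequential one (`select` raises `PortExhausted` until something is released). Randomization changes the attacker's guessing cost, not the number of ports a loaded proxy has available.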