Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

Joe Touch <touch@ISI.EDU> Thu, 28 May 2009 15:29 UTC

Message-ID: <4A1EAE47.2090006@isi.edu>
Date: Thu, 28 May 2009 08:31:19 -0700
From: Joe Touch <touch@ISI.EDU>
To: Randy Stewart <randall@lakerest.net>
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <9F71CBFA-9E70-4CD4-B60D-D15F45842739@lakerest.net> <4A1EA9AE.7000309@isi.edu> <D49426F5-E25E-4C7F-A38D-966C9CD834E2@lakerest.net>
In-Reply-To: <D49426F5-E25E-4C7F-A38D-966C9CD834E2@lakerest.net>
Cc: "James Polk (jmpolk)" <jmpolk@cisco.com>, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, tsvwg <tsvwg@ietf.org>, mallman@icir.org, Fernando Gont <fernando@gont.com.ar>
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

Randy Stewart wrote:
> 
> On May 28, 2009, at 11:11 AM, Joe Touch wrote:
> 
> 
> 
> Randy Stewart wrote:
>>>> Joe:
>>>>
>>>> In-line..
>>>>
>>>> ...
>>>>> Basically for BSD we take a v-tag used in a connection.. call it
>>>>> 'X', and
>>>>> we place just the tag 'X' into a "timed-wait" cache for 2MSL. There
>>>>> is no
>>>>> restriction on the socket here.. just the tag 'X' will not be used
>>>>> again
>>>>> with this socket.
> 
> ...
>>>>> So basically the socket/port and peer socket/port is re-used right away
>>>>> with
>>>>> the restriction being that the vtag 'X' cannot be used.
>>>>
>>>>> Hope that clears up the issue  :-)
> 
> Yes, but it also underscores my concern. What you did was basically:
> 
>     - increase the space available to a single service from
>     a single IP address
>         going from TCP's 16 bits (max) of source port to
>         48 bits of source port + vtag
> 
>     - *decrease* the space available for different
>     services from different IP addresses
>         going from TCP's 32 bits of address +
>         16 bits of source port + 16 bits of
>         dest port (64 bits) down to only 32
> 
>> Joe:
> 
>> I don't follow your meaning here..
> 
>> I can have
> 
>> IP-A Port-X Vtag-Y <---->
>> and
>> IP-A Port-Y Vtag=Y <---->
> 
>> existing simultaneously... so I don't see how this decreased the
>> space for services from different IP addresses...

OK, so there are two cases:

	1) the vtag is the unique thing held (NO OTHER STATE)
	2) the vtag is held in the context of the socket pair

In 1), the vtag effectively is the connection ID.

In 2), the connection ID is the 5-tuple of
[srcIP,srcport,dstIP,dstport,vtag]

In the case of 1), you decrease the space available for connections vs.
TCP when you include connections from different machines and for
different services.

In the case of 2), you increase the space available, and I don't have
the concern raised above.

I am still a bit confused as to which case is true; you appeared to give
two different responses.

Joe
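The two cases Joe distinguishes can be modelled directly. This is an added illustration, not BSD's SCTP code: a "timed-wait" cache that remembers only the vtag (case 1) beside one that remembers the vtag together with its socket pair (case 2), run through the same sequence of closes and reopen attempts. The addresses, ports, vtag and holding time are constructed values.

```python
# Added model of the two SCTP timed-wait designs under discussion (not BSD code).
TWO_MSL = 60.0  # holding time in seconds; constructed value, not the kernel constant


class VtagOnlyTimeWait:
    """Case 1: a closed association leaves only its vtag behind (no other state)."""
    def __init__(self):
        self._expiry = {}  # vtag -> time at which the hold ends

    def close(self, src, sport, dst, dport, vtag, now):
        self._expiry[vtag] = now + TWO_MSL  # socket pair is deliberately not recorded

    def can_use(self, src, sport, dst, dport, vtag, now):
        exp = self._expiry.get(vtag)
        return exp is None or now >= exp


class SocketPairTimeWait:
    """Case 2: the vtag is held in the context of the socket pair it was used on."""
    def __init__(self):
        self._expiry = {}  # (src, sport, dst, dport, vtag) -> time at which the hold ends

    def close(self, src, sport, dst, dport, vtag, now):
        self._expiry[(src, sport, dst, dport, vtag)] = now + TWO_MSL

    def can_use(self, src, sport, dst, dport, vtag, now):
        exp = self._expiry.get((src, sport, dst, dport, vtag))
        return exp is None or now >= exp


def scenario(cache_cls):
    """Close one association, then try to reuse its vtag in three situations.

    Returns (same socket pair inside 2MSL, different peer host inside 2MSL,
             same socket pair after 2MSL has elapsed); True means the vtag may be used.
    """
    cache = cache_cls()
    cache.close("10.0.0.1", 40000, "10.0.0.2", 5000, 0xDEADBEEF, now=0.0)
    same_pair = cache.can_use("10.0.0.1", 40000, "10.0.0.2", 5000, 0xDEADBEEF, now=1.0)
    # A different host reusing the same vtag toward the same service: only the
    # vtag-only cache refuses it, which is the shrinking of the ID space Joe describes.
    other_peer = cache.can_use("10.0.0.3", 40000, "10.0.0.2", 5000, 0xDEADBEEF, now=1.0)
    after_2msl = cache.can_use("10.0.0.1", 40000, "10.0.0.2", 5000, 0xDEADBEEF, now=TWO_MSL + 1)
    return same_pair, other_peer, after_2msl


if __name__ == "__main__":
    print("vtag only   :", scenario(VtagOnlyTimeWait))    # (False, False, True)
    print("socket pair :", scenario(SocketPairTimeWait))  # (False, True, True)
```

The middle value is the one that matters for the thread: in case 1 a vtag parked by one peer blocks every other peer from using it for the full 2MSL, whereas in case 2 the hold is scoped to the socket pair that actually used it.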