
Re: Last Call: RFC 6346 successful: moving to Proposed Standard

2014-12-04 05:01:10
On 12/03/2014 10:31 PM, Mark Andrews wrote:
In message <9450AE5B-9401-4E16-856E-FB6B45C3FAAD(_at_)cisco(_dot_)com>, 🔓Dan Wing writes:
RFC6346 reduces the space for TCP/UDP ports, which makes port-based
attacks against protocols easier, as was mentioned in RFC6056:

  "It is also worth noting that, provided adequate algorithms are in
   use, the larger the range from which ephemeral ports are selected,
   the smaller the chances of an attacker are to guess the selected port
   number."

The primary mitigation against the Kaminsky attack was port randomization, and
attacks against other protocols may also need such port randomization.
If RFC6346 progresses to Proposed Standard, its impact on the size of
the port space should be noted in RFC6346bis's security considerations.

-d

And https://tools.ietf.org/html/draft-ietf-dnsop-cookies-00 removes
the need for port randomization once deployed.  If you don't get a
cookie back then you can retry using a randomised port.

And just so you know it is not vapourware: BIND 9.10 has an experimental
implementation, sans the error code, called SIT.  We haven't yet
stopped randomizing the port, but that is planned.

May I ask why would you want to do that?

Thanks,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || 
fgont(_at_)si6networks(_dot_)com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
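A worked calculation of what a smaller ephemeral-port range buys a blind spoofer, as an added example that is not part of the thread and not code from BIND. It models a forged DNS reply as accepted only when it matches both the 16-bit transaction ID and the resolver's randomly chosen source port, and compares a fixed port, the RFC 6056 range, and two assumed address-sharing port sets (1/16 and 1/64 of the ports); the per-subscriber set sizes are assumptions used only to show the trend, since RFC 6346 leaves the actual sizing to the operator.

```python
"""Odds of a blind spoofing attack versus the size of the source-port range.

Added example; not code from the thread or from BIND. Model: a forged reply
is accepted only if it carries the right 16-bit DNS transaction ID and hits
the resolver's randomly chosen ephemeral source port; both are assumed to be
chosen uniformly from their ranges. The per-subscriber range sizes for an
address-sharing (RFC 6346 style) deployment are assumptions, chosen only to
show the trend; real port-set sizes are set by the operator.
"""
import math

TXID_BITS = 16  # DNS transaction ID width

# Port-range sizes to compare. The last two are assumed values.
PORT_RANGES = {
    "fixed source port (no randomization)": 1,
    "RFC 6056 range 1024-65535": 65535 - 1024 + 1,
    "assumed A+P share: 1/16 of the ports": 65536 // 16,
    "assumed A+P share: 1/64 of the ports": 65536 // 64,
}


def guess_probability(port_range: int, txid_bits: int = TXID_BITS) -> float:
    """Probability that a single forged packet matches both TXID and port."""
    if port_range < 1:
        raise ValueError("port range must contain at least one port")
    return 1.0 / ((1 << txid_bits) * port_range)


def entropy_bits(port_range: int, txid_bits: int = TXID_BITS) -> float:
    """Bits an attacker has to guess: TXID bits plus log2(port range)."""
    return txid_bits + math.log2(port_range)


def success_probability(port_range: int, forged_packets: int,
                        txid_bits: int = TXID_BITS) -> float:
    """P(at least one of `forged_packets` independent guesses is accepted)."""
    p = guess_probability(port_range, txid_bits)
    return 1.0 - (1.0 - p) ** forged_packets


def packets_for_confidence(port_range: int, confidence: float,
                           txid_bits: int = TXID_BITS) -> int:
    """Forged packets needed to reach `confidence` probability of success."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    p = guess_probability(port_range, txid_bits)
    # log1p keeps precision when p is tiny (large port ranges).
    return math.ceil(math.log1p(-confidence) / math.log1p(-p))


def compare(forged_packets: int) -> dict:
    """Guess entropy and success probability for each configured range."""
    return {
        name: (entropy_bits(size), success_probability(size, forged_packets))
        for name, size in PORT_RANGES.items()
    }


if __name__ == "__main__":
    budget = 100_000  # forged replies the attacker can deliver per window
    for name, (bits, prob) in compare(budget).items():
        print(f"{name:42s} {bits:5.1f} bits  P(success)={prob:.6f}")
    for name, size in PORT_RANGES.items():
        print(f"{name:42s} packets for 50%: "
              f"{packets_for_confidence(size, 0.5):,}")
```

The model deliberately ignores the response-window timing and any further attacker-visible randomness; it only isolates the term the RFC 6056 quote is about, the size of the range the port is drawn from. Shrinking a subscriber's port set from the full range to 1/64 of it costs six bits of guessing entropy, which is the number a security-considerations section would want to state.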