ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Last Call: RFC 6346 successful: moving to Proposed Standard

2014-12-03 19:34:33
from [Mark Andrews] [Permanent Link] 

In message <9450AE5B-9401-4E16-856E-FB6B45C3FAAD(_at_)cisco(_dot_)com>, 
=?utf-8?Q?=F0=9F=9
4=93Dan_Wing?= writes:

RFC6346 reduces the space for TCP/UDP ports, which makes port-based =
attacks against protocols easier, as was mentioned in RFC6056: =20

  "It is also worth noting that, provided adequate algorithms are in
   use, the larger the range from which ephemeral ports are selected,
   the smaller the chances of an attacker are to guess the selected port
   number."

The primary mitigation against the Kaminsky was port randomization and =
attacks against other protocols may also need such port randomization.  =
If RFC6346 progresses to Proposed Standard, its impact to the size of =
the port space should be noted in RFC6346bis's security considerations.

-d


And https://tools.ietf.org/html/draft-ietf-dnsop-cookies-00 removes
the need for port randomization once deployed.  If you don't get a
cookie back then you can retry using a randomised port.

And just so you know it is not vapour ware BIND 9.10 has a experimental
implementation sans the error code called SIT.  We haven't yet
stopped randomizing the port but that is planned for.

Once we have a allocated code point we will be dropping non SIT
responses from servers we have had a SIT response from.


On Dec 1, 2014, at 2:38 PM, The IESG <iesg-secretary(_at_)ietf(_dot_)org> 
wrote:


=20
The IESG has received a request from an individual participant to make
the following status changes:
=20
- RFC6346 from Experimental to Proposed Standard
   (The Address plus Port (A+P) Approach to the IPv4 Address Shortage)
=20
The supporting document for this request can be found here:
=20
=

http://datatracker.ietf.org/doc/status-change-address-plus-port-to-propose=
d/

=20
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2014-12-29. Exceptionally, 
comments may =

be

sent to iesg(_at_)ietf(_dot_)org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.
=20
The affected document can be obtained via
http://datatracker.ietf.org/doc/rfc6346/
=20
IESG discussion of this request can be tracked via
=

http://datatracker.ietf.org/doc/status-change-address-plus-port-to-propose=
d/ballot/

=20
=20



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Last Call: RFC 6346 successful: moving to Proposed Standard, 🔓Dan Wing
Next by Date:  Re: Last Call: RFC 6346 successful: moving to Proposed Standard, George Michaelson
Previous by Thread:  Re: Last Call: RFC 6346 successful: moving to Proposed Standard, 🔓Dan Wing
Next by Thread:  Re: Last Call: RFC 6346 successful: moving to Proposed Standard, George Michaelson
Indexes:  [Date] [Thread] [Top] [All Lists]