On 2014-12-4, at 17:28, Andrew Sullivan <ajs(_at_)anvilwalrusden(_dot_)com>
wrote:
> In addition, I agree with the remarks elsewhere in the thread that
> reducing the number of ports available to clients reduces their
> resilience to certain kinds of DNS attacks. I'm aware that someone
> offers an alternative mechanism elsewhere in this thread, but that is
> not yet standardized or widely deployed, so it is not an answer today.
And it's not only DNS that is being attacked, that attack just happened to be
widely publicized. (For example, BGP sessions have been the target of TCP RST
attacks.) Port randomization is a generally useful technique, which is why we
did RFC6056, the effectiveness of which is reduced by A+P.
Lars
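The following is an added worked example, not code from this thread or from either author, to make the point about A+P and RFC 6056 concrete. It implements RFC 6056 Algorithm 1 (simple port randomization) over an arbitrary list of candidate ports, and then compares the guessing work an off-path attacker faces when the client may use the full 1024..65535 ephemeral range versus an assumed A+P share of one address among 16 subscribers, i.e. 4096 ports per subscriber (the sharing ratio, the RFC 6056 recommended range, and the uniform-guessing attacker model are assumptions of this example, not figures from the thread). The secondary guess space is 2^16 for a DNS transaction ID; for a blind TCP RST against a BGP session it would be the 32-bit sequence space divided by the receive window, which is why the function takes it as a parameter.

```python
"""Added example: why shrinking the ephemeral port set (as A+P does)
weakens RFC 6056 port randomization against off-path spoofing.
Not code from the mailing-list thread; assumptions are marked below."""
import math
import secrets

# RFC 6056 recommends the ephemeral range 1024..65535 (assumed here).
EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 65535
FULL_RANGE = list(range(EPHEMERAL_MIN, EPHEMERAL_MAX + 1))

# Assumed A+P deployment for illustration: one IPv4 address shared by
# 16 subscribers, so each subscriber gets a contiguous block of 4096 ports.
SUBSCRIBERS_PER_ADDRESS = 16
APLUSP_BLOCK = 65536 // SUBSCRIBERS_PER_ADDRESS
APLUSP_SHARE = list(range(3 * APLUSP_BLOCK, 4 * APLUSP_BLOCK))  # 12288..16383

DNS_TXID_SPACE = 2 ** 16          # 16-bit transaction ID


def select_port_rfc6056_alg1(candidates, in_use, start_index=None):
    """RFC 6056 Algorithm 1 ("simple port randomization"), generalised from
    a [min,max] range to an ordered list of allowed ports so that an A+P
    port block can be passed in unchanged: choose a uniformly random start
    point, then walk forward (wrapping) until an unused port is found.
    `start_index` exists only to make the walk deterministic in tests."""
    n = len(candidates)
    if n == 0:
        raise ValueError("no candidate ports")
    idx = secrets.randbelow(n) if start_index is None else start_index % n
    for _ in range(n):
        port = candidates[idx]
        if port not in in_use:
            return port
        idx = (idx + 1) % n
    raise RuntimeError("all candidate ports are in use")


def port_entropy_bits(num_ports):
    """Bits of unpredictability the port contributes when chosen uniformly."""
    return math.log2(num_ports)


def expected_forged_packets(num_ports, secondary_space):
    """Mean number of blindly forged packets an off-path attacker must send
    before one matches both the port and the secondary value (TXID or
    in-window sequence number). Geometric distribution: 1 / p."""
    return num_ports * secondary_space


def spoof_success_probability(num_ports, secondary_space, attempts):
    """Probability that at least one of `attempts` uniformly guessed forged
    packets hits the live (port, secondary) pair."""
    per_packet = 1.0 / (num_ports * secondary_space)
    return 1.0 - (1.0 - per_packet) ** attempts


def compare_full_vs_aplusp(secondary_space=DNS_TXID_SPACE):
    """Return the factor by which A+P (assumed 4096-port share) cuts the
    attacker's expected work relative to the full ephemeral range."""
    full = expected_forged_packets(len(FULL_RANGE), secondary_space)
    shared = expected_forged_packets(len(APLUSP_SHARE), secondary_space)
    return full / shared


if __name__ == "__main__":
    in_use = {APLUSP_SHARE[0], APLUSP_SHARE[1]}   # constructed busy ports
    print("A+P client picked port", select_port_rfc6056_alg1(APLUSP_SHARE, in_use))
    for label, ports in (("full range", FULL_RANGE), ("A+P share", APLUSP_SHARE)):
        print(f"{label}: {len(ports)} ports, {port_entropy_bits(len(ports)):.2f} bits,"
              f" ~{expected_forged_packets(len(ports), DNS_TXID_SPACE):,} forged"
              f" DNS replies expected before a hit")
    print(f"A+P reduces the attacker's work by {compare_full_vs_aplusp():.2f}x")
```

The port-selection routine still randomizes exactly as the RFC describes; what changes under A+P is only the size of the set it draws from, and the attacker's expected work scales linearly with that size. Swap `DNS_TXID_SPACE` for `2**32 // receive_window` to get the corresponding figure for a blind RST against a long-lived TCP session.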