On Dec 4, 2014, at 11:44 AM, Eggert, Lars <lars@netapp.com> wrote:
> And it's not only DNS that is being attacked, that attack just happened to be
> widely publicized. (For example, BGP sessions have been the target of TCP RST
> attacks.) Port randomization is a generally useful technique, which is why we
> did RFC6056, the effectiveness of which is reduced by A+P.
This is a concern that's been discussed at length already. It's a real
problem. However, the actual application for A+P is in a dual-stack
environment, where DNS queries really ought to be going over the IPv6
transport, not the IPv4 transport. Additionally, a great many of the commonly
used port-intensive services at this point are available over IPv6, and we
would prefer that they go over IPv6. So although there is clearly a reduction
in the available number of _IPv4_ ports in an A+P scenario, the total number of
available ports in this situation is more: the host no doubt has at least one
and perhaps more than one IPv6 address, which can be used for all but the
remaining legacy applications.
So it's possible that this ought to be discussed further in the document. But
the fundamental answer to the port guessing vulnerability is "switch to IPv6."
And as several people have already mentioned on this thread, the port
starvation problem exists in any NAT, whether A+P is being done or no. It is
particularly bad in CGN, whether they are stateful or stateless. So it's good
to call out the issue and use it to motivate the advice that service providers
_really_ ought to be turning on IPv6 if they haven't already.
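As an added worked example (not code from this thread or from either of its participants), the block below quantifies the point both messages make: an A+P subscriber only gets a slice of the 16-bit port space, so RFC 6056 port randomization has fewer bits to work with. It builds a subscriber's port set using the MAP port-set layout of RFC 7597 section 5.1, which is the usual A+P port-set scheme (offset bits, PSID bits, low bits; the well-known ports are excluded), compares its size with the full RFC 6056 ephemeral range, and selects a port from it in the manner of RFC 6056 Algorithm 1. The PSID, PSID length and offset values are illustrative choices, not figures from the thread.

```python
import math
import secrets

# RFC 6056 recommends using the whole 1024-65535 range for ephemeral ports.
EPHEMERAL_RANGE = range(1024, 65536)


def map_port_set(psid, psid_len, offset=6):
    """Enumerate the ports one A+P subscriber may use.

    Port layout per RFC 7597 section 5.1 (MAP): the 16-bit port is split into
    `offset` high bits (i), `psid_len` PSID bits and the remaining low bits (j).
    With offset > 0 the value i == 0 is skipped, so ports 0..2^(16-offset)-1
    (the well-known ports when offset == 6) are never handed to a subscriber.
    """
    if offset + psid_len > 16:
        raise ValueError("offset + psid_len must not exceed 16")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("PSID does not fit in psid_len bits")
    low_bits = 16 - offset - psid_len
    i_values = range(1, 1 << offset) if offset > 0 else [0]
    ports = []
    for i in i_values:
        for j in range(1 << low_bits):
            ports.append((i << (16 - offset)) | (psid << low_bits) | j)
    return ports


def port_entropy_bits(port_count):
    """Bits an off-path guesser must get right to hit a uniformly chosen port."""
    return math.log2(port_count)


def effective_bits_lost(port_set):
    """How many bits of RFC 6056 randomization the restricted set gives up."""
    return port_entropy_bits(len(EPHEMERAL_RANGE)) - port_entropy_bits(len(port_set))


def choose_ephemeral_port(port_set, in_use):
    """RFC 6056 Algorithm 1 (simple port randomization) confined to port_set.

    Picks uniformly among ports not already in use; raises when the subscriber's
    slice is exhausted, which is the port-starvation failure mode the thread
    describes for any port-sharing NAT.
    """
    candidates = [p for p in port_set if p not in in_use]
    if not candidates:
        raise RuntimeError("port set exhausted")
    return secrets.choice(candidates)


if __name__ == "__main__":
    # Illustrative parameters: 6 offset bits, 4-bit PSID => 16 subscribers per IPv4 address.
    subscriber_ports = map_port_set(psid=5, psid_len=4, offset=6)
    print(f"ports available to subscriber: {len(subscriber_ports)}")
    print(f"full ephemeral range:          {len(EPHEMERAL_RANGE)}")
    print(f"randomization bits, full range: {port_entropy_bits(len(EPHEMERAL_RANGE)):.2f}")
    print(f"randomization bits, A+P slice:  {port_entropy_bits(len(subscriber_ports)):.2f}")
    print(f"bits lost to A+P:               {effective_bits_lost(subscriber_ports):.2f}")
    print(f"one randomized port: {choose_ephemeral_port(subscriber_ports, set())}")
```

With a 4-bit PSID the subscriber keeps 4032 of the 64512 ephemeral ports, i.e. four fewer bits of randomization; a 10-bit PSID (1024 subscribers per address) leaves only 63 ports, at which point the randomization is almost decorative and the port-starvation problem dominates. That is the arithmetic behind the reply's recommendation to move port-intensive traffic to IPv6, where the full port space is available per host.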