ietf

Re: Last Call: RFC 6346 successful: moving to Proposed Standard

2014-12-04 10:59:10
On Dec 4, 2014, at 11:44 AM, Eggert, Lars <lars(_at_)netapp(_dot_)com> wrote:
And it's not only DNS that is being attacked, that attack just happened to be 
widely publicized. (For example, BGP sessions have been the target of TCP RST 
attacks.) Port randomization is a generally useful technique, which is why we 
did RFC6056, the effectiveness of which is reduced by A+P.

This is a concern that's been discussed at length already.   It's a real 
problem.   However, the actual application for A+P is in a dual-stack 
environment, where DNS queries really ought to be going over the IPv6 
transport, not the IPv4 transport.   Additionally, a great many of the commonly 
used port-intensive services at this point are available over IPv6, and we 
would prefer that they go over IPv6.   So although there is clearly a reduction 
in the available number of _IPv4_ ports in an A+P scenario, the total number of 
available ports in this situation is more: the host no doubt has at least one 
and perhaps more than one IPv6 address, which can be used for all but the 
remaining legacy applications.

So it's possible that this ought to be discussed further in the document.   But 
the fundamental answer to the port guessing vulnerability is "switch to IPv6."  
 And as several people have already mentioned on this thread, the port 
starvation problem exists in any NAT, whether A+P is being done or not.   It is 
particularly bad in CGN, whether they are stateful or stateless.   So it's good 
to call out the issue and use it to motivate the advice that service providers 
_really_ ought to be turning on IPv6 if they haven't already.
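An added example, not from this thread or any RFC, that puts numbers on the reduction in port-randomization effectiveness discussed above: it compares the guessing space an off-path attacker faces under full-range RFC 6056 randomization with the same host behind an A+P port set. It assumes equal contiguous port blocks per subscriber and a uniform choice of ephemeral port within the usable part of the block; the 16-way sharing scenario in the main block is constructed.

```python
import math

# Baseline (assumption): RFC 6056 suggests drawing ephemeral ports from the
# whole range above the well-known ports, 1024-65535.
EPHEMERAL_LO, EPHEMERAL_HI = 1024, 65535

def ap_port_block(sharing_ratio: int, subscriber_index: int) -> tuple[int, int]:
    """Contiguous port block for one subscriber of a shared IPv4 address.
    Assumption: the 65536 ports are split into sharing_ratio equal blocks."""
    if sharing_ratio < 1 or sharing_ratio & (sharing_ratio - 1):
        raise ValueError("sharing ratio must be a power of two")
    if not 0 <= subscriber_index < sharing_ratio:
        raise ValueError("subscriber index out of range")
    block = 65536 // sharing_ratio
    lo = subscriber_index * block
    return lo, lo + block - 1

def usable_ephemeral_ports(lo: int, hi: int) -> int:
    """Ports in [lo, hi] a host may draw from; the well-known range is excluded."""
    lo, hi = max(lo, EPHEMERAL_LO), min(hi, EPHEMERAL_HI)
    return max(0, hi - lo + 1)

def port_entropy_bits(n_ports: int) -> float:
    """Bits an off-path attacker must guess when the port is chosen uniformly."""
    return math.log2(n_ports) if n_ports > 0 else 0.0

def blind_hit_probability(n_ports: int, guesses: int) -> float:
    """Chance that `guesses` distinct port guesses include the port in use."""
    return 1.0 if n_ports <= 0 else min(1.0, guesses / n_ports)

def compare(sharing_ratio: int, subscriber_index: int, guesses: int) -> dict:
    """Full-range RFC 6056 randomization versus the same host behind A+P."""
    full = usable_ephemeral_ports(EPHEMERAL_LO, EPHEMERAL_HI)
    shared = usable_ephemeral_ports(*ap_port_block(sharing_ratio, subscriber_index))
    return {
        "full_range_ports": full,
        "ap_ports": shared,
        "bits_lost": port_entropy_bits(full) - port_entropy_bits(shared),
        "full_range_hit_prob": blind_hit_probability(full, guesses),
        "ap_hit_prob": blind_hit_probability(shared, guesses),
    }

if __name__ == "__main__":
    # Constructed scenario: 16 subscribers share one address, attacker sends 1024 guesses.
    for name, value in compare(16, 3, 1024).items():
        print(f"{name}: {value:.4g}" if isinstance(value, float) else f"{name}: {value}")
```

With 16 subscribers per address the host loses roughly four bits of port unpredictability, which is the quantitative form of the concern that A+P erodes the benefit of RFC 6056; the IPv6 path the thread recommends has no such port sharing.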