
Re: Last Call: RFC 6346 successful: moving to Proposed Standard

2014-12-05 06:37:12
On 12/04/2014 01:44 PM, Eggert, Lars wrote:
On 2014-12-4, at 17:28, Andrew Sullivan <ajs(_at_)anvilwalrusden(_dot_)com> wrote:

In addition, I agree with the remarks elsewhere in the thread that 
reducing the number of ports available to clients reduces their 
resilience to certain kinds of DNS attacks.  I'm aware that
someone offers an alternative mechanism elsewhere in this thread,
but that is not yet standardized or widely deployed, so it is not
an answer today.

And it's not only DNS that is being attacked, that attack just
happened to be widely publicized. (For example, BGP sessions have
been the target of TCP RST attacks.) Port randomization is a
generally useful technique, which is why we did RFC6056, the
effectiveness of which is reduced by A+P.

+1

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont(_at_)si6networks(_dot_)com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

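To quantify the point made in the thread about A+P reducing the effectiveness of RFC 6056 port randomization, here is an added example (not from the thread, nor from the RFC's authors) that implements RFC 6056's Algorithm 1 (simple port randomization) over a configurable port range and computes how much guessing entropy an off-path attacker faces. The A+P block size and position are assumed values chosen for illustration.

```python
import math
import secrets

# Constructed ranges: the RFC 6056 recommended ephemeral range, and an
# assumed A+P allocation of 1024 contiguous ports to one subscriber.
DEFAULT_EPHEMERAL = (1024, 65535)
AP_BLOCK = (40960, 41983)


def pick_ephemeral_port(port_range, in_use, rng=secrets.randbelow):
    """RFC 6056 Algorithm 1 restricted to port_range (inclusive).

    Starts at a random port, then walks forward with wrap-around until a
    free port is found. Returns None when every port in the range is in use.
    """
    lo, hi = port_range
    num_ephemeral = hi - lo + 1
    port = lo + rng(num_ephemeral)
    for _ in range(num_ephemeral):
        if port not in in_use:
            return port
        port = lo if port == hi else port + 1
    return None


def port_entropy_bits(port_range):
    """Bits of entropy an attacker must guess if ports are uniform in the range."""
    lo, hi = port_range
    return math.log2(hi - lo + 1)


def entropy_loss_bits(full_range, restricted_range):
    """How many bits A+P-style range restriction removes from randomization."""
    return port_entropy_bits(full_range) - port_entropy_bits(restricted_range)


def blind_guess_success(port_range, guesses):
    """Probability that `guesses` distinct blind port guesses include the
    live port (a risk estimate for off-path attacks such as the DNS and
    TCP RST cases mentioned in the thread)."""
    lo, hi = port_range
    return min(1.0, guesses / (hi - lo + 1))


if __name__ == "__main__":
    for name, rng in (("full", DEFAULT_EPHEMERAL), ("A+P", AP_BLOCK)):
        print(name, pick_ephemeral_port(rng, set()),
              round(port_entropy_bits(rng), 2), blind_guess_success(rng, 64))
    print("bits lost to A+P:", round(entropy_loss_bits(DEFAULT_EPHEMERAL, AP_BLOCK), 2))
```

With the assumed 1024-port block, a fixed number of blind guesses is 63 times more likely to succeed than against the full ephemeral range, which is the effect the thread describes.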