Dear Gang,

Please see inline.

Cheers,
Med

-----Original message-----
From: GangChen [mailto:[email protected]]
Sent: Saturday, 17 September 2011 10:29
To: BOUCADAIR Mohamed OLNC/NAD/TIP
Cc: Simon Perreault; [email protected]
Subject: Re: [Softwires] Analysis of Port Indexing Algorithms (draft-bsd-softwire-stateless-port-index-analysis)

Dear Med,

> The logic we adopted for guessing complexity of a valid port and for the
> whole range is as mentioned in
> http://tools.ietf.org/html/draft-bsd-softwire-stateless-port-index-analysis-00#section-2:
>
> "In each analyzed port derivation algorithm, an attacker may implement
> a redirection loop to detect a significant amount of allowed ports.
> For all monotonously scattered schemes, the whole Port-Set may be
> deduced by extrapolation while this is not applicable for contiguous
> port ranges (because no information about port bounds is leaked in
> the IPv4-translatable IPv6 address)."

It seems the same criteria are applied for these two properties. But why would you get a different complexity level for each property targeting the same algorithm? (e.g. for the port range judgment, Guessing Complexity of a Valid Port is Low; Guessing Complexity of the whole Port-Set is Medium)

Med: For a contiguous port range, if you know port N it is easy to guess the next port. This is why we indicated "Low", but since the port range bounds are not leaked in the port itself, it is not easy to guess the whole port (hence the "Medium").

But still the loop vector above applies for all port set allocation algorithms, and under some conditions the server may by itself detect the whole port set. For me, the statement is more proper for whole Port-Set prediction. I guess we need to add text for valid Port prediction?

Med: any text proposal is welcome.

_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires
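To make the distinction Med draws above concrete, here is an added example (not from the draft and not from anyone in this thread) that models the two families of port-set algorithms the draft compares, a contiguous range with unknown bounds and a monotonously scattered (fixed-stride) set, and counts how many parameterisations remain consistent with the ports an observer has already seen. The candidate sizes and strides (powers of two from 2 to 4096) and the sample ports are assumptions.

```python
"""Guessing-complexity model for contiguous vs. scattered port sets (added
example, not from the draft or the thread). A port set is either a contiguous
range [lo, lo + size) with unknown lo and size, or a scattered set
{p : p mod stride == residue} with unknown stride and residue. The functions
count how many parameterisations still fit the observed ports (the draft's
"whole Port-Set" complexity) and how often a single "next port" guess is valid."""

PORT_MAX = 65536
SIZES = [2 ** j for j in range(1, 13)]  # assumed sizes/strides: 2 .. 4096

def contiguous_candidates(observed):
    """Every (lo, size) range that contains all observed ports."""
    lo_obs, hi_obs = min(observed), max(observed)
    return [(lo, size) for size in SIZES
            for lo in range(max(0, hi_obs - size + 1),
                            min(lo_obs, PORT_MAX - size) + 1)]

def scattered_candidates(observed):
    """Every (residue, stride) set that contains all observed ports."""
    p0 = observed[0]
    return [(p0 % s, s) for s in SIZES if all(p % s == p0 % s for p in observed)]

def in_contiguous(cand, port):
    lo, size = cand
    return lo <= port < lo + size

def in_scattered(cand, port):
    residue, stride = cand
    return 0 <= port < PORT_MAX and port % stride == residue

def whole_set_complexity(observed):
    """Consistent port sets per family: many = bounds not leaked, few = deducible."""
    return {"contiguous": len(contiguous_candidates(observed)),
            "scattered": len(scattered_candidates(observed))}

def guess_success(cands, member, port):
    """Fraction of the consistent candidate sets in which a guessed port is valid."""
    return sum(1 for c in cands if member(c, port)) / len(cands) if cands else 0.0

if __name__ == "__main__":
    seen = [1500, 1564, 1516]  # constructed sample: ports seen from one subscriber
    for n in (1, 2, 3):  # scattered candidates collapse as ports accumulate
        print(n, "port(s) observed ->", whole_set_complexity(seen[:n]))
    print("contiguous, guess 1501:", guess_success(contiguous_candidates([1500]), in_contiguous, 1501))
    print("scattered, guess 1501:", guess_success(scattered_candidates([1500]), in_scattered, 1501))
    print("scattered, guess 5596:", guess_success(scattered_candidates([1500]), in_scattered, 5596))
```

With one observed port the scattered family keeps only one candidate per stride while the contiguous family keeps thousands, and two or three more observed ports reduce the scattered candidates to the divisors of the observed differences, which is the extrapolation the draft text refers to.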
