On Apr 1, 2013, at 3:17 PM, Ole Troan (otroan) <[email protected]> wrote:

>>> The meeting minutes record a disagreement over what port mapping algorithm
>>> to use. This affects both MAP-E and LW 4over6. As I understand it:
>>>
>>> - either of these two technologies will work with either contiguous ports
>>> or ports scattered according to the GMA algorithm
>>>
>>> - the real objection to GMA comes from Alain Durand, who wants to set up
>>> simple min-port, max-port filters on his network equipment.
>>>
>>> We all agree that port scattering offers negligible security advantage.
>>
>> Port scattering, using GMA, provides tiny security advantage. An attacker
>> can determine the Generalized Modulus Algorithm, by causing a victim to open
>> a bunch of TCP connections. One way an attacker can cause a bunch of TCP
>> connections to be opened is by sending an email with a bunch of <img src>
>> tags to servers where the attacker can observe the TCP source ports for the
>> connections. Another way is to do the same with a web page. GMA is a good
>> amount of engineering and confusion for little gain, but the *appearance* of
>> a gain because to a person the port numbers will appear random. In other
>> words, a false sense of security. Port numbers are being used in courts of
>> law and explaining GMA to the lay person will be complex. I believe it is
>> an unnecessary complexity.
>
> Can you please read the latest draft?
> What exactly is complex and confusing?

Non-contiguous ports are more confusing than contiguous ports, especially to
people that don't understand binary math. IP stacks used to allow
non-contiguous 1's in subnet masks which were cute, but caused confusion with
the humans. (and some stacks couldn't cope well, but that is another topic.)
I worry about the humans being confused with the binary math.

> GMA aka "port prefix" was not designed for scattering ports, that's a side
> effect. The requirement leading to that effect is, independence of end user
> IPv6 prefix. I.e. avoid having to reserve a specific IPv6 prefix from
> assignment.

I agree the requirement is something we need.

Appendix B of draft-ietf-softwire-map-05.txt (March 18, I presume 'the
latest') mentions the port scattering as an extreme case, which the algorithm
supports. Can we remove that support?

-d

> Ole
>
>>
>> -d
>>
>>>
>>> The reason that I heard given for preferring GMA for MAP-E is that it
>>> eliminates a restriction on the End-User IPv6 address because the PSID is
>>> free to range from 0 upwards rather than from some higher number upwards. I
>>> don't follow this argument for two reasons:
>>>
>>> - you now have a restriction that the offset field A must range from 1
>>> upwards
>>>
>>> - the PSID field has an upper limit 2^k-1 imposed by the sharing ratio,
>>> imposing a further restriction on the End-User IPv6 address value.
>>>
>>> Could someone spell out more clearly why the GMA was seen as necessary for
>>> MAP-E?
>>> _______________________________________________
>>> Softwires mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/softwires
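As an added illustration (not code from the draft or from anyone in this thread) of the arithmetic behind the min-port/max-port objection and of why the mapping is recoverable from observed ports: the A | PSID | M port layout of draft-ietf-softwire-map, with A >= 1 whenever an offset field exists, worked through for a sharing ratio of 16. The function names and the sample values (k = 4, PSID 5) are my own.

```python
# Added illustration of the MAP/GMA port mapping discussed in this thread.
# Port layout (16 bits): A (a bits, the "offset") | PSID (k bits) | M (m bits),
# with a + k + m = 16 and A >= 1 whenever a > 0, so ports below 2^(16-a) are
# never assigned. Function names are my own, not from the draft.
from typing import List, Tuple


def gma_port_set(psid: int, a: int, k: int) -> List[int]:
    """Return every port assigned to `psid` for offset bits a and PSID bits k."""
    m = 16 - a - k
    if m < 0 or not 0 <= psid < (1 << k):
        raise ValueError("invalid a/k/psid combination")
    first_a = 1 if a > 0 else 0  # A = 0 is excluded when an offset field exists
    return [
        (A << (k + m)) | (psid << m) | M
        for A in range(first_a, 1 << a)
        for M in range(1 << m)
    ]


def contiguous_ranges(ports: List[int]) -> List[Tuple[int, int]]:
    """Collapse an ascending port list into (min, max) runs: one run per
    min-port/max-port filter rule an operator would have to configure."""
    ranges: List[Tuple[int, int]] = []
    for p in ports:
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def psid_from_port(port: int, a: int, k: int) -> int:
    """The decoding a BR performs: the PSID is the k bits between A and M."""
    m = 16 - a - k
    return (port >> m) & ((1 << k) - 1)


if __name__ == "__main__":
    # Sharing ratio 16 (k = 4), PSID 5; constructed sample values.
    scattered = contiguous_ranges(gma_port_set(5, a=6, k=4))
    contiguous = contiguous_ranges(gma_port_set(5, a=0, k=4))
    print(len(scattered), "filter rules with a=6, first run:", scattered[0])
    print(len(contiguous), "filter rule with a=0:", contiguous[0])
```

With a = 6 the same subscriber's 4032 ports fall into 63 separate 64-port runs, whereas a = 0 gives one run of 4096 ports; in both cases the PSID is read straight out of the port bits.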
