At 11:42 26/07/2007, Murari Sridharan wrote:
> In this context I wanted to bring up a related issue that might also
> strengthen this sort of a port randomization proposal.
> Today the 64k port limitation is starting to become a huge problem
> and most often admins add ip addresses to increase the scalability.
> Given that most often the destination port (and sometimes the
> destination address) is well known, the only scalability left is the
> source address. Increasing ip addresses to improve scalability seems
> a fairly roundabout approach and frankly doesn't scale well. Given
> that the 64k limit is not fundamental why not provide a scaling
> factor similar to the receive window to scale the number of usable
> ports. This also makes randomization much more meaningful because in
> certain proxy scenarios the number of connections quickly exhausts
> the available ports and at that point the attacker can simply use
> any port assuming he can guess the source address.
While I may agree with increasing the range of port numbers, I think
this is out of the scope of the port randomization draft we have authored.
There are a few things that may be worth noting:
* The port randomization approaches discussed in the port
randomization draft are independent of the range of ephemeral ports.
That is, even if at some point we decide to scale the port numbers
(or whatever), the approaches discussed in the port randomization
draft would still apply.
* Most TCP implementations use for the ephemeral ports a very small
subspace (e.g., ports 1024-4999) of the available port number space.
That is, you may be using 1/10th of the range you have available. In
this respect, our port randomization draft advises to increase the
port number range used for ephemeral ports. This may help a bit in
the scenarios you are describing.
Kind regards,
--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
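The trade-off the two messages discuss, as an added example that is not part of the thread or of the port randomization draft: a toy model (constructed numbers, hypothetical proxy load) of random ephemeral-port allocation from a configurable range, showing how a small range such as 1024-4999 both exhausts under load and makes a port in use easier to guess than a range covering the rest of the 16-bit space.

```python
"""Toy model of ephemeral-port range size vs. exhaustion and guessability.
Added example with constructed numbers: a proxy opens many connections to one
well-known destination, drawing random source ports from [lo, hi]."""
import random

PORT_SPACE = 65536  # all 16-bit port numbers


def range_size(lo: int, hi: int) -> int:
    """Number of ephemeral ports in an inclusive range."""
    return hi - lo + 1


def fraction_of_space(lo: int, hi: int) -> float:
    """Share of the 16-bit port space the ephemeral range actually uses."""
    return range_size(lo, hi) / PORT_SPACE


class EphemeralAllocator:
    """Picks an unused source port uniformly at random from [lo, hi]."""

    def __init__(self, lo: int, hi: int, seed: int = 0):
        self.lo, self.hi = lo, hi
        self.in_use = set()
        self.rng = random.Random(seed)  # fixed seed keeps the model reproducible

    def allocate(self):
        """Return a fresh port, or None once the whole range is in use."""
        if len(self.in_use) == range_size(self.lo, self.hi):
            return None
        while True:
            port = self.rng.randint(self.lo, self.hi)
            if port not in self.in_use:
                self.in_use.add(port)
                return port


def simulate(lo: int, hi: int, connections: int, seed: int = 0) -> dict:
    """Open `connections` flows and report exhaustion and guessability."""
    alloc = EphemeralAllocator(lo, hi, seed)
    ports = [alloc.allocate() for _ in range(connections)]
    allocated = [p for p in ports if p is not None]
    n = range_size(lo, hi)
    return {
        "allocated": len(allocated),
        "failed": len(ports) - len(allocated),   # connections refused: range exhausted
        "guess_specific": 1 / n,                 # one blind guess hits a given connection's port
        "guess_any_in_use": len(allocated) / n,  # hits some port in use; 1.0 once exhausted
    }
```

Running `simulate(1024, 4999, 4000)` against `simulate(1024, 65535, 4000)` shows the small range refusing 24 of the 4000 connections with every port in use, while the wide range stays far from exhaustion.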