Hello, folks, Our port randomization I-D (draft-ietf-tsvwg-port-randomization) has been shipped to the IESG. Lars reviewed the I-D (see the current thread on the tsvwg mailing-list: http://www.ietf.org/mail-archive/web/tsvwg/current/msg09679.html), and asked a how a few specific issues would apply to transport protocols other than TCP. So I'm posting the questions here in the hope that some of you might know the answer and be so kind to help (see bellow). Section 3.1., paragraph 10: >> Port numbers that are currently in use by a TCP in the LISTEN state >> should not be allowed for use as ephemeral ports. (This to prevent an attacker from shijacking an incoming connection by binding a port number on which a process is LISTENning for incoming connections, and simulating a "simultaneous open" scenario). Are there similar issues for DCCP? Section 3.1., paragraph 13: >> It should be noted that most applications based on popular >> implementations of TCP API (such as the Sockets API) perform >> "passive opens" in three steps. Firstly, the application obtains a >> file descriptor to be used for inter-process communication (e.g., >> by issuing a socket() call). Secondly, the application binds the >> file descriptor to a local TCP port number (e.g., by issuing a >> bind() call), thus creating a TCP in the fictional CLOSED state. >> Thirdly, the aforementioned TCP is put in the LISTEN state (e.g., >> by issuing a listen() call). As a result, with such an >> implementation of the TCP API, even if port numbers in use for TCPs >> in the LISTEN state were not allowed for use as ephemeral ports, >> there is a window of time between the second and the third steps in >> which an attacker could be allowed to select a port number that >> would be later used for listening to incoming connections. >> Therefore, these implementations of the TCP API should enforce a >> stricter requirement for the allocation of port numbers: port >> numbers that are in use by a TCP in the LISTEN or CLOSED states >> should not be allowed for allocation as ephemeral ports [CPNI-TCP] >> [I-D.gont-tcp-security]. Are there similar issues for DCCP? Thanks so much! Kind regards, -- Fernando Gont e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
