In message <9450AE5B-9401-4E16-856E-FB6B45C3FAAD@xxxxxxxxx>, =?utf-8?Q?=F0=9F=9 4=93Dan_Wing?= writes: > RFC6346 reduces the space for TCP/UDP ports, which makes port-based = > attacks against protocols easier, as was mentioned in RFC6056: =20 > > "It is also worth noting that, provided adequate algorithms are in > use, the larger the range from which ephemeral ports are selected, > the smaller the chances of an attacker are to guess the selected port > number." > > The primary mitigation against the Kaminsky was port randomization and = > attacks against other protocols may also need such port randomization. = > If RFC6346 progresses to Proposed Standard, its impact to the size of = > the port space should be noted in RFC6346bis's security considerations. > > -d And https://tools.ietf.org/html/draft-ietf-dnsop-cookies-00 removes the need for port randomization once deployed. If you don't get a cookie back then you can retry using a randomised port. And just so you know it is not vapour ware BIND 9.10 has a experimental implementation sans the error code called SIT. We haven't yet stopped randomizing the port but that is planned for. Once we have a allocated code point we will be dropping non SIT responses from servers we have had a SIT response from. > On Dec 1, 2014, at 2:38 PM, The IESG <iesg-secretary@xxxxxxxx> wrote: > > >=20 > > The IESG has received a request from an individual participant to make > > the following status changes: > >=20 > > - RFC6346 from Experimental to Proposed Standard > > (The Address plus Port (A+P) Approach to the IPv4 Address Shortage) > >=20 > > The supporting document for this request can be found here: > >=20 > > = > http://datatracker.ietf.org/doc/status-change-address-plus-port-to-propose= > d/ > >=20 > > The IESG plans to make a decision in the next few weeks, and solicits > > final comments on this action. Please send substantive comments to the > > ietf@xxxxxxxx mailing lists by 2014-12-29. Exceptionally, comments may = > be > > sent to iesg@xxxxxxxx instead. In either case, please retain the > > beginning of the Subject line to allow automated sorting. > >=20 > > The affected document can be obtained via > > http://datatracker.ietf.org/doc/rfc6346/ > >=20 > > IESG discussion of this request can be tracked via > > = > http://datatracker.ietf.org/doc/status-change-address-plus-port-to-propose= > d/ballot/ > >=20 > >=20 > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@xxxxxxx