On 2014-12-4, at 17:28, Andrew Sullivan <ajs@xxxxxxxxxxxxxxxxxx> wrote:
>
> In addition, I agree with the remarks elsewhere in the thread that
> reducing the number of ports available to clients reduces their
> resilience to certain kinds of DNS attacks. I'm aware that someone
> offers an alternative mechanism elsewhere in this thread, but that is
> not yet standardized or widely deployed, so it is not an answer today.

And it's not only DNS that is being attacked; that attack just happened to be widely publicized. (For example, BGP sessions have been the target of TCP RST attacks.)

Port randomization is a generally useful technique, which is why we did RFC 6056, the effectiveness of which is reduced by A+P.

Lars
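The point Lars makes (an A+P port set shrinks the space an off-path attacker has to search) is easy to quantify with a small model. The following is an added example, not code from the thread, from RFC 6056 or from any A+P implementation: it implements the simple hash-based port selection of RFC 6056 Algorithm 3 over an explicit allowed-port list, so the same selector can be run against a full ephemeral range and against an A+P-restricted subset, and it computes how many blind probes an off-path attacker who already knows the other three tuple elements needs on average to hit the client's source port. The keyed function F (HMAC-SHA256 here), the IP addresses, and the 1024-port A+P set are assumptions chosen for illustration; real A+P/MAP port sets are assigned by the operator and need not be contiguous.

```python
"""Added example (not from the thread): RFC 6056 Algorithm 3 port selection run
over an arbitrary allowed-port set, and a rough model of the off-path guessing
cost it imposes on an attacker (e.g. one sending spoofed TCP RSTs)."""
import hashlib
import hmac
import struct
from typing import Iterable, List


def _hash_offset(local_ip: str, remote_ip: str, remote_port: int, secret: bytes) -> int:
    # F(local_IP, remote_IP, remote_port, secret_key) of RFC 6056 Algorithm 3.
    # The RFC only requires a keyed function an attacker cannot predict;
    # using HMAC-SHA256 truncated to 32 bits is an assumption of this example.
    msg = local_ip.encode() + remote_ip.encode() + struct.pack("!H", remote_port)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class PortSelector:
    """Ephemeral port selector following RFC 6056 Algorithm 3 (simple hash-based
    port selection), drawing from an explicit list of allowed ports so that a
    full ephemeral range and an A+P port set are handled by the same code."""

    def __init__(self, allowed_ports: Iterable[int], secret: bytes):
        self.allowed: List[int] = sorted(set(allowed_ports))
        self.secret = secret
        self.next_ephemeral = 0          # global counter, as in the RFC
        self.in_use = set()              # ports currently bound

    def select(self, local_ip: str, remote_ip: str, remote_port: int) -> int:
        num = len(self.allowed)
        offset = _hash_offset(local_ip, remote_ip, remote_port, self.secret)
        for _ in range(num):
            # min_ephemeral + (next_ephemeral + offset) % num_ephemeral,
            # generalised to an arbitrary sorted port list.
            port = self.allowed[(self.next_ephemeral + offset) % num]
            self.next_ephemeral += 1
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        raise RuntimeError("no free port in the allowed set")

    def release(self, port: int) -> None:
        self.in_use.discard(port)


def expected_probes_to_hit_port(allowed_ports: Iterable[int]) -> float:
    """Off-path attacker who knows local/remote IP and remote port and probes
    the client's possible source ports one at a time without repetition:
    the expected number of probes before the right port is tried is (n+1)/2,
    where n is the size of the port set the client can actually use."""
    n = len(set(allowed_ports))
    return (n + 1) / 2


def attack_cost_ratio(full_range: Iterable[int], ap_set: Iterable[int]) -> float:
    """How much cheaper the port-guessing step gets under the A+P restriction."""
    return expected_probes_to_hit_port(full_range) / expected_probes_to_hit_port(ap_set)


if __name__ == "__main__":
    # Constructed scenario: a host with the full IANA ephemeral range versus the
    # same host behind A+P with a (hypothetical) contiguous 1024-port set.
    full = range(1024, 65536)
    ap = range(40960, 40960 + 1024)
    key = b"per-boot secret (constructed)"
    for label, ports in (("full range", full), ("A+P 1024 ports", ap)):
        sel = PortSelector(ports, key)
        chosen = [sel.select("192.0.2.1", "198.51.100.7", 179) for _ in range(3)]
        print(f"{label:15s} sample ports {chosen}, "
              f"expected probes {expected_probes_to_hit_port(ports):.1f}")
    print(f"A+P makes the port-guessing step {attack_cost_ratio(full, ap):.0f}x cheaper")
```

Two things worth noticing when running it: Algorithm 3 hands consecutive connections to the same destination adjacent ports (that is why RFC 6056 also describes the double-hash Algorithm 4), and the guessing cost scales linearly with the port-set size, so a 1024-port A+P assignment cuts the attacker's expected work by roughly 63x against a 64512-port range. The model only covers the source-port component; a successful TCP RST attack also needs an in-window sequence number.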