Re: Last Call: RFC 6346 successful: moving to Proposed Standard


 



On Dec 4, 2014, at 11:44 AM, Eggert, Lars <lars@xxxxxxxxxx> wrote:
> And it's not only DNS that is being attacked, that attack just happened to be widely publicized. (For example, BGP sessions have been the target of TCP RST attacks.) Port randomization is a generally useful technique, which is why we did RFC6056, the effectiveness of which is reduced by A+P.

This is a concern that's been discussed at length already. It's a real problem. However, the actual application for A+P is in a dual-stack environment, where DNS queries really ought to be going over the IPv6 transport, not the IPv4 transport. Additionally, a great many of the commonly used port-intensive services at this point are available over IPv6, and we would prefer that they go over IPv6. So although there is clearly a reduction in the available number of _IPv4_ ports in an A+P scenario, the total number of available ports in this situation is more: the host no doubt has at least one and perhaps more than one IPv6 address, which can be used for all but the remaining legacy applications.

So it's possible that this ought to be discussed further in the document. But the fundamental answer to the port guessing vulnerability is "switch to IPv6." And as several people have already mentioned on this thread, the port starvation problem exists in any NAT, whether A+P is being done or not. It is particularly bad in CGN, whether they are stateful or stateless. So it's good to call out the issue and use it to motivate the advice that service providers _really_ ought to be turning on IPv6 if they haven't already.
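The two effects argued over above, the loss of RFC 6056 port-randomization entropy when A+P confines a host to a share of one IPv4 address's ports, and the port starvation that follows when that share is exhausted, can be made concrete with a small model. The following is an added example, not code from the thread, RFC 6346 or RFC 6056; it assumes a constructed 1024-port contiguous share for one subscriber and implements the simple-randomization scheme of RFC 6056 (Algorithm 1: draw uniformly, retry while the port is in use) over whatever port set the host actually has.

```python
import math
import secrets

# Constructed values for illustration (not taken from the thread or RFC 6346):
# the ephemeral range RFC 6056 recommends, and a 1024-port A+P share carved out
# of one shared IPv4 address for a single subscriber.
FULL_EPHEMERAL_RANGE = list(range(1024, 65536))
AP_PORT_SHARE = list(range(20480, 20480 + 1024))


def port_entropy_bits(candidate_ports):
    """Bits of uncertainty an off-path guesser faces when the source port is
    drawn uniformly from candidate_ports (log2 of the set size)."""
    n = len(candidate_ports)
    return math.log2(n) if n > 0 else 0.0


def entropy_loss_bits(full_range, share):
    """How many bits of RFC 6056 port randomization A+P gives up by
    restricting the host to its share of the address's ports."""
    return port_entropy_bits(full_range) - port_entropy_bits(share)


def select_ephemeral_port(allowed_ports, in_use, rng=secrets.randbelow, max_attempts=None):
    """RFC 6056 Algorithm 1 (simple port randomization) applied to the host's
    own port set: pick uniformly at random, retry while the port is in use.
    Returns None when the share is exhausted (port starvation); the caller
    should fail the connection rather than fall back to a predictable port.
    rng is injectable so the selection can be tested deterministically."""
    n = len(allowed_ports)
    if n == 0:
        return None
    attempts = n if max_attempts is None else max_attempts
    for _ in range(attempts):
        port = allowed_ports[rng(n)]
        if port not in in_use:
            return port
    return None


def total_available_ports(ipv4_share, ipv6_address_count, per_address_range=FULL_EPHEMERAL_RANGE):
    """Ports a dual-stack A+P host can draw on: its IPv4 share plus the full
    ephemeral range on each of its IPv6 addresses."""
    return len(ipv4_share) + ipv6_address_count * len(per_address_range)


if __name__ == "__main__":
    print(f"full range: {port_entropy_bits(FULL_EPHEMERAL_RANGE):.2f} bits")
    print(f"A+P share:  {port_entropy_bits(AP_PORT_SHARE):.2f} bits")
    print(f"loss:       {entropy_loss_bits(FULL_EPHEMERAL_RANGE, AP_PORT_SHARE):.2f} bits")
    print("chosen port:", select_ephemeral_port(AP_PORT_SHARE, in_use=set()))
    print("dual-stack ports:", total_available_ports(AP_PORT_SHARE, 1))
```

With the constructed 1024-port share, the IPv4 side offers exactly 10 bits of port entropy against roughly 16 for the full range, which is the reduction the quoted message refers to; the same host's single IPv6 address restores the full range, which is the counter-argument made above. The starvation case is the None return: once every port in the share is in use, the only safe behaviour is to fail the new flow, never to reuse or predictably pick a port.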





