rfcdiff: draft-ietf-tsvwg-port-randomization-07.txt vs. draft-ietf-tsvwg-port-randomization-08.txt
Transport Area Working Group                                   M. Larsen
(tsvwg)                                                      TietoEnator
Internet-Draft                                                   F. Gont
Intended status: BCP                                             UTN/FRH
-07: Expires: October 14, 2010                            April 12, 2010
-08: Expires: December 2, 2010                              May 31, 2010

          Transport Protocol Port Randomization Recommendations
            draft-ietf-tsvwg-port-randomization-07 (-07) and
            draft-ietf-tsvwg-port-randomization-08 (-08)
Abstract

During the last few years, awareness has been raised about a number of
"blind" attacks that can be performed against the Transmission
Control Protocol (TCP) and similar protocols. The consequences of
these attacks range from throughput-reduction to broken connections
or data corruption. These attacks rely on the attacker's ability to
guess or know the five-tuple (Protocol, Source Address, Destination
Address, Source Port, Destination Port) that identifies the transport
skipping to change at page 2, line 4

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

-07: This Internet-Draft will expire on October 14, 2010.
-08: This Internet-Draft will expire on December 2, 2010.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

skipping to change at page 3, line 11

not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Ephemeral Ports . . . . . . . . . . . . . . . . . . . . . . . 7
   2.1. Traditional Ephemeral Port Range . . . . . . . . . . . . . 7
   2.2. Ephemeral port selection . . . . . . . . . . . . . . . . . 7
   2.3. Collision of instance-id's . . . . . . . . . . . . . . . . 9   (-07: page 8)
3. Obfuscating the Ephemeral Ports . . . . . . . . . . . . . . . 10
   3.1. Characteristics of a good ephemeral port obfuscation
        algorithm . . . . . . . . . . . . . . . . . . . . . . . . 10
   3.2. Ephemeral port number range . . . . . . . . . . . . . . . 12
   3.3. Ephemeral Port Obfuscation Algorithms . . . . . . . . . . 12
        3.3.1. Algorithm 1: Simple port randomization algorithm . . . 12
        3.3.2. Algorithm 2: Another simple port randomization
               algorithm . . . . . . . . . . . . . . . . . . . . . . 14
        3.3.3. Algorithm 3: Simple hash-based algorithm . . . . . . . 15
        3.3.4. Algorithm 4: Double-hash obfuscation algorithm . . . . 17

skipping to change at page 3, line 45

Appendix A. Survey of the algorithms in use by some popular
            implementations . . . . . . . . . . . . . . . . . . . 31
   A.1. FreeBSD . . . . . . . . . . . . . . . . . . . . . . . . . 31
   A.2. Linux . . . . . . . . . . . . . . . . . . . . . . . . . . 31
   A.3. NetBSD . . . . . . . . . . . . . . . . . . . . . . . . . . 31
   A.4. OpenBSD . . . . . . . . . . . . . . . . . . . . . . . . . 31
   A.5. OpenSolaris . . . . . . . . . . . . . . . . . . . . . . . 31
Appendix B. Changes from previous versions of the draft (to
            be removed by the RFC Editor before publication
            of this document as a RFC . . . . . . . . . . . . . . 32
   B.1. Changes from draft-ietf-tsvwg-port-randomization-07 . . . 32   (new in -08)
   B.2. Changes from draft-ietf-tsvwg-port-randomization-06 . . . 32
   B.3. Changes from draft-ietf-tsvwg-port-randomization-05 . . . 32
   B.4. Changes from draft-ietf-tsvwg-port-randomization-04 . . . 32
   B.5. Changes from draft-ietf-tsvwg-port-randomization-03 . . . 32
   B.6. Changes from draft-ietf-tsvwg-port-randomization-02 . . . 32
   B.7. Changes from draft-ietf-tsvwg-port-randomization-01 . . . 32
   B.8. Changes from draft-ietf-tsvwg-port-randomization-00 . . . 33
   B.9. Changes from draft-larsen-tsvwg-port-randomization-02 . . 33
   B.10. Changes from draft-larsen-tsvwg-port-randomization-01 . . 33
   B.11. Changes from draft-larsen-tsvwg-port-randomization-00 . . 33
   B.12. Changes from draft-larsen-tsvwg-port-randomisation-00 . . 33
   (In -07, which had no entry for changes from -07, the same entries
   were numbered B.1 through B.11: B.1 to B.6 on page 32, B.7 to B.11
   on page 33.)
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
1. Introduction

Recently, awareness has been raised about a number of "blind" attacks
(i.e., attacks that can be performed without the need to sniff the
packets that correspond to the transport protocol instance to be
attacked) that can be performed against the Transmission Control
Protocol (TCP) [RFC0793] and similar protocols. The consequences of
these attacks range from throughput-reduction to broken connections

skipping to change at page 8, line 19
   count = max_ephemeral - min_ephemeral + 1;

   do {
       port = next_ephemeral;

       if (next_ephemeral == max_ephemeral) {
           next_ephemeral = min_ephemeral;
       } else {
           next_ephemeral++;
       }

       if (check_suitable_port(port))
           return port;

       count--;
   } while (count > 0);

   return ERROR;

                                Figure 1

   (In -07 the test read "if (five-tuple is unique)"; -08 replaces it
   with check_suitable_port(port) and adds the Note that follows.)
Note:
check_suitable_port() is a function that checks whether the
resulting port number is acceptable as an ephemeral port. That
is, it checks whether the resulting port number is unique and may,
in addition, check that the port number is not in use for a
connection in the LISTEN or CLOSED states and that the port number
is not in the list of port numbers that should not be allocated as
ephemeral ports. In BSD-derived systems, the
check_suitable_port() would correspond to the in_pcblookup_local()
function, where all the necessary checks would be performed.
This algorithm works adequately provided that the number of
transport-protocol instances (for each transport protocol) that
have a life-time longer than it takes to exhaust the total ephemeral
port range is small, so that collisions of instance-id's are rare.
However, this method has the drawback that the 'next_ephemeral'
variable, and thus the ephemeral port range, is shared between all
transport-protocol instances, and the next ports chosen by the client
are easy to predict. If an attacker operates an "innocent" server to
which the client connects, it is easy to obtain a reference point for
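Review bot: the Note that defines check_suitable_port() is attached to Figure 1 only, yet the -08 text substitutes the same call for "five-tuple is unique" in each of the later selection figures on this page, none of which refers back to it. Suggest adding a sentence to the Note along the lines of "check_suitable_port() has the same meaning in all of the algorithms in Section 3.3", or a one-line reminder at the start of Section 3.3, so a reader who starts at the algorithms is not left guessing what the call checks.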
skipping to change at page 13, line 12
In order to address the security issues discussed in Section 1 and
Section 2.2, a number of systems have implemented simple ephemeral
port number randomization, as follows:

   /* Ephemeral port selection function */
   num_ephemeral = max_ephemeral - min_ephemeral + 1;
   next_ephemeral = min_ephemeral + (random() % num_ephemeral);
   count = num_ephemeral;

   do {
       if(check_suitable_port(port))
               return next_ephemeral;

       if (next_ephemeral == max_ephemeral) {
           next_ephemeral = min_ephemeral;
       } else {
           next_ephemeral++;
       }

       count--;
   } while (count > 0);

   (In -07 the test read "if(resulting five-tuple is unique)".)
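Review bot: in the new text of this figure, check_suitable_port(port) is called on a variable that the figure never assigns; the candidate being cycled is next_ephemeral, which is also what is returned on success. The -07 wording "resulting five-tuple is unique" did not carry this mismatch, so the substitution introduced it. Suggest if(check_suitable_port(next_ephemeral)), or assign port = next_ephemeral; at the top of the loop body the way Figure 1 does and return port.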
skipping to change at page 14, line 36

The following pseudo-code illustrates another algorithm for selecting
a random port number, in which, in the event a local instance-id
collision is detected, another port number is selected randomly:

   /* Ephemeral port selection function */
   num_ephemeral = max_ephemeral - min_ephemeral + 1;
   next_ephemeral = min_ephemeral + (random() % num_ephemeral);
   count = num_ephemeral;

   do {
       if(check_suitable_port(port))
               return next_ephemeral;

       next_ephemeral = min_ephemeral + (random() % num_ephemeral);
       count--;
   } while (count > 0);

   return ERROR;

                                Figure 3

   (In -07 the test read "if(resulting five-tuple is unique)".)
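Review bot: same mismatch as in the Algorithm 1 figure: check_suitable_port(port) tests a variable this figure never assigns, while the candidate drawn by random() lives in next_ephemeral and is what the function returns. Suggest if(check_suitable_port(next_ephemeral)) so the value checked is the value returned.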
skipping to change at page 16, line 19

   num_ephemeral = max_ephemeral - min_ephemeral + 1;
   offset = F(local_IP, remote_IP, remote_port, secret_key);
   count = num_ephemeral;

   do {
       port = min_ephemeral +
              (next_ephemeral + offset) % num_ephemeral;
       next_ephemeral++;

       if(check_suitable_port(port))
           return port;

       count--;
   } while (count > 0);

   return ERROR;

                                Figure 4

   (In -07 the test read "if(resulting five-tuple is unique)".)
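Added example (my code, not text from the draft): Python versions of the shared-counter selector of Figure 1 and the hash-offset selector of Figure 4 side by side, so the effect of the per-destination offset described in Section 2.2 can be observed on sample connections. The range 1024-65535, HMAC-SHA256 truncated to 32 bits as the instance of F(), and the sample addresses and key are assumptions.

```python
import hashlib
import hmac
import ipaddress

MIN_EPHEMERAL = 1024          # assumed range for the demo
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


def F(local_ip, remote_ip, remote_port, secret_key):
    """The draft's F(): a keyed hash over the tuple elements the client
    already knows. HMAC-SHA256 truncated to 32 bits is an assumed
    instance; the draft leaves the choice of hash to the implementer."""
    msg = (ipaddress.ip_address(local_ip).packed
           + ipaddress.ip_address(remote_ip).packed
           + remote_port.to_bytes(2, "big"))
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % NUM_EPHEMERAL


class SequentialSelector:
    """Figure 1: one global counter shared by every destination, so the
    port used toward one peer reveals the next port toward any peer."""

    def __init__(self, start=MIN_EPHEMERAL):
        self.next_ephemeral = start

    def select(self, check_suitable_port):
        count = NUM_EPHEMERAL
        while count > 0:
            port = self.next_ephemeral
            if self.next_ephemeral == MAX_EPHEMERAL:
                self.next_ephemeral = MIN_EPHEMERAL   # wrap around
            else:
                self.next_ephemeral += 1
            if check_suitable_port(port):
                return port
            count -= 1
        return None   # the draft's ERROR: whole range exhausted


class HashOffsetSelector:
    """Figure 4: the same global counter, but each (local_IP, remote_IP,
    remote_port) walks the range from its own secret, keyed offset."""

    def __init__(self, secret_key, start=0):
        self.secret_key = secret_key
        self.next_ephemeral = start

    def select(self, local_ip, remote_ip, remote_port, check_suitable_port):
        offset = F(local_ip, remote_ip, remote_port, self.secret_key)
        count = NUM_EPHEMERAL
        while count > 0:
            port = MIN_EPHEMERAL + (self.next_ephemeral + offset) % NUM_EPHEMERAL
            self.next_ephemeral += 1
            if check_suitable_port(port):
                return port
            count -= 1
        return None


if __name__ == "__main__":
    # Constructed sample: one client talks to two servers, A then B.
    def free(port):
        return True          # stand-in for check_suitable_port()
    seq, hashed = SequentialSelector(), HashOffsetSelector(b"constructed-key")
    for remote in ("198.51.100.7", "203.0.113.9"):
        print("sequential  ->", remote, seq.select(free))
        print("hash-offset ->", remote, hashed.select("192.0.2.1", remote, 80, free))
```

With the sequential selector the two printed ports are consecutive regardless of destination; with the hash-offset selector the gap between them is (F(B) - F(A)) mod num_ephemeral, which cannot be computed without secret_key.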
skipping to change at page 18, line 19

   /* Ephemeral port selection function */
   num_ephemeral = max_ephemeral - min_ephemeral + 1;
   offset = F(local_IP, remote_IP, remote_port, secret_key1);
   index = G(local_IP, remote_IP, remote_port, secret_key2);
   count = num_ephemeral;

   do {
       port = min_ephemeral + (offset + table[index]) % num_ephemeral;
       table[index]++;

       if(check_suitable_port(port))
           return port;

       count--;
   } while (count > 0);

   return ERROR;

                                Figure 5

   (In -07 the test read "if(resulting five-tuple is unique)".)
skipping to change at page 20, line 18

   /* Ephemeral port selection function */
   num_ephemeral = max_ephemeral - min_ephemeral + 1;
   count = num_ephemeral;

   do {
       next_ephemeral = next_ephemeral + (random() % N) + 1;
       port = min_ephemeral + (next_ephemeral % num_ephemeral);

       if(check_suitable_port(port))
           return port;

       count--;
   } while (count > 0);

   return ERROR;

                                Figure 6

   (In -07 the test read "if(resulting five-tuple is unique)".)

This algorithm aims at producing a monotonically-increasing
skipping to change at page 27, line 12

can remove this section before publication of this document as an
RFC.

7. Acknowledgements

The offset function was inspired by the mechanism proposed by Steven
Bellovin in [RFC1948] for defending against TCP sequence number
attacks.
The authors would like to thank (in alphabetical order) Mark Allman,
Jari Arkko, Matthias Bethke, Stephane Bortzmeyer, Brian Carpenter,
Vincent Deffontaines, Ralph Droms, Lars Eggert, Pasi Eronen, Gorry
Fairhurst, Adrian Farrel, Guillermo Gont, Alfred Hoenes, Avshalom
Houri, Charlie Kaufman, Amit Klein, Carlos Pignataro, Tim Polk,
Kacheong Poon, Pasi Sarolahti, Randall Stewart, Joe Touch, Michael
Tuexen, and Dan Wing for their valuable feedback on earlier versions
of this document. (-08 adds Jari Arkko to this list.)

The authors would like to thank FreeBSD's Mike Silbersack for a very
fruitful discussion about ephemeral port selection techniques.

Fernando Gont would like to thank Carolina Suarez for her love and
support. (New in -08.)
8. References

8.1. Normative References

[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
          August 1980.

[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
          RFC 793, September 1981.
skipping to change at page 32, line 9

A.5. OpenSolaris

OpenSolaris 2009.06 implements Algorithm 1, with a 'min_port' of
32768 and a 'max_port' of 65535. [OpenSolaris]

Appendix B. Changes from previous versions of the draft (to be removed
            by the RFC Editor before publication of this document as a
            RFC)
B.1. Changes from draft-ietf-tsvwg-port-randomization-07

   o Addresses Jari Arkko's DISCUSS.

   (This section is new in -08; in -07 the sections that follow were
   numbered B.1 through B.11.)

B.2. Changes from draft-ietf-tsvwg-port-randomization-06

   o Fixes the typo in the port number range.
   o Fixes the requirements on the random() function.
   o Other miscellaneous edits (resulting from IESG feedback).

B.3. Changes from draft-ietf-tsvwg-port-randomization-05

   o Addresses AD review feedback from Lars Eggert.

B.4. Changes from draft-ietf-tsvwg-port-randomization-04

   o Fixes nits.

B.5. Changes from draft-ietf-tsvwg-port-randomization-03

   o Addresses WGLC comments from Mark Allman. See:
     http://www.ietf.org/mail-archive/web/tsvwg/current/msg09149.html

B.6. Changes from draft-ietf-tsvwg-port-randomization-02

   o Added clarification of what we mean by "port randomization".
   o Addresses feedback sent on-list and off-list by Mark Allman.
   o Added references to [Allman] and [CPNI-TCP].

B.7. Changes from draft-ietf-tsvwg-port-randomization-01

   o Added Section 2.3.
   o Added discussion of "lazy binding" in Section 3.5.
   o Added discussion of obtaining the number of outgoing connections.
   o Miscellaneous editorial changes.

B.8. Changes from draft-ietf-tsvwg-port-randomization-00

   o Added Section 3.1.
   o Changed Intended Status from "Standards Track" to "BCP".
   o Miscellaneous editorial changes.

B.9. Changes from draft-larsen-tsvwg-port-randomization-02

   o Draft resubmitted as draft-ietf.
   o Included references and text on protocols other than TCP.
   o Added the second variant of the simple port randomization
     algorithm.
   o Reorganized the algorithms into different sections.
   o Miscellaneous editorial changes.

B.10. Changes from draft-larsen-tsvwg-port-randomization-01

   o No changes. Draft resubmitted after expiration.

B.11. Changes from draft-larsen-tsvwg-port-randomization-00

   o Fixed a bug in expressions used to calculate number of ephemeral
     ports.
   o Added a survey of the algorithms in use by popular TCP
     implementations.
   o The whole document was reorganized.
   o Miscellaneous editorial changes.

B.12. Changes from draft-larsen-tsvwg-port-randomisation-00

   o Document resubmitted after original document by M. Larsen expired
     in 2004.
   o References were included to current WG documents of the TCPM WG.
   o The document was made more general, to apply to all transport
     protocols.
   o Miscellaneous editorial changes.

End of changes. 25 change blocks.
41 lines changed or deleted, 55 lines changed or added.

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/