On Tue, Jan 22, 2013 at 4:52 PM, Dan Wing <dwing@cisco.com> wrote:
> draft-donley-behave-deterministic-cgn provides that functionality in an attempt to help randomize ports (see RFC6056). However, because the ports are fixed and there are relatively few ports, an attacker can determine the ports by causing the victim to open a bunch of TCP connections. This can be done by a bunch of "img src" tags in an HTML-encoded email message, among other mechanisms. If the hashing causes no logging, it creates a new requirement for a strong audit trail of the CGN configuration.
I thought this was desirable behavior for a CGN since effective port prediction facilitates p2p NAT traversal? Bear in mind that Windows XP uses a dynamic port range between 1024 and 5000 and allocates them linearly. Small range and trivially predictable. Were it practical to use this knowledge for much more than denial of service I tend to think we'd have noticed by now.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
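The following is an added illustration of the two points made in the exchange above; it is not code from either poster or from the draft. It models a deterministic CGN as a simple sequential block scheme (each inside host gets a fixed, contiguous slice of one public address's ports, with RFC 6056-style randomization only within that slice) and a Windows XP-style stack that hands out 1024-5000 linearly. The block-size arithmetic, the RESERVED/RATIO values and the function names are assumptions chosen for the example, not the draft's normative algorithm. The attacker's "img src" trigger is simulated by simply asking the victim for n connections and recording the source ports seen.

```python
import random

# Constructed parameters for this example (assumptions, not the draft's
# normative values): one public IPv4 address shared by RATIO inside hosts,
# ports below RESERVED kept back, the remainder cut into equal, contiguous
# blocks assigned deterministically by the host's position in the inside range.
RESERVED = 1024
TOTAL_PORTS = 65536 - RESERVED           # 64512 usable external ports
RATIO = 32                               # inside hosts per outside address
BLOCK = TOTAL_PORTS // RATIO             # 2016 external ports per inside host


def block_for(inside_index):
    """External port block the deterministic CGN gives inside host #inside_index."""
    start = RESERVED + inside_index * BLOCK
    return range(start, start + BLOCK)


def inside_index_for(port):
    """Invert block_for(): which inside host sits behind an observed external port."""
    return (port - RESERVED) // BLOCK


class DeterministicCGN:
    """CGN side: random port (RFC 6056 style), but only within the host's fixed block."""

    def __init__(self, inside_index, rng):
        self.block = block_for(inside_index)
        self.rng = rng

    def new_connection(self):
        return self.rng.choice(self.block)


class WindowsXPStack:
    """Herrin's Windows XP case: ephemeral ports 1024..5000, allocated linearly."""

    def __init__(self):
        self.next_port = 1024

    def new_connection(self):
        port = self.next_port
        self.next_port = 1024 if port == 5000 else port + 1
        return port


def harvest_ports(stack, n):
    """Attacker's view: the n source ports seen on the attacker's server after the
    victim fetches n 'img src' references pointing at it (Wing's trigger)."""
    return [stack.new_connection() for _ in range(n)]


def infer_cgn_block(observed):
    """Recover the victim's entire external block from a handful of sightings.
    Every port must map to the same inside host, otherwise the sample is mixed."""
    indices = {inside_index_for(p) for p in observed}
    if len(indices) != 1:
        raise ValueError("observed ports span more than one subscriber block")
    return block_for(indices.pop())


def predict_next_xp_port(last_seen):
    """Linear allocation: the next ephemeral port is the previous one plus one."""
    return 1024 if last_seen == 5000 else last_seen + 1


def search_space_reduction(block):
    """Guesses an off-path attacker needs before vs. after learning the block."""
    return TOTAL_PORTS, len(block)


def simulate_attack(inside_index, n_connections, seed):
    """Run the whole CGN-side attack with a seeded RNG; returns (ports seen, inferred block)."""
    victim = DeterministicCGN(inside_index, random.Random(seed))
    seen = harvest_ports(victim, n_connections)
    return seen, infer_cgn_block(seen)


if __name__ == "__main__":
    seen, block = simulate_attack(inside_index=7, n_connections=20, seed=2013)
    before, after = search_space_reduction(block)
    print(f"observed {seen[:5]}..., inferred block {block.start}-{block.stop - 1}")
    print(f"guess space shrank from {before} to {after} ports")

    xp = WindowsXPStack()
    first = harvest_ports(xp, 1)[0]
    print(f"XP: saw {first}, predicted {predict_next_xp_port(first)}, actual {xp.new_connection()}")
```

With the CGN scheme a single observed port already pins down the block; the extra connections only confirm that the sample is not mixed with another subscriber's traffic. The search space drops from the full 64512 ports to one block of 2016, which is the cost Wing is pointing at. The XP model shows Herrin's contrast: there the next port is known exactly, not just to within a block, and the question in the thread is how much an attacker can do with that beyond denial of service.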