Recommendations for Transport-Protocol Port Randomization
RFC 6056
| Document | |
|---|---|
| Type | RFC - Best Current Practice (January 2011; Errata). Also known as BCP 156 |
| Authors | Michael Larsen, Fernando Gont |
| Last updated | 2020-01-21 |
| Replaces | draft-larsen-tsvwg-port-randomization |
| Stream | IETF |
| Formats | plain text, html, pdf, htmlized (with errata), bibtex |
| Reviews | |

| Stream | |
|---|---|
| WG state | (None) |
| Document shepherd | No shepherd assigned |

| IESG | |
|---|---|
| IESG state | RFC 6056 (Best Current Practice) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Telechat date | |
| Responsible AD | Lars Eggert |
| IESG note | James Polk (jmpolk@cisco.com) is the Document Shepherd. |
| Send notices to | (None) |
Internet Engineering Task Force (IETF)                         M. Larsen
Request for Comments: 6056                                         Tieto
BCP: 156                                                         F. Gont
Category: Best Current Practice                                  UTN/FRH
ISSN: 2070-1721                                             January 2011

Recommendations for Transport-Protocol Port Randomization

Abstract

During the last few years, awareness has been raised about a number of "blind" attacks that can be performed against the Transmission Control Protocol (TCP) and similar protocols. The consequences of these attacks range from throughput reduction to broken connections or data corruption. These attacks rely on the attacker's ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be attacked.

This document describes a number of simple and efficient methods for the selection of the client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods for protecting the transport-protocol instance, the aforementioned port selection algorithms provide improved security with very little effort and without any key management overhead. The algorithms described in this document are local policies that may be incrementally deployed and that do not violate the specifications of any of the transport protocols that may benefit from them, such as TCP, UDP, UDP-lite, Stream Control Transmission Protocol (SCTP), Datagram Congestion Control Protocol (DCCP), and RTP (provided that the RTP application explicitly signals the RTP and RTCP port numbers).

Status of This Memo

This memo documents an Internet Best Current Practice.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6056.

Larsen & Gont                Best Current Practice                [Page 1]

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

Table of Contents

1. Introduction (page 4)
2. Ephemeral Ports (page 5)
   2.1. Traditional Ephemeral Port Range (page 5)
   2.2. Ephemeral Port Selection (page 6)
   2.3. Collision of instance-ids (page 7)
3. Obfuscating the Ephemeral Port Selection (page 8)
   3.1. Characteristics of a Good Algorithm for the Obfuscation of the Ephemeral Port Selection (page 8)
   3.2. Ephemeral Port Number Range (page 10)
   3.3. Algorithms for the Obfuscation of the Ephemeral Port Selection (page 11)
      3.3.1. Algorithm 1: Simple Port Randomization Algorithm (page 11)
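The abstract's point, as an added illustration that is not the RFC's own pseudocode: a traditional sequential ephemeral-port allocator beside a simple randomized one, with a measurement of how often a blind attacker who assumes "last observed port plus one" guesses the next client port. The port range 49152-65535, the in-use table and the bounded retry loop are assumptions made for this example.

```python
import random
import secrets

# Assumed ephemeral range for this example (IANA dynamic range), not the RFC's own recommendation.
MIN_EPHEMERAL = 49152
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


def next_port_sequential(last_port, in_use):
    """Traditional allocation: next free port after the last one handed out.
    An observer who learns one port can predict those that follow."""
    port = last_port
    for _ in range(NUM_EPHEMERAL):
        port = MIN_EPHEMERAL + (port + 1 - MIN_EPHEMERAL) % NUM_EPHEMERAL
        if port not in in_use:
            return port
    raise RuntimeError("no free ephemeral port")


def next_port_random(last_port, in_use, rng=secrets.randbelow):
    """Simple randomization: uniform draw from the range, retried a bounded
    number of times on collision. last_port is unused; shared signature."""
    for _ in range(NUM_EPHEMERAL):
        port = MIN_EPHEMERAL + rng(NUM_EPHEMERAL)
        if port not in in_use:
            return port
    raise RuntimeError("no free ephemeral port")


def seeded_random_allocator(seed):
    """next_port_random driven by a seeded PRNG, for reproducible runs only."""
    rng = random.Random(seed).randrange
    return lambda last_port, in_use: next_port_random(last_port, in_use, rng)


def guess_success_rate(choose, trials=200):
    """Fraction of allocations a blind attacker predicts correctly by
    assuming the next client port is the last observed port plus one."""
    in_use = set()
    last = choose(MIN_EPHEMERAL, in_use)
    in_use.add(last)
    hits = 0
    for _ in range(trials):
        guess = last + 1 if last < MAX_EPHEMERAL else MIN_EPHEMERAL
        port = choose(last, in_use)
        hits += port == guess
        in_use.add(port)
        last = port
    return hits / trials
```

The sequential allocator is predicted every time, while the randomized one leaves the attacker with roughly a one-in-16384 chance per instance, which is the reduction in guessability the abstract refers to.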