Full Disclosure mailing list archives
Re: DNS and NAT (was: DNS and CheckPoint)
From: Ryan McBride <mcbride () openbsd org>
Date: Wed, 16 Jul 2008 16:07:21 +0900
Someone just drew my attention to this thread. On Thu, Jul 10, 2008 at 07:41:32PM -0400, Thomas Cross wrote:
> We've also been wondering whether NAT devices ought to randomly assign UDP source ports, although no NAT vendor that we're aware of has done this to date.
OpenBSD's packet filter, pf (also available in the other BSDs and a number of commercial products based on them), randomizes the source port by default for all NATed TCP and UDP connections using an RC4-based pseudo-random number generator, and has done so since 2000. We've been suggesting for quite some time that everyone randomize source ports (among other network values) wherever possible.

Will the holdout vendors finally start doing this, or will they wait for yet another vulnerability that can be mitigated by it?

-Ryan
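As an added example (not part of Ryan's post or of pf's own code), the following audit script shows how a defender can check from the external side of a NAT whether the translated UDP source ports of outbound DNS queries are fixed, sequential, or randomized, and how much that changes the guess space a forged response has to hit. The log line format and all sample lines are constructed for this example.

```python
import re

# Constructed sample log lines (format assumed, not pf's real pflog output):
# "<epoch> <ext_ip>:<translated_port> > <resolver_ip>:53 udp"
SEQUENTIAL_NAT = [
    "1216190841 203.0.113.5:1025 > 192.0.2.53:53 udp",
    "1216190842 203.0.113.5:1026 > 192.0.2.53:53 udp",
    "1216190843 203.0.113.5:1027 > 192.0.2.53:53 udp",
    "1216190844 203.0.113.5:1028 > 192.0.2.53:53 udp",
]
RANDOMIZED_NAT = [
    "1216190841 203.0.113.5:53901 > 192.0.2.53:53 udp",
    "1216190842 203.0.113.5:7412 > 192.0.2.53:53 udp",
    "1216190843 203.0.113.5:61118 > 192.0.2.53:53 udp",
    "1216190844 203.0.113.5:30277 > 192.0.2.53:53 udp",
]

LINE_RE = re.compile(r"^\d+ \S+:(\d+) > \S+:53 udp$")


def translated_ports(lines):
    """Extract the NAT-translated source port of each outbound DNS query."""
    return [int(m.group(1)) for m in map(LINE_RE.match, lines) if m]


def classify(ports):
    """Return 'fixed', 'sequential' or 'randomized' for the observed ports.

    'sequential' means every consecutive pair differs by the same small
    step, so the next translated port is predictable from the last one.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1 and abs(next(iter(steps))) <= 2:
        return "sequential"
    return "randomized"


def guess_space(ports, port_range=64512):
    """Number of (TXID, port) combinations a forged reply must match.

    The 16-bit transaction ID is always in play; the source port only adds
    to the space when the NAT makes it unpredictable. port_range assumes
    the 1024-65535 ephemeral range.
    """
    txid_space = 1 << 16
    return txid_space * (port_range if classify(ports) == "randomized" else 1)


def audit(lines):
    """Summarize the NAT's behaviour for one set of external-side log lines."""
    ports = translated_ports(lines)
    return {"ports": ports, "behaviour": classify(ports), "guess_space": guess_space(ports)}
```

Running `audit(SEQUENTIAL_NAT)` reports a guess space of 65536, while `audit(RANDOMIZED_NAT)` reports one roughly 64512 times larger, which is the mitigation Ryan is describing.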