<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: [e2e] Port numbers in the network
layer?</title></head><body>
<div>At 9:32 PM +0200 4/25/13, Detlef Bosau wrote:</div>
<blockquote type="cite" cite>Am 25.04.2013 14:52, schrieb John
Day:<br>
<blockquote type="cite" cite>Re: [e2e] Port numbers in the network
layer?</blockquote>
<blockquote type="cite" cite>The question is why is a protocol-id
field required in some protocols and not others.</blockquote>
<blockquote type="cite" cite><br></blockquote>
<blockquote type="cite" cite>If it is to identify the protocol in the
layer above, then how many thousand SCTP instances can I identify on
top of a single IP instance. If it identifies the protocol, then
that should be possible. Obviously it isn't what it is intended
for.<br>
</blockquote>
</blockquote>
<blockquote type="cite" cite><br>
So, what is, concisely, the problem and your proposed
solution?</blockquote>
<div><br></div>
<div>Problem? What problem? No one suggested there was a
problem.</div>
<div><br></div>
<div>The question was about the distinction between protocol-id fields
and port-ids. I explained the difference and what the function
of the protocol-id field was as opposed to the purpose of source and
destination port-ids. It is the case that the protocol-id field
does have the rather disturbing property of requiring an (N)-protocol
to have information about (N+1)-protocols, while port-ids
provide better isolation.</div>
<div><br></div>
<div>One of the implications of Watson's work is that port-id and
connection-endpoint-ids should be distinct. This has a number of
benefits.</div>
<div><br></div>
<blockquote type="cite" cite><br>
Up to know, each individual TCP connection is uniquely identified by
an address quadruple (node 1, port 1, node 2, port2).<br>
</blockquote>
<blockquote type="cite" cite>Why doesn't this work?</blockquote>
<div><br></div>
<div>For what value of "work"? ;-)</div>
<div><br></div>
<div>The current practice in TCP has certain security problems.
These stem from the fact that port-ids and connection-endpoint ids are
conflated and the use of well-known ports. The TCP server
must rely on source port to distinguish connections to a well-known
port. This is a number it did not generate and can be spoofed
and hence creates a security vulnerability.</div>
<div><br></div>
<blockquote type="cite" cite><br></blockquote>
<blockquote type="cite" cite>And which solution works
better?</blockquote>
<div><br></div>
<div>Taking the lessons from delta-t noted above and eliminating the
need for well-known ports avoids a number of security
vulnerabilities.</div>
<div><br></div>
<div>see<font face="Times New Roman" color="#000000"> G. Boddapati, L.
Chitkushev, J. Day, and I. Matta "Assessing the Security of a
Clean-Slate Internet Architecture," Seventh Workshop on Secure
Network Protocols (NPSec) October 30th, 2012.</font></div>
</body>
</html>