BCP 156

RFC 6056

Recommendations for Transport-Protocol Port Randomization, January 2011

File formats:
icon for text file icon for PDF icon for HTML icon for inline errata
Status:
BEST CURRENT PRACTICE
Authors:
M. Larsen
F. Gont
Stream:
IETF
Source:
tsvwg (wit)

Cite this BCP: TXT  |  XML

Discuss this RFC: Send questions or comments to the mailing list iesg@ietf.org

Other actions: View Errata  |  Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC


Abstract

During the last few years, awareness has been raised about a number of "blind" attacks that can be performed against the Transmission Control Protocol (TCP) and similar protocols. The consequences of these attacks range from throughput reduction to broken connections or data corruption. These attacks rely on the attacker's ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be attacked. This document describes a number of simple and efficient methods for the selection of the client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods for protecting the transport-protocol instance, the aforementioned port selection algorithms provide improved security with very little effort and without any key management overhead. The algorithms described in this document are local policies that may be incrementally deployed and that do not violate the specifications of any of the transport protocols that may benefit from them, such as TCP, UDP, UDP-lite, Stream Control Transmission Protocol (SCTP), Datagram Congestion Control Protocol (DCCP), and RTP (provided that the RTP application explicitly signals the RTP and RTCP port numbers). This memo documents an Internet Best Current Practice.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.




Advanced Search