
Re: Do we actually need dynamic ports?




> From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

> When I say I want to add selector X to an existing SA, I am not asking you
> to open up a security hole. I am saying something like "I believe that we
> have opened up an FTP session on port X and I want to protect it." You
> should be able to decide, based on local policy, whether you accept the
> widening of the SA. And note that 'widening' does not necessarily imply a
> range of ports; it could simply be a list of non-contiguous ports that does
> not cover your precious RPC traffic.

Yes, if you can statically express in your policy the allowed
"widening", something like (or whatever)

  remote_port=21 = FTP_SA ("widenrange=2000-4000")

then there is no problem. However, the problem was that there was no
prior knowledge about the possible port that was to be added. So, if the
other site gets to decide on the port, widening could hit any port. After
packets come in using FTP_SA and get accepted, there is nothing after
that which would verify that they end up with the FTP application;
instead, any service on the port is fair game.

> So I am not asking you to add new rules to your SPD. I am asking you to
> create an instantiation of a template rule which already existed in your
> SPD, and which is subject to dynamic session data.

Ahh, you mean my node "sniffs" the FTP traffic and finds the port
there, and this port gets opened? Perhaps this is sufficient, if the
widening is bound to the connection (e.g. both remote and local ports are
included).

I'm only concerned whether all aspects of this widening have been
considered.
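As an added illustration of the two local-policy checks discussed in this message (a static widenrange on the SPD template, and binding the widened selector to both ports of the sniffed connection), the following toy model is example code written for this archive page; it is not code from either poster nor from any IPsec implementation. The rule notation remote_port=21 = FTP_SA ("widenrange=2000-4000") is taken from the message; the class and function names are assumptions, ports 2345 and 40001 are constructed sample values, and port 111 (the RPC portmapper) stands in for the "precious RPC traffic" mentioned in the quote.

```python
"""Toy SPD template with a bounded "widening" allowance (added example).

Not code from the list posters or any IPsec stack. Class/function names,
and the sample ports 2345 / 40001, are assumptions made for illustration;
port 111 (sunrpc portmapper) plays the role of the RPC traffic that a
widened FTP_SA must not be able to reach.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

TCP = 6


@dataclass(frozen=True)
class Selector:
    """One traffic selector; None means 'any' for that field."""
    proto: int
    local_port: Optional[int]
    remote_port: Optional[int]

    def matches(self, proto: int, local_port: int, remote_port: int) -> bool:
        return (self.proto == proto
                and self.local_port in (None, local_port)
                and self.remote_port in (None, remote_port))


@dataclass
class Template:
    """SPD template: the static rule plus the widening local policy allows."""
    name: str
    base: Selector
    widen_lo: int                    # inclusive remote-port range the peer may pick from
    widen_hi: int
    bind_to_connection: bool = True  # also pin our own port of the sniffed session


@dataclass
class SA:
    template: Template
    selectors: Set[Selector] = field(default_factory=set)

    def matches(self, proto: int, local_port: int, remote_port: int) -> bool:
        return any(s.matches(proto, local_port, remote_port) for s in self.selectors)


class WideningRejected(Exception):
    pass


def widen(sa: SA, local_port: int, remote_port: int) -> Selector:
    """Instantiate the template for one dynamically learned session.

    Local policy decides: the peer-chosen remote port must lie inside
    widenrange, and with bind_to_connection the new selector also carries
    our local port, so inbound packets on this SA reach only that socket.
    """
    t = sa.template
    if not t.widen_lo <= remote_port <= t.widen_hi:
        raise WideningRejected(
            f"{t.name}: remote port {remote_port} outside "
            f"widenrange={t.widen_lo}-{t.widen_hi}")
    sel = Selector(TCP, local_port if t.bind_to_connection else None, remote_port)
    sa.selectors.add(sel)
    return sel


def build_ftp_sa(bind_to_connection: bool = True) -> SA:
    """remote_port=21 = FTP_SA ("widenrange=2000-4000"), as written in the message."""
    tmpl = Template("FTP_SA", Selector(TCP, None, 21), 2000, 4000, bind_to_connection)
    return SA(tmpl, {tmpl.base})


def demo() -> dict:
    # Passive-mode data connection: the remote server announced port 2345,
    # our client socket is 40001 (constructed values).
    bound = build_ftp_sa(bind_to_connection=True)
    widen(bound, local_port=40001, remote_port=2345)
    unbound = build_ftp_sa(bind_to_connection=False)
    widen(unbound, local_port=40001, remote_port=2345)

    # Peer trying to widen onto the portmapper: refused by widenrange.
    try:
        widen(bound, local_port=40001, remote_port=111)
        refused = False
    except WideningRejected:
        refused = True

    return {
        "data_conn_ok": bound.matches(TCP, 40001, 2345),
        # Inbound from remote 2345 aimed at our port 111: only the
        # connection-bound selector keeps it off FTP_SA.
        "bound_blocks_other_service": not bound.matches(TCP, 111, 2345),
        "unbound_leaks_other_service": unbound.matches(TCP, 111, 2345),
        "out_of_range_refused": refused,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unbound case is the worry raised in the message: once a selector says "remote port 2345, any local port", every inbound packet from that remote port is accepted on FTP_SA regardless of which local service it is addressed to. Pinning the local port turns the widening into a per-connection instantiation of the template, and widenrange keeps the peer from steering the widening onto a port outside what local policy anticipated.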