Re: Do we actually need dynamic ports?
> From: Jan Vilhuber <vilhuber@xxxxxxxxx>
> > Those aren't the options. The options are "FTP" or "all ports". "All
> > ports" is understandable.
> >
>
> Yes, but may not be what the local security policy OUGHT to be. It's
> too wide.
But, the question is: how is this widening going to happen? If it is
some message which IKE receives from the other side "add this port to
this SA", then we effectively have "all ports open".
Say I have policy
remote_port=21 -> FTP_SA
remote_port=111 -> RPC_SA
now I connect to some site with FTP, and this hostile site "widens"
the FTP SA to allow traffic with port=111. Now, this other random site
suddenly has full access to my RPC stuff... Not GOOD!
If there is any widening, it must be happening under control of my
host (and even then there is a difficulty of verifying that this
automatic widening does not open up any other holes...).
=> I'm still of the opinion that any automatic messing with policy
selectors or policy specifications is dangerous.
At least, if you do that, you have to convince others that the operation
does not open any security holes in any situation.
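The scenario above, as an added toy model that is not part of the mail or of any IKE implementation: two SAs with remote-port selectors (port 21 for FTP_SA, port 111 for RPC_SA), a naive "add this port to this SA" widening driven by the peer, and a widening that is only applied under the local host's own bound. The helper names and the local bound (FTP_SA may cover port 21 and ephemeral ports 1024-65535, RPC_SA only port 111) are constructed for the illustration.

```python
"""Toy model of IPsec SA selector 'widening' (constructed illustration).

Helper names and the local widening bound are hypothetical; they are not
taken from any IKE stack.  Inbound traffic is accepted only if the packet,
decapsulated from SA X, matches X's current selector.
"""

def initial_sas():
    # SA -> set of remote ports its selector currently admits (from the mail)
    return {"FTP_SA": {21}, "RPC_SA": {111}}

# Local policy bound on what each SA may ever be widened to (constructed):
# FTP may add ephemeral data ports, RPC stays fixed at 111.
LOCAL_WIDEN_BOUNDS = {
    "FTP_SA": lambda p: p == 21 or 1024 <= p <= 65535,
    "RPC_SA": lambda p: p == 111,
}

def inbound_accepted(sas, sa, remote_port):
    """A packet arriving over `sa` must match `sa`'s own selector set."""
    return remote_port in sas[sa]

def widen_on_peer_request(sas, sa, port):
    """Naive widening straight from the peer's message: no local check."""
    sas[sa].add(port)
    return sas

def widen_under_local_control(sas, sa, port):
    """Widening applied only if local policy permits it for this SA and the
    port is not already claimed by some other SA's selector."""
    if not LOCAL_WIDEN_BOUNDS[sa](port):
        raise PermissionError(f"{sa} may not be widened to port {port}")
    for other, ports in sas.items():
        if other != sa and port in ports:
            raise PermissionError(f"port {port} already belongs to {other}")
    sas[sa].add(port)
    return sas

def hostile_peer_scenario(widen):
    """The FTP peer asks to add port 111 to FTP_SA, then sends a port-111
    packet over FTP_SA.  Returns True if that packet would be accepted."""
    sas = initial_sas()
    try:
        widen(sas, "FTP_SA", 111)
    except PermissionError:
        pass  # widening refused; selector stays {21}
    return inbound_accepted(sas, "FTP_SA", 111)

def legit_ftp_data_scenario(widen):
    """Same peer asks to add a passive-mode data port (constructed: 40000)."""
    sas = initial_sas()
    widen(sas, "FTP_SA", 40000)
    return inbound_accepted(sas, "FTP_SA", 40000)
```

Running `hostile_peer_scenario` with each widening function shows the difference the mail argues for: the peer-driven version lets port-111 traffic through the FTP peer's SA, the locally bounded version does not, while both still admit the legitimate FTP data port.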