RFC Editor

BCP 156

RFC 6056

Recommendations for Transport-Protocol Port Randomization, January 2011

Status:
BEST CURRENT PRACTICE
Authors:
M. Larsen
F. Gont
Stream:
IETF
Source:
tsvwg (wit)


Discuss this RFC: Send questions or comments to the mailing list iesg@ietf.org



Abstract

During the last few years, awareness has been raised about a number of "blind" attacks that can be performed against the Transmission Control Protocol (TCP) and similar protocols. The consequences of these attacks range from throughput reduction to broken connections or data corruption. These attacks rely on the attacker's ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be attacked. This document describes a number of simple and efficient methods for the selection of the client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods for protecting the transport-protocol instance, the aforementioned port selection algorithms provide improved security with very little effort and without any key management overhead. The algorithms described in this document are local policies that may be incrementally deployed and that do not violate the specifications of any of the transport protocols that may benefit from them, such as TCP, UDP, UDP-lite, Stream Control Transmission Protocol (SCTP), Datagram Congestion Control Protocol (DCCP), and RTP (provided that the RTP application explicitly signals the RTP and RTCP port numbers). This memo documents an Internet Best Current Practice.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.



