From: Doug Barton <dougb@FreeBSD.org>
Date: Fri, 28 Jan 2011 11:00:40 -0800
To: Ivo Vachkov
Cc: FreeBSD Net <freebsd-net@freebsd.org>, bz@freebsd.org
Subject: Re: Proposed patch for Port Randomization modifications according to RFC6056
Message-ID: <4D431258.8040704@FreeBSD.org>
References: <4D411CC6.1090202@gont.com.ar>
Organization: http://SupersetSolutions.com/
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 01/28/2011 06:33, Ivo Vachkov wrote:
> Hello,
>
> I would like to thank you for the help and for the recommendations.
>
> I attach the second version of the patch I proposed earlier, including
> the following changes:
>
> 1) All RFC6056 algorithms are implemented.
> 2) Both IPv4 and IPv6 stacks are modified to use the new port
> randomization code.
> 3) There are two variables that can be modified via sysctl:
>    - net.inet.ip.portrange.rfc6056_algorithm - which allows the super
>      user to choose one out of the five possible algorithms.
>    - net.inet.ip.portrange.rfc6056_algorithm5_tradeoff - which allows the
>      super user to modify the trade-off value used in algorithm 5.
>    All values are explicitly checked for correctness before usage.
>    Default values for those variables represent the current/legacy port
>    randomization algorithm and the proposed values in the RFC itself.

I haven't reviewed the patch in detail yet but I wanted to first thank
you for taking on this work, and being so responsive to Fernando's
request (which I agreed with, and you updated before I even had a chance
to say so). :)

My one comment so far is on the name of the sysctls. There are 2
problems with sysctl/variable names that use an RFC title. The first is
that they are not very descriptive to the 99.9% of users who are not
familiar with that particular doc. The second is more esoteric, but if
the RFC is subsequently updated or obsoleted we're stuck with either an
anachronism or updating code (both of which have their potential areas
of confusion).

So in order to avoid this issue, and make it more consistent with the
existing:

net.inet.ip.portrange.randomtime
net.inet.ip.portrange.randomcps
net.inet.ip.portrange.randomized

How does net.inet.ip.portrange.randomalg sound?

I would also suggest that the second sysctl be named
net.inet.ip.portrange.randomalg.alg5_tradeoff so that one could do
'sysctl net.inet.ip.portrange.randomalg' and see both values. But I
won't quibble on that. :)

hth,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
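The thread refers to "algorithm 5" and its "trade-off value" without spelling out what the tunable does. Below is an added example, written for this page and not taken from Ivo's patch or from the FreeBSD tree, of RFC 6056 Algorithm 5 (random-increments port selection) in user-space C. The trade-off N is the second sysctl in the thread: each new connection advances the port by a random amount in [1, N], so a small N gives near-sequential ports (fewer reuse problems, easier to guess) and a large N approaches fully random selection. Everything beyond the RFC's pseudocode is an assumption for the example: the xorshift generator stands in for the kernel's random source and is not cryptographic, the port range and seed values are constructed, and `busy_set` stands in for the PCB lookup that a real stack performs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_NONE 0               /* returned when the whole range is in use */
#define RFC6056_DEFAULT_TRADEOFF 500 /* N suggested by RFC 6056 for Algorithm 5 */

/* Algorithm 5 state. In a kernel this would hang off the PCB table;
 * here it is a plain struct so the example runs stand-alone. */
struct rfc6056_alg5 {
    uint32_t next_ephemeral;  /* running offset; only its value mod range matters */
    uint32_t tradeoff;        /* N: largest random increment per selection */
    uint32_t rng_state;       /* xorshift32 state: deterministic stand-in, NOT a CSPRNG */
};

/* Deterministic xorshift32 so the example is reproducible (assumption:
 * a real implementation would call the kernel's random source instead). */
static uint32_t alg5_random(struct rfc6056_alg5 *st) {
    uint32_t x = st->rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    st->rng_state = x;
    return x;
}

/* The validation the thread mentions ("explicitly checked before usage"):
 * N == 0 would make the `% N` below divide by zero, so reject it. */
bool alg5_set_tradeoff(struct rfc6056_alg5 *st, uint32_t tradeoff) {
    if (tradeoff == 0)
        return false;
    st->tradeoff = tradeoff;
    return true;
}

void alg5_init(struct rfc6056_alg5 *st, uint32_t tradeoff, uint32_t seed) {
    st->rng_state = seed ? seed : 0x9E3779B9u;   /* xorshift must not start at 0 */
    if (!alg5_set_tradeoff(st, tradeoff))
        st->tradeoff = RFC6056_DEFAULT_TRADEOFF;
    st->next_ephemeral = alg5_random(st);        /* RFC 6056: next_ephemeral = random(); */
}

/* "Is this port already taken?" hook; the stack would consult its PCB table. */
typedef bool (*port_busy_fn)(uint16_t port, void *ctx);

/* RFC 6056 Section 3.3.5, Algorithm 5: random-increments port selection.
 * Advance by a random 1..N, then walk forward at most once around the
 * range looking for a free port. */
uint16_t alg5_select(struct rfc6056_alg5 *st, uint16_t min_ephemeral,
                     uint16_t max_ephemeral, port_busy_fn busy, void *ctx) {
    uint32_t num_ephemeral = (uint32_t)max_ephemeral - min_ephemeral + 1;
    uint32_t count = num_ephemeral;

    st->next_ephemeral += (alg5_random(st) % st->tradeoff) + 1;
    do {
        uint16_t port = (uint16_t)(min_ephemeral + (st->next_ephemeral % num_ephemeral));
        if (!busy(port, ctx))
            return port;
        st->next_ephemeral++;   /* collision: try the next port, no new randomness */
        count--;
    } while (count > 0);
    return PORT_NONE;
}

/* Constructed stand-in for the PCB table: a 64K-bit bitmap of used ports. */
struct busy_set { uint8_t bits[65536 / 8]; };

static void busy_set_add(struct busy_set *s, uint16_t p) {
    s->bits[p >> 3] |= (uint8_t)(1u << (p & 7));
}
static bool busy_set_has(uint16_t p, void *ctx) {
    const struct busy_set *s = ctx;
    return (s->bits[p >> 3] >> (p & 7)) & 1u;
}

/* Allocate up to n ports in sequence, marking each as used, and return how
 * many were obtained before the range was exhausted. */
int demo_allocate(uint32_t tradeoff, uint32_t seed, uint16_t min_port,
                  uint16_t max_port, int n, uint16_t *out) {
    static struct busy_set used;          /* static: too large for the stack */
    struct rfc6056_alg5 st;
    int got = 0;

    memset(&used, 0, sizeof used);
    alg5_init(&st, tradeoff, seed);
    while (got < n) {
        uint16_t p = alg5_select(&st, min_port, max_port, busy_set_has, &used);
        if (p == PORT_NONE)
            break;
        busy_set_add(&used, p);
        out[got++] = p;
    }
    return got;
}

int main(void) {
    uint16_t ports[8];
    int i, got = demo_allocate(RFC6056_DEFAULT_TRADEOFF, 12345u, 10000, 65535, 8, ports);
    for (i = 0; i < got; i++)
        printf("%u ", ports[i]);   /* successive ports drift upward by at most N each */
    printf("\n");
    return 0;
}
```

Note the difference from a pure random pick: after the random jump the search for a free port is a linear walk, so under heavy collision the algorithm degrades toward sequential allocation; that is the trade-off the second sysctl exposes, and why clamping N to a sane range (at minimum, rejecting 0) belongs in the sysctl handler rather than in the selection path.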