From: Fernando Gont <fernando@gont.com.ar>
Date: Thu, 27 Jan 2011 04:20:38 -0300
To: Ivo Vachkov
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: Proposed patch for Port Randomization modifications according to RFC6056
Message-ID: <4D411CC6.1090202@gont.com.ar>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On 26/01/2011 08:28 a.m., Ivo Vachkov wrote:
> I would like to propose a patch (against FreeBSD RELENG_8) to extend
> the port randomization support in FreeBSD, according to RFC6056
> (https://www.rfc-editor.org/rfc/rfc6056.txt)
>
> Currently the patch implements:
> - Algorithm 1 (default in FreeBSD 8)
> - Algorithm 2
> - Algorithm 5
> from the aforementioned RFC6056.
>
> Any of those algorithms can be chosen with the sysctl variable
> net.inet.ip.portrange.rfc6056_algorithm.
>
> I deliberately skipped Algorithm 3 and Algorithm 4, because I believe
> usage of cryptographic hash functions will introduce unnecessary
> latency in vital network operations. However, in case of expressed
> interest, I will be glad to add those too.

While my opinion may be biased (I'm a co-author of the aforementioned
RFC), I'd strongly argue in favor of the hash-based algorithms. At the
point in which you have a high connection-establishment rate with a
specific destination endpoint, you want to reuse the chances of
collisions. (IIRC, this is why the FreeBSD code at some point disabled
port randomization when connections were being established at a high
rate.)

As a datapoint, Linux ships with Algorithm #4 enabled by default.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
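The collision argument in the reply above can be measured rather than argued. The following is an added simulation, not Ivo Vachkov's patch and not FreeBSD or Linux kernel code: it implements RFC 6056 Algorithm 1 (simple port randomization, the FreeBSD 8 default) and Algorithm 4 (double-hash port selection, the Linux default) as the RFC specifies them, then opens a burst of connections to one destination and counts how many candidate ports had to be rejected because the same 4-tuple was still in TIME_WAIT. Everything not taken from the RFC is an assumption for the simulation: the 49152-65535 ephemeral range, a TIME_WAIT model that keeps the last 2000 ports to a destination busy, a xorshift PRNG standing in for random(), a keyed FNV-style mixer standing in for the cryptographic hash F()/G() the RFC calls for, and the constructed addresses and keys.

```c
/*
 * RFC 6056 Algorithm 1 vs Algorithm 4 under a connection burst to one
 * destination. Added simulation for this thread; not kernel code.
 * Assumptions (not from the thread): ephemeral range 49152-65535, a
 * TIME_WAIT window of TW_WINDOW ports per destination, xorshift PRNG for
 * random(), keyed FNV-style mixer for F()/G() (adequate for counting
 * collisions, NOT a substitute for the RFC's cryptographic hash).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_EPHEMERAL 49152
#define MAX_EPHEMERAL 65535
#define NUM_EPHEMERAL (MAX_EPHEMERAL - MIN_EPHEMERAL + 1)
#define TW_WINDOW     2000   /* assumed: ports still in TIME_WAIT per destination */
#define TABLE_LENGTH  10     /* RFC 6056 suggests a table of about 10 entries */

struct endpoint { uint32_t local_ip, remote_ip, remote_port; };

/* Deterministic stand-in for random(). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t prng(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Keyed mixer standing in for F() and G() of RFC 6056 (assumption). */
static uint32_t keyed_hash(const struct endpoint *e, uint32_t key) {
    uint32_t words[4] = { e->local_ip, e->remote_ip, e->remote_port, key };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++) { h ^= (words[i] >> (8 * b)) & 0xff; h *= 16777619u; }
    h ^= h >> 16; h *= 0x7feb352du; h ^= h >> 15;
    return h;
}

/* TIME_WAIT model: the last TW_WINDOW ports used towards a destination are busy. */
struct tw_state { uint16_t ring[TW_WINDOW]; int head, count; uint8_t busy[NUM_EPHEMERAL]; };

static int check_suitable_port(const struct tw_state *tw, int port) {
    return tw->busy[port - MIN_EPHEMERAL] == 0;
}

static void mark_used(struct tw_state *tw, int port) {
    if (tw->count == TW_WINDOW) {              /* oldest entry leaves TIME_WAIT */
        tw->busy[tw->ring[tw->head] - MIN_EPHEMERAL] = 0;
        tw->head = (tw->head + 1) % TW_WINDOW;
    } else {
        tw->count++;
    }
    tw->ring[(tw->head + tw->count - 1) % TW_WINDOW] = (uint16_t)port;
    tw->busy[port - MIN_EPHEMERAL] = 1;
}

/* RFC 6056 Algorithm 1: pick a fresh random port on every attempt. */
static int alg1_select(struct tw_state *tw, int *retries) {
    int count = NUM_EPHEMERAL;
    int next = MIN_EPHEMERAL + (int)(prng() % NUM_EPHEMERAL);
    do {
        if (check_suitable_port(tw, next)) return next;
        (*retries)++;
        next = MIN_EPHEMERAL + (int)(prng() % NUM_EPHEMERAL);
    } while (--count > 0);
    return -1;
}

/* RFC 6056 Algorithm 4: per-destination offset plus a per-bucket counter. */
static uint32_t table[TABLE_LENGTH];
static const uint32_t secret_key1 = 0xA5A5F00Du, secret_key2 = 0x5EEDBEEFu; /* constructed */

static void alg4_init(void) {
    for (int i = 0; i < TABLE_LENGTH; i++) table[i] = prng() % 65536;
}

static int alg4_select(struct tw_state *tw, const struct endpoint *e, int *retries) {
    int count = NUM_EPHEMERAL;
    uint32_t offset = keyed_hash(e, secret_key1);
    uint32_t index  = keyed_hash(e, secret_key2) % TABLE_LENGTH;
    do {
        int port = MIN_EPHEMERAL + (int)((offset + table[index]) % NUM_EPHEMERAL);
        table[index]++;
        if (check_suitable_port(tw, port)) return port;
        (*retries)++;
    } while (--count > 0);
    return -1;
}

/* Open n connections to one destination; return the number of candidate
 * ports rejected because the 4-tuple was still in TIME_WAIT (-1 on exhaustion). */
int burst_retries(int algorithm, int n) {
    static struct tw_state tw;
    struct endpoint dst = { 0xC0A80203u, 0xC0A80201u, 80 }; /* constructed: 192.168.2.3 -> 192.168.2.1:80 */
    int retries = 0;
    memset(&tw, 0, sizeof tw);
    rng_state = 0x9E3779B9u;
    alg4_init();
    for (int i = 0; i < n; i++) {
        int port = (algorithm == 1) ? alg1_select(&tw, &retries) : alg4_select(&tw, &dst, &retries);
        if (port < 0) return -1;
        mark_used(&tw, port);
    }
    return retries;
}

int main(void) {
    int n = 10000;
    printf("Algorithm 1 (random each time): %d rejected candidates over %d connections\n", burst_retries(1, n), n);
    printf("Algorithm 4 (double hash):      %d rejected candidates over %d connections\n", burst_retries(4, n), n);
    return 0;
}
```

With one hot destination, Algorithm 1 re-rolls a uniformly random port each time, so once the TIME_WAIT window is full roughly TW_WINDOW/NUM_EPHEMERAL (about 12% here) of candidates collide and must be retried. Algorithm 4 walks the ports for that destination sequentially from a hashed offset, so it never revisits a port inside the window, while a different destination gets a different offset and counter bucket and therefore an unrelated, unpredictable sequence. That is the property the reply points at, and it costs one hash per connection rather than a hash per retry.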