From: Matus Harvan
To: "Bruce M. Simpson"
Cc: freebsd-net@FreeBSD.org, Brooks Davis, Max Laier
Date: Wed, 31 Oct 2007 15:49:15 +0100
Subject: Re: UDP catchall
Message-ID: <20071031144915.GE1165@styx.ethz.ch>
In-Reply-To: <4726395B.8080905@FreeBSD.org>

On Mon, Oct 29, 2007 at 07:49:47PM +0000, Bruce M. Simpson wrote:
> Brooks Davis wrote:
>> While I think this idea has some merit, I think we specifically want
>> the current wildcard ability to allow for a system that requires
>> minimal configuration. The problem with a range is that it doesn't
>> allow disjoint sets and it requires that if you really do want all the
>> ports you need to produce a list of currently allocated ports to avoid
>> allocating. A more (over)engineered solution holds some attraction, but
>> I'm not yet convinced the fact that it could exist precludes the current
>> implementation.
>
> Actually I concur with you on this point, based solely on the disjoint sets
> point.

A slightly different argument: What if you set a certain port range for
catchall and an application then tries to bind to one of these ports?
Should the whole port range be reserved for the catchall socket, or should
an application be allowed to "take" one of the ports? The latter seems
more practical to me. But then there would be no point in changing from
the wildcard ability to a port range functionality.

> Another vector of attack would be to put the relay functionality into PF,
> which can do the packet matching. However this of course suffers from the
> problem that if you just want a plain old UDP socket for mtund, you won't
> get that unless you go to the inpcb layer anyway.
>
> But who says mtund needs to use sockets for its traffic relay? There is
> definite appeal in *not* doing it in the socket layer at all -- an
> adaptation of pf's log socket may suffice...

For UDP catchall this would suffice. However, we should also prevent the
kernel from sending back an (ICMP) notification that the port in question
was closed. How could this be done with pf's log socket or bpf? Blackhole
functionality would have to be enabled? This would then seem to me more
of a hack than doing this in the socket layer.

Matus
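The ICMP point in the last paragraph can be seen from userland without any kernel changes. The following is an added illustration, not code from the thread or from the mtund project: it sends one datagram from a connected UDP socket to a loopback port and reports what the sender learns. When nothing is bound there, a stock kernel answers with ICMP port unreachable, which the stack hands back to the sender as ECONNREFUSED; with that reply suppressed (net.inet.udp.blackhole=1 on FreeBSD, or a catchall socket absorbing the port) the sender sees only silence, which is the difference Matus is pointing at. The function names, the echo responder and the "reply"/"refused"/"silent" labels are constructed for this example; it assumes a working loopback interface and Python's standard library only.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"


def free_udp_port() -> int:
    """Let the kernel pick an unused UDP port on loopback, then release it.
    Constructed helper; the tiny window before reuse is fine for a demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def probe_udp_port(port: int, timeout: float = 1.0) -> str:
    """Send one datagram to LOOPBACK:port on a *connected* UDP socket and
    report what the sender learns from the kernel:

      "reply"   - a peer process answered, so something is bound there
      "refused" - recv() failed with ECONNREFUSED: the receiving kernel
                  answered the closed port with ICMP port unreachable and
                  the stack mapped that error onto our socket
      "silent"  - nothing at all before the timeout; this is what a
                  blackholed port (net.inet.udp.blackhole=1 on FreeBSD)
                  or a catchall-absorbed port looks like from outside
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() is what makes asynchronous ICMP errors visible to the
        # sender; an unconnected socket would just see silence.
        s.connect((LOOPBACK, port))
        s.send(b"probe")
        try:
            s.recv(64)
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "silent"


def probe_bound_port(timeout: float = 1.0) -> str:
    """Same probe against a port where a process really is listening:
    a throwaway echo responder on loopback answers the first datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind((LOOPBACK, 0))
        srv.settimeout(timeout)
        port = srv.getsockname()[1]

        def echo_once() -> None:
            try:
                data, peer = srv.recvfrom(64)
                srv.sendto(data, peer)
            except OSError:
                pass  # timed out or socket closed: nothing to answer

        t = threading.Thread(target=echo_once)
        t.start()
        try:
            return probe_udp_port(port, timeout)
        finally:
            t.join()


if __name__ == "__main__":
    print("bound port :", probe_bound_port())
    print("closed port:", probe_udp_port(free_udp_port()))
```

On a default FreeBSD or Linux host the closed-port probe returns "refused"; after `sysctl net.inet.udp.blackhole=1` on FreeBSD it returns "silent", because the kernel no longer emits the ICMP port unreachable. That is the same externally observable state a catchall socket would have to produce, which is why suppressing the ICMP reply has to be part of any design that bypasses the socket layer.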