From owner-freebsd-net@FreeBSD.ORG Wed Jun 2 21:27:29 2004
Message-Id: <200406030427.i534RAdh003365@gw.catspoiler.org>
Date: Wed, 2 Jun 2004 21:27:10 -0700 (PDT)
From: Don Lewis
To: dmitry@atlantis.dp.ua
In-Reply-To: <20040602093940.N99493@atlantis.atlantis.dp.ua>
cc: freebsd-net@FreeBSD.org
Subject: Re: net.inet.ip.portrange.randomized=1 hurts
List-Id: Networking and TCP/IP with FreeBSD

On 2 Jun, Dmitry Pryanishnikov wrote:
>
> Hello!
>
>> Date: Tue, 1 Jun 2004 19:07:35 -0500 (CDT)
>> From: Mike Silbersack
>>
>> On Tue, 1 Jun 2004, Andre Oppermann wrote:
>>
>>> A port should not be reused this fast. Maybe the randomness isn't
>>> so random after all and chooses the same port over again and again?
>>
>> We use arc4random, so I don't think that's likely, but it is possible.
>
> OK, I would like to provide some statistics based on FTP server log.
> In the following table, first column is the total number of PORT commands
> per FTP session, second is the number of PORT commands between the first and
> second occurrence of reused port (which is the cause of "425" error), third
> column is the interval between those occurrences in seconds:
>
> Total # of PORT comm.   Interval, # of PORT   Interval, sec
>
>         558                    35                  50
>         336                    50                  20
>         165                   160                  55
>
> So, it doesn't seem to me that random number generator works badly, but any
> randomness doesn't _guarantee_ that port number won't repeat within 2*MSL
> seconds, does it? Also I have heard of algorithms (but can't recollect now)
> that actually guarantee non-repeatness of the large portion (up
> to the interval range) of pseudo-random sequence. If we had such an algorithm
> for random port allocation, we won't get reused ports so often (by default,
> portrange.hilast=65535 and portrange.hifirst=49152, so theoretically we would
> have 16383 non-repeated port numbers before the first repeat).

Randomizing DNS query IDs without repeating any particular ID too quickly
is a similar problem. I contributed some code for this to BIND version 8
a number of years ago. See the nsid stuff in
/usr/src/contrib/bind/bin/named/ns_main.c. There are some comments
preceding the code that explain the background and how it is supposed to
work. Something like this might be suitable for port number allocation,
though the potentially long time that a given port number might be in use
would complicate things.
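The allocator below is an added example and is not part of this thread, of FreeBSD's in_pcb code, or of the BIND nsid code Don mentions. It shows one way to get the "non-repeating random sequence" Dmitry asks about: draw ports from a Fisher-Yates-shuffled permutation of the high range, so no port is handed out twice until all of them have been used, and reshuffle only when the cycle is exhausted. It also carries Don's complication, a port that is still bound, as a caller-supplied in_use callback that makes the allocator skip rather than reuse. Assumptions: the default range 49152-65535 from the thread, a small xorshift PRNG standing in for arc4random so the example runs offline (the bias of rnd() % n is noted in a comment; arc4random_uniform avoids it), and the hypothetical names port_alloc_* and busy_port, which exist only here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example; default high port range from the thread:
 * net.inet.ip.portrange.hifirst=49152, hilast=65535 -> 16384 ports. */
#define PORT_HIFIRST 49152
#define PORT_HILAST  65535
#define PORT_COUNT   (PORT_HILAST - PORT_HIFIRST + 1)

struct port_alloc {
    uint16_t perm[PORT_COUNT];  /* random permutation of the whole range */
    size_t   next;              /* index of the next port to hand out */
    uint32_t (*rnd)(void);      /* random source; arc4random in the kernel */
};

/* Deterministic xorshift stand-in for arc4random so this runs offline. */
static uint32_t demo_state = 2463534242u;
static uint32_t demo_rnd(void)
{
    uint32_t x = demo_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return demo_state = x;
}

/* Fisher-Yates shuffle of the range. Every port appears exactly once per
 * cycle, so a port cannot repeat until PORT_COUNT ports have been used.
 * (rnd() % (i+1) has a tiny modulo bias; arc4random_uniform avoids it.) */
static void port_alloc_reshuffle(struct port_alloc *pa)
{
    for (size_t i = 0; i < PORT_COUNT; i++)
        pa->perm[i] = (uint16_t)(PORT_HIFIRST + i);
    for (size_t i = PORT_COUNT - 1; i > 0; i--) {
        size_t j = pa->rnd() % (i + 1);
        uint16_t t = pa->perm[i];
        pa->perm[i] = pa->perm[j];
        pa->perm[j] = t;
    }
    pa->next = 0;
}

void port_alloc_init(struct port_alloc *pa, uint32_t (*rnd)(void))
{
    pa->rnd = rnd ? rnd : demo_rnd;
    port_alloc_reshuffle(pa);
}

/* Hand out the next port, skipping any the caller reports as still bound
 * (the long-lived-port complication). Returns 0 if the whole range is busy. */
uint16_t port_alloc_next(struct port_alloc *pa,
                         bool (*in_use)(uint16_t, void *), void *ctx)
{
    for (size_t tried = 0; tried < PORT_COUNT; tried++) {
        if (pa->next == PORT_COUNT)
            port_alloc_reshuffle(pa);   /* fresh random order for the next cycle */
        uint16_t p = pa->perm[pa->next++];
        if (in_use == NULL || !in_use(p, ctx))
            return p;
    }
    return 0;
}

/* Check: one full cycle yields PORT_COUNT distinct ports, all inside the range. */
size_t port_alloc_distinct_in_cycle(void)
{
    struct port_alloc pa;
    static uint8_t seen[65536];
    size_t distinct = 0;

    port_alloc_init(&pa, NULL);
    for (size_t i = 0; i < 65536; i++) seen[i] = 0;
    for (size_t i = 0; i < PORT_COUNT; i++) {
        uint16_t p = port_alloc_next(&pa, NULL, NULL);
        if (p < PORT_HIFIRST) return 0;     /* PORT_HILAST is 65535, so no upper test needed */
        if (!seen[p]) { seen[p] = 1; distinct++; }
    }
    return distinct;
}

/* Hypothetical in_use callback: exactly one port is still bound. */
static bool busy_port(uint16_t p, void *ctx)
{
    return p == *(const uint16_t *)ctx;
}

/* Check: a still-bound port is skipped and the next one in the cycle is used. */
bool port_alloc_skips_busy(void)
{
    struct port_alloc pa;
    port_alloc_init(&pa, NULL);
    uint16_t busy = pa.perm[0];
    uint16_t got = port_alloc_next(&pa, busy_port, &busy);
    return got != busy && got == pa.perm[1];
}

int main(void)
{
    struct port_alloc pa;
    port_alloc_init(&pa, NULL);
    for (int i = 0; i < 8; i++)
        printf("%u\n", port_alloc_next(&pa, NULL, NULL));
    printf("distinct in one cycle: %zu of %d\n",
           port_alloc_distinct_in_cycle(), PORT_COUNT);
    return 0;
}
```

The permutation table costs 32 KB per protocol family, which is why a kernel might prefer the counter-plus-offset style of the nsid code instead; the trade-off is that a shuffled table gives an attacker no way to predict the next port from earlier ones within a cycle, while a cheap full-period sequence such as an LCG guarantees the same non-repetition but is recoverable from a few observed ports. Either way, the in_use skip is what stops the 425-style collision Dmitry logged when a port is reused while its previous connection is still in TIME_WAIT.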