Date:      Fri, 28 Jan 2011 11:00:40 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        Ivo Vachkov <ivo.vachkov@gmail.com>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, bz@freebsd.org
Subject:   Re: Proposed patch for Port Randomization modifications according to RFC6056
Message-ID:  <4D431258.8040704@FreeBSD.org>
In-Reply-To: <AANLkTinvg5tft8xockuuV9g5QYd36ko9qO4YCvy5bkJ1@mail.gmail.com>
References:  <AANLkTi=rF+CYiNG7PurPtrwn-AMT9cYEe90epGAJDwDq@mail.gmail.com> <4D411CC6.1090202@gont.com.ar> <AANLkTinvg5tft8xockuuV9g5QYd36ko9qO4YCvy5bkJ1@mail.gmail.com>

On 01/28/2011 06:33, Ivo Vachkov wrote:
> Hello,
>
> I would like to thank you for the help and for the recommendations.
>
> I attach the second version of the patch I proposed earlier, including
> the following changes:
>
> 1) All RFC6056 algorithms are implemented.
> 2) Both IPv4 and IPv6 stacks are modified to use the new port
> randomization code.
> 3) There are two variables that can be modified via sysctl:
> - net.inet.ip.portrange.rfc6056_algorithm - which allows the super
> user to choose one out of the five possible algorithms.
> - net.inet.ip.portrange.rfc6056_algorithm5_tradeoff - which allows the
> super user to modify the trade-off value used in algorithm 5.
> All values are explicitly checked for correctness before usage.
> Default values for those variables represent the current/legacy port
> randomization algorithm and the values proposed in the RFC itself.

I haven't reviewed the patch in detail yet but I wanted to first thank 
you for taking on this work, and being so responsive to Fernando's 
request (which I agreed with, and you updated before I even had a chance 
to say so). :)

My one comment so far is on the names of the sysctls. There are two 
problems with sysctl/variable names that use an rfc title. The first is 
that they are not very descriptive to the 99.9% of users who are not 
familiar with that particular doc. The second is more esoteric, but if 
the rfc is subsequently updated or obsoleted we're stuck with either an 
anachronism or updating code (both of which have their potential areas 
of confusion).

So in order to avoid this issue, and make it more consistent with the 
existing:

net.inet.ip.portrange.randomtime
net.inet.ip.portrange.randomcps
net.inet.ip.portrange.randomized

How does net.inet.ip.portrange.randomalg sound? I would also suggest 
that the second sysctl be named 
net.inet.ip.portrange.randomalg.alg5_tradeoff so that one could do 
'sysctl net.inet.ip.portrange.randomalg' and see both values. But I 
won't quibble on that. :)


hth,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
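As an added illustration for readers of this thread (this is not Ivo's patch, which is not reproduced on this page, and not FreeBSD kernel code), here are two of the five RFC 6056 port-selection algorithms written out in plain C: Algorithm 1 (simple randomization) and Algorithm 5 (random increments), whose step bound N is the trade-off value that the second sysctl in the patch exposes. The ephemeral range, the in-use table standing in for the kernel's PCB lookup, and the xorshift PRNG are assumptions made for the demo; a kernel would consult its real connection tables and use arc4random() or similar.

```c
/* Added example: RFC 6056 Algorithms 1 and 5 in user-space C.
 * Illustrative code written for this page, not the FreeBSD patch under
 * discussion. Port range, in-use table and PRNG are demo assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_EPHEMERAL 49152   /* assumed range; RFC 6056 suggests 49152-65535 */
#define MAX_EPHEMERAL 65535
#define NUM_EPHEMERAL (MAX_EPHEMERAL - MIN_EPHEMERAL + 1)

/* Constructed "port already bound" table standing in for the PCB lookup. */
static uint8_t in_use[65536];

static int check_suitable_port(uint16_t port) { return !in_use[port]; }

/* Deterministic xorshift PRNG so the demo is reproducible (not for kernels). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t prng(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Algorithm 1: draw a uniformly random port, retry until a free one is found.
 * Maximum unpredictability, but a port may be reused immediately. */
int alg1_simple_random(void) {
    uint32_t count = NUM_EPHEMERAL;
    do {
        uint16_t port = MIN_EPHEMERAL + (prng() % NUM_EPHEMERAL);
        if (check_suitable_port(port)) return port;
    } while (--count > 0);
    return -1;   /* every port in the range is busy */
}

/* Algorithm 5: random increments. next_ephemeral advances by a random step in
 * [1, N]. N is the trade-off: larger N makes the next port harder to guess,
 * smaller N makes the walk through the range longer before a port is reused.
 * RFC 6056 suggests N = 500. */
static uint32_t next_ephemeral;   /* seeded once by reset_demo() */
int alg5_random_increments(uint32_t N) {
    uint32_t count = NUM_EPHEMERAL;
    if (N == 0) return -1;        /* reject an invalid trade-off value */
    do {
        next_ephemeral += (prng() % N) + 1;
        uint16_t port = MIN_EPHEMERAL + (next_ephemeral % NUM_EPHEMERAL);
        if (check_suitable_port(port)) return port;
    } while (--count > 0);
    return -1;
}

/* Forward distance from port a to port b within the range (wrapping).
 * For Algorithm 5 with all ports free this is always in [1, N]. */
uint32_t port_gap(int a, int b) {
    uint32_t ia = (uint32_t)(a - MIN_EPHEMERAL), ib = (uint32_t)(b - MIN_EPHEMERAL);
    return (ib + NUM_EPHEMERAL - ia) % NUM_EPHEMERAL;
}

/* Reset the demo state: all ports free, PRNG seeded, counter initialised. */
void reset_demo(uint32_t seed) {
    memset(in_use, 0, sizeof in_use);
    rng_state = seed ? seed : 1;
    next_ephemeral = prng();
}

int main(void) {
    reset_demo(12345);
    int prev = alg5_random_increments(500);
    for (int i = 0; i < 5; i++) {
        int p = alg5_random_increments(500);
        printf("alg5 port %d (gap %u from previous pick)\n", p, port_gap(prev, p));
        in_use[p] = 1;   /* simulate the port being bound */
        prev = p;
    }
    printf("alg1 port %d\n", alg1_simple_random());
    return 0;
}
```

The two extremes of N show what the trade-off sysctl actually tunes: with N = 1 Algorithm 5 degenerates into sequential allocation (a remote observer who sees one port can predict the next), while with N equal to the size of the range it behaves like Algorithm 1 (maximum randomness, but a just-released port can be picked again at once, which is what the incremental walk is meant to avoid). Whatever value a sysctl accepts for N must be validated before use, as the patch description says it does; the guard on N == 0 above is the minimal version of that check, since a zero modulus would otherwise trap.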




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D431258.8040704>