Date:      Sat, 01 Mar 2008 22:22:58 -0200
From:      Fernando Gont <fernando@gont.com.ar>
To:        "Kevin Oberman" <oberman@es.net>
Cc:        Rui Paulo <rpaulo@fnop.net>, freebsd-net@freebsd.org
Subject:   Re: Ephemeral port range (patch) 
Message-ID:  <200803020034.m220YJ6t018608@venus.xmundo.net>
In-Reply-To: <20080301224217.33F0A45047@ptavv.es.net>
References:  <Your message of "Sat, 01 Mar 2008 11:34:27 -0200." <200803011338.m21DcY9Z026418@venus.xmundo.net> <20080301224217.33F0A45047@ptavv.es.net>

At 08:42 p.m. 01/03/2008, Kevin Oberman wrote:

> > This patch changes the default ephemeral port range from 49152-65535
> > to 1024-65535. This makes it harder for an attacker to guess the
> > ephemeral ports (as the port number space is larger). Also, it makes
> > the chances of port number collisions smaller.
> > 
> (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
> >
> > This patch also includes my previous patch that eliminated duplicated
> > code in in_pcb_bind().
>
>The idea is good, but 1024 is way too low. Things like rpc and the like
>use ports well above 1024. Notably, 6000 and above are used by X. Maybe
>10000 would be OK. Maybe not, though. I see that gnuserv and gkrellmd
>both use ports about 1000. (gnuserv uses 30871 and gkrellmd uses 19150.)

Other UNIX-like systems use that "low" port range. e.g., OpenBSD uses 
the range 1024-49151. The idea would be to define a bit string in 
which you can specify those ports that should not be used as 
ephemeral ports (I will send this patch soon). (This is described in 
the IETF internet-draft I referenced, too.)

I will also start working on the double-hash ephemeral port selection 
algorithm described in the draft (this is, IMHO, the right approach 
to ephemeral port randomization).

Kind regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
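The two mechanisms discussed above, a bit string of ports excluded from ephemeral use and the draft's double-hash port selection, combined in one small program. This is an added example written for this page, not Fernando Gont's patch and not FreeBSD code: the keyed hash (FNV-1a over the tuple and a key), the xorshift PRNG used to seed the keys and counter table, the table size of 10, the `in_use` callback standing in for the kernel's PCB lookup, and the sample connection tuple are all assumptions of the example; a kernel would use a real keyed hash and its random source instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code: double-hash ephemeral port selection in the style of the
 * draft's algorithm, plus a bit string of ports never handed out as ephemeral. */

#define TABLE_LENGTH 10              /* per-bucket counters; size is an assumption */

struct port_set { uint64_t bits[65536 / 64]; };   /* one bit per TCP/UDP port */

static void port_set_add(struct port_set *s, uint16_t port)
{
    s->bits[port >> 6] |= 1ULL << (port & 63);
}

static bool port_set_has(const struct port_set *s, uint16_t port)
{
    return (s->bits[port >> 6] >> (port & 63)) & 1ULL;
}

struct conn_tuple { uint32_t local_ip, remote_ip; uint16_t remote_port; };

struct dh_state {
    uint16_t min_port, max_port;
    uint64_t key1, key2;             /* secret keys for the two hashes F() and G() */
    uint32_t table[TABLE_LENGTH];    /* randomly initialised counters, kept < range size */
    struct port_set reserved;        /* the "bit string" of ports excluded from ephemeral use */
};

/* Stand-in for the keyed hashes: FNV-1a over (tuple, key). Assumption of the
 * example; a kernel would use a proper keyed hash here. */
static uint64_t keyed_hash(const struct conn_tuple *t, uint64_t key)
{
    unsigned char buf[4 + 4 + 2 + 8];
    memcpy(buf, &t->local_ip, 4);
    memcpy(buf + 4, &t->remote_ip, 4);
    memcpy(buf + 8, &t->remote_port, 2);
    memcpy(buf + 10, &key, 8);
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Deterministic xorshift PRNG so the example is reproducible (assumption;
 * the real thing seeds from the kernel's random source). */
static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

static void dh_init(struct dh_state *st, uint16_t min_port, uint16_t max_port, uint64_t seed)
{
    memset(st, 0, sizeof *st);
    st->min_port = min_port;
    st->max_port = max_port;
    uint32_t num_ephemeral = (uint32_t)max_port - min_port + 1;
    uint64_t s = seed ? seed : 0x9E3779B97F4A7C15ULL;   /* xorshift must not start at 0 */
    st->key1 = xorshift64(&s);
    st->key2 = xorshift64(&s);
    for (size_t i = 0; i < TABLE_LENGTH; i++)
        st->table[i] = (uint32_t)(xorshift64(&s) % num_ephemeral);
}

/* Callback standing in for the PCB lookup that says whether a port is taken. */
typedef bool (*in_use_fn)(uint16_t port, void *ctx);

static bool in_use_from_set(uint16_t port, void *ctx)
{
    return port_set_has((const struct port_set *)ctx, port);
}

/* Returns a suitable ephemeral port for the tuple, or -1 if the range is exhausted. */
static int dh_select_port(struct dh_state *st, const struct conn_tuple *t, in_use_fn in_use, void *ctx)
{
    uint32_t num_ephemeral = (uint32_t)st->max_port - st->min_port + 1;
    uint32_t offset = (uint32_t)(keyed_hash(t, st->key1) % num_ephemeral);   /* F() */
    size_t index = (size_t)(keyed_hash(t, st->key2) % TABLE_LENGTH);        /* G() */

    for (uint32_t count = num_ephemeral; count > 0; count--) {
        uint16_t port = (uint16_t)(st->min_port + (offset + st->table[index]) % num_ephemeral);
        /* Counter stays reduced mod the range, so num_ephemeral steps visit every port once. */
        st->table[index] = (st->table[index] + 1) % num_ephemeral;
        if (!port_set_has(&st->reserved, port) && !(in_use && in_use(port, ctx)))
            return port;
    }
    return -1;
}

int main(void)
{
    struct dh_state st;
    dh_init(&st, 1024, 65535, 0x5eed);
    for (unsigned p = 6000; p < 6064; p++)        /* keep the X11 display ports out */
        port_set_add(&st.reserved, (uint16_t)p);
    struct conn_tuple t = { 0x0a000001u, 0xc0a80001u, 443 };   /* constructed sample tuple */
    for (int i = 0; i < 3; i++)
        printf("connection %d -> ephemeral port %d\n", i, dh_select_port(&st, &t, NULL, NULL));
    return 0;
}
```

Repeated connections to the same destination walk the range one port at a time (the per-bucket counter keeps collisions with a just-closed connection low), while connections to different destinations start from unrelated offsets, so an attacker observing one destination's ports learns nothing about another's. Ports set in `reserved` are skipped the same way as ports already in use, which is how a default range starting at 1024 can coexist with services that listen above it.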
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803020034.m220YJ6t018608>