From: Fernando Gont <fernando@gont.com.ar>
To: Kevin Oberman
Cc: Rui Paulo, freebsd-net@freebsd.org
Date: Sat, 01 Mar 2008 22:22:58 -0200
Subject: Re: Ephemeral port range (patch)
List: freebsd-net (Networking and TCP/IP with FreeBSD)

At 08:42 p.m. 01/03/2008, Kevin Oberman wrote:
> > This patch changes the default ephemeral port range from 49152-65535
> > to 1024-65535. This makes it harder for an attacker to guess the
> > ephemeral ports (as the port number space is larger). Also, it makes
> > the chances of port number collisions smaller.
> >
> > (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
> >
> > This patch also includes my previous patch that eliminated duplicated
> > code in in_pcb_bind().
>
> The idea is good, but 1024 is way too low. Things like rpc and the like
> use ports well above 1024. Notably, 6000 and above are used by X. Maybe
> 10000 would be OK. Maybe not, though. I see that gnuserv and gkrellmd
> both use ports about 1000. (gnuserv uses 30871 and gkrellmd uses 19150.)

Other UNIX-like systems use that "low" port range. e.g., OpenBSD uses the range 1024-49151.

The idea would be to define a bit string in which you can specify those ports that should not be used as ephemeral ports (I will send this patch soon). (This is described in the IETF internet-draft I referenced, too.)

I will also start working on the double-hash ephemeral port selection algorithm described in the draft (this is, IMHO, the right approach to ephemeral port randomization).

Kind regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
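The two mechanisms discussed in this thread, an exclusion bit string for ports that must never be handed out as ephemeral and the draft's double-hash port selection, as an added example in C. This is illustrative code written for this page, not FreeBSD's in_pcb_bind() or the draft's text; the FNV-1a hash standing in for the draft's keyed functions F() and G(), the 16-slot perturbation table, and the in_use bitmap standing in for the PCB hash lookup are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Range from the patch under discussion; the table size is an assumption. */
#define MIN_EPHEMERAL 1024
#define MAX_EPHEMERAL 65535
#define NUM_EPHEMERAL (MAX_EPHEMERAL - MIN_EPHEMERAL + 1)
#define TABLE_SIZE    16

static uint8_t  excluded[65536 / 8]; /* admin bit string: never use as ephemeral */
static uint8_t  in_use[65536 / 8];   /* stand-in for "is this port already bound?" */
static uint32_t table[TABLE_SIZE];   /* per-slot counters, randomised at init */

static void bit_set(uint8_t *map, uint16_t port) { map[port >> 3] |= (uint8_t)(1u << (port & 7)); }
static int  bit_get(const uint8_t *map, uint16_t port) { return (map[port >> 3] >> (port & 7)) & 1; }

void port_exclude(uint16_t port)   { bit_set(excluded, port); }
void port_mark_used(uint16_t port) { bit_set(in_use, port); }

/* Stand-in for the draft's keyed hashes F() and G(): FNV-1a over the
 * connection tuple plus a secret key. A kernel would use a real keyed hash. */
static uint32_t keyed_hash(uint32_t laddr, uint32_t faddr, uint16_t fport, uint32_t key) {
    uint32_t words[4] = { laddr, faddr, fport, key };
    const uint8_t *p = (const uint8_t *)words;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof words; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* The draft fills the perturbation table with random values at boot;
 * here the seed is a constructed stand-in for the kernel's RNG. */
void port_table_init(uint32_t seed) {
    for (int i = 0; i < TABLE_SIZE; i++)
        table[i] = keyed_hash(seed, (uint32_t)i, 0, 0xA5A5A5A5u);
}

/* Double-hash selection: offset = F(tuple, key1) fixes where this peer's
 * ports start; index = G(tuple, key2) picks a counter that advances on every
 * use, so consecutive connections to one peer get consecutive ports without
 * revealing the port chosen for any other peer. Returns 0 on exhaustion. */
uint16_t select_ephemeral_port(uint32_t laddr, uint32_t faddr, uint16_t fport,
                               uint32_t key1, uint32_t key2) {
    uint32_t offset = keyed_hash(laddr, faddr, fport, key1);
    uint32_t index  = keyed_hash(laddr, faddr, fport, key2) % TABLE_SIZE;
    for (uint32_t count = NUM_EPHEMERAL; count > 0; count--) {
        uint16_t port = (uint16_t)(MIN_EPHEMERAL + (offset + table[index]) % NUM_EPHEMERAL);
        table[index]++;
        if (!bit_get(excluded, port) && !bit_get(in_use, port))
            return port;
    }
    return 0;
}
```

Excluding a port this way (for example X's 6000) keeps the wide range while answering the objection in the quoted reply, since the selector simply steps over it.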