Date:      Mon, 3 Mar 2008 00:43:07 -0600 (CST)
From:      Mike Silbersack <silby@silby.com>
To:        Fernando Gont <fernando@gont.com.ar>
Cc:        Rui Paulo <rpaulo@fnop.net>, freebsd-net@freebsd.org, Kevin Oberman <oberman@es.net>
Subject:   Re: Ephemeral port range (patch) 
Message-ID:  <20080303002815.U37933@odysseus.silby.com>
In-Reply-To: <200803020034.m220YJ6t018608@venus.xmundo.net>
References:  <Your message of "Sat, 01 Mar 2008 11:34:27 -0200." <200803011338.m21DcY9Z026418@venus.xmundo.net> <20080301224217.33F0A45047@ptavv.es.net> <200803020034.m220YJ6t018608@venus.xmundo.net>


On Sat, 1 Mar 2008, Fernando Gont wrote:

> I will also start working on the double-hash ephemeral port selection 
> algorithm described in the draft (this is, IMHO, the right approach to 
> ephemeral port randomization)
>
> Kind regards,
>
> --
> Fernando Gont

Earlier in the week, I had commented (via private e-mail?) that I thought 
that Amit Klein's algorithm which I recently implemented in ip_id.c might 
be adapted to serve as an ephemeral port allocator.  Now that I've thought 
more about it, I'm not as certain that it would fit well.  I'll try to 
sketch out my ideas and see if I can figure out how it could fit.

The double-hash concept sounds pretty good, but there's a major problem 
with it.  If an application does a bind() to get a local port before doing 
a connect(), you don't know the remote IP or the remote port.

There's a related "feature" in the BSD TCP stack that all local ports are 
considered equal; even for applications that do a connect() call and 
specify a remote IP/port, we do not let them use the same local port to 
two different remote IPs at the same time.  This puts a limit on the total 
number of outgoing connections that one machine can have.

-Mike
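The double-hash port selection scheme Mike is weighing, together with the two problems he raises (a bind() that precedes connect() has no remote endpoint to hash, and the BSD rule that a local port in use is in use for every remote), as an added example that is not part of the thread and not FreeBSD's own code. It follows the shape of the draft's algorithm (two keyed hashes of the local IP/remote IP/remote port tuple, one choosing an offset and one choosing a counter in a small table) with assumed details: a 64-bit FNV-1a hash xored with a fixed key stands in for the kernel's hash and secret keys, the range is the assumed 49152-65535, and a global in-use bitmap stands in for the PCB lookup. All addresses and keys are made up.

```c
/* Double-hash ephemeral port selection, illustrative implementation.
 * Assumptions (not from the thread): FNV-1a as the keyed hash, fixed
 * keys, a 49152-65535 range, TEST-NET addresses, and a global in-use
 * bitmap as the "is this port free" check. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_EPHEMERAL 49152
#define MAX_EPHEMERAL 65535
#define NUM_EPHEMERAL (MAX_EPHEMERAL - MIN_EPHEMERAL + 1)
#define TABLE_LENGTH  10

/* Hypothetical endpoints for the demonstration. */
#define LOCAL_ADDR 0x0a000001u   /* 10.0.0.1 */
#define REMOTE_A   0xc000020au   /* 192.0.2.10 */
#define REMOTE_B   0xc6336407u   /* 198.51.100.7 */

/* Per-host state. Fixed keys keep the example deterministic; a real stack
 * draws the keys and the initial table[] contents from a CSPRNG at boot. */
static const uint64_t secret_key1 = 0x0123456789abcdefULL;
static const uint64_t secret_key2 = 0xfedcba9876543210ULL;
static uint16_t table[TABLE_LENGTH];
static bool port_in_use[65536];

void reset_state(void)
{
    memset(table, 0, sizeof table);
    memset(port_in_use, 0, sizeof port_in_use);
}

/* Keyed hash of (local IP, remote IP, remote port). 64-bit FNV-1a seeded
 * with the key stands in for the MD5/SipHash a kernel would use. */
static uint64_t keyed_hash(uint32_t laddr, uint32_t faddr, uint16_t fport,
                           uint64_t key)
{
    uint8_t buf[10];
    memcpy(buf, &laddr, 4);
    memcpy(buf + 4, &faddr, 4);
    memcpy(buf + 8, &fport, 2);
    uint64_t h = 0xcbf29ce484222325ULL ^ key;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* BSD-style check: a local port is free only if no socket holds it at all,
 * whatever the remote endpoint. This is the rule that caps the number of
 * outgoing connections at the size of the ephemeral range. */
static bool check_suitable_port(uint16_t port)
{
    return !port_in_use[port];
}

/* Returns a port in [MIN_EPHEMERAL, MAX_EPHEMERAL] and marks it in use, or
 * -1 when the range is exhausted. A bind() issued before connect() has no
 * remote endpoint, so the caller can only pass faddr = fport = 0, and every
 * such socket then shares the same offset and the same table counter. */
int select_ephemeral_port(uint32_t laddr, uint32_t faddr, uint16_t fport)
{
    uint32_t offset = (uint32_t)(keyed_hash(laddr, faddr, fport, secret_key1) % NUM_EPHEMERAL);
    uint32_t index  = (uint32_t)(keyed_hash(laddr, faddr, fport, secret_key2) % TABLE_LENGTH);

    for (int count = NUM_EPHEMERAL; count > 0; count--) {
        uint16_t port = (uint16_t)(MIN_EPHEMERAL + (offset + table[index]) % NUM_EPHEMERAL);
        table[index]++;          /* advances one destination's counter only */
        if (check_suitable_port(port)) {
            port_in_use[port] = true;
            return port;
        }
    }
    return -1;
}

int main(void)
{
    reset_state();
    int a1 = select_ephemeral_port(LOCAL_ADDR, REMOTE_A, 80);
    int a2 = select_ephemeral_port(LOCAL_ADDR, REMOTE_A, 80);
    int b1 = select_ephemeral_port(LOCAL_ADDR, REMOTE_B, 443);
    int u1 = select_ephemeral_port(LOCAL_ADDR, 0, 0);   /* bind() first */
    int u2 = select_ephemeral_port(LOCAL_ADDR, 0, 0);   /* bind() first */
    printf("to A: %d then %d (consecutive)\n", a1, a2);
    printf("to B: %d (independent offset)\n", b1);
    printf("bind-before-connect: %d then %d (one shared sequence)\n", u1, u2);
    return 0;
}
```

Two consecutive connections to the same destination get adjacent ports, a different destination starts from its own unrelated offset, but every socket that binds before connecting draws from the one (0, 0) sequence, which is exactly the case the double hash cannot distinguish. Because check_suitable_port() ignores the remote endpoint, a port held by the connection to A is never reused for B, and once 16384 ports are held the function fails even though the 4-tuples would all be distinct.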
