From owner-freebsd-net@FreeBSD.ORG Mon Mar 3 06:43:10 2008
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B3ED6106566B for ; Mon, 3 Mar 2008 06:43:10 +0000 (UTC) (envelope-from silby@silby.com)
Received: from relay00.pair.com (relay00.pair.com [209.68.5.9]) by mx1.freebsd.org (Postfix) with SMTP id 416EA8FC19 for ; Mon, 3 Mar 2008 06:43:09 +0000 (UTC) (envelope-from silby@silby.com)
Received: (qmail 62488 invoked from network); 3 Mar 2008 06:43:08 -0000
Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 3 Mar 2008 06:43:08 -0000
X-pair-Authenticated: 209.68.2.70
Date: Mon, 3 Mar 2008 00:43:07 -0600 (CST)
From: Mike Silbersack
To: Fernando Gont
In-Reply-To: <200803020034.m220YJ6t018608@venus.xmundo.net>
Message-ID: <20080303002815.U37933@odysseus.silby.com>
References: <20080301224217.33F0A45047@ptavv.es.net> <200803020034.m220YJ6t018608@venus.xmundo.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Rui Paulo, freebsd-net@freebsd.org, Kevin Oberman
Subject: Re: Ephemeral port range (patch)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 03 Mar 2008 06:43:10 -0000

On Sat, 1 Mar 2008, Fernando Gont wrote:

> I will also start working on the double-hash ephemeral port selection
> algorithm described in the draft (this is, IMHO, the right approach to
> ephemeral port randomization)
>
> Kind regards,
>
> --
> Fernando Gont

Earlier in the week, I had commented (via private e-mail?) that I thought that Amit Klein's algorithm, which I recently implemented in ip_id.c, might be adapted to serve as an ephemeral port allocator. Now that I've thought more about it, I'm not as certain that it would fit well. I'll try to sketch out my ideas and see if I can figure out how it could fit.

The double-hash concept sounds pretty good, but there's a major problem with it. If an application does a bind() to get a local port before doing a connect(), you don't know the remote IP or the remote port.

There's a related "feature" in the BSD TCP stack that all local ports are considered equal; even for applications that do a connect() call and specify a remote IP/port, we do not let them use the same local port to two different remote IPs at the same time. This puts a limit on the total number of outgoing connections that one machine can have.

-Mike
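The exchange above turns on two points: how the draft's double-hash port selection works, and why it has nothing to hash when a socket is bind()ed before connect(). The following is an added illustration written for this page, not code from the thread or from FreeBSD's in_pcb/ip_id code. It assumes the double-hash scheme in the form later published as RFC 6056 Algorithm 4 (offset = F(tuple, secret1), bucket = G(tuple, secret2), port = min + (offset + counter[bucket]) mod range, then counter[bucket]++), substitutes a keyed FNV-1a mix for the kernel's real keyed hash, uses constructed secrets and a constructed port range, and omits the in-use check and retry a real allocator performs. For the bind()-without-connect() case it falls back to plain range-wide randomization, with a small xorshift PRNG standing in for arc4random(); that fallback is an assumption about what such an allocator would have to do, not something the e-mail prescribes.

```c
/* Double-hash ephemeral port selection (RFC 6056 Algorithm 4 style) and the
 * bind()-before-connect() fallback. Added illustration, not FreeBSD code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PORT_MIN   49152u                       /* constructed range */
#define PORT_MAX   65535u
#define NUM_PORTS  (PORT_MAX - PORT_MIN + 1u)   /* 16384 ports, a power of two */
#define TABLE_SIZE 256u                         /* per-destination counter buckets */

static const uint32_t secret_f = 0xA5C3F00Du;   /* constructed secret for F */
static const uint32_t secret_g = 0x13579BDFu;   /* constructed secret for G */

/* Each (laddr, raddr, rport) hashes to one bucket; that bucket's counter advances
 * the port sequence for the destinations sharing it. */
static uint16_t counter_table[TABLE_SIZE];

/* Keyed mixing function: FNV-1a over the tuple plus a secret. A stand-in for a
 * real keyed hash (the kernel uses a cryptographic one), chosen for brevity. */
static uint32_t keyed_hash(uint32_t laddr, uint32_t raddr, uint16_t rport, uint32_t secret)
{
    uint8_t buf[14];
    memcpy(buf, &laddr, sizeof laddr);
    memcpy(buf + 4, &raddr, sizeof raddr);
    memcpy(buf + 8, &rport, sizeof rport);
    memcpy(buf + 10, &secret, sizeof secret);
    uint32_t h = 2166136261u;                   /* FNV-1a offset basis */
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 16777619u;                         /* FNV-1a prime */
    }
    return h;
}

/* connect() path: the full remote tuple is known, so F and G can be applied.
 * Consecutive connections to one destination get consecutive ports, but the
 * starting point of each destination's sequence is unpredictable without the secrets. */
uint16_t select_port_connect(uint32_t laddr, uint32_t raddr, uint16_t rport)
{
    uint64_t offset = keyed_hash(laddr, raddr, rport, secret_f);
    uint32_t index  = keyed_hash(laddr, raddr, rport, secret_g) % TABLE_SIZE;
    uint64_t port   = PORT_MIN + (offset + counter_table[index]) % NUM_PORTS;
    counter_table[index]++;   /* wraps at 65536, which is a multiple of NUM_PORTS */
    return (uint16_t)port;
}

/* Tiny xorshift32 PRNG standing in for arc4random(); constructed seed. */
static uint32_t prng_state = 0x2545F491u;
static uint32_t prng_next(void)
{
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* bind() path: no remote IP or port exists yet, so there is nothing to feed
 * F and G. The only option left is to pick a random port across the range. */
uint16_t select_port_bind(void)
{
    return (uint16_t)(PORT_MIN + prng_next() % NUM_PORTS);
}

/* Property check: two connections to the same destination, with nothing in
 * between, receive consecutive ports modulo the range. */
int same_destination_ports_are_consecutive(void)
{
    uint16_t p1 = select_port_connect(0x0A000001u, 0xC0A80101u, 443);
    uint16_t p2 = select_port_connect(0x0A000001u, 0xC0A80101u, 443);
    return p2 == PORT_MIN + ((uint32_t)(p1 - PORT_MIN) + 1u) % NUM_PORTS;
}

int port_in_range(uint16_t p)
{
    return p >= PORT_MIN && p <= PORT_MAX;
}

int main(void)
{
    printf("connect() to 192.168.1.1:443 -> %u\n", select_port_connect(0x0A000001u, 0xC0A80101u, 443));
    printf("connect() to 192.168.1.1:443 -> %u\n", select_port_connect(0x0A000001u, 0xC0A80101u, 443));
    printf("connect() to 8.8.8.8:53      -> %u\n", select_port_connect(0x0A000001u, 0x08080808u, 53));
    printf("bind() with no remote tuple  -> %u\n", select_port_bind());
    return 0;
}
```

The contrast the two selection functions make is the one the e-mail raises: per-destination sequences only exist when the destination is known at allocation time, and a port handed out on the bind() path has to be excluded from every later connect() regardless of destination, which is also the "all local ports are considered equal" limit on outgoing connection count.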