Date: Thu, 27 Jan 2011 04:20:38 -0300 From: Fernando Gont <fernando@gont.com.ar> To: Ivo Vachkov <ivo.vachkov@gmail.com> Cc: FreeBSD Net <freebsd-net@freebsd.org> Subject: Re: Proposed patch for Port Randomization modifications according to RFC6056 Message-ID: <4D411CC6.1090202@gont.com.ar> In-Reply-To: <AANLkTi=rF%2BCYiNG7PurPtrwn-AMT9cYEe90epGAJDwDq@mail.gmail.com> References: <AANLkTi=rF%2BCYiNG7PurPtrwn-AMT9cYEe90epGAJDwDq@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 26/01/2011 08:28 a.m., Ivo Vachkov wrote: > I would like to propose a patch (against FreeBSD RELENG_8) to extend > the port randomization support in FreeBSD, according to RFC6056 > (https://www.rfc-editor.org/rfc/rfc6056.txt) > > Currently the patch implements: > - Algorithm 1 (default in FreeBSD 8) > - Algorithm 2 > - Algorithm 5 > from the aforementioned RFC6056. > > Any of those algorithms can be chosen with the sysctl variable > net.inet.ip.portrange.rfc6056_algorithm. > > I deliberately skipped Algorithm 3 and Algorithm 4, because I believe > usage of cryptographic hash functions will introduce unnecessary > latency in vital network operations. However, in case of expressed > interest, I will be glad to add those too. While my opinion may be biased (I'm a co-author of the aforementioned RFC), I'd strongly argue in favor of the hash-based algorithms. At the point in which you have a high connection-establishment rate with a specific destination endpoint, you want to reuse the chances of collisions. (IIRC, this is why the FreeBSD code at some point disabled port randomization when connections were being established at a high rate). As a datapoint, Linux ships with Algorithm #4 enabled by default. Thanks! Best regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D411CC6.1090202>