From owner-freebsd-net@FreeBSD.ORG Fri Jan 28 19:57:22 2011
From: Ivo Vachkov
Date: Fri, 28 Jan 2011 21:57:00 +0200
To: Doug Barton
Cc: FreeBSD Net, bz@freebsd.org
Subject: Re: Proposed patch for Port Randomization modifications according to RFC6056
In-Reply-To: <4D431258.8040704@FreeBSD.org>
References: <4D411CC6.1090202@gont.com.ar> <4D431258.8040704@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Jan 28, 2011 at 9:00 PM, Doug Barton wrote:
> On 01/28/2011 06:33, Ivo Vachkov wrote:
>>
>> Hello,
>>
>> I would like to thank you for the help and for the recommendations.
>>
>> I attach the second version of the patch I proposed earlier, including
>> the following changes:
>>
>> 1) All RFC6056 algorithms are implemented.
>> 2) Both IPv4 and IPv6 stacks are modified to use the new port
>> randomization code.
>> 3) There are two variables that can be modified via sysctl:
>> - net.inet.ip.portrange.rfc6056_algorithm - which allows the super
>> user to choose one out of the five possible algorithms.
>> - net.inet.ip.portrange.rfc6056_algorithm5_tradeoff - which allows the
>> super user to modify the trade-off value used in algorithm 5.
>> All values are explicitly checked for correctness before usage.
>> Default values for those variables represent the current/legacy port
>> randomization algorithm and the values proposed in the RFC itself.
>
> I haven't reviewed the patch in detail yet but I wanted to first thank you
> for taking on this work, and being so responsive to Fernando's request
> (which I agreed with, and you updated before I even had a chance to say so).
> :)
>
> My one comment so far is on the name of the sysctls. There are 2 problems
> with sysctl/variable names that use an RFC title. The first is that they are
> not very descriptive to the 99.9% of users who are not familiar with that
> particular doc. The second is more esoteric, but if the RFC is subsequently
> updated or obsoleted we're stuck with either an anachronism or updating code
> (both of which have their potential areas of confusion).
>
> So in order to avoid this issue, and make it more consistent with the
> existing:
>
> net.inet.ip.portrange.randomtime
> net.inet.ip.portrange.randomcps
> net.inet.ip.portrange.randomized
>
> How does net.inet.ip.portrange.randomalg sound? I would also suggest that
> the second sysctl be named net.inet.ip.portrange.randomalg.alg5_tradeoff so
> that one could do 'sysctl net.inet.ip.portrange.randomalg' and see both
> values. But I won't quibble on that. :)
>

I have no objections to this. Since this is my first attempt to contribute
something back to the community I decided to see how it's done before. So I
found:

net.inet.tcp.rfc1323
net.inet.tcp.rfc3465
net.inet.tcp.rfc3390
net.inet.tcp.rfc3042

which probably led me in the wrong direction :)

I understand your point and agree with it. However, my somewhat limited
understanding of the sysctl internal organization is telling me that a tree
node does not support values. Am I wrong?

If my reasoning is correct, maybe I can create the sysctl variables with the
following names:

- net.inet.ip.portrange.randomalg (Tree Node)
- net.inet.ip.portrange.randomalg.alg[orithm] (Leaf Node, to store the
  selected algorithm)
- net.inet.ip.portrange.randomalg.alg5_tradeoff (Leaf Node, to store the
  Algorithm 5 trade-off value)

Ivo Vachkov
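An added example, not part of this thread or of the patch it discusses: a user-space C sketch of RFC 6056 Algorithm 5 (random increments), the algorithm whose trade-off value N the second sysctl controls, together with range checks of the kind a sysctl handler would apply to the algorithm index and to N before they are used. The PRNG, the constant names, the upper bound on N, the 0 return as an error sentinel and the `all_busy` helper are constructed assumptions, not values from the patch.

```c
/* Added example, not the patch under discussion: user-space sketch of
 * RFC 6056 Algorithm 5 (random increments) with range checks of the kind
 * the proposed sysctl values need before use. Constants, the PRNG and the
 * all_busy() helper are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RFC6056_NUM_ALGORITHMS 5   /* RFC 6056 defines five algorithms */
#define ALG5_TRADEOFF_MAX 65535    /* assumed upper bound for the step N */

/* Stand-in xorshift32 PRNG; a kernel implementation draws from its own RNG. */
static uint32_t prng_state = 0x2545F491u;
static uint32_t prng(void) {
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* Checks a sysctl handler would apply before storing the new values. */
bool valid_algorithm(int alg) { return alg >= 1 && alg <= RFC6056_NUM_ALGORITHMS; }
bool valid_tradeoff(int n) { return n >= 1 && n <= ALG5_TRADEOFF_MAX; }

/* Algorithm 5: advance a counter shared by all connections by a random step
 * in 1..N, then walk forward from it until a free port is found. Returns 0
 * (never a valid port here, since min_eph must be >= 1) when the inputs are
 * invalid or the whole range is occupied. */
static uint32_t next_ephemeral;   /* persists across calls, as in the RFC */
uint16_t alg5_pick_port(uint16_t min_eph, uint16_t max_eph, int tradeoff,
                        bool (*in_use)(uint16_t)) {
    if (!valid_tradeoff(tradeoff) || min_eph == 0 || max_eph < min_eph)
        return 0;
    uint32_t num_eph = (uint32_t)max_eph - min_eph + 1;
    next_ephemeral += (prng() % (uint32_t)tradeoff) + 1;
    for (uint32_t count = num_eph; count > 0; count--) {
        uint16_t port = (uint16_t)(min_eph + next_ephemeral % num_eph);
        next_ephemeral++;
        if (in_use == NULL || !in_use(port))
            return port;
    }
    return 0;
}

/* Constructed predicate marking every port busy, to exercise exhaustion. */
bool all_busy(uint16_t port) { (void)port; return true; }
```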