Date:      Fri, 04 Mar 2011 16:39:36 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, Ivo Vachkov <ivo.vachkov@gmail.com>
Subject:   Re: Proposed patch for Port Randomization modifications according to RFC6056
Message-ID:  <4D718648.801@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.00.1103031222160.6104@ai.fobar.qr>
References:  <AANLkTi=rF+CYiNG7PurPtrwn-AMT9cYEe90epGAJDwDq@mail.gmail.com> <4D411CC6.1090202@gont.com.ar> <AANLkTinvg5tft8xockuuV9g5QYd36ko9qO4YCvy5bkJ1@mail.gmail.com> <4D431258.8040704@FreeBSD.org> <AANLkTimhZ_pxTGt958AX8m=+S=g2hqsst=GH1a99D0g1@mail.gmail.com> <4D437B13.1070405@FreeBSD.org> <AANLkTim4=xa0rfoLgt-ao30XoZkLZ1hMYzE6LsrLNcbM@mail.gmail.com> <4D518FB3.3040503@FreeBSD.org> <4D6AB2BD.50208@gont.com.ar> <4D6AB636.3030708@FreeBSD.org> <alpine.BSF.2.00.1103031222160.6104@ai.fobar.qr>

On 03/04/2011 16:21, Bjoern A. Zeeb wrote:
> On Sun, 27 Feb 2011, Doug Barton wrote:

>> As for default algorithm, is there any reason not to make it 4?
>
> Yes, it's expensive both computation time and stack wise. Last I put
> MD5ctxs on the stack I was told that it was previously avoided due to
> stack limits. I haven't seen complaints on lists about it but it is
> possibly still true for small embedded.
>
> I'd also like to see a proper benchmark before switching the default
> on both state of the art and a soekris kind class of machine.

We expect people doing embedded work to make all kinds of adjustments, I 
can't see any reason why this shouldn't be one of them. Modern 
general-purpose machines have more than enough resources to handle this.

That said, maybe we need a knob like EMBEDDED to more easily handle some 
of these issues. I could see a default of alg 4 but something less 
computationally intensive ifdef EMBEDDED.

> That said I messed with the patch to avoid the two copies of the
> algorithms (so it will not be 4 soon). I know it compiles but I have
> yet to test it. I'd love to hear opinions. The #ifdef INET6/INETs
> are ugly but we'll see those a lot more and need to figure out
> different ways from how our code was written the last 10 years.
>
> http://people.freebsd.org/~bz/20110303-01-rfc6056.diff
>
> The patch also includes a bugfix for the ipv6 case wrt to
> "un-binding" on error.

Cool! I'll try to test this new patch this weekend.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
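For readers following the "why is alg 4 expensive" exchange above, here is the shape of RFC 6056 Algorithm 4 (the double-hash port selection algorithm) in user-space C. This is an added example, not the patch under discussion and not FreeBSD kernel code. The two keyed hashes F() and G() are where the cost Bjoern describes lives: a real implementation computes a cryptographic keyed hash over the connection tuple for each of them (the FreeBSD implementation being discussed uses MD5, hence the MD5 contexts on the stack). To keep this example self-contained, a keyed FNV-style mixer stands in for those hashes; it is an assumption of the example and is not cryptographically strong. The port range, table length, secret keys and the sample tuple are likewise constructed values, and the in-use bitmap is a toy stand-in for the kernel's connection table.

```c
/*
 * RFC 6056 Algorithm 4 ("Double-Hash Port Selection") in user-space C.
 * Added example; not FreeBSD code and not the patch from the thread.
 * keyed_hash() is a hypothetical stand-in for the cryptographic keyed
 * hashes F() and G() the RFC calls for (FreeBSD uses MD5 there).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_EPHEMERAL 49152                 /* assumed ephemeral range */
#define MAX_EPHEMERAL 65535
#define NUM_EPHEMERAL (MAX_EPHEMERAL - MIN_EPHEMERAL + 1)
#define TABLE_LENGTH  10                    /* arbitrary small table */

/* Per-host state: two secret keys, the per-bucket counters, and a toy
 * "port in use" bitmap standing in for the kernel's connection table. */
struct port_state {
    uint64_t key1, key2;
    uint16_t table[TABLE_LENGTH];
    uint8_t  in_use[65536 / 8];
};

/* Hypothetical keyed hash over (local addr, foreign addr, foreign port).
 * NOT cryptographically strong; real code must use a keyed crypto hash. */
static uint64_t keyed_hash(uint64_t key, uint32_t laddr, uint32_t faddr,
                           uint16_t fport)
{
    uint64_t h = 0xcbf29ce484222325ULL ^ key;
    uint8_t buf[10];
    memcpy(buf, &laddr, 4);
    memcpy(buf + 4, &faddr, 4);
    memcpy(buf + 8, &fport, 2);
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    h ^= h >> 32; h *= 0x9E3779B97F4A7C15ULL; h ^= h >> 29;  /* extra mixing */
    return h;
}

static int port_in_use(const struct port_state *st, uint16_t port)
{
    return (st->in_use[port / 8] >> (port % 8)) & 1;
}

void mark_port_in_use(struct port_state *st, uint16_t port)
{
    st->in_use[port / 8] |= (uint8_t)(1u << (port % 8));
}

void port_state_init(struct port_state *st, uint64_t key1, uint64_t key2)
{
    memset(st, 0, sizeof *st);
    st->key1 = key1;
    st->key2 = key2;
    /* RFC 6056 seeds table[] randomly; derived from key1 here so the
     * example is deterministic. */
    for (int i = 0; i < TABLE_LENGTH; i++)
        st->table[i] = (uint16_t)(keyed_hash(key1, (uint32_t)i, 0, 0) & 0xffff);
}

/* Ephemeral port for the tuple, or 0 if the whole range is in use.
 * Same control flow as the RFC 6056 section 3.3.4 pseudo-code: offset
 * comes from F(), the counter bucket from G(), and the bucket counter
 * advances on every attempt so a busy port is skipped, not retried. */
uint16_t select_port_alg4(struct port_state *st, uint32_t laddr,
                          uint32_t faddr, uint16_t fport)
{
    uint32_t offset = (uint32_t)keyed_hash(st->key1, laddr, faddr, fport);
    uint32_t index  = (uint32_t)(keyed_hash(st->key2, laddr, faddr, fport)
                                 % TABLE_LENGTH);
    for (uint32_t count = NUM_EPHEMERAL; count > 0; count--) {
        uint16_t port = (uint16_t)(MIN_EPHEMERAL +
                        (offset + st->table[index]) % NUM_EPHEMERAL);
        st->table[index]++;
        if (!port_in_use(st, port))
            return port;
    }
    return 0;
}

/* Self-check: the same tuple gets consecutive ports (the per-bucket
 * counter steps by one) and a port already in use is skipped.
 * Returns 1 on success, 0 on failure. */
int alg4_selfcheck(void)
{
    struct port_state st;
    uint32_t la = 0xC000020A, fa = 0xC6336407;   /* constructed: 192.0.2.10 -> 198.51.100.7 */
    port_state_init(&st, 0x0123456789abcdefULL, 0xfedcba9876543210ULL);
    uint16_t p1 = select_port_alg4(&st, la, fa, 443);
    uint16_t p2 = select_port_alg4(&st, la, fa, 443);
    if (p1 < MIN_EPHEMERAL ||
        p2 != MIN_EPHEMERAL + ((p1 - MIN_EPHEMERAL) + 1) % NUM_EPHEMERAL)
        return 0;
    uint16_t busy = (uint16_t)(MIN_EPHEMERAL + ((p1 - MIN_EPHEMERAL) + 2) % NUM_EPHEMERAL);
    mark_port_in_use(&st, busy);
    uint16_t p3 = select_port_alg4(&st, la, fa, 443);
    return p3 == MIN_EPHEMERAL + ((p1 - MIN_EPHEMERAL) + 3) % NUM_EPHEMERAL;
}

int main(void)
{
    printf("alg4 self-check: %s\n", alg4_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

Two things the code makes visible that the thread only alludes to: every call pays for two keyed hashes over the tuple before a single port is tried, which is the per-connection cost being weighed against a cheaper default for embedded targets, and the bucket counter is advanced on every iteration, so a tuple whose next port is busy moves on rather than looping on the same value.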



