Date: Mon, 12 Feb 2007 12:16:12 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: freebsd-net@freebsd.org
Subject: Ephemeral port selection
Message-ID: <200702121516.l1CFGHMX002994@venus.xmundo.net>
Folks,

Looking at FreeBSD's TCP implementation, I see that by default, ephemeral ports are selected from the range 49152-65535. This means that only 15K ports out of the available 65K port range are used for ephemeral port selection. This has at least two implications:

* Ephemeral ports are easier to predict (as you are picking them from a smaller range)
* There is a higher chance of facing the interoperability problems described in Mike Silbersack's presentation at EuroBSDCon 2005 (http://www.silby.com/eurobsdcon05/eurobsdcon_silbersack.pdf).

A first and small proposal would be to change the range of ephemeral port numbers to use the range 1024-65535. An array of bits could be maintained in memory to avoid the selection of ports that are used for services (e.g., X).

We have also been working on an alternative port randomization scheme that would help to avoid the problems described in Mike's presentation. Our work on the subject is available at:
http://www.gont.com.ar/drafts/port-randomization/draft-larsen-tsvwg-port-randomization-01.txt

We would be willing to provide patches for these things if there is interest in implementing the proposed changes (extending the port range and possibly implementing the RFC1948-like scheme for ephemeral port selection).

Any comments will be more than welcome.

Thanks,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
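The following is an added illustration of the two ideas the mail puts together (the wider 1024-65535 range with a bitmap of ports to skip, and an RFC1948-like selector that mixes a per-allocation counter with a keyed hash of the connection identifiers); it is not code from the thread, from FreeBSD, or from the referenced draft. The use of HMAC-SHA256 as the keyed function, the inclusive range, the tuple encoding and the sample addresses are all assumptions constructed for this sketch.

```python
import hmac
import hashlib
import struct
import secrets

# Range proposed in the mail (assumption: both ends inclusive).
MIN_PORT, MAX_PORT = 1024, 65535
NUM_EPHEMERAL = MAX_PORT - MIN_PORT + 1


def make_bitmap():
    """One bit per port number (65536 bits); a set bit marks a port to skip."""
    return bytearray(65536 // 8)


def reserve_port(bitmap, port):
    """Mark a port used by a local service (e.g. 6000 for X) as off-limits."""
    bitmap[port >> 3] |= 1 << (port & 7)


def is_reserved(bitmap, port):
    return bool(bitmap[port >> 3] & (1 << (port & 7)))


class PortSelector:
    """RFC1948-style choice: port = MIN + (counter + F(ids, secret)) mod N."""

    def __init__(self, secret=None, bitmap=None):
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.bitmap = bitmap if bitmap is not None else make_bitmap()
        self.counter = secrets.randbelow(NUM_EPHEMERAL)  # random start
        self.in_use = set()  # (local_ip, local_port, remote_ip, remote_port)

    def offset(self, local_ip, remote_ip, remote_port):
        # Keyed hash of the connection identifiers. HMAC-SHA256 stands in for
        # the MD5-based function of RFC 1948 (assumption: any keyed PRF works).
        msg = local_ip.encode() + remote_ip.encode() + struct.pack("!H", remote_port)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def select(self, local_ip, remote_ip, remote_port):
        """Return a free, non-reserved ephemeral port for this destination."""
        off = self.offset(local_ip, remote_ip, remote_port)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_PORT + (self.counter + off) % NUM_EPHEMERAL
            self.counter = (self.counter + 1) % NUM_EPHEMERAL
            four_tuple = (local_ip, port, remote_ip, remote_port)
            if is_reserved(self.bitmap, port) or four_tuple in self.in_use:
                continue
            self.in_use.add(four_tuple)
            return port
        raise OSError("no ephemeral port available")
```

Because the counter advances once per allocation, repeated connections to the same peer receive consecutive ports, while each distinct destination starts from an offset that is unpredictable without the secret.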