124 lines
4.4 KiB
Groff
124 lines
4.4 KiB
Groff
.\" $NetBSD: rfc6056.7,v 1.4 2012/07/01 17:00:32 wiz Exp $
|
|
.\"
|
|
.\" Copyright (c) 2011
|
|
.\" The NetBSD Foundation. All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
.\" by Vlad Balan
|
|
.\".
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\"
|
|
.Dd August 25, 2011
|
|
.Dt RFC6056 7
|
|
.Os
|
|
.Sh NAME
|
|
.Nm rfc6056
|
|
.Nd port randomization algorithms
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
algorithms are used in order to randomize the port allocation of outgoing UDP
|
|
packets, in order to provide protection from a series of
|
|
.Dq blind
|
|
attacks based on the
|
|
attacker's ability to guess the sequence of ephemeral ports associated
|
|
with outgoing packets.
|
|
For more information consult RFC 6056.
|
|
.Pp
|
|
The individual algorithms are described below.
|
|
.Ss The RFC 6056 algorithms
|
|
The following algorithms are available:
|
|
.Bl -tag -width "random_start"
|
|
.It Sy bsd
|
|
This is the default
|
|
.Nx
|
|
port selection algorithm, which starts from
|
|
.Dv anonportmax
|
|
and proceeds decreasingly through the available ephemeral ports.
|
|
.It Sy random_start
|
|
Select ports randomly from the available ephemeral ports.
|
|
In case a collision with a local port is detected, the
|
|
algorithm proceeds decreasingly through the sequence of ephemeral
|
|
ports until a free port is found.
|
|
Note that the random port selection algorithms are not guaranteed to find
|
|
a free port.
|
|
.It Sy random_pick
|
|
Select ports randomly from the available ephemeral ports.
|
|
In case a collision with a local port is detected the algorithm tries
|
|
selecting a new port randomly until a free port is found.
|
|
.It Sy hash
|
|
Select ports using a
|
|
.Xr md5 3
|
|
hash of the local address, the foreign address, and the foreign port.
|
|
Note that in the case of a
|
|
.Xr bind 2
|
|
call some of this information might be unavailable and the
|
|
port selection is delayed until the time of a
|
|
.Xr connect 2
|
|
call, performed either explicitly or up calling
|
|
.Xr sendto 2 .
|
|
.It Sy doublehash
|
|
Select ports using a
|
|
.Xr md5 3
|
|
hash of the local address, foreign address, and foreign port coupled with a
|
|
.Xr md5 3
|
|
hash of the same components obtained using a separate table that is
|
|
associated with a subset of all outgoing connections.
|
|
The same considerations regarding late connection as in the case of hash apply.
|
|
.It Sy randinc
|
|
Use random increments in order to select the next port.
|
|
.El
|
|
.Sh SYSCTL CONTROLS
|
|
The following sysctl controls are available for selecting the default
|
|
port randomization algorithm:
|
|
.Bl -column "net.inet6.udp6.anonportalgo.available" "string" "Changeable"
|
|
.It Sy sysctl name Ta Sy Type Ta Sy Changeable
|
|
.It net.inet.ip.anonportalgo.available Ta string Ta no
|
|
.It net.inet.ip.anonportalgo.selected Ta string Ta yes
|
|
.It net.inet6.ip6.anonportalgo.available Ta string Ta no
|
|
.It net.inet6.ip6.anonportalgo.selected Ta string Ta yes
|
|
.El
|
|
.Sh SOCKET OPTIONS
|
|
The
|
|
.Dv IP_PORTSEL
|
|
socket option at the
|
|
.Dv IPPROTO_IP
|
|
level and the
|
|
.Dv IPV6_PORTSEL
|
|
socket option at the
|
|
.Dv IPPROTO_IPV6
|
|
level can be used with a string argument specifying the algorithm's
|
|
name in order to select the port randomization algorithm
|
|
for a specific socket.
|
|
For more info see
|
|
.Xr setsockopt 2 .
|
|
.Sh SEE ALSO
|
|
.Xr setsockopt 2 ,
|
|
.Xr sysctl 3 ,
|
|
.Xr sysctl 7
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
algorithms first appeared in
|
|
.Nx 6.0 .
|