version 1.1, 2011/09/24 17:04:38 | version 1.2, 2011/09/24 18:47:59
.Nd port randomization algorithms
.Sh DESCRIPTION
The
.Nm
algorithms are used to randomize the port allocation of outgoing UDP
packets, in order to provide protection from a series of
.Dq blind
attacks based on the
attacker's ability to guess the sequence of ephemeral ports associated
with outgoing packets.
For more information consult RFC 6056.
.Pp
The individual algorithms are described below:
.Ss The RFC 6056 algorithms
.Li The following algorithms are available:
.Bl -tag -width "random_start"
Line 57 port selection algorithm, which starts f
and proceeds decreasingly through the available ephemeral ports.
.It Sy random_start
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected, the
algorithm proceeds decreasingly through the sequence of ephemeral
ports until a free port is found.
Note that the random port selection algorithms are not guaranteed to find
a free port.
Line 80 call, performed either explicitly or up
.It Sy doublehash
Select ports using a
.Xr md5 3
hash of the local address, foreign address, and foreign port coupled with a
.Xr md5 3
hash of the same components obtained using a separate table that is
associated with a subset of all outgoing connections.
Line 98 port randomization algorithm:
.It net.inet6.udp6.rfc6056.available Ta string Ta no
.It net.inet6.udp6.rfc6056.selected Ta string Ta yes
.El
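The two selection algorithms described above, random_start and doublehash, as an added user-space model; this is example code written for this page, not the manual page's text and not NetBSD's kernel implementation. The ephemeral port range, the 10-entry counter table, the byte layout fed to MD5 and the two secret keys are assumptions chosen for the illustration; the in-use port set is constructed.

```python
"""Added example (not from the rfc6056.7 manual page or from NetBSD):
a user-space model of the random_start and doublehash port selection
algorithms described by the page, doublehash following the shape of
RFC 6056's double-hash algorithm.  Port range, table length, MD5
input layout and keys are assumptions made for this illustration."""
import hashlib
import os
import secrets

# Constructed ephemeral port range (assumption; the real range is a kernel setting).
EPHEMERAL_LO = 49152
EPHEMERAL_HI = 65535
NUM_EPHEMERAL = EPHEMERAL_HI - EPHEMERAL_LO + 1


def random_start(in_use, randbelow=secrets.randbelow):
    """random_start as the page describes it: pick a random ephemeral
    port and, on collision with a port already in use, step downward
    through the range until a free port is found.  No wrap-around is
    modelled (an assumption; the page only says the search proceeds
    decreasingly), so None is returned when the walk reaches the bottom
    of the range, matching the note that a free port is not guaranteed."""
    port = EPHEMERAL_LO + randbelow(NUM_EPHEMERAL)
    while port >= EPHEMERAL_LO:
        if port not in in_use:
            return port
        port -= 1
    return None


def _md5_word(key, laddr, faddr, fport):
    """Keyed MD5 over (local address, foreign address, foreign port),
    folded to a 32-bit integer.  The input layout is an assumption."""
    data = key + laddr.encode() + b"|" + faddr.encode() + fport.to_bytes(2, "big")
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


class DoubleHash:
    """doublehash: one MD5 hash of the 3-tuple gives a per-destination
    offset; a second MD5 hash with a different key picks a slot in a
    small counter table shared by a subset of destinations.  The port is
    offset plus the slot counter, and the counter then advances, so the
    same destination sees consecutive ports while unrelated destinations
    see unrelated ones (this is the ordering property the page describes)."""

    TABLE_LEN = 10  # table length chosen for this example (assumption)

    def __init__(self, key1=None, key2=None, table=None):
        self.key1 = key1 if key1 is not None else os.urandom(16)
        self.key2 = key2 if key2 is not None else os.urandom(16)
        # Counters start at random values so the first port is not predictable.
        self.table = list(table) if table is not None else [
            secrets.randbelow(NUM_EPHEMERAL) for _ in range(self.TABLE_LEN)]

    def select(self, laddr, faddr, fport, in_use):
        offset = _md5_word(self.key1, laddr, faddr, fport)
        slot = _md5_word(self.key2, laddr, faddr, fport) % self.TABLE_LEN
        # At most one full pass over the range, advancing the counter each try.
        for _ in range(NUM_EPHEMERAL):
            port = EPHEMERAL_LO + (offset + self.table[slot]) % NUM_EPHEMERAL
            self.table[slot] += 1
            if port not in in_use:
                return port
        return None


if __name__ == "__main__":
    dh = DoubleHash()
    busy = set()  # constructed set of ports already bound locally
    for _ in range(3):
        p = dh.select("192.0.2.10", "198.51.100.7", 53, busy)
        busy.add(p)
        print("doublehash ->", p)
    print("random_start ->", random_start(busy))
```

Run stand-alone, the script prints three consecutive doublehash ports for one destination and then one random_start port; with fresh keys each run, the doublehash starting point changes, which is the property that denies an off-path observer a usable guess at the next port.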
.Sh SOCKET OPTIONS
The socket option
.Dv UDP_RFC6056ALGO