Annotation of src/share/man/man7/rfc6056.7, Revision 1.2.2.1
.\" $NetBSD: rfc6056.7,v 1.2 2011/09/24 18:47:59 wiz Exp $
.\"
.\" Copyright (c) 2011
.\" The NetBSD Foundation. All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Vlad Balan
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.Dd August 25, 2011
.Dt RFC6056 7
.Os
.Sh NAME
.Nm rfc6056
.Nd port randomization algorithms
.Sh DESCRIPTION
The
.Nm
algorithms randomize the ephemeral (source) port chosen for outgoing UDP
packets, in order to protect against a class of
.Dq blind
attacks that rely on the attacker's ability to guess the sequence of
ephemeral ports associated with outgoing packets.
The algorithms follow RFC 6056; consult it for the analysis of the
trade-offs between them.
Randomizing the source port only lowers an off-path attacker's odds per
guess; it does not replace cryptographic protection of the protocol
carried in the packets.
.Pp
The individual algorithms are described below.
.Ss The RFC 6056 algorithms
The following algorithms are available:
.Bl -tag -width "random_start"
.It Sy bsd
This is the default
.Nx
port selection algorithm, which starts at
.Dv anonportmax
and walks downward through the available ephemeral ports.
It is sequential, and therefore predictable.
.It Sy random_start
Select a random starting port from the available ephemeral ports.
If that port is already in use locally, the algorithm walks downward
through the sequence of ephemeral ports until a free port is found.
Note that the random port selection algorithms are not guaranteed to find
a free port.
.It Sy random_pick
Select ports randomly from the available ephemeral ports.
If the chosen port is already in use locally, the algorithm picks another
port at random, repeating until a free port is found; as noted above,
this is not guaranteed to succeed.
.It Sy hash
Select ports using an
.Xr md5 3
hash of the local address, the foreign address, and the foreign port,
so that each foreign endpoint sees its own port sequence.
Note that in the case of a
.Xr bind 2
call some of this information might be unavailable, so the
port selection is delayed until the time of a
.Xr connect 2
call, performed either explicitly or implicitly by calling
.Xr sendto 2 .
.It Sy doublehash
Select ports using an
.Xr md5 3
hash of the local address, foreign address, and foreign port, offset by a
per-bucket counter:
a second
.Xr md5 3
hash of the same components selects one entry in a table of counters, so
the counter is shared only by the subset of outgoing connections that hash
to that entry.
The same considerations regarding delayed connection as in the case of
.Sy hash
apply.
.It Sy randinc
Advance from the previously selected port by a random positive increment.
.El
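A user-space model of the six algorithms listed above, added here as an illustration; it is not NetBSD's kernel code. Assumptions: the range 49152 to 65535 stands in for anonportmin/anonportmax, a keyed FNV-1a hash stands in for the md5(3) hash the manual names, a fixed-seed xorshift stands in for the kernel's random source, and the hash and doublehash collision handling follows RFC 6056 algorithms 3 and 4 (the manual does not state the probe direction for those two). Running it shows the property that matters: bsd yields consecutive ports, the random variants do not, and hash/doublehash give the same foreign endpoint a deterministic sequence.

```c
/*
 * Model of the rfc6056(7) port selection algorithms.  Added example, not
 * NetBSD project code.  ASSUMED: port range, hash function, PRNG, and the
 * probe direction for hash/doublehash (RFC 6056 algorithms 3 and 4).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMIN 49152
#define PMAX 65535
#define NPORTS (PMAX - PMIN + 1)
#define TABLE_SIZE 1024          /* counter table for doublehash (RFC 6056, alg. 4) */
#define RANDINC_N 500            /* increment bound for randinc (RFC 6056, alg. 5) */

struct tuple { uint32_t laddr, faddr; uint16_t fport; };

static unsigned char in_use[65536];      /* in_use[p] != 0: local port p is taken */
static uint32_t rng_state = 0x9e3779b9u; /* fixed seed so the demo is repeatable */
static uint16_t bsd_cursor = PMAX;
static uint32_t dh_table[TABLE_SIZE];
static uint32_t randinc_next;

void reset_state(void) {
    memset(in_use, 0, sizeof in_use);
    memset(dh_table, 0, sizeof dh_table);
    rng_state = 0x9e3779b9u;
    bsd_cursor = PMAX;
    randinc_next = 0;
}

static uint32_t rnd(void) {               /* xorshift32 */
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Keyed FNV-1a over (local addr, foreign addr, foreign port). */
static uint32_t keyed_hash(const struct tuple *t, uint32_t key) {
    uint8_t buf[10];
    memcpy(buf, &t->laddr, 4); memcpy(buf + 4, &t->faddr, 4); memcpy(buf + 8, &t->fport, 2);
    uint32_t h = 2166136261u ^ key;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* Take port p if it is free; returns p on success, 0 on collision. */
static uint16_t claim(uint16_t p) { if (in_use[p]) return 0; in_use[p] = 1; return p; }

/* Try `start`, then walk the range by `step` (+1/-1), wrapping; 0 if exhausted. */
static uint16_t probe(uint32_t start, int step) {
    uint32_t off = start - PMIN;
    for (int i = 0; i < NPORTS; i++) {
        uint16_t p = claim(PMIN + off % NPORTS);
        if (p) return p;
        off += (uint32_t)(NPORTS + step);      /* +1 or -1 modulo NPORTS */
    }
    return 0;
}

uint16_t algo_bsd(void) {                 /* anonportmax downward, sequential */
    uint16_t p = probe(bsd_cursor, -1);
    if (p) bsd_cursor = (p == PMIN) ? PMAX : p - 1;
    return p;
}
uint16_t algo_random_start(void) {        /* random start, then walk downward */
    return probe(PMIN + rnd() % NPORTS, -1);
}
uint16_t algo_random_pick(void) {         /* re-roll on every collision; may give up */
    for (int i = 0; i < NPORTS; i++) {
        uint16_t p = claim(PMIN + rnd() % NPORTS);
        if (p) return p;
    }
    return 0;
}
uint16_t algo_hash(const struct tuple *t) {       /* RFC 6056, algorithm 3 */
    return probe(PMIN + keyed_hash(t, 0xa5a5a5a5u) % NPORTS, +1);
}
uint16_t algo_doublehash(const struct tuple *t) { /* RFC 6056, algorithm 4 */
    uint32_t offset = keyed_hash(t, 0xa5a5a5a5u) % NPORTS;
    uint32_t idx = keyed_hash(t, 0x5a5a5a5au) % TABLE_SIZE;
    for (int i = 0; i < NPORTS; i++) {            /* bucket counter advances per try */
        uint16_t p = claim(PMIN + (offset + dh_table[idx]++) % NPORTS);
        if (p) return p;
    }
    return 0;
}
uint16_t algo_randinc(void) {             /* RFC 6056, algorithm 5 */
    for (int i = 0; i < NPORTS; i++) {
        randinc_next += rnd() % RANDINC_N + 1;
        uint16_t p = claim(PMIN + randinc_next % NPORTS);
        if (p) return p;
    }
    return 0;
}

int main(void) {
    const char *names[] = { "bsd", "random_start", "random_pick", "randinc" };
    uint16_t (*fns[])(void) = { algo_bsd, algo_random_start, algo_random_pick, algo_randinc };
    for (int a = 0; a < 4; a++) {
        reset_state();
        printf("%-13s", names[a]);
        for (int i = 0; i < 5; i++) printf(" %u", (unsigned)fns[a]());
        putchar('\n');
    }
    /* constructed 4-tuples: same local address, two foreign endpoints */
    struct tuple dns = { 0x0a000001u, 0xc0a80001u, 53 }, web = { 0x0a000001u, 0xc0a80002u, 80 };
    reset_state();
    uint16_t h1 = algo_hash(&dns), h2 = algo_hash(&dns), h3 = algo_hash(&web);
    printf("hash          dns:%u dns:%u web:%u (same endpoint -> adjacent ports)\n", h1, h2, h3);
    reset_state();
    uint16_t d1 = algo_doublehash(&dns), d2 = algo_doublehash(&dns), d3 = algo_doublehash(&web);
    printf("doublehash    dns:%u dns:%u web:%u\n", d1, d2, d3);
    return 0;
}
```

The bsd line of the output is the attack surface the other algorithms exist to remove: an observer who sees one port can name the next. The hash line shows the residual weakness RFC 6056 warns about for algorithm 3: toward one fixed endpoint the ports are still consecutive, which is why doublehash spreads consecutive connections across independently advancing counters.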
.Sh SYSCTL CONTROLS
The following sysctl controls are available for selecting the default
port randomization algorithm:
.Bl -column "net.inet6.ip6.anonportalgo.available" "string" "Changeable"
.It Sy sysctl name Ta Sy Type Ta Sy Changeable
.It net.inet.ip.anonportalgo.available Ta string Ta no
.It net.inet.ip.anonportalgo.selected Ta string Ta yes
.It net.inet6.ip6.anonportalgo.available Ta string Ta no
.It net.inet6.ip6.anonportalgo.selected Ta string Ta yes
.El
.Pp
The
.Sy available
entries list the algorithm names known to the kernel; the
.Sy selected
entries hold the algorithm applied to sockets that do not choose one
themselves.
.Sh SOCKET OPTIONS
The
.Dv IP_PORTSEL
socket option at the
.Dv IPPROTO_IP
level and the
.Dv IPV6_PORTSEL
socket option at the
.Dv IPPROTO_IPV6
level can be used with a string argument specifying the algorithm's
name in order to select the port randomization algorithm
for a specific socket, overriding the sysctl default.
For details see
.Xr setsockopt 2 .
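The following program, added here and not part of NetBSD, puts the two sections above together: it reads the available and selected algorithm names through sysctl, pins one algorithm on a single UDP socket with the IP_PORTSEL option as the manual describes, then connects the socket so that the kernel performs the (delayed) port selection and reports the port it picked. Assumptions: the option is passed as a NUL-terminated string (the manual says only "string argument"), the sysctl "available" value is a space-separated list, and the loopback destination is arbitrary. The NetBSD-specific calls are compiled only under __NetBSD__; elsewhere they report ENOPROTOOPT/ENOSYS so the file still builds and the portable list check can be exercised.

```c
/*
 * Added example (not NetBSD project code): query and select an rfc6056(7)
 * port algorithm.  ASSUMED: NUL-terminated string for IP_PORTSEL, and a
 * space-separated list in net.inet.ip.anonportalgo.available.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#ifdef __NetBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#endif

/* Return 1 if `name` appears as a whole, space-delimited word in `list`. */
int algo_in_list(const char *list, const char *name) {
    size_t n = strlen(name);
    for (const char *p = list; (p = strstr(p, name)) != NULL; p += n) {
        int at_start = (p == list || p[-1] == ' ');
        int at_end = (p[n] == '\0' || p[n] == ' ' || p[n] == '\n');
        if (at_start && at_end) return 1;
    }
    return 0;
}

/* Read a string-valued sysctl such as net.inet.ip.anonportalgo.selected. */
int read_sysctl_string(const char *mib, char *buf, size_t len) {
#ifdef __NetBSD__
    size_t got = len - 1;
    if (sysctlbyname(mib, buf, &got, NULL, 0) == -1) return -1;
    buf[got] = '\0';                 /* got <= len - 1, so this is in bounds */
    return 0;
#else
    (void)mib; (void)buf; (void)len;
    errno = ENOSYS;                  /* no such sysctl tree on this platform */
    return -1;
#endif
}

/* Pin the algorithm for one socket: IP_PORTSEL (IPPROTO_IP) for AF_INET,
 * IPV6_PORTSEL (IPPROTO_IPV6) for AF_INET6, name passed as a string. */
int set_port_algo(int fd, int family, const char *name) {
#if defined(__NetBSD__) && defined(IP_PORTSEL) && defined(IPV6_PORTSEL)
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_PORTSEL, name, strlen(name) + 1);
    return setsockopt(fd, IPPROTO_IP, IP_PORTSEL, name, strlen(name) + 1);
#else
    (void)fd; (void)family; (void)name;
    errno = ENOPROTOOPT;             /* option not available in this build */
    return -1;
#endif
}

int main(void) {
    char avail[256], sel[64];
    if (read_sysctl_string("net.inet.ip.anonportalgo.available", avail, sizeof avail) == 0 &&
        read_sysctl_string("net.inet.ip.anonportalgo.selected", sel, sizeof sel) == 0) {
        printf("available: %s\nsystem default: %s\n", avail, sel);
        if (!algo_in_list(avail, "random_pick"))
            printf("warning: random_pick is not offered by this kernel\n");
    } else {
        printf("anonportalgo sysctls not readable here: %s\n", strerror(errno));
    }

    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1) { perror("socket"); return 1; }
    if (set_port_algo(fd, AF_INET, "random_pick") == -1)
        perror("set_port_algo(random_pick)");

    /* The port is chosen at connect(2)/sendto(2) time, so connect the UDP
     * socket to an arbitrary loopback destination and read the result back. */
    struct sockaddr_in dst, me;
    socklen_t mlen = sizeof me;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(53);
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) == 0 &&
        getsockname(fd, (struct sockaddr *)&me, &mlen) == 0)
        printf("ephemeral port chosen: %u\n", (unsigned)ntohs(me.sin_port));
    close(fd);
    return 0;
}
```

Run it twice with the same algorithm and compare the reported ports; with the default bsd algorithm successive runs on an idle machine produce descending neighbours, while random_pick does not. Changing the sysctl default instead of the per-socket option affects every process that does not set the option, which is the usual choice on a host whose resolvers or other UDP clients are not under your control.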
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr sysctl 3 ,
.Xr sysctl 7
.Sh HISTORY
The
.Nm
algorithms first appeared in
.Nx 6.0 .