Discussion:
code for RFC 6056 - man page rfc6056.7
(too old to reply)
Vlad Balan
2011-08-26 21:22:15 UTC
Permalink
.\" $NetBSD: rfc6056.7,v 1.00 2011/06/23 20:55:08 vlad Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.Dd August 25, 2011
.Dt RFC6056 7
.Os
.Sh NAME
.Nm rfc6056
.Nd port randomization algorithms
.Sh DESCRIPTION
The
.Xr rfc6056 7
algorithms are used in order to randomize the port allocation of outgoing UDP
packets, in order to provide protection from a series of
.Dq blind
attacks based on the
attacker's ability to guess the sequence of ephemeral ports associated
with outgoing packets. For more information consult
.%R RFC 6056 .
.Pp
The individual algorithms are described below:
.Pp
.Ss The RFC 6056 algorithms
.Li The following algorithms are available:
.Bl -tag -width "random_start"
.It Sy bsd
This is the default
.Nx
port selection algorithm, which starts from
.Dv anonportmax
and proceeds decreasingly through the available ephemeral ports.
.It Sy random_start
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected the
algorithm proceeds decreasingly through the sequence of ephemeral
ports until a free port is found.
Note that the random port selection algorithms are not guaranteed to find
a free port.
.It Sy random_pick
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected the algorithm tries
selecting a new port randomly until a free port is found.
.It Sy hash
Select ports using a
.Xr md5 3
hash of the local address, the foreign address, and the foreign port.
Note that in the case of a
.Xr bind 2
call some of this information might be unavailable and the
port selection is delayed until the time of a
.Xr connect 2
call, performed either explicitly or up calling
.Xr sendto 2 .
.It Sy doublehash
Select ports using a
.Xr md5 3
hash of the local address, foreign address and foreign port coupled with a
.Xr md5 3
hash of the same components obtained using a separate table that is
associated with a subset of all outgoing connections.
The same considerations regarding late connection as in the case of hash apply.
.It Sy randinc
Use random increments in order to select the next port.
.El
.Sh SYSCTL CONTROLS
The following sysctl controls are available for selecting the default
port randomization algorithm:
.Bl -column "net.inet6.udp6.rfc6056.available" "string" "Changeable"
.It Sy sysctl name Ta Sy Type Ta Sy Changeable
.It net.inet.udp.rfc6056.available Ta string Ta no
.It net.inet.udp.rfc6056.selected Ta string Ta yes
.It net.inet6.udp6.rfc6056.available Ta string Ta no
.It net.inet6.udp6.rfc6056.selected Ta string Ta yes
.El
.Pp
.Sh SOCKET OPTIONS
The socket option
.Dv UDP_RFC6056ALGO
at the
.Dv IPPROTO_UDP
level can be used with a string argument specifying the algorithm's
name in order to select the port randomization algorithm
for a specific socket.
For more info see
.Xr setsockopt 2 .
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr sysctl 3 ,
.Xr sysctl 7
.Sh HISTORY
The
.Nm
algorithms first appeared in
.Nx 6.0 .

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Vlad Balan
2011-08-27 16:38:48 UTC
Permalink
I changed the copyright to the NetBSD Foundation.

Regards,
Vlad

.\" $NetBSD: rfc6056.7,v 1.00 2011/06/23 20:55:08 vlad Exp $
.\"
.\" Copyright (c) 2011
.\" The NetBSD Foundation. All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Vlad Balan
.\".
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.Dd August 25, 2011
.Dt RFC6056 7
.Os
.Sh NAME
.Nm rfc6056
.Nd port randomization algorithms
.Sh DESCRIPTION
The
.Xr rfc6056 7
algorithms are used in order to randomize the port allocation of outgoing UDP
packets, in order to provide protection from a series of
.Dq blind
attacks based on the
attacker's ability to guess the sequence of ephemeral ports associated
with outgoing packets. For more information consult RFC 6056.
.Pp
The individual algorithms are described below:
.Pp
.Ss The RFC 6056 algorithms
.Li The following algorithms are available:
.Bl -tag -width "random_start"
.It Sy bsd
This is the default
.Nx
port selection algorithm, which starts from
.Dv anonportmax
and proceeds decreasingly through the available ephemeral ports.
.It Sy random_start
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected the
algorithm proceeds decreasingly through the sequence of ephemeral
ports until a free port is found.
Note that the random port selection algorithms are not guaranteed to find
a free port.
.It Sy random_pick
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected the algorithm tries
selecting a new port randomly until a free port is found.
.It Sy hash
Select ports using a
.Xr md5 3
hash of the local address, the foreign address, and the foreign port.
Note that in the case of a
.Xr bind 2
call some of this information might be unavailable and the
port selection is delayed until the time of a
.Xr connect 2
call, performed either explicitly or up calling
.Xr sendto 2 .
.It Sy doublehash
Select ports using a
.Xr md5 3
hash of the local address, foreign address and foreign port coupled with a
.Xr md5 3
hash of the same components obtained using a separate table that is
associated with a subset of all outgoing connections.
The same considerations regarding late connection as in the case of hash apply.
.It Sy randinc
Use random increments in order to select the next port.
.El
.Sh SYSCTL CONTROLS
The following sysctl controls are available for selecting the default
port randomization algorithm:
.Bl -column "net.inet6.udp6.rfc6056.available" "string" "Changeable"
.It Sy sysctl name Ta Sy Type Ta Sy Changeable
.It net.inet.udp.rfc6056.available Ta string Ta no
.It net.inet.udp.rfc6056.selected Ta string Ta yes
.It net.inet6.udp6.rfc6056.available Ta string Ta no
.It net.inet6.udp6.rfc6056.selected Ta string Ta yes
.El
.Pp
.Sh SOCKET OPTIONS
The socket option
.Dv UDP_RFC6056ALGO
at the
.Dv IPPROTO_UDP
level can be used with a string argument specifying the algorithm's
name in order to select the port randomization algorithm
for a specific socket.
For more info see
.Xr setsockopt 2 .
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr sysctl 3 ,
.Xr sysctl 7
.Sh HISTORY
The
.Nm
algorithms first appeared in
.Nx 6.0 .

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Loading...