The draft is (maybe intentionally?) vague on the issues - what evil real life
attacks is this "protecting" from?

Martin

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

It's protecting stupid protocols like DNS that are only secured by 16bit
entropy in the UDP case.

Joerg

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I implemented it over two years ago and sent the small patches to
tech-net (July 2008). I can toggle it with a sysctl tunable. I was told
others were going to implement it differently. I asked core about it in
October 2008 too.



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

On Mar 16, 3:30pm, Stephane Bortzmeyer wrote:
} On Sun, Oct 24, 2010 at 07:28:30PM +0200,
} Geert Hendrickx <***@telenet.be> wrote
} a message of 25 lines which said:
}
} > ipfilter/ipnat can do source port randomisation on NetBSD (since the
} > Kaminsky DNS issue).
}
} I must confess it is a bit terse to me. Does it mean that you need to
} enable the firewall on the NetBSD machine, and scramble packets which
} were generated with a predictable port number? It seems odd. (Unless
} you refer only to NetBSD-as-a-router, while I was talking about
} NetBSD-as-a-host.)

This would be more NetBSD-as-a-router.

} Also, ipnat(8) and ipnat(5), on a 5.0.1 machine, do not seem to
} explain about how to do it (and Google was not my friend here).

If you're using ipnat, you don't need to do anything. It's
automatic on NetBSD 4.0.1 or later.

NOTE: I believe that all reasonably recent versions of named
automatically use port randomisation. Beyond this, I don't know what
real world benefits port randomisation brings, if any, for the vast
majority of hosts. ipnat was changed to do port randomisation because
otherwise it would have turned named queries into sequential ports when
named was behind NetBSD-as-a-router.

}-- End of excerpt from Stephane Bortzmeyer

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

On Sun, Oct 24, 2010 at 02:52:43PM -0700,
OK. So there is indeed no solution for NetBSD-as-a-host.
They do but my main concern was not about the DNS but about TCP-based
services (SSH, BGP, etc).
I refer you to the soon-to-be-RFC
<ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-tsvwg-port-randomization-09.txt>. I
copy here the survey of all free Unices:


Appendix A. Survey of the algorithms in use by some popular
implementations

A.1. FreeBSD

FreeBSD 8.0 implements Algorithm 1, and in response to this document
now uses a 'min_port' of 10000 and a 'max_port' of 65535. [FreeBSD]

A.2. Linux

Linux 2.6.15-53-386 implements Algorithm 3, with MD5 as the hash
algorithm. If the algorithm is faced with the corner-case scenario
described in Section 3.5, Algorithm 1 is used instead [Linux].

A.3. NetBSD

NetBSD 5.0.1 does not obfuscate its ephemeral port numbers. It
selects ephemeral port numbers from the range 49152-65535, starting
from port 65535, and decreasing the port number for each ephemeral
port number selected [NetBSD].

A.4. OpenBSD

OpenBSD 4.2 implements Algorithm 1, with a 'min_port' of 1024 and a
'max_port' of 49151. [OpenBSD]

A.5. OpenSolaris

OpenSolaris 2009.06 implements Algorithm 1, with a 'min_port' of
32768 and a 'max_port' of 65535. [OpenSolaris]


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de