NAME
rfc6056 —
port randomization
algorithms
DESCRIPTION
The
rfc6056 algorithms are used in order to randomize the port
allocation of outgoing UDP packets, in order to provide protection from a
series of “blind” attacks based on the attacker's ability to guess
the sequence of ephemeral ports associated with outgoing packets. For more
information consult RFC 6056.
The individual algorithms are described below.
The RFC 6056 algorithms
The following algorithms are available:
-
-
- bsd
- This is the default NetBSD port
selection algorithm, which starts from
anonportmax
and proceeds decreasingly through the available ephemeral ports.
-
-
- random_start
- Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected, the algorithm proceeds
decreasingly through the sequence of ephemeral ports until a free port is
found. Note that the random port selection algorithms are not guaranteed
to find a free port.
-
-
- random_pick
- Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected the algorithm tries
selecting a new port randomly until a free port is found.
-
-
- hash
- Select ports using a
md5(3) hash of the local
address, the foreign address, and the foreign port. Note that in the case
of a bind(2) call some of this
information might be unavailable and the port selection is delayed until
the time of a connect(2)
call, performed either explicitly or up calling
sendto(2).
-
-
- doublehash
- Select ports using a
md5(3) hash of the local
address, foreign address, and foreign port coupled with a
md5(3) hash of the same
components obtained using a separate table that is associated with a
subset of all outgoing connections. The same considerations regarding late
connection as in the case of hash apply.
-
-
- randinc
- Use random increments in order to select the next
port.
SYSCTL CONTROLS
The following sysctl controls are available for selecting the default port
randomization algorithm:
sysctl name |
Type |
Changeable |
net.inet.ip.anonportalgo.available |
string |
no |
net.inet.ip.anonportalgo.selected |
string |
yes |
net.inet6.ip6.anonportalgo.available |
string |
no |
net.inet6.ip6.anonportalgo.selected |
string |
yes |
SOCKET OPTIONS
The
IP_PORTSEL
socket option at the
IPPROTO_IP
level and the
IPV6_PORTSEL
socket option at the
IPPROTO_IPV6
level can be used with a string argument
specifying the algorithm's name in order to select the port randomization
algorithm for a specific socket. For more info see
setsockopt(2).
SEE ALSO
setsockopt(2),
sysctl(3),
sysctl(7)
HISTORY
The
rfc6056 algorithms first appeared in
NetBSD 6.0.