net.inet.ip.portrange.randomized=1 hurts
Don Lewis
truckman at FreeBSD.org
Wed Jun 2 21:27:29 PDT 2004
On 2 Jun, Dmitry Pryanishnikov wrote:
>
> Hello!
>
>> Date: Tue, 1 Jun 2004 19:07:35 -0500 (CDT)
>> From: Mike Silbersack <silby at silby.com>
>>
>> On Tue, 1 Jun 2004, Andre Oppermann wrote:
>>
>>> A port should not be reused this fast. Maybe the randomness isn't
>>> so random after all and choses the same port over again and again?
>>
>>We use arc4random, so I don't think that's likely, but it is possible.
>
> OK, I would like to provide some statistics based on FTP server log.
> In the following table, first column is the total number of PORT commands
> per FTP session, second is the number of PORT commands between the first and
> second occurence of reused port (which is the cause of "425" error), third
> column is the interval between those occurences in secons:
>
> Total # of PORT comm. Interval, # of PORT Interval, sec
>
> 558 35 50
> 336 50 20
> 165 160 55
>
> So, it doesn't seem to me that random number generator works badly, but any
> randomness doesn't _guarantee_ that port number won't repeat within 2*MSL
> seconds, does it? Also I have heard of algorithms (but can't recollect now)
> that actually guarantee non-repeatness of the large portion (up
> to the interval range) of pseudo-random sequence. If we had such an algorihm
> for random port allocation, we won't get reused ports so often (by default,
> portrange.hilast=65535 and portrange.hifirst=49152, so theoretically we would
> have 16383 non-repeated port numbers before the first repeat).
Randomizing DNS query IDs without repeating any particular ID too
quickly is a similar problem. I contributed some code to for this to
BIND version 8 a number of years ago. See the nsid stuff in
/usr/src/contrib/bind/bin/named/ns_main.c. There are some comments
preceeding the code that explain the background and how it is supposed
to work. Something like this might be suitable for port number
allocation, though the potentially long time that a given port number
might be in use would complicate things.
More information about the freebsd-net
mailing list