Proposed patch for Port Randomization modifications according
to RFC6056
Doug Barton
dougb at FreeBSD.org
Fri Jan 28 19:00:49 UTC 2011
On 01/28/2011 06:33, Ivo Vachkov wrote:
> Hello,
>
> I would like to thank you for the help and for the recommendations.
>
> I attach the second version of the patch I proposed earlier, including
> the following changes:
>
> 1) All RFC6056 algorithms are implemented.
> 2) Both IPv4 and IPv6 stacks are modified to use the new port
> randomization code.
> 3) There are two variables that can be modified via sysctl:
> - net.inet.ip.portrange.rfc6056_algorithm - which allows the super
> user to choose one out of the five possible algorithms.
> - net.inet.ip.portrange.rfc6056_algorithm5_tradeoff - which allows the
> super user to modify the trade-off value used in algorithm 5.
> All values are explicitly checked for correctness before usage.
> Default values for those variables represent current/legacy port
> randomization algorithm and proposed values in the RFC itself.
I haven't reviewed the patch in detail yet but I wanted to first thank
you for taking on this work, and being so responsive to Fernando's
request (which I agreed with, and you updated before I even had a chance
to say so). :)
My one comment so far is on the names of the sysctls. There are 2
problems with sysctl/variable names that use an RFC title. The first is
that they are not very descriptive to the 99.9% of users who are not
familiar with that particular doc. The second is more esoteric, but if
the RFC is subsequently updated or obsoleted we're stuck with either an
anachronism or updating code (both of which have their potential areas
of confusion).
So in order to avoid this issue, and make it more consistent with the
existing:
net.inet.ip.portrange.randomtime
net.inet.ip.portrange.randomcps
net.inet.ip.portrange.randomized
How does net.inet.ip.portrange.randomalg sound? I would also suggest
that the second sysctl be named
net.inet.ip.portrange.randomalg.alg5_tradeoff so that one could do
'sysctl net.inet.ip.portrange.randomalg' and see both values. But I
won't quibble on that. :)
hth,
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
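Since the thread turns on the algorithm-5 trade-off sysctl, the following is an added example (not the patch or FreeBSD code) showing what that knob governs: a user-space model of RFC 6056's Algorithm 5 (random-increments port selection) with the parameter check applied before use. The valid range [1, NUM_EPHEMERAL], the deterministic PRNG and the suitability policies are assumptions made for the demonstration.

```c
/* RFC 6056 Algorithm 5 (Random-Increments Port Selection), modelled in user
 * space to show what the patch's rfc6056_algorithm5_tradeoff knob controls.
 * Added example, not the FreeBSD patch; the valid range of N is assumed. */
#include <stdbool.h>
#include <stdint.h>
#define MIN_EPHEMERAL 49152u  /* dynamic range used in RFC 6056's examples */
#define MAX_EPHEMERAL 65535u
#define NUM_EPHEMERAL (MAX_EPHEMERAL - MIN_EPHEMERAL + 1)

/* Deterministic PRNG so the walkthrough reproduces; a kernel would use its CSPRNG (arc4random). */
static uint32_t rng_state = 2463534242u;
static uint32_t rnd(void) {            /* xorshift32 */
    uint32_t x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

struct alg5 {
    uint32_t next_ephemeral;  /* running counter from the RFC's pseudo-code */
    uint32_t tradeoff;        /* N: each selection advances by 1..N */
};

/* The "explicitly checked before usage" step for the sysctl; [1, NUM_EPHEMERAL]
 * is an assumed bound. N=1 collapses to a sequential, predictable allocator;
 * N=NUM_EPHEMERAL is fully random but reuses ports sooner. RFC default: 500. */
bool alg5_set_tradeoff(struct alg5 *s, uint32_t n) {
    if (n < 1 || n > NUM_EPHEMERAL) return false;
    s->tradeoff = n;
    return true;
}

void alg5_init(struct alg5 *s, uint32_t tradeoff) {
    s->next_ephemeral = rnd() % 65536u;
    if (!alg5_set_tradeoff(s, tradeoff)) s->tradeoff = 500;
}

/* Returns a port in [MIN_EPHEMERAL, MAX_EPHEMERAL] accepted by `suitable` (the
 * RFC's check_suitable_port hook), or 0 after NUM_EPHEMERAL failed tries. */
uint16_t alg5_select(struct alg5 *s, bool (*suitable)(uint16_t)) {
    for (uint32_t count = NUM_EPHEMERAL; count > 0; count--) {
        s->next_ephemeral += (rnd() % s->tradeoff) + 1;
        uint16_t port = (uint16_t)(MIN_EPHEMERAL + s->next_ephemeral % NUM_EPHEMERAL);
        if (suitable(port)) return port;
    }
    return 0;
}

/* Sample suitability policies, constructed for the demonstration. */
bool any_port_free(uint16_t p) { (void)p; return true; }
bool odd_ports_only(uint16_t p) { return (p & 1u) != 0; }
bool no_port_free(uint16_t p) { (void)p; return false; }
```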