Proposed patch for Port Randomization modifications according to RFC6056

Ivo Vachkov ivo.vachkov at gmail.com
Fri Jan 28 19:57:22 UTC 2011


On Fri, Jan 28, 2011 at 9:00 PM, Doug Barton <dougb at freebsd.org> wrote:
> On 01/28/2011 06:33, Ivo Vachkov wrote:
>>
>> Hello,
>>
>> I would like to thank you for the help and for the recommendations.
>>
>> I attach the second version of the patch I proposed earlier, including
>> the following changes:
>>
>> 1) All RFC6056 algorithms are implemented.
>> 2) Both IPv4 and IPv6 stacks are modified to use the new port
>> randomization code.
>> 3) There are two variables that can be modified via sysctl:
>> - net.inet.ip.portrange.rfc6056_algorithm - which allows the super
>> user to choose one out of the five possible algorithms.
>> - net.inet.ip.portrange.rfc6056_algorithm5_tradeoff - which allows the
>> super user to modify the trade-off value used in algorithm 5.
>> All values are explicitly checked for correctness before usage.
>> Default values for those variables represent current/legacy port
>> randomization algorithm and proposed values in the RFC itself.
>
> I haven't reviewed the patch in detail yet but I wanted to first thank you
> for taking on this work, and being so responsive to Fernando's request
> (which I agreed with, and you updated before I even had a chance to say so).
> :)
>
> My one comment so far is on the name of the sysctls. There are 2 problems
> with sysctl/variable names that use an rfc title. The first is that they are
> not very descriptive to the 99.9% of users who are not familiar with that
> particular doc. The second is more esoteric, but if the rfc is subsequently
> updated or obsoleted we're stuck with either an anachronism or updating code
> (both of which have their potential areas of confusion).
>
> So in order to avoid this issue, and make it more consistent with the
> existing:
>
> net.inet.ip.portrange.randomtime
> net.inet.ip.portrange.randomcps
> net.inet.ip.portrange.randomized
>
> How does net.inet.ip.portrange.randomalg sound? I would also suggest that
> the second sysctl be named net.inet.ip.portrange.randomalg.alg5_tradeoff so
> that one could do 'sysctl net.inet.ip.portrange.randomalg' and see both
> values. But I won't quibble on that. :)
>

I have no objections to this. Since this is my first attempt to
contribute something back to the community, I decided to see how it's
done before. So I found:
net.inet.tcp.rfc1323
net.inet.tcp.rfc3465
net.inet.tcp.rfc3390
net.inet.tcp.rfc3042
which probably led me in the wrong direction :)

I understand your point and agree with it. However, my somewhat
limited understanding of the sysctl internal organization is telling
me that a tree node does not support values. Am I wrong? If my reasoning
is correct, maybe I can create the sysctl variables with the following
names:
- net.inet.ip.portrange.randomalg (Tree Node)
- net.inet.ip.portrange.randomalg.alg[orithm] (Leaf Node, to store the
selected algorithm)
- net.inet.ip.portrange.randomalg.alg5_tradeoff (Leaf Node, to store
the Algorithm 5 trade-off value)

Ivo Vachkov
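As an added, user-space illustration of what the two sysctls discussed above select (the algorithm index and the Algorithm 5 trade-off), here are RFC 6056 Algorithm 1 (simple randomization) and Algorithm 5 (random increments) with the parameters validated before use. This is not the patch's code nor FreeBSD's: the function names, the xorshift PRNG standing in for the kernel's random source, and the "even ports only" stand-in for an in-use table are all constructed for the example.

```c
/* RFC 6056 Algorithm 1 and Algorithm 5 in user space (added illustration,
 * not the FreeBSD patch). Names and the PRNG are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ALG_MIN 1
#define ALG_MAX 5
#define TRADEOFF_DEFAULT 500   /* N suggested in RFC 6056, Section 3.3.5 */

/* Deterministic xorshift32 PRNG so runs are reproducible; a kernel would
 * draw from its own random source instead. State must never be zero. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t prng(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}
void prng_seed(uint32_t s) { rng_state = s ? s : 1; }

/* The "explicitly checked for correctness before usage" step: reject an
 * algorithm index outside 1..5 and a non-positive trade-off N. */
bool rfc6056_params_ok(int algorithm, int tradeoff) {
    return algorithm >= ALG_MIN && algorithm <= ALG_MAX && tradeoff >= 1;
}

/* Suitability callback (in the RFC: check_suitable_port). Constructed
 * stand-ins: accept everything, accept only even ports, accept nothing. */
typedef bool (*port_ok_fn)(uint16_t port);
bool port_always_ok(uint16_t p) { (void)p; return true; }
bool port_even_only(uint16_t p) { return (p % 2) == 0; }
bool port_never_ok(uint16_t p)  { (void)p; return false; }

/* Algorithm 1: uniformly random pick, retried up to num_ephemeral times.
 * Returns the port, or -1 if no suitable port was found. */
int rfc6056_alg1(uint16_t lo, uint16_t hi, port_ok_fn ok) {
    uint32_t num = (uint32_t)hi - lo + 1, count = num;
    do {
        uint16_t port = (uint16_t)(lo + prng() % num);
        if (ok(port)) return port;
    } while (--count > 0);
    return -1;
}

/* Algorithm 5: advance a counter by a random step in [1, N] and map it
 * into the range. Small N approaches sequential (predictable) allocation,
 * large N approaches Algorithm 1; that is the trade-off the sysctl tunes. */
static uint32_t next_ephemeral;
void alg5_init(uint32_t start) { next_ephemeral = start; }
int rfc6056_alg5(uint16_t lo, uint16_t hi, int tradeoff, port_ok_fn ok) {
    uint32_t num = (uint32_t)hi - lo + 1, count = num;
    do {
        next_ephemeral += prng() % (uint32_t)tradeoff + 1;
        uint16_t port = (uint16_t)(lo + next_ephemeral % num);
        if (ok(port)) return port;
    } while (--count > 0);
    return -1;
}

/* Selector in the shape of the sysctl-driven dispatch: parameters are
 * validated first; only algorithms 1 and 5 are implemented in this example
 * (2-4 are the hash-based variants and are not shown here). */
int select_port(int algorithm, int tradeoff, uint16_t lo, uint16_t hi, port_ok_fn ok) {
    if (!rfc6056_params_ok(algorithm, tradeoff) || lo > hi) return -1;
    switch (algorithm) {
    case 1:  return rfc6056_alg1(lo, hi, ok);
    case 5:  return rfc6056_alg5(lo, hi, tradeoff, ok);
    default: return -1;
    }
}

int main(void) {
    prng_seed(2011);
    alg5_init(prng() % 65536);
    for (int i = 0; i < 5; i++)
        printf("alg1 %d   alg5(N=%d) %d\n",
               select_port(1, TRADEOFF_DEFAULT, 49152, 65535, port_always_ok),
               TRADEOFF_DEFAULT,
               select_port(5, TRADEOFF_DEFAULT, 49152, 65535, port_always_ok));
    return 0;
}
```

Running it with N=1 makes the trade-off visible: Algorithm 5 then hands out strictly consecutive ports, which is exactly the predictability the randomized algorithms exist to avoid, while N=500 (the RFC's suggested value) spreads successive ports across the range.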