net.inet.ip.portrange.randomized=1 hurts

Barney Wolff barney at databus.com
Fri Jun 4 07:38:47 PDT 2004


On Thu, Jun 03, 2004 at 02:19:43AM -0500, Mike Silbersack wrote:
> 
> On Wed, 2 Jun 2004, Don Lewis wrote:
> 
> > Randomizing DNS query IDs without repeating any particular ID too
> > quickly is a similar problem.  I contributed some code for this to
> > BIND version 8 a number of years ago.  See the nsid stuff in
> > /usr/src/contrib/bind/bin/named/ns_main.c.  There are some comments
> > preceding the code that explain the background and how it is supposed
> > to work.  Something like this might be suitable for port number
> > allocation, though the potentially long time that a given port number
> > might be in use would complicate things.
> 
> I just thought more about the issue at hand, and I think that changing the
> randomization algorithm is probably not worth the effort.  Instead, we'll
> have to fix the server-side TIME_WAIT problem Dmitry is experiencing.
> The simple reason is that any other OS which uses randomized ephemeral
> ports will tickle the exact same port recycling problem, so reverting our
> client behavior isn't a long-term solution.

The randomization algorithm is definitely wrong, and will need to be fixed.
What's needed, as pointed out above, is a random *shuffle* not simply a
random choice.  The random choice as the code does now encounters the
birthday paradox, resulting in re-use of a port number in sqrt(N) picks,
meaning on average the re-use interval is 128, given the default 16384
range.  That's far too short.

The justified response to user complaints is "send patches" and I'm
willing to try, if no-one else is working on it.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
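Added example, not part of the thread or of the FreeBSD allocator: a simulation of the two strategies contrasted above. PORT_RANGE mirrors the 16384-port default quoted in the message; both allocator models are constructed for illustration.

```python
"""Constructed simulation of ephemeral-port allocation: uniform random choice
(which hits the birthday paradox) versus walking a random shuffle (which uses
every port once before any port is reused)."""
import math
import random

PORT_RANGE = 16384  # size of the default ephemeral range quoted in the thread


def first_repeat_random_choice(n: int, rng: random.Random) -> int:
    """Pick ports uniformly at random with replacement (the behaviour the post
    criticises) and return the pick number at which a port first comes up again."""
    seen = set()
    picks = 0
    while True:
        picks += 1
        port = rng.randrange(n)
        if port in seen:
            return picks
        seen.add(port)


def first_repeat_shuffle(n: int, seed: int = 0) -> int:
    """Hand out ports by walking one random permutation (the 'random shuffle'
    the post asks for).  Every port is used once before any port is used twice,
    so the first repeat cannot occur before pick n + 1."""
    order = list(range(n))
    random.Random(seed).shuffle(order)
    seen = set()
    for picks, port in enumerate(order, start=1):
        if port in seen:  # never true inside a single permutation
            return picks
        seen.add(port)
    return n + 1  # the next pick, from a reshuffle, is necessarily a repeat


def birthday_estimate(n: int) -> float:
    """Expected number of uniform picks until the first repeat: sqrt(pi*n/2)."""
    return math.sqrt(math.pi * n / 2)


def mean_first_repeat(n: int, trials: int, seed: int = 0) -> float:
    """Average pick count at first reuse under random choice, over `trials` runs."""
    rng = random.Random(seed)
    return sum(first_repeat_random_choice(n, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print(f"random choice: first reuse after ~{mean_first_repeat(PORT_RANGE, 1000):.0f} "
          f"picks (birthday estimate {birthday_estimate(PORT_RANGE):.0f})")
    print(f"random shuffle: first reuse after {first_repeat_shuffle(PORT_RANGE)} picks")
```

The simulated reuse interval under random choice lands near the sqrt(N) order of magnitude the post describes, while the shuffle guarantees the full range of 16384 picks before any repeat.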

