Proposed patch for Port Randomization modifications according to RFC6056
Doug Barton
dougb at FreeBSD.org
Fri Jan 28 19:00:49 UTC 2011

On 01/28/2011 06:33, Ivo Vachkov wrote:
> Hello,
>
> I would like to thank you for the help and for the recommendations.
>
> I attach the second version of the patch I proposed earlier, including the
> following changes:
>
> 1) All RFC6056 algorithms are implemented.
> 2) Both IPv4 and IPv6 stacks are modified to use the new port
> randomization code.
> 3) There are two variables that can be modified via sysctl:
> - net.inet.ip.portrange.rfc6056_algorithm - which allows the super
> user to choose one out of the five possible algorithms.
> - net.inet.ip.portrange.rfc6056_algorithm5_tradeoff - which allows the
> super user to modify the trade-off value used in algorithm 5.
> All values are explicitly checked for correctness before usage.
> Default values for those variables represent current/legacy port
> randomization algorithm and proposed values in the RFC itself.
I haven't reviewed the patch in detail yet but I wanted to first thank 
you for taking on this work, and being so responsive to Fernando's 
request (which I agreed with, and you updated before I even had a chance 
to say so). :)
My one comment so far is on the name of the sysctls. There are 2 
problems with sysctl/variable names that use an RFC title. The first is 
that they are not very descriptive to the 99.9% of users who are not 
familiar with that particular doc. The second is more esoteric, but if 
the RFC is subsequently updated or obsoleted we're stuck with either an 
anachronism or updating code (both of which have their potential areas 
of confusion).
So in order to avoid this issue, and make it more consistent with the 
existing:
net.inet.ip.portrange.randomtime
net.inet.ip.portrange.randomcps
net.inet.ip.portrange.randomized
How does net.inet.ip.portrange.randomalg sound? I would also suggest 
that the second sysctl be named 
net.inet.ip.portrange.randomalg.alg5_tradeoff so that one could do 
'sysctl net.inet.ip.portrange.randomalg' and see both values. But I 
won't quibble on that. :)
hth,
Doug
-- 
	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go
	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
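The thread above discusses a patch that implements the RFC 6056 algorithms behind a sysctl, with a second knob for the trade-off value N of algorithm 5. The block below is an added example, not Ivo's patch and not FreeBSD kernel code: it implements RFC 6056 Algorithm 5 (random-increments port selection) in plain C, together with the kind of range check a sysctl handler for the trade-off needs. Everything around the algorithm is assumed for the example: the 49152-65535 ephemeral range, the xorshift32 generator standing in for arc4random(), the `busy` bitmap standing in for the stack's in-use lookup, and the function names `set_tradeoff`, `rfc6056_alg5_select`, `gap_within_tradeoff` and `skips_busy_ports`. The starting trade-off of 500 is the value RFC 6056 itself suggests for N.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ephemeral port range for the example (constructed; FreeBSD takes its
 * range from net.inet.ip.portrange.first/last). */
#define EPH_MIN 49152u
#define EPH_MAX 65535u
#define EPH_NUM (EPH_MAX - EPH_MIN + 1u)

/* N, the "trade-off" of RFC 6056 Algorithm 5: every new connection jumps
 * ahead by a random amount in [1, N]. A larger N makes the next port harder
 * to predict but walks through the range sooner, so ports get reused earlier.
 * 500 is the value the RFC suggests; in the patch this would be the sysctl. */
static uint32_t tradeoff_n = 500;

/* The RFC's next_ephemeral counter, kept as an offset from EPH_MIN modulo
 * EPH_NUM so it can never leave the range. */
static uint32_t next_off;

/* Deterministic xorshift32 so the example reproduces; a kernel would use
 * arc4random(). Constructed for the example, not a security-grade source. */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t prng(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Stand-in for the stack's "is this port free?" lookup: a bitmap of busy
 * ports, constructed for the example. */
static uint8_t busy[65536 / 8];

void set_port_busy(uint16_t port, bool on)
{
    if (on)
        busy[port >> 3] |= (uint8_t)(1u << (port & 7));
    else
        busy[port >> 3] &= (uint8_t)~(1u << (port & 7));
}

void set_all_busy(bool on)
{
    memset(busy, on ? 0xff : 0x00, sizeof busy);
}

static bool check_suitable_port(uint16_t port)
{
    return (busy[port >> 3] & (1u << (port & 7))) == 0;
}

/* Trade-off setter, validated the way a sysctl handler must validate it:
 * N = 0 would divide by zero in the modulo below, and a step larger than the
 * range itself buys nothing. Returns 0 on success, -1 on a rejected value. */
int set_tradeoff(uint32_t n)
{
    if (n < 1 || n > EPH_NUM)
        return -1;
    tradeoff_n = n;
    return 0;
}

/* RFC 6056 Algorithm 5, random-increments port selection. Returns the chosen
 * port, or 0 when every port in the range is already in use. */
uint16_t rfc6056_alg5_select(void)
{
    uint32_t count = EPH_NUM;

    /* Jump ahead by a random step in [1, N] ... */
    next_off = (next_off + (prng() % tradeoff_n) + 1u) % EPH_NUM;
    do {
        uint16_t port = (uint16_t)(EPH_MIN + next_off);
        if (check_suitable_port(port))
            return port;
        /* ... then probe linearly past ports that are in use. */
        next_off = (next_off + 1u) % EPH_NUM;
    } while (--count > 0);
    return 0;
}

/* Property the algorithm gives when nothing is busy: two consecutive
 * selections are between 1 and N apart (modulo the range size). */
bool gap_within_tradeoff(void)
{
    set_all_busy(false);
    uint16_t a = rfc6056_alg5_select();
    uint16_t b = rfc6056_alg5_select();
    uint32_t gap = ((uint32_t)b + EPH_NUM - a) % EPH_NUM;
    return gap >= 1 && gap <= tradeoff_n;
}

/* Collision handling: with every port busy except 60000 the probe must land
 * on it; with no port free, selection must fail instead of handing one out. */
bool skips_busy_ports(void)
{
    set_all_busy(true);
    set_port_busy(60000, false);
    bool found = rfc6056_alg5_select() == 60000;
    set_all_busy(true);
    bool failed = rfc6056_alg5_select() == 0;
    return found && failed;
}

int main(void)
{
    set_all_busy(false);
    for (int i = 0; i < 5; i++)
        printf("port %u\n", (unsigned)rfc6056_alg5_select());
    return 0;
}
```

The point of keeping the counter modulo the range size rather than clamping it back to EPH_MIN on overflow, as the RFC's pseudocode does, is only that the bound on the gap between consecutive ports then holds across the wrap as well; the selection behaviour is otherwise the RFC's. The rejected values in `set_tradeoff` are the ones the patch's "explicitly checked for correctness" remark has to cover for the trade-off knob.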