rfc6056 — port randomization algorithms
The rfc6056 algorithms randomize the port allocation of outgoing UDP packets in order to protect against a class of "blind" attacks that rely on the attacker's ability to guess the sequence of ephemeral ports associated with outgoing packets. For more information consult RFC 6056.
The following algorithms are available and are described individually below:
- bsd
  This is the default NetBSD port selection algorithm, which starts from
  anonportmax and proceeds decreasingly through the available ephemeral ports.
- random_start
  Select ports randomly from the available ephemeral ports. In case a
  collision with a local port is detected, the algorithm proceeds
  decreasingly through the sequence of ephemeral ports until a free port is
  found. Note that the random port selection algorithms are not guaranteed
  to find a free port.
- random_pick
  Select ports randomly from the available ephemeral ports. In case a
  collision with a local port is detected, the algorithm tries selecting a
  new port randomly until a free port is found.
- hash
  Select ports using an md5(3) hash of the local address, the foreign
  address, and the foreign port. Note that in the case of a bind(2) call
  some of this information might be unavailable, and the port selection is
  then delayed until the time of a connect(2) call, performed either
  explicitly or implicitly upon calling sendto(2).
- doublehash
  Select ports using an md5(3) hash of the local address, foreign address,
  and foreign port, coupled with an md5(3) hash of the same components
  obtained using a separate table that is associated with a subset of all
  outgoing connections. The same considerations regarding late connection
  as in the case of hash apply.
- randinc
  Use random increments in order to select the next port.
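To make the differences between these strategies concrete, the following is a user-space simulation (an added example, not NetBSD kernel code) of the bsd, random_start, random_pick, hash and randinc selections over a constructed ephemeral range and a constructed set of ports already in use. The port bounds, the per-boot secret, the flow tuple and the increment bound are assumptions made here; doublehash is omitted because the page does not describe how its second table is populated. The simulation shows why bsd is trivially predictable, that hash cannot choose a port until the foreign end is known, and that random_start can give up with free ports still available.

```python
"""Simulation of the rfc6056 port selection strategies (added example, not
NetBSD kernel code).  Port range, the 'in use' table, the per-boot secret
and the flow tuples are all constructed here."""
import hashlib
import os
import random

ANONPORTMIN = 49152   # assumed: NetBSD's real bounds are the anonportmin and
ANONPORTMAX = 65535   # anonportmax sysctls; these values are illustrative


class PortTable:
    """Ephemeral port range plus the set of local ports already bound."""

    def __init__(self, in_use=(), lo=ANONPORTMIN, hi=ANONPORTMAX):
        self.lo, self.hi = lo, hi
        self.count = hi - lo + 1
        self.in_use = set(in_use)
        self.last = None            # state carried between randinc calls

    def free(self, port):
        return self.lo <= port <= self.hi and port not in self.in_use

    def reserve(self, port):
        self.in_use.add(port)
        return port


def bsd(t, rng, flow=None):
    """Walk downward from anonportmax: fully predictable to an observer."""
    for p in range(t.hi, t.lo - 1, -1):
        if t.free(p):
            return t.reserve(p)
    return None


def random_start(t, rng, flow=None):
    """Random start, then decrease; gives up at anonportmin, so a free port
    above the start is never found (the 'not guaranteed' caveat)."""
    for p in range(rng.randint(t.lo, t.hi), t.lo - 1, -1):
        if t.free(p):
            return t.reserve(p)
    return None


def random_pick(t, rng, flow=None, tries=None):
    """Fresh random pick on every collision, bounded number of attempts."""
    for _ in range(tries if tries is not None else t.count):
        p = rng.randint(t.lo, t.hi)
        if t.free(p):
            return t.reserve(p)
    return None


SECRET = os.urandom(16)   # constructed stand-in for a per-boot kernel secret


def hash_select(t, rng, flow):
    """md5 over (local addr, foreign addr, foreign port) picks the start of a
    linear search: the same flow lands on the same port while unrelated flows
    are unpredictable.  Without the foreign end the choice must be deferred."""
    if flow is None:
        raise ValueError("port selection deferred until connect(2)/sendto(2)")
    laddr, faddr, fport = flow
    digest = hashlib.md5(SECRET + f"{laddr}|{faddr}|{fport}".encode()).digest()
    start = int.from_bytes(digest[:4], "big")
    for i in range(t.count):
        p = t.lo + (start + i) % t.count
        if t.free(p):
            return t.reserve(p)
    return None


def randinc(t, rng, flow=None, max_step=500):
    """Advance the previously chosen port by a random increment (wrapping)."""
    if t.last is None:
        t.last = rng.randint(t.lo, t.hi)
    for _ in range(t.count):
        t.last = t.lo + (t.last - t.lo + rng.randint(1, max_step)) % t.count
        if t.free(t.last):
            return t.reserve(t.last)
    return None


# names as they appear in net.inet.ip.anonportalgo.selected
ALGORITHMS = {"bsd": bsd, "random_start": random_start,
              "random_pick": random_pick, "hash": hash_select, "randinc": randinc}


def allocate(name, table, flow=None, rng=None):
    """Allocate an ephemeral port with the named algorithm; None if exhausted."""
    return ALGORITHMS[name](table, rng or random.SystemRandom(), flow)


if __name__ == "__main__":
    flow = ("192.0.2.10", "198.51.100.7", 443)   # constructed addresses
    for name in ALGORITHMS:
        t = PortTable(in_use={65535, 65534})
        print(f"{name:13s} -> {allocate(name, t, flow)}")
```

Running the script prints one port per algorithm; only bsd yields the same answer on every run, which is exactly the property an off-path attacker exploits and the reason the randomized algorithms exist.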
The following sysctl controls are available for selecting the default port
randomization algorithm:

sysctl name                          | Type   | Changeable
-------------------------------------|--------|-----------
net.inet.ip.anonportalgo.available   | string | no
net.inet.ip.anonportalgo.selected    | string | yes
net.inet6.ip6.anonportalgo.available | string | no
net.inet6.ip6.anonportalgo.selected  | string | yes
The IP_PORTSEL socket option at the IPPROTO_IP level and the IPV6_PORTSEL socket option at the IPPROTO_IPV6 level can be used with a string argument specifying the algorithm's name in order to select the port randomization algorithm for a specific socket. For more information see setsockopt(2).
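The per-socket selection described above, as an added example that is not part of the original page: a small Python wrapper that picks the option level and name from the socket family, validates the algorithm name against the list this page documents, and passes the name as the string argument. Python's socket module only exposes IP_PORTSEL and IPV6_PORTSEL where the platform headers define them, so the wrapper reports False rather than failing on systems without rfc6056 support; the list of names is taken from this page and on a live system should be cross-checked against net.inet.ip.anonportalgo.available.

```python
import socket

# algorithm names as documented on this page; check them against the
# net.inet.ip.anonportalgo.available sysctl on a real NetBSD system
PORT_ALGORITHMS = ("bsd", "random_start", "random_pick",
                   "hash", "doublehash", "randinc")


def portsel_option(family):
    """Return (level, optname) for IP_PORTSEL / IPV6_PORTSEL, or None when the
    running platform (as exposed by Python's socket module) lacks the option."""
    if family == socket.AF_INET:
        level, attr = socket.IPPROTO_IP, "IP_PORTSEL"
    elif family == socket.AF_INET6:
        level, attr = socket.IPPROTO_IPV6, "IPV6_PORTSEL"
    else:
        raise ValueError("port selection applies to AF_INET/AF_INET6 sockets")
    optname = getattr(socket, attr, None)
    return None if optname is None else (level, optname)


def select_port_algorithm(sock, name):
    """Set the port randomization algorithm for one socket.

    Returns True when the option was applied and False when this platform
    does not expose IP_PORTSEL / IPV6_PORTSEL.  Unknown names are rejected
    before any system call is made."""
    if name not in PORT_ALGORITHMS:
        raise ValueError(f"unknown rfc6056 algorithm {name!r}")
    opt = portsel_option(sock.family)
    if opt is None:
        return False
    level, optname = opt
    # the option takes the algorithm name as a string argument
    sock.setsockopt(level, optname, name.encode("ascii"))
    return True


if __name__ == "__main__":
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        applied = select_port_algorithm(s, "random_pick")
        print("per-socket algorithm applied:", applied)
```

The validation happens before setsockopt(2) is reached so that a typo in a configuration value surfaces as a clear ValueError rather than an opaque errno from the kernel.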
The rfc6056 algorithms first appeared in NetBSD 6.0.