xref: /netbsd-src/share/man/man7/rfc6056.7 (revision f1915787a7c8859c0b87ba6560f372c0b86aee5d)

.\"     $NetBSD: rfc6056.7,v 1.4 2012/07/01 17:00:32 wiz Exp $
.\"
.\" Copyright (c) 2011
.\"     The NetBSD Foundation.  All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Vlad Balan
.\".
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.Dd August 25, 2011
.Dt RFC6056 7
.Os
.Sh NAME
.Nm rfc6056
.Nd port randomization algorithms
.Sh DESCRIPTION
The
.Nm
algorithms are used in order to randomize the port allocation of outgoing UDP
packets, in order to provide protection from a series of
.Dq blind
attacks based on the
attacker's ability to guess the sequence of ephemeral ports associated
with outgoing packets.
For more information consult RFC 6056.
.Pp
The individual algorithms are described below.
.Ss The RFC 6056 algorithms
The following algorithms are available:
.Bl -tag -width "random_start"
.It Sy bsd
This is the default
.Nx
port selection algorithm, which starts from
.Dv anonportmax
and proceeds decreasingly through the available ephemeral ports.
.It Sy random_start
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected, the
algorithm proceeds decreasingly through the sequence of ephemeral
ports until a free port is found.
Note that the random port selection algorithms are not guaranteed to find
a free port.
.It Sy random_pick
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected the algorithm tries
selecting a new port randomly until a free port is found.
.It Sy hash
Select ports using a
.Xr md5 3
hash of the local address, the foreign address, and the foreign port.
Note that in the case of a
.Xr bind 2
call some of this information might be unavailable and the
port selection is delayed until the time of a
.Xr connect 2
call, performed either explicitly or up calling
.Xr sendto 2 .
.It Sy doublehash
Select ports using a
.Xr md5 3
hash of the local address, foreign address, and foreign port coupled with a
.Xr md5 3
hash of the same components obtained using a separate table that is
associated with a subset of all outgoing connections.
The same considerations regarding late connection as in the case of hash apply.
.It Sy randinc
Use random increments in order to select the next port.
.El
.Sh SYSCTL CONTROLS
The following sysctl controls are available for selecting the default
port randomization algorithm:
.Bl -column "net.inet6.udp6.anonportalgo.available" "string" "Changeable"
.It Sy sysctl name                   Ta Sy Type Ta Sy Changeable
.It net.inet.ip.anonportalgo.available   Ta string  Ta no
.It net.inet.ip.anonportalgo.selected    Ta string  Ta yes
.It net.inet6.ip6.anonportalgo.available Ta string  Ta no
.It net.inet6.ip6.anonportalgo.selected  Ta string  Ta yes
.El
.Sh SOCKET OPTIONS
The
.Dv IP_PORTSEL
socket option at the
.Dv IPPROTO_IP
level and the
.Dv IPV6_PORTSEL
socket option at the
.Dv IPPROTO_IPV6
level can be used with a string argument specifying the algorithm's
name in order to select the port randomization algorithm
for a specific socket.
For more info see
.Xr setsockopt 2 .
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr sysctl 3 ,
.Xr sysctl 7
.Sh HISTORY
The
.Nm
algorithms first appeared in
.Nx 6.0 .