xref: /netbsd-src/share/man/man7/rfc6056.7 (revision f1915787a7c8859c0b87ba6560f372c0b86aee5d)
.\"     $NetBSD: rfc6056.7,v 1.4 2012/07/01 17:00:32 wiz Exp $
.\"
.\" Copyright (c) 2011
.\"     The NetBSD Foundation.  All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Vlad Balan
.\".
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.Dd August 25, 2011
.Dt RFC6056 7
.Os
.Sh NAME
.Nm rfc6056
.Nd port randomization algorithms
.Sh DESCRIPTION
The
.Nm
algorithms randomize the port allocation of outgoing UDP
packets, in order to provide protection from a series of
.Dq blind
attacks based on the
attacker's ability to guess the sequence of ephemeral ports associated
with outgoing packets.
For more information consult RFC 6056.
.Pp
The individual algorithms are described below.
.Ss The RFC 6056 algorithms
The following algorithms are available:
.Bl -tag -width "random_start"
.It Sy bsd
This is the default
.Nx
port selection algorithm, which starts from
.Dv anonportmax
and proceeds decreasingly through the available ephemeral ports.
.It Sy random_start
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected, the
algorithm proceeds decreasingly through the sequence of ephemeral
ports until a free port is found.
Note that the random port selection algorithms are not guaranteed to find
a free port.
.It Sy random_pick
Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected, the algorithm tries
selecting a new port randomly until a free port is found.
.It Sy hash
Select ports using a
.Xr md5 3
hash of the local address, the foreign address, and the foreign port.
Note that in the case of a
.Xr bind 2
call some of this information might be unavailable and the
port selection is delayed until the time of a
.Xr connect 2
call, performed either explicitly or upon calling
.Xr sendto 2 .
.It Sy doublehash
Select ports using a
.Xr md5 3
hash of the local address, foreign address, and foreign port coupled with a
.Xr md5 3
hash of the same components obtained using a separate table that is
associated with a subset of all outgoing connections.
The same considerations regarding late connection as in the case of hash apply.
.It Sy randinc
Use random increments in order to select the next port.
.El
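The random_pick, random_start and hash algorithms above, modelled in user space as an added example; this is not NetBSD kernel code. The port range (assumed anonportmin/anonportmax defaults), the in-use port table and the xorshift RNG are constructed, and FNV-1a stands in for the md5(3) hash the kernel uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#define PORTMIN 49152u                    /* assumed anonportmin */
#define PORTMAX 65535u                    /* assumed anonportmax */
#define NPORTS  (PORTMAX - PORTMIN + 1u)

static bool in_use[65536];                /* constructed local-port table */
void fill_table(bool busy) { for (uint32_t p = 0; p < 65536; p++) in_use[p] = busy; }

static uint32_t rng_state = 0x9e3779b9u;  /* xorshift32 stands in for the kernel RNG */
static uint32_t rnd(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return rng_state;
}

/* random_pick: a fresh random port after every collision; the try count is
 * bounded, so a free port is not guaranteed to be found. */
int pick_random_pick(void) {
    for (uint32_t count = NPORTS; count > 0; count--) {
        uint32_t port = PORTMIN + rnd() % NPORTS;
        if (!in_use[port]) return (int)port;
    }
    return -1;
}

/* random_start: random start, then walk downwards (wrapping) until free. */
int pick_random_start(void) {
    uint32_t port = PORTMIN + rnd() % NPORTS;
    for (uint32_t count = NPORTS; count > 0; count--, port = port == PORTMIN ? PORTMAX : port - 1)
        if (!in_use[port]) return (int)port;
    return -1;
}

/* hash: keyed per-destination offset on a shared counter (RFC 6056 alg. 3). Ports
 * towards one peer are sequential, yet observing them reveals nothing about the
 * ports used towards another peer. FNV-1a stands in for md5(3) here. */
static uint32_t next_ephemeral;
static uint32_t fnv1a(const void *data, size_t n, uint32_t h) {
    for (size_t i = 0; i < n; i++) { h ^= ((const uint8_t *)data)[i]; h *= 16777619u; }
    return h;
}
int pick_hash(uint32_t laddr, uint32_t faddr, uint16_t fport, uint32_t secret) {
    uint32_t offset = fnv1a(&laddr, 4, 2166136261u ^ secret);
    offset = fnv1a(&fport, 2, fnv1a(&faddr, 4, offset));
    for (uint32_t count = NPORTS; count > 0; count--) {
        uint32_t port = PORTMIN + (next_ephemeral++ + offset) % NPORTS;
        if (!in_use[port]) return (int)port;
    }
    return -1;
}
```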
.Sh SYSCTL CONTROLS
The following sysctl controls are available for selecting the default
port randomization algorithm:
.Bl -column "net.inet6.udp6.anonportalgo.available" "string" "Changeable"
.It Sy sysctl name                   Ta Sy Type Ta Sy Changeable
.It net.inet.ip.anonportalgo.available   Ta string  Ta no
.It net.inet.ip.anonportalgo.selected    Ta string  Ta yes
.It net.inet6.ip6.anonportalgo.available Ta string  Ta no
.It net.inet6.ip6.anonportalgo.selected  Ta string  Ta yes
.El
.Sh SOCKET OPTIONS
The
.Dv IP_PORTSEL
socket option at the
.Dv IPPROTO_IP
level and the
.Dv IPV6_PORTSEL
socket option at the
.Dv IPPROTO_IPV6
level can be used with a string argument specifying the algorithm's
name in order to select the port randomization algorithm
for a specific socket.
For more info see
.Xr setsockopt 2 .
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr sysctl 3 ,
.Xr sysctl 7
.Sh HISTORY
The
.Nm
algorithms first appeared in
.Nx 6.0 .
