On 26/01/2011 08:28 a.m., Ivo Vachkov wrote: > I would like to propose a patch (against FreeBSD RELENG_8) to extend > the port randomization support in FreeBSD, according to RFC6056 > (https://www.rfc-editor.org/rfc/rfc6056.txt) > > Currently the patch implements: > - Algorithm 1 (default in FreeBSD 8) > - Algorithm 2 > - Algorithm 5 > from the aforementioned RFC6056. > > Any of those algorithms can be chosen with the sysctl variable > net.inet.ip.portrange.rfc6056_algorithm. > > I deliberately skipped Algorithm 3 and Algorithm 4, because I believe > usage of cryptographic hash functions will introduce unnecessary > latency in vital network operations. However, in case of expressed > interest, I will be glad to add those too.
While my opinion may be biased (I'm a co-author of the aforementioned RFC), I'd strongly argue in favor of the hash-based algorithms. At the point in which you have a high connection-establishment rate with a specific destination endpoint, you want to reuse the chances of collisions. (IIRC, this is why the FreeBSD code at some point disabled port randomization when connections were being established at a high rate). As a datapoint, Linux ships with Algorithm #4 enabled by default. Thanks! Best regards, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"