Updated: 2022/Sep/29
Please read Privacy Policy. It's for your privacy.
RFC6056(7) Miscellaneous Information Manual RFC6056(7)
NAME
rfc6056 - port randomization algorithms
DESCRIPTION
The rfc6056 algorithms are used in order to randomize the port allocation
of outgoing UDP packets, in order to provide protection from a series of
"blind" attacks based on the attacker's ability to guess the sequence of
ephemeral ports associated with outgoing packets. For more information
consult RFC 6056.
The individual algorithms are described below.
The RFC 6056 algorithms
The following algorithms are available:
bsd This is the default NetBSD port selection algorithm, which
starts from anonportmax and proceeds decreasingly through
the available ephemeral ports.
random_start Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected, the
algorithm proceeds decreasingly through the sequence of
ephemeral ports until a free port is found. Note that the
random port selection algorithms are not guaranteed to find
a free port.
random_pick Select ports randomly from the available ephemeral ports.
In case a collision with a local port is detected the
algorithm tries selecting a new port randomly until a free
port is found.
hash Select ports using a md5(3) hash of the local address, the
foreign address, and the foreign port. Note that in the
case of a bind(2) call some of this information might be
unavailable and the port selection is delayed until the
time of a connect(2) call, performed either explicitly or
up calling sendto(2).
doublehash Select ports using a md5(3) hash of the local address,
foreign address, and foreign port coupled with a md5(3)
hash of the same components obtained using a separate table
that is associated with a subset of all outgoing
connections. The same considerations regarding late
connection as in the case of hash apply.
randinc Use random increments in order to select the next port.
SYSCTL CONTROLS
The following sysctl controls are available for selecting the default
port randomization algorithm:
sysctl name Type Changeable
net.inet.ip.anonportalgo.available string no
net.inet.ip.anonportalgo.selected string yes
net.inet6.ip6.anonportalgo.available string no
net.inet6.ip6.anonportalgo.selected string yes
SOCKET OPTIONS
The IP_PORTSEL socket option at the IPPROTO_IP level and the IPV6_PORTSEL
socket option at the IPPROTO_IPV6 level can be used with a string
argument specifying the algorithm's name in order to select the port
randomization algorithm for a specific socket. For more info see
setsockopt(2).
SEE ALSO
setsockopt(2), sysctl(3), sysctl(7)
HISTORY
The rfc6056 algorithms first appeared in NetBSD 6.0.
NetBSD 10.99 August 25, 2011 NetBSD 10.99