summaryrefslogtreecommitdiff
path: root/static/netbsd/man7/rfc6056.7
diff options
context:
space:
mode:
Diffstat (limited to 'static/netbsd/man7/rfc6056.7')
-rw-r--r--static/netbsd/man7/rfc6056.7123
1 files changed, 123 insertions, 0 deletions
diff --git a/static/netbsd/man7/rfc6056.7 b/static/netbsd/man7/rfc6056.7
new file mode 100644
index 00000000..4041837c
--- /dev/null
+++ b/static/netbsd/man7/rfc6056.7
@@ -0,0 +1,123 @@
+.\" $NetBSD: rfc6056.7,v 1.4 2012/07/01 17:00:32 wiz Exp $
+.\"
+.\" Copyright (c) 2011
+.\" The NetBSD Foundation. All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Vlad Balan
+.\".
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"
+.Dd August 25, 2011
+.Dt RFC6056 7
+.Os
+.Sh NAME
+.Nm rfc6056
+.Nd port randomization algorithms
+.Sh DESCRIPTION
+The
+.Nm
+algorithms are used in order to randomize the port allocation of outgoing UDP
+packets, in order to provide protection from a series of
+.Dq blind
+attacks based on the
+attacker's ability to guess the sequence of ephemeral ports associated
+with outgoing packets.
+For more information consult RFC 6056.
+.Pp
+The individual algorithms are described below.
+.Ss The RFC 6056 algorithms
+The following algorithms are available:
+.Bl -tag -width "random_start"
+.It Sy bsd
+This is the default
+.Nx
+port selection algorithm, which starts from
+.Dv anonportmax
+and proceeds decreasingly through the available ephemeral ports.
+.It Sy random_start
+Select ports randomly from the available ephemeral ports.
+In case a collision with a local port is detected, the
+algorithm proceeds decreasingly through the sequence of ephemeral
+ports until a free port is found.
+Note that the random port selection algorithms are not guaranteed to find
+a free port.
+.It Sy random_pick
+Select ports randomly from the available ephemeral ports.
+In case a collision with a local port is detected the algorithm tries
+selecting a new port randomly until a free port is found.
+.It Sy hash
+Select ports using a
+.Xr md5 3
+hash of the local address, the foreign address, and the foreign port.
+Note that in the case of a
+.Xr bind 2
+call some of this information might be unavailable and the
+port selection is delayed until the time of a
+.Xr connect 2
+call, performed either explicitly or up calling
+.Xr sendto 2 .
+.It Sy doublehash
+Select ports using a
+.Xr md5 3
+hash of the local address, foreign address, and foreign port coupled with a
+.Xr md5 3
+hash of the same components obtained using a separate table that is
+associated with a subset of all outgoing connections.
+The same considerations regarding late connection as in the case of hash apply.
+.It Sy randinc
+Use random increments in order to select the next port.
+.El
+.Sh SYSCTL CONTROLS
+The following sysctl controls are available for selecting the default
+port randomization algorithm:
+.Bl -column "net.inet6.udp6.anonportalgo.available" "string" "Changeable"
+.It Sy sysctl name Ta Sy Type Ta Sy Changeable
+.It net.inet.ip.anonportalgo.available Ta string Ta no
+.It net.inet.ip.anonportalgo.selected Ta string Ta yes
+.It net.inet6.ip6.anonportalgo.available Ta string Ta no
+.It net.inet6.ip6.anonportalgo.selected Ta string Ta yes
+.El
+.Sh SOCKET OPTIONS
+The
+.Dv IP_PORTSEL
+socket option at the
+.Dv IPPROTO_IP
+level and the
+.Dv IPV6_PORTSEL
+socket option at the
+.Dv IPPROTO_IPV6
+level can be used with a string argument specifying the algorithm's
+name in order to select the port randomization algorithm
+for a specific socket.
+For more info see
+.Xr setsockopt 2 .
+.Sh SEE ALSO
+.Xr setsockopt 2 ,
+.Xr sysctl 3 ,
+.Xr sysctl 7
+.Sh HISTORY
+The
+.Nm
+algorithms first appeared in
+.Nx 6.0 .
generated by cgit v1.2.3 (git 2.46.0) at 2026-05-15 12:45:36 +0000