Module Name:	src
Committed By:	christos
Date:		Sat Sep 24 17:04:38 UTC 2011

Modified Files:
	src/share/man/man7: Makefile
Added Files:
	src/share/man/man7: rfc6056.7

Log Message:
add new rfc6056.7, from vlad

To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/share/man/man7/Makefile
cvs rdiff -u -r0 -r1.1 src/share/man/man7/rfc6056.7

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/share/man/man7/Makefile diff -u src/share/man/man7/Makefile:1.27 src/share/man/man7/Makefile:1.28 --- src/share/man/man7/Makefile:1.27 Fri Mar 18 11:21:57 2011 +++ src/share/man/man7/Makefile Sat Sep 24 13:04:38 2011 @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.27 2011/03/18 15:21:57 jruoho Exp $ +# $NetBSD: Makefile,v 1.28 2011/09/24 17:04:38 christos Exp $ # @(#)Makefile 8.1 (Berkeley) 6/5/93 # missing: eqnchar.7 man.7 ms.7 term.7 MAN= ascii.7 c.7 environ.7 glob.7 hier.7 hostname.7 intro.7 mailaddr.7 \ - module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7 security.7 \ - script.7 setuid.7 signal.7 sticky.7 symlink.7 sysctl.7 \ + module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7 rfc6056.7 \ + security.7 script.7 setuid.7 signal.7 sticky.7 symlink.7 sysctl.7 \ tests.7 MLINKS+=c.7 c78.7 \ Added files: Index: src/share/man/man7/rfc6056.7 diff -u /dev/null src/share/man/man7/rfc6056.7:1.1 --- /dev/null Sat Sep 24 13:04:38 2011 +++ src/share/man/man7/rfc6056.7 Sat Sep 24 13:04:38 2011 
@@ -0,0 +1,120 @@ +.\" $NetBSD: rfc6056.7,v 1.1 2011/09/24 17:04:38 christos Exp $ +.\" +.\" Copyright (c) 2011 +.\" The NetBSD Foundation. All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Vlad Balan +.\". +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" +.Dd August 25, 2011 +.Dt RFC6056 7 +.Os +.Sh NAME +.Nm rfc6056 +.Nd port randomization algorithms +.Sh DESCRIPTION +The +.Xr rfc6056 7 +algorithms are used in order to randomize the port allocation of outgoing UDP +packets, in order to provide protection from a series of +.Dq blind +attacks based on the +attacker's ability to guess the sequence of ephemeral ports associated +with outgoing packets. 
For more information consult RFC 6056. +.Pp +The individual algorithms are described below: +.Pp +.Ss The RFC 6056 algorithms +.Li The following algorithms are available: +.Bl -tag -width "random_start" +.It Sy bsd +This is the default +.Nx +port selection algorithm, which starts from +.Dv anonportmax +and proceeds decreasingly through the available ephemeral ports. +.It Sy random_start +Select ports randomly from the available ephemeral ports. +In case a collision with a local port is detected the +algorithm proceeds decreasingly through the sequence of ephemeral +ports until a free port is found. +Note that the random port selection algorithms are not guaranteed to find +a free port. +.It Sy random_pick +Select ports randomly from the available ephemeral ports. +In case a collision with a local port is detected the algorithm tries +selecting a new port randomly until a free port is found. +.It Sy hash +Select ports using a +.Xr md5 3 +hash of the local address, the foreign address, and the foreign port. +Note that in the case of a +.Xr bind 2 +call some of this information might be unavailable and the +port selection is delayed until the time of a +.Xr connect 2 +call, performed either explicitly or up calling +.Xr sendto 2 . +.It Sy doublehash +Select ports using a +.Xr md5 3 +hash of the local address, foreign address and foreign port coupled with a +.Xr md5 3 +hash of the same components obtained using a separate table that is +associated with a subset of all outgoing connections. +The same considerations regarding late connection as in the case of hash apply. +.It Sy randinc +Use random increments in order to select the next port. 
+.El +.Sh SYSCTL CONTROLS +The following sysctl controls are available for selecting the default +port randomization algorithm: +.Bl -column "net.inet6.udp6.rfc6056.available" "string" "Changeable" +.It Sy sysctl name Ta Sy Type Ta Sy Changeable +.It net.inet.udp.rfc6056.available Ta string Ta no +.It net.inet.udp.rfc6056.selected Ta string Ta yes +.It net.inet6.udp6.rfc6056.available Ta string Ta no +.It net.inet6.udp6.rfc6056.selected Ta string Ta yes +.El +.Pp +.Sh SOCKET OPTIONS +The socket option +.Dv UDP_RFC6056ALGO +at the +.Dv IPPROTO_UDP +level can be used with a string argument specifying the algorithm's +name in order to select the port randomization algorithm +for a specific socket. +For more info see +.Xr setsockopt 2 . +.Sh SEE ALSO +.Xr setsockopt 2 , +.Xr sysctl 3 , +.Xr sysctl 7 +.Sh HISTORY +The +.Nm +algorithms first appeared in +.Nx 6.0 .
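Review bot: In the new rfc6056.7, the sentence under the hash algorithm ("performed either explicitly or up calling .Xr sendto 2 .") has a typo; it should read "or upon calling". A few mdoc nits in the same file: the license header contains a stray `.\".` (comment line with a trailing period) after "by Vlad Balan" that should be a bare `.\"`; the `.Pp` immediately before `.Sh SOCKET OPTIONS` is redundant, since a section header already starts a new paragraph; `.Li The following algorithms are available:` sets ordinary prose in literal font and the `.Li` should be dropped; and the DESCRIPTION opens with `.Xr rfc6056 7`, a cross-reference to the page itself, where `.Nm` is the conventional macro. The plain-text "For more information consult RFC 6056." would be better expressed as a STANDARDS section using `.Rs`/`.%R RFC 6056`/`.Re`, which is where readers of section 7 pages look for the normative reference. Finally, `.Dd August 25, 2011` predates the commit date in this mail (Sep 24, 2011); the .Dd should be bumped so the page's stated revision date matches the one actually imported.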