RFC6056(7) Miscellaneous Information Manual RFC6056(7)

rfc6056port randomization algorithms

The rfc6056 algorithms are used in order to randomize the port allocation of outgoing UDP packets, in order to provide protection from a series of “blind” attacks based on the attacker's ability to guess the sequence of ephemeral ports associated with outgoing packets. For more information consult RFC 6056.

The individual algorithms are described below.

The following algorithms are available:

This is the default NetBSD port selection algorithm, which starts from anonportmax and proceeds decreasingly through the available ephemeral ports.
Select ports randomly from the available ephemeral ports. In case a collision with a local port is detected, the algorithm proceeds decreasingly through the sequence of ephemeral ports until a free port is found. Note that the random port selection algorithms are not guaranteed to find a free port.
Select ports randomly from the available ephemeral ports. In case a collision with a local port is detected the algorithm tries selecting a new port randomly until a free port is found.
Select ports using a md5(3) hash of the local address, the foreign address, and the foreign port. Note that in the case of a bind(2) call some of this information might be unavailable and the port selection is delayed until the time of a connect(2) call, performed either explicitly or up calling sendto(2).
Select ports using a md5(3) hash of the local address, foreign address, and foreign port coupled with a md5(3) hash of the same components obtained using a separate table that is associated with a subset of all outgoing connections. The same considerations regarding late connection as in the case of hash apply.
Use random increments in order to select the next port.

The following sysctl controls are available for selecting the default port randomization algorithm:

net.inet.ip.anonportalgo.available string no
net.inet.ip.anonportalgo.selected string yes
net.inet6.ip6.anonportalgo.available string no
net.inet6.ip6.anonportalgo.selected string yes

The IP_PORTSEL socket option at the IPPROTO_IP level and the IPV6_PORTSEL socket option at the IPPROTO_IPV6 level can be used with a string argument specifying the algorithm's name in order to select the port randomization algorithm for a specific socket. For more info see setsockopt(2).

setsockopt(2), sysctl(3), sysctl(7)

The rfc6056 algorithms first appeared in NetBSD 6.0.

August 25, 2011 NetBSD 11.0