| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1383872049.9412.124.camel@edumazet-glaptop2.roam.corp.google.com> Date: Thu, 07 Nov 2013 16:54:09 -0800 From: Eric Dumazet <eric.dumazet@...il.com> To: David Miller <davem@...emloft.net> Cc: netdev <netdev@...r.kernel.org> Subject: [RFC] tcp: randomize TCP source ports TCP does proper randomization of ports on active connections only if bind() is used between socket() and connect() If bind() is not specifically used, kernel performs autobind, and TCP autobind typically uses a sequential allocation for a given (dst address, dst port, src address) tuple. UDP autobind does a randomization, as part of the effort to make DNS more secure. TCP autobind uses a global sequential number (called @hint in source code) with a perturbation done by secure_ipv4_port_ephemeral(), so that the 'hint' of the next port is per (saddr, daddr, dport) tuple This was probably done to maximize port use and avoid hitting timewait sockets, but I think it should be OK to replace this stuff by a random selection to have more entropy in the various flow hashing functions, and in general higher security levels. TCP timestamps are now well deployed. Patch would be trivial, but I'd like to get some comments if you think this idea is wrong. Thanks ! -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists