[En-Nut-Discussion] local tcp port randomisation
Harald Kipp
harald.kipp at egnite.de
Tue Jul 3 09:39:46 CEST 2012
Hi Ole,
On 02.07.2012 23:54, Ole Reinhardt wrote:
> http://lists.egnite.de/pipermail/en-nut-discussion/2005-November/005290.html
Obviously I missed that one. Thanks for bringing it back to our attention.
I think, that the server was buggy, because it doesn't handle the new SYN correctly. Though, I'm not sure.
Anyway, the current Nut/OS implementation is problematic for several reasons. In the first place it is too easy for any attacker to guess the IP/port combination. It should be randomized, see RFC6056.
> a) it has a bug (local port number might overflow) and then would result
> in local ports between 1 and 4096
This is indeed bad, but even our current implementation doesn't follow IANA recommendations, which proposes 49152 to 65535 for ephemeral ports.
http://en.wikipedia.org/wiki/Ephemeral_port
On the other hand, reducing the range will make guessing the port number easier. RFC6056 recommends to use 1024 to 65535. But that would require to keep a list of reserved ports, what we definitely don't want.
I'd suggest the following:
* Use timer ticks to select the start value _and_ the increment. Other algorithms like MD5 would add too much code.
* Use the IANA proposed range.
For example:
ticks = (uint16_t) NutGetMillis();
if (first)
port = ticks;
else
port += ticks & 0x000F;
port |= 0xC000;
> Does anybody has noticed problems with the current implementation yet?
Never, but that shouldn't stop us from fixing it.
Regards,
Harald
More information about the En-Nut-Discussion
mailing list