tech-net archive


Re: randomize source port



Steven M. Bellovin wrote:
> ...
> How easy would it be to do a timing test?  For example, assume a simple
> program that just counted how many UDP ports it could bind to in ten
> seconds?  I expect some impact, but not a big one; arc4 is very cheap,
> but measurement is always good.

Semi-related to this, I've been looking at this at work.
On a Sun Ultra20, I think it was ~2,000,000/second.
Compared with the libc random on Solaris, which was
10 or 100x that number.

But really it isn't how many per second you can do but
how much CPU it takes to do one and how much CPU
you have left for other things.

For example, with NAT using arc4random, it couldn't
hope to create 2,000,000 sessions per second.

I think you'd be lucky to be doing 200,000 bind()'s per
second to new ports :)


> More seriously -- when at boot time does urandom have enough entropy to
> seed the PRNG?  I've had problems on some server systems with things
> like that.

arc4random, as per libkern, reseeds itself either every 5 minutes or 16k calls.

If arc4random is too CPU intensive, is it worth using libc's rand and seeding
that automatically in the kernel as we do with arc4random?

Darren
