Re: randomize source port

[Darren Reed <darrenr%netbsd.org@localhost>]

Steven M. Bellovin wrote:
> ...
> How easy would it be to do a timing test?  For example, assume a simple
> program that just counted how many UDP ports it could bind to in ten
> seconds?  I expect some impact, but not a big one; arc4 is very cheap,
> but measurement is always good.
>   

Semi-related to this, I've been looking at this at work.
On a Sun Ultra20, I think it was ~2,000,000/second.
Compared with the libc random on Solaris, which was
10 or 100x that number.

But really it isn't how many per second you can do but
how much CPU it takes to do one and how much CPU
you have left for other things.

For example, with NAT using arc4random, it couldn't
hope to create 2,000,000 sessions per second.

I think you'd be lucky to be doing 200,000 bind()'s per
second to new ports :)


> More seriously -- when at boot time does urandom have enough entropy to
> seed the PRNG?  I've had problems on some server systems with things
> like that.
>   

arc4random, as per libkern, reseeds itself either every 5 minutes or 16k 
calls.

If arc4random is too CPU intensive, is it worth using libc's rand and 
seeding
that automatically in the kernel as we do with arc4random?

Darren