Discussion:
no port randomization with dig over IPv6 on mac os
Jakob Dhondt
2018-12-07 12:26:51 UTC
Dear list,

I have just noticed that when using dig (different versions) on Mac OS
(High Sierra) over IPv6 the source port is not randomized. Instead, the
port is incremented by 2 every time I execute the dig command. Is this a
known issue? I have tried to reproduce this behavior on Linux where,
with both IPv4 and IPv6, port randomization seems to be working.

Kind regards,

Jakob
--
SWITCH
Jakob Dhondt, Security Engineer, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 23
***@switch.ch, www.switch.ch
Security-News: securityblog.switch.ch


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Ralph Seichter
2018-12-07 13:19:23 UTC
Post by Jakob Dhondt
I have just noticed that when using dig (different versions) on Mac OS
(High Sierra) over IPv6 the source port is not randomized.
I may be having a senior moment, but don't IPv6 privacy extensions cover
address randomization rather than port randomization?

-Ralph
Warren Kumari
2018-12-07 16:48:36 UTC
Post by Ralph Seichter
Post by Jakob Dhondt
I have just noticed that when using dig (different versions) on Mac OS
(High Sierra) over IPv6 the source port is not randomized.
Hmmm. I’d never noticed that, but I certainly wouldn’t have expected it -
I’m also wondering *how* it is doing this — to increment by 2 it sounds
like there is state being kept - perhaps dig simply relies on the kernel
for the source port and isn’t randomizing at all ( and so the difference is
actually OS difference, and not dig differences?
Post by Ralph Seichter
I may be having a senior moment, but don't IPv6 privacy extensions cover
address randomization rather than port randomization?
Yes, but this has nothing to do with v6 privacy addresses - they are
orthogonal...

W
Post by Ralph Seichter
-Ralph
--
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
---maf
神明達哉
2018-12-07 17:36:47 UTC
At Fri, 7 Dec 2018 08:48:36 -0800,
Post by Warren Kumari
Post by Jakob Dhondt
I have just noticed that when using dig (different versions) on Mac OS
(High Sierra) over IPv6 the source port is not randomized.
Hmmm. I’d never noticed that, but I certainly wouldn’t have expected it -
I’m also wondering *how* it is doing this — to increment by 2 it sounds
like there is state being kept - perhaps dig simply relies on the kernel
for the source port and isn’t randomizing at all ( and so the difference is
actually OS difference, and not dig differences?
dig directly uses a lower-level network API and handles anything above
it by itself (I guess that's because it wants to handle some invalid
cases like QID mismatch), so it's not surprising that it simply leaves
things like port randomization to the OS kernel. I don't know if it
intentionally skips randomization, though - probably not, but that
doesn't matter much in practice either.

--
JINMEI, Tatuya
Tony Finch
2018-12-10 14:56:45 UTC
Post by Warren Kumari
I’m also wondering *how* it is doing this — to increment by 2 it sounds
like there is state being kept - perhaps dig simply relies on the kernel
for the source port and isn’t randomizing at all ( and so the difference is
actually OS difference, and not dig differences?
Yes. It's also a protocol family difference, because Mac OS does randomize
over IPv4. (Not doing so over IPv6 must be a bug....)

There are sysctls:

net.inet.tcp.randomize_ports: 0
net.inet.udp.randomize_ports: 1

The net.inet sysctls for UDP and TCP should also apply to inet6...

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
Malin, Hebrides: South or southeast 5 to 7, occasionally gale 8 in Hebrides,
perhaps gale 8 later in Malin. Moderate or rough, becoming rough or very
rough. Occasional rain. Good, occasionally poor.
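A quick way to check what the kernel is actually doing, which is the question Warren raised and Tony answered with the sysctls above: open a handful of UDP sockets, let the kernel assign each an ephemeral port, and look at whether the ports step by a constant or scatter. The script below is an added example, not code from this thread or from BIND; it targets loopback addresses (constructed, no packet is sent, since connect() on a UDP socket only fixes the 4-tuple) and does not touch the sysctls themselves.

```python
import socket

# Constructed loopback targets. connect() on an unbound UDP socket sends no
# packet; it only makes the kernel assign an ephemeral source port.
TARGETS = {
    "IPv4": (socket.AF_INET, ("127.0.0.1", 53)),
    "IPv6": (socket.AF_INET6, ("::1", 53)),
}


def sample_source_ports(family, dst, count=16):
    """Return the ephemeral source ports the kernel assigned to `count`
    fresh UDP sockets. All sockets stay open until sampling is finished so
    that a freed port cannot be handed back and mask the allocation pattern."""
    socks = []
    ports = []
    try:
        for _ in range(count):
            s = socket.socket(family, socket.SOCK_DGRAM)
            socks.append(s)
            s.connect(dst)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def classify_ports(ports):
    """Classify a port sequence: 'sequential' when every consecutive delta is
    the same non-zero step (the increment-by-2 behaviour reported for dig over
    IPv6 on macOS), 'randomized' otherwise, 'insufficient' for fewer than three
    samples. Wraparound at the top of the ephemeral range is not handled; take
    more samples if a result looks borderline."""
    distinct = len(set(ports))
    if len(ports) < 3:
        return {"pattern": "insufficient", "step": None, "distinct": distinct}
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        step = deltas.pop()
        if step != 0:
            return {"pattern": "sequential", "step": step, "distinct": distinct}
    return {"pattern": "randomized", "step": None, "distinct": distinct}


def audit(count=16):
    """Run the check for both address families and return the findings."""
    results = {}
    for label, (family, dst) in TARGETS.items():
        try:
            ports = sample_source_ports(family, dst, count)
        except OSError as exc:  # e.g. IPv6 loopback not configured on this host
            results[label] = {"pattern": "unavailable", "error": str(exc)}
            continue
        verdict = classify_ports(ports)
        verdict["ports"] = ports
        results[label] = verdict
    return results


if __name__ == "__main__":
    for label, r in audit().items():
        print(f"{label}: {r['pattern']}", r.get("ports", r.get("error")))
```

Because the sockets are created back to back, a kernel that allocates sequentially shows a constant step (2 in the behaviour Jakob described); a kernel that randomizes shows varying deltas. Running it once per address family on the affected machine separates an OS allocation policy from anything dig does, which is the distinction this thread turns on.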
Jakob Dhondt
2018-12-11 08:29:38 UTC
Hi all,

thanks for your answers!

Cheers,

Jakob
Post by Tony Finch
Post by Warren Kumari
I’m also wondering *how* it is doing this — to increment by 2 it sounds
like there is state being kept - perhaps dig simply relies on the kernel
for the source port and isn’t randomizing at all ( and so the difference is
actually OS difference, and not dig differences?
Yes. It's also a protocol family difference, because Mac OS does randomize
over IPv4. (Not doing so over IPv6 must be a bug....)
net.inet.tcp.randomize_ports: 0
net.inet.udp.randomize_ports: 1
The net.inet sysctls for UDP and TCP should also apply to inet6...
Tony.