Re: no port randomization with dig over IPv6 on mac os
At Fri, 7 Dec 2018 08:48:36 -0800, Warren Kumari wrote:

> > * Jakob Dhondt:
> >
> > > I have just noticed that when using dig (different versions) on Mac OS
> > > (High Sierra) over IPv6 the source port is not randomized.
>
> Hmmm. I’d never noticed that, but I certainly wouldn’t have expected it -
> I’m also wondering *how* it is doing this — to increment by 2 it sounds
> like there is state being kept - perhaps dig simply relies on the kernel
> for the source port and isn’t randomizing at all (and so the difference is
> actually an OS difference, and not a dig difference?)

dig directly uses a lower-level network API and handles anything above it by itself (I guess that's because it wants to handle some invalid cases like QID mismatch), so it's not surprising that it simply leaves things like port randomization to the OS kernel. I don't know if it intentionally skips randomization, though - probably not, but that doesn't matter much in practice either.

--
JINMEI, Tatuya

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: no port randomization with dig over IPv6 on mac os
On Fri, Dec 7, 2018 at 5:19 AM Ralph Seichter wrote:

> * Jakob Dhondt:
>
> > I have just noticed that when using dig (different versions) on Mac OS
> > (High Sierra) over IPv6 the source port is not randomized.

Hmmm. I’d never noticed that, but I certainly wouldn’t have expected it - I’m also wondering *how* it is doing this — to increment by 2 it sounds like there is state being kept - perhaps dig simply relies on the kernel for the source port and isn’t randomizing at all (and so the difference is actually an OS difference, and not a dig difference?)

> I may be having a senior moment, but don't IPv6 privacy extensions cover
> address randomization rather than port randomization?

Yes, but this has nothing to do with v6 privacy addresses - they are orthogonal...

W

> -Ralph

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
Re: no port randomization with dig over IPv6 on mac os
* Jakob Dhondt:

> I have just noticed that when using dig (different versions) on Mac OS
> (High Sierra) over IPv6 the source port is not randomized.

I may be having a senior moment, but don't IPv6 privacy extensions cover address randomization rather than port randomization?

-Ralph
no port randomization with dig over IPv6 on mac os
Dear list,

I have just noticed that when using dig (different versions) on Mac OS (High Sierra) over IPv6 the source port is not randomized. Instead, the port is incremented by 2 every time I execute the dig command. Is this a known issue?

I have tried to reproduce this behavior on Linux where, with both IPv4 and IPv6, port randomization seems to be working.

Kind regards,
Jakob

--
SWITCH
Jakob Dhondt, Security Engineer, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 23
jakob.dho...@switch.ch, www.switch.ch
Security-News: securityblog.switch.ch
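The report above (a source port that increments by 2 on macOS over IPv6) and Jinmei's explanation that dig leaves port selection to the kernel both come down to one question: what does the host kernel hand out when a UDP socket is bound to port 0? The script below is an added example, not code from this thread, from dig, or from ISC. It assumes, as Jinmei describes, that binding a UDP socket to port 0 and reading back the assigned port reproduces what dig gets, and that closing the socket between samples mirrors separate dig invocations; the `min_span` threshold of 1024 is an arbitrary choice of mine, not a value from the thread. It samples the kernel's choices for IPv4 and IPv6 and reports whether the sequence is arithmetic (a fixed stride, as reported here) or looks randomized, which is the property RFC 5452 relies on to make forged answers harder.

```python
"""Observe how the local kernel assigns UDP source ports.

dig binds a UDP socket and lets the OS pick the ephemeral port, so the
quality of its source-port randomization is a property of the host kernel
(assumption taken from the thread). This script samples ports the same way:
bind to port 0, read the assigned port, close, repeat.
"""
import socket
from typing import Dict, List, Optional


def sample_ephemeral_ports(count: int, family: int = socket.AF_INET) -> List[int]:
    """Return `count` kernel-chosen UDP source ports, one socket at a time.

    Each socket is closed before the next is opened, which mirrors separate
    dig invocations rather than one process holding many sockets open.
    """
    wildcard = "::" if family == socket.AF_INET6 else "0.0.0.0"
    ports: List[int] = []
    for _ in range(count):
        sock = socket.socket(family, socket.SOCK_DGRAM)
        try:
            sock.bind((wildcard, 0))  # port 0: let the kernel choose
            ports.append(sock.getsockname()[1])
        finally:
            sock.close()
    return ports


def analyze_ports(ports: List[int]) -> Dict[str, Optional[int]]:
    """Summarize a port sequence.

    'stride' is the constant difference between consecutive ports when the
    sequence is arithmetic (the kernel is simply counting), otherwise None.
    """
    diffs = [b - a for a, b in zip(ports, ports[1:])]
    stride = diffs[0] if diffs and all(d == diffs[0] for d in diffs) else None
    return {
        "samples": len(ports),
        "distinct": len(set(ports)),
        "span": max(ports) - min(ports) if ports else 0,
        "stride": stride,
    }


def looks_randomized(ports: List[int], min_span: int = 1024) -> bool:
    """Coarse verdict: no constant stride, no repeats, and spread over at
    least `min_span` (constructed threshold). A small sample can still fool
    this; treat False as a reason to look closer, not as proof."""
    if len(ports) < 3:
        raise ValueError("need at least 3 samples")
    stats = analyze_ports(ports)
    return (
        stats["stride"] is None
        and stats["distinct"] == len(ports)
        and stats["span"] >= min_span
    )


if __name__ == "__main__":
    for name, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            sampled = sample_ephemeral_ports(20, family)
        except OSError as exc:  # e.g. IPv6 not configured on this host
            print(f"{name}: could not sample ({exc})")
            continue
        verdict = "randomized" if looks_randomized(sampled) else "predictable"
        print(f"{name}: {sampled}")
        print(f"{name}: {analyze_ports(sampled)} -> {verdict}")
```

Run it on the host in question and compare the two families: a randomized IPv4 sequence next to an IPv6 sequence with `stride: 2` reproduces the behaviour reported in this thread without involving dig at all, which points at the kernel rather than the tool. If both families look random here but a packet capture of real dig queries still shows a fixed stride, the tool is doing something beyond a plain bind to port 0 and deserves a closer look.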