nanog mailing list archives
Re: TCP and UDP Port 0 - Should an ISP or ITP Block it?
From: Pim van Stam <pim () vanstam-ict nl>
Date: Tue, 25 Aug 2020 14:40:43 +0200
On 25 Aug 2020, at 14:27, K. Scott Helms <kscott.helms () gmail com> wrote:

> Job,
>
> Comcast is blocking it. From the table on that page.
>
> "Port 0 is a reserved port, which means it should not be used by applications. Network abuse has prompted the need to block this port."
>
> "What about UDP IP fragmentation?"
>
> I'm not sure I follow this. The IP packet will be fragmented with UDP inside it. When the IP packet gets put together the UDP PDU will have a port number. It's possible that some packet analyzers or network gear will improperly "see" a partial UDP flow as port 0 but that's a mischaracterization of the flow.

a. some systems show UDP fragments as UDP port 0. So if the filter also handles fragments as UDP port 0, then you have a problem
b. if you don’t reassemble UDP fragments and filter on port number, like 11212 (memcache) or 389 (ldap), then fragments will be forwarded and still be a problem

I think in general you can say that problems with UDP port 0 are in fact fragments.
Other opinions on this?

Best regards,
Pim van Stam

> Scott Helms
>
> On Tue, Aug 25, 2020 at 8:17 AM Job Snijders <job () ntt net> wrote:
>> On Tue, Aug 25, 2020 at 07:27:33AM -0400, K. Scott Helms wrote:
>>> I think a fairly easy thing to do is see what other large retail ISPs have done. Comcast, as an example, lists all of the ports they block and 0 is blocked. I do recommend that port 0 be blocked by all of the ISPs I work with and frankly Comcast's list is a pretty good one to use in general, though you will get some pushback on things like SMTP.
>>>
>>> https://www.xfinity.com/support/articles/list-of-blocked-ports
>>
>> I may be reading the table incorrectly, but it seems to me Comcast is *not* blocking UDP port 0 according to the above URL?
>>
>>> Transit providers are a little bit different, but then again port 0 is also different since AFAIK it's never had a legitimate use case. It's always been a reserved port. I'd personally block it if I ran a transit, but I'd be more willing to open it up for one of my large customers (in a limited way) than I would on the retail side.
>>>
>>> https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
>>
>> What about UDP IP fragmentation?
>>
>> Kind regards,
>> Job
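
The fragment question raised in this message, as an added example that is not part of the original thread: a classifier that keeps "UDP port 0" and "non-first fragment" as separate outcomes, so a port-0 rule does not silently become a fragment rule. The function names, the addresses and the sample packets are constructed for illustration; only source port 389 comes from the message.

```python
import struct

UDP = 17

def parse(packet: bytes) -> dict:
    """Return fragment state and UDP ports; ports are None when absent."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    frag_word, = struct.unpack("!H", packet[6:8])
    info = {"proto": packet[9],
            "mf": bool(frag_word & 0x2000),       # More Fragments flag
            "offset": (frag_word & 0x1FFF) * 8,   # fragment offset in bytes
            "sport": None, "dport": None}
    # Only the packet at offset 0 carries the UDP header.
    if info["proto"] == UDP and info["offset"] == 0 and len(packet) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info

def verdict(packet: bytes, blocked_sports=frozenset({389})) -> str:
    """Classify one packet; fragments without ports get their own outcome."""
    p = parse(packet)
    if p["proto"] != UDP:
        return "not-udp"
    if p["offset"] > 0:
        return "non-first-fragment"   # no ports to match; needs its own policy
    if p["sport"] == 0 or p["dport"] == 0:
        return "udp-port-0"
    if p["sport"] in blocked_sports:
        return "blocked-source-port"
    return "pass"

def ipv4(payload: bytes, mf=False, offset=0) -> bytes:
    """Build a constructed IPv4 packet carrying UDP (header checksum left 0)."""
    frag_word = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       frag_word, 64, UDP, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7])) + payload

def sample_packets() -> dict:
    """Constructed: one 2008-byte datagram from port 389, split at 1480 bytes."""
    dgram = struct.pack("!HHHH", 389, 40000, 2008, 0) + b"\x41" * 2000
    return {"first": ipv4(dgram[:1480], mf=True),
            "second": ipv4(dgram[1480:], offset=1480),
            "port0": ipv4(struct.pack("!HHHH", 0, 53, 8, 0))}

if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, verdict(pkt))
```

The second fragment of the port-389 datagram matches neither the port filter nor the port-0 rule, which is case (b) in the message; a system that reports its missing ports as 0 produces case (a).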