nanog mailing list archives
Re: NAT devices not translating privileged ports
From: Fernando Gont via NANOG <nanog () nanog org>
Date: Thu, 10 Jun 2021 10:40:27 +0000
Hi, Bjørn,

On Thu, 2021-06-10 at 12:10 +0200, Bjørn Mork wrote:
> Fernando Gont via NANOG <nanog () nanog org> writes:
>> What has been reported to us is that some boxes do not translate the src port if it's a privileged port. In such scenarios, NTP implementations that always use src port=123, dst port=123 might be in trouble if there are multiple NTP clients behind the same NAT device....
>
> This problem used to be very common for 500/udp. Ref https://datatracker.ietf.org/doc/html/rfc3715#section-2.3

Thanks a lot for the link! -- this is indeed a good read.

I'm curious if there exists something similar for UDP/123?

FWIW, we have this IETF I-D on NTP port randomization: https://datatracker.ietf.org/doc/html/draft-ietf-ntp-port-randomization-06 , which has this section on the same kind of behavior, but for the NTP port:

---- cut here ----
3.4. Effect on NAT devices

Some NAT devices will not translate the source port of a packet when a privileged port number is employed. In networks where such NAT devices are employed, use of the NTP well-known port for the client port will essentially limit the number of hosts that may successfully employ NTP client implementations.

In the case of NAT devices that will translate the source port even when a privileged port is employed, packets reaching the external realm of the NAT will not employ the NTP well-known port as the local port, since the local port will normally be translated by the NAT device possibly, but not necessarily, with a random port.
---- cut here ----

So I'm trying to find some reference that documents such behavior for the NTP case....

Thanks!

Regards,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
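The following is an added illustration, not part of the thread or of the I-D: a toy outbound NAPT that models the two device behaviours quoted above (preserving a privileged source port versus always translating it) and counts how many NTP clients behind one NAT get a usable mapping. Host addresses, the server address and the ephemeral port numbers are constructed sample values.

```python
"""Toy NAPT: which NTP clients behind one NAT get a working mapping?
Added example; addresses and ports are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

NTP_PORT = 123
PRIVILEGED_MAX = 1023  # ports 0-1023 are the "privileged" range

# Flow key: (internal ip, internal port, destination ip, destination port)
Key = Tuple[str, int, str, int]


@dataclass
class Napt:
    external_ip: str
    preserve_privileged: bool  # True models the reported buggy behaviour
    next_ephemeral: int = 1024
    table: Dict[Key, int] = field(default_factory=dict)
    in_use: Set[int] = field(default_factory=set)  # external ports taken

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[int]:
        """External source port chosen for this flow, or None if the device
        cannot build a mapping that it could later demultiplex replies on."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.table:
            return self.table[key]
        if self.preserve_privileged and src_port <= PRIVILEGED_MAX:
            ext = src_port  # leave the privileged port untouched...
            if ext in self.in_use:  # ...so a second host using 123 collides
                return None
        else:
            ext = self._alloc()  # normal NAPT: pick a free ephemeral port
        self.table[key] = ext
        self.in_use.add(ext)
        return ext

    def _alloc(self) -> int:
        while self.next_ephemeral in self.in_use:
            self.next_ephemeral += 1
        port = self.next_ephemeral
        self.next_ephemeral += 1
        return port


def ntp_clients_served(preserve_privileged: bool, client_src_port: Optional[int], n_clients: int = 3) -> int:
    """Count clients (all polling the same server) that obtain a mapping.
    client_src_port=None stands in for each client picking its own
    randomized ephemeral port, as the I-D recommends."""
    nat = Napt("203.0.113.1", preserve_privileged)
    server = "192.0.2.10"  # constructed sample NTP server
    served = 0
    for i in range(n_clients):
        port = client_src_port if client_src_port is not None else 49152 + i
        if nat.translate(f"10.0.0.{i + 1}", port, server, NTP_PORT) is not None:
            served += 1
    return served
```

With a port-preserving NAT and every client using source port 123, only the first client gets a mapping; either translating the port or letting clients use ephemeral source ports lets all of them through.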