Thank you, Comcast.

Blake Hudson blake at ispn.net
Fri Feb 26 20:04:07 UTC 2016


Blake Hudson wrote on 2/26/2016 2:01 PM:
>
> Livingood, Jason wrote on 2/26/2016 1:32 PM:
>> On 2/26/16, 11:44 AM, "Blake Hudson" <blake at ispn.net 
>> <mailto:blake at ispn.net>> wrote:
>>
>>     Jason, how do you propose to block SSDP without also blocking
>>     legitimate traffic as well (since SSDP uses a port > 1024 and is
>>     used as part of the ephemeral port range on some devices) ?
>>
>>
>> As Roland suggested, very likely via UDP/1900. This will obviously be 
>> disclosed in advance to customers and tested thoroughly. I believe a 
>> few other ISPs have already taken this step.
>>
>>     And is this practice /Open Internet/ friendly?
>>
>>
>> Port blocking is considered a form of reasonable network management 
>> provided it can be justified by security or operational stability 
>> reasons. Of course it must also be transparently disclosed and so on.
>>
>> Jason
> The difference in blocking any of the existing ports on your list and 
> blocking UDP/1900 is that the ports on your list are all registered 
> ports. Port 1900 is not registered - a host may use port 1900 when 
> making an outbound connection to another host (lookup ephemeral port 
> range for more info) regardless of whether either host is using or 
> running an SSDP server. A block on port 1900 will result in blocking 
> legitimate customer traffic if the customer's device happened to 
> select port 1900 as part of its ephemeral port range.
>
> To my knowledge, a current Windows, Linux, Apple device will not use 
> port 1900 as part of its ephemeral port range, but Wikipedia suggests 
> XP and older Windows operating systems will and I know that many NAT 
> routers will (which affects all clients behind that NAT router, 
> regardless of their OS). I have no idea what popular mobile clients 
> use for their ephemeral port ranges. I imagine the NAT routers will be 
> most common actors using ports outside of the IANA suggested ephemeral 
> port range. Do you suggest that it is "reasonable network management" 
> that users behind a NAT router have their 876th (1900 - 1024) UDP 
> connection attempt blocked?
>
> --Blake
Correction, I should have stated that the ports < 1024 were well-known. 
1900 is not a well-known port.
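A constructed illustration, added here and not part of the thread, of the ephemeral-port collision Blake describes: a blanket drop of inbound UDP/1900 also discards the answer to a query that a NAT router happened to send from source port 1900, whereas a filter that drops only unsolicited datagrams to port 1900 keeps that answer and still discards the probe. The Packet helper, the addresses (documentation ranges) and the traffic sample are all invented for the example.

```python
from collections import namedtuple

# Constructed 5-tuple abstraction; direction is "out" (customer -> Internet)
# or "in" (Internet -> customer). Addresses come from documentation ranges.
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port")
SSDP_PORT = 1900

def stateless_block(packets):
    """Blanket rule: drop every inbound UDP datagram with destination port 1900."""
    return [p for p in packets
            if not (p.direction == "in" and p.dst_port == SSDP_PORT)]

def stateful_block(packets):
    """Drop inbound UDP/1900 only when no earlier outbound flow solicited it."""
    outbound = set()   # 4-tuples of flows the customer initiated
    kept = []
    for p in packets:
        if p.direction == "out":
            outbound.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            kept.append(p)
            continue
        # A reply reverses the 4-tuple of the outbound datagram it answers.
        solicited = (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in outbound
        if p.dst_port == SSDP_PORT and not solicited:
            continue   # unsolicited datagram to the customer's port 1900: drop
        kept.append(p)
    return kept

# Constructed traffic: a NAT router (192.0.2.10) picks source port 1900 for a
# DNS query, so the answer arrives with destination port 1900. A third host
# then sends an unsolicited datagram to the customer's port 1900.
SAMPLE = [
    Packet("out", "192.0.2.10", SSDP_PORT, "198.51.100.53", 53),    # DNS query
    Packet("in", "198.51.100.53", 53, "192.0.2.10", SSDP_PORT),     # DNS answer
    Packet("in", "203.0.113.9", 40001, "192.0.2.10", SSDP_PORT),    # unsolicited
]

def compare(packets=SAMPLE):
    """Return the source IPs of inbound packets that survive each policy."""
    def survivors(kept):
        return sorted(p.src_ip for p in kept if p.direction == "in")
    return {"stateless": survivors(stateless_block(packets)),
            "stateful": survivors(stateful_block(packets))}

if __name__ == "__main__":
    print(compare())  # {'stateless': [], 'stateful': ['198.51.100.53']}
```

The stateless policy loses the legitimate DNS answer along with the probe; the stateful one keeps the answer because the customer's own outbound datagram was seen first.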