Thank you, Comcast.
blake at ispn.net
Fri Feb 26 20:04:07 UTC 2016
Blake Hudson wrote on 2/26/2016 2:01 PM:
> Livingood, Jason wrote on 2/26/2016 1:32 PM:
>> On 2/26/16, 11:44 AM, "Blake Hudson" <blake at ispn.net> wrote:
>> Jason, how do you propose to block SSDP without also blocking
>> legitimate traffic as well (since SSDP uses a port > 1024 and is
>> used as part of the ephemeral port range on some devices) ?
>> As Roland suggested, very likely via UDP/1900. This will obviously be
>> disclosed in advance to customers and tested thoroughly. I believe a
>> few other ISPs have already taken this step.
>> And is this practice /Open Internet/ friendly?
>> Port blocking is considered a form of reasonable network management
>> provided it can be justified by security or operational stability
>> reasons. Of course it must also be transparently disclosed and so on.
> The difference in blocking any of the existing ports on your list and
> blocking UDP/1900 is that the ports on your list are all registered
> ports. Port 1900 is not registered - a host may use port 1900 when
> making an outbound connection to another host (lookup ephemeral port
> range for more info) regardless of whether either host is using or
> running an SSDP server. A block on port 1900 will result in blocking
> legitimate customer traffic if the customer's device happened to
> select port 1900 as part of its ephemeral port range.
> To my knowledge, a current Windows, Linux, Apple device will not use
> port 1900 as part of its ephemeral port range, but Wikipedia suggests
> XP and older Windows operating systems will and I know that many NAT
> routers will (which affects all clients behind that NAT router,
> regardless of their OS). I have no idea what popular mobile clients
> use for their ephemeral port ranges. I imagine the NAT routers will be
> most common actors using ports outside of the IANA suggested ephemeral
> port range. Do you suggest that it is "reasonable network management"
> that users behind a NAT router have their 876th (1900 - 1024) UDP
> connection attempt blocked?
Correction, I should have stated that the ports < 1024 were well-known.
1900 is not a well-known port.
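The thread's point is that a blanket UDP/1900 block also catches unrelated traffic whenever a host or NAT router happens to pick 1900 as an ephemeral source port. The following is an added example, not code from the thread or from any ISP: it checks whether a given ephemeral range can land on 1900, and contrasts a port-only block with a filter that matches on the SSDP payload itself (HTTP-over-UDP start lines "M-SEARCH * HTTP/1.1", "NOTIFY * HTTP/1.1", "HTTP/1.1 200 OK"). The ephemeral ranges, the sample datagrams and the direction labels are constructed for illustration; the DNS, NTP and SSDP payloads are hand-built byte strings.

```python
"""Port-only vs. payload-aware filtering of SSDP (UDP/1900).

Added example for the NANOG discussion above; the ranges and datagrams below
are constructed assumptions, not measurements from any real network.
"""

SSDP_PORT = 1900

# Illustrative ephemeral source-port ranges (assumed for the example).
EPHEMERAL_RANGES = {
    "linux-default": (32768, 60999),
    "iana-suggested": (49152, 65535),
    "legacy-windows": (1025, 5000),
}

# Constructed sample payloads.
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b"MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n")
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
              b"LOCATION: http://192.0.2.10:49152/desc.xml\r\n\r\n")
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
DNS_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
NTP_PACKET = b"\x23" + b"\x00" * 47

# (label, direction relative to the customer, src_port, dst_port, payload, legitimate?)
SAMPLE_DATAGRAMS = [
    ("DNS query whose NAT router picked source port 1900",
     "outbound", 1900, 53, DNS_QUERY, True),
    ("DNS reply returning to that source port",
     "inbound", 53, 1900, DNS_REPLY, True),
    ("unsolicited discovery probe from the Internet",
     "inbound", 40000, 1900, M_SEARCH, False),
    ("SSDP reply leaving the customer toward a third party",
     "outbound", 1900, 443, SSDP_REPLY, False),
    ("ordinary NTP exchange",
     "outbound", 123, 123, NTP_PACKET, True),
]


def range_includes_ssdp_port(low, high):
    """True if a host choosing source ports from [low, high] can pick 1900."""
    return low <= SSDP_PORT <= high


def is_ssdp_payload(payload):
    """Recognise SSDP by its HTTPU start line instead of by port number."""
    first_line = payload.split(b"\r\n", 1)[0].upper()
    return (first_line.startswith(b"M-SEARCH * HTTP/1.1")
            or first_line.startswith(b"NOTIFY * HTTP/1.1")
            or first_line.startswith(b"HTTP/1.1 200 OK"))


def blanket_drops(src_port, dst_port):
    """Port-only rule: drop any UDP datagram touching 1900 in either direction."""
    return SSDP_PORT in (src_port, dst_port)


def ssdp_aware_drops(direction, src_port, dst_port, payload):
    """Narrower rule: drop only datagrams that really carry SSDP.

    inbound : discovery requests from the Internet aimed at the customer's 1900
    outbound: SSDP replies/announcements leaving the customer from port 1900
    """
    if not is_ssdp_payload(payload):
        return False
    if direction == "inbound":
        return dst_port == SSDP_PORT and payload.upper().startswith(b"M-SEARCH")
    if direction == "outbound":
        return src_port == SSDP_PORT
    raise ValueError("direction must be 'inbound' or 'outbound'")


def evaluate(datagram):
    """Return {rule_name: dropped?} for one sample datagram."""
    _, direction, src, dst, payload, _ = datagram
    return {"blanket": blanket_drops(src, dst),
            "ssdp_aware": ssdp_aware_drops(direction, src, dst, payload)}


def collateral(datagrams, rule):
    """Labels of legitimate datagrams that the given rule would drop."""
    return [d[0] for d in datagrams if d[5] and evaluate(d)[rule]]


def missed_attacks(datagrams, rule):
    """Labels of non-legitimate datagrams the given rule lets through."""
    return [d[0] for d in datagrams if not d[5] and not evaluate(d)[rule]]


if __name__ == "__main__":
    for name, (lo, hi) in EPHEMERAL_RANGES.items():
        print(f"{name:16} {lo}-{hi}: can use 1900 = {range_includes_ssdp_port(lo, hi)}")
    for rule in ("blanket", "ssdp_aware"):
        print(f"{rule}: collateral={collateral(SAMPLE_DATAGRAMS, rule)}"
              f" missed={missed_attacks(SAMPLE_DATAGRAMS, rule)}")
```

To see which range your own hosts use, run `sysctl net.ipv4.ip_local_port_range` on Linux, `sysctl net.inet.ip.portrange.first net.inet.ip.portrange.last` on macOS, or `netsh interface ipv4 show dynamicport udp` on Windows; the NAT router in front of them may use a different range again, which is the case the thread is worried about. The payload-aware rule is only a sketch of the idea, since a real filter would also have to cope with fragmentation and with devices that answer SSDP from a port other than 1900.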