NAT devices not translating privileged ports

Fernando Gont fernando.gont at edgeuno.com
Thu Jun 10 10:40:27 UTC 2021


Hi, Bjørn,

On Thu, 2021-06-10 at 12:10 +0200, Bjørn Mork wrote:
> Fernando Gont via NANOG <nanog at nanog.org> writes:
> 
> > What has been reported to us is that some boxes do not translate
> > the src port if it's a privileged port.
> > 
> > In such scenarios, NTP implementations that always use src port=123,
> > dst port=123 might be in trouble if there are multiple NTP clients
> > behind the same NAT device....
> 
> This problem used to be very common for 500/udp.  Ref
> https://datatracker.ietf.org/doc/html/rfc3715#section-2.3

Thanks a lot for the link! -- this is indeed a good read.  I'm curious
if there exists something similar for UDP/123?


FWIW, we have this IETF I-D on NTP port randomization:
https://datatracker.ietf.org/doc/html/draft-ietf-ntp-port-randomization-06
which has this section on the same kind of behavior, but for the NTP
port:

---- cut here ----
3.4.  Effect on NAT devices

  Some NAT devices will not translate the source port of a packet when
  a privileged port number is employed.  In networks where such NAT
  devices are employed, use of the NTP well-known port for the client
  port will essentially limit the number of hosts that may successfully
  employ NTP client implementations.

  In the case of NAT devices that will translate the source port even
  when a privileged port is employed, packets reaching the external
  realm of the NAT will not employ the NTP well-known port as the local
  port, since the local port will normally be translated by the NAT
  device possibly, but not necessarily, with a random port.
---- cut here ----

So I'm trying to find some reference that documents such behavior for
the NTP case....

Thanks!

Regards,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
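As an added illustration (not part of this post or of the I-D quoted above), the toy NAPT model below reproduces the failure mode from section 3.4: two hosts behind one NAT both send NTP from source port 123, and a NAT that leaves privileged source ports untranslated produces one external 5-tuple for both flows, so only one client gets its reply. Addresses, ports and the mapping logic are constructed simplifications.

```python
from dataclasses import dataclass, field

NTP_PORT = 123
PRIVILEGED_MAX = 1023   # ports 0-1023 are the "privileged" range


@dataclass
class ToyNapt:
    """Minimal UDP NAPT. translate_privileged=False models the reported
    behaviour of leaving privileged source ports untranslated."""
    external_ip: str
    translate_privileged: bool = True
    next_port: int = 1024          # next external port to hand out
    outbound: dict = field(default_factory=dict)  # 4-tuple -> ext port
    inbound: dict = field(default_factory=dict)   # (srv, sport, ext) -> host

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.outbound:
            return self.outbound[key]
        if src_port <= PRIVILEGED_MAX and not self.translate_privileged:
            ext_port = src_port          # privileged port kept as-is
        else:
            ext_port = self.next_port    # normal NAPT: pick a fresh port
            self.next_port += 1
        self.outbound[key] = ext_port
        # Reply state. A second flow with the same (server, 123, 123) key
        # overwrites the first; real devices may instead drop the second
        # flow, but either way only one client keeps working.
        self.inbound[(dst_ip, dst_port, ext_port)] = (src_ip, src_port)
        return ext_port

    def translate_in(self, server_ip, server_port, ext_port):
        return self.inbound.get((server_ip, server_port, ext_port))


def simulate(translate_privileged, client_ports):
    """Two constructed hosts query one NTP server through the NAT; return,
    per host, whether the server's reply is mapped back to that host."""
    nat = ToyNapt("203.0.113.1", translate_privileged)
    server, hosts = "192.0.2.10", ["10.0.0.2", "10.0.0.3"]
    flows = [(h, p, nat.translate_out(h, p, server, NTP_PORT))
             for h, p in zip(hosts, client_ports)]
    # Server answers from 123 to the NAT's external port for each flow.
    return [nat.translate_in(server, NTP_PORT, ext) == (h, p)
            for h, p, ext in flows]


if __name__ == "__main__":
    print("src 123, privileged untranslated:", simulate(False, [123, 123]))
    print("src 123, fully translating NAT:  ", simulate(True, [123, 123]))
    print("randomized src ports, same NAT:  ", simulate(False, [50001, 50002]))
```

The third case is the point of the I-D: with a randomized (non-privileged) client port, even the non-translating NAT assigns distinct external ports, so both clients work.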