NAT devices not translating privileged ports
Fernando Gont
fernando.gont at edgeuno.com
Thu Jun 10 10:40:27 UTC 2021
Hi, Bjørn,
On Thu, 2021-06-10 at 12:10 +0200, Bjørn Mork wrote:
> Fernando Gont via NANOG <nanog at nanog.org> writes:
>
> > What has been reported to us is that some boxes do not translate the
> > src port if it's a privileged port.
> >
> > In such scenarios, NTP implementations that always use src port=123,
> > dst port=123 might be in trouble if there are multiple NTP clients
> > behind the same NAT device....
>
> This problem used to be very common for 500/udp. Ref
> https://datatracker.ietf.org/doc/html/rfc3715#section-2.3
Thanks a lot for the link! -- this is indeed a good read. I'm curious
if there exists something similar for UDP/123?
FWIW, we have this IETF I-D on NTP port randomization:
https://datatracker.ietf.org/doc/html/draft-ietf-ntp-port-randomization-06,
which has this section on the same kind of behavior, but for the NTP
port:
---- cut here ----
3.4. Effect on NAT devices
Some NAT devices will not translate the source port of a packet when
a privileged port number is employed. In networks where such NAT
devices are employed, use of the NTP well-known port for the client
port will essentially limit the number of hosts that may successfully
employ NTP client implementations.
In the case of NAT devices that will translate the source port even
when a privileged port is employed, packets reaching the external
realm of the NAT will not employ the NTP well-known port as the local
port, since the local port will normally be translated by the NAT
device possibly, but not necessarily, with a random port.
---- cut here ----
So I'm trying to find some reference that documents such behavior for
the NTP case....
Thanks!
Regards,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
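As an added illustration (not part of the post or of the I-D), the following Python model contrasts the two NAT behaviours described in the quoted section 3.4: a box that leaves privileged source ports untranslated, and one that rewrites them. The Nat class, the addresses and the single-port collision rule are constructed assumptions for the model.

```python
"""Toy model of NAT source-port handling for NTP clients (constructed example).

Keys the external side on the source port only, which is a simplification
of a real NAT's 5-tuple mapping but enough to show the collision."""
import random
from dataclasses import dataclass, field

NTP_PORT = 123
SERVER = ("203.0.113.10", NTP_PORT)  # constructed NTP server (TEST-NET-3)


@dataclass
class Nat:
    external_ip: str
    translate_privileged: bool  # False: ports < 1024 are left untouched
    mappings: dict = field(default_factory=dict)  # (src_ip, src_port, dst) -> ext port
    used_ports: set = field(default_factory=set)

    def translate(self, src_ip, src_port, dst, rng):
        """Return (external_ip, external_port) for an outbound flow,
        or None when the flow cannot be mapped because of a collision."""
        key = (src_ip, src_port, dst)
        if key in self.mappings:
            return (self.external_ip, self.mappings[key])
        if src_port < 1024 and not self.translate_privileged:
            # Privileged port preserved: a second host reusing it collides.
            if src_port in self.used_ports:
                return None
            ext_port = src_port
        else:
            # Keep the port if free, otherwise pick a random free one
            # ("possibly, but not necessarily, with a random port").
            ext_port = src_port
            while ext_port in self.used_ports:
                ext_port = rng.randrange(1024, 65536)
        self.used_ports.add(ext_port)
        self.mappings[key] = ext_port
        return (self.external_ip, ext_port)


def run_clients(nat, client_src_port, n_clients, seed=1):
    """Send one NTP request from each of n_clients internal hosts.
    client_src_port=None means each client uses a random ephemeral port.
    Returns how many clients obtained a NAT mapping."""
    rng = random.Random(seed)
    mapped = 0
    for i in range(n_clients):
        src_ip = f"192.0.2.{i + 1}"  # constructed internal hosts (TEST-NET-1)
        port = client_src_port if client_src_port is not None else rng.randrange(1024, 65536)
        if nat.translate(src_ip, port, SERVER, rng) is not None:
            mapped += 1
    return mapped
```

With a non-translating NAT and every client bound to port 123 only one host gets through; either translating the port or randomizing the client port lets all of them through.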