NAT devices not translating privileged ports
Fernando Gont
fernando.gont at edgeuno.com
Thu Jun 10 11:09:25 UTC 2021
Hi, Jean,
On Thu, 2021-06-10 at 06:54 -0400, Jean St-Laurent via NANOG wrote:
> Hi Fernando,
>
> NTP sounds simple but it could be very complex when you dig deep down
> and/or get lost in details.
> Here are 2 things to consider:
>
> 1. NTP clients can query NTP servers by using SRC UDP ports > 1024.
This is indeed the case we're addressing. The NTP spec mandates src
port=123, even for client-to-server cases.
> In your case, it sounds like you want to achieve NTP server to NTP
> server, but you mention NTP clients behind NAT devices.
Nope. We simply recommend to randomize the source port for client-to-
server cases.
So in the quoted section we make the case that requiring src port=123
on clients doesn't really make sense:
1) if the NAT translates the port, the server won't see src 123 anyway
2) if the NAT doesn't translate the port, you won't be able to have
multiple NTP clients behind the same firewall.
> Can you give us more details on what kind of communication you need
> here? From what I understand client to server should work just fine
> with any NAT devices.
>
> Maybe you meant multiple NTP servers behind the same NAT to external
> NTP servers
Please let me know if what I wrote above clarifies our intent.
Thanks!
Regards,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
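An added example, not part of this thread or of the draft under discussion, that models the two cases above in Python: a toy NAPT (an assumed model, not any vendor's implementation) run once in port-translating and once in port-preserving mode, two inside clients that both insist on source port 123 towards the same server, a client socket bound to an ephemeral port instead, and a 48-byte NTPv4 mode-3 request. The addresses 192.168.1.10, 192.168.1.11, 198.51.100.1 and 203.0.113.5 are constructed.

```python
"""Why a fixed NTP client source port (123) and NAPT do not mix: a toy model."""
import random
import socket
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


@dataclass(frozen=True)
class Flow:
    """Source and destination of one UDP datagram."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MappingConflict(RuntimeError):
    """A port-preserving NAT cannot give two inside hosts the same external
    port towards the same server."""


@dataclass
class Napt:
    """Toy NAPT (assumed model, not any product). Mappings are keyed by
    (external port, server ip, server port), so an external port may be
    shared only by flows that go to different servers."""
    external_ip: str
    translate_ports: bool
    seed: int = 0
    by_flow: Dict[Flow, int] = field(default_factory=dict, repr=False)
    by_key: Dict[Tuple[int, str, int], Flow] = field(default_factory=dict, repr=False)

    def __post_init__(self) -> None:
        self._rng = random.Random(self.seed)

    def outbound(self, flow: Flow) -> Flow:
        """Translate a datagram leaving the inside network; return what the server sees."""
        if flow in self.by_flow:                    # known flow: reuse its mapping
            ext_port = self.by_flow[flow]
        elif self.translate_ports:                  # case 1: NAT rewrites the port
            ext_port = self._unused_port(flow)
        else:                                       # case 2: NAT keeps the port
            key = (flow.src_port, flow.dst_ip, flow.dst_port)
            if key in self.by_key:
                other = self.by_key[key]
                raise MappingConflict(
                    f"port {flow.src_port} towards {flow.dst_ip}:{flow.dst_port} "
                    f"is already mapped for {other.src_ip}")
            ext_port = flow.src_port
        self.by_flow[flow] = ext_port
        self.by_key[(ext_port, flow.dst_ip, flow.dst_port)] = flow
        return Flow(self.external_ip, ext_port, flow.dst_ip, flow.dst_port)

    def inbound(self, server_ip: str, server_port: int, ext_port: int) -> Optional[Flow]:
        """Demultiplex a server reply back to the inside flow it belongs to."""
        return self.by_key.get((ext_port, server_ip, server_port))

    def _unused_port(self, flow: Flow) -> int:
        while True:
            port = self._rng.randint(1024, 65535)  # unprivileged, unpredictable
            if (port, flow.dst_ip, flow.dst_port) not in self.by_key:
                return port


def ntp_timestamp(now: float) -> Tuple[int, int]:
    """Split a Unix time into the NTP (seconds, fraction) 64-bit timestamp fields."""
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32))
    return secs & 0xFFFFFFFF, frac


def build_ntp_request(now: Optional[float] = None) -> bytes:
    """48-byte NTPv4 mode-3 (client) request with only the transmit timestamp set."""
    secs, frac = ntp_timestamp(time.time() if now is None else now)
    header = bytes([0x23])                          # LI=0, VN=4, Mode=3 (client)
    return header + bytes(39) + secs.to_bytes(4, "big") + frac.to_bytes(4, "big")


def ephemeral_client_port() -> int:
    """Bind the way an NTP client should: port 0 lets the OS pick an unprivileged,
    unpredictable source port, so no root/CAP_NET_BIND_SERVICE is needed and
    several clients can coexist behind one NAT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    server = ("203.0.113.5", NTP_PORT)              # constructed server address
    c1 = Flow("192.168.1.10", NTP_PORT, *server)    # two clients, both src port 123
    c2 = Flow("192.168.1.11", NTP_PORT, *server)

    translating = Napt("198.51.100.1", translate_ports=True, seed=7)
    print("translating NAT:", translating.outbound(c1), translating.outbound(c2))

    preserving = Napt("198.51.100.1", translate_ports=False)
    preserving.outbound(c1)
    try:
        preserving.outbound(c2)
    except MappingConflict as err:
        print("port-preserving NAT:", err)

    print("client bound to ephemeral port", ephemeral_client_port())
    print("NTP request:", build_ntp_request().hex())
```

Run it as-is: the translating NAT prints two different external ports, neither of them 123, which is case 1; the port-preserving NAT accepts the first client and raises on the second, which is case 2. A client that binds to port 0 sidesteps both problems and the server still receives a well-formed mode-3 request, since nothing in the packet depends on the client's source port.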