Re: [Ntp] NAT devices not translating privileged ports

Miroslav Lichvar <> Thu, 10 June 2021 14:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AC8BC3A42DF for <>; Thu, 10 Jun 2021 07:44:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JQbAp8E30PSs for <>; Thu, 10 Jun 2021 07:44:55 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3C82C3A42DD for <>; Thu, 10 Jun 2021 07:44:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mimecast20190719; t=1623336294; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=XJkirvCFAVsEqdzhYhROkSyUtahC4/UhKPCxcflRMTY=; b=ULwOca2bmr+qN2zYVWzdSO3o4KzugdBlCGtpgSodSjrG0J4yScAVh0RHVRy1tiI3lPfkBf PizTmNJHhwjntCeu0n2SuOJbiEaKHtWew1oTPCubBP6EJ8RK4gHE17U+bfsUACQmR4TXxn C6gmsfPEfkj5+L3dKzd30ZxnciFakfY=
Received: from ( []) (Using TLS) by with ESMTP id us-mta-236-WU5JYO3mP9-3GexOY6rDJA-1; Thu, 10 Jun 2021 10:44:51 -0400
X-MC-Unique: WU5JYO3mP9-3GexOY6rDJA-1
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 141831054F9D; Thu, 10 Jun 2021 14:44:51 +0000 (UTC)
Received: from localhost ( []) by (Postfix) with ESMTPS id 62AE7100760F; Thu, 10 Jun 2021 14:44:50 +0000 (UTC)
Date: Thu, 10 Jun 2021 16:44:48 +0200
From: Miroslav Lichvar <>
To: Fernando Gont <>
Cc: "" <>
Message-ID: <YMIlYGE2UcX5951O@localhost>
References: <> <YL3ZC6lgSOZE/s3Z@localhost> <>
MIME-Version: 1.0
In-Reply-To: <>
X-Scanned-By: MIMEDefang 2.84 on
Authentication-Results:; auth=pass smtp.auth=CUSA124A263
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <>
Subject: Re: [Ntp] NAT devices not translating privileged ports
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Jun 2021 14:44:57 -0000

On Thu, Jun 10, 2021 at 09:37:43AM +0000, Fernando Gont wrote:
> I'm now considering whether we'd be better off removing the whole
> Section 3.4.? i.e., remove this:

That would work for me.

There is an effect of NAT that could be mentioned if you are
considering some replacement for the text. NATs typically have a
shorter timeout for UDP sessions that the client polling interval, so
if there are multiple clients using the same server behind NAT, their
source port from the server's point of view will be randomized even if
their local port is the same.

> ---- cut here ----
>  3.4.  Effect on NAT devices
>   Some NAT devices will not translate the source port of a packet when
>   a privileged port number is employed.  In networks where such NAT
>   devices are employed, use of the NTP well-known port for the client
>   port will essentially limit the number of hosts that may successfully
>   employ NTP client implementations.
>   In the case of NAT devices that will translate the source port even
>   when a privileged port is employed, packets reaching the external
>   realm of the NAT will not employ the NTP well-known port as the local
>   port, since the local port will normally be translated by the NAT
>   device possibly, but not necessarily, with a random port.
> ---- cut here ----

Miroslav Lichvar