Re: [Ntp] NAT devices not translating privileged ports

Fernando Gont <fernando.gont@edgeuno.com> Fri, 11 June 2021 01:57 UTC

From: Fernando Gont <fernando.gont@edgeuno.com>
To: "mlichvar@redhat.com" <mlichvar@redhat.com>
CC: "ntp@ietf.org" <ntp@ietf.org>
Date: Fri, 11 Jun 2021 01:56:59 +0000
Message-ID: <7e988847cc5f28226f4a935c7eb390accef98209.camel@edgeuno.com>
References: <c576bad79151f48543179594b4ea2bc46c85cdb6.camel@edgeuno.com> <YL3ZC6lgSOZE/s3Z@localhost> <65698f4e5c19022dbfce4de37671b9744c44bdd9.camel@edgeuno.com> <YMIlYGE2UcX5951O@localhost>
In-Reply-To: <YMIlYGE2UcX5951O@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/PYZPwFF1HJLKp37hUiFM1bfMjZY>

Hi, Miro,

On Thu, 2021-06-10 at 16:44 +0200, Miroslav Lichvar wrote:
> On Thu, Jun 10, 2021 at 09:37:43AM +0000, Fernando Gont wrote:
> > I'm now considering whether we'd be better off removing the whole
> > Section 3.4, i.e., remove this:
> 
> That would work for me.
> 
> There is an effect of NAT that could be mentioned if you are
> considering some replacement for the text. NATs typically have a
> shorter timeout for UDP sessions than the client polling interval, so
> if there are multiple clients using the same server behind NAT, their
> source port from the server's point of view will be randomized even if
> their local port is the same.


Are you assuming that if there's a "collision" at the NAT, the NAT will
change the service port to some other port?


In any case,

1) noting this would be tricky: it has been noted that in some of those
cases, the NAT may randomize the port, but from the same pool
(privileged vs non-privileged ports).

2) Since the behavior probably varies from one implementation to
another, and since I'm not sure it would be easy to reference such
behavior, I wonder if we'd be better off simply removing the text....

Thanks!

Regards,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
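The behaviour the two of them are discussing (a NAT UDP mapping timeout shorter than the NTP poll interval, two clients behind the same NAT both bound to local port 123, and the question of which pool a NAT allocates the replacement port from) can be made concrete with a small model. The following is an added example written for this archive page, not code from either participant or from any NAT implementation. It models an endpoint-independent-mapping NAPT (RFC 4787 terminology) with three assumed, hypothetical port policies: "preserve" (keep the internal port when it is free, otherwise pick a random ephemeral port), "random" (always a random ephemeral port) and "random-same-pool" (random, but from the privileged or non-privileged range the internal port came from). All addresses and timings are constructed.

```python
"""Toy NAPT (port-translating NAT) model showing why two NTP clients that
both bind local port 123 can appear to a server as different, changing
source ports, depending on the NAT's UDP mapping timeout and port policy.
Added example; the policies and addresses are assumptions, not any vendor's."""
import random
from dataclasses import dataclass

PRIVILEGED = range(1, 1024)      # "well-known" pool, where port 123 lives
EPHEMERAL = range(1024, 65536)   # pool most NATs allocate from


@dataclass
class Binding:
    internal: tuple        # (private ip, private port)
    external_port: int
    last_seen: float       # time of the last packet, for the UDP idle timeout


class Napt:
    """Endpoint-independent mapping NAT keyed on the internal (ip, port).

    policy is one of (hypothetical names for this model):
      "preserve"          keep the internal port if free, else random ephemeral
      "random"            always a random ephemeral port (1024-65535)
      "random-same-pool"  random, but from the pool the internal port is in
    """

    def __init__(self, public_ip, udp_timeout, policy, seed=0):
        self.public_ip = public_ip
        self.udp_timeout = udp_timeout
        self.policy = policy
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.bindings = {}               # internal (ip, port) -> Binding
        self.in_use = set()              # external ports currently mapped

    def _expire(self, now):
        # Drop mappings idle for at least udp_timeout seconds and free their ports.
        expired = [k for k, b in self.bindings.items()
                   if b.last_seen + self.udp_timeout <= now]
        for key in expired:
            self.in_use.discard(self.bindings.pop(key).external_port)

    def _pick_port(self, internal_port):
        if self.policy == "preserve" and internal_port not in self.in_use:
            return internal_port          # no collision: port is preserved
        if self.policy == "random-same-pool":
            pool = PRIVILEGED if internal_port in PRIVILEGED else EPHEMERAL
        else:
            pool = EPHEMERAL
        for _ in range(10_000):           # bounded retry on collision
            port = self.rng.randrange(pool.start, pool.stop)
            if port not in self.in_use:
                return port
        raise RuntimeError("port pool exhausted")

    def translate(self, now, src):
        """Return the (public ip, port) a packet from src is seen from at time now."""
        self._expire(now)
        binding = self.bindings.get(src)
        if binding is None:
            port = self._pick_port(src[1])
            binding = Binding(src, port, now)
            self.bindings[src] = binding
            self.in_use.add(port)
        binding.last_seen = now
        return self.public_ip, binding.external_port


def simulate(poll_interval, udp_timeout, policy, n_polls=6, seed=1):
    """Two clients behind one NAT, both sending from local port 123 every
    poll_interval seconds. Returns {client: [external port seen per poll]}."""
    nat = Napt("203.0.113.1", udp_timeout, policy, seed)   # constructed addresses
    clients = [("10.0.0.1", 123), ("10.0.0.2", 123)]
    seen = {c: [] for c in clients}
    for i in range(n_polls):
        now = i * poll_interval
        for c in clients:
            seen[c].append(nat.translate(now, c)[1])
    return seen


if __name__ == "__main__":
    for policy in ("preserve", "random", "random-same-pool"):
        for timeout in (30, 120):   # shorter / longer than the 64 s poll
            print(f"policy={policy:17} udp_timeout={timeout:3}s poll=64s")
            for client, ports in simulate(64, timeout, policy).items():
                print(f"  {client[0]}:{client[1]} -> {ports}")
```

Running it shows the three cases side by side: with a 30 s timeout and a 64 s poll every poll creates a fresh mapping, so under "random" the server sees a new port each time, while under "random-same-pool" the port still changes but always stays below 1024, which is exactly the caveat in point (1) above. With a 120 s timeout the mapping survives between polls and the port is stable. Under "preserve" the first client keeps 123 and only the colliding second client is moved to another port, which is the scenario the question about "collisions" refers to.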