Re: [Ntp] NAT devices not translating privileged ports

Fernando Gont <fernando.gont@edgeuno.com> Fri, 11 June 2021 02:10 UTC

From: Fernando Gont <fernando.gont@edgeuno.com>
To: "halmurray+ietf@sonic.net" <halmurray+ietf@sonic.net>
CC: "ntp@ietf.org" <ntp@ietf.org>
Date: Fri, 11 Jun 2021 02:10:10 +0000
Message-ID: <2f0887079a475fbcc1107a534d906b7d4a859e9a.camel@edgeuno.com>
References: <20210610174624.7F6AB40605C@ip-64-139-1-69.sjc.megapath.net>
In-Reply-To: <20210610174624.7F6AB40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Xy-bTqOtYk_GHF7DsIFiMmKgqJA>

On Thu, 2021-06-10 at 10:46 -0700, Hal Murray wrote:
> fernando.gont=40edgeuno.com@dmarc.ietf.org said:
> > I'm now considering whether we'd be better off removing the whole
> > Section 3.4.? i.e., remove this:
> 
> I agree that we could drop it, but I didn't know about that quirk
> and it seems a shame to discard information that isn't otherwise
> documented or well known.

The behavior that we describe in our document seems similar to the one
for 500/udp: https://datatracker.ietf.org/doc/html/rfc3715#section-2.3

However, I haven't been able to find a similar reference for UDP/123. :-(

> Maybe move it to an appendix?
> 
> Does any NTP code depend on the source port being 123?  I think
> NTPsec has an option to require it but I've never used it.  It might
> be useful to filter out broken software but won't help with security.
> 

I guess it all depends on whether they apply the robustness principle ("be liberal in what you accept..."). However, in the current NAPT-dominated world, a server that were to enforce that check would essentially prevent service to a large number of NTP clients: both because some clients already perform port randomization, and because in the event of collisions, NAPTs will rewrite the ports.

Thanks!

Regards,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
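To make the point in the reply above concrete, here is a small simulation (added for this archive, not code from the thread, the draft, or NTPsec) of an NTP server that insists on source port 123 in front of clients behind a NAPT. The NAPT model is an assumption: it preserves the internal source port when that external port is free and allocates a new one on collision, with a constructed ephemeral range starting at 49152; the addresses are documentation-range placeholders.

```python
"""Why a 'source port must be 123' check rejects NAPT'd and port-randomizing clients.
Added example; the NAPT behaviour modelled here is an assumption, not a spec."""
from dataclasses import dataclass, field

NTP_PORT = 123  # well-known NTP port (RFC 5905)


@dataclass
class Napt:
    external_ip: str
    table: dict = field(default_factory=dict)   # (src_ip, src_port, dst) -> ext_port
    in_use: set = field(default_factory=set)    # (ext_port, dst) already mapped
    next_ephemeral: int = 49152                 # constructed: where rewritten ports start

    def translate(self, src_ip, src_port, dst):
        """Return (external_ip, external_port) for an outbound UDP flow."""
        key = (src_ip, src_port, dst)
        if key in self.table:
            return self.external_ip, self.table[key]
        # Assumed port-preserving NAPT: keep the internal port unless another
        # internal host already holds that external port towards the same dst.
        ext_port = src_port
        if (ext_port, dst) in self.in_use:
            while (self.next_ephemeral, dst) in self.in_use:
                self.next_ephemeral += 1
            ext_port = self.next_ephemeral   # collision: port gets rewritten
            self.next_ephemeral += 1
        self.in_use.add((ext_port, dst))
        self.table[key] = ext_port
        return self.external_ip, ext_port


def server_accepts(src_port, require_123):
    """A server applying the strict check drops anything not from port 123."""
    return src_port == NTP_PORT if require_123 else True


def run(clients, require_123=True):
    """clients: list of (internal_ip, source_port). Returns (accepted, rejected),
    each a list of (internal_ip, port as seen by the server)."""
    napt = Napt("198.51.100.1")                 # constructed NAPT external address
    server = ("203.0.113.10", NTP_PORT)          # constructed NTP server
    accepted, rejected = [], []
    for ip, port in clients:
        _, ext_port = napt.translate(ip, port, server)
        bucket = accepted if server_accepts(ext_port, require_123) else rejected
        bucket.append((ip, ext_port))
    return accepted, rejected
```

Two clients both using source port 123 behind one NAPT are enough to trigger a rewrite, so with the strict check only the first of them (and no port-randomizing client) is served; with the check off, all of them are.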