Re: [Ntp] NAT devices not translating privileged ports

Fernando Gont <fernando.gont@edgeuno.com> Thu, 10 June 2021 09:37 UTC

From: Fernando Gont <fernando.gont@edgeuno.com>
To: "mlichvar@redhat.com" <mlichvar@redhat.com>
CC: "ntp@ietf.org" <ntp@ietf.org>
Date: Thu, 10 Jun 2021 09:37:43 +0000
Message-ID: <65698f4e5c19022dbfce4de37671b9744c44bdd9.camel@edgeuno.com>
References: <c576bad79151f48543179594b4ea2bc46c85cdb6.camel@edgeuno.com> <YL3ZC6lgSOZE/s3Z@localhost>
In-Reply-To: <YL3ZC6lgSOZE/s3Z@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/iQk8A4U3ZEJ0W5gtHm9MPjnc-Rs>
Subject: Re: [Ntp] NAT devices not translating privileged ports

Hi, Miro,

On Mon, 2021-06-07 at 10:30 +0200, Miroslav Lichvar wrote:
> On Fri, Jun 04, 2021 at 07:02:29AM +0000, Fernando Gont wrote:
> > As part of the IESG review of the ntp port randomization draft
> > (https://www.ietf.org/archive/id/draft-ietf-ntp-port-randomization-06.txt),
> > we were asked if we could provide a reference for NAT devices that do
> > not translate the source port if the source port is a privileged port
> > (<1024).
> > 
> > Any clues/examples of this type of NATs?
> 
> I don't remember seeing something like that.
> 
> An issue specific to NAT and the anti-DDoS mitigations is that when
> multiple clients are using the same server, only one can have the
> publicly visible port 123 at a time. If that port is blocked in a
> firewall elsewhere in the network, it causes weird behavior, where NTP
> sometimes works and sometimes does not.

I'm now considering whether we'd be better off removing the whole
Section 3.4, i.e., removing this:

---- cut here ----
 3.4.  Effect on NAT devices

  Some NAT devices will not translate the source port of a packet when
  a privileged port number is employed.  In networks where such NAT
  devices are employed, use of the NTP well-known port for the client
  port will essentially limit the number of hosts that may successfully
  employ NTP client implementations.

  In the case of NAT devices that will translate the source port even
  when a privileged port is employed, packets reaching the external
  realm of the NAT will not employ the NTP well-known port as the local
  port, since the local port will normally be translated by the NAT
  device, possibly (but not necessarily) with a random port.
---- cut here ----

Thoughts?

Thanks!

Regards,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
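The two NAT behaviours that Section 3.4 contrasts, and the "only one client can hold external port 123" effect Miroslav describes, are easy to see in a small model. The following is an added illustration for this thread, not code from the draft, from any NTP implementation or from a NAT vendor. It defines two hypothetical NAPT policies, "preserve-privileged" (a source port below 1024 is never rewritten, so a second host on the same privileged port gets no mapping) and "translate-all" (the port is kept while it is free externally, otherwise a random ephemeral port is chosen), and runs a few constructed clients through each. Addresses are constructed from documentation ranges; class and function names are the example's own.

```python
"""Toy model of how a NAPT handles NTP clients' source ports.

Added illustration, not code from the draft, the NTP project or any NAT
vendor.  Two hypothetical NAT policies are modelled so the two cases in
Section 3.4 can be compared:

  "preserve-privileged": a source port below 1024 is never rewritten, so a
      second internal host using the same privileged port towards the same
      server gets no mapping at all;
  "translate-all": any source port may be rewritten; it is kept when still
      free on the external side, otherwise a random ephemeral port is used
      (the "possibly, but not necessarily, random" case).

All addresses are constructed from documentation ranges.
"""
import random
from dataclasses import dataclass, field

NTP_PORT = 123
PRIVILEGED_MAX = 1023
EPHEMERAL = range(49152, 65536)


@dataclass(frozen=True)
class Flow:
    """One UDP flow (protocol is always UDP here)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Napt:
    external_ip: str
    policy: str                       # "preserve-privileged" | "translate-all"
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    # (dst_ip, dst_port, external_port) -> (src_ip, src_port): used to
    # demultiplex replies and to see which external ports are already taken
    inbound: dict = field(default_factory=dict)
    outbound: dict = field(default_factory=dict)   # Flow -> external_port

    def _ports_in_use(self, dst_ip, dst_port):
        return {ep for (d_ip, d_port, ep) in self.inbound
                if (d_ip, d_port) == (dst_ip, dst_port)}

    def _pick_free(self, in_use):
        while True:
            candidate = self.rng.choice(EPHEMERAL)
            if candidate not in in_use:
                return candidate

    def translate(self, flow):
        """Return the flow as the server sees it, or None if this NAT
        refuses to create a mapping for it."""
        if flow in self.outbound:                    # existing binding
            ext_port = self.outbound[flow]
        else:
            in_use = self._ports_in_use(flow.dst_ip, flow.dst_port)
            if flow.src_port not in in_use:
                ext_port = flow.src_port             # port preserved when free
            elif (self.policy == "preserve-privileged"
                  and flow.src_port <= PRIVILEGED_MAX):
                return None                          # NAT will not rewrite it
            else:
                ext_port = self._pick_free(in_use)
            self.inbound[(flow.dst_ip, flow.dst_port, ext_port)] = (
                flow.src_ip, flow.src_port)
            self.outbound[flow] = ext_port
        return Flow(self.external_ip, ext_port, flow.dst_ip, flow.dst_port)

    def deliver_reply(self, server_ip, server_port, ext_port):
        """Internal endpoint a server reply addressed to ext_port reaches."""
        return self.inbound.get((server_ip, server_port, ext_port))


SERVER = ("192.0.2.1", NTP_PORT)       # constructed server address


def simulate(policy, client_ports, server=SERVER):
    """Client i lives at 10.0.0.i and sends from client_ports[i-1].
    Returns the external source port the server sees for each client,
    or None where the NAT produced no mapping."""
    nat = Napt(external_ip="198.51.100.7", policy=policy)
    seen = []
    for i, port in enumerate(client_ports, start=1):
        ext = nat.translate(Flow(f"10.0.0.{i}", port, *server))
        seen.append(None if ext is None else ext.src_port)
    return seen


def upstream_filter_passes(ext_port, blocked_port=NTP_PORT):
    """The firewall 'elsewhere in the network' from the quoted reply: the
    one client whose traffic leaves the NAT on the blocked port is dropped,
    the others work, hence NTP that 'sometimes works and sometimes does not'."""
    return ext_port is not None and ext_port != blocked_port


if __name__ == "__main__":
    for policy in ("preserve-privileged", "translate-all"):
        print(policy, "all clients on 123:", simulate(policy, [NTP_PORT] * 3))
    print("randomized ports:", simulate("preserve-privileged", [51234, 60001, 49999]))
```

With every client on source port 123, the "preserve-privileged" NAT maps only the first host and drops the rest, which is the host-count limit Section 3.4 describes; the "translate-all" NAT maps all three but only one of them keeps external port 123, so an upstream filter on that port breaks exactly one client. With randomized client ports neither NAT has to rewrite anything and no client is exposed on port 123. "Keep the port if it is free, otherwise pick another" is the port-preservation behaviour RFC 4787 discusses, chosen here so the model covers both the "translated" and "not necessarily random" wording of the draft.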