Re: Blocking packets from suspicious ports

Carsten Bormann <cabo@tzi.org> Wed, 04 May 2022 07:49 UTC

In-Reply-To: <20220504065344.GA26036@1wt.eu>
Cc: Christian Huitema <huitema@huitema.net>, Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>, IETF QUIC WG <quic@ietf.org>
Message-Id: <098A8520-0935-4D13-875C-97EBB50CB347@tzi.org>
References: <6830cf87-e1b6-14bb-7b10-9341fdb6d941@huitema.net> <1b686f1e-912d-5c02-cf5f-a8afbdd924bb@redbarn.org> <20220503032335.GB20878@1wt.eu> <e8c90e2b-e0f1-82ca-8243-2b41412de513@huitema.net> <20220504040937.GA25251@1wt.eu> <c29d88ab-20f2-45d3-6398-bbc5be8e7246@huitema.net> <20220504065344.GA26036@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/vx9ECjlkMcfbPlpkGGIgvX-_Y58>

On 4. May 2022, at 08:53, Willy Tarreau <w@1wt.eu> wrote:
> 
> […] This has
> contributed to making active FTP unpopular, and nowadays it has become
> safe to block SYN from sources < 1024 at the edge. UDP doesn't have such
> a thing as a SYN flag and it's critical that traffic cannot be made
> symmetrical, or there's no more infrastructure filtering and only
> application level filtering.

Instead of collecting wafting lists of undesirable ports, would it make sense to more architecturally partition port numbers between those used by servers and those used by clients?
Outside of specific applications (that could do with specific port number lists), we used to use ephemeral ports for clients, but not for servers.
If servers predominantly reflect on their server ports, and server ports don’t reach victim server ports, that would be a win.

Grüße, Carsten
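The two filtering ideas in this exchange (drop TCP SYNs whose source port is below 1024, and keep UDP traffic from becoming server-port-to-server-port) can be written down as one small edge policy. The following is an added example, not code from the thread or from any of its participants; it assumes a partition in which ports 0-1023 plus an operator-supplied list are "server ports" and the RFC 6335 dynamic range 49152-65535 holds client ports, and it runs over a constructed sample trace rather than captured packets.

```python
from dataclasses import dataclass

# Assumed partition (not from the thread): well-known ports are server ports,
# IANA's recommended dynamic range (RFC 6335) holds client ports.
WELL_KNOWN_MAX = 1023
EPHEMERAL_MIN = 49152


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False     # TCP only
    ack: bool = False     # TCP only


def is_server_port(port, extra_server_ports=frozenset()):
    """Well-known ports plus any application server ports the operator lists."""
    return port <= WELL_KNOWN_MAX or port in extra_server_ports


def edge_policy(pkt, extra_server_ports=frozenset()):
    """Classify one packet at the edge; returns (verdict, reason)."""
    if pkt.proto == "tcp":
        # A connection attempt is a SYN without ACK.  As the quoted message
        # notes, it is now safe to drop those when they come from a source
        # port below 1024 (active FTP was the classic exception).
        if (pkt.syn and not pkt.ack
                and is_server_port(pkt.src_port, extra_server_ports)):
            return "drop", "tcp-syn-from-server-port"
        return "accept", "tcp"
    if pkt.proto == "udp":
        # UDP has no SYN, so the edge cannot tell request from response by
        # flags.  With partitioned ports, legitimate traffic is client<->server;
        # a server-port-to-server-port packet is the symmetric case the thread
        # wants infrastructure filtering to be able to reject.
        if (is_server_port(pkt.src_port, extra_server_ports)
                and is_server_port(pkt.dst_port, extra_server_ports)):
            return "drop", "udp-server-to-server"
        return "accept", "udp"
    return "accept", "other-proto"


def filter_trace(packets, extra_server_ports=frozenset()):
    """Apply the policy to a sequence of packets; return the list of verdicts."""
    return [edge_policy(p, extra_server_ports)[0] for p in packets]


# Constructed sample trace (not captured data).
SAMPLE = [
    Packet("tcp", 80, 443, syn=True),               # SYN from a server port
    Packet("tcp", 51000, 443, syn=True),            # normal client SYN
    Packet("tcp", 443, 51000, syn=True, ack=True),  # SYN-ACK back to a client
    Packet("udp", 53, 53),                          # server port -> server port
    Packet("udp", 53, 51000),                       # DNS answer to a client
    Packet("udp", 51000, 443),                      # QUIC client -> server
    Packet("udp", 8443, 443),                       # dropped only if 8443 is listed
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, filter_trace(SAMPLE, extra_server_ports={8443})):
        print(f"{p.proto} {p.src_port}->{p.dst_port}: {v}")
```

Ports between 1024 and 49151 that the operator has not listed are treated as neither server nor client and pass through, which keeps the policy conservative. The caveat a deployment would hit is exactly the one the message raises for "specific applications": protocols that legitimately talk server-port to server-port (NTP symmetric peering on 123, for instance) need explicit exceptions, so the drop rule belongs behind an allowlist of known pairs rather than being applied blindly.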