Re: [tsvwg] UDP source ports for HTTP/3 and QUIC

"Black, David" <David.Black@dell.com> Tue, 20 July 2021 19:03 UTC

From: "Black, David" <David.Black@dell.com>
To: "Holland, Jake" <jholland@akamai.com>, Joseph Touch <touch@strayalpha.com>, Mark Nottingham <mnot@mnot.net>
CC: "tsvwg@ietf.org" <tsvwg@ietf.org>, "Black, David" <David.Black@dell.com>
Thread-Topic: [tsvwg] UDP source ports for HTTP/3 and QUIC
Date: Tue, 20 Jul 2021 19:02:38 +0000
Message-ID: <MN2PR19MB4045E5063CE13DDE39D5BE8683E29@MN2PR19MB4045.namprd19.prod.outlook.com>
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net> <CF409524-96F3-412A-A8DB-E4EFFDD9F4E7@mnot.net> <E62515E7-38FD-4197-8CF0-2D196FB6D6C4@strayalpha.com> <16CD883B-9561-41A5-97E0-43EF3618333C@mnot.net> <8235BE77-7849-49A3-A709-EB32EB039982@strayalpha.com> <AA5B1FC1-E0E8-488F-AE2E-F21696AD0A06@akamai.com>
In-Reply-To: <AA5B1FC1-E0E8-488F-AE2E-F21696AD0A06@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/S4bp4dUuKlURMXuPDsP84YcuBVc>
Subject: Re: [tsvwg] UDP source ports for HTTP/3 and QUIC
List-Id: Transport Area Working Group <tsvwg.ietf.org>

Explaining as an individual, not WG chair ... TL;DR: +1 on Jake's comments; his understanding matches mine.

Providing some more detail ...

> As I understand the proposal, it's to say "these source ports
> happen to match common attack targets that are listening ports
> for other protocols, and thus commonly get special handling to
> help avoid reflection attacks against those servers".

+1 - this is about documenting "running code" that discards traffic that uses one of those UDP source ports.

>> There’s no precedence for that decision and no registry where
>> those values would be indicated. 
>
> The proposal here is to create such a registry.

I definitely agree that a new registry is wanted/warranted, and I agree with Joe's objections to adding this information to the existing registry for ports.

Creating the new registry would require an RFC that lays out the rules for adding a port to the new registry.  I support that approach as I think there ought to be IETF consensus on what the criteria are for adding a port to that new registry.

... and responding to a question from Jake ...

> My main reservation here is that I'm not sure I understand why
> the listening ports are special--a volumetric reflection attack
> using servers for amplification would be just as effective with
> random source ports as long as it can fill the pipes for the
> victim's IP, wouldn't it?

The attacks of concern are 3rd party amplification attacks that are launched by an attacker sending small requests to a plethora of "foo" servers with the victim's IP address used as the source IP for the requests.  The "foo" servers have amplification properties in that a small request results in a large response, and the resulting plethora of large responses inundates the victim.

The "foo" servers of relevance to this discussion use a fixed value for the UDP source port in their (large) responses, hence a source port filtering rule that discards matching traffic blocks this sort of attack.  If something other than a "foo" server uses that UDP source port, its traffic is at risk of getting discarded, so the purpose of the registry is to warn against use of UDP source ports that risk this sort of traffic discard.

Thanks, --David

-----Original Message-----
From: tsvwg <tsvwg-bounces@ietf.org> On Behalf Of Holland, Jake
Sent: Tuesday, July 20, 2021 11:00 AM
To: Joseph Touch; Mark Nottingham
Cc: tsvwg@ietf.org
Subject: Re: [tsvwg] UDP source ports for HTTP/3 and QUIC


From: Joseph Touch <touch@strayalpha.com>
> Date: Mon, 2021-07-19 at 9:10 PM
> On Jul 19, 2021, at 8:43 PM, Mark Nottingham <mnot@mnot.net> wrote:
> Well, there’s no consensus on reserving ports as source ports
> UNLESS that is the port on which the service listens. I.e.,
> IANA ports are defined as listening ports and are thus used
> in packets emitted from that listener.

From reading the links in the original message, I didn't think
the idea here was to reserve source ports, exactly.

As I understand the proposal, it's to say "these source ports
happen to match common attack targets that are listening ports
for other protocols, and thus commonly get special handling to
help avoid reflection attacks against those servers".

> There should be no prohibition on using any port number for
> source unless a listen exists on that port.

As I understood it, it's not a prohibition on using those ports,
it's a warning that if you use them, many servers are likely to
block you and likely to continue to do so until further notice
(at least until they have a better answer deployed).

> There’s no precedence for that decision and no registry where
> those values would be indicated. 

The proposal here is to create such a registry.

Of course we don't need precedent to do something that's a good
idea, but the burden of proof is lower if there's some sense in
which there's good precedents showing how doing something like
it in the past has helped things.

I would argue there's plenty of such examples for both
"document how the internet works in practice" (especially when
it has diverged from a design from 30+ years ago that didn't
anticipate modern security issues like reflection attacks) and
for "create a registry to list things that can help people
avoid unpleasant surprises".

My main reservation here is that I'm not sure I understand why
the listening ports are special--a volumetric reflection attack
using servers for amplification would be just as effective with
random source ports as long as it can fill the pipes for the
victim's IP, wouldn't it?

I thought the real problem is that protocol design needs to
avoid generating more traffic than was sent to them before the
server has proved 2-way connectivity to someone who requested
it?  I don't quite get how blocking source ports can fill that
hole.

But with that said, it's interesting that people are doing this,
and if it's the best operational fix for *some* problem, it seems
worth documenting to me, if only selfishly so I can understand
where it's helpful.

-Jake
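The attack and the filtering rule David lays out above, together with the collateral damage to QUIC clients that the thread is about, as an added example that is not part of this thread or of any vendor's deployment: a small Python simulation of the victim-side source-port discard rule run over constructed datagrams, plus the client-side rebind that the proposed registry would let an implementation perform. The port set, the addresses, the packet sizes and the function names are assumptions made for the example; the port set in particular is an illustrative list of commonly abused UDP reflectors, not the registry the thread proposes.

```python
"""Victim-side UDP source-port filter, as described in the thread, simulated
over constructed datagrams. Example code, not code from the thread.

The attack: an attacker spoofs the victim's IP in small requests to many
"foo" servers; each answers from its fixed listening port with a much larger
datagram, and the victim is flooded. Because the reflector's *source* port is
fixed, a victim-side rule that discards inbound UDP with that source port
blocks the reflected traffic, and also any unrelated client (a QUIC client,
say) whose source port happens to collide with it.
"""
from dataclasses import dataclass
from typing import Iterable

# ASSUMPTION: illustrative set of listening ports of services widely abused as
# UDP reflectors. This is not the registry the thread proposes; an operator's
# real list would come from their own traffic data.
AMPLIFIER_SOURCE_PORTS = frozenset({
    19,     # chargen
    53,     # DNS
    111,    # portmap / SunRPC
    123,    # NTP
    137,    # NetBIOS name service
    161,    # SNMP
    389,    # CLDAP
    1900,   # SSDP
    11211,  # memcached
})

HTTP3_PORT = 443            # UDP port an HTTP/3 server listens on
DYNAMIC_PORT_START = 49152  # IANA dynamic range; contains none of the ports above


@dataclass(frozen=True)
class UdpDatagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int   # bytes on the wire; the values used below are constructed
    note: str = ""


def matches_reflector_source_port(d: UdpDatagram) -> bool:
    """The discard rule: the reflector replies from a fixed port, so the
    source port alone selects the reflected traffic. Nothing here checks
    whether the datagram really is a reflected response."""
    return d.src_port in AMPLIFIER_SOURCE_PORTS


def filter_inbound(datagrams: Iterable[UdpDatagram]):
    """Apply the rule to inbound UDP; returns (passed, dropped)."""
    passed, dropped = [], []
    for d in datagrams:
        (dropped if matches_reflector_source_port(d) else passed).append(d)
    return passed, dropped


def amplification_factor(request_len: int, response_lens: Iterable[int]) -> float:
    """Bytes delivered to the victim per byte the attacker sent. Values > 1
    are what make reflection worthwhile for the attacker."""
    return sum(response_lens) / request_len


def pick_client_source_port(candidate: int,
                            avoid: frozenset = AMPLIFIER_SOURCE_PORTS) -> int:
    """Client-side mitigation the proposed registry would inform: if the
    assigned source port collides with a filtered value, rebind to the next
    free port in the dynamic range instead of sending and being discarded."""
    port = candidate
    while port in avoid:
        port = DYNAMIC_PORT_START if port < DYNAMIC_PORT_START else port + 1
    return port


# Constructed traffic arriving at a victim that is also an HTTP/3 server
# (TEST-NET addresses, constructed lengths).
VICTIM = "198.51.100.7"
SAMPLE_INBOUND = [
    # Reflected NTP reply: source port is NTP's fixed listening port.
    UdpDatagram("203.0.113.5", 123, VICTIM, 40000, 1400, "reflected NTP response"),
    # Reflected memcached reply, same pattern on a different service.
    UdpDatagram("203.0.113.9", 11211, VICTIM, 40001, 1400, "reflected memcached response"),
    # Collateral damage: a real QUIC client whose source port happened to be 123.
    UdpDatagram("192.0.2.10", 123, VICTIM, HTTP3_PORT, 1200, "QUIC Initial, colliding source port"),
    # Normal QUIC client (Initial datagrams are padded to at least 1200 bytes).
    UdpDatagram("192.0.2.11", 51234, VICTIM, HTTP3_PORT, 1200, "QUIC Initial"),
]


def run_demo():
    """Returns the notes of the (passed, dropped) datagrams in the sample trace."""
    passed, dropped = filter_inbound(SAMPLE_INBOUND)
    return [d.note for d in passed], [d.note for d in dropped]


if __name__ == "__main__":
    passed, dropped = run_demo()
    print("passed :", passed)
    print("dropped:", dropped)
    # Two 1400-byte replies triggered by one constructed 60-byte spoofed request.
    print("amplification x%.1f" % amplification_factor(60, [1400, 1400]))
    print("client rebind 123 ->", pick_client_source_port(123))
```

The point the simulation makes is the one David and Jake converge on: the rule keys on the reflector's fixed source port, not on anything the attacker chooses, which is why it works against reflection and why a QUIC client that lands on one of those source ports is indistinguishable from the attack to this filter.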