Hi, Bjørn,

On Thu, 2021-06-10 at 12:10 +0200, Bjørn Mork wrote:
> Fernando Gont via NANOG <nanog@nanog.org> writes:
>> What has been reported to us is that some boxes do not translate the src port if it's a privileged port.
>> In such scenarios, NTP implementations that always use src port=123, dst port=123 might be in trouble if there are multiple NTP clients behind the same NAT device....
>
> This problem used to be very common for 500/udp. Ref https://datatracker.ietf.org/doc/html/rfc3715#section-2.3
Thanks a lot for the link! -- this is indeed a good read.

I'm curious if there exists something similar for UDP/123? FWIW, we have this IETF I-D on NTP port randomization: https://datatracker.ietf.org/doc/html/draft-ietf-ntp-port-randomization-06 , which has this section on the same kind of behavior, but for the NTP port:

---- cut here ----
3.4. Effect on NAT devices

Some NAT devices will not translate the source port of a packet when a privileged port number is employed. In networks where such NAT devices are employed, use of the NTP well-known port for the client port will essentially limit the number of hosts that may successfully employ NTP client implementations.

In the case of NAT devices that will translate the source port even when a privileged port is employed, packets reaching the external realm of the NAT will not employ the NTP well-known port as the local port, since the local port will normally be translated by the NAT device possibly, but not necessarily, with a random port.
---- cut here ----

So I'm trying to find some reference that documents such behavior for the NTP case....

Thanks!

Regards,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
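To make the failure mode in the quoted I-D section concrete, here is an added toy model of a port-translating NAT (NAPT). It is not code from this thread, from the NTP I-D, or from any real NAT product; the addresses, the ephemeral range, the mapping-table shape and the choice to drop a packet whose untranslated privileged port is already claimed by another inside host are all assumptions of the model. It contrasts a NAT that leaves privileged source ports untranslated against one that rewrites them, and against clients that pick a random local port as the I-D recommends.

```python
"""Toy NAPT model: why NTP clients that always send from 123/udp collide
behind a NAT that does not translate privileged source ports.

Added illustration; not code from the mailing-list thread, the NTP port
randomization I-D, or any real NAT.  All addresses, ports and table-handling
details below are constructed assumptions of the model."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import random

NTP_PORT = 123
PRIVILEGED_MAX = 1023            # 0-1023: privileged / well-known ports
EPHEMERAL = range(49152, 65536)  # range the model uses for translated ports


@dataclass(frozen=True)
class Flow:
    """One UDP 4-tuple as seen on one side of the NAT."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Napt:
    external_ip: str
    translate_privileged: bool   # False models the boxes reported in the thread
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    # (external port, remote ip, remote port) -> (inside ip, inside port)
    table: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Translate an inside->outside packet; None means no usable mapping
        (a privileged port the NAT refuses to rewrite is already taken)."""
        remote = (f.dst_ip, f.dst_port)
        # Reuse an existing mapping for this inside endpoint and remote peer.
        for (ext_port, rip, rport), inside in self.table.items():
            if inside == (f.src_ip, f.src_port) and (rip, rport) == remote:
                return Flow(self.external_ip, ext_port, f.dst_ip, f.dst_port)
        if f.src_port <= PRIVILEGED_MAX and not self.translate_privileged:
            ext_port = f.src_port            # passed through unchanged
            if (ext_port, *remote) in self.table:
                return None                  # another inside host owns 123 already
        else:
            ext_port = self._free_port(remote)
        self.table[(ext_port, *remote)] = (f.src_ip, f.src_port)
        return Flow(self.external_ip, ext_port, f.dst_ip, f.dst_port)

    def _free_port(self, remote: Tuple[str, int]) -> int:
        """Pick a random external port not yet mapped for this remote peer."""
        while True:
            p = self.rng.choice(EPHEMERAL)
            if (p, *remote) not in self.table:
                return p

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate an outside->inside reply via the stored mapping."""
        inside = self.table.get((f.dst_port, f.src_ip, f.src_port))
        if inside is None:
            return None
        return Flow(f.src_ip, f.src_port, inside[0], inside[1])


def ntp_clients_served(n_clients: int, translate_privileged: bool,
                       randomize_client_port: bool,
                       server_ip: str = "203.0.113.10") -> int:
    """Put n_clients behind one NAT talking to one NTP server; count how many
    get a request out AND have the server's reply delivered back to them."""
    nat = Napt("198.51.100.1", translate_privileged)
    rng = random.Random(7)
    served = 0
    for i in range(n_clients):
        client_ip = f"192.168.0.{10 + i}"          # constructed inside addresses
        sport = rng.choice(EPHEMERAL) if randomize_client_port else NTP_PORT
        out = nat.outbound(Flow(client_ip, sport, server_ip, NTP_PORT))
        if out is None:
            continue                                # request never left the NAT
        reply = Flow(server_ip, NTP_PORT, out.src_ip, out.src_port)
        back = nat.inbound(reply)
        if back is not None and (back.dst_ip, back.dst_port) == (client_ip, sport):
            served += 1
    return served


if __name__ == "__main__":
    print("no privileged translation, src=123:", ntp_clients_served(5, False, False))
    print("privileged translation,    src=123:", ntp_clients_served(5, True, False))
    print("no privileged translation, random :", ntp_clients_served(5, False, True))
```

With five clients, the first configuration serves exactly one of them: the NAT passes 123 through for the first host and then has nowhere to put the other four. Either fix restores service to all five, which is the point the I-D makes: a NAT that rewrites privileged ports hides the problem, while a client that randomizes its local port never triggers it in the first place.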