Re: TCP and UDP Port 0 - Should an ISP or ITP Block it?
To be clear, UDP port 0 is not and probably shouldn't be blocked because some network gear and reporting tools may mistake a fragmented UDP PDU for port 0. That's an implementation error, but one that may be common enough to create issues for users. Blocking inbound TCP port 0 is something that I've personally done in dozens of ISP networks over more than a decade without a single reported issue.
Scott Helms
On Tue, Aug 25, 2020 at 7:39 PM narhiro <blackperl.narita9@gmail.com> wrote:
"Port 0 is a reserved port, which means it should not be used by applications. Network abuse has prompted the need to block this port."
"What about UDP IP fragmentation?"
I'm not sure I follow this. The IP packet will be fragmented with UDP inside it. When the IP packet gets put together the UDP PDU will have a port number. It's possible that some packet analyzers or network gear will improperly "see" a partial UDP flow as port 0 but that's a mischaracterization of the flow.
Scott Helms
On Tue, Aug 25, 2020 at 8:17 AM Job Snijders <job@ntt.net> wrote:
On Tue, Aug 25, 2020 at 07:27:33AM -0400, K. Scott Helms wrote:
I think a fairly easy thing to do is see what other large retail ISPs have done. Comcast, as an example, lists all of the ports they block and 0 is blocked. I do recommend that port 0 be blocked by all of the ISPs I work with and frankly Comcast's list is a pretty good one to use in general, though you will get some pushback on things like SMTP.
https://www.xfinity.com/support/articles/list-of-blocked-ports
I may be reading the table incorrectly, but it seems to me Comcast is *not* blocking UDP port 0 according to the above URL?
Transit providers are a little bit different, but then again port 0 is also different since AFAIK it's never had a legitimate use case. It's always been a reserved port. I'd personally block it if I ran a transit, but I'd be more willing to open it up for one of my large customers (in a limited way) than I would on the retail side. https://www.iana.org/assignments/service-names-port-numbers/service-names-po...
What about UDP IP fragmentation?
Kind regards,
Job
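An added illustration of the fragmentation point raised above (my own example, not code from anyone in the thread): one UDP datagram is split into constructed IPv4 fragments, and a per-packet classifier that can only read ports from the first fragment ends up recording port 0 for the rest, which is exactly what a "block port 0" rule would then drop. Addresses, IP ID and ports are made-up sample values.

```python
import struct

def ipv4_packet(src, dst, ident, more_frags, frag_offset, payload, proto=17):
    """Constructed IPv4 header (checksum left 0) + payload; offset in 8-byte units."""
    flags_off = (more_frags << 13) | frag_offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload

def fragment_udp(src, dst, ident, sport, dport, payload, mtu=1500):
    """Split one UDP datagram into IPv4 fragments the way a router would."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    chunk = ((mtu - 20) // 8) * 8          # fragment payload is a multiple of 8
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        mf = 1 if off + chunk < len(udp) else 0
        frags.append(ipv4_packet(src, dst, ident, mf, off // 8, piece))
    return frags

def parse(pkt):
    """Pull the fields a classifier needs out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off, _ttl, proto = struct.unpack("!HHBB", pkt[4:10])
    return dict(src=pkt[12:16], dst=pkt[16:20], ident=ident, proto=proto,
                offset=flags_off & 0x1FFF, payload=pkt[ihl:])

def naive_ports(pkt):
    """Per-packet view: only the first fragment carries the UDP header, so a
    non-initial fragment has no ports; many exporters/filters record it as 0."""
    p = parse(pkt)
    if p["offset"] == 0:
        return struct.unpack("!HH", p["payload"][:4])
    return (0, 0)

def fragment_aware_ports(pkts):
    """Learn ports from the first fragment and apply them to later fragments
    sharing (src, dst, proto, ident). Assumes in-order arrival; a fragment whose
    first piece has not been seen is reported as unknown, not as port 0."""
    seen, out = {}, []
    for pkt in pkts:
        p = parse(pkt)
        key = (p["src"], p["dst"], p["proto"], p["ident"])
        if p["offset"] == 0:
            seen[key] = struct.unpack("!HH", p["payload"][:4])
        out.append(seen.get(key, (None, None)))
    return out
```

With a 3000-byte payload to port 53 this yields three fragments; `naive_ports` reports (0, 0) for the second and third, while `fragment_aware_ports` attributes all three to port 53.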
K. Scott Helms wrote on 26/08/2020 13:55:
To be clear, UDP port 0 is not and probably shouldn't be blocked because some network gear and reporting tools may mistake a fragmented UDP PDU for port 0. That's an implementation error, but one that may be common enough to create issues for users.
do you have data on this?
Nick
Nick,
Data on blocking inbound TCP or the kinds of gear that mistakenly labels UDP fragments as DST port 0?
Scott Helms
On Wed, Aug 26, 2020 at 9:00 AM Nick Hilliard <nick@foobar.org> wrote: