Re: NAT devices not translating privileged ports

2021-06-10 Thread Fernando Gont via NANOG
Hi, Jean, On Thu, 2021-06-10 at 08:23 -0400, Jean St-Laurent wrote: > Let's start with this example. When I click sync my clock in windows, > this happened. > > On the inside or Private side > 08:15:07.434344 IP 192.168.254.205.123 > 13.86.101.172.123: NTPv3, > Client, length 48 >

Re: NAT devices not translating privileged ports

2021-06-10 Thread Blake Hudson
On 6/10/2021 4:04 AM, Fernando Gont wrote: Hi, Blake, Thanks a lot for your comments! In-line On Fri, 2021-06-04 at 11:13 -0500, Blake Hudson wrote: Current gen Cisco ASA firewalls have logic so that if the connection from a private host originated from a privileged source port, the NAT

RE: NAT devices not translating privileged ports

2021-06-10 Thread Jean St-Laurent via NANOG
s that don't follow this behaviour, right? Jean -Original Message- From: Fernando Gont Sent: June 10, 2021 7:09 AM To: j...@ddostest.me; nanog@nanog.org Subject: Re: NAT devices not translating privileged ports Hi, Jean, On Thu, 2021-06-10 at 06:54 -0400, Jean St-Laurent via NANOG

Re: NAT devices not translating privileged ports

2021-06-10 Thread Fernando Gont via NANOG
Hi, Jean, On Thu, 2021-06-10 at 06:54 -0400, Jean St-Laurent via NANOG wrote: > Hi Fernando, > > NTP sounds simple but it could be very complex when you dig deep down > and/or get lost in details. > Here are 2 things to consider: > > 1. NTP clients can query NTP servers by using SRC UDP ports

RE: NAT devices not translating privileged ports

2021-06-10 Thread Jean St-Laurent via NANOG
Hi Fernando, NTP sounds simple but it could be very complex when you dig deep down and/or get lost in details. Here are 2 things to consider: 1. NTP clients can query NTP servers by using SRC UDP ports > 1024. 2. NTP servers cannot query/sync/communicate to another NTP server when using SRC

Re: NAT devices not translating privileged ports

2021-06-10 Thread Fernando Gont via NANOG
Hi, Bjørn, On Thu, 2021-06-10 at 12:10 +0200, Bjørn Mork wrote: > Fernando Gont via NANOG writes: > > > What has been reported to us is that some boxes do not translate > > the > > src port if it's a privileged port. > > > > In such scenarios, NTP implementations that always use src > >

Re: NAT devices not translating privileged ports

2021-06-10 Thread Bjørn Mork
Fernando Gont via NANOG writes: > What has been reported to us is that some boxes do not translate the > src port if it's a privileged port. > > In such scenarios, NTP implementations that always use src port=123, > dst port=123 might be in trouble if there are multiple NTP clients > behind the
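As an added example, not code from this thread or from any NTP or NAT implementation, the following Python models the situation Fernando and Bjørn describe: a toy NAPT that, as reported for some devices, leaves a privileged source port untranslated; two NTP clients behind it that both poll the same server from UDP/123; and the same two clients using a randomized source port as draft-ietf-ntp-port-randomization proposes. The public address 203.0.113.1, the inside hosts, the toy NAT logic and the minimal 48-byte request (which tcpdump decodes as "NTPv3, Client, length 48", like the capture quoted earlier in the thread) are constructed for illustration.

```python
"""Added example: why two NTP clients that both send from UDP/123 collide
behind a NAPT that keeps privileged source ports untranslated, and why a
randomized (ephemeral) client source port avoids it.  Addresses, the NAT
model and the NTP packet are assumptions for illustration only."""
import random
import struct

NTP_PORT = 123
EPHEMERAL_RANGE = (49152, 65535)   # IANA dynamic range; an assumption here


class NatCollision(Exception):
    """The outside 5-tuple already maps to a different inside host."""


def build_ntp_client_request(version: int = 3) -> bytes:
    """48-byte NTP request with LI=0, VN=version, Mode=3 (client); all other
    fields zero, which is what a bare poll looks like on the wire."""
    first_byte = (0 << 6) | (version << 3) | 3
    return struct.pack("!B", first_byte) + b"\x00" * 47


def decode_ntp_header(pkt: bytes) -> dict:
    """Return the LI/VN/Mode fields tcpdump prints from the first byte."""
    b = pkt[0]
    return {"li": b >> 6, "vn": (b >> 3) & 0x7, "mode": b & 0x7, "length": len(pkt)}


def ephemeral_port(rng: random.Random) -> int:
    """What a port-randomizing NTP client picks instead of 123."""
    return rng.randint(*EPHEMERAL_RANGE)


class Napt:
    """Toy NAPT with a single public address.

    preserve_privileged=True models the reported device: a source port
    below 1024 is left untranslated on the outside.  Otherwise every
    outside port is drawn from the ephemeral range."""

    def __init__(self, public_ip: str, preserve_privileged: bool, seed: int = 0):
        self.public_ip = public_ip
        self.preserve_privileged = preserve_privileged
        self.rng = random.Random(seed)
        self.table = {}   # (out_port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> tuple:
        """Translate an outbound datagram; return (public_ip, out_port)."""
        inside = (src_ip, src_port)
        # Reuse an existing mapping for the same inside endpoint and peer.
        for key, host in self.table.items():
            if host == inside and key[1:] == (dst_ip, dst_port):
                return (self.public_ip, key[0])
        if self.preserve_privileged and src_port < 1024:
            key = (src_port, dst_ip, dst_port)          # the problematic rule
            if key in self.table:                       # owned by another host
                raise NatCollision(f"{self.public_ip}:{src_port} -> {dst_ip}:{dst_port} "
                                   f"already mapped to {self.table[key]}")
        else:
            for _ in range(1000):
                key = (self.rng.randint(*EPHEMERAL_RANGE), dst_ip, dst_port)
                if key not in self.table:
                    break
            else:
                raise RuntimeError("port pool exhausted")
        self.table[key] = inside
        return (self.public_ip, key[0])

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> tuple:
        """Map a reply arriving at public_ip:dst_port back to the inside host."""
        return self.table[(dst_port, src_ip, src_port)]


def run_two_clients(preserve_privileged: bool, randomize_client_port: bool) -> dict:
    """Two inside clients poll the same server through one NAT; report
    per-client whether a usable mapping exists and which outside port."""
    server = "13.86.101.172"
    nat = Napt("203.0.113.1", preserve_privileged)
    rng = random.Random(1)
    outcome = {}
    for client in ("192.168.254.205", "192.168.254.206"):
        sport = ephemeral_port(rng) if randomize_client_port else NTP_PORT
        try:
            _, out_port = nat.outbound(client, sport, server, NTP_PORT)
            # The server's reply must be steerable back to this client.
            assert nat.inbound(server, NTP_PORT, out_port) == (client, sport)
            outcome[client] = ("ok", out_port)
        except NatCollision as e:
            outcome[client] = ("collision", str(e))
    return outcome


if __name__ == "__main__":
    print(decode_ntp_header(build_ntp_client_request(3)))
    for preserve, rnd in ((True, False), (False, False), (True, True)):
        print(f"preserve_privileged={preserve} randomize={rnd}:",
              run_two_clients(preserve, rnd))
```

With preserve_privileged=True and both clients on source port 123 the second mapping is rejected because the outside tuple 203.0.113.1:123 -> 13.86.101.172:123 already belongs to the first host; a real device might instead overwrite or drop it, but either way replies can no longer reach both clients. With randomize_client_port=True the source port is above 1023, so even the port-preserving NAT allocates distinct outside ports and both clients get their replies.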

Re: NAT devices not translating privileged ports

2021-06-10 Thread Fernando Gont via NANOG
Hi, Jean, On Fri, 2021-06-04 at 08:36 -0400, Jean St-Laurent wrote: > I believe all devices will translate a privileged ports, but it won't > translate to the same number on the other side. It will translate to > an unprivileged port. Is it what you meant or really there are some > devices that

Re: NAT devices not translating privileged ports

2021-06-10 Thread Fernando Gont via NANOG
Hi, Blake, Thanks a lot for your comments! In-line On Fri, 2021-06-04 at 11:13 -0500, Blake Hudson wrote: > Current gen Cisco ASA firewalls have logic so that if the connection > from a private host originated from a privileged source port, the > NAT > translation to public IP also uses

Re: NAT devices not translating privileged ports

2021-06-07 Thread Alvaro Pereira
> > > What are you trying to achieve? > > > > Jean > > > > -Original Message- > > From: NANOG On Behalf Of > Fernando Gont > > Sent: June 4, 2021 3:00 AM > > To: nanog@nanog.org > > Subject: NAT devices not translating priv

Re: NAT devices not translating privileged ports

2021-06-04 Thread Blake Hudson
Is it what you meant or really there are some devices that will not translate at all a privileged port? What are you trying to achieve? Jean -Original Message- From: NANOG On Behalf Of Fernando Gont Sent: June 4, 2021 3:00 AM To: nanog@nanog.org Subject: NAT devices not translating pri

RE: NAT devices not translating privileged ports

2021-06-04 Thread Jean St-Laurent via NANOG
to achieve? Jean -Original Message- From: NANOG On Behalf Of Fernando Gont Sent: June 4, 2021 3:00 AM To: nanog@nanog.org Subject: NAT devices not translating privileged ports Folks, While discussing port randomization (in the context of https://www.ietf.org/archive/id/draft-ietf-ntp-port

NAT devices not translating privileged ports

2021-06-04 Thread Fernando Gont
Folks, While discussing port randomization (in the context of https://www.ietf.org/archive/id/draft-ietf-ntp-port-randomization-06.txt ), it has been raised to us that some NAT devices do not translate the source port if the source port is a privileged port (<1024). Any clues/examples of this