nanog mailing list archives

Re: NAT devices not translating privileged ports


From: Fernando Gont via NANOG <nanog () nanog org>
Date: Thu, 10 Jun 2021 11:09:25 +0000

Hi, Jean,

On Thu, 2021-06-10 at 06:54 -0400, Jean St-Laurent via NANOG wrote:
> Hi Fernando,
>
> NTP sounds simple but it could be very complex when you dig deep down
> and/or get lost in details.
> Here are 2 things to consider:
>
> 1. NTP clients can query NTP servers by using SRC UDP ports > 1024.

This is indeed the case we're addressing. The NTP spec mandates src
port=123, even for client-to-server cases.



> In your case, it sounds like you want to achieve NTP server to NTP
> server, but you mention NTP clients behind NAT devices.

Nope. We simply recommend randomizing the source port for
client-to-server cases.

So in the quoted section we make the case that requiring src port=123
for clients doesn't really make sense:
1) if the NAT translates the port, the server won't see src 123 anyway
2) if the NAT doesn't translate the port, you won't be able to have
multiple NTP clients behind the same firewall.



> Can you give us more details on what kind of communication you need
> here? From what I understand client to server should work just fine
> with any NAT devices.
>
> Maybe you meant multiple NTP servers behind the same NAT to external
> NTP servers.

Please let me know if what I wrote above clarifies our intent.

Thanks!

Regards,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
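The two NAT cases argued in the message above (a port-rewriting NAT hides src port 123 from the server; a port-preserving NAT lets only one inside client own 192.0.2.1:123), as an added example that is not part of the original post and not code from any real NAT. The addresses, the inside host numbering and the sequential port allocation are constructed for illustration; real devices pick outside ports differently and some fall back to rewriting on collision, which this model deliberately does not do.

```python
"""Toy UDP NAPT model (added example, not from the original post or any real
NAT implementation). It shows why NTP clients that pin their source port to
123 collide behind a NAT that does not rewrite ports, while a NAT that does
rewrite ports never presents src port 123 to the server anyway. Addresses
and the port-allocation policy are constructed for illustration."""
import random
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

NAT_EXTERNAL_IP = "192.0.2.1"          # constructed, RFC 5737 documentation range
NTP_SERVER = ("198.51.100.10", 123)    # constructed external NTP server


@dataclass(frozen=True)
class Flow:
    """One UDP flow as seen on a given side of the NAT."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Minimal UDP NAPT with a single external address.

    preserve_ports=True models a NAT that keeps the inside source port as the
    outside source port and has no fallback; preserve_ports=False models a
    NAT that always allocates a fresh outside port (here sequentially from
    1024; real devices choose differently, the point is only that it changes).
    """

    def __init__(self, external_ip: str, preserve_ports: bool) -> None:
        self.external_ip = external_ip
        self.preserve_ports = preserve_ports
        # outside source port -> (inside ip, inside port) that owns it
        self.table: Dict[int, Tuple[str, int]] = {}
        self._next_port = 1024

    def translate(self, flow: Flow) -> Optional[Flow]:
        """Return the flow as the server sees it, or None if no mapping fits."""
        inside = (flow.src_ip, flow.src_port)
        # An inside endpoint that already has a mapping keeps it.
        for ext_port, owner in self.table.items():
            if owner == inside:
                return replace(flow, src_ip=self.external_ip, src_port=ext_port)
        if self.preserve_ports:
            ext_port = flow.src_port
            if ext_port in self.table:
                # Another inside host already owns this outside port: the
                # server's reply to <external ip>:123 could not be demultiplexed.
                return None
        else:
            ext_port = self._next_port
            self._next_port += 1
        self.table[ext_port] = inside
        return replace(flow, src_ip=self.external_ip, src_port=ext_port)


def simulate(preserve_ports: bool, client_src_ports: List[int]) -> List[Optional[Flow]]:
    """Place one NTP client per listed source port behind one NAT and return
    what the external server sees for each (None = client could not be mapped)."""
    nat = Napt(NAT_EXTERNAL_IP, preserve_ports)
    seen: List[Optional[Flow]] = []
    for i, sport in enumerate(client_src_ports):
        client = Flow(f"10.0.0.{i + 1}", sport, *NTP_SERVER)  # constructed inside hosts
        seen.append(nat.translate(client))
    return seen


def random_client_ports(n: int) -> List[int]:
    """Distinct randomized ephemeral source ports, one per client, as the
    message above recommends instead of a fixed src port 123."""
    return random.sample(range(1024, 65536), n)


if __name__ == "__main__":
    scenarios = [
        ("fixed src 123, port-preserving NAT", True, [123, 123, 123]),
        ("fixed src 123, port-rewriting NAT", False, [123, 123, 123]),
        ("random src ports, port-preserving NAT", True, random_client_ports(3)),
    ]
    for label, preserve, ports in scenarios:
        print(label)
        for f in simulate(preserve, ports):
            print("  server sees:", f"{f.src_ip}:{f.src_port}" if f else "no mapping (collision)")
```

Running it prints one line per client for each scenario: with a fixed src 123 behind a port-preserving NAT only the first client gets a mapping; behind a port-rewriting NAT all three map, but none of them reaches the server with src 123; with randomized client ports all three map even without port rewriting.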
