[187846] in North American Network Operators' Group


Re: Thank you, Comcast.

daemon@ATHENA.MIT.EDU (Blake Hudson)
Fri Feb 26 15:04:29 2016

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Blake Hudson <blake@ispn.net>
Date: Fri, 26 Feb 2016 14:04:07 -0600
In-Reply-To: <56D0AF01.6040303@ispn.net>
Errors-To: nanog-bounces@nanog.org


Blake Hudson wrote on 2/26/2016 2:01 PM:
>
> Livingood, Jason wrote on 2/26/2016 1:32 PM:
>> On 2/26/16, 11:44 AM, "Blake Hudson" <blake@ispn.net 
>> <mailto:blake@ispn.net>> wrote:
>>
>>     Jason, how do you propose to block SSDP without also blocking
>>     legitimate traffic as well (since SSDP uses a port > 1024 and is
>>     used as part of the ephemeral port range on some devices) ?
>>
>>
>> As Roland suggested, very likely via UDP/1900. This will obviously be 
>> disclosed in advance to customers and tested thoroughly. I believe a 
>> few other ISPs have already taken this step.
>>
>>     And is this practice /Open Internet/ friendly?
>>
>>
>> Port blocking is considered a form of reasonable network management 
>> provided it can be justified by security or operational stability 
>> reasons. Of course it must also be transparently disclosed and so on.
>>
>> Jason
> The difference in blocking any of the existing ports on your list and 
> blocking UDP/1900 is that the ports on your list are all registered 
> ports. Port 1900 is not registered - a host may use port 1900 when 
> making an outbound connection to another host (lookup ephemeral port 
> range for more info) regardless of whether either host is using or 
> running an SSDP server. A block on port 1900 will result in blocking 
> legitimate customer traffic if the customer's device happened to 
> select port 1900 as parts of its ephemeral port range.
>
> To my knowledge, a current Windows, Linux, Apple device will not use 
> port 1900 as part of its ephemeral port range, but Wikipedia suggests 
> XP and older Windows operating systems will and I know that many NAT 
> routers will (which affects all clients behind that NAT router, 
> regardless of their OS). I have no idea what popular mobile clients 
> use for their ephemeral port ranges. I imagine the NAT routers will be 
> most common actors using ports outside of the IANA suggested ephemeral 
> port range. Do you suggest that it is "reasonable network management" 
> that users behind a NAT router have their 876th (1900 - 1024) UDP 
> connection attempt blocked?
>
> --Blake
Correction, I should have stated that the ports < 1024 were well-known. 
1900 is not a well-known port.
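The collision Blake describes can be checked mechanically: given a device's ephemeral (dynamic) port range, does UDP/1900 fall inside it, and if a filter drops every UDP packet that carries 1900 in either port field, which flows that are not SSDP at all get dropped as collateral damage? The script below is an added illustration for this thread, not code from the poster or from any ISP; the port ranges in EPHEMERAL_RANGES are assumed defaults for illustration, the sample flows are constructed, and the "blanket block" it models (match on either source or destination port) is an assumption about how such a filter might be written, not a description of what Comcast deployed.

```python
"""Assess collateral damage from a blanket UDP/1900 filter.

Added example for the ephemeral-port discussion above; not code from the
original thread. Port ranges are assumed defaults, flows are constructed.
"""
from pathlib import Path
from typing import List, NamedTuple, Optional, Tuple

SSDP_PORT = 1900

# Assumed default ephemeral ranges used for illustration only.
EPHEMERAL_RANGES = {
    "iana_suggested": (49152, 65535),  # dynamic range recommended by IANA
    "windows_xp": (1025, 5000),        # legacy Windows default
    "linux_default": (32768, 60999),   # typical ip_local_port_range
}


def port_in_range(port: int, lo: int, hi: int) -> bool:
    """True if `port` can be picked as an ephemeral source port from [lo, hi]."""
    return lo <= port <= hi


def ordinal_in_range(port: int, lo: int, hi: int) -> Optional[int]:
    """1-based position of `port` inside [lo, hi], or None if outside.

    With sequential allocation starting at `lo`, this is roughly which
    outbound flow lands on the blocked port (the thread's '876th' arithmetic).
    """
    if not port_in_range(port, lo, hi):
        return None
    return port - lo + 1


def local_ephemeral_range(
    path: str = "/proc/sys/net/ipv4/ip_local_port_range",
) -> Optional[Tuple[int, int]]:
    """Read the Linux ephemeral range from procfs; None on other systems."""
    try:
        lo, hi = Path(path).read_text().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return None


class Flow(NamedTuple):
    proto: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


def blanket_block_matches(flow: Flow, port: int = SSDP_PORT) -> bool:
    """Assumed blanket filter: drop UDP when either port field equals `port`."""
    return flow.proto == "udp" and port in (flow.sport, flow.dport)


def looks_like_ssdp(flow: Flow) -> bool:
    """SSDP discovery is addressed *to* UDP/1900; a flow merely *from* 1900 is not."""
    return flow.proto == "udp" and flow.dport == SSDP_PORT


def collateral_drops(flows: List[Flow], port: int = SSDP_PORT) -> List[Flow]:
    """Flows the blanket filter drops even though they do not look like SSDP."""
    return [f for f in flows if blanket_block_matches(f, port) and not looks_like_ssdp(f)]


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("udp", "10.0.0.5", 1900, "203.0.113.7", 53),      # NAT chose 1900 as source for a DNS query
    Flow("udp", "198.51.100.9", 40000, "10.0.0.5", 1900),  # inbound packet addressed to SSDP
    Flow("udp", "10.0.0.5", 51000, "203.0.113.7", 123),    # NTP, unaffected
    Flow("tcp", "10.0.0.5", 1900, "203.0.113.7", 443),     # TCP, outside a UDP-only filter
]


def range_report() -> List[str]:
    """One line per assumed OS range saying whether UDP/1900 can be an ephemeral port."""
    lines = []
    for name, (lo, hi) in EPHEMERAL_RANGES.items():
        nth = ordinal_in_range(SSDP_PORT, lo, hi)
        verdict = f"exposed (port is the {nth}th in range)" if nth else "not in range"
        lines.append(f"{name:15s} {lo}-{hi}: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(range_report()))
    local = local_ephemeral_range()
    if local:
        print(f"this host: {local[0]}-{local[1]}:", "exposed" if port_in_range(SSDP_PORT, *local) else "not in range")
    for f in collateral_drops(SAMPLE_FLOWS):
        print("collateral drop:", f)
```

Running it on the constructed flows shows the point of the thread in one line: the DNS query whose NAT-assigned source port happened to be 1900 is dropped by the either-port filter, while matching only on destination port 1900 would leave it alone.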
