[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Thank you, Comcast.

Subject: Thank you, Comcast.
From: blake at ispn.net (Blake Hudson)
Date: Fri, 26 Feb 2016 14:04:07 -0600
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <D2F5D3C1.129888%[email protected]> <[email protected]> <D2F611E3.12999B%[email protected]> <[email protected]>

Blake Hudson wrote on 2/26/2016 2:01 PM:
>
> Livingood, Jason wrote on 2/26/2016 1:32 PM:
>> On 2/26/16, 11:44 AM, "Blake Hudson" <blake at ispn.net 
>> <mailto:blake at ispn.net>> wrote:
>>
>>     Jason, how do you propose to block SSDP without also blocking
>>     legitimate traffic as well (since SSDP uses a port > 1024 and is
>>     used as part of the ephemeral port range on some devices) ?
>>
>>
>> As Roland suggested, very likely via UDP/1900. This will obviously be 
>> disclosed in advance to customers and tested thoroughly. I believe a 
>> few other ISPs have already taken this step.
>>
>>     And is this practice /Open Internet/ friendly?
>>
>>
>> Port blocking is considered a form of reasonable network management 
>> provided it can be justified by security or operational stability 
>> reasons. Of course it must also be transparently disclosed and so on.
>>
>> Jason
> The difference in blocking any of the existing ports on your list and 
> blocking UDP/1900 is that the ports on your list are all registered 
> ports. Port 1900 is not registered - a host may use port 1900 when 
> making an outbound connection to another host (lookup ephemeral port 
> range for more info) regardless of whether either host is using or 
> running an SSDP server. A block on port 1900 will result in blocking 
> legitimate customer traffic if the customer's device happened to 
> select port 1900 as parts of its ephemeral port range.
>
> To my knowledge, a current Windows, Linux, Apple device will not use 
> port 1900 as part of its ephemeral port range, but Wikipedia suggests 
> XP and older Windows operating systems will and I know that many NAT 
> routers will (which affects all clients behind that NAT router, 
> regardless of their OS). I have no idea what popular mobile clients 
> use for their ephemeral port ranges. I imagine the NAT routers will be 
> most common actors using ports outside of the IANA suggested ephemeral 
> port range. Do you suggest that it is "reasonable network management" 
> that users behind a NAT router have their 876th (1900 - 1024) UDP 
> connection attempt blocked?
>
> --Blake
Correction, I should have stated that the ports < 1024 were well-known. 
1900 is not a well-known port

References:
- Thank you, Comcast.
  - From: mcole.mailinglists at gmail.com (Maxwell Cole)
- Thank you, Comcast.
  - From: kmedcalf at dessus.com (Keith Medcalf)
- Thank you, Comcast.
  - From: Jason_Livingood at comcast.com (Livingood, Jason)
- Thank you, Comcast.
  - From: blake at ispn.net (Blake Hudson)
- Thank you, Comcast.
  - From: Jason_Livingood at comcast.com (Livingood, Jason)
- Thank you, Comcast.
  - From: blake at ispn.net (Blake Hudson)

Prev by Date: Thank you, Comcast.
Next by Date: Thank you, Comcast.
Previous by thread: Thank you, Comcast.
Next by thread: Thank you, Comcast.
Index(es):
- Date
- Thread