Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-4980

SNAT Source Port Randomization


    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Critical Critical
    • openshift-4.17
    • None
    • SDN
    • None
    • False
    • None
    • False
    • Not Selected

      1. Proposed title of this feature request

      SNAT Source Port Randomization

      2. What is the nature and description of the request?

      The current behavior in Nokia's deployment (NCS20 FP2): for SNAT the same source port is kept (i.e. translated 1:1 from internal to external). This is seen as a security breach and this port is blocked on management firewall level.

      There is a flag in NCS Ingress SNAT (at the Linux Stack) that can configure the port to be randomize in the IP tables (RFC-6056).

      Request suggestions:

      • Use ports 40K-60K (the number of used connections per CNF fits within this range)
      • Add a CLI command to clear the Randomization and start over the port randomization

      3. Why does the customer need this? (List the business requirements here)

      For security reasons, the customer blocks used source ports for 72 hours. In NCS, we are using the same source port during SNAT that is violating this security requirement. The ask is to randomize the source port after SNAT to avoid source port blocking.

      How the 72hrs is used:

      • once a connection (IP, port) is terminated after FIN, the FW will block the IP/Port for 72 hours.
      • The connection is block without any report to NCS
      • The FW include logs for blocked ports

      4. List any affected packages or components.


            mcurry@redhat.com Marc Curry
            mcurry@redhat.com Marc Curry
            0 Vote for this issue
            6 Start watching this issue