Cybertelecom
Federal Internet Law & Policy
An Educational Project
Internet Ports & Port Blocking
Don't be a FOOL; The Law is Not DIY

Ports

Hosts (computers, end users) on the Internet are addressed with IP number addresses.

A particular host may be running multiple applications and multiple sessions. The specific session or application that the computer should deliver the packet to is identified by a port number. [RFC 793 Sec. 2.7 ("To identify the separate data streams that a TCP may handle, the TCP provides a port identifier.")] [RFC 6335 Sec. 3 ("Ports serve two purposes: first, they provide a demultiplexing identifier to differentiate transport sessions between the same pair of endpoints, and second, they may also identify the application protocol and associated service to which processes connect.")]

The destination port number and the source port number are part of the transport protocol header in the Transmission Control Protocol, User Datagram Protocol, or equivalent. [RFC 6335] [BITAG 2.2]

The combination of port numbers and IP addresses will uniquely identify a "session." [RFC 6335 Sec. 3 ("Ports are 16-bit numbers, and the combination of source and destination port numbers together with the IP addresses of the communicating end systems uniquely identifies a session of a given transport protocol.")] [BITAG 2.2 ("In the architecture of the Internet, communication between two systems is identified by five fields: (1) the source IP address, (2) the destination IP address, (3) the transport protocol in use, (4) the source port, and (5) the destination port used by the transport protocol")]

Different applications are assigned different port numbers. These numbers are assigned by IANA (see the IANA Internet Port Number Assignments). [RFC 6335]

There are several different ranges of port numbers: [RFC 6335 Sec. 6] [BITAG 2.2]

An application or service may be "port-agile," with the ability to switch the ports that the service utilizes (where services are port-agile and able to switch utilization of port numbers, the effectiveness of port blocking may be limited).

Example

Joe wants to view a webpage. Webservers listen on the Well Known Port 80. Joe will therefore send a request to the IP address of the webserver with the port number of 80. The webserver needs to know how to respond. Joe will provide the source IP address of his computer along with a Dynamic Port number in order to uniquely identify the session. For example, Joe's computer may pick the Dynamic Port Number 37277. Receiving this request from Joe, the webserver will reply, using Joe's IP address as the destination IP address and 37277 as the destination port number. Each session and each user will be identified by unique IP addresses (unique to the specific host) and unique port numbers (unique to the service or session on the computer). [BITAG 2.2]
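The session identification described above, as an added example that is not part of the Cybertelecom page: it models the five-tuple (protocol, addresses, ports) that identifies Joe's session, checks that the webserver's reply mirrors it, and classifies ports into the three ranges RFC 6335 Sec. 6 defines. The IP addresses are constructed documentation addresses; Joe's port 37277 is the page's own value.

```python
# Added example (not from the Cybertelecom page). Addresses are constructed
# sample values; port 37277 is taken from the page's "Joe" example.
from dataclasses import dataclass


def port_range(port: int) -> str:
    """Classify a 16-bit port number into the ranges of RFC 6335 Section 6."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is not a 16-bit number")
    if port <= 1023:
        return "System (well-known)"
    if port <= 49151:
        return "User (registered)"
    return "Dynamic (private/ephemeral)"


@dataclass(frozen=True)
class FiveTuple:
    """The five fields BITAG 2.2 says identify a transport session."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "FiveTuple":
        """The reverse direction of the same session: addresses and ports swap."""
        return FiveTuple(self.proto, self.dst_ip, self.dst_port,
                         self.src_ip, self.src_port)

    def same_session(self, other: "FiveTuple") -> bool:
        """A packet belongs to this session if its tuple matches in either direction."""
        return other == self or other == self.reply()


def joes_request() -> FiveTuple:
    # Constructed: Joe (198.51.100.7) sends to the webserver (203.0.113.10) on TCP 80,
    # using source port 37277 as in the page's example.
    return FiveTuple("tcp", "198.51.100.7", 37277, "203.0.113.10", 80)


if __name__ == "__main__":
    req = joes_request()
    print(req, "->", req.reply(), req.same_session(req.reply()))
    # Note: operating systems draw ephemeral source ports from their own range
    # (Linux default 32768-60999), which overlaps the RFC 6335 User range, so
    # 37277 classifies as "User" here even though it is used as a dynamic port.
    print(port_range(80), port_range(37277), port_range(50000))
```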

Port Blocking

Traffic Management

Traffic can be managed in several different ways, using targeted information from an Internet packet.

Traffic can be managed using the source or destination IP address, the source or destination port number, the Internet protocol version, or...... Traffic can also be managed either through refusing to interconnect or refusing to augment interconnection capacity, thereby creating congestion and effectively blocking traffic.

The network operator can manage the traffic by blocking (a.k.a. filtering) it, redirecting it, changing its priority, changing its routing, or otherwise. This discussion will focus on blocking, but other techniques are viable as well.

"Port blocking allows an application to prevent other applications from performing specific binds to the ports within a specified range." Microsoft Technet, Windows TCP/IP Ephemeral, Reserved, and Blocked Port Behavior

Incentives

Network Operators may have the incentive to manage their network. They may wish to block malicious and damaging traffic. They may have the incentive to block unwanted traffic over their network, including traffic which competes with the network's other services (for example, OTT VoIP competing with the network service provider's telephone service, or OTT Video competing with the network service provider's MVPD Cable Video service). In effect, Network Service Providers have an incentive to create barriers to market entry for rival competing services.

However, generally, demand for OTT applications drives demand for broadband services (see virtuous circle); blocking OTT applications degrades demand for broadband services.

End Users may have the incentive to know what applications and services they can use over their Internet access. They also may have the incentive to be protected from malicious traffic.

Application Service Providers have an incentive to know what resources are available on different networks, in order to know whether their applications will work, how to engineer their applications, and whether their investments in their services will produce an ROI.

Regulators have the incentive to promote the delivery of communications services to consumers. In post-liberalization policy, it is accepted that consumer welfare is achieved best through a competitive services market. Blocking ports in order to block competitive services, creating barriers to market entry, therefore is contrary to a policy that is seeking to achieve consumer welfare through competitive entrants. Further, as seen with the Computer Inquiries, the regulator sees its mission as ensuring that the communications infrastructure supports the needs and demands of the end users; a network frustrating end users by denying their use of desired applications and services is therefore contrary to that mission.

Ability: Port Blocking

Blocking a port may degrade the performance of applications and services to which that port is assigned. The impact of the port blocking depends upon which ports are blocked, the application or service, and location of the port blocking.

Some service providers offer end-users the ability to opt-out of having ports blocked on their network service.

A number of typically blocked ports and the reason that they are blocked are listed below.

The magnitude of the ability of a network service provider to achieve its incentives through port blocking depends in part on the degree to which the network is a terminating monopoly and the value of its network effect (the size of its customer base).

Location of Port Blocking

Ports are part of TCP or UDP. [RFC 793 Sec. 2.1] Processing of ports can be done at the router.

Port blocking is typically implemented at:

  • The border router, where the network interconnects with other networks;
    • Pros:
      • Potentially keeps malicious traffic from entering the network
      • Easier to administer
    • Con: Does not keep customers of that network from sending traffic to each other
  • The aggregation router, where the network provides access to end users; or
  • The end user's CPE
    • Cons: More difficult to administer; the end user may be operating their own CPE
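The location point above, as an added example that is not part of the Cybertelecom page: it applies one constructed rule set (TCP 445 Microsoft-DS and UDP 5060 SIP, two ports from the page's table) at either the border router or the aggregation router, and shows that a border rule never sees customer-to-customer traffic. The customer prefix, rules and packets are all constructed.

```python
# Added example (not from the Cybertelecom page). The prefix, the rule set
# and the packets are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NETWORK = ip_network("198.51.100.0/24")  # constructed: the operator's customer prefix

# Constructed rule set keyed by (protocol, destination port), in the style of the
# page's port table: TCP 445 (Microsoft-DS) and UDP 5060 (SIP).
BLOCKED = {("tcp", 445), ("udp", 5060)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def rule_matches(pkt: Packet) -> bool:
    return (pkt.proto, pkt.dst_port) in BLOCKED


def crosses_border(pkt: Packet) -> bool:
    """A border router only sees packets with exactly one end outside the network."""
    return (ip_address(pkt.src_ip) in NETWORK) != (ip_address(pkt.dst_ip) in NETWORK)


def seen_by_aggregation(pkt: Packet) -> bool:
    """An aggregation router sees every packet to or from a customer it serves."""
    return ip_address(pkt.src_ip) in NETWORK or ip_address(pkt.dst_ip) in NETWORK


def dropped(pkt: Packet, location: str) -> bool:
    """Whether the packet is dropped when BLOCKED is enforced at `location`."""
    if location == "border":
        return crosses_border(pkt) and rule_matches(pkt)
    if location == "aggregation":
        return seen_by_aggregation(pkt) and rule_matches(pkt)
    raise ValueError(f"unknown enforcement location: {location}")


if __name__ == "__main__":
    inbound = Packet("tcp", "203.0.113.5", 40000, "198.51.100.20", 445)   # from outside
    intra = Packet("tcp", "198.51.100.10", 40000, "198.51.100.20", 445)   # customer to customer
    for name, pkt in (("inbound", inbound), ("intra", intra)):
        print(name, "border:", dropped(pkt, "border"),
              "aggregation:", dropped(pkt, "aggregation"))
```

The intra-network packet is dropped only at the aggregation router, which is the "Con" listed for border-router blocking.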

VoIP Port Blocking

See also International VoIP Blocking | VoIP Blocking

Detection of Port Blocking

See also Statistics | Assessment | Forensics

Disclosure of Port Blocking

Port Assignment Table

Port    Assignment                            Blocked (reason blocked)
20      FTP
23      Telnet
25      SMTP
42
69      TFTP
80      HTTP
111     SUNRPC
135     NetBIOS
136     NetBIOS
137     NetBIOS
138     NetBIOS
139     NetBIOS
161     SNMP
162     SNMPTRAP
445     Microsoft-DS
515
593
1034                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
1035                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
1433    MS-SQL
1434    MSSQL
1900    MS-DS/NetBios
2002    Cisco Secure Access Control Server
2048    CISCO IOS Webcache
2090                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
2091                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
2745
3127
4156                                          Blocked Ports, Infinity Internet (TCP upstream; created by Linux Slapper worm)
4444
5000                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
5060    SIP
5554
6346
6777
6801                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
6802                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
6803                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
8040
8998
9900                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
9901                                          UDP; Panama reportedly ordered the port blocked in order to block VoIP
9996
10080
12080                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
12120                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
12122                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
22555                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
26133                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
27374
30582                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
35061                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
38000                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
38100                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
38200                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
41170
47563                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
48310                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
51200                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
51201                                         UDP; Panama reportedly ordered the port blocked in order to block VoIP
56464
57375

Documents

Links

Network Ports Policies


© Cybertelecom ::