RE: [ntpwg] [dhcwg] Re: Network Time Protocol (NTP) OptionsforDHCPv6
"Benoit Lourdelet (blourdel)" <blourdel@cisco.com> Mon, 26 November 2007 09:20 UTC
Subject: RE: [ntpwg] [dhcwg] Re: Network Time Protocol (NTP) OptionsforDHCPv6
Date: Mon, 26 Nov 2007 10:20:59 +0100
Message-ID: <A05118C6DF9320488C77F3D5459B17B706531DD7@xmb-ams-333.emea.cisco.com>
In-Reply-To: <474A4E69.8040408@ntp.isc.org>
References: <200711260009.lAQ092va059077@drugs.dv.isc.org> <EF06E977-C3D9-4EDF-A126-6CD888BA8F36@fugue.com> <014d01c82fc6$6b1ecd70$6401a8c0@tsg1> <5C093633-A256-4059-AA10-1800F62F522A@fugue.com> <017901c82fd4$9cad3b70$6401a8c0@tsg1> <E0F01D6C-3FB6-4150-9722-32CFF3079327@fugue.com> <018501c82fd7$9ff707e0$6401a8c0@tsg1><A6BDB3D6-4CDA-4BC1-ADF0-1845E539DD4C@fugue.com> <474A4E69.8040408@ntp.isc.org>
From: "Benoit Lourdelet (blourdel)" <blourdel@cisco.com>
To: mayer@ntp.isc.org
Cc: ntpwg@lists.ntp.org, dhcwg@ietf.org, Ted Lemon <mellon@fugue.com>, "Richard Gayraud (rgayraud)" <rgayraud@cisco.com>
Danny,

I want to highlight that the UWisc/Netgear incident happened without DHCP, and I suspect that a similar incident may happen again. DHCP as you described it could be an amplification factor, but with millions of CPEs wrongly configured there is no need for DHCP to have things go wrong.

Correctly deployed, an off-the-shelf SOHO router should not have any server hardcoded (you will never prevent people from doing bad things on a CPE router anyway) and should receive its IP service servers (including NTP) from the provider.

For all other cases (enterprise, where the DHCP server is managed by IT people of the same administrative domain, and ISP set-top boxes with DHCP managed by the telcos), a DHCPv6 NTP hardcoded address is not going to hurt anybody, as a DHCP client won't use an expired IP service address forever.

Mandating the use of site-local addresses may complicate deployments in the initial stage of company mergers. Again, the DHCP server is managed by people of the same administrative domain who are supposed to configure it with correct IP addresses.

The way NTP is deployed in many SP networks is to use a hierarchy of NTP servers, so that the NTP server is very close to the NTP client. In many cases the client is pointing to an NTP server in the same Point of Presence.

In enterprise deployments, if IT bothers relying on NTP, they will deploy their own NTP servers and won't rely on public NTP servers. Needless to say, top-of-the-hierarchy enterprise NTP servers won't use DHCP for configuration.
Benoit

> -----Original Message-----
> From: ntpwg-bounces+blourdel=cisco.com@lists.ntp.org
> [mailto:ntpwg-bounces+blourdel=cisco.com@lists.ntp.org] On Behalf Of Danny Mayer
> Sent: Monday, November 26, 2007 5:41 AM
> To: Ted Lemon
> Cc: ntpwg@lists.ntp.org; dhcwg@ietf.org; Richard Gayraud (rgayraud)
> Subject: Re: [ntpwg] [dhcwg] Re: Network Time Protocol (NTP) OptionsforDHCPv6
>
> Ted,
>
> Let me try and outline the problem again, and please come up
> with an idea which solves this.
>
> 1) The DHCP environment is divided into essentially two
> groups: hardware like Netgear and Linksys routers, and
> software like ISC's DHCP Server and Nominum's Dynamic
> Configuration Server. IETF doesn't allow you to create a
> protocol which differentiates between these cases.
>
> The software side of the DHCP implementations are usually run
> by organizations for their internal use and are actively
> maintained. I have few worries about these since it's easy to
> deal with (relatively speaking) errors that the sysadmins make.
>
> The SOHO routers are different since the DHCP servers are
> built into the firmware and shipped in their tens of
> thousands to individuals and small businesses who want
> wireless connections and routers but don't want to be in the
> business of configuring and maintaining them.
>
> So let's say Acme Routers ships a router with a built-in DHCP
> server which provides NTP server addresses to provide to the
> DHCP clients, and they put just one address in it. Now say
> Starbucks gets all excited about how cheap they are and buys
> them for all their coffee stores. Now you have DHCP providing
> an amplification DDoS attack, as all of those people sitting
> there with laptops are all set up with the same NTP server address
> and sending NTP packets to the same NTP server. Note that in
> the UWisc/Netgear incident it was the NTP server built into
> the router that was the problem, but it was only one server.
> Here we are having the router distributing the address to
> other systems which then do the dirty work, and you'd get 10
> times the effect of a Netgear incident. This is the problem
> that I'm trying to solve, or rather mitigate.
>
> I refer you to the UWisc/Netgear incident paper that Dave
> Mills and Dave Plonka wrote:
> http://www.eecis.udel.edu/~mills/database/papers/ptti/ptti04a.pdf
> The brief slide version is here:
> http://www.eecis.udel.edu/~mills/database/brief/ptti/ptti04.pdf
> It also discusses the loads on a number of other servers
> including NIST and USNO.
>
> PHK's incident with D-Link is written up here:
> http://news.bbc.co.uk/2/hi/technology/4906138.stm
>
> I await your suggestions on how to prevent the routers
> from becoming amplifiers via DHCP, bombarding NTP servers.
>
> Danny
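The following is a constructed capacity model, added here and not part of the thread, of the two distribution policies argued over above: Danny's scenario of one address baked into every unit of a CPE product versus Benoit's provider-assigned per-POP hierarchy, including the lease-expiry behaviour Benoit relies on (a client stops using a DHCP-supplied address once its lease has expired). All host names, population sizes and the lease length are assumptions; the 64 s figure is ntpd's default minimum poll interval, used as a worst-case per-client rate.

```python
"""Constructed model: per-server NTP request load under two policies for
handing NTP server addresses to DHCP clients (not code from the thread)."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# ntpd's default minimum poll interval is 2**6 = 64 s; a client polling at
# minpoll is the worst case per client, so it is used as the model's rate.
DEFAULT_POLL_INTERVAL_S = 64


@dataclass(frozen=True)
class DhcpClient:
    """A host that learned its NTP server list from a DHCP option."""
    ntp_servers: Tuple[str, ...]
    lease_expires_at: int  # absolute simulated time, seconds

    def servers_in_use(self, now: int) -> Tuple[str, ...]:
        # A client does not keep using an expired DHCP-supplied address
        # forever: past the lease it has to renew before it can poll anything.
        return self.ntp_servers if now < self.lease_expires_at else ()


# A policy maps a router id to the server list that router hands out.
Policy = Callable[[int], Tuple[str, ...]]


def hardcoded_policy(router_id: int) -> Tuple[str, ...]:
    # Every unit of the product ships the same single address
    # (hypothetical host name standing in for the vendor's baked-in server).
    return ("ntp.vendor.example",)


def provider_policy(num_pops: int) -> Policy:
    # The provider assigns each CPE the server of its own point of presence
    # (hypothetical naming scheme), spreading load across the hierarchy.
    def policy(router_id: int) -> Tuple[str, ...]:
        return (f"pop{router_id % num_pops}.ntp.isp.example",)
    return policy


def build_population(num_routers: int, clients_per_router: int,
                     policy: Policy, lease_seconds: int) -> List[DhcpClient]:
    """Constructed deployment: each router runs a DHCP server and gives all
    of its clients the server list chosen by `policy`, with one lease length."""
    clients: List[DhcpClient] = []
    for router_id in range(num_routers):
        servers = policy(router_id)
        for _ in range(clients_per_router):
            clients.append(DhcpClient(servers, lease_expires_at=lease_seconds))
    return clients


def requests_per_second(clients: List[DhcpClient], now: int,
                        poll_interval: int = DEFAULT_POLL_INTERVAL_S) -> Dict[str, float]:
    """Steady-state request rate each NTP server sees at simulated time `now`."""
    load: Counter = Counter()
    for client in clients:
        for server in client.servers_in_use(now):
            load[server] += 1.0 / poll_interval
    return dict(load)


def peak_server_load(clients: List[DhcpClient], now: int,
                     poll_interval: int = DEFAULT_POLL_INTERVAL_S) -> float:
    """Request rate at the busiest server (0.0 when no client is polling)."""
    load = requests_per_second(clients, now, poll_interval)
    return max(load.values(), default=0.0)


if __name__ == "__main__":
    ROUTERS, CLIENTS_PER_ROUTER, LEASE_S = 1000, 20, 86400  # constructed sizes
    hard = build_population(ROUTERS, CLIENTS_PER_ROUTER, hardcoded_policy, LEASE_S)
    prov = build_population(ROUTERS, CLIENTS_PER_ROUTER, provider_policy(50), LEASE_S)
    print("hard-coded, within lease :", peak_server_load(hard, now=0), "req/s")
    print("per-POP,    within lease :", peak_server_load(prov, now=0), "req/s")
    print("hard-coded, lease expired:", peak_server_load(hard, now=LEASE_S), "req/s")
```

With the constructed sizes the hard-coded policy concentrates all 20,000 clients on one server, while the same population spread over 50 POP servers gives each a fiftieth of that rate; the expiry case shows that the DHCP lease bounds how long a stale address keeps generating load, which is the property the message above depends on.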