IETF Logo Mail Archive

Re: [ntpwg] [dhcwg] Re: Network Time Protocol (NTP) Options for DHCPv6

"David L. Mills" <mills@udel.edu> Wed, 21 November 2007 19:09 UTC

Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IuuxC-0003pw-Q4; Wed, 21 Nov 2007 14:09:42 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IuuxB-0003pq-Ko for dhcwg@ietf.org; Wed, 21 Nov 2007 14:09:41 -0500
Received: from whimsy.udel.edu ([128.4.2.3]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IuuxA-0004LQ-E2 for dhcwg@ietf.org; Wed, 21 Nov 2007 14:09:41 -0500
Received: by whimsy.udel.edu (Postfix, from userid 62) id C41B216B8; Wed, 21 Nov 2007 19:09:39 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on whimsy.udel.edu
X-Spam-Level:
X-Spam-Status: No, score=-2.1 required=4.1 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham version=3.1.1
Received: from [128.4.2.6] (backroom.udel.edu [128.4.2.6]) by whimsy.udel.edu (Postfix) with ESMTP id 66BC2161A; Wed, 21 Nov 2007 19:09:35 +0000 (UTC)
Message-ID: <4744826C.3070000@udel.edu>
Date: Wed, 21 Nov 2007 19:09:32 +0000
From: "David L. Mills" <mills@udel.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
X-Accept-Language: en-us, en
To: DHC WG <dhcwg@ietf.org>, "ntpwg@lists.ntp.org" <ntpwg@lists.ntp.org>
Subject: Re: [ntpwg] [dhcwg] Re: Network Time Protocol (NTP) Options for DHCPv6
References: <A05118C6DF9320488C77F3D5459B17B7062ED3C6@xmb-ams-333.emea.cisco.com> <4733482A.7020302@sun.com> <A05118C6DF9320488C77F3D5459B17B70634E4E5@xmb-ams-333.emea.cisco.com> <473D0C34.4030507@ntp.org> <1195185173.26090.4.camel@uma> <474114E3.9040309@ntp.org> <474198BA.3000109@sun.com> <1195484306.9159.13.camel@uma> <20071119225643.GI14750@isc.org>
In-Reply-To: <20071119225643.GI14750@isc.org>
X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/
X-Sanitizer-Rev: UDEL-ECECIS: Sanitizer.pm, v 1.64 2002/10/22 MIME-Version: 1.0
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d2e37451f7f22841e3b6f40c67db0f
Cc:
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org

David,

The true story of the U. Wisconsiin incident, along with others at NIST 
and USNO, is in: Mills, D.L., J. Levine, R. Schmidt and D. Plonka. 
Coping with overload on the Network Time Protocol public servers. Proc. 
Precision Time and Time Interval (PTTI) Applications and Planning 
Meeting (Washington DC, December 2004), 5-16. The paper is also on the 
web: www.eecis.udel.edu/~mills/papers.html.

So far as I know, Netgear had no plans to sue U. Wisconsin or the ISP. 
However, my very strong advice to U. Wisconsin was to sue Netgear. The 
incidents are what prompted the in-your-face practices in the latest 
SNTP RFC, as well as the traffic grooming and Kiss-o'Death response in 
recent NTP distributions.

I don't know what the argument is about with respect to IPV4 and NAT. I 
would assume best practice would be for the firewall to run NTP and 
provide its nonroutable IPv4 address behind the firewall. In principle, 
it could hand out a routable IPv4 (or IPv6) address of an outside server 
and translate only the return address. Frankly, I would rather the SOHO 
do broadcast, rather than be stung by a raft of clients.

Dave

David W. Hankins wrote:

> On Mon, Nov 19, 2007 at 08:58:26AM -0600, Ted Lemon wrote:
>
>> There's no reason why this option should use FQDNs while the other fifty
>> use IP addresses, and there are a number of good reasons not to send
>> FQDNs, the first and most obvious of which is that they take up more
>> space in the packet, and space in the packet is very limited.
>
>
> There is a concern of which I am aware among the NTP users community
> concerning a recent catastrophic event which I think I am reading
> in the subtext of this thread. Lets find out.
>
> A SOHO router manufacturer latched onto the IPv4 address (not the
> domain name) of a particular open-to-the-public NTP clock. The
> IPv4 address was hard-coded into their firmware.
>
> Upon the release of this product, said clock was slowly subjected to
> what grew into an Entire-Internet scale distributed DDOS.
>
> The operator responsible for the NTP device at said IPv4 address was
> not willing nor capable of continuing to supply free bandwidth and
> hardened NTP servers to meet this SOHO router manufacturer's global
> clocking needs, certainly not free of charge, and ultimately had to
> readdress his clock. I seem to recall he was actually sued by the
> SOHO router manufacturer, because all their SOHO routers suddenly
> started spitting errors and misbehaving when this free service was
> withheld, but my memory is beyond its limits at this point.
>
>
> So it is possible that the community may strongly desire an otherwise
> unusual number of intermediaries between /etc/ntp.conf and the IPv4
> addresses they determine.
>
> DHCP is an excellent solution, because it is likely that this SOHO
> router was in fact obtaining its own IP address via DHCPv4, so if
> it also received its clock via DHCPv4 rather than being hard-
> coded, there would never have been a problem to solve.
>
> IPv4 addresses via DHCP are possibly a worse solution, however,
> because if it does deliver fixed IPv4 addresses to clients, then a NAT
> box acting as a home gateway is a greater operational danger than the
> above; imagine if this SOHO router manufacturer had decided to deliver
> the fixed IPv4 address they had selected via DHCPv4 to all its
> NAT-side clients, in all homes its clones resided, worldwide.
>
>
> So if the DHCP protocol field required RFC1035 syntax, an IPv4 address
> becomes an illegal configuration format, and that may be a desirable
> outcome to a segment of the operational community that is concerned
> with the historic stickyness of their IPv4 addresses, and the tendency
> to get sued for publishing one.
>
> I do not make a judgement at this time, but I would like to caution
> the NTP community that additional intermediaries will not necessarily
> correct bad behaviour. In example, putting your clock's location in
> DNS resolution into A/AAAA records does not mean a SOHO router
> manufacturer can not / will not resolve those addresses and then
> hard-code them into products.
>
> I would also like to suggest that some of these concerns may be
> mitigated by tracking Ralph Drom's recent 'container option' draft,
> wherein a SOHO router may dynamically receive from an 'upstream'
> DHCPv6 server the configuration values it should give 'downstream'
> DHCPv6 clients.
>
> I'm not aware of an equivalent for DHCPv4 however.
>
>
> So cautioned, I personally leave it up to the NTP community to
> prove to us exactly to what extent it is genuinely useful to have
> such intermediaries as DNS (or even DHCP, even if I consider that
> a given) involved.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> ntpwg mailing list
> ntpwg@lists.ntp.org
> https://lists.ntp.org/mailman/listinfo/ntpwg



_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email