IETF Logo Mail Archive

Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02

Eliot Lear <lear@lear.ch> Wed, 08 December 2021 07:15 UTC

Return-Path: <lear@lear.ch>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C3DA3A0B09; Tue, 7 Dec 2021 23:15:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.741
X-Spam-Level:
X-Spam-Status: No, score=-2.741 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.852, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QvUc3nwVjxxZ; Tue, 7 Dec 2021 23:15:14 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 832783A0B1F; Tue, 7 Dec 2021 23:15:11 -0800 (PST)
Received: from [IPV6:2001:420:c0c0:1011::5] ([IPv6:2001:420:c0c0:1011:0:0:0:5]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 1B87Exjg3461261 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 8 Dec 2021 08:15:00 +0100
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1638947702; bh=pUWUZw/nCT0yw8RF5EBIeovWnA6JjLiouoIyDLGkPRU=; h=Date:Subject:From:To:Cc:References:In-Reply-To:From; b=ecGqoL9rQzA7z7DnSgX+2EA0j/No6g8hWvX6rAchyqURErLhq4pufFJpAbyYtWHoG ttUtSUBQumWoYHUeXlf7gRgm0DgZegz3pW/MeAu5yC9b6ZCFtDS6m9lFIkP3Oyktbw I0R/8CVCKUIXbq/reA6TWfcMt8U12fKf1t3/AVVE=
Message-ID: <98f35559-b1ff-be8b-d06e-a034ccd4b610@lear.ch>
Date: Wed, 08 Dec 2021 08:14:57 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Content-Language: en-US
From: Eliot Lear <lear@lear.ch>
To: "touch@strayalpha.com" <touch@strayalpha.com>, Miroslav Lichvar <mlichvar@redhat.com>
Cc: Steven Sommars <stevesommarsntp@gmail.com>, NTP WG <ntp@ietf.org>, TSVWG <tsvwg@ietf.org>, Magnus Westerlund <magnus.westerlund@ericsson.com>, Harlan Stenn <stenn@nwtime.org>, Martin Burnicki <martin.burnicki@meinberg.de>, Danny Mayer <mayer@pdmconsulting.net>, Joseph Touch via IANA-Port-Experts <iana-port-experts@icann.org>, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>, Hal Murray <halmurray@sonic.net>
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com> <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com> <CACL_3VENkyebRf25W6EpW0yZY6ELYS41A4D_i+RnQE1M21P2hg@mail.gmail.com> <Ya3fLJCHUsm1wE28@localhost> <90723c26-0352-a4d1-f765-eb26b1522954@pdmconsulting.net> <bf78924b-69bc-760e-cc7f-e6896504e194@meinberg.de> <Ya81mYy8/EuH8ilY@localhost> <ABF8072B-C6C0-47F3-BD7B-BAFE927B5DE1@strayalpha.com> <d3d167ee-5a6d-0060-a350-6eb04ba0ae8b@lear.ch>
In-Reply-To: <d3d167ee-5a6d-0060-a350-6eb04ba0ae8b@lear.ch>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------Knp2EUHY8yUAEJI5sMt0t078"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/-7gRMxpQOHV8j7uQ0AWTLYuHxDs>
X-Mailman-Approved-At: Wed, 08 Dec 2021 07:08:57 -0800
Subject: Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2021 07:15:19 -0000

Just to follow this up, my point is that the version bit doesn't matter 
if the packets aren't getting to endpoints.  At that point we need to 
start thinking about what is best for the Internet, and there may well 
be a tradeoff here.  But it really depends on what the operational data 
looks like, in so much as we can get at it.

Eliot

On 07.12.21 20:43, Eliot Lear wrote:
>
> We have the following situation, as I understand it:
>
> There remain servers out there that are open to control packets, and 
> those packets are amplified at target NTP servers. Deployments have 
> mitigated the attack by placing a firewall rule that matches the frame 
> size of a normal NTP query, rather than enumerating the NTP servers 
> that they permit.  Do I have the situation correct?
>
> So we have a combination of a protocol weakness, open NTP servers, and 
> a common firewall rule set that won't let the right thing happen.  
> Does anyone know how common?
>
> Eliot
>
>
>
> On 07.12.21 17:31, touch@strayalpha.com wrote:
>>
>> —
>> Joe Touch, temporal epistemologist
>> www.strayalpha.com <http://www.strayalpha.com>
>>
>>> On Dec 7, 2021, at 2:21 AM, Miroslav Lichvar <mlichvar@redhat.com> 
>>> wrote:
>>>
>>> On Tue, Dec 07, 2021 at 10:23:10AM +0100, Martin Burnicki wrote:
>>>> I find it ridiculous to start using a new port for NTP because some 
>>>> admins
>>>> block the original, well-known port because many years ago there was a
>>>> possibility for DDoS for servers that weren't properly configured.
>>>
>>> That possibility still exists. It's a security issue in the protocol.
>>
>> Again, IMO, that’s why protocols (including NTP) have version numbers.
>>
>> I look forward to a new NTP version that addresses these issues, but 
>> it should run on the existing port.
>>
>> This is the *same* issue every protocol encounters for any vulnerability.
>>
>> Joe
>>

v2.23.0 | Report a Bug | By Email