Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
"touch@strayalpha.com" <touch@strayalpha.com> Sun, 05 December 2021 06:10 UTC
Return-Path: <touch@strayalpha.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B22C3A11A4; Sat, 4 Dec 2021 22:10:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.318
X-Spam-Level:
X-Spam-Status: No, score=-1.318 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PeZC0Zzxjq6X; Sat, 4 Dec 2021 22:10:17 -0800 (PST)
Received: from server217-1.web-hosting.com (server217-1.web-hosting.com [198.54.114.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5CE73A11A3; Sat, 4 Dec 2021 22:10:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=DOxFuwNXwJy0+2jaqcA+2z4qPYaCJ3j478xXEJYn5oA=; b=mC4MOpZ9cBL/QwNSRVN6jleiyw AJZrfRFT23srwnhxwIO7EXny2Okojpbbc8dldUm6p71Gwig8R5gjd/fd5hV3ZYb3c0YoDnWMKFBhg 4ivRSbSBfH1NDYwPCNrBe1D5fnyMzeyiagZlFSSNy+ZITz0a2ArxKycZUbMLOMVi8qrgRtkhkbYwZ VZ2u87ye8zRBLJ/28BOWoCCPcNRK2QwwvCwoL1/134KMnGj2jyC32pEXSHYaHlT9qgZZ1WwndwI/K 09ihC4NO8M2hjcie3BDOGgSLynxEX+CdslwGrZQ0eQHnl73QX7f41MkxoU2syMtCrUuYmqwTvK9+s 1w/x217w==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:62357 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <touch@strayalpha.com>) id 1mtkix-00FiKf-Ps; Sun, 05 Dec 2021 01:10:16 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_E5869003-5FF0-4673-8ED5-7DFCA739B6A2"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.20.0.1.32\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com>
Date: Sat, 04 Dec 2021 22:10:10 -0800
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, NTP WG <ntp@ietf.org>, TSVWG <tsvwg@ietf.org>, Joseph Touch via IANA-Port-Experts <iana-port-experts@icann.org>, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>, Hal Murray <halmurray@sonic.net>
Message-Id: <ECE4E903-761C-469E-90F8-B3D3755A6CCB@strayalpha.com>
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com> <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com>
To: Steven Sommars <stevesommarsntp@gmail.com>
X-Mailer: Apple Mail (2.3693.20.0.1.32)
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/24T-3X__lw0d4PNFHAYugk3JdA8>
Subject: Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Dec 2021 06:10:23 -0000
It’s not the rest of the community’s job to make sure your port is useful - it is yours (the NTP community’s). I.e., you gave one viable way forward: fix the filtering. I gave another - find a way around/through the filtering. Redundant port assignments are not a “simple” solution - they are an expensive one that you should not have not, IMO, earned access to, if for no other reason than “poor stewardship of what you already have”. Joe — Joe Touch, temporal epistemologist www.strayalpha.com > On Dec 4, 2021, at 9:00 PM, Steven Sommars <stevesommarsntp@gmail.com> wrote: > > NTP got a bad reputation as an amplification attack vector circa 2014. The offending NTP servers have largely been fixed; today few public servers will blindly amplify the Mode 7/monlist command (the major problem source). The organizations doing the filtering aren't receptive to suggestions that they alter/remove their filtering schemes. > > Those finding the alternate port distasteful could help by reaching out to the organizations doing the filtering and convincing them that changes are needed. > > I don't like the alternative port idea either, but see no other simple solution. Short of designing yet another time transfer protocol what would you suggest? > > > > > > > > > > > On Sat, Dec 4, 2021 at 8:08 PM touch@strayalpha.com <mailto:touch@strayalpha.com> <touch@strayalpha.com <mailto:touch@strayalpha.com>> wrote: > HI, Hal, > > Again, with ports team review hat on: > > Everything that happened below is equivalent to finding a zero-day or other kind of protocol error in any service. > > The fact that the current ’solution’ is to block that port isn’t new either. > > We don’t have resources to continually assign ‘fresh’ ports for services and I see no reason this one warrants an exception. > > There are other solutions here; if your own recommendations caused packets smaller than 48 to be dropped, then find a way to fragment and reassemble authenticated packets until you find out that larger ones get through. > > This is a protocol design problem, not a port assignment problem. > > Joe > > — > Joe Touch, temporal epistemologist > www.strayalpha.com <http://www.strayalpha.com/> > >> On Dec 4, 2021, at 3:12 PM, Hal Murray <halmurray@sonic.net <mailto:halmurray@sonic.net>> wrote: >> >> >> touch@strayalpha.com <mailto:touch@strayalpha.com> said: >>> FWIW, I don't see this assignment as appropriate. >> >> Without a new port, it will be close to impossible to widely deploy NTP >> security. >> >> >> Years ago (2013), NTP was used in a giant DDoS attack. That was due to a >> bug/oversight that had been around since the early NTP work. (I've tracked it >> back to 1989.) >> https://www.spamhaus.org/news/article/695/answers-about-recent-ddos <https://www.spamhaus.org/news/article/695/answers-about-recent-ddos> >> https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification <https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification> >> The Wikipedia chart could use another column -- the number of sites available. >> Almost all Linux or *BSD sites were running ntpd. >> >> The fix was trivial, but there are many essentially unattended sites running >> old versions of ntpd that will never get fixed. >> >> Many many many sites have quietly installed filters in their routers. Set and >> forget. >> >> A typical filter drops UDP traffic to port 123 with a length other than 48. >> That lets old unauthenticated NTP through but authenticated packets are longer >> and get dropped. >> >> To use authentication on the existing port would require removing those >> filters. Even if you could track down the right people, they would probably >> drag their feet until most of the sites running old unattended ntpd were fixed. >> >> An alternative would be to implement BCP 38. How long has that been in >> progress? >> >> -- >> These are my opinions. I hate spam. >> >> >> > > _______________________________________________ > ntp mailing list > ntp@ietf.org <mailto:ntp@ietf.org> > https://www.ietf.org/mailman/listinfo/ntp <https://www.ietf.org/mailman/listinfo/ntp> > _______________________________________________ > Tsv-art mailing list > Tsv-art@ietf.org > https://www.ietf.org/mailman/listinfo/tsv-art
- [Ntp] Tsvart early review of draft-ietf-ntp-alter… Magnus Westerlund via Datatracker
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Steven Sommars
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] Tsvart early review of draft-ietf-ntp-a… Erik Kline
- [Ntp] Antw: [EXT] Re: [Tsv‑art] Tsvart early revi… Ulrich Windl
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Hal Murray
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Danny Mayer
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… touch@strayalpha.com
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… touch@strayalpha.com
- [Ntp] Antw: Re: [tsvwg] Antw: [EXT] Re: [Tsv‑art]… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Martin Burnicki
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Joe Touch
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Hal Murray
- Re: [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvar… Watson Ladd