Re: [Ntp] NTS IANA request

"kodonog@pobox.com" <kodonog@gmail.com> Fri, 07 June 2019 03:23 UTC

From: "kodonog@pobox.com" <kodonog@gmail.com>
To: Harlan Stenn <stenn@nwtime.org>
Cc: ntp@ietf.org
Date: Thu, 06 Jun 2019 23:23:33 -0400
Message-ID: <0CAA3A39-12CB-4A23-A3E3-A9934FED312C@gmail.com>
In-Reply-To: <14042f44-6cf0-0c23-c0d1-777ea7580cbc@nwtime.org>
References: <CAN2QdAH9Uh_wYSEizgYTjd4Q6VFQT+tvH8dnbPgKKc59+vEfng@mail.gmail.com> <a123d81b-4994-9e35-58eb-6845cf439f91@nwtime.org> <20190605164753.6e71fcaa@rellim.com> <03055E77-EB42-494E-A231-039C4603E256@akamai.com> <CAJm83bDYZ+vcwkhFEf2YCAVwKcSm7rEgbuB0Wwsvm5XVVAMjuQ@mail.gmail.com> <C8E4189E-E3A1-4926-AF0F-93BE9C7255C8@akamai.com> <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com> <14042f44-6cf0-0c23-c0d1-777ea7580cbc@nwtime.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/2RiBaiFmVPcFmFucumxPk6iyAQo>
Subject: Re: [Ntp] NTS IANA request

Harlan,

As we have discussed privately, this type of email response is not helpful.
Please limit your comments on the mailing list to specific technical concerns.

Thank you!
Karen

On 6 Jun 2019, at 17:42, Harlan Stenn wrote:

> As best as I can tell, the following is total rubbish.
>
> H
>
> On 6/6/2019 11:28 AM, Daniel Franke wrote:
>> As a slight tangent, we never concluded the discussion as to what we're going to do about the fact that so many ISPs are dropping 123/udp traffic with payloads larger than 48 bytes. I think we got as far as concluding:
>>
>> 1. We're never going to persuade enough ISPs to change their policy, making 123/udp basically doomed.
>> 2. NTS-KE's port negotiation record gives us all the mechanism we need in order to run NTP-with-NTS over an alternate port.
>>
>> But that left an unresolved question: do we allocate a fixed alternate UDP port, or should servers ask the OS for a dynamic port and then use NTS-KE to advertise whatever the OS assigns to them? Both choices have firewall-related drawbacks. If we use a fixed port, we risk landing ourselves right back in the same situation we're in today with 123. At minimum, to protect ourselves from this, the NTF would have to commit to adding some code to ntpd such that it will refuse to ever send mode 6 or 7 responses over the new port no matter what configuration the user gives it. (Yes, mode 6 too, because mode 6 still amplifies, just not as severely as mode 7 does). If we use a dynamic port, then it becomes much harder for ISPs to block us, but it also becomes harder for corporate firewalls with a default-deny-all policy to let us through.
>>
>> On Thu, Jun 6, 2019 at 1:06 PM Salz, Rich <rsalz@akamai.com> wrote:
>>>
>>>> I'm strongly opposed to modifying NTS-KE to involve sending a STARTTLS as a first step of the handshake. I don't want to make a breaking change to a protocol that's passed WGLC and has four interoperating implementations in order to accommodate a protocol that has never been implemented and whose specification consists of three vague sentences in an unadopted and expired I-D.
>>>
>>> I wasn't strongly advocating either mechanism, just trying to explain how things could share a port if that's what we wanted to do.
>>>
>>> For the record, since I see no definition of NTP/TLS, I am in favor of assigning 123/TCP to NTS.
>>>
>>>
>>
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
>>
>
> -- 
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!
>
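Added example, not code from the thread or from ntpd or any other implementation mentioned in it: a small parser for the NTS-KE record stream that extracts the NTPv4 Port Negotiation value Daniel refers to, together with the server-side gate he proposes (never answer mode 6 or mode 7 on the negotiated port, whatever the configuration says, since both modes amplify). The record layout and type numbers are those of RFC 8915, the published form of the draft under discussion; the sample server response, the port 12345 and the function names are constructed placeholders.

```python
import struct

# NTS-KE record type numbers and layout from RFC 8915 section 4 (the
# published form of the draft the thread is discussing).
REC_END_OF_MESSAGE = 0
REC_NEXT_PROTOCOL = 1
REC_AEAD_ALGORITHM = 4
REC_NTPV4_PORT = 7
CRITICAL_BIT = 0x8000

NTPV4_PROTOCOL_ID = 0        # Next Protocol Negotiation value for NTPv4
AEAD_AES_SIV_CMAC_256 = 15   # IANA AEAD algorithm identifier

NTP_MODE_CONTROL = 6
NTP_MODE_PRIVATE = 7


def encode_record(rec_type, body=b"", critical=False):
    """One NTS-KE record: 16-bit (critical bit | type), 16-bit body length, body."""
    if not 0 <= rec_type < 0x8000:
        raise ValueError("record type must fit in 15 bits")
    if len(body) > 0xFFFF:
        raise ValueError("record body too long")
    header = rec_type | (CRITICAL_BIT if critical else 0)
    return struct.pack("!HH", header, len(body)) + body


def parse_records(data):
    """Parse a record stream into [(critical, type, body)], stopping at End of Message.

    Raises ValueError on a truncated record or when the stream ends without an
    End of Message record, so a peer cannot make the parser read past the buffer.
    """
    records = []
    offset = 0
    while True:
        if offset == len(data):
            raise ValueError("stream ended without End of Message record")
        if offset + 4 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        header, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + length > len(data):
            raise ValueError("truncated record body at offset %d" % offset)
        body = bytes(data[offset:offset + length])
        offset += length
        rec_type = header & 0x7FFF
        records.append((bool(header & CRITICAL_BIT), rec_type, body))
        if rec_type == REC_END_OF_MESSAGE:
            return records


def negotiated_port(records, default=123):
    """UDP port advertised by an NTPv4 Port Negotiation record, else `default`."""
    port = default
    for _critical, rec_type, body in records:
        if rec_type == REC_NTPV4_PORT:
            if len(body) != 2:
                raise ValueError("NTPv4 Port Negotiation body must be 2 bytes")
            (port,) = struct.unpack("!H", body)
    return port


def ntp_mode(packet):
    """Mode is the low 3 bits of the first NTP header byte (LI:2, VN:3, Mode:3)."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes")
    return packet[0] & 0x07


def should_answer(packet, dst_port, nts_port, config_allows_control=True):
    """Gate proposed in the thread: on the NTS port, mode 6 (control) and mode 7
    (private) requests are never answered regardless of configuration, because
    both can be abused for amplification. On other ports the operator's
    configuration decides, as today."""
    mode = ntp_mode(packet)
    if mode not in (NTP_MODE_CONTROL, NTP_MODE_PRIVATE):
        return True
    if dst_port == nts_port:
        return False
    return config_allows_control


# Constructed sample server response (not a real capture); 12345 is a placeholder
# for whatever alternate port a server would advertise.
SAMPLE_RESPONSE = (
    encode_record(REC_NEXT_PROTOCOL, struct.pack("!H", NTPV4_PROTOCOL_ID), critical=True)
    + encode_record(REC_AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
    + encode_record(REC_NTPV4_PORT, struct.pack("!H", 12345))
    + encode_record(REC_END_OF_MESSAGE, critical=True)
)


def demo():
    """Client side: learn the port from the response; server side: apply the gate."""
    records = parse_records(SAMPLE_RESPONSE)
    port = negotiated_port(records)
    client_request = bytes([0x23]) + bytes(47)   # LI=0, VN=4, Mode=3 (client)
    control_request = bytes([0x26]) + bytes(47)  # LI=0, VN=4, Mode=6 (control)
    return {
        "port": port,
        "client_on_nts_port": should_answer(client_request, port, port),
        "control_on_nts_port": should_answer(control_request, port, port),
        "control_on_123": should_answer(control_request, 123, port),
    }


if __name__ == "__main__":
    print(demo())
```

The parser treats a missing End of Message record and any truncated record as errors rather than silently returning what it has, which is the behaviour you want on a TLS-protected but still untrusted stream. The gate deliberately takes the configuration flag as an argument it ignores on the NTS port, mirroring the "no matter what configuration the user gives it" requirement in the quoted message.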