IETF Logo Mail Archive

Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomization-04.txt

Harlan Stenn <stenn@nwtime.org> Sat, 27 June 2020 00:55 UTC

Return-Path: <stenn@nwtime.org>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8353A079D for <ntp@ietfa.amsl.com>; Fri, 26 Jun 2020 17:55:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZs_VCSV9nAC for <ntp@ietfa.amsl.com>; Fri, 26 Jun 2020 17:55:35 -0700 (PDT)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BECB3A0793 for <ntp@ietf.org>; Fri, 26 Jun 2020 17:55:35 -0700 (PDT)
Received: from [10.208.75.157] (075-139-194-196.res.spectrum.com [75.139.194.196]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 49twKF2D6yzL7d; Sat, 27 Jun 2020 00:55:29 +0000 (UTC)
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: ntp@ietf.org
References: <159178254834.16829.7558806224371600143@ietfa.amsl.com> <d250dc2c-ac88-25c0-1850-a6f9105822e7@nwtime.org> <20200622085914.GE22085@localhost> <c0f5d644-8eb0-ae03-2385-fe8fda9d4d3f@nwtime.org> <20200622093954.GF22085@localhost>
From: Harlan Stenn <stenn@nwtime.org>
Autocrypt: addr=stenn@nwtime.org; keydata= mQGNBFI2xmQBDACrPayw18eU4pIwCvKh7k0iMkAV9cvzs49kBppM+xoH+KKj4QWmkKELD39H ngQnT3RkKsTLlwxyLqPdUmeQNAY2M5fsOK+OF6EvwLPK9hbmE3Wx2moX+sbEUxJ2VzFhKSKb OPZALXwk1XxL0qBedz0xHYcDwaSAZZkEFXURv2pDIdrmnoUnq2gdC8GpoFJiXoUaCLSYzzaY ac4Njw7Mue8IqfzRQb70aMjXl/qmsmfmEVAyGXywDdc/ler4XSgiuYOV7Kf69bj9PFZZSMdJ MWgEyZH6lJ0TU5ccR2zp5ZRmWzQQkxJMyH2th7q0Nmz3aX4A0K4yE0Ba9/5Dr7ctpF15BrMF aEo4s5lwI6tUnkgMWo265mMzCz4mAPV/ac0w0OXQg7r9E2r0+dRapnzUlG43D0JLDqDr9uRR L6IrRQqoCWUC75lfmPYQYSlaTJaK68r3lXd0z1cXJUgVtEL5H3/Z71R2B20twcQVAnw2iIH6 L5vdrsIjHrMmkqRVbs9nNyEAEQEAAbQ5SGFybGFuIFN0ZW5uIChOZXR3b3JrIFRpbWUgRm91 bmRhdGlvbikgPHN0ZW5uQG53dGltZS5vcmc+iQG5BBMBAgAjBQJSNsblAhsvBwsJCAcDAgEG FQgCCQoLBBYCAwECHgECF4AACgkQyIwAt1pH+kBlzgv/QOg70vdj8wU/z97UPdlbxtN4THAB gfSX4N0VPKT5fjX1tFhuXZQAOv7wedR3Trh7TGteyg33TBAFf9A42mXZKi1IxAiQG118Hd8I 51rXwnugURIYQaIyQI+vbchRbwVyz+mVLTI/h6FdbsVzT4UFmir+ZMkb/XeZPu0HItk4OZHE 6hk+TuTiCnlqlCPLq371fXV54VOb91WZYD8EQFtK02QHGHsQqWvapdphiDVpYehmsPyiTESq NMKLVtjtyPkQ6S7QF3slSg+2q3j8lyxEA78Yl0MSFNU8B/BtKgzWP2itBOfi+rtUKg+jOY1V /s2uVk2kq2QmHJ/s5k5ldy3qVvoTpxvwBe0+EoBocTHYt+xxp0mTM6YY1xLiQpLznzluqg9z qtejX1gZOF4mgLiBIrhXzed3zsAazhTp5rNb1kn0brZFh6JC5Wk941eilnA4LqX8AWo0lmwo eb+mpwZK/5lNdage/anpVqft9wJ/8EcvST9TLUO4fPrmT3d/0LpWuQGNBFI2xmQBDADXLsBk I7CSa5UXlrNVFJQHER1VxRBKqjWWCh/8Qv9v3p3NrIc2UnhoZ1uWQ2voBGty5Xfy9k4afV5k WwDyRDUIb7PX+Tj4HjVVr7qvnOVe/0KzZpNq0Azd0ggFbsM+8mydktHIwJykW0NUsGwPRYuD OA0Lro0ohb5IiCt3sSQi1X1hYjo7O1Vmn8Gy/XYOnhnMux+5zDPO2yTkCNX5PocYi9IJJy6p Mq1yQV4Y2Dl8KtQzvtq55vCUxx6n0MMzFViGwNW6F4ge9ItO4tDScsgowDrHa208ehwOpv/i wjf93lCClQ6vaKmOBX872K/tdY/hwhxPPjgl1bcrOwMRYVemOPPehwnXH5bwclk1hvDQdkJQ 5pJOkE4VCryTF/iDAt4g2QnHocUwt3b6/ChUUWmj2GZ22OR12rbnCtLedwp0DpViKPUCQHBO vpgXdzE/L9zWar9fqM0EREMgfWbsJc9028qluCcFLIN1gYsq4cC+YGAcOu7HOI5orBBV4m9j XfsAEQEAAYkDPgQYAQIACQUCUjbGZAIbLgGpCRDIjAC3Wkf6QMDdIAQZAQIABgUCUjbGZAAK CRDfCQ/G52/8P/uWDACe7OEM+VETDRqjQgAwzX+RjCVPvtgrqc1SExS0fV7i1mUUxr/B8io3 Y1cRHFoFKmedxf8prHZq316Md5u4egjFdTT6ZqEqkK0hvv+i0pRpCa5EX9VIStcJStomZp8F cY34grA+EOWITaLQ4qNZUP7rf2e7gq1ubQTj7uLr6HZZvMZ5em+IvrOWEuWDI6yOiI6px04w RDfkoR2h6kgdw4V0PT4NjK9WYYKrVCf1bjLlVImNBEcXfvlUTrIYO8y6ptvoUsBQky5pQRvP 99Pn42WfyLy50aII6+vyudD4T0yLjXAz4KteUttxtIte64m/F9/7GEIZAxTUcLyOq/7bP4le h39jBckwc62iYzeK/VkU/bMMh2D68Z3QylMnhhcW27BcgQHPKsHhmFa2SNytYcuQiSdf9+pj 4i32ETz1nJAvYAAqgTF/0PL+8ZNQoEpe/n9woMKrlZrqD4EgFmhQ3bNVhlaXz1nuTZDrwPt1 yMxBuUNbCF4jFnaruwrSiGTRoIfUZQwAjQglahrV4/mcjfnvbNoseHX0PKd9q+wjg7MIjWqr f2CI8Fa6MdanqwYphz43I2yXANKFZuMWsWqyQYlvGuPUlUUcAL3stp24RkzDB1Q+JS0IZJST T2JSu0aTfUdWVNqr2UI19eX+zxbOTckSi3Ng14ezG8ZX194ZH10b8JzntQOwmA20pd5JDhug zQfASER+CZDiPPcQ4mvC4y7rMrfV6XGQbDynC3ekDxo8SC5SvjaczXMwXg6SZ8iFtEWmEwW9 r7zPjjIPDrX8w5LXBgxArM5o/HbERpc2EdAvMh1D7LC0SvmoE7fBKxsicVBe4h6vXjEZ+LLr /wuZiBld9OnxAUIpwptbBspO6WKTQYvgFH2OeDG27hiE5P4Xs4WSp5j9ez8OVB1iZnA2nCQ+ tNTjO8c+C/P92vPLx5+bpGRXTXMNaLh34PS3ZsYoUDkKZNhczRZUWJ7nynSbeeyF+QW7SLwA qY7O7dyk9LFTsfJqRQJ7tWnIAjJPCwmSgQ8Kl0UJ
Message-ID: <459ea875-ec2c-dc72-c728-cb7a29854cf6@nwtime.org>
Date: Fri, 26 Jun 2020 17:55:28 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <20200622093954.GF22085@localhost>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/2uRAZ6ZhZkGhWUFsaIe7DpvDGYk>
Subject: Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomization-04.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2020 00:55:40 -0000

On 6/22/2020 2:39 AM, Miroslav Lichvar wrote:
> On Mon, Jun 22, 2020 at 02:08:55AM -0700, Harlan Stenn wrote:
>> On 6/22/2020 1:59 AM, Miroslav Lichvar wrote:
>>> It depends on the UDP connection tracking timeout and the client's
>>> polling interval. A typical polling interval is longer than a typical
>>> tracking timeout, so the effect shouldn't be significant on average.
>>
>> I'm not sure exactly what you mean by "the UDP connection tracking timeout".
> 
> A stateful firewall is tracking connections. That includes NTP
> requests and responses. As it doesn't have an infinite amount of
> memory, it needs to drop the connections after some time. For UDP
> connections that timeout tends to be very short, e.g. two minutes.
> 
> I thought you implied with your question that port randomization will
> significantly increase the number of connections that the firewall
> will need to track.
> 
> What problem do you see with firewalls and port randomization?
> 
> ...

My primary concern about this document is that it seems to come from a
specific and limited point of view, and to me its tenor is one of
dictating an over-reaching "policy" instead of providing "mechanism".  I
think the draft should offer information and direction, from a wider
perspective.

Specifically, when I asked a network wizard about why he disagrees with
this proposal he tells me:

> Because on-host is a relatively unusual place for a firewall to be
> run, and most enterprises run firewalls elsewhere, and don't run
> them on-host because it is "so hard".  Enterprises are SO resistant
> to doing this that new technologies such as "microsegemntation" and
> "{smart, artificial intelligent, etc} firewall" that use other
> capabilities, such as a hypervisor's virtual networking subsystem
> (see VMware NSX) to force network security upon a VM.  This has the
> upside of being something that the VM itself cannot modify or drop.
> Unfortunately, it is mostly only for VM's, as a bare metal host
> does not have a virtual netwoork stack sitting on its network
> port anxiously filtering its packets.
>
> In more conventional designs, you will tend to have a dedicated
> firewall at network edge (to your upstream), and/or maybe at the
> router interface/default gateway for a host.
>
> Stateful filtering is mostly a game for software firewalls and
> software routers.  You need to maintain state; the silicon to do
> this is horribly pricey.
>
> However, I can do 10G line rate filtering on a switch with just a
> few commands (8.8.x is just example public IP space):
>
> ip access-list storage1-out
> 1000 permit ip 10.249.2.0 0.0.0.255 any
> ...
> 1190 permit tcp 8.8.64.72 0.0.0.3 eq smtp any
> 1200 permit udp 8.8.64.76 0.0.0.3 eq ntp any
> ...
> 1310 permit icmp any any
> 1320 deny every
> exit
>
> Now this configuration would happen to allow source port
> randomization, because within my network with the source
> "8.8.64.76/30:123" is guaranteed to be the NTP servers, but in a
> less-controlled environment such as where you are using pool,
> you would omit the source IP range and do something like
>
> 1200 permit udp any eq ntp any eq ntp
>
> which permits ntpd to work but doesn't allow scanning of random UDP
> services by an external site using a source port of :123.

and his last sentence carries the kicker.  This proposal effectively
cost-shifts filtering to hosts, and prevents efficient use of filtering
technologies on edge switches.  His line works to offer time service to
others, as allowed packets are only to port 123.  This draft RFC would
require the external firewall to open all incoming udp traffic from port
123, and would require a stateful firewall on all machines receiving
that traffic.

He believes that as currently written, if people implement this by
default they will not be able to block unwanted traffic at the least
expensive place and could easily allow a bad guy to port scan you, if
the bad guy launched his port-scanning from UDP 123.  Therefore as
written, this proposal will *decrease* overall security because of how
it cost-shifts.

-- 
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!

v2.23.0 | Report a Bug | By Email