IETF Logo Mail Archive

Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02

Eliot Lear <lear@lear.ch> Thu, 09 December 2021 07:52 UTC

Return-Path: <lear@lear.ch>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C55AD3A03EE; Wed, 8 Dec 2021 23:52:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.742
X-Spam-Level:
X-Spam-Status: No, score=-2.742 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, NICE_REPLY_A=-1.852, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xZ9Dzcz1lLH2; Wed, 8 Dec 2021 23:51:58 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 539473A03F4; Wed, 8 Dec 2021 23:51:56 -0800 (PST)
Received: from [IPV6:2001:420:c0c0:1011::1] ([IPv6:2001:420:c0c0:1011:0:0:0:1]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 1B97pjmn4177883 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 9 Dec 2021 08:51:45 +0100
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1639036306; bh=A8EhKMLfMV6ji9hvmu+rTwM5kA09Vf+U65kVzN6Epqs=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=ibYX+9sPeojB2aEOV557/283Kf9/QGOB3gRj+hnW9c2liuN0+Jxb24V2BYVJYtsOf iKbml66XHOHFI8uHeA3fYKc+v4w/VvsucK9M9O1T4Ifk1YOf6m6sIg5K1lmTgCKG7o 8RpXkqsGCOAReudhDqIjrq+vUGSpeKSB3v858+0Y=
Message-ID: <159160c7-e595-349f-aff9-35cc60b02413@lear.ch>
Date: Thu, 09 Dec 2021 08:51:41 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Content-Language: en-US
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Miroslav Lichvar <mlichvar@redhat.com>, Steven Sommars <stevesommarsntp@gmail.com>, NTP WG <ntp@ietf.org>, TSVWG <tsvwg@ietf.org>, Harlan Stenn <stenn@nwtime.org>, Danny Mayer <mayer@pdmconsulting.net>, tsv-art <tsv-art@ietf.org>
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com> <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com> <CACL_3VENkyebRf25W6EpW0yZY6ELYS41A4D_i+RnQE1M21P2hg@mail.gmail.com> <Ya3fLJCHUsm1wE28@localhost> <90723c26-0352-a4d1-f765-eb26b1522954@pdmconsulting.net> <bf78924b-69bc-760e-cc7f-e6896504e194@meinberg.de> <Ya81mYy8/EuH8ilY@localhost> <ABF8072B-C6C0-47F3-BD7B-BAFE927B5DE1@strayalpha.com> <d3d167ee-5a6d-0060-a350-6eb04ba0ae8b@lear.ch> <98f35559-b1ff-be8b-d06e-a034ccd4b610@lear.ch> <EA1F9DA1-6C73-4BA6-9566-BEA09E3C6165@strayalpha.com>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <EA1F9DA1-6C73-4BA6-9566-BEA09E3C6165@strayalpha.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------Czs5RNp4STQrFrAS6L50ds0v"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/4glFZRFpvOPWg9M-UC9-c1wT1XE>
Subject: Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2021 07:52:04 -0000

Hi Joe

On 08.12.21 18:23, touch@strayalpha.com wrote:
> Hi, Eliot,
>
> Packets ARE getting to endpoints.
>
> If the issue is that packets of certain *sizes* aren’t getting there, 
> then NTP should find a way around that using the current port. The 
> fact that the existing port is being filtered is on them. Moving to 
> another port simply invites firewall managers to add that number to 
> their current NTP filters.

I'm not sold either way.

Yes, as a rule we do not allocate new ports for existing services.  
There are two reasons for that rule: first, it encourages sloppy design 
of the form ("I'll fix it later") and second and more importantly, we 
simply don't have so many ports to go around.

But this is a fundamental service, and the default behavior for clients 
will simply be to not authenticate.  And that would make NTP an 
attractive nuisance if those port filters are likely to stay.  That's a 
big if.

It is simply not reasonable, however, to require that NTP packets 
comport to a particular size in order to evade a combination of broken 
firewall policies and unbending IANA policies

Miroslav, one question I would like to understand is whether those drops 
involve typical packets used to sync clocks or if those are control 
packets.  In other words, are clocks not syncing because of the drops?

Eliot

v2.23.0 | Report a Bug | By Email