IETF Logo Mail Archive

Re: [Ntp] NTS IANA request

"Majdi S. Abbas" <msa@latt.net> Fri, 07 June 2019 20:08 UTC

Return-Path: <msa@latt.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76A5C120140 for <ntp@ietfa.amsl.com>; Fri, 7 Jun 2019 13:08:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXStsRLqaOgP for <ntp@ietfa.amsl.com>; Fri, 7 Jun 2019 13:08:34 -0700 (PDT)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A29421200B2 for <ntp@ietf.org>; Fri, 7 Jun 2019 13:08:34 -0700 (PDT)
Received: by puck.nether.net (Postfix, from userid 504) id 0AB23540BE0; Fri, 7 Jun 2019 16:08:33 -0400 (EDT)
Date: Fri, 07 Jun 2019 16:08:33 -0400
From: "Majdi S. Abbas" <msa@latt.net>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "ntp@ietf.org" <ntp@ietf.org>, "Gary E. Miller" <gem@rellim.com>
Message-ID: <20190607200832.GA19127@puck.nether.net>
References: <CAN2QdAH9Uh_wYSEizgYTjd4Q6VFQT+tvH8dnbPgKKc59+vEfng@mail.gmail.com> <a123d81b-4994-9e35-58eb-6845cf439f91@nwtime.org> <20190605164753.6e71fcaa@rellim.com> <03055E77-EB42-494E-A231-039C4603E256@akamai.com> <CAJm83bDYZ+vcwkhFEf2YCAVwKcSm7rEgbuB0Wwsvm5XVVAMjuQ@mail.gmail.com> <C8E4189E-E3A1-4926-AF0F-93BE9C7255C8@akamai.com> <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com>
X-Message-Flag: Follow up
User-Agent: Mutt/1.11.4 (2019-03-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/6vJfw69LYH-A_Sjy3AlDYt_O5XU>
Subject: Re: [Ntp] NTS IANA request
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2019 20:08:36 -0000

On Thu, Jun 06, 2019 at 02:28:28PM -0400, Daniel Franke wrote:
> As a slight tangent, we never concluded the discussion as to what
> we're going to do about the fact that so many ISPs are dropping
> 123/udp traffic with payloads larger than 48 bytes. I think we got as
> far as concluding:

	At least in the case of two major carriers that did deploy
filters early on, that's not actually what they are doing.

	They're peeking at a specific offset to look for large monlist
replies.  They were absolutely not filtering all NTP traffic above 48
bytes; and I have not seen that behavior in production networks.
(Such a filter is actually difficult to implement since it has to work
in hardware that exists in linecards already.  It's easier to peek at
a specific offset than decode size and do a comparison the value.)

	Another large carrier, run by some pretty sharp folks, simply
rate limits large NTP payloads, but does not deny it. This should be
fine for key exchange or some sort of other initial session setup.

	I only ran into issues with one of them -- which they corrected
when I had a conversation with them about it.

> 1. We're never going to persuade enough ISPs to change their policy,
> making 123/udp basically doomed.

	I'm not sure where this came from, but it hasn't been my 
experience.  In fact even the folks who came in with pretty heavy
handed filters a few years ago, have backed off quite a bit as users
have corrected their configurations.

> 2. NTS-KE's port negotiation record gives us all the mechanism we need
> in order to run NTP-with-NTS over an alternate port.

	I'm not sure that's necessary, or sufficient.  

> But that left an unresolved question: do we allocate a fixed alternate
> UDP port, or should servers ask the OS for a dynamic port and then use
> NTS-KE to advertise whatever the OS assigns to them? Both choices have
> firewall-related drawbacks. If we use a fixed port, we risk landing
> ourselves right back in the same situation we're in today with 123. At
> minimum, to protect ourselves from this, the NTF would have to commit
> to adding some code to ntpd such that it will refuse to ever send mode
> 6 or 7 responses over the new port no matter what configuration the
> user gives it. (Yes, mode 6 too, because mode 6 still amplifies, just
> not as severely as mode 7 does). If we use a dynamic port, then it
> becomes much harder for ISPs to block us, but it also becomes harder
> for corporate firewalls with a default-deny-all policy to let us
> through.

	I don't believe there's much of a firewall issue at all,
since I haven't seen a blanket "lt 1024" permit in.... years.  Either
specific services are permitted, or application level proxies are
employed... but nobody magically "trusts" system ports any more, and
has not in a very long time.

	--msa

v2.23.0 | Report a Bug | By Email