Re: [Ntp] RFC 8633 (NTP BCP), Appendix A: "restrict source ..."

Martin Burnicki <> Tue, 06 July 2021 08:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 894263A1F47 for <>; Tue, 6 Jul 2021 01:55:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.737
X-Spam-Status: No, score=-4.737 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wOdidNd1y3jN for <>; Tue, 6 Jul 2021 01:55:48 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DE68A3A1F42 for <>; Tue, 6 Jul 2021 01:55:47 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 2781C71C139D; Tue, 6 Jul 2021 10:55:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=d2021; t=1625561745; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=SEadD8G5rpkzZbyzN5w7qv+xmKLyZmljPHoMu+W7ZPk=; b=C07wyY7qjvMGGuFuoi4ONWa0A3E7Z6P5H4FT2HRtN71vFPF1acsszCNh0rFNhBRlg2H3rt VmCyVXH6H0MXSKOc/ejdqum20wMpyQN2Nm6hJPmtdVvEUrv3DnmqI9/IHtroCnn9G6eNSB Czd+BdgbhYuFnL1psF7doL4skbJJa+CJG0cTakszt1qAr/oxlNNBL9eRxsmmCmL69j9QgA /0X7j9v2R18vcAnmbHonmeKim9DlkWpLK0m65LG2VMbwjW8R5DZQel063H5/Sg0Ut+jCcy kRdNh2YG1PoBQKNCEXkejeW7HV35LWdl6Xi2zINq/sLljJdPO9+Lx9L5PrEmaw==
Received: from ( []) (using TLSv1.3 with cipher AEAD-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS; Tue, 6 Jul 2021 10:55:44 +0200 (CEST)
X-Footer: bWVpbmJlcmcuZGU=
Received: from localhost ([]) by with ESMTPSA (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)); Tue, 6 Jul 2021 10:55:44 +0200
To: Ulrich Windl <>
References: <YNRtXhduDjU4/0T9@localhost> <> <YNnSj8eXSyJ89Hwv@localhost> <> <YNrDGy2M2hpLz9zc@localhost> <>
Cc: "" <>
From: Martin Burnicki <>
Organization: Meinberg Funkuhren GmbH & Co. KG, Bad Pyrmont, Germany
Message-ID: <>
Date: Tue, 06 Jul 2021 10:55:43 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="68r0MTS24pmiEckBr61UY2Rc35qRUJDg1"
X-SM-outgoing: yes
Archived-At: <>
Subject: Re: [Ntp] RFC 8633 (NTP BCP), Appendix A: "restrict source ..."
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 Jul 2021 08:55:54 -0000

Hi Ulrich,

Ulrich Windl wrote:
> Hi!
> Reading RFC 8633, Appendix A, specifically A.2, I was confused a bit:
> The last line says "restrict source..." (and the preceding lines had "restrict default...").
> The point is that "default" is a literal keyword, but "source" is not (AFAIK).

Yes, "restrict source ..." it valid syntax, which has been introduced 
int ntpd 4.2.8, if I remember correctly.

The HTML docs of the current ntpd distribution says (in access.html):

"restrict source" configures a template restriction automatically added 
at runtime for each association, whether configured, ephemeral, or 
preemptable, and removed when the association is demobilized.

If I remember correctly, this was introduced to fix a problem e.g. with 
pool server entries. If you had a restrict line like

restrict default ... nopeer

then automatic associations e.g. due to the "pool" directive wasn't 

restrict source ...

now adds the specified permissions to such associations that are created 

Martin Burnicki

Senior Software Engineer

MEINBERG Funkuhren GmbH & Co. KG
Phone: +49 5281 9309-414

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg, 
Andre Hartmann, Heiko Gerstung