Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
Hal Murray <halmurray@sonic.net> Sat, 04 December 2021 23:12 UTC
To: touch@strayalpha.com
cc: Hal Murray <halmurray@sonic.net>, Magnus Westerlund <magnus.westerlund@ericsson.com>, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>, ntp@ietf.org, tsvwg@ietf.org, iana-port-experts@icann.org
From: Hal Murray <halmurray@sonic.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/A62SrnD3iYClFRbkNSLnigVPb8w>

touch@strayalpha.com said:
> FWIW, I don't see this assignment as appropriate.

Without a new port, it will be close to impossible to widely deploy NTP security.

Years ago (2013), NTP was used in a giant DDoS attack. That was due to a bug/oversight that had been around since the early NTP work. (I've tracked it back to 1989.)
  https://www.spamhaus.org/news/article/695/answers-about-recent-ddos
  https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification

The Wikipedia chart could use another column -- the number of sites available. Almost all Linux or *BSD sites were running ntpd.

The fix was trivial, but there are many essentially unattended sites running old versions of ntpd that will never get fixed.

Many many many sites have quietly installed filters in their routers. Set and forget. A typical filter drops UDP traffic to port 123 with a length other than 48. That lets old unauthenticated NTP through but authenticated packets are longer and get dropped.

To use authentication on the existing port would require removing those filters. Even if you could track down the right people, they would probably drag their feet until most of the sites running old unattended ntpd were fixed.

An alternative would be to implement BCP 38. How long has that been in progress?

--
These are my opinions. I hate spam.
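
The length filter described in the message above, modeled as an added example (not part of the original message and not code from any NTP implementation): it builds constructed NTP requests with and without authentication data and checks which ones a "port 123, length must be 48" rule lets through. `ALT_PORT` is a placeholder, since the message does not give the new port number, and all field contents are dummy bytes chosen only for their size.

```python
import struct

NTP_PORT = 123
ALT_PORT = 49152      # placeholder only: the message does not give the new port number
NTP_HEADER_LEN = 48   # fixed NTP header with no extension fields and no MAC

def ntp_header(version=4, mode=3):
    """48-byte header; only the LI/VN/Mode byte is set (client request)."""
    return bytes([(version << 3) | mode]) + bytes(NTP_HEADER_LEN - 1)

def with_mac(packet, digest_len, key_id=1):
    """Append a symmetric-key MAC: 4-byte key ID plus a digest (zero placeholder)."""
    return packet + struct.pack("!I", key_id) + bytes(digest_len)

def extension_field(field_type, value):
    """2-byte type, 2-byte total length, value zero-padded to a 4-byte boundary."""
    body = value + bytes(-len(value) % 4)
    return struct.pack("!HH", field_type, 4 + len(body)) + body

def filter_passes(dst_port, payload):
    """Model of the router filter: on port 123, drop any length other than 48."""
    if dst_port != NTP_PORT:
        return True   # the filter only matches traffic to port 123
    return len(payload) == NTP_HEADER_LEN

def sample_packets():
    """Constructed requests; field contents are dummy bytes, only sizes matter."""
    plain = ntp_header()
    nts_style = (plain
                 + extension_field(0x0104, bytes(32))    # NTS Unique Identifier
                 + extension_field(0x0204, bytes(100))   # NTS Cookie (size constructed)
                 + extension_field(0x0404, bytes(40)))   # NTS Authenticator (size constructed)
    return {
        "plain": plain,
        "mac_md5": with_mac(plain, 16),
        "mac_sha1": with_mac(plain, 20),
        "nts_style": nts_style,
    }

def survey():
    """Map name -> (length, passes on port 123, passes on ALT_PORT)."""
    return {name: (len(p), filter_passes(NTP_PORT, p), filter_passes(ALT_PORT, p))
            for name, p in sample_packets().items()}

if __name__ == "__main__":
    for name, (length, on_123, on_alt) in survey().items():
        print(f"{name:10} len={length:3}  port 123: {'pass' if on_123 else 'DROP'}"
              f"  alt port: {'pass' if on_alt else 'DROP'}")
```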