Re: [Ntp] NTP port randomization: per-association vs. per-request basis?

Watson Ladd <watsonbladd@gmail.com> Tue, 28 January 2020 03:22 UTC

References: <07a6ac74-44bb-0e2f-fdd0-ee80df45468b@si6networks.com>
In-Reply-To: <07a6ac74-44bb-0e2f-fdd0-ee80df45468b@si6networks.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 27 Jan 2020 19:22:34 -0800
Message-ID: <CACsn0cnKY2Kn76kmhhTrYAE5eZ8nv5gMS6DrRAY8OJTt4X4q=g@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: NTP WG <ntp@ietf.org>, Miroslav Lichvar <mlichvar@redhat.com>, Guillermo Gont <ggont@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/kDfCA_Euwk-zBJmSeLDTEtPffFw>

On Mon, Jan 27, 2020, 6:32 PM Fernando Gont <fgont@si6networks.com> wrote:

> Folks,
>
> A while ago Miroslav raised a few questions
> (https://mailarchive.ietf.org/arch/msg/ntp/9VDGNerkFM5E0rCmzuf019rfclo/)
> on this list. In order to get a better idea of what the WG's feeling
> about them is, I'm re-raising them in separate emails.
>
> The current version of the I-D recommends the (more conservative) port
> randomization on a per-association basis. However, he raised the
> question regarding whether it would make sense to recommend per-request
> port randomization, based on these arguments:
>
> - It seems to be the current practice. From the implementations
>    that I'm familiar with and that use a random source port, each one
>    opens a new socket for each request, at least by default. On my
>    public servers I see that most clients do change their port over
>    time.
>
> - It doesn't seem like a good idea to require a client to keep its
>    port open when it's not waiting for a response. If it received a
> valid response, or didn't receive a valid response in a few seconds
>    after sending the request, it should close the port.
>
> - The port number may be discoverable by other means, so it should
>    change frequently. For example, the attacker could try sending
>    packets to all ports and observe which one changed a value reported
>    by the client in a monitoring protocol (e.g. mode 6). If the
>    attacker can determine the port number, which cannot be prevented in
>    the general case, the time for which it is useful for attacks should
>    be limited.
>

My one consideration is that per-packet randomization may interact badly
with ECMP by directing each packet to a different server in setups using
ECMP for reliability.

I don't know how big a concern this is: I'm not an expert in the relevant
area.


> Thoughts?
>
> Thanks!
>
> Cheers,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
>
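The ECMP concern raised in the reply above can be made concrete with a small simulation. This is an added example, not code from the thread, from the I-D, or from any NTP implementation. It assumes what most routers do: the ECMP next hop is selected by hashing the flow 5-tuple (source address, destination address, source port, destination port, protocol), so a client that changes its source port on every request also changes which path, and therefore which server behind an anycast or load-balanced address, handles that request. The hash function, address values, number of paths and port strategies below are all constructed for the illustration.

```python
"""Simulation of how an NTP client's source-port strategy interacts with ECMP.

Added illustration only. Assumption: the network hashes the 5-tuple to pick
one of n_paths equal-cost paths/servers, as typical ECMP implementations do.
"""
import hashlib
import random
from collections import Counter

NTP_PORT = 123
PROTO_UDP = 17


def ecmp_pick(src_ip, dst_ip, src_port, dst_port, proto, n_paths):
    """Stand-in for a router's ECMP hash: deterministic 5-tuple -> path index."""
    key = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{proto}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def per_association_ports(rng, n_requests):
    """Per-association randomization: one random ephemeral port chosen when the
    association is created and reused for every request to that server."""
    port = rng.randint(1024, 65535)
    return [port] * n_requests


def per_request_ports(rng, n_requests):
    """Per-request randomization: a fresh random ephemeral port (new socket)
    for every request, closed once the response arrives or times out."""
    return [rng.randint(1024, 65535) for _ in range(n_requests)]


def paths_used(ports, src_ip="192.0.2.10", dst_ip="203.0.113.1", n_paths=4):
    """Count how many of the client's requests landed on each ECMP path.
    Addresses are documentation-range values constructed for the example."""
    return Counter(
        ecmp_pick(src_ip, dst_ip, p, NTP_PORT, PROTO_UDP, n_paths) for p in ports
    )


def compare(seed=1, n_requests=64, n_paths=4):
    """Run both strategies from the same seed and report how many distinct
    paths (servers) each one touched over n_requests polls."""
    assoc = paths_used(per_association_ports(random.Random(seed), n_requests),
                       n_paths=n_paths)
    per_req = paths_used(per_request_ports(random.Random(seed), n_requests),
                         n_paths=n_paths)
    return {
        "per_association_paths": len(assoc),
        "per_request_paths": len(per_req),
        "per_request_spread": dict(sorted(per_req.items())),
    }


if __name__ == "__main__":
    result = compare()
    print("per-association: requests hit", result["per_association_paths"], "path(s)")
    print("per-request:     requests hit", result["per_request_paths"], "path(s)",
          result["per_request_spread"])
```

With per-association ports every poll to a given server follows the same path, so an ECMP group deployed for redundancy behaves as one consistent server from the client's point of view. With per-request ports the same client's polls are spread across the group, which is what the reply describes: if the backends are not tightly synchronized, or keep per-client state such as rate limiting, the client sees several slightly different servers over time. Whether that matters in practice depends on how closely the servers behind the ECMP group agree with each other.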