Re: [Ntp] Fwd: New Version Notification for draft-ietf-ntp-port-randomization-02.txt
Miroslav Lichvar <mlichvar@redhat.com> Tue, 21 April 2020 09:38 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EFB83A0AAC for <ntp@ietfa.amsl.com>; Tue, 21 Apr 2020 02:38:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.201
X-Spam-Level:
X-Spam-Status: No, score=-0.201 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c-Z30aVgUTjw for <ntp@ietfa.amsl.com>; Tue, 21 Apr 2020 02:38:07 -0700 (PDT)
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB6093A0AAA for <ntp@ietf.org>; Tue, 21 Apr 2020 02:38:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1587461886; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=uitqfywKV1GdyOL6mdFIrMZXO4X2uj3tao0idmxSqaA=; b=X95n7mAjrWyCAC0OtZF4OrkPSUBwUqd96kJSB5A0JBH4+cJUzVjIP6xkFfe46rYEwr9Kk+ nhGZ3/ILiVoKEUG8zCsn+fV52pWbL759M52DNvF+EWVAYUaCNz3vvRFJtO7WYVofPXA6JF 9IxEPfBLyWmnbDhz3KO90owS4FKOKls=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-392-AYxsX4JpMZKJPoc8dEb6JA-1; Tue, 21 Apr 2020 05:38:04 -0400
X-MC-Unique: AYxsX4JpMZKJPoc8dEb6JA-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6E23F18C35A2; Tue, 21 Apr 2020 09:38:03 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EC4705DA66; Tue, 21 Apr 2020 09:38:00 +0000 (UTC)
Date: Tue, 21 Apr 2020 11:37:59 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Steven Sommars <stevesommarsntp@gmail.com>
Cc: Fernando Gont <fgont@si6networks.com>, "ntp-chairs@ietf.org" <ntp-chairs@ietf.org>, "ntp@ietf.org" <ntp@ietf.org>
Message-ID: <20200421093759.GB4396@localhost>
References: <158706113942.27424.5328137517371748525@ietfa.amsl.com> <bb5a098c-e842-da1a-01d2-65d6d064f5cd@si6networks.com> <CAD4huA4FRGW4csX21K7Dst00rOuRubMHrXLieFd9JPyAUV4rxQ@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAD4huA4FRGW4csX21K7Dst00rOuRubMHrXLieFd9JPyAUV4rxQ@mail.gmail.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/BHkCF41PeYz75kBTW8NZk74NgK8>
Subject: Re: [Ntp] Fwd: New Version Notification for draft-ietf-ntp-port-randomization-02.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2020 09:38:11 -0000
On Thu, Apr 16, 2020 at 07:06:33PM -0500, Steven Sommars wrote: > Question: The draft doesn't enumerate the NTP modes of concern. Is Mode 3 > specifically covered? In the section "4. Update to RFC5905" the updated text says in which modes randomization shouldn't be applied (modes 1, 2, 5) and that it should be applied in the other cases (i.e. modes 3, 4). Do you think the "other" modes need to be listed? > Off-path attacks for Mode 3/Mode 4 exchanges are already difficult since > the Mode 3 (request) transmit time stamp must > be returned in the Mode 4 (response) message. That depends on the implementation. For instance, a vulnerability was recently published for the "reference" implementation that it has highly predictable transmit timestamps, which makes an off-path attack taking control over the client's clock practical, even when the client is using multiple servers. If it randomized the port, the attack wouldn't be practical. > If predictable transmit time > stamps are a concern then a random transmit time stamp > (a la Chrony) can be used. Yes, that would prevent the attack, but as the draft explains port randomization is a mitigation at a different layer than the application protocol and is recommended by BCP 156. > Comment: Some older NTP server implementation tracked per-client usage > based on > client IP + source port. Which server implementation did that? > Port randomization will increase the apparent > number of clients tracked. > I don't know if this is a server performance issue, just wanted to mention > it. As NAT is widely used and the typical timeout for UDP connection tracking seems shorter than typical polling interval, I don't think the port randomization will make it significantly worse. > 3.2. Effects on Path Selection > > "If the clients changed their source port with each request, packets in > different exchanges would take different paths." > > s/would/could/ Ok, makes sense. > "The measured delay and offset would be less stable..." > > The measured delay is the RTT; sum of request delay and response > delay. Occasionally the request and response delays > on different client UDP ports differ by +delay and -delta respectively. > There is no "best" sample to choose since the RTT is > nearly constant. I'm not sure I follow here. If for example between the server and client there were four paths A, B, C, D with delays 10, 20, 30, 40 ms respectively, it's possible that the request and response would go only over A+D or B+C? > 3.3 Filtering of NTP traffic > > "Implementation of port randomization for non-symmetrical modes allows for > simple differentiation of NTP requests and responses" > > Such differentiation is only possible if the the use of port > randomization is universal. Right, but some ISPs didn't care and blocked all incoming packets with destination port 123. It was a common issue reported by users, e.g. one client in local network oddly not working (the one that doesn't have port remapped in NAT to a different port) or ntpdate working only with the -q option (which enables on port randomization). -- Miroslav Lichvar
- [Ntp] Fwd: New Version Notification for draft-iet… Fernando Gont
- Re: [Ntp] Fwd: New Version Notification for draft… Steven Sommars
- Re: [Ntp] Fwd: New Version Notification for draft… Miroslav Lichvar
- Re: [Ntp] Fwd: New Version Notification for draft… Steven Sommars
- Re: [Ntp] Fwd: New Version Notification for draft… Miroslav Lichvar