Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-port-00.txt
Miroslav Lichvar <mlichvar@redhat.com> Mon, 26 October 2020 17:36 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 447923A0DEC for <ntp@ietfa.amsl.com>; Mon, 26 Oct 2020 10:36:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppL-qguBTdJr for <ntp@ietfa.amsl.com>; Mon, 26 Oct 2020 10:36:47 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 844543A0DED for <ntp@ietf.org>; Mon, 26 Oct 2020 10:36:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1603733806; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/iTXtMYXLA/Mf56479OmbRJ3p/54d4ukXje2Lh051IE=; b=fydSIoA5tEUJDoHsJWHGxjHFdqOi84tMS6UeMrbA9SuQNegzCbV4i6T/POjXqSRrZFM+In 1q3Ig8GmHawnS7SbesRYMz5bLKPnBoARpgBRKGod2gx9zlosSRMHGhga3a+y+3a+or8aGL z0WQlHFdFOswo1drEn206HSm6WgOnv0=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-106-kk35qc_WOSqG_2WNBDYaRQ-1; Mon, 26 Oct 2020 13:36:41 -0400
X-MC-Unique: kk35qc_WOSqG_2WNBDYaRQ-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id DB33C1800D4A; Mon, 26 Oct 2020 17:36:39 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3BB605577D; Mon, 26 Oct 2020 17:36:39 +0000 (UTC)
Date: Mon, 26 Oct 2020 18:36:37 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Steven Sommars <stevesommarsntp@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <20201026173637.GE580262@localhost>
References: <160251475240.1475.18009830719976625294@ietfa.amsl.com> <CAD4huA5UiS+yAjASKcj9FjWDuSCiVF4rEajZfkyzBSF61-yfvw@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAD4huA5UiS+yAjASKcj9FjWDuSCiVF4rEajZfkyzBSF61-yfvw@mail.gmail.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Cp7ADiC4Nw0Jc56bygVldpZsaIc>
Subject: Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-port-00.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 17:36:49 -0000
On Sat, Oct 24, 2020 at 11:40:56AM -0500, Steven Sommars wrote: > (comment) The ALTPORT could be used for NTS only (my preference). However I > don't object to ALTPORT being used for both NTS and RFC5905 as described in > this draft. As the problems with blocking and rate-limiting are not specific to NTS-protected NTP packets, I think it would be nice to provide a workaround for all servers and clients, not just those that are using NTS. I don't think we can expect NTS to be instantly adopted everywhere. > Abstract: "in order to make NTP safe for the Internet." > NTP behavior is improved, but since it is UDP based there is still > opportunity for abuse. Do you suggest to reword the abstract to mention only that it makes NTP amplification-free? > Section 1. "Over time, network operators have been observed to implement > the following mitigations" > - The mitigations are undocumented, path/operator dependent and may change > over time. Ok. I'll try to improve that section. > Section 1. "The number of public servers in the pool.ntp.org project has > dropped in large part due to the mitigations (citation?)." > I am unaware of a good citation. Several threads in > https://community.ntppool.org/ describe problems with NTP Pool monitoring, > i.e., unexpected low monitoring scores. > Some incidents resulted in machines being temporarily or permanently > removed from the NTP pool. > I doubt there is data to back up the "in large part" comment. Maybe we could at least say that the number of servers dropped due to the attacks, no matter why exactly were the servers removed? The graph at this page clearly shows when it started: https://www.ntppool.org/zone > Section 2. > "The client SHOULD be switching between the two ports until a valid > response is received." > to > The client SHOULD alternate between the two ports until a valid response > is received. Ok. > Are there any issues with an NTP server keeping state information for both > clients at both (IP, port 123) and (IP,ALTPORT)? I suspect it would be an unnecessary complication wasting memory. > E.g., Client sends queries on the two ports, server receives both. Does > the server consider these to be two clients or one? I think it should still count as one address, which can have multiple clients. Servers usually don't care about the client's port, so I don't see a reason why they would want to care about the server's port. Before the server port, it would make more sense to consider the server address on multihomed hosts. The server port should just limit the responses to those that don't cause amplification. Thanks, -- Miroslav Lichvar
- [Ntp] I-D Action: draft-ietf-ntp-alternative-port… internet-drafts
- Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-… Steven Sommars
- Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-… Miroslav Lichvar
- Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-… Steven Sommars
- Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-… Miroslav Lichvar
- [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-ntp-… Ulrich Windl
- Re: [Ntp] [EXT] Re: I-D Action: draft-ietf-ntp-al… Steven Sommars
- Re: [Ntp] [EXT] Re: I-D Action: draft-ietf-ntp-al… Harlan Stenn
- Re: [Ntp] [EXT] Re: I-D Action: draft-ietf-ntp-al… Miroslav Lichvar
- Re: [Ntp] [EXT] Re: I-D Action: draft-ietf-ntp-al… Steven Sommars