IETF Logo Mail Archive

Re: [Ntp] comments on draft-mlichvar-ntp-ntpv5-03 / Extension fields

Miroslav Lichvar <mlichvar@redhat.com> Mon, 29 November 2021 09:58 UTC

Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06EC93A101D for <ntp@ietfa.amsl.com>; Mon, 29 Nov 2021 01:58:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.802
X-Spam-Level:
X-Spam-Status: No, score=-2.802 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ko9xEa2Bgh5q for <ntp@ietfa.amsl.com>; Mon, 29 Nov 2021 01:58:11 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6450B3A0595 for <ntp@ietf.org>; Mon, 29 Nov 2021 01:58:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1638179890; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=US3X5Rl7gczR+z1/gHonTS4Lp+JsTo8AA8G2XpE45sQ=; b=carSHnucBjORCVvGqk0GhL3W+kEJ4peVJ7Sqj/Y1E2qQqa2w6yYCJhH12CA51HgcQ/Sd7Q PPZh571lBYLOmW+xjTAu9qMyPewxU5Lb6YnQxCFSRLY3qXyvR/9XXubntpNFoTVuJaiHuQ /UA+jBmYoj+rYgba4PnyrsguhNUjEcM=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-44-CBcAeOeUMam58ZgpcDkddg-1; Mon, 29 Nov 2021 04:58:06 -0500
X-MC-Unique: CBcAeOeUMam58ZgpcDkddg-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0A7C31023F4D; Mon, 29 Nov 2021 09:58:06 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5288C794A1; Mon, 29 Nov 2021 09:58:04 +0000 (UTC)
Date: Mon, 29 Nov 2021 10:58:02 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Dan Drown <dan-ntp@drown.org>
Cc: ntp@ietf.org
Message-ID: <YaSkKrfdgJmOfKyJ@localhost>
References: <20211123131501.Horde.ErUH7VWw3Nr2PFkAGzGIEuI@mail.drown.org> <20211125214748.Horde.K2Fa5qir5iPLYRvfQJBMx8m@mail.drown.org> <20211126214820.Horde.ErbRZcjuVf-yEn55FGUhEZP@mail.drown.org>
MIME-Version: 1.0
In-Reply-To: <20211126214820.Horde.ErbRZcjuVf-yEn55FGUhEZP@mail.drown.org>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/DTUztUvJQvhGUpf_B2fxtJkiI-c>
Subject: Re: [Ntp] comments on draft-mlichvar-ntp-ntpv5-03 / Extension fields
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2021 09:58:13 -0000

On Fri, Nov 26, 2021 at 09:48:20PM -0600, Dan Drown wrote:
> After a day of thinking about my proposal above, I have the following
> concerns:
> 
> * The added packet size, 20+4 bytes is very large for NTP

What would you consider the maximum acceptable size? Please note that
only clients serving time to other servers would need to use it.
Clients that don't serve time, which I think is the most common case,
don't need to care about loops.

As you pointed out, it should be even much larger if we want a lower
false positive rate. But it doesn't have to be transmitted all at
once. The client could get it in multiple parts over multiple requests
(e.g. 4 or 8). This would add a delay to the loop detection.

> * I need to consider compatibility between NTPv4 refid and v5 extension.
> Specifically, what translations happen when switching between versions

Most of the information would be lost if an NTPv4 server was in the
chain. This would be common in the beginning. For NTPv4->NTPv5
compatibility, we could specify a mapping of the 32-bit refids to the
bloom filter.

> * The 1% false positive rate would be a problem when you have a set of
> servers each with 10,000+ clients

Right. It needs to be much lower.

> * Packet logging for monitoring and management would be challenging

You mean manually checking whether a server is in the filter?

> * Operators would probably want some way to make this more deterministic,
> maybe a configured local ref id

It could be saved to disk to not change across service restarts.

> I'm doubting if a bloom filter is the right choice for NTP loop detection.

Are there any other reasonable options?

Maybe a combined approach using 32-bit or 64-bit IDs for detecting
loops between two servers and a slowly updated bloom filter to detect
loops over a larger number of servers?

-- 
Miroslav Lichvar

v2.23.0 | Report a Bug | By Email