Re: [Ntp] [EXT] Re: I-D Action: draft-ietf-ntp-alternative-port-00.txt

Steven Sommars <stevesommarsntp@gmail.com> Mon, 02 November 2020 04:48 UTC

References: <160251475240.1475.18009830719976625294@ietfa.amsl.com> <CAD4huA5UiS+yAjASKcj9FjWDuSCiVF4rEajZfkyzBSF61-yfvw@mail.gmail.com> <20201026173637.GE580262@localhost> <CAD4huA6h8Nt5z=HnUQZUq8m6tXkPMe3boZK7gXJEPRnKnPB_9w@mail.gmail.com> <5F9BBD6D020000A10003C44F@gwsmtp.uni-regensburg.de>
In-Reply-To: <5F9BBD6D020000A10003C44F@gwsmtp.uni-regensburg.de>
From: Steven Sommars <stevesommarsntp@gmail.com>
Date: Sun, 01 Nov 2020 22:48:17 -0600
Message-ID: <CAD4huA4FUx8xZHWCtgDd7h+xozZv2+g9URDHodyJxV0S-0yRwg@mail.gmail.com>
To: "ntp@ietf.org" <ntp@ietf.org>
Cc: Miroslav Lichvar <mlichvar@redhat.com>, Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/DaZFULI9ZqCy3LFfX3HYGHmqAws>

The NTP mode 7 monlist command has been used since 2013/2014 for DDoS attacks.
As a countermeasure UDP port 123 traffic was/is filtered (dropped) on the
Internet by Zayo, Telia, AT&T, CenturyLink and others.

NTP filtering interferes with NTS and the NTP pool on some paths.

Remote access to the monlist and other mode 6/7 commands has since been
reduced, removed, modified or administratively disabled on many (probably
most) public NTP servers.  I have not found any current, specific technical
reasons why NTP filtering is still in place.  The ISPs I contacted gave only
vague references to the monlist issue, if they responded at all.

   Miroslav: NTS doesn't prevent the port from reflecting traffic
Won't NTS simplify mitigation?  I thought crypto overhead would throttle
attacks in software implementations.

   Ulrich: Rate limiting in case of NTP means "random packet dropping"?
Rate limiting is outside the scope of Miroslav's draft, so I won't make a
proposal here.

   Miroslav: Is a 1:1 reflection property normally considered to be a security issue?
I thought UDP reflection attacks were still an issue.  See this 2017
article: https://blog.cloudflare.com/reflections-on-reflections/

Since RFC 8915 (NTS) has been published and since popular NTP implementations
include NTS support, perhaps ISPs will see increasing end-user dissatisfaction
and eliminate or refine the port 123 NTP filtering.  I doubt it though.  The
alternate port seems necessary for widespread NTS deployment.

Will the Internet treat ALTPORT NTP/NTS nicely, without the type of
filtering seen on port 123?  I don't know.

Steve Sommars
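Added here to illustrate the mode 7 monlist reflection property the message refers to; this is example code, not from the thread or from any NTP implementation. It classifies UDP/123 payloads by NTP mode, picks out mode 7 monlist responses from their header fields, and computes the bytes-out/bytes-in ratio a defender would look at. The request-code values 20 and 42 are ntpd's MON_GETLIST/MON_GETLIST_1; the packets themselves are constructed samples, not captures.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Mode 7 (private) request codes for the two monlist variants (ntpd's ntp_request.h).
MON_GETLIST = 20
MON_GETLIST_1 = 42

@dataclass
class NtpSummary:
    mode: int
    is_response: bool
    reqcode: Optional[int]  # only meaningful for mode 7
    items: int              # data-item count, mode 7 responses only

def parse_ntp(pkt: bytes) -> NtpSummary:
    """Classify an NTP payload by mode; decode the mode 7 header when present."""
    if len(pkt) < 4:
        raise ValueError("too short for NTP")
    mode = pkt[0] & 0x07
    if mode != 7:
        # Modes 3/4 have no response bit; mode 4 is the server reply.
        return NtpSummary(mode, mode == 4, None, 0)
    # Mode 7 header: byte0 = R(1) M(1) VN(3) mode(3), byte2 = implementation,
    # byte3 = request code, bytes4-5 = err(4) | item count(12).
    is_response = bool(pkt[0] & 0x80)
    reqcode = pkt[3]
    items = 0
    if is_response and len(pkt) >= 8:
        (err_count,) = struct.unpack("!H", pkt[4:6])
        items = err_count & 0x0FFF
    return NtpSummary(mode, is_response, reqcode, items)

def is_monlist_response(pkt: bytes) -> bool:
    """True for a mode 7 response to either monlist request code."""
    s = parse_ntp(pkt)
    return s.mode == 7 and s.is_response and s.reqcode in (MON_GETLIST, MON_GETLIST_1)

def amplification(request: bytes, responses: List[bytes]) -> float:
    """Bytes sent back per byte received, over every datagram one request elicited."""
    return sum(len(r) for r in responses) / len(request)

# Constructed samples: an 8-byte MON_GETLIST_1 request (VN=2, mode 7, impl 3) and a
# single response datagram reporting six 72-byte monitor entries.
REQUEST = bytes([0x17, 0x00, 0x03, MON_GETLIST_1]) + b"\x00" * 4
RESPONSE = (bytes([0x97, 0x00, 0x03, MON_GETLIST_1])
            + struct.pack("!HH", 6, 72) + b"\x00" * (6 * 72))
```

Run over a real packet stream, the same functions would flag monlist responses leaving a host and report how much larger they are than the requests that triggered them.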