Re: [Ntp] NTS Hackathon coordination
Miroslav Lichvar <mlichvar@redhat.com> Wed, 27 March 2019 09:31 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7826D12028A for <ntp@ietfa.amsl.com>; Wed, 27 Mar 2019 02:31:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ha7d3o0-pGL4 for <ntp@ietfa.amsl.com>; Wed, 27 Mar 2019 02:31:45 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BA72120288 for <ntp@ietf.org>; Wed, 27 Mar 2019 02:31:45 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B8004BCD24; Wed, 27 Mar 2019 09:31:44 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C4A5E26FAE; Wed, 27 Mar 2019 09:31:43 +0000 (UTC)
Date: Wed, 27 Mar 2019 10:31:42 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: Hal Murray <hmurray@megapathdsl.net>, ntp@ietf.org
Message-ID: <20190327093142.GH16488@localhost>
References: <20190322223210.1181540605C@ip-64-139-1-69.sjc.megapath.net> <CAJm83bCkJ+yOe_P=ZefZS8ve1sNft7n6fLK3sRnLfBdME2kwhg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAJm83bCkJ+yOe_P=ZefZS8ve1sNft7n6fLK3sRnLfBdME2kwhg@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 27 Mar 2019 09:31:44 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/FV4EQxQ33iZKMYxAtNrrMYINYto>
Subject: Re: [Ntp] NTS Hackathon coordination
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 09:31:47 -0000
On Sat, Mar 23, 2019 at 12:37:55PM +0100, Daniel Franke wrote: > We need to get the word out to network operators to stop filtering in this > manner (and that if they really must filter, they should limit it to mode 7 > packets). And mode 6 packets, which still seem to be enabled by default in the implementations that support it. > As a (hopefully) temporary measure, implementers should make it > easy for users to serve NTP on an alternate port in addition to 123, and > use Port Negotiation in NTS-KE to advertise it. There should be no need for > any spec changes or IANA actions to accommodate this behavior; since we > have the negotiation mechanism, there is no need for a registered port and > administrators can pick anything not in use by another service. That won't work with firewalls which have whitelisted UDP ports. This is a common practice in some environments. (Stateful firewalls can't get the number from the encrypted NTS-KE.) I think we should specify an alternative port for NTP, where modes 6 and 7 are not allowed. The port 123 is doomed. It's increasingly difficult to find an ISP that doesn't block the port. Some large network operators seem to limit rate of packets using that port. Two of my public servers recently became unusable for this reason. Nobody cares. Blocking and rate limiting of the port is probably the main reason why the number of public servers is still dropping 5 years after the amplification attacks started. -- Miroslav Lichvar
- Re: [Ntp] NTS Hackathon coordination Miroslav Lichvar
- Re: [Ntp] NTS Hackathon coordination Hal Murray
- Re: [Ntp] NTS Hackathon coordination Martin Langer
- [Ntp] NTS Hackathon coordination Karen O'Donoghue
- Re: [Ntp] NTS Hackathon coordination Dieter Sibold
- Re: [Ntp] NTS Hackathon coordination Hal Murray
- Re: [Ntp] NTS Hackathon coordination Hal Murray
- Re: [Ntp] NTS Hackathon coordination Daniel Franke
- Re: [Ntp] NTS Hackathon coordination Watson Ladd
- Re: [Ntp] NTS Hackathon coordination Miroslav Lichvar
- [Ntp] Antw: Re: NTS Hackathon coordination Ulrich Windl
- Re: [Ntp] NTS Hackathon coordination Sanjeev Gupta
- Re: [Ntp] NTS Hackathon coordination Gary E. Miller
- Re: [Ntp] NTS Hackathon coordination Gary E. Miller
- Re: [Ntp] NTS Hackathon coordination Sanjeev Gupta
- Re: [Ntp] NTS Hackathon coordination Gary E. Miller
- [Ntp] Fw: NTS Hackathon coordination Gary E. Miller
- Re: [Ntp] Fw: NTS Hackathon coordination Miroslav Lichvar
- Re: [Ntp] Fw: NTS Hackathon coordination Gary E. Miller
- Re: [Ntp] NTS Hackathon coordination Martin Langer
- Re: [Ntp] NTS Hackathon coordination Christer Weinigel
- Re: [Ntp] NTS Hackathon coordination Christer Weinigel