IETF Logo Mail Archive

Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02

"C. M. Heard" <heard@pobox.com> Sun, 05 December 2021 01:30 UTC

Return-Path: <heard@pobox.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83F5C3A0D4D; Sat, 4 Dec 2021 17:30:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llCueV_ep5FB; Sat, 4 Dec 2021 17:30:44 -0800 (PST)
Received: from pb-smtp20.pobox.com (pb-smtp20.pobox.com [173.228.157.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2F5C3A0D4F; Sat, 4 Dec 2021 17:30:42 -0800 (PST)
Received: from pb-smtp20.pobox.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 99AB0171F9D; Sat, 4 Dec 2021 20:30:40 -0500 (EST) (envelope-from heard@pobox.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h= mime-version:references:in-reply-to:from:date:message-id:subject :to:cc:content-type; s=sasl; bh=TEMcO/jPTgAY4XPXMw75GnWKWzndu6cq 15x5Zk5XG7w=; b=hXptMy+YE8kiokdRjveQt+Ok0bfWVQM1+EZhyAgyK35pDEaB 3bMKLjGSVJzcdOuwaRZC9YyVLCWjRXFx6vPNs3hlkTEdG3l5Yt/n6RTjIvWq+URj ZzkKiKqlrDFmI0S5m4k6mXHzZ14oapLdeYs9epP74oqIFi70L8BFLUdPvlE=
Received: from pb-smtp20.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 91D91171F9C; Sat, 4 Dec 2021 20:30:40 -0500 (EST) (envelope-from heard@pobox.com)
Received: from mail-pf1-f182.google.com (unknown [209.85.210.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp20.pobox.com (Postfix) with ESMTPSA id E90F5171F96; Sat, 4 Dec 2021 20:30:34 -0500 (EST) (envelope-from heard@pobox.com)
Received: by mail-pf1-f182.google.com with SMTP id b68so6640411pfg.11; Sat, 04 Dec 2021 17:30:34 -0800 (PST)
X-Gm-Message-State: AOAM530mgEfOiJrE+W8lP+OGPMS4BlidbmaUesbLCktYaHQx3yZoHbA5 DADbOgrygaPFpGazd1O2+jaFxC2LK1wxDtrmnN4=
X-Google-Smtp-Source: ABdhPJzKrVS9tD4svs/bafJphl6lfNzxh9RMo+u2bu1rRyOHpF06DLljmExEDinXuHu4CzF3bPadAg3JytCN7XLyLL0=
X-Received: by 2002:a05:6a00:24cd:b0:49f:a4d8:3d43 with SMTP id d13-20020a056a0024cd00b0049fa4d83d43mr28438741pfv.49.1638667833408; Sat, 04 Dec 2021 17:30:33 -0800 (PST)
MIME-Version: 1.0
References: <163852890830.991.35615173535953832@ietfa.amsl.com> <C02367A6-EB70-40C2-8B7F-6FEE8FF25EE4@strayalpha.com> <e606e2e7-5509-a3f6-9f7e-48c1b6b6309d@pdmconsulting.net>
In-Reply-To: <e606e2e7-5509-a3f6-9f7e-48c1b6b6309d@pdmconsulting.net>
From: "C. M. Heard" <heard@pobox.com>
Date: Sat, 04 Dec 2021 17:30:22 -0800
X-Gmail-Original-Message-ID: <CACL_3VH38nf=9buDdQF27mnV1sOjwpqNUNpkswwry=OeoqkdpQ@mail.gmail.com>
Message-ID: <CACL_3VH38nf=9buDdQF27mnV1sOjwpqNUNpkswwry=OeoqkdpQ@mail.gmail.com>
To: Danny Mayer <mayer@pdmconsulting.net>
Cc: Joe Touch <touch@strayalpha.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>, ntp@ietf.org, TSVWG <tsvwg@ietf.org>, Harlan Stenn <stenn@nwtime.org>, iana-port-experts@icann.org, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001d822705d25c1684"
X-Pobox-Relay-ID: F19642D2-556A-11EC-9343-F327CE9DA9D6-06080547!pb-smtp20.pobox.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/FYd35QcCmE9qQ-zwUa8BT6xsw1Y>
Subject: Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Dec 2021 01:30:50 -0000

I read the document, and as a previously uninvolved member of the IETF
community, I am unconvinced that an alternative port for NTP is a good idea.

The purpose for an alternative port is to provide a workaround for
third-party filtering of port 123. That filtering in turn is motivated by
some NTP server installations not following BCP 223 / RFC 8633 with respect
to NTP mode 6 and mode 7 packets. Danny Mayer makes a very convincing case
that it would take much less effort to modify the errant server
installations to follow BCP 223 (which may only require configuration
changes) than to implement the alternative port on both servers and
clients. IMO the only way that the latter could be justified would be if
the filtering of port 123 is pervasive with little hope of correction once
errant servers are fixed. The draft in its present form does not make that
case.

Mike Heard

On Sat, Dec 4, 2021 at 12:05 PM Danny Mayer <mayer@pdmconsulting.net> wrote:

> I agree with you. I have already objected to this draft being accepted
> because of this and a few other reasons.
>
> The underlying issue that prompted this was that servers were allowing NTP
> mode 6 and 7 packets to be responded to, leading to amplification DDOS
> attacks. To implement this draft requires that code needs to be added to
> the NTP servers to support this and then get admins to use it. Instead of
> which they could just turn off accepting mode 6 and 7 packets. Disabling
> this is simple. In the NTP reference implementation this already exists as
> the noquery option in the configuration file. I cannot say what other
> implementations support but they can certainly change their code to do so.
> Since this can be done directly the draft is not needed.
>
> Danny
> On 12/3/21 12:54 PM, touch@strayalpha.com wrote:
>
> FWIW, I don’t see this assignment as appropriate.
>
> Speaking as a ports review team member, it opens the floodgates to “one
> more port for a more secure/safe version of X”, for all X.
>
> I see no reason why NTP should be an exception; EVERY service benefits
> from being more secure and safe. If you want a safe NTP port, run safe NTP
> on that port. That goes for all services.
>
> Note that if a port is assigned by the IESG, IMO it should not be a system
> port, for the reasons stated in RFC7605, ESPECIALLY if this is about safety
> and security.
>
> Joe
> —
> Joe Touch, temporal epistemologist
> www.strayalpha.com
>
> On Dec 3, 2021, at 2:55 AM, Magnus Westerlund via Datatracker <
> noreply@ietf.org> wrote:
>
> Reviewer: Magnus Westerlund
> Review result: Ready with Issues
>
> As TSVART reviewer I have included two additional mailing lists for this
> review
> response, sorry for the cross posting but I think it is relevant to get
> more
> opinions on this. The port experts, although they are not responsible for
> system port assignments per RFC 6335. TSVWG is included as it is the WG
> that
> have been responsible for developing the documents in BCP 165 and these
> rules.
>
> The main question here is if this particular case warrants an exception in
> regards to the principals documented by RFC 6335 and RFC 7605 (Together BCP
> 165)?
>
> So this document wants an alternative port that is to be used with a
> subset of
> NTPv4 that is deemed to be more operational safe and which has an packet
> response amplification factor below 1, i.e. for each request, one and only
> one
> response is generated and that packet is not larger than the request. For
> more
> details see (it is a very short document):
> https://datatracker.ietf.org/doc/draft-ietf-ntp-alternative-port/
>
> So in regards to the basic principals this should be rejected as it is
> simply
> an alternative. However, I think this one might be a case where the
> exception
> is motivated. The service here is not identical and it has improved
> security
> properties, especially in regards to how network intermediaries may
> interpret
> the traffic. Where one might want to filter and/or block port 123 due to
> its
> potential for DDoS with a reduced risk the alternative port would imply I
> think
> this gets into the case which Section 7.1 of RFC 7605 discusses:
>
>   o  Separate assigned port numbers are not intended for insecure
>      versions of existing (or new) secure services.  A service that
>      already requires security would be made more vulnerable by having
>      the same capability accessible without security.
>
>      Note that the converse is different, i.e., it can be useful to
>      create a new, secure service that replicates an existing insecure
>      service on a new port number assignment.  This can be necessary
>      when the existing service is not backward-compatible with security
>      enhancements, such as the use of TLS [RFC5246] or DTLS [RFC6347].
>
> The important difference here is that although this is not an endpoint
> incompatibility issue, it is an interpretation difference by the network
> itself.
>
> So personally I would argue for this exception to the basic principles.
> However, this is in the end going to be an IETF consensus decision if we
> allow
> it or not. Thus, I think discussing any views now, and allow a bit more
> time
> for discussion and also addressing any issue prior to IETF last call would
> be
> good.
>
> I also would like to ask the NTP experts if they really need a system port?
>
> From my perspective an NTP server should not need to run with increased
>
> privileges on the host. The main purpose of NTP is after all to server the
> requester an answer based on its access to a clock that is believed to
> provide
> accurate time. So, could you please improve the motivation why "ntp-alt"
> actually needs a system port. Even if NTP as a service when originally was
> given port 123 a system ports it might have been considered a system
> services I
> do wonder if that assessment still stands. I would note that this
> motivation is
> required for any application for assigning a systems port.
>
> Cheers
>
> Magnus Westerlund
>
>
> _______________________________________________
> Tsv-art mailing list
> Tsv-art@ietf.org
> https://www.ietf.org/mailman/listinfo/tsv-art
>
>
>
> _______________________________________________
> ntp mailing listntp@ietf.orghttps://www.ietf.org/mailman/listinfo/ntp
>
>

v2.23.0 | Report a Bug | By Email