Re: [Ntp] [EXT] Re: NTPv5 KISS code support
Ira McDonald <blueroofmusic@gmail.com> Fri, 03 November 2023 13:06 UTC
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76D39C187728 for <ntp@ietfa.amsl.com>; Fri, 3 Nov 2023 06:06:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p0xsJzuPU882 for <ntp@ietfa.amsl.com>; Fri, 3 Nov 2023 06:06:02 -0700 (PDT)
Received: from mail-oi1-x236.google.com (mail-oi1-x236.google.com [IPv6:2607:f8b0:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1F5BC1705F7 for <ntp@ietf.org>; Fri, 3 Nov 2023 06:06:02 -0700 (PDT)
Received: by mail-oi1-x236.google.com with SMTP id 5614622812f47-3b565722c0eso1198887b6e.2 for <ntp@ietf.org>; Fri, 03 Nov 2023 06:06:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699016762; x=1699621562; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qazvSc+3f4E4Nq0XJwCVrV5iFoA7pJPtiJ2g4UN0nb8=; b=W9R1onWiohWndAKe8gja1DGabRrWnee4wzCxumnI8W5EljllMrbASU/G35RlWzdOe5 P3q9Oe5yLU5RR/w072groNEb7yqe5Fk1AEnl3U+kcIZfzhCuulWumipeoikjHbGm70YV 6IFnKzH0/I9AbuiD+EmTSggNjFI2/CLwAh2NvBhRgaYcysNsh/xso/x4btXb0SpS6st5 Oqpy7ZtDs4K9R5MSTlyFDo19uT5BB3+i/L4B1V61G+EGiKEM1N0M7L3xKPhyQ8bRtReJ v3d3BSMctN5YA2wQM2W6ty6jByirqAF3N5I/yAhes7AAu+fpFsvnuKZfl5hLIvaYozxv WXDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699016762; x=1699621562; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qazvSc+3f4E4Nq0XJwCVrV5iFoA7pJPtiJ2g4UN0nb8=; b=qcasetZh6TP+R4P2TzIW2m/QqO0j1nVqpr+/WeUvXJ87zlIyMfBtthABz2/9Q9sGbz PE5SQ3kNebc87OcBl96k88YzdnT7w3F7IghA4zuLs9kvnQdN65DWHEJW6VyxsyoiJjEE 55rrtd627lhCZ29pjnjfv9wgoNzhKXMn/30fFbbfva9TP/sPdyun+OQclyjCF+DGXwhO tgXmOqHFqG0mwTfn32g1MDhffyheywtoieTuS9rBHbkSwbRSIKTZCHJAj+iTp966kUXb KSZ1aaEKNZUfj62HGwVn1DsX4/iqBSlqfbqxGh14gNtVv03VCqqJj2NlXxCXOsoD87lU RWzw==
X-Gm-Message-State: AOJu0YzErCHNXtb9Ewvm3k4UdAgXZuPmznuKozEDRTr6ah+hL7H2L+X9 szYDycGck614nN67rHUL1ENxPzcUGsWPF4MlSrM=
X-Google-Smtp-Source: AGHT+IGlixh9axIxYsmwjXLT6G1TOA1zxMhjxp1xSxCTl59u9VslmpN2RyboqS8L/TQAZtGdDMYnL7gKBKpEUT0fiA8=
X-Received: by 2002:a05:6358:52c8:b0:169:a814:5ce6 with SMTP id z8-20020a05635852c800b00169a8145ce6mr8762214rwz.14.1699016761673; Fri, 03 Nov 2023 06:06:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAPz_-SWRUTB2wQeLg5wS_c34D-7R-Ngcek13rzknyiGf9iG-tA@mail.gmail.com> <ZUNnqmnEVDx1538O@localhost> <960aba9f833b4461863ea165df632ea5@ukr.de> <CAJm83bDHvj9MVvNhnTS0riUqTWCz-y5gCes0v3K0ViXrZ4t9ow@mail.gmail.com>
In-Reply-To: <CAJm83bDHvj9MVvNhnTS0riUqTWCz-y5gCes0v3K0ViXrZ4t9ow@mail.gmail.com>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Fri, 03 Nov 2023 09:05:49 -0400
Message-ID: <CAN40gStPb66+4OShBcRjiFfUViitQxs=7N0sdGDJW8T4WhctnA@mail.gmail.com>
To: Daniel Franke <dfoxfranke@gmail.com>, Ira McDonald <blueroofmusic@gmail.com>
Cc: "Windl, Ulrich" <u.windl@ukr.de>, Miroslav Lichvar <mlichvar@redhat.com>, David Venhoek <david@venhoek.nl>, NTP WG <ntp@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008c091d06093f2af6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/GxvegxTX3A_zlc3MNNwfPCIPAy4>
Subject: Re: [Ntp] [EXT] Re: NTPv5 KISS code support
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 13:06:03 -0000
Hi, +1 to Daniel's comments. Stateful, Client-by-Client rate limiting is a black hole of potential software faults. Let the Server tell the same thing to every Client. Cheers, - Ira *Ira McDonald (Musician / Software Architect)* *Chair - SAE Trust Anchors and Authentication TF* *Co-Chair - TCG Trusted Mobility Solutions WG* *Co-Chair - TCG Metadata Access Protocol SG* *Chair - Linux Foundation Open Printing WGSecretary - IEEE-ISTO Printer Working GroupCo-Chair - IEEE-ISTO PWG Internet Printing Protocol WGIETF Designated Expert - IPP & Printer MIBBlue Roof Music / High North Inchttp://sites.google.com/site/blueroofmusic <http://sites.google.com/site/blueroofmusic>http://sites.google.com/site/highnorthinc <http://sites.google.com/site/highnorthinc>mailto: blueroofmusic@gmail.com <blueroofmusic@gmail.com>(permanent) PO Box 221 Grand Marais, MI 49839 906-494-2434* On Fri, Nov 3, 2023 at 8:23 AM Daniel Franke <dfoxfranke@gmail.com> wrote: > I agree with Miroslav: KISS codes as they exist today are broken to > the point of uselessness as a rate-limiting tool. In my early NTPv5 > sketch, I replaced them with a couple of fields in the base packet > which allow the server to inform clients of limits on how often it > wants to be polled, with one field for maximum sustained rate and > another for maximum burst rate. Compliance is still voluntary, but it > avoids any need for state-keeping on the server side because it just > sends the same information to everyone. > > On Fri, Nov 3, 2023 at 2:47 AM Windl, Ulrich <u.windl@ukr.de> wrote: > > > > Hi! > > > > So you are saying the KoD (Kiss of Death) as it is specified now is > broken by design? > > I see two possibilities: > > 1) Drop the concept for NTPv5 > > 2) Improve the concept for NTPv5 > > Basically I think KoD is a good idea to inform the client about an issue > the server sees, be it technical or political (policy). > > > > Kind Regards, > > Ulrich Windl > > > > -----Original Message----- > > From: ntp <ntp-bounces@ietf.org> On Behalf Of Miroslav Lichvar > > Sent: Thursday, November 2, 2023 10:11 AM > > To: David Venhoek <david@venhoek.nl> > > Cc: NTP WG <ntp@ietf.org> > > Subject: [EXT] Re: [Ntp] NTPv5 KISS code support > > > > On Wed, Nov 01, 2023 at 03:37:44PM +0100, David Venhoek wrote: > > > Hi All, > > > > > > I have made a pull request with suggested wording for including kiss > > > code support in ntpv5. The PR can be found > > > athttps://github.com/mlichvar/draft-ntp-ntpv5/pull/9, the suggested > > > patch is also included below for completeness. Please do share any > > > feedback regarding the chosen design, this looked good to me but there > > > may be better approaches. > > > > This looks similar to the description of DENY, RSTR, RATE codes in RFC > > 5905. > > > > One problem is that it's a security issue, a denial of service for the > > client. A single spoofed response shouldn't be able to completely break > > synchronization with a server. There needs to be some maximum poll > > value specificied for RATE and some interval specified for RSTR and > > DENY. With that, I would ask how is it better than what we already > > have with the suggested poll interval returned in a normal server > > response. > > > > The other issue is the most buggy clients that would need this > > handling are least likely to implement it, at least that's what > > we have seen with (S)NTPv4 implementations. With the most severe bugs > > that lead to flooding of servers (e.g. in systemd-timesyncd and > > Fortigate firewalls for example), handling of these codes wouldn't > > make a difference anyway. By the time the client receives a response > > from the server, it has already sent another request, so it couldn't > > accept it as valid even if it had this functionality implemented. > > > > -- > > Miroslav Lichvar > > > > _______________________________________________ > > ntp mailing list > > ntp@ietf.org > > https://www.ietf.org/mailman/listinfo/ntp > > > > _______________________________________________ > > ntp mailing list > > ntp@ietf.org > > https://www.ietf.org/mailman/listinfo/ntp > > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp >
- [Ntp] NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] KISS => NAT => Rate limiting Windl, Ulrich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Ira McDonald
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- [Ntp] KISS => NAT => Rate limiting Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- [Ntp] Rate limiting/reflection prevention (Was: N… David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Salz, Rich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Forrest Christian (List Account)