IETF Logo Mail Archive

Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02

Steven Sommars <stevesommarsntp@gmail.com> Sun, 05 December 2021 05:00 UTC

Return-Path: <stevesommarsntp@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DE283A10E6; Sat, 4 Dec 2021 21:00:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGqX53ritn4l; Sat, 4 Dec 2021 21:00:23 -0800 (PST)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53E483A10E5; Sat, 4 Dec 2021 21:00:23 -0800 (PST)
Received: by mail-yb1-xb2e.google.com with SMTP id e136so21550269ybc.4; Sat, 04 Dec 2021 21:00:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HL4T7gu5zyTqV0mWye6kyf1+cSbcGZcWu4rCShV97ao=; b=a46P4iAFBlppZzL4aLJiW5cG31pJebQcjV1gz2Rd/g4BdQIPGBLS/KLecwB49BW0pC WCTmeZkuyRxbrMGDi0hJ6WOJxLNB5UddmjzDYdV/mS7pfhhjLTpXjwbLfC5v6hwNBvNs VwRzEO3AMT13oiNcOs/1AKdjSDgepKRQafjrC4j70xxZe6gosJfPtSZZV0q5WG2Wpiq8 1ZqH4XjEtfhwGzDNhi1v4hOLRhD085BDVW0aJig38hXJM8yKxknWatgdRW+ADu4XhcHO OT+Wrd+vPJIy9pb7PySk36EwPb4SFrNMW1IsUADgc/d8Kc/NcgD77/U3W/wnY1Z96yKD dcBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HL4T7gu5zyTqV0mWye6kyf1+cSbcGZcWu4rCShV97ao=; b=M/IcvSyOT/f/nXk9Lt7rKnpWTfP7ojxJuMMS8Dm2B6AvMx85IqBI8dp4bU07GgU8Ci 4oqBgKIFV2uKK78zq0HcbfepdpKXK4qqo25XRilQqTyTXrl94NSDn5bfWemX/u1rSxMR aNmYdpTVgdlUyfBgZT+DZxgE9B3hhK27VDZqQIG9IqdjRK4b/u52ZLyfmBrHm93Dak32 rNm4dVEU1aLbkYobNyy+560CXXdKv+jJrafdUNS/OBPYv4gxoxUsrWmrwPn4Ijk4WJzZ tqcDoLiCSDHzuNh855zjcvd4kE6HxMs3ENPOJISscjEgne5SYh36dzxrrJ2Al8WVnx/t xuvQ==
X-Gm-Message-State: AOAM5336FUSWdpxIMVHZk1fbWGg7Om7xhNoo6OHX7DpxGAPfamM14JuU G+WPPqsw2uDSdmqtv7RGcAl/XQvscH/yHIfNGm8=
X-Google-Smtp-Source: ABdhPJwBKtuEtyzS997JS8Y5wN7FWAi8uXfrAukM15KJzVGCn0VCxgWCj0RruxPV2uvCZC5p0wPc8aY/mApOeaK7X6E=
X-Received: by 2002:a5b:792:: with SMTP id b18mr33442145ybq.442.1638680421754; Sat, 04 Dec 2021 21:00:21 -0800 (PST)
MIME-Version: 1.0
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com>
In-Reply-To: <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com>
From: Steven Sommars <stevesommarsntp@gmail.com>
Date: Sat, 04 Dec 2021 23:00:10 -0600
Message-ID: <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Hal Murray <halmurray@sonic.net>, Magnus Westerlund <magnus.westerlund@ericsson.com>, NTP WG <ntp@ietf.org>, TSVWG <tsvwg@ietf.org>, iana-port-experts@icann.org, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000706bb305d25f04fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/JC15hb0xw0HyjUX-x5XOnW61atA>
Subject: Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Dec 2021 05:00:29 -0000

NTP got a bad reputation as an amplification attack vector circa 2014.  The
offending NTP servers have largely been fixed; today few public servers
will blindly amplify the Mode 7/monlist command (the major problem
source).  The organizations doing the filtering aren't receptive to
suggestions that they alter/remove their filtering schemes.

Those finding the alternate port distasteful could help by reaching out to
the organizations doing the filtering and convincing them that changes are
needed.

I don't like the alternative port idea either, but see no other simple
solution.  Short of designing yet another time transfer protocol what would
you suggest?










On Sat, Dec 4, 2021 at 8:08 PM touch@strayalpha.com <touch@strayalpha.com>
wrote:

> HI, Hal,
>
> Again, with ports team review hat on:
>
> Everything that happened below is equivalent to finding a zero-day or
> other kind of protocol error in any service.
>
> The fact that the current ’solution’ is to block that port isn’t new
> either.
>
> We don’t have resources to continually assign ‘fresh’ ports for services
> and I see no reason this one warrants an exception.
>
> There are other solutions here; if your own recommendations caused packets
> smaller than 48 to be dropped, then find a way to fragment and reassemble
> authenticated packets until you find out that larger ones get through.
>
> This is a protocol design problem, not a port assignment problem.
>
> Joe
>
> —
> Joe Touch, temporal epistemologist
> www.strayalpha.com
>
> On Dec 4, 2021, at 3:12 PM, Hal Murray <halmurray@sonic.net> wrote:
>
>
> touch@strayalpha.com said:
>
> FWIW, I don't see this assignment as appropriate.
>
>
> Without a new port, it will be close to impossible to widely deploy NTP
> security.
>
>
> Years ago (2013), NTP was used in a giant DDoS attack.  That was due to a
> bug/oversight that had been around since the early NTP work.  (I've
> tracked it
> back to 1989.)
>  https://www.spamhaus.org/news/article/695/answers-about-recent-ddos
>  https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification
> The Wikipedia chart could use another column -- the number of sites
> available.
> Almost all Linux or *BSD sites were running ntpd.
>
> The fix was trivial, but there are many essentially unattended sites
> running
> old versions of ntpd that will never get fixed.
>
> Many many many sites have quietly installed filters in their routers.  Set
> and
> forget.
>
> A typical filter drops UDP traffic to port 123 with a length other than
> 48.
> That lets old unauthenticated NTP through but authenticated packets are
> longer
> and get dropped.
>
> To use authentication on the existing port would require removing those
> filters.  Even if you could track down the right people, they would
> probably
> drag their feet until most of the sites running old unattended ntpd were
> fixed.
>
> An alternative would be to implement BCP 38.  How long has that been in
> progress?
>
> --
> These are my opinions.  I hate spam.
>
>
>
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
>

v2.23.0 | Report a Bug | By Email