Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
Steven Sommars <stevesommarsntp@gmail.com> Sun, 05 December 2021 05:00 UTC
Return-Path: <stevesommarsntp@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DE283A10E6; Sat, 4 Dec 2021 21:00:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGqX53ritn4l; Sat, 4 Dec 2021 21:00:23 -0800 (PST)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53E483A10E5; Sat, 4 Dec 2021 21:00:23 -0800 (PST)
Received: by mail-yb1-xb2e.google.com with SMTP id e136so21550269ybc.4; Sat, 04 Dec 2021 21:00:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HL4T7gu5zyTqV0mWye6kyf1+cSbcGZcWu4rCShV97ao=; b=a46P4iAFBlppZzL4aLJiW5cG31pJebQcjV1gz2Rd/g4BdQIPGBLS/KLecwB49BW0pC WCTmeZkuyRxbrMGDi0hJ6WOJxLNB5UddmjzDYdV/mS7pfhhjLTpXjwbLfC5v6hwNBvNs VwRzEO3AMT13oiNcOs/1AKdjSDgepKRQafjrC4j70xxZe6gosJfPtSZZV0q5WG2Wpiq8 1ZqH4XjEtfhwGzDNhi1v4hOLRhD085BDVW0aJig38hXJM8yKxknWatgdRW+ADu4XhcHO OT+Wrd+vPJIy9pb7PySk36EwPb4SFrNMW1IsUADgc/d8Kc/NcgD77/U3W/wnY1Z96yKD dcBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HL4T7gu5zyTqV0mWye6kyf1+cSbcGZcWu4rCShV97ao=; b=M/IcvSyOT/f/nXk9Lt7rKnpWTfP7ojxJuMMS8Dm2B6AvMx85IqBI8dp4bU07GgU8Ci 4oqBgKIFV2uKK78zq0HcbfepdpKXK4qqo25XRilQqTyTXrl94NSDn5bfWemX/u1rSxMR aNmYdpTVgdlUyfBgZT+DZxgE9B3hhK27VDZqQIG9IqdjRK4b/u52ZLyfmBrHm93Dak32 rNm4dVEU1aLbkYobNyy+560CXXdKv+jJrafdUNS/OBPYv4gxoxUsrWmrwPn4Ijk4WJzZ tqcDoLiCSDHzuNh855zjcvd4kE6HxMs3ENPOJISscjEgne5SYh36dzxrrJ2Al8WVnx/t xuvQ==
X-Gm-Message-State: AOAM5336FUSWdpxIMVHZk1fbWGg7Om7xhNoo6OHX7DpxGAPfamM14JuU G+WPPqsw2uDSdmqtv7RGcAl/XQvscH/yHIfNGm8=
X-Google-Smtp-Source: ABdhPJwBKtuEtyzS997JS8Y5wN7FWAi8uXfrAukM15KJzVGCn0VCxgWCj0RruxPV2uvCZC5p0wPc8aY/mApOeaK7X6E=
X-Received: by 2002:a5b:792:: with SMTP id b18mr33442145ybq.442.1638680421754; Sat, 04 Dec 2021 21:00:21 -0800 (PST)
MIME-Version: 1.0
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com>
In-Reply-To: <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com>
From: Steven Sommars <stevesommarsntp@gmail.com>
Date: Sat, 04 Dec 2021 23:00:10 -0600
Message-ID: <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Hal Murray <halmurray@sonic.net>, Magnus Westerlund <magnus.westerlund@ericsson.com>, NTP WG <ntp@ietf.org>, TSVWG <tsvwg@ietf.org>, iana-port-experts@icann.org, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000706bb305d25f04fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/JC15hb0xw0HyjUX-x5XOnW61atA>
Subject: Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Dec 2021 05:00:29 -0000
NTP got a bad reputation as an amplification attack vector circa 2014. The offending NTP servers have largely been fixed; today few public servers will blindly amplify the Mode 7/monlist command (the major problem source). The organizations doing the filtering aren't receptive to suggestions that they alter/remove their filtering schemes. Those finding the alternate port distasteful could help by reaching out to the organizations doing the filtering and convincing them that changes are needed. I don't like the alternative port idea either, but see no other simple solution. Short of designing yet another time transfer protocol what would you suggest? On Sat, Dec 4, 2021 at 8:08 PM touch@strayalpha.com <touch@strayalpha.com> wrote: > HI, Hal, > > Again, with ports team review hat on: > > Everything that happened below is equivalent to finding a zero-day or > other kind of protocol error in any service. > > The fact that the current ’solution’ is to block that port isn’t new > either. > > We don’t have resources to continually assign ‘fresh’ ports for services > and I see no reason this one warrants an exception. > > There are other solutions here; if your own recommendations caused packets > smaller than 48 to be dropped, then find a way to fragment and reassemble > authenticated packets until you find out that larger ones get through. > > This is a protocol design problem, not a port assignment problem. > > Joe > > — > Joe Touch, temporal epistemologist > www.strayalpha.com > > On Dec 4, 2021, at 3:12 PM, Hal Murray <halmurray@sonic.net> wrote: > > > touch@strayalpha.com said: > > FWIW, I don't see this assignment as appropriate. > > > Without a new port, it will be close to impossible to widely deploy NTP > security. > > > Years ago (2013), NTP was used in a giant DDoS attack. That was due to a > bug/oversight that had been around since the early NTP work. (I've > tracked it > back to 1989.) > https://www.spamhaus.org/news/article/695/answers-about-recent-ddos > https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification > The Wikipedia chart could use another column -- the number of sites > available. > Almost all Linux or *BSD sites were running ntpd. > > The fix was trivial, but there are many essentially unattended sites > running > old versions of ntpd that will never get fixed. > > Many many many sites have quietly installed filters in their routers. Set > and > forget. > > A typical filter drops UDP traffic to port 123 with a length other than > 48. > That lets old unauthenticated NTP through but authenticated packets are > longer > and get dropped. > > To use authentication on the existing port would require removing those > filters. Even if you could track down the right people, they would > probably > drag their feet until most of the sites running old unattended ntpd were > fixed. > > An alternative would be to implement BCP 38. How long has that been in > progress? > > -- > These are my opinions. I hate spam. > > > > > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp >
- [Ntp] Tsvart early review of draft-ietf-ntp-alter… Magnus Westerlund via Datatracker
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Steven Sommars
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] Tsvart early review of draft-ietf-ntp-a… Erik Kline
- [Ntp] Antw: [EXT] Re: [Tsv‑art] Tsvart early revi… Ulrich Windl
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Hal Murray
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Danny Mayer
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… touch@strayalpha.com
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… touch@strayalpha.com
- [Ntp] Antw: Re: [tsvwg] Antw: [EXT] Re: [Tsv‑art]… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Martin Burnicki
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Joe Touch
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Hal Murray
- Re: [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvar… Watson Ladd