Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-port-00.txt

Steven Sommars <stevesommarsntp@gmail.com> Tue, 27 October 2020 20:18 UTC

References: <160251475240.1475.18009830719976625294@ietfa.amsl.com> <CAD4huA5UiS+yAjASKcj9FjWDuSCiVF4rEajZfkyzBSF61-yfvw@mail.gmail.com> <20201026173637.GE580262@localhost>
In-Reply-To: <20201026173637.GE580262@localhost>
From: Steven Sommars <stevesommarsntp@gmail.com>
Date: Tue, 27 Oct 2020 15:18:16 -0500
Message-ID: <CAD4huA6h8Nt5z=HnUQZUq8m6tXkPMe3boZK7gXJEPRnKnPB_9w@mail.gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/P8boaTDLlSu7_tVnObGYx9kM7nw>

> As the problems with blocking and rate-limiting are not specific to
> NTS-protected NTP packets, I think it would be nice to provide a
> workaround for all servers and clients, not just those that are using
> NTS. I don't think we can expect NTS to be instantly adopted everywhere.

Should blocking and rate-limiting considerations be added to the NTP
specifications?  If so, where?
Some hardware-based (e.g., FPGA) NTP implementations can handle 10 Gbps of
traffic, yet lack a rate-limiting mechanism.

> The immediate effect of the alternate port is to bypass the current NTP
> filtering that can break NTS and that is currently causing problems for the
> NTP pool.
I'm concerned that adding NTP (RFC 5905) to ALTPORT may lead to ISP filtering
of those UDP packets as well.

> Do you suggest to reword the abstract to mention only that it makes NTP
> amplification-free?

That's the most it can do, since with the current draft reflection attacks
are still possible.
[Using ALTPORT=NTS-only would prevent reflection attacks.]

> Maybe we could at least say that the number of servers dropped due to
> the attacks, no matter why exactly were the servers removed? The graph
> at this page clearly shows when it started:
>
> https://www.ntppool.org/zone

That's probably the best available reference.  For NTP WG email history,
here are two consequences of excessive drops of the NTP Pool monitoring
system's probe packets:
1) Servers are deemed unreachable/poorly reachable and are temporarily
removed from the NTP Pool.
2) The volunteers offering their hosts as NTP Pool servers receive many
email notifications of poor reachability and eventually drop out of the NTP
Pool.
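As an added example that is not part of this thread or of the draft: a small Python model of the request handling the message discusses on an alternate port. It tells an NTS-protected request (RFC 8915 extension fields) from a plain RFC 5905 request, applies an ALTPORT=NTS-only versus ALTPORT=any policy, puts a per-source token-bucket limiter in front of plain requests (the rate limiting the message notes some hardware servers lack), and reports the response/request size ratio behind the "amplification-free" wording. The NTS extension-field type codes are the real RFC 8915 values; the packet builder, the limiter defaults, the policy labels and the assumption that no legacy MAC trails the extension fields are mine for illustration, and the NTS check is structural only (it does not verify the authenticator, which needs the server's cookie key).

```python
"""Toy model of alternate-port NTP request handling (added example, not from the thread or the draft)."""
import struct

NTP_HEADER_LEN = 48
# NTS extension field types registered by RFC 8915 (real IANA codes).
EF_UNIQUE_ID = 0x0104
EF_NTS_COOKIE = 0x0204
EF_NTS_COOKIE_PLACEHOLDER = 0x0304
EF_NTS_AUTHENTICATOR = 0x0404
# Fields an NTS client request carries (RFC 8915 section 5.7); presence is all we check here.
NTS_REQUIRED = {EF_UNIQUE_ID, EF_NTS_COOKIE, EF_NTS_AUTHENTICATOR}
MODE_CLIENT, MODE_SERVER = 3, 4


def build_packet(mode, efs=()):
    """Construct a sample NTPv4 packet with optional extension fields (constructed test data, not captured traffic).
    Each EF is type(2) + length(2) + value, padded to a multiple of 4 and at least 16 bytes (RFC 7822)."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (4 << 3) | mode          # LI=0, VN=4, mode
    packet = bytes(header)
    for ftype, value in efs:
        total = max(16, 4 + len(value))
        total += (-total) % 4
        packet += struct.pack("!HH", ftype, total) + value.ljust(total - 4, b"\x00")
    return packet


def parse_ntp(packet):
    """Return (version, mode, [extension field types]). Assumption: no legacy MAC follows the EFs."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    version, mode = (packet[0] >> 3) & 0x7, packet[0] & 0x7
    ef_types, off = [], NTP_HEADER_LEN
    while off < len(packet):
        if off + 4 > len(packet):
            raise ValueError("truncated extension field header")
        ftype, flen = struct.unpack_from("!HH", packet, off)
        if flen < 4 or flen % 4 or off + flen > len(packet):
            raise ValueError("malformed extension field length")
        ef_types.append(ftype)
        off += flen
    return version, mode, ef_types


def has_nts_fields(mode, ef_types):
    """Structural NTS check: client mode and the required NTS fields present (authenticator not verified)."""
    return mode == MODE_CLIENT and NTS_REQUIRED <= set(ef_types)


def is_nts_request(packet):
    _, mode, ef_types = parse_ntp(packet)
    return has_nts_fields(mode, ef_types)


class SourceRateLimiter:
    """Per-source token bucket for plain requests; rate and burst are illustrative defaults, not draft values."""
    def __init__(self, rate_per_s=1.0, burst=4):
        self.rate, self.burst, self.buckets = rate_per_s, burst, {}

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[src] = (tokens - 1.0 if ok else tokens, now)
        return ok


def alt_port_policy(packet, src, limiter, nts_only, now):
    """Decide what the alternate-port listener does with one request.
    'drop' means nothing is sent back, so a spoofed source address receives no packet."""
    try:
        _, mode, ef_types = parse_ntp(packet)
    except ValueError:
        return "drop"
    if has_nts_fields(mode, ef_types):
        return "serve-nts"
    if nts_only or mode != MODE_CLIENT:      # NTS-only port, or mode 6/7 control traffic
        return "drop"
    return "serve-plain" if limiter.allow(src, now) else "drop"


def amplification_factor(request, response):
    """Bytes sent back per byte received; 1.0 for a 48-byte mode 3 request answered by a 48-byte mode 4 reply."""
    return len(response) / len(request)


if __name__ == "__main__":
    plain = build_packet(MODE_CLIENT)
    nts = build_packet(MODE_CLIENT, [(EF_UNIQUE_ID, b"\x11" * 32),
                                     (EF_NTS_COOKIE, b"\x22" * 100),
                                     (EF_NTS_AUTHENTICATOR, b"\x33" * 40)])
    lim = SourceRateLimiter()
    for name, pkt in (("plain", plain), ("nts", nts), ("mode7", build_packet(7))):
        print(name, "nts-only:", alt_port_policy(pkt, "198.51.100.7", lim, True, 0.0),
              "any:", alt_port_policy(pkt, "198.51.100.7", lim, False, 0.0))
    print("plain amplification factor:", amplification_factor(plain, build_packet(MODE_SERVER)))
```

The policy function makes the distinction in the message concrete: with `nts_only=True` a plain request is dropped before the limiter is consulted, while with `nts_only=False` plain requests are answered only within the per-source budget, and mode 6/7 queries are never answered on this port.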