Re: [Ntp] Antw: Re: Antw: [EXT] Re: WGLC on draft‑ietf‑alternative‑port‑01

Doug Arnold <doug.arnold@meinberg-usa.com> Thu, 05 August 2021 14:26 UTC

Return-Path: <doug.arnold@meinberg-usa.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA223A1413 for <ntp@ietfa.amsl.com>; Thu, 5 Aug 2021 07:26:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meinberg-usa.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fkn0iMAoEZXh for <ntp@ietfa.amsl.com>; Thu, 5 Aug 2021 07:26:41 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2041.outbound.protection.outlook.com [40.107.22.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AD943A1415 for <ntp@ietf.org>; Thu, 5 Aug 2021 07:26:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RQ3vyPimwUfxyQ4Khyf+/ZMSL6YEpYst10V7IXlefNyPCgywRKDPNWGHU2ELrxN+WMjQvPsnLlKk/JdwA5SPBLskzwySeP5wFbStWspBxfYmiDbS1fXacApNHnGmZCWXb3bq/EK6IVvUm/wQvVBzyk1gseyzH9Gb6hpQ0YdRIam/Itm9grIuxzb2MpHyS8HMLfWQCJ4hLyIaCxp7kKmO13d6Hev0y+i5BwvK6xcS8PyB2f1Fjnse9HpqsdI6DTon/lwI/XZ6mEx2WiesZMSfFogUM3oq77i6OXAGFovdK2kJQa0u5c1QRDg69ueuW1UI3pIOngMWanExAfqnyk8AuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9K4wRJrkMzSK1O8gwVPW65mpdTo/jGIn0Tn0+umLgeo=; b=P+yEH01l6E+JEshxLeEU2qW2WcNncD9L3OsGLKdrEgdMVKwho6GWjeae1ShEvXdi3pkfuz0zMwAiN0hCDLqwv3pvJWrOMKYxHlTi+Dtuphvw3Di+2C45Q0DGez8oyC3coWWGFrBFl7s4KiMmNTivUcx5zFzWL7GbbXPPAyCrpaGZNJ7d+DmJq52zEE6DU90TIbzFuYlfc5jzyCBVJhh+wy4LtOVPs8VAHR917R3BT2bv5S0sVfRWzHLW2sFG7t9bs4ZI+c8YWcAvOoydPx/rNC74wY3HdaR0J009l5ylhBkNXXNa68rUEDZLWcvyFvWdbmrjG82wWTUhJbmf11J1Kw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meinberg-usa.com; dmarc=pass action=none header.from=meinberg-usa.com; dkim=pass header.d=meinberg-usa.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meinberg-usa.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9K4wRJrkMzSK1O8gwVPW65mpdTo/jGIn0Tn0+umLgeo=; b=M/FpvVCLnBp8LilRCNyKKn/DhZZD2vJWM2DOQ9hVsZUPLir1DfvGs3y1IsQbcWQWVGUevFWknye7Zj1ajNlgr7pMzjH6ETy0qf4E4tIuAQk2fRCJ4ESHsmm+xB8r2DGfP1AnunI0P7kEJBcre2lcUyZRYSkq20HTognvrscUj/g0ZEwUYit+5cYA9UbD10JBQZPyy0FtYhUFVrs5CDXOS/auV0HglzZLQ/0l+K6JJFO+di7hlXEQOUZUx8TAITr4fe5ijYQjORkcXIHSpZDlO2v/idBjZTjgqpOFAwfEmh5eeXaeKVyJNB8US/vz56C3sT2AMokd+lQy66w22WM3zA==
Received: from AM7PR02MB5765.eurprd02.prod.outlook.com (2603:10a6:20b:102::15) by AM6PR02MB4630.eurprd02.prod.outlook.com (2603:10a6:20b:64::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.26; Thu, 5 Aug 2021 14:26:35 +0000
Received: from AM7PR02MB5765.eurprd02.prod.outlook.com ([fe80::a8da:813a:9ad2:f3c5]) by AM7PR02MB5765.eurprd02.prod.outlook.com ([fe80::a8da:813a:9ad2:f3c5%2]) with mapi id 15.20.4394.017; Thu, 5 Aug 2021 14:26:35 +0000
From: Doug Arnold <doug.arnold@meinberg-usa.com>
To: Miroslav Lichvar <mlichvar@redhat.com>, Harlan Stenn <stenn@nwtime.org>
CC: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, "ntp@ietf.org" <ntp@ietf.org>, "halmurray+ietf@sonic.net" <halmurray+ietf@sonic.net>
Thread-Topic: [Ntp] Antw: Re: Antw: [EXT] Re: WGLC on draft‑ietf‑alternative‑port‑01
Thread-Index: AQHXiQTjpPxFsfWS0UyenqgjMNL5katkeyQAgAB9Yx4=
Date: Thu, 05 Aug 2021 14:26:35 +0000
Message-ID: <AM7PR02MB5765DF53FC8FB21D59DE4A49CFF29@AM7PR02MB5765.eurprd02.prod.outlook.com>
References: <9C21DF1F020000EB6A6A8CFC@gwsmtp.uni-regensburg.de> <D9104F8D020000FEAB59E961@gwsmtp.uni-regensburg.de> <610253DA020000A100042C8B@gwsmtp.uni-regensburg.de> <61025C79020000A100042C9B@gwsmtp.uni-regensburg.de> <2FCD5C39020000B9AB59E961@gwsmtp.uni-regensburg.de> <1E89B79A020000F55AEBDC6A@gwsmtp.uni-regensburg.de> <32C7A15902000060FDA5B133@gwsmtp.uni-regensburg.de> <61078A68020000A100042DD7@gwsmtp.uni-regensburg.de> <YQegwC/8qioEWJ/P@localhost> <c8e4130c-cd44-e426-4346-31ffb879e289@nwtime.org>, <YQuK5gqaxay/xR93@localhost>
In-Reply-To: <YQuK5gqaxay/xR93@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: redhat.com; dkim=none (message not signed) header.d=none;redhat.com; dmarc=none action=none header.from=meinberg-usa.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2040f399-3f31-43a7-f2a2-08d9581d077c
x-ms-traffictypediagnostic: AM6PR02MB4630:
x-microsoft-antispam-prvs: <AM6PR02MB4630614115CF7BF80445637FCFF29@AM6PR02MB4630.eurprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: fX+zn2CwNPjQW/znoPTL6BVfEL3f8H97o7whEnYC5py6AWpACEfQocFSVXqVrVZM3uCb8Kg8+JzS+707Vf/ldTpo9c6czegebtEH+9HPsUzodu10rrYWwqM3FN63DlS8ib2SHezPsZ99TGyzH7mpFTlsUV1qqxBfyw4tC0CwhNF1srO09+ntUc9OXEi2ktu6tYuE61vu5G7xBu7xSW5E73RXja5VyunJuGP+ueR1z258eYyiSev3IXZGlfn/KrKRSqQkjnUn66zGU82aiuRz0RaD4Yn6U/TtfO4b1XCUg2wtyu/W/g2z9adavmrt+i1IX+jn4xoS2GkRb32+kucsEKLsKCIJAkSnbGmwCc9g9VUK9LoLacTjsxhyAIstQ6hvonWphX4yvxO9G8XlZfO60faG3ULKQEy+lvx7IZqA5U/KKU9iyLs5ddm+AHIrch0MShqgfXfd+/Wai9QdLJu8kJHB8rSUK0MRjSVD92xxbknFbAF3ogMAdaBpPhB+evTPwnzD2wV3nIkV0gQymYuUEIAkho2wyXN8SbQfhv+q61bUYzbtIbCdfQ59glGWbArKW+NrpMpIPI2VK+t+LfLJ+6gvWM57uoAFHRDYo3Uo9HitNvx0pmODbdFA6sTVpaaN+Wi4F0YHLPNZ6TK2146eQ65ZsI/Uvj3OPMqxYdwKyO9xPmQP3Yv//hAgYfP6fc5IWrOGHnUDniwmMDmcKqCGe9HyhZ1SsYCBHqS7HDeQkLcKRVxmrgZ+fBh2s29OmT3lOq3ls/ZEFOx0Rz8gYmIchkPipcft6A5JsdKvr4Gmvds=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR02MB5765.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(366004)(136003)(346002)(396003)(39830400003)(76116006)(66446008)(2906002)(5660300002)(54906003)(64756008)(44832011)(66556008)(110136005)(86362001)(66476007)(122000001)(91956017)(83380400001)(508600001)(966005)(26005)(53546011)(52536014)(38100700002)(66946007)(7696005)(9686003)(186003)(8936002)(166002)(71200400001)(6506007)(4326008)(33656002)(316002)(55016002)(38070700005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 5MnE8rCZXdplLv9YqH7H9S571Q9ITvfeQ7yMCUWyeR29YHyu6MTtZCzlBdi4eLcao3zYD93rjhIMxvUcTBaTnPAb6jcrsz9i1vZoSwLg4f+uzfm6k3Tiw6Xh1ptLSNA0G9HPifodm0xTu21zKhIHvoKNX7sZtQfly9ekbsrc77OOoCxZl2NWkXFDx+ibNfMT7Hd5fqDOCtoJ3m5Sw4BScRmtArdckBtg5FZtyCeJXtkszDUsPHNEeTEuRfHZGoAc5Cd15nPQh3hwNzVoc2Qf9U+4Pehm6MnDKyC4QuZUolyj+TqE98ehmqCo5nK/NmL8Ag/RtbI7LxtwAk4xiIPZ8wDJNnze5PPAJoJlQnzv8FgnLg4XepPB669sCmkyWBRxJtdF+wkUnMkNUi9ygL93E+Y3CtgW/VjMKws+3CVQKE5oinXkwo6FmWeNDLL3C3zE39jvNiBYafQ939ss0UvusIthhLV2mtBJCqPBPAv9VkIpAsHzNiTYL2bvJymiIK02OlyjZZM7lRBEWlqFoZPB9CJ8lLpJOhxRjR4OOudMLyxA//hQGc8IYSaLbPIGvVeOcWx3i8t7ylal1ZSNwsrhL6RuLkalaP9PCaTlodhNlYEMbrjGjebq/9DFY8ICU1CwaIwiKue1EwvMvk/TgxVM3fNjSOjJiJ0gWbme3rXnwEqBMWtjmYpNfy5edOoUQyuOKG7j4Dqhc3qiU63b4IettOa9k4T14POzjwjbGIAjWNmuFf2jI4rP/UVgqjsWPpYIdWuGFkp+abhrD1Gkp6eIQtww1/HSJvcVHBjplyVVmJM6KrLk4EiEfmSNsex8nTijvmSX5LSANtpbfiwmaLUewQD39zXkqpAXWWd+t9MKPhxPepCv8zNkmgLOVYOmA78GWQrMAibwob2Za/WicHjLcqNWi5tZV2nMxWDSsPMTzXQLbfBUaQtjTdnH8HNWDab7I83PaJ6IG4VtZxmR6uQOFN5wFJbOCMsIq8QFXLnf/bGgbUczPAstSAE5V79qZpDcKuENNtHXmX4tQbHjXyptEM/hhabf8777k/O0gr8UHMf0Zbnk1Y9kbjw797WBLgko/PiXEN1GqnQB+uHvimvjn3JX0i7KbL5+gfNqXl3C2PT8Fdx2q7A7hhQX5CUkJMXv4Avv7nNBDEQ0bNrG1QGpxTRBl5JPqLBnEj0E0NaCJAs9butGI+6i+CY2OFm2zXVSCV1LyTVFR6bsaVnzs903D8cZUqL5vRwNtNZLpq+tuhaGNQQ5o+SNJUnBpgNVuFhiPOBrIzc6TqyHcYhScG+vkVz7fyue5ZSK2KfB5WILqQHJCGM7w3PQ0n7DL4ijDcxQ
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM7PR02MB5765DF53FC8FB21D59DE4A49CFF29AM7PR02MB5765eurp_"
MIME-Version: 1.0
X-OriginatorOrg: meinberg-usa.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR02MB5765.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2040f399-3f31-43a7-f2a2-08d9581d077c
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Aug 2021 14:26:35.1326 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d59904cd-769f-4368-8bd0-f5f435893a38
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Tc4tHOJZPlwtBNJKJxLv5Ef14sTqWVVmpmTnsY10Ch0T4sEd4cpTPFdh6Mv8dbk66Pvdf+BbemfrvpOL+1H1SM78tvYAkKC102Ya3Rg++EU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR02MB4630
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/PLEQe2o9zGVYyVBO3JhpN-2Fams>
Subject: Re: [Ntp] Antw: Re: Antw: [EXT] Re: WGLC on draft‑ietf‑alternative‑port‑01
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2021 14:26:47 -0000

Miroslav is correct.  Once network appliances are deployed in the field, then some instances that still behave this way with respect to port 123 will be around for many years to come.

Doug

From: ntp <ntp-bounces@ietf.org> on behalf of Miroslav Lichvar <mlichvar@redhat.com>
Date: Thursday, August 5, 2021 at 2:53 AM
To: Harlan Stenn <stenn@nwtime.org>
Cc: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, ntp@ietf.org <ntp@ietf.org>, halmurray+ietf@sonic.net <halmurray+ietf@sonic.net>
Subject: Re: [Ntp] Antw: Re: Antw: [EXT] Re: WGLC on draft‑ietf‑alternative‑port‑01
On Wed, Aug 04, 2021 at 12:46:21AM -0700, Harlan Stenn wrote:
> On 8/2/2021 12:37 AM, Miroslav Lichvar wrote:
> > On Mon, Aug 02, 2021 at 08:02:16AM +0200, Ulrich Windl wrote:
> >> I just wonder: Wouldn't rate limiting (or bandwidth limiting) be the correct
> >> way to do?
> >
> > I think that's what they currently do. It effectively causes a DoS on
> > NTP.
>
> I don't understand exactly what you mean here by "causes a DoS on NTP."
>  Clarify, please?

Rate limiting of NTP packets can cause a denial of the NTP service for
legitimate clients. They don't get a response to their requests and
cannot synchronize their clock. It doesn't matter if the rate limiting
is happening on the server or some middlebox in the network.

> > See the discussions at community.ntppool.org. Large numbers of
> > servers are randomly rejected from the pool due to heavy packet loss
> > specific to port 123 on the path to the monitoring system.
>
> If the target system is receiving too many packets and is dropping them
> already the monitoring system needs to know this, and rank the target
> accordingly.

It's not the server dropping packets. It's major ISPs specifically
rate limiting packets on the UDP port 123. If you run mtr in the UDP
mode on that port, you will see a huge packet loss on the boundary of
their network. If you change the port number, the loss immediately
disappears. It's not a congested network or overloaded server.

We can speculate if this would have happened if ntpd promptly fixed
the mode 6 to not amplify traffic, or at least changed the defaults to
not allow remote access. We probably won't ever know. The damage is
done. The port is no longer usable on the global scale. We need to
move to a different port and restrict it to the non-amplifying subset
of the protocol, so this doesn't happen again. That's what this draft
is trying to do.

--
Miroslav Lichvar

_______________________________________________
ntp mailing list
ntp@ietf.org
https://www.ietf.org/mailman/listinfo/ntp