Re: [Ntp] Antw: [EXT] NTP WG virtual interim -- Thursday, 17 September 2020, 1530 - 1700 UTC

Watson Ladd <watsonbladd@gmail.com> Thu, 17 September 2020 23:43 UTC

References: <3FBC06BC-A42A-42BA-B2E4-15C4B19FF829@isoc.org> <5F4C9C96020000A10003AFFA@gwsmtp.uni-regensburg.de>
In-Reply-To: <5F4C9C96020000A10003AFFA@gwsmtp.uni-regensburg.de>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 17 Sep 2020 19:42:46 -0400
Message-ID: <CACsn0cnS-b-vJs8CYxFqTUTcE2JSVHL+zn6KCYsKtQpOoqQrgA@mail.gmail.com>
To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Cc: "ntp@ietf.org" <ntp@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/RTWbQZjsNaSBa82GBCb4e4K6O_I>
Subject: Re: [Ntp] Antw: [EXT] NTP WG virtual interim -- Thursday, 17 September 2020, 1530 - 1700 UTC

On Mon, Aug 31, 2020 at 2:46 AM Ulrich Windl
<Ulrich.Windl@rz.uni-regensburg.de> wrote:
>
> >>> Karen O'Donoghue <odonoghue@isoc.org> wrote on 28.08.2020 at 19:42 in
> message <3FBC06BC-A42A-42BA-B2E4-15C4B19FF829@isoc.org>:
>
> ...
> > 4. Call for Adoption results/discussion on
> draft-mlichvar-ntp-alternative-port
> ...
>
> I wonder: If adopted, how would it be implemented most likely? When done at
> network/transport level at some gateway:
> If incoming traffic to TBD is redirected to port 123 _if_ it's not mode 6 or
> mode 7, then the filtering could be done right on port 123. Likewise for
> outgoing traffic.

No, the goal is to get the software onto a clean port and not mess up
this time. It's a mulligan.
>
> Is this RFC basically for:
>
> Inability of firewall firmware to do proper filtering?
> Inability of network administrators to apply the correct filters ("Don't
> panic", but they still do)?
>
> Seeing that firewalls try deep packet inspection, I wonder whether the RFC is
> needed, specifically: How long will it take to have a significant effect? If
> you assume port 123 is blacklisted on some sites, it may be effective when all
> the NTP software has been updated, but when allowable ports are whitelisted,
> then the lack of port 123 being allowed doesn't help for the alternate port...

ISP equipment often cannot inspect beyond the port number, and they
faced existential risk from the NTP floods knocking them offline.  As
a result, there is extreme policing of port 123. Whitelisting environments
are typically ones with more control and less traffic and equipment that
can look deeper.

Sincerely,
watson
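The two filtering models discussed above (Ulrich's gateway rule that forwards non-mode-6/7 traffic to port 123, and Watson's point that ISP equipment can only act on the port number) can be made concrete by decoding the first octet of an NTP packet, which carries LI, VN and Mode. The following is an added example written for this archive page; it is not code from the thread, the draft, or any NTP implementation. `ALT_PORT_TBD` is a placeholder for the alternative port number, which the draft leaves TBD, and the sample packets are constructed for illustration.

```python
"""Classify NTP packets by the mode field and compare two filter policies.

Added example (not part of the mailing-list thread). The first octet of
every NTP packet holds LI (2 bits), VN (3 bits) and Mode (3 bits), so a
device that can read one byte past the UDP header can separate time-sync
traffic (modes 1-5) from control (mode 6) and private (mode 7) packets.
A port-number-only filter cannot, and drops legitimate clients with the rest.
"""

from collections import Counter

NTP_PORT = 123
# Placeholder: the draft leaves the alternative port number TBD.
ALT_PORT_TBD = 1123  # assumed value for the example only

MODE_NAMES = {
    0: "reserved",
    1: "symmetric active",
    2: "symmetric passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control",
    7: "private",
}


def parse_ntp_header(packet: bytes) -> dict:
    """Decode LI, VN and Mode from the first octet of an NTP packet."""
    if not packet:
        raise ValueError("empty packet")
    first = packet[0]
    return {"li": first >> 6, "vn": (first >> 3) & 0x07, "mode": first & 0x07}


def is_time_sync(packet: bytes) -> bool:
    """True for modes 1-5, the packets a time service actually needs."""
    return parse_ntp_header(packet)["mode"] in (1, 2, 3, 4, 5)


def mode_aware_policy(packet: bytes, dst_port: int) -> str:
    """Gateway rule sketched in the thread: time-sync packets arriving on
    either port are forwarded to 123; control/private packets are dropped.
    Returns 'forward:<port>' or 'drop'."""
    if dst_port not in (NTP_PORT, ALT_PORT_TBD):
        return "drop"
    if not is_time_sync(packet):
        return "drop"
    return f"forward:{NTP_PORT}"


def port_only_policy(dst_port: int, blocked_ports=(NTP_PORT,)) -> str:
    """Rule available to equipment that cannot look past the port number:
    everything to a blocked port is dropped, legitimate clients included."""
    return "drop" if dst_port in blocked_ports else "forward"


# Constructed sample packets; only the first octet matters for classification.
CLIENT_V4 = bytes([0x23]) + bytes(47)         # LI=0 VN=4 mode=3, 48-byte request
SERVER_V4 = bytes([0x24]) + bytes(47)         # LI=0 VN=4 mode=4, 48-byte reply
CONTROL_V2 = bytes([0x16, 0x02]) + bytes(10)  # LI=0 VN=2 mode=6, 12-byte control hdr
PRIVATE_V2 = bytes([0x17]) + bytes(7)         # LI=0 VN=2 mode=7, private mode


def summarize(traffic):
    """Count (mode name, policy, decision) triples for a list of
    (packet, dst_port) tuples under both policies."""
    counts = Counter()
    for packet, port in traffic:
        mode = MODE_NAMES[parse_ntp_header(packet)["mode"]]
        counts[(mode, "port_only", port_only_policy(port))] += 1
        counts[(mode, "mode_aware", mode_aware_policy(packet, port))] += 1
    return counts


if __name__ == "__main__":
    sample = [(CLIENT_V4, NTP_PORT), (SERVER_V4, NTP_PORT),
              (CONTROL_V2, NTP_PORT), (PRIVATE_V2, NTP_PORT),
              (CLIENT_V4, ALT_PORT_TBD)]
    for key, n in sorted(summarize(sample).items()):
        print(key, n)
```

Running the block shows the asymmetry Watson describes: the port-only policy drops every packet on 123 regardless of mode, while the mode-aware policy keeps client and server traffic and drops only modes 6 and 7, whichever port they arrive on.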