Re: [Ntp] NTPv5 KISS code support
Miroslav Lichvar <mlichvar@redhat.com> Thu, 02 November 2023 09:11 UTC
Date: Thu, 02 Nov 2023 10:11:06 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: David Venhoek <david@venhoek.nl>
Cc: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/SUZQydxJjIVLdjRUO05bwxZlT7g>
On Wed, Nov 01, 2023 at 03:37:44PM +0100, David Venhoek wrote:
> Hi All,
>
> I have made a pull request with suggested wording for including kiss
> code support in ntpv5. The PR can be found
> at https://github.com/mlichvar/draft-ntp-ntpv5/pull/9, the suggested
> patch is also included below for completeness. Please do share any
> feedback regarding the chosen design, this looked good to me but there
> may be better approaches.

This looks similar to the description of DENY, RSTR, RATE codes in
RFC 5905.

One problem is that it's a security issue, a denial of service for the
client. A single spoofed response shouldn't be able to completely
break synchronization with a server. There needs to be some maximum
poll value specified for RATE and some interval specified for RSTR
and DENY. With that, I would ask how is it better than what we already
have with the suggested poll interval returned in a normal server
response.

The other issue is the most buggy clients that would need this
handling are least likely to implement it, at least that's what we
have seen with (S)NTPv4 implementations. With the most severe bugs
that lead to flooding of servers (e.g. in systemd-timesyncd and
Fortigate firewalls for example), handling of these codes wouldn't
make a difference anyway. By the time the client receives a response
from the server, it has already sent another request, so it couldn't
accept it as valid even if it had this functionality implemented.

-- 
Miroslav Lichvar
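
An added sketch (not part of the original message, the pull request or the draft) of the bounded client-side handling the message asks for: a kiss code only takes effect if it echoes the single outstanding request, RATE raises the poll exponent up to a ceiling, and DENY/RSTR mute the server for a fixed interval instead of permanently. The bounds, the `req_id` field and all function names are assumptions chosen for illustration.

```python
# Added illustration; values and names are assumptions, not from the NTPv5 draft.
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_POLL = 10            # assumed ceiling for the poll exponent (2**10 s)
DENY_HOLDOFF = 3600.0    # assumed cap (seconds) on how long DENY/RSTR mutes a server


@dataclass
class Association:
    poll: int = 6                       # current poll exponent (log2 seconds)
    req_id: Optional[bytes] = None      # value the server must echo (hypothetical field)
    muted_until: float = 0.0            # time before which this server is not polled


def on_request_sent(a: Association, req_id: bytes) -> None:
    # Only the most recent request is outstanding; older ones can no longer match.
    a.req_id = req_id


def on_kiss(a: Association, code: str, echoed: bytes, now: float) -> str:
    """Apply a kiss code with bounded effect and return the action taken."""
    # Reject anything that does not echo the outstanding request. This is the
    # anti-spoofing check, and also why a client that has already sent its next
    # request cannot accept the reply to the previous one.
    if a.req_id is None or not hmac.compare_digest(a.req_id, echoed):
        return "ignored"
    a.req_id = None                      # one response per request
    if code == "RATE":
        a.poll = min(a.poll + 1, MAX_POLL)   # back off, but never past the ceiling
        return "poll_raised"
    if code in ("DENY", "RSTR"):
        a.muted_until = now + DENY_HOLDOFF   # bounded silence, then retry
        return "muted"
    return "ignored"                     # unknown codes change nothing


def may_poll(a: Association, now: float) -> bool:
    return now >= a.muted_until
```

With these bounds, the worst a single accepted kiss code can do is one poll step or one hold-off interval, so recovery does not depend on operator intervention.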