Re: [Ntp] NTPv5 KISS code support

Miroslav Lichvar <mlichvar@redhat.com> Thu, 02 November 2023 09:11 UTC

Date: Thu, 02 Nov 2023 10:11:06 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: David Venhoek <david@venhoek.nl>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <ZUNnqmnEVDx1538O@localhost>
References: <CAPz_-SWRUTB2wQeLg5wS_c34D-7R-Ngcek13rzknyiGf9iG-tA@mail.gmail.com>
In-Reply-To: <CAPz_-SWRUTB2wQeLg5wS_c34D-7R-Ngcek13rzknyiGf9iG-tA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/SUZQydxJjIVLdjRUO05bwxZlT7g>

On Wed, Nov 01, 2023 at 03:37:44PM +0100, David Venhoek wrote:
> Hi All,
> 
> I have made a pull request with suggested wording for including kiss
> code support in ntpv5. The PR can be found
> at https://github.com/mlichvar/draft-ntp-ntpv5/pull/9, the suggested
> patch is also included below for completeness. Please do share any
> feedback regarding the chosen design, this looked good to me but there
> may be better approaches.

This looks similar to the description of DENY, RSTR, RATE codes in RFC
5905.

One problem is that it's a security issue, a denial of service for the
client. A single spoofed response shouldn't be able to completely break
synchronization with a server. There needs to be some maximum poll
value specified for RATE and some interval specified for RSTR and
DENY. With that, I would ask how it is better than what we already
have with the suggested poll interval returned in a normal server
response.

The other issue is that the most buggy clients that would need this
handling are the least likely to implement it, at least that's what
we have seen with (S)NTPv4 implementations. With the most severe bugs
that lead to flooding of servers (e.g. in systemd-timesyncd and
Fortigate firewalls), handling of these codes wouldn't
make a difference anyway. By the time the client receives a response
from the server, it has already sent another request, so it couldn't
accept it as valid even if it had this functionality implemented.

-- 
Miroslav Lichvar
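Added worked example (not part of this thread, the pull request, or the draft): a client-side kiss-code policy that illustrates the two points made above. A RATE, RSTR or DENY reply is honoured only with a bounded effect (an assumed poll cap MAX_POLL and an assumed suspension interval SUSPEND_SECONDS), so a single spoofed packet cannot permanently break synchronization; and a reply whose origin timestamp no longer matches the client's latest request is dropped, which is why a client already flooding faster than the round-trip time never gets to act on the code. The packet layout is the NTPv4 header from RFC 5905 (stratum 0 with the code in the reference ID); the sample packets are constructed here and the class, function names and limits are the example's own assumptions.

```python
"""Bounded kiss-code handling in an NTP client (added example, assumptions
labelled; the caps are not from the draft or the thread)."""
import struct

MAX_POLL = 10            # assumed cap: never poll slower than 2**10 s
SUSPEND_SECONDS = 3600   # assumed bound on how long DENY/RSTR is honoured
NTP_PACKET_LEN = 48      # NTPv4 header without extension fields (RFC 5905)


def make_packet(stratum, refid, origin_ts):
    """Build a minimal 48-byte NTPv4 server response (constructed sample).
    Stratum 0 marks a kiss-o'-death packet and refid then carries the code."""
    pkt = bytearray(NTP_PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 4            # LI=0, VN=4, mode=4 (server)
    pkt[1] = stratum
    pkt[12:16] = refid.encode("ascii").ljust(4, b"\0")[:4]
    pkt[24:32] = struct.pack("!Q", origin_ts)   # echoed client transmit ts
    return bytes(pkt)


def kiss_code(packet):
    """Return the 4-character kiss code for a stratum-0 packet, else None."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("truncated NTP packet")
    if packet[1] != 0:
        return None
    return packet[12:16].decode("ascii", errors="replace")


def origin_ts(packet):
    return struct.unpack("!Q", packet[24:32])[0]


class PeerState:
    """Per-server client state with bounded reaction to kiss codes."""

    def __init__(self, poll=6):
        self.poll = poll                 # log2 of the poll interval in seconds
        self.suspended_until = None      # absolute time, None = not suspended
        self.pending_origin = None       # origin ts of the latest request sent

    def send_request(self, now):
        # The transmit timestamp (here simply `now`) becomes the origin
        # timestamp the server must echo back.
        self.pending_origin = now
        return self.pending_origin

    def usable(self, now):
        return self.suspended_until is None or now >= self.suspended_until

    def handle_response(self, packet, now):
        # Only a reply to the request we are actually waiting for counts;
        # anything else (stale, unsolicited, or spoofed without the origin
        # timestamp) is ignored.
        if self.pending_origin is None or origin_ts(packet) != self.pending_origin:
            return "ignored"
        self.pending_origin = None
        code = kiss_code(packet)
        if code is None:
            return "ok"
        if code == "RATE":
            # Back off, but never beyond the assumed maximum poll exponent.
            self.poll = min(self.poll + 1, MAX_POLL)
            return "rate"
        if code in ("DENY", "RSTR"):
            # Stop querying for a bounded time instead of forever.
            self.suspended_until = now + SUSPEND_SECONDS
            return "suspended"
        return "unknown"   # stratum-0 reply we do not act on, and never sync to


def spoof_rate_storm(n):
    """n RATE replies, each matching a fresh request: poll stays capped."""
    peer = PeerState()
    for now in range(n):
        o = peer.send_request(now)
        peer.handle_response(make_packet(0, "RATE", o), now)
    return peer.poll


def spoof_deny_recovers():
    """One DENY suspends the server, but only until SUSPEND_SECONDS elapse."""
    peer = PeerState()
    o = peer.send_request(100)
    result = peer.handle_response(make_packet(0, "DENY", o), 100)
    return result, peer.usable(100), peer.usable(100 + SUSPEND_SECONDS)


def flooding_client_cannot_accept_kod():
    """Client sends every second but the RTT is 2 s: by the time the RATE
    reply to the first request arrives, a newer request is outstanding."""
    peer = PeerState()
    o1 = peer.send_request(0)
    peer.send_request(1)
    return peer.handle_response(make_packet(0, "RATE", o1), 2)


if __name__ == "__main__":
    print("poll after 20 RATE replies:", spoof_rate_storm(20))
    print("DENY handling:", spoof_deny_recovers())
    print("flooding client:", flooding_client_cannot_accept_kod())
```

The numbers are deliberately conservative placeholders; the point is structural: whatever limits an NTPv5 specification picks, the client's reaction to an unauthenticated kiss code has to be bounded in both magnitude (poll cap) and duration (retry after a fixed interval), and the origin-timestamp check is what stops most spoofed packets from being accepted at all.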