Re: [Ntp] [EXT] Re: NTPv5 KISS code support
Hal Murray <halmurray+ietf@sonic.net> Tue, 07 November 2023 20:03 UTC
To: Miroslav Lichvar <mlichvar@redhat.com>
cc: Hal Murray <halmurray+ietf@sonic.net>, NTP WG <ntp@ietf.org>
From: Hal Murray <halmurray+ietf@sonic.net>
In-Reply-To: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Sat, 04 Nov 2023 09:22:46 +0100." <ZUX/VmCu/3Qoy5av@localhost>
Date: Tue, 07 Nov 2023 12:02:26 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/XXP2BFd6NtgPi8PQhvgsowkwWFo>
> NTPv5 shouldn't prevent rate limiting, but maybe it should provide some
> guidance on how it should work to avoid security issues. If the server
> completely stops responding to an address when it gets too many requests over
> an interval (I think the ntp.org implementation still does this), it is a
> security issue (denial of service) which can be exploited by attackers
> sending requests with spoofed source address at the rate which triggers rate
> limiting. Instead, the server should always respond to some fraction of
> requests selected randomly, so the victim always gets some responses.

UDP request-response is about as simple a protocol as you can get. I find it amusing how complicated such a simple protocol can get.

Suppose the bad guys are trying to DoS somebody by sending enough forged requests to trigger rate limiting.

How did the bad guy figure out which servers the victim is using? Can we fight that by using a few more?

Will responding to some requests be good enough? What fraction of requests need to get answered for NTP to "work"?

Do the numbers work? If the bad guy sends 1 packet per second and the victim sends 1 packet every 64 seconds and the server responds to 1 packet per second, the victim gets 1/2 or 1/65 depending on implementation details. The bad guy can reduce the odds by sending faster. This is an arms race.

I think we can fix this by adding an option to NTS to include the client's IP Address in the cookie. That would let the server split rate limiting into 2 piles, one for requests with a verified source, and the other for everybody else.

Note that if an NTS client misses 8 responses in a row and doesn't reuse cookies, then the NTS-KE server will get increased traffic.

-- 
These are my opinions. I hate spam.
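The following is an added illustration of the three rate-limiting designs discussed in this message, written for this archive page; it is not code from the thread, from ntpd, chrony, ntpsec or any NTS implementation. It simulates a server that accounts requests per source address in fixed windows and compares the "stop responding completely" policy, the "answer a random fraction" policy, and a sketch of the proposal to bind a cookie to the client address so genuine requests are counted in a bucket that spoofed packets cannot fill. `WINDOW`, `BUDGET`, the victim address and the poll schedule are constructed values, and the answer probabilities come from this model's sampling rule (`BUDGET / observed_rate`), so they are not the 1/2 or 1/65 figures quoted above; what the run does show is that the cutoff policy silences the victim entirely, the fraction policy degrades gradually as the flood rate rises, and the verified bucket is unaffected by the flood.

```python
"""Toy simulation of NTP server rate limiting under a spoofed-source flood.

Constructed example; not code from any NTP or NTS implementation.
  cutoff   - an address over its budget gets no answers at all
             (the behaviour flagged in the thread as a DoS risk)
  fraction - over-budget traffic is answered with probability BUDGET/rate
  verified - genuine requests (modelling an address-bound cookie, which is
             a hypothetical option here) are accounted in their own bucket
"""
import random
from collections import defaultdict

WINDOW = 64                # seconds per accounting window (constructed)
BUDGET = 64                # answers allowed per bucket per window (constructed)
VICTIM_IP = "192.0.2.10"   # RFC 5737 documentation address (constructed)


class RateLimiter:
    def __init__(self, policy, rng):
        if policy not in ("cutoff", "fraction"):
            raise ValueError(policy)
        self.policy = policy
        self.rng = rng
        self.window_start = 0.0
        self.seen = defaultdict(int)       # requests per bucket, current window
        self.prev_seen = defaultdict(int)  # requests per bucket, previous window

    def _roll(self, now):
        # Advance to the window containing `now`; the last full window's
        # counts serve as the rate estimate for the new one.
        while now - self.window_start >= WINDOW:
            self.window_start += WINDOW
            self.prev_seen, self.seen = self.seen, defaultdict(int)

    def decide(self, now, bucket):
        """Return True if the server should answer this request."""
        self._roll(now)
        self.seen[bucket] += 1
        est = max(self.prev_seen[bucket], self.seen[bucket])
        if est <= BUDGET:
            return True                      # within budget: always answer
        if self.policy == "cutoff":
            return False                     # over budget: silence
        return self.rng.random() < BUDGET / est   # over budget: sampled


def simulate(policy, attacker_pps, verified=False, seconds=WINDOW * 16, seed=1):
    """Fraction of the victim's own polls that receive a response.

    The flood forges the victim's source address at `attacker_pps` requests
    per second; the victim itself polls once every 64 s (NTP poll 6).
    """
    rng = random.Random(seed)
    limiter = RateLimiter(policy, rng)
    events = []                              # (time, genuine?) request timeline
    for t in range(seconds):
        for i in range(attacker_pps):
            events.append((t + i / attacker_pps, False))   # forged source
        if t % 64 == 32:
            events.append((float(t), True))                # victim's poll
    events.sort()
    sent = got = 0
    for now, genuine in events:
        # With an address-bound cookie the genuine request lands in its own
        # bucket; without one it shares the bucket with the forged traffic.
        tag = "verified" if (verified and genuine) else "unverified"
        answered = limiter.decide(now, (VICTIM_IP, tag))
        if genuine:
            sent += 1
            got += answered
    return got / sent


def expected_share(attacker_pps):
    """Steady-state answer probability for the 'fraction' policy in this model."""
    return min(1.0, BUDGET / (attacker_pps * WINDOW + 1))


if __name__ == "__main__":
    for pps in (0, 1, 10, 100):
        print(f"flood {pps:>3} pps: cutoff={simulate('cutoff', pps):.2f} "
              f"fraction={simulate('fraction', pps):.2f} "
              f"(model {expected_share(pps):.2f}) "
              f"verified={simulate('cutoff', pps, verified=True):.2f}")
```

The design point is in `decide`: because the sampling probability is tied to the observed rate rather than to a hard threshold, the real client's share only shrinks in proportion to the flood, which is the arms race described above, whereas a separate bucket for requests whose source the server can verify removes the flood from the victim's accounting altogether.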