Re: [Ntp] [EXT] Re: NTPv5 KISS code support
Hal Murray <halmurray+ietf@sonic.net> Wed, 08 November 2023 08:44 UTC
To: Miroslav Lichvar <mlichvar@redhat.com>
cc: Hal Murray <halmurray+ietf@sonic.net>, NTP WG <ntp@ietf.org>
From: Hal Murray <halmurray+ietf@sonic.net>
In-Reply-To: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Wed, 08 Nov 2023 08:15:17 +0100." <ZUs1hQvWMeEm9nby@localhost>
Date: Wed, 08 Nov 2023 00:44:34 -0800
Message-Id: <20231108084434.4B8DA28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Z9pIGV6fraMNMk4Gm7VS-hUSttU>
Thanks.

> In my tests responding to 25% of requests seems to be sufficient for clients
> like ntpd to keep the clock synchronized, although not very well.

> The server needs to respond to some constant percentage of the requests and
> select them randomly. The attacker would need to send requests at a much
> higher rate in order to overload the network or the server to actually reduce
> the rate of responses that the victim gets. Doing that for a larger number of
> servers like pool.ntp.org would be impractical.

If we let 25% of the bad traffic through, we have opened up the server for use
as a reflector. The bad guy will just have to find 3 other servers to get the
same amount of traffic through.

[putting IP Address into cookie]

> Yes, that would help. The drawback is that the clients would need to restart
> NTS-KE after moving to a different network.

Maybe that's the price we will have to pay for not letting NTP servers be used
as reflectors.

Servers and workstations/PCs don't change IP Addresses very frequently.

For laptops, we could reduce the load by making the client store sets of
cookies per IP Address. That would cover the common case of a laptop that
migrates from home to work each day. I don't know enough about typical use
cases for portable systems to go much farther than that.

The client could run in no-check-address mode until they lost a string of
packets, aka appeared to be under attack, then switch to check-address mode.

-- 
These are my opinions. I hate spam.
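The two server policies discussed in this message, answering a constant random fraction of requests versus answering only requests whose NTS cookie was minted for the packet's source address, can be compared in a small model. This is an added example, not code from the thread, from ntpd, chrony or any NTS implementation; the cookie layout (nonce plus an HMAC over the client address), the addresses, the traffic mix and the function names are constructed assumptions, and a real NTS cookie additionally carries the AEAD keys.

```python
"""Model of two NTP server response policies against spoofed-source traffic.

Added illustration for the thread, not code from ntpd, chrony or RFC 8915.
Cookie format, addresses and traffic mix are constructed for the model.
"""
import hashlib
import hmac
import math
import random
import secrets
from dataclasses import dataclass

# Server-side secret used to mint and check cookies (rotated in real deployments).
SERVER_KEY = secrets.token_bytes(32)
NONCE_LEN = 8
TAG_LEN = 16


def mint_cookie(client_ip: str) -> bytes:
    """Mint a cookie at NTS-KE time that is bound to the client's address.

    Simplified layout: nonce || HMAC(key, nonce || client_ip).
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    tag = hmac.new(SERVER_KEY, nonce + client_ip.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return nonce + tag


def cookie_valid_for(cookie: bytes, src_ip: str) -> bool:
    """Check the cookie against the source address the request arrived from."""
    if len(cookie) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = cookie[:NONCE_LEN], cookie[NONCE_LEN:]
    expected = hmac.new(SERVER_KEY, nonce + src_ip.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


@dataclass(frozen=True)
class Request:
    src_ip: str      # source address on the wire (where the response is sent)
    cookie: bytes
    spoofed: bool    # constructed ground truth: True if src_ip is a forged victim address


def build_traffic(n_legit: int, n_spoofed: int) -> list:
    """Constructed traffic: legitimate clients carry cookies minted for their own
    address; spoofed packets carry a cookie minted for the sender's real address
    (the only address NTS-KE would issue one for) but a forged source address."""
    legit_ip, real_ip, victim_ip = "192.0.2.10", "203.0.113.5", "198.51.100.7"
    legit = [Request(legit_ip, mint_cookie(legit_ip), False) for _ in range(n_legit)]
    spoofed = [Request(victim_ip, mint_cookie(real_ip), True) for _ in range(n_spoofed)]
    return legit + spoofed


def random_fraction_policy(requests, p: float, rng: random.Random):
    """Answer a constant random fraction p of all requests, origin unchecked."""
    return [r for r in requests if rng.random() < p]


def ip_bound_cookie_policy(requests):
    """Answer only requests whose cookie was minted for the packet's source address."""
    return [r for r in requests if cookie_valid_for(r.cookie, r.src_ip)]


def count_responses(responded) -> dict:
    """Split responses into those reaching real clients and those reflected elsewhere."""
    return {
        "legit": sum(1 for r in responded if not r.spoofed),
        "reflected": sum(1 for r in responded if r.spoofed),
    }


def servers_for_equal_reflection(p: float) -> int:
    """Servers answering fraction p that together reflect as much as one server
    answering everything (the '3 other servers' point in the message at p = 0.25)."""
    return math.ceil(1 / p)


def compare(n_legit: int = 1000, n_spoofed: int = 1000, p: float = 0.25, seed: int = 1) -> dict:
    """Run both policies over the same constructed traffic and tally the outcome."""
    traffic = build_traffic(n_legit, n_spoofed)
    rng = random.Random(seed)
    return {
        "random_fraction": count_responses(random_fraction_policy(traffic, p, rng)),
        "ip_bound_cookie": count_responses(ip_bound_cookie_policy(traffic)),
    }


if __name__ == "__main__":
    print(compare())
    print("servers needed at p=0.25:", servers_for_equal_reflection(0.25))
```

Under the random-fraction policy roughly a quarter of the spoofed requests still draw a response, so the server remains a reflector at 25% capacity, which is the objection raised above. Under the address-bound policy the spoofed requests draw none, while every legitimate request is answered; the cost, as the quoted reply notes, is that a client which changes address must return to NTS-KE for cookies bound to the new one.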