Re: [Ntp] NTS IANA request

Watson Ladd <watsonbladd@gmail.com> Sat, 08 June 2019 07:12 UTC

References: <CAN2QdAH9Uh_wYSEizgYTjd4Q6VFQT+tvH8dnbPgKKc59+vEfng@mail.gmail.com> <a123d81b-4994-9e35-58eb-6845cf439f91@nwtime.org> <20190605164753.6e71fcaa@rellim.com> <03055E77-EB42-494E-A231-039C4603E256@akamai.com> <CAJm83bDYZ+vcwkhFEf2YCAVwKcSm7rEgbuB0Wwsvm5XVVAMjuQ@mail.gmail.com> <C8E4189E-E3A1-4926-AF0F-93BE9C7255C8@akamai.com> <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com> <de0c6296-7152-044a-5613-dfdc8d924c2f@ntp.org> <CAJm83bA6Sn0ZiCTgfG7UUpB3DA_G5FMMu=3_JP4fA0Rr-nckNQ@mail.gmail.com> <CACsn0cnfSAT3PZMiz+LgcpOue3m=TYzbtGiW+jNBvZyX3q94=A@mail.gmail.com> <838bf818-9470-df72-2d64-0aafd715d67d@nwtime.org>
In-Reply-To: <838bf818-9470-df72-2d64-0aafd715d67d@nwtime.org>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 08 Jun 2019 00:12:28 -0700
Message-ID: <CACsn0ckc+OfmKS0EGKnrFf8XGYSbBQafJET2VyaodPzvrvn1Zg@mail.gmail.com>
To: Harlan Stenn <stenn@nwtime.org>
Cc: NTP WG <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Zgp-DJnfNBMI_bIWJN4V9WpJ5xo>
Subject: Re: [Ntp] NTS IANA request

On Fri, Jun 7, 2019 at 10:16 PM Harlan Stenn <stenn@nwtime.org> wrote:
>
>
>
> On 6/7/2019 7:49 PM, Watson Ladd wrote:
> >
> >
> > On Fri, Jun 7, 2019, 10:34 AM Daniel Franke <dfoxfranke@gmail.com
> > <mailto:dfoxfranke@gmail.com>> wrote:
> >
> >     On Fri, Jun 7, 2019 at 10:31 AM Danny Mayer <mayer@ntp.org
> >     <mailto:mayer@ntp.org>> wrote:
> >     > We do what we did for EDNS0, get the firewall folks to change their
> >     > policies to allow for larger payloads. It will take years but
> >     > firewall people have to move with changes as they happen.
> >
> >     EDNS0 may literally be the worst possible role model here. It made DNS
> >     a serious amplifier, the internet's second-worst offender after NTP.
> >     It *created* the problems that those firewall rules were put in to
> >     solve. Today if you want to make a DNS request whose response is
> >     likely to be larger than 512 bytes, you're practically forced to do it
> >     over TCP.
> >
> >
> > NTP? There are no mode 6 packets in RFC 5905.
>
> How is this relevant?
>
> > Let's be clear about what happened: one implementation did something
> > silly
>
> Point of order: is this a technical comment?  Is it professional?
>
> The implementation was behaving as it did pretty much from before 1989 -
> it was in xntp2, and I haven't checked anything earlier.
>
> Back from when the "internet" was a friendly and helpful place.
>
> The Reference Implementation required a token for MRU lists, the vehicle
> for the amplification attack starting in late March of 2010.
>
> The 'monitor' keyword was added in July of 2010.
>
> The 'mode7' keyword was added in November of 2011.
>
> The big NTP attack happened in December 2013.
>
> Folks had more than 2 years to decide to upgrade.
>
> But none of these attacks, NTP, DNS, etc. would have been possible had
> folks implemented BCP38, which was published in May of 2000.

There are many places where these problems could be solved. That
doesn't free us from having to deal with them.

>
> > and we have to clean up the mess.
>
> If you mean the NTP WG, then we disagree.
>
> We have responsibilities *to* people, not *for* people.
>
> If folks choose not to upgrade their software, or to not bother with BCP
> on traffic or configurations, against recommendation, that's their
> choice.  It is arguably irresponsible, but it's still their choice.
>
> > And to compound the problem
> > src=123 is used for queries by that same implementation so time servers
> > can't block the amplification easily and still be usable by the widely
> > shipped implementation.
>
> How exactly would not using 123 for queries allow folks to block
> amplification?  The forged packets were likely not coming from port 123.

The issue isn't with being an amplifier; the issue is with being the
victim of an amplifier. Blocking src = 123 is an easy solution for the
network team, but makes it impossible to operate a time service
without blocking those users who use the reference implementation. So
operators of NTP servers have to decide: be vulnerable to DDoS or not
support common clients. This is not good.

>
> Your assertion makes no sense to me.  Perhaps you could rephrase it for
> me and anybody else who doesn't know what you're trying to say.
>
> > I'm still jumping through hoops because of this.
>
> In what way?

The details aren't that interesting and mostly concern assumptions
that get broken by the solution to the above problem: putting the
server on its own IP range with its own firewall rules which are not
protected.


>
> > Sincerely,
> > Watson
> >
> >
> >
> >     _______________________________________________
> >     ntp mailing list
> >     ntp@ietf.org <mailto:ntp@ietf.org>
> >     https://www.ietf.org/mailman/listinfo/ntp
> >
> >
>
> --
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!
>



--
"Man is born free, but everywhere he is in chains".
--Rousseau.
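The trade-off Watson describes above, modelled as an added example (not code from the thread, the reference implementation, or any NTP project): at a time server, a firewall rule that drops every datagram with UDP source port 123 stops reflected mode 6/7 responses, but it also drops queries from clients that send from source port 123, which is exactly the reference-implementation behaviour the thread complains about. Classifying on the 3-bit mode field in the first NTP byte (RFC 5905) keeps those mode 3 client queries while still rejecting control (mode 6) and private (mode 7) packets. The packets below are constructed samples; only their first byte is meaningful, and the `SAMPLE_TRAFFIC`, `port_rule_drops` and `mode_rule_drops` names are this example's own.

```python
"""Port-based vs mode-based filtering of inbound NTP packets (added example)."""

NTP_PORT = 123
MODE_NAMES = {3: "client", 4: "server", 6: "control", 7: "private"}


def ntp_mode(payload: bytes) -> int:
    """Low three bits of the first byte: the NTP mode field (RFC 5905)."""
    if not payload:
        raise ValueError("empty NTP payload")
    return payload[0] & 0x07


def ntp_version(payload: bytes) -> int:
    """Bits 3-5 of the first byte: the NTP version number."""
    if not payload:
        raise ValueError("empty NTP payload")
    return (payload[0] >> 3) & 0x07


def build_packet(version: int, mode: int, length: int = 48) -> bytes:
    """Construct a sample datagram whose first byte encodes LI=0, VN and mode.

    Mode 6/7 packets use a different layout after the first byte; here the
    remainder is zero padding because only the mode byte is inspected.
    """
    first = (version << 3) | mode
    return bytes([first]) + b"\x00" * (length - 1)


# Constructed inbound traffic at a time server: (src_port, dst_port, payload, label)
SAMPLE_TRAFFIC = [
    (123,   123, build_packet(4, 3),      "client query, src port 123 (reference impl)"),
    (49152, 123, build_packet(4, 3),      "client query, ephemeral src port"),
    (123,   123, build_packet(2, 7, 440), "mode 7 response (reflected)"),
    (123,   123, build_packet(2, 6, 440), "mode 6 response (reflected)"),
]


def port_rule_drops(src_port: int, dst_port: int, payload: bytes) -> bool:
    """The blunt rule from the thread: drop any datagram with UDP source port 123."""
    return src_port == NTP_PORT


def mode_rule_drops(src_port: int, dst_port: int, payload: bytes) -> bool:
    """Drop control (6) and private (7) mode packets; pass client/server modes."""
    return ntp_mode(payload) in (6, 7)


def evaluate(rule, traffic):
    """Return (dropped, passed) label lists for a rule applied to a traffic list."""
    dropped, passed = [], []
    for src, dst, payload, label in traffic:
        (dropped if rule(src, dst, payload) else passed).append(label)
    return dropped, passed


def collateral(rule, traffic):
    """Labels of legitimate client queries (mode 3) that the rule would drop."""
    return [label for src, dst, payload, label in traffic
            if ntp_mode(payload) == 3 and rule(src, dst, payload)]


if __name__ == "__main__":
    for name, rule in (("src-port-123 rule", port_rule_drops),
                       ("mode rule", mode_rule_drops)):
        dropped, passed = evaluate(rule, SAMPLE_TRAFFIC)
        print(f"{name}: drops {dropped}, passes {passed}")
        print(f"  collateral client queries dropped: {collateral(rule, SAMPLE_TRAFFIC)}")
```

Run stand-alone, the port rule reports the reference-implementation client query as collateral damage while the mode rule reports none. The mode rule also drops legitimate mode 6 traffic, which is what `ntpq` uses for remote management, so an operator who wants remote control queries would scope that part of the rule to trusted sources rather than drop mode 6 globally.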