IETF Logo Mail Archive

Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02

Danny Mayer <mayer@pdmconsulting.net> Mon, 06 December 2021 22:26 UTC

Return-Path: <mayer@pdmconsulting.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAFBE3A060A; Mon, 6 Dec 2021 14:26:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.753
X-Spam-Level:
X-Spam-Status: No, score=-3.753 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.852, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yc0tB0Hfzz_c; Mon, 6 Dec 2021 14:26:06 -0800 (PST)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DF7C3A0A00; Mon, 6 Dec 2021 14:25:57 -0800 (PST)
Received: from [192.168.0.101] (pool-108-26-179-179.bstnma.fios.verizon.net [108.26.179.179]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4J7J0x1Pw6zMNZl; Mon, 6 Dec 2021 22:25:53 +0000 (UTC)
Message-ID: <90723c26-0352-a4d1-f765-eb26b1522954@pdmconsulting.net>
Date: Mon, 06 Dec 2021 17:25:52 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Content-Language: en-US
To: Miroslav Lichvar <mlichvar@redhat.com>, "C. M. Heard" <heard@pobox.com>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, NTP WG <ntp@ietf.org>, Joe Touch <touch@strayalpha.com>, TSVWG <tsvwg@ietf.org>, Steven Sommars <stevesommarsntp@gmail.com>, iana-port-experts@icann.org, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>, Hal Murray <halmurray@sonic.net>, Harlan Stenn <stenn@nwtime.org>
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com> <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com> <CACL_3VENkyebRf25W6EpW0yZY6ELYS41A4D_i+RnQE1M21P2hg@mail.gmail.com> <Ya3fLJCHUsm1wE28@localhost>
From: Danny Mayer <mayer@pdmconsulting.net>
In-Reply-To: <Ya3fLJCHUsm1wE28@localhost>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/a0puxtjjKrfSJIZNTo5c62ciltI>
X-Mailman-Approved-At: Mon, 06 Dec 2021 14:33:07 -0800
Subject: Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2021 22:26:11 -0000

On 12/6/21 5:00 AM, Miroslav Lichvar wrote:
> On Sun, Dec 05, 2021 at 03:20:12PM -0800, C. M. Heard wrote:
>> We have two contradictory assertions by proponents of the alternate port.
>> Which, if either, is correct?
>>
>> Are the servers largely fixed but the filters still in place out of
>> inertia, as Mr. Sommers says?
>>
>> Or do the filters remain because of servers that have not been fixed, as
>> Mr. Murray says?
> I suspect we won't know for sure as long as NTP is firewalled
> everywhere.
>
> The reality is that NTP doesn't work reliably over Internet. In the
> community of people running public servers (pool.ntp.org) it's the
> number one problem. My impression is that it's getting worse over
> time.
That's untrue. It's been working for over 25 years and probably longer. 
The real issue here is that there are firewalls and routers blocking 
packets longer than 48 bytes, yet I've watch autokey do its dance with 
packet lengths much longer. What you are trying to do is circumvent 
these firewall and router rules to get NTP to work with larger packets 
but on a new port and you will still have to set the rules to allow it. 
Like EDNS0 adjusting the existing rules on port 123 is a much better 
solution. Removing or restricting support for mode 6 and 7 packets is 
trivial and requires no additional complexity. You're just trying to 
move the underlying problem from one place to the other.
>
> With NTS, which uses longer NTP messages it's quite common to see a
> client that doesn't get a response to most of its requests.
Fix the firewall rules.
>
> The major ISPs have middleboxes, which cannot be configured to
> specifically block or rate limit the amplifiying mode-6/7 messages.
> Better hardware could be designed, but who will pay for that?
> Expecting all those existing servers that amplify the traffic to be
> fixed and the middleboxes to be disabled doesn't seem to be realistic.
>
No, instead you should be fixing the servers to not reply to mode 6/7 
packets instead. In the NTP Reference implementation it's trivial to 
update the configuration. In other implementations that's a SMOP if it's 
not already there.

Danny

v2.23.0 | Report a Bug | By Email