[Ntp] KISS => NAT => Rate limiting
Hal Murray <halmurray+ietf@sonic.net> Fri, 03 November 2023 03:08 UTC
Return-Path: <halmurray+ietf@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5F1AC151076 for <ntp@ietfa.amsl.com>; Thu, 2 Nov 2023 20:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9klr140LIhDs for <ntp@ietfa.amsl.com>; Thu, 2 Nov 2023 20:08:52 -0700 (PDT)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52C98C15106E for <ntp@ietf.org>; Thu, 2 Nov 2023 20:08:51 -0700 (PDT)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (104-182-38-69.lightspeed.sntcca.sbcglobal.net [104.182.38.69]) (authenticated bits=0) by d.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 3A338o6Q015155 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 2 Nov 2023 20:08:50 -0700
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 854FB28C20C; Thu, 2 Nov 2023 20:08:50 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8
To: NTP WG <ntp@ietf.org>
cc: Hal Murray <halmurray+ietf@sonic.net>
From: Hal Murray <halmurray+ietf@sonic.net>
In-Reply-To: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Thu, 02 Nov 2023 10:11:06 +0100." <ZUNnqmnEVDx1538O@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Nov 2023 20:08:50 -0700
Message-Id: <20231103030850.854FB28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVZwlH+IikWx5XZS70a5Pn53xNCyrYMEFGCGdDlwvCGc2+yyj+9+78SiU2DxL9GC6ktdILAdyo/cy061ONGpmS7BldvjiHIUGv4=
X-Sonic-ID: C;buUFUPZ57hGfX50CP63e0g== M;qgEcUPZ57hGfX50CP63e0g==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/bUFtTqCAX1Vjz4Udi5ffVEtslg8>
Subject: [Ntp] KISS => NAT => Rate limiting
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 03:08:53 -0000
Yet another problem with KISS is that it doesn't work with NAT. A server can't distinguish a slightly misbehaving client from a handful of clients behind a NAT box. With modern gear, is there any reason to tell a well behaving client to slow down? Should we pick a number, say 64 seconds, and say "Get permission from the operator if you want to send faster than that."? How does that work with iburst or ntpdate that send several packets on short intervals and then become reasonable? NAT gets involved with another tangle. Do we need to think about rate limiting so NTP servers can't be used as reflectors to hide the true source of a DoS attack? Is there an IETF group that thinks about UDP and rate limiting? I've been using a limit of 1 packet per second on a couple of pool servers. That seems generous. I've got a 20 second time constant on the filter so short bursts will work. Even if they are all polling at 64 seconds, that will handle several boxes behind NAT. (Handwave about getting started if they use iburst and all start at the same time like after a power failure and you are on the high side of several...) If you look at the traffic, and ignore the known broken senders, there is another layer of busy boxes. They are borderline abusive, more than 1 packet per second, less than 1000s that we get from the seriously broken boxes. I think they are NAT. I should probably try harder to contact the owners... I can see 2 approaches to getting around rate limiting if we decide that is appropriate. One is to get ISPs to run NTP servers and their customers to use them. The other is to setup a registry for IP Addresses of NAT boxes and have the servers allow more traffic from them. Any other ideas? -- These are my opinions. I hate spam.
- [Ntp] NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] KISS => NAT => Rate limiting Windl, Ulrich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Ira McDonald
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- [Ntp] KISS => NAT => Rate limiting Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- [Ntp] Rate limiting/reflection prevention (Was: N… David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Salz, Rich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Forrest Christian (List Account)