Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomization-00.txt
Heiko Gerstung <heiko.gerstung@meinberg.de> Wed, 13 November 2019 13:27 UTC
Return-Path: <heiko.gerstung@meinberg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 843311200BA for <ntp@ietfa.amsl.com>; Wed, 13 Nov 2019 05:27:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=meinberg.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qPcfmnqObmXf for <ntp@ietfa.amsl.com>; Wed, 13 Nov 2019 05:27:31 -0800 (PST)
Received: from server1a.meinberg.de (server1a.meinberg.de [176.9.44.212]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A5A912003E for <ntp@ietf.org>; Wed, 13 Nov 2019 05:27:31 -0800 (PST)
Received: from srv-kerioconnect.py.meinberg.de (unknown [193.158.22.2]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by server1a.meinberg.de (Postfix) with ESMTPSA id 58AD671C0400; Wed, 13 Nov 2019 14:27:27 +0100 (CET)
X-DKIM: Sendmail DKIM Filter v2.8.2 server1a.meinberg.de 58AD671C0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=meinberg.de; s=mail201101; t=1573651649; bh=X6+0REjoqVdgDASG3SXxIBYzPJZ60b8nzYvlNAL4onw=; h=Date:Subject:Message-ID:References:In-Reply-To:Mime-version:From: To:Content-Type:Content-Transfer-Encoding; b=Wmv2IFS5330zHp+vqLnekGGII8Q4qgkTDV7bI+SN1WK58luIG76KLC8QmpLe68v7+ vMnMIFO/Tzg7o7Wlgx3EBL6tu2yrq/mV8RfoniiV9yNAGIve2WVZCgCNYViyoFxj4l xMgPEmj/C1ck/G6WfiBOI27EBPwAestyS0I25TcY=
X-Kerio-Anti-Spam: Build: [Engines: 2.15.9.1281, Stamp: 3], Multi: [Enabled, t: (0.000006,0.009027)], BW: [Enabled, t: (0.000007)], RTDA: [Enabled, t: (0.086230), Hit: No, Details: v2.7.62; Id: 15.1i6tsil.1dpif50t7.hn1vo], total: 0(700)
X-Footer: bWVpbmJlcmcuZGU=
User-Agent: Microsoft-MacOutlook/10.1e.1.191020
Date: Wed, 13 Nov 2019 14:27:04 +0100
Message-ID: <6DF4A8E2-64B2-4173-B3D5-E7FFE1BAD1FD@meinberg.de>
Thread-Topic: [Ntp] I-D Action: draft-ietf-ntp-port-randomization-00.txt
References: <157262391705.31923.311801865037196489@ietfa.amsl.com> <20191113112126.GA2634@localhost>
In-Reply-To: <20191113112126.GA2634@localhost>
Mime-version: 1.0
Importance: Normal
X-Priority: 3
Thread-Index: AZ2x3tU+YWM5MzFiZWI5NDg3NTJlMA==
From: Heiko Gerstung <heiko.gerstung@meinberg.de>
To: Miroslav Lichvar <mlichvar@redhat.com>, "ntp@ietf.org" <ntp@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: clamav-milter 0.101.4 at server1a
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/bc8-AOdgwCiWHggCAezt67d1bCc>
Subject: Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomization-00.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2019 13:27:35 -0000
Hi Miroslav, I find the reasoning very convincing and very well explained. Best Regards, Heiko -- Heiko Gerstung Managing Director MEINBERG® Funkuhren GmbH & Co. KG Lange Wand 9 D-31812 Bad Pyrmont, Germany Phone: +49 (0)5281 9309-404 Fax: +49 (0)5281 9309-9404 Amtsgericht Hannover 17HRA 100322 Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung Email: heiko.gerstung@meinberg.de Web: Deutsch https://www.meinberg.de English https://www.meinbergglobal.com Do not miss our Time Synchronization Blog: https://blog.meinbergglobal.com Connect via LinkedIn: https://www.linkedin.com/in/heikogerstung Am 13.11.19, 12:22 schrieb "ntp im Auftrag von Miroslav Lichvar" <ntp-bounces@ietf.org im Auftrag von mlichvar@redhat.com>: On Fri, Nov 01, 2019 at 08:58:37AM -0700, internet-drafts@ietf.org wrote: > https://tools.ietf.org/html/draft-ietf-ntp-port-randomization-00 This document describes a per-association and per-request approach for randomizing the client's port number with some of their advantages and disadvantages. It currently strongly recommends the per-association approach for all clients. For a typical client running on an OS it is about opening and closing sockets. Should it keep one socket open for the lifetime of the association, or should it open a new socket before each request? I'd like to propose changing the recommendation to the per-request approach for the following reasons: - It seems to be the current practice. From the implementations that I'm familiar with and that use a random source port, each one opens a new socket for each request, at least by default. On my public servers I see that most clients do change their port over time. - It doesn't seem like a good idea to require a client to keep its port open when it's not waiting for a response. If it received a valid response, or didn't receive a valid response in few seconds after sending the request, it should close the port. - The port number may be discoverable by other means, so it should change frequently. For example, the attacker could try sending packets to all ports and observe which one changed a value reported by the client in a monitoring protocol (e.g. mode 6). If the attacker can determine the port number, which cannot be prevented in the general case, the time for which it is useful for attacks should be limited. Does that make sense? -- Miroslav Lichvar _______________________________________________ ntp mailing list ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] I-D Action: draft-ietf-ntp-port-randomizati… internet-drafts
- Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomi… Miroslav Lichvar
- [Ntp] Antw: Re: I-D Action: draft-ietf-ntp-port-r… Ulrich Windl
- Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomi… Heiko Gerstung
- Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomi… Salz, Rich
- Re: [Ntp] Antw: Re: I-D Action: draft-ietf-ntp-po… Miroslav Lichvar
- Re: [Ntp] Antw: Re: I-D Action: draft-ietf-ntp-po… Salz, Rich
- [Ntp] Antw: Re: Antw: Re: I-D Action: draft-ietf-… Ulrich Windl
- Re: [Ntp] Antw: Re: Antw: Re: I-D Action: draft-i… Miroslav Lichvar
- Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomi… Fernando Gont
- Re: [Ntp] Antw: Re: I-D Action: draft-ietf-ntp-po… Fernando Gont
- Re: [Ntp] I-D Action: draft-ietf-ntp-port-randomi… Miroslav Lichvar