Re: [Ntp] [EXT] Re: NTPv5 KISS code support
"Windl, Ulrich" <u.windl@ukr.de> Fri, 03 November 2023 06:47 UTC
Return-Path: <u.windl@ukr.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21BB5C16F3FC for <ntp@ietfa.amsl.com>; Thu, 2 Nov 2023 23:47:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m_53XAQ1el7i for <ntp@ietfa.amsl.com>; Thu, 2 Nov 2023 23:47:22 -0700 (PDT)
Received: from mail01.ukr.de (mail01.ukr.de [193.175.194.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0E3BC15C2A5 for <ntp@ietf.org>; Thu, 2 Nov 2023 23:47:21 -0700 (PDT)
X-CSE-ConnectionGUID: A1RVPga3TPGZ7vpEWNWlLQ==
X-CSE-MsgGUID: X6tv3Qy/SqeBvs3RQS7mWg==
X-ThreatScanner-Verdict: Negative
X-IronPort-AV: E=McAfee;i="6600,9927,10882"; a="438935"
X-IronPort-AV: E=Sophos;i="6.03,273,1694728800"; d="scan'208";a="438935"
Received: from unknown (HELO ukr-excmb01.ukr.local) ([172.24.6.61]) by dmz-infcsg01.ukr.dmz with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Nov 2023 07:47:18 +0100
Received: from ukr-excmb03.ukr.local (172.24.6.63) by ukr-excmb01.ukr.local (172.24.6.61) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.34; Fri, 3 Nov 2023 07:47:18 +0100
Received: from ukr-excmb03.ukr.local ([fe80::1cb4:6e0c:6da4:a8a0]) by ukr-excmb03.ukr.local ([fe80::1cb4:6e0c:6da4:a8a0%4]) with mapi id 15.01.2507.034; Fri, 3 Nov 2023 07:47:18 +0100
From: "Windl, Ulrich" <u.windl@ukr.de>
To: Miroslav Lichvar <mlichvar@redhat.com>, David Venhoek <david@venhoek.nl>
CC: NTP WG <ntp@ietf.org>
Thread-Topic: [EXT] Re: [Ntp] NTPv5 KISS code support
Thread-Index: AQHaDWyNsw8tqUih0kePjwpr0l4st7BoJ2xA
Date: Fri, 03 Nov 2023 06:47:18 +0000
Message-ID: <960aba9f833b4461863ea165df632ea5@ukr.de>
References: <CAPz_-SWRUTB2wQeLg5wS_c34D-7R-Ngcek13rzknyiGf9iG-tA@mail.gmail.com> <ZUNnqmnEVDx1538O@localhost>
In-Reply-To: <ZUNnqmnEVDx1538O@localhost>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.24.3.1]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/btr17oDq6uWWOfNItbggMufDYXc>
Subject: Re: [Ntp] [EXT] Re: NTPv5 KISS code support
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 06:47:26 -0000
Hi! So you are saying the KoD (Kiss of Death) as it is specified now is broken by design? I see two possibilities: 1) Drop the concept for NTPv5 2) Improve the concept for NTPv5 Basically I think KoD is a good idea to inform the client about an issue the server sees, be it technical or political (policy). Kind Regards, Ulrich Windl -----Original Message----- From: ntp <ntp-bounces@ietf.org> On Behalf Of Miroslav Lichvar Sent: Thursday, November 2, 2023 10:11 AM To: David Venhoek <david@venhoek.nl> Cc: NTP WG <ntp@ietf.org> Subject: [EXT] Re: [Ntp] NTPv5 KISS code support On Wed, Nov 01, 2023 at 03:37:44PM +0100, David Venhoek wrote: > Hi All, > > I have made a pull request with suggested wording for including kiss > code support in ntpv5. The PR can be found > athttps://github.com/mlichvar/draft-ntp-ntpv5/pull/9, the suggested > patch is also included below for completeness. Please do share any > feedback regarding the chosen design, this looked good to me but there > may be better approaches. This looks similar to the description of DENY, RSTR, RATE codes in RFC 5905. One problem is that it's a security issue, a denial of service for the client. A single spoofed response shouldn't be able to completely break synchronization with a server. There needs to be some maximum poll value specificied for RATE and some interval specified for RSTR and DENY. With that, I would ask how is it better than what we already have with the suggested poll interval returned in a normal server response. The other issue is the most buggy clients that would need this handling are least likely to implement it, at least that's what we have seen with (S)NTPv4 implementations. With the most severe bugs that lead to flooding of servers (e.g. in systemd-timesyncd and Fortigate firewalls for example), handling of these codes wouldn't make a difference anyway. By the time the client receives a response from the server, it has already sent another request, so it couldn't accept it as valid even if it had this functionality implemented. -- Miroslav Lichvar _______________________________________________ ntp mailing list ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] KISS => NAT => Rate limiting Windl, Ulrich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Ira McDonald
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- [Ntp] KISS => NAT => Rate limiting Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- [Ntp] Rate limiting/reflection prevention (Was: N… David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Salz, Rich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Forrest Christian (List Account)