Re: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)

" " <> Wed, 29 May 2019 05:58 UTC

To: "Harlan Stenn" <>,
From: "tglassey@earthlink.net" <>
Date: Wed, 29 May 2019 08:58:31 +0300

Yes Harlan, if you know you are being attacked the server can set itself as unavailable or untrustable until it recertifies. Information integrity is key for historical auditing of timestamps.


Sent from my HTC, so please excuse any typos.

----- Reply message -----
From: "Harlan Stenn" <>
To: <>
Subject: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)
Date: Wed, May 29, 2019 08:20

On 5/28/2019 9:37 PM, Fernando Gont wrote:
> On 28/5/19 23:20, Majdi S. Abbas wrote:
>> Fernando,
>>     Randomizing the source port is pointless.  As Danny has noted, t1 already acts as a 2^64 nonce on each client mode chime request.  This sufficiently hardens the unauthenticated case to an off path attacker.  If additional security is required, authentication (via classic PSK, or NTS modes) should be used.
>>     Per session randomization doesn't resolve these issues -- the stated rationale for both the draft and filed CVE is hardening to off path attacks, which we've just covered.
>>     "Because it's best practice" isn't a reason -- it's a crutch to save a draft that was filed due to an insufficient understanding of RFC 5905 and current implementations of NTPv4.  
> Oh, by the way. While you enlighten me why you need a fixed well-known
> port number for the client, and how necessary this is, please also
> elaborate on how I'm running multiple NTP clients behind a NAT box.

Nobody seems to be saying there is benefit to *only* using the
well-known port number when sending a client request.  People are saying
that requiring this in all cases doesn't buy any significant benefit.

Of course it's fine if an NTP client goes through a NAT gateway.

So here's a related question for you:

Is there benefit to knowing if you are being attacked?

> Thanks,

Harlan Stenn, Network Time Foundation - be a Member!
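As an added example (not code from this thread, the draft, or any NTP implementation), here is a minimal client-side check that uses the Transmit Timestamp T1 as the per-request nonce Majdi refers to, and counts mismatched replies as the "are we being attacked?" signal Harlan asks about. The 48-byte packet layout follows RFC 5905; `build_server_reply` is a constructed stand-in for a server, and the random fraction bits in T1 are this example's choice.

```python
import os
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
HEADER_FMT = "!BBBbIII"        # LI/VN/Mode, stratum, poll, precision, root delay, root disp, ref id
TIMESTAMPS_FMT = "!QQQQ"       # reference, origin, receive, transmit (64-bit NTP timestamps)


def make_transmit_timestamp(now=None):
    """64-bit NTP timestamp for T1; the 32-bit fraction is filled with random bytes
    (constructed choice) so the value is not guessable by someone who never saw the request."""
    secs = (int(now if now is not None else time.time()) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int.from_bytes(os.urandom(4), "big")
    return (secs << 32) | frac


def origin_timestamp(pkt):
    return struct.unpack("!Q", pkt[24:32])[0]   # Origin Timestamp field


def transmit_timestamp(pkt):
    return struct.unpack("!Q", pkt[40:48])[0]   # Transmit Timestamp field


class NtpClientState:
    """Per-association state: the T1 awaiting a reply, plus a bogus-reply counter
    a client can expose as an 'am I being attacked?' indicator."""
    def __init__(self):
        self.pending_t1 = None
        self.bogus_replies = 0


def issue_request(state):
    """Build a mode-3 client request and remember its T1 as the expected Origin."""
    t1 = make_transmit_timestamp()
    state.pending_t1 = t1
    return struct.pack(HEADER_FMT, 0x23, 0, 0, 0, 0, 0, 0) + struct.pack(TIMESTAMPS_FMT, 0, 0, 0, t1)


def build_server_reply(request, t2, t3):
    """Constructed stand-in for a server: mode 4, Origin copied from the request's Transmit."""
    header = struct.pack(HEADER_FMT, 0x24, 2, 0, -20, 0, 0, 0x4C4F434C)  # ref id "LOCL"
    return header + struct.pack(TIMESTAMPS_FMT, 0, transmit_timestamp(request), t2, t3)


def accept_reply(state, reply):
    """Accept only a mode-4 reply whose Origin equals the outstanding T1; each T1 is
    consumed once, so a replayed copy of a good reply is rejected as well."""
    well_formed = len(reply) >= 48 and (reply[0] & 0x07) == 4
    if not well_formed or state.pending_t1 is None or origin_timestamp(reply) != state.pending_t1:
        state.bogus_replies += 1
        return False
    state.pending_t1 = None
    return True
```

A reply from the wrong source address or port would be dropped by the socket layer before this check; the Origin comparison is what an off-path sender must satisfy once it has guessed those.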
