Re: [Ntp] NTS IANA request
Daniel Franke <dfoxfranke@gmail.com> Thu, 06 June 2019 18:28 UTC
Return-Path: <dfoxfranke@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A8B91200B9 for <ntp@ietfa.amsl.com>; Thu, 6 Jun 2019 11:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f56bRvzANpAQ for <ntp@ietfa.amsl.com>; Thu, 6 Jun 2019 11:28:41 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C5A7120077 for <ntp@ietf.org>; Thu, 6 Jun 2019 11:28:41 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id i10so946118iol.13 for <ntp@ietf.org>; Thu, 06 Jun 2019 11:28:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KKNVrml+S+871rrr5/ZSqqH98paNsDMrFkx4azCLhY4=; b=LoL/Y5q/k82jDVyJoucSQBCE17J+0bRiXzLcrbjGtGQwYF13bEK8VBnGhs18oAv4Tu WChavaqKqIFtkO1my3eTqRhzWzvNVcm0N959uRtICUcO3pTK4PgCtyiN7oYD30IsHGXa 2C++eIwhfCcQRZ1bnsKEYz0B5oAEJUsy7wUstxOu2zViPF6XNE6/IVwN/pGx+ilktoTg YI0Yzpe50p2gc3tC1jEBAgF72Lm2uGeS2+e8v1/UufXrfJA5r4TfeJg2z4KTpDOydYK8 /jetUDfJcLaLrcHn6iko/5bFdZXmYjqkS8qBqgMWTF6gl6QFqy1ngpXqFecfmG/sIpvb fRog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KKNVrml+S+871rrr5/ZSqqH98paNsDMrFkx4azCLhY4=; b=uWoK99nHQYdY/Ws5y9kiwB5dfcYyQUpPUtnaQq6nX3cJx8VpUvg45N2KXHZMYuGxkE Cf3NAQBoeGN59jEHopku8vtRn2Tlob/45mNPWCV29YpadnL5yHkNz1t/NWg8TS/Rl2iq a5m/Nri7IJSE5xwR6ANrdasbtYoEiv1DbujrvTu4qI18xS/CG12zSRrJOCP6s6lpaI4E hfdheuRg10mI/KS3lhW15UoT5O5WBpOknapyQZHaXkiJQWALcKVnyJBN3G9qX2ZxgXNL bxC31eNntKUH7l7oCC9IBWS55kldnQ0gIQCFnpwR/FwewwxX5d4Ahvm1Pmx2P6ezd+1w ja6w==
X-Gm-Message-State: APjAAAW6m9inNY3VfoSSKJwPoKsGNtlRLEKadcY9XkDa8Iul3slrw0Xj jLbJIyV83yd/wZPU7eKY4fbrqItE/ITobV08kI0=
X-Google-Smtp-Source: APXvYqy/Dv6UJYrbgdyCGjavIH6WdEhFYf/RvdEQgu6nEJI4ijtKhAlfs4bL4AJiyNwQJz4yNnia3J99xpMbb8760V8=
X-Received: by 2002:a6b:6f06:: with SMTP id k6mr10581020ioc.32.1559845720334; Thu, 06 Jun 2019 11:28:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAN2QdAH9Uh_wYSEizgYTjd4Q6VFQT+tvH8dnbPgKKc59+vEfng@mail.gmail.com> <a123d81b-4994-9e35-58eb-6845cf439f91@nwtime.org> <20190605164753.6e71fcaa@rellim.com> <03055E77-EB42-494E-A231-039C4603E256@akamai.com> <CAJm83bDYZ+vcwkhFEf2YCAVwKcSm7rEgbuB0Wwsvm5XVVAMjuQ@mail.gmail.com> <C8E4189E-E3A1-4926-AF0F-93BE9C7255C8@akamai.com>
In-Reply-To: <C8E4189E-E3A1-4926-AF0F-93BE9C7255C8@akamai.com>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Thu, 06 Jun 2019 14:28:28 -0400
Message-ID: <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "ntp@ietf.org" <ntp@ietf.org>, "Gary E. Miller" <gem@rellim.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/czd8HZ7d8lY_I9g48uJVy3ryACc>
Subject: Re: [Ntp] NTS IANA request
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2019 18:28:42 -0000
As a slight tangent, we never concluded the discussion as to what we're going to do about the fact that so many ISPs are dropping 123/udp traffic with payloads larger than 48 bytes. I think we got as far as concluding: 1. We're never going to persuade enough ISPs to change their policy, making 123/udp basically doomed. 2. NTS-KE's port negotiation record gives us all the mechanism we need in order to run NTP-with-NTS over an alternate port. But that left an unresolved question: do we allocate a fixed alternate UDP port, or should servers ask the OS for a dynamic port and then use NTS-KE to advertise whatever the OS assigns to them? Both choices have firewall-related drawbacks. If we use a fixed port, we risk landing ourselves right back in the same situation we're in today with 123. At minimum, to protect ourselves from this, the NTF would have to commit to adding some code to ntpd such that it will refuse to ever send mode 6 or 7 responses over the new port no matter what configuration the user gives it. (Yes, mode 6 too, because mode 6 still amplifies, just not as severely as mode 7 does). If we use a dynamic port, then it becomes much harder for ISPs to block us, but it also becomes harder for corporate firewalls with a default-deny-all policy to let us through. On Thu, Jun 6, 2019 at 1:06 PM Salz, Rich <rsalz@akamai.com> wrote: > > > I'm strongly opposed to modifying NTS-KE to involve sending a STARTTLS > as a first step of the handshake. I don't want to make a breaking > change to a protocol that's passed WGLC and has four interoperating > implementations in order to accommodate a protocol that has never been > implemented and whose specification consists of three vague sentences > in an unadopted and expired I-D. > > I wasn't strongly advocating either mechanism, just trying to explain how things could share a port if that's what we wanted to do. > > For the record, since I see no definition of NTP/TLS, I am in favor of assigning 123/TCP to NTS. > >
- [Ntp] NTS IANA request Watson Ladd
- Re: [Ntp] NTS IANA request Harlan Stenn
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Gary E. Miller
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Hal Murray
- Re: [Ntp] NTS IANA request Heiko Gerstung
- Re: [Ntp] NTS IANA request Miroslav Lichvar
- Re: [Ntp] NTS IANA request Salz, Rich
- Re: [Ntp] NTS IANA request Salz, Rich
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Salz, Rich
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Harlan Stenn
- Re: [Ntp] NTS IANA request Harlan Stenn
- Re: [Ntp] NTS IANA request kodonog@pobox.com
- Re: [Ntp] NTS IANA request kodonog@pobox.com
- Re: [Ntp] NTS IANA request Heiko Gerstung
- Re: [Ntp] NTS IANA request Hal Murray
- Re: [Ntp] NTS IANA request Danny Mayer
- Re: [Ntp] NTS IANA request Warner Losh
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Watson Ladd
- Re: [Ntp] NTS IANA request Majdi S. Abbas
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Majdi S. Abbas
- Re: [Ntp] NTS IANA request Watson Ladd
- Re: [Ntp] NTS IANA request Harlan Stenn
- Re: [Ntp] NTS IANA request Watson Ladd
- Re: [Ntp] NTS IANA request tglassey@earthlink.net
- Re: [Ntp] NTS IANA request tglassey@earthlink.net
- Re: [Ntp] NTS IANA request tglassey@earthlink.net
- [Ntp] Antw: Re: NTS IANA request Ulrich Windl