Re: [Ntp] WGLC on draft-ietf-alternative-port-01

Watson Ladd <> Thu, 29 July 2021 03:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 958673A1243 for <>; Wed, 28 Jul 2021 20:12:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dIZ5Z-BNenv2 for <>; Wed, 28 Jul 2021 20:12:40 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E633E3A1240 for <>; Wed, 28 Jul 2021 20:12:39 -0700 (PDT)
Received: by with SMTP id yk17so315397ejb.11 for <>; Wed, 28 Jul 2021 20:12:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6/c0guXiW320CGLUq5Ihe7DzY9RoNJ2Wa9rXPUO3M8s=; b=rOyTEUbU2UJhqtYAQ8sX1M09t18ZSxMEvb5GgSJBF5s6qxRZ+3+3MKveNvEG7crBko J/U3DXYfn6EH7pjqCAvcWpvyIN6rgJmgxTP9gpHknPzy/loBVGB2xYIgH1p6LpmIk44I 8K0aUycGTp0mbScsR5aIPbSKFlEw/Ae3i3t9tXc9jGR7/xHH/GB4dNeEGrO7bywBvTTR gfV2XSyiC5t7w0H4fPOf8UkOS7I2C6D7Xs4nRwaeguJAhPtGyae3mY0qBRfg552nUHw3 SdCjJGTu0bcDD/j5F/ZiVDdvum6bbh4GXfeHpB6hYbkEd2G7iYdQY/uuA5H0FH4hUOUX ReYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6/c0guXiW320CGLUq5Ihe7DzY9RoNJ2Wa9rXPUO3M8s=; b=Bm6wxCj0EBsI/4zDs6V0z4sAGZJDkL4uOrk4qwGkI/5PRLtb3ehjzk1i08ip4lkZm4 BYN+U8tk6hEX5AIkV7YG3ZNQjEOGNudAusge/qpNPFXEJqMyAZ2gp6sjumltnWT394rK YwD/oo34D3QilX7np8LXyDEJxbFlGK/l6zi8fOat0c9sBlCuiXPfTRdoSFQ1NFaG31dj sM+tkQXW1KMS6vlKGyLK2VY0mnmZZqoltjE8OkmBW+BzJsi0TySXFPZAg9cfftqjCdKu INyjSGzySoJ6Bpx4JfzY2QadBdWcby1uYLfu6pDPMYwurtZ8Z/OGl3c59CgDCQuYgHXl qAlw==
X-Gm-Message-State: AOAM531bThnpkcjN7jNKRR9719VkEdULF8HfKNvqPzqHz9DR4Z4apxZm LA/jSrNrBEdd8XTIj4HTRXr3hKBA/flh0T75XlA=
X-Google-Smtp-Source: ABdhPJwomCEsowlleRLYGo5GEJPI77kHBROIb83LJN89oZoqRn2AAZHKCtKC61WkBeTfcbd3853RqSZiRkqF/Tk/+iY=
X-Received: by 2002:a17:906:38c8:: with SMTP id r8mr2529434ejd.172.1627528356749; Wed, 28 Jul 2021 20:12:36 -0700 (PDT)
MIME-Version: 1.0
References: <> <YNMbMd+3dDjAnIDP@localhost> <> <> <> <> <YP562akF+CL/9R5s@localhost>
In-Reply-To: <YP562akF+CL/9R5s@localhost>
From: Watson Ladd <>
Date: Wed, 28 Jul 2021 20:12:25 -0700
Message-ID: <>
To: Miroslav Lichvar <>
Cc: Danny Mayer <>, Dieter Sibold <>, NTP WG <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [Ntp] WGLC on draft-ietf-alternative-port-01
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Jul 2021 03:12:42 -0000

On Mon, Jul 26, 2021 at 2:05 AM Miroslav Lichvar <> wrote:
> On Sun, Jul 25, 2021 at 07:46:28PM -0400, Danny Mayer wrote:
> > I have now come to the conclusion that this should NOT be accepted. Based on
> > a conversation I had recently something like 70% of all traffic is still NTP
> > V3 so this would not have any effect on them. Millions of firewalls would
> > need to be changed. While the idea is generally good, it's not practical.
> The draft is not specific to NTPv4. NTPv3 clients can be updated to
> use the alternative port too. On the public servers I'm running, with
> one exception (India), the observed NTPv3 share is below 10% anyway.
> > An easier and more practical proposal would be to remove mode 6 and 7
> > packets from the existing protocol and require that those types of packets
> > and information be done on a separate port or even use TCP.
> I don't see how would that be better. If you write a new document that
> forbids mode 6/7 on port 123, how will that fix the existing devices
> that still respond to it?
> It's now over 7 years since the large-scale DDoS attacks started. If
> everyone fixed configuration of their devices to not respond to the
> modes, ISPs wouldn't be using the NTP rate-limiting middleboxes and we
> wouldn't have this discussion.
> Port 123 seems to be doomed, at least for the near future. The
> alternative port gives us a way forward. Yes, the adoption on the
> global scale will probably take a long time, but at least people who
> are most impacted will be able to do something to fix it (update their
> NTP servers and clients).

We see issues at Cloudflare with packet delivery on port 123. ISP
middleboxes are going to police by length, and an alternative port is
the way forward. There is much less policing on the alternative ports.

Watson Ladd

> --
> Miroslav Lichvar

Astra mortemque praestare gradatim