Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
Miroslav Lichvar <mlichvar@redhat.com> Tue, 07 December 2021 10:21 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7DA43A14D8 for <ntp@ietfa.amsl.com>; Tue, 7 Dec 2021 02:21:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dg5ikMH_L-Ws for <ntp@ietfa.amsl.com>; Tue, 7 Dec 2021 02:21:25 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B56D3A14D6 for <ntp@ietf.org>; Tue, 7 Dec 2021 02:21:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1638872484; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=GSznxmBIOlZ4hkGV8TIXNkx8LW6NPUQTT+kBDm0YB/I=; b=HQP2IUh1ZnOOd7n2hZ+j1V+Vqvd8zdhfFBwwY9Roj2Y813R/60V5Cisy7aqEhS1EhfaW0W nkzkIurc4n8RHX6eAckSA8PfdLD6ifcQpDzci+dnn6UNItCdUtiU3IE3geHaDTbWaYbo7w mhqHTAFrwuFEqyqVcZYTSymVTAWHh54=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-453-6-_x0bl2OhemzP4rbW5aAA-1; Tue, 07 Dec 2021 05:21:20 -0500
X-MC-Unique: 6-_x0bl2OhemzP4rbW5aAA-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C7CF4363A4; Tue, 7 Dec 2021 10:21:18 +0000 (UTC)
Received: from localhost (unknown [10.43.135.229]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4AEBD60BF1; Tue, 7 Dec 2021 10:21:14 +0000 (UTC)
Date: Tue, 07 Dec 2021 11:21:13 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Martin Burnicki <martin.burnicki@meinberg.de>
Cc: Danny Mayer <mayer@pdmconsulting.net>, "C. M. Heard" <heard@pobox.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>, NTP WG <ntp@ietf.org>, Joe Touch <touch@strayalpha.com>, TSVWG <tsvwg@ietf.org>, Steven Sommars <stevesommarsntp@gmail.com>, Harlan Stenn <stenn@nwtime.org>, iana-port-experts@icann.org, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>, Hal Murray <halmurray@sonic.net>
Message-ID: <Ya81mYy8/EuH8ilY@localhost>
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com> <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com> <CACL_3VENkyebRf25W6EpW0yZY6ELYS41A4D_i+RnQE1M21P2hg@mail.gmail.com> <Ya3fLJCHUsm1wE28@localhost> <90723c26-0352-a4d1-f765-eb26b1522954@pdmconsulting.net> <bf78924b-69bc-760e-cc7f-e6896504e194@meinberg.de>
MIME-Version: 1.0
In-Reply-To: <bf78924b-69bc-760e-cc7f-e6896504e194@meinberg.de>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/f8Une_2kvjYsfUT2Md1KVJByZT0>
X-Mailman-Approved-At: Tue, 07 Dec 2021 04:39:21 -0800
Subject: Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2021 10:21:29 -0000
On Tue, Dec 07, 2021 at 10:23:10AM +0100, Martin Burnicki wrote: > I find it ridiculous to start using a new port for NTP because some admins > block the original, well-known port because many years ago there was a > possibility for DDoS for servers that weren't properly configured. That possibility still exists. It's a security issue in the protocol. The modes 6 and 7, and Autokey cannot be fixed without breaking compatibility. They cannot be exposed to Internet. On my public servers I still see scans looking for the amplification commands. If everyone suddenly stopped blocking NTP, I think we would see an explosion in the amplification attacks. It is not just some admin in a random company deciding to block NTP. It's major ISPs with millions of customers and huge transit networks in the Internet. We cannot expect them to be asking individual owners of misconfigured servers to fix their stuff and keep watching them indefinitely. I assume your products don't support NTS yet? I think you would have have a different view on the subject with customers complaining it doesn't work reliably. > What if that would be done for any service for which there was a security > problem in the past? Would a new port e.g. for DNS be proposed just because > some DNS servers that weren't properly configured could be misused? Well, DNS has this issue too. It allows traffic amplification and it's a big issue that requires a lot of resources to keep it running. But unlike DNS, NTP cannot fall back to TCP. Fortunately, NTP as a time synchronization protocol exchanging constant amount of data does not need any amplification. It can be easily restricted to a non-amplifying subset. -- Miroslav Lichvar
- [Ntp] Tsvart early review of draft-ietf-ntp-alter… Magnus Westerlund via Datatracker
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Steven Sommars
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] Tsvart early review of draft-ietf-ntp-a… Erik Kline
- [Ntp] Antw: [EXT] Re: [Tsv‑art] Tsvart early revi… Ulrich Windl
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Hal Murray
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Danny Mayer
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… touch@strayalpha.com
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… touch@strayalpha.com
- [Ntp] Antw: Re: [tsvwg] Antw: [EXT] Re: [Tsv‑art]… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Martin Burnicki
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Joe Touch
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Hal Murray
- Re: [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvar… Watson Ladd