Re: [Ntp] [EXT] KISS => NAT => Rate limiting
"Windl, Ulrich" <u.windl@ukr.de> Fri, 03 November 2023 07:13 UTC
Return-Path: <u.windl@ukr.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0BA3C16F3E4 for <ntp@ietfa.amsl.com>; Fri, 3 Nov 2023 00:13:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6R_Q43HEPeF for <ntp@ietfa.amsl.com>; Fri, 3 Nov 2023 00:12:59 -0700 (PDT)
Received: from mail01.ukr.de (mail01.ukr.de [193.175.194.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B78FC151553 for <ntp@ietf.org>; Fri, 3 Nov 2023 00:12:56 -0700 (PDT)
X-CSE-ConnectionGUID: r1f3pN2cQNKU3JH2TfRKhQ==
X-CSE-MsgGUID: QEOnY34ITIGnWhf90WEh6Q==
X-ThreatScanner-Verdict: Negative
X-IronPort-AV: E=McAfee;i="6600,9927,10882"; a="439018"
X-IronPort-AV: E=Sophos;i="6.03,273,1694728800"; d="scan'208";a="439018"
Received: from unknown (HELO ukr-excmb02.ukr.local) ([172.24.6.62]) by dmz-infcsg01.ukr.dmz with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Nov 2023 08:12:53 +0100
Received: from ukr-excmb03.ukr.local (172.24.6.63) by ukr-excmb02.ukr.local (172.24.6.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.34; Fri, 3 Nov 2023 08:12:52 +0100
Received: from ukr-excmb03.ukr.local ([fe80::1cb4:6e0c:6da4:a8a0]) by ukr-excmb03.ukr.local ([fe80::1cb4:6e0c:6da4:a8a0%4]) with mapi id 15.01.2507.034; Fri, 3 Nov 2023 08:12:52 +0100
From: "Windl, Ulrich" <u.windl@ukr.de>
To: Hal Murray <halmurray+ietf@sonic.net>, NTP WG <ntp@ietf.org>
Thread-Topic: [EXT] [Ntp] KISS => NAT => Rate limiting
Thread-Index: AQHaDgMelGe0MqqIWU60QHDGy+/98LBoK25A
Date: Fri, 03 Nov 2023 07:12:52 +0000
Message-ID: <37b5baed943b48939b5d994e5b1d8716@ukr.de>
References: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Thu, 02 Nov 2023 10:11:06 +0100." <ZUNnqmnEVDx1538O@localhost> <20231103030850.854FB28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20231103030850.854FB28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.24.3.1]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/gsn5LaEQ9aDdVydAllOdW0cxqAY>
Subject: Re: [Ntp] [EXT] KISS => NAT => Rate limiting
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 07:13:02 -0000
Hi! I think it's a complex topic. Obviously if clients do what they want, and servers do what they want, that would break any protocol. So obviously clients should be well-behaving, and servers should enforce some policy, at least as an option. And I think it's important to at least try to inform clients about the policy decisions at the server's side. And there are always exceptions to the rule. I admit that I mis-use NTP occasionally to evaluate the quality of the network, collecting long-term statistics, but also doing some rapid bursts of NTP packets (in our LAN). In the past there were some valid surveys collecting data from many servers, while today such "surveys" might be considered to be DDoS attacks. Finally wanting anonymous clients makes it hard to "respond" to a specific client. So I think "anonymous client" (call it "data minimization") should be an option, not necessarily the default. I guess public servers don't want to be "anonymous clients". Just a few thoughts... Kind regards, Ulrich WIndl -----Original Message----- From: ntp <ntp-bounces@ietf.org> On Behalf Of Hal Murray Sent: Friday, November 3, 2023 4:09 AM To: NTP WG <ntp@ietf.org> Cc: Hal Murray <halmurray+ietf@sonic.net> Subject: [EXT] [Ntp] KISS => NAT => Rate limiting Yet another problem with KISS is that it doesn't work with NAT. A server can't distinguish a slightly misbehaving client from a handful of clients behind a NAT box. With modern gear, is there any reason to tell a well behaving client to slow down? Should we pick a number, say 64 seconds, and say "Get permission from the operator if you want to send faster than that."? How does that work with iburst or ntpdate that send several packets on short intervals and then become reasonable? NAT gets involved with another tangle. Do we need to think about rate limiting so NTP servers can't be used as reflectors to hide the true source of a DoS attack? Is there an IETF group that thinks about UDP and rate limiting? I've been using a limit of 1 packet per second on a couple of pool servers. That seems generous. I've got a 20 second time constant on the filter so short bursts will work. Even if they are all polling at 64 seconds, that will handle several boxes behind NAT. (Handwave about getting started if they use iburst and all start at the same time like after a power failure and you are on the high side of several...) If you look at the traffic, and ignore the known broken senders, there is another layer of busy boxes. They are borderline abusive, more than 1 packet per second, less than 1000s that we get from the seriously broken boxes. I think they are NAT. I should probably try harder to contact the owners... I can see 2 approaches to getting around rate limiting if we decide that is appropriate. One is to get ISPs to run NTP servers and their customers to use them. The other is to setup a registry for IP Addresses of NAT boxes and have the servers allow more traffic from them. Any other ideas? -- These are my opinions. I hate spam. _______________________________________________ ntp mailing list ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] KISS => NAT => Rate limiting Windl, Ulrich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Ira McDonald
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- [Ntp] KISS => NAT => Rate limiting Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- [Ntp] Rate limiting/reflection prevention (Was: N… David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Salz, Rich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Forrest Christian (List Account)