Re: [Ntp] [EXT] KISS => NAT => Rate limiting

"Windl, Ulrich" <u.windl@ukr.de> Fri, 03 November 2023 07:13 UTC

Return-Path: <u.windl@ukr.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0BA3C16F3E4 for <ntp@ietfa.amsl.com>; Fri, 3 Nov 2023 00:13:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6R_Q43HEPeF for <ntp@ietfa.amsl.com>; Fri, 3 Nov 2023 00:12:59 -0700 (PDT)
Received: from mail01.ukr.de (mail01.ukr.de [193.175.194.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B78FC151553 for <ntp@ietf.org>; Fri, 3 Nov 2023 00:12:56 -0700 (PDT)
X-CSE-ConnectionGUID: r1f3pN2cQNKU3JH2TfRKhQ==
X-CSE-MsgGUID: QEOnY34ITIGnWhf90WEh6Q==
X-ThreatScanner-Verdict: Negative
X-IronPort-AV: E=McAfee;i="6600,9927,10882"; a="439018"
X-IronPort-AV: E=Sophos;i="6.03,273,1694728800"; d="scan'208";a="439018"
Received: from unknown (HELO ukr-excmb02.ukr.local) ([172.24.6.62]) by dmz-infcsg01.ukr.dmz with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Nov 2023 08:12:53 +0100
Received: from ukr-excmb03.ukr.local (172.24.6.63) by ukr-excmb02.ukr.local (172.24.6.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.34; Fri, 3 Nov 2023 08:12:52 +0100
Received: from ukr-excmb03.ukr.local ([fe80::1cb4:6e0c:6da4:a8a0]) by ukr-excmb03.ukr.local ([fe80::1cb4:6e0c:6da4:a8a0%4]) with mapi id 15.01.2507.034; Fri, 3 Nov 2023 08:12:52 +0100
From: "Windl, Ulrich" <u.windl@ukr.de>
To: Hal Murray <halmurray+ietf@sonic.net>, NTP WG <ntp@ietf.org>
Thread-Topic: [EXT] [Ntp] KISS => NAT => Rate limiting
Thread-Index: AQHaDgMelGe0MqqIWU60QHDGy+/98LBoK25A
Date: Fri, 03 Nov 2023 07:12:52 +0000
Message-ID: <37b5baed943b48939b5d994e5b1d8716@ukr.de>
References: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Thu, 02 Nov 2023 10:11:06 +0100." <ZUNnqmnEVDx1538O@localhost> <20231103030850.854FB28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20231103030850.854FB28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.24.3.1]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/gsn5LaEQ9aDdVydAllOdW0cxqAY>
Subject: Re: [Ntp] [EXT] KISS => NAT => Rate limiting
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 07:13:02 -0000

Hi!

I think it's a complex topic. Obviously if clients do what they want, and servers do what they want, that would break any protocol.
So obviously clients should be well-behaving, and servers should enforce some policy, at least as an option.
And I think it's important to at least try to inform clients about the policy decisions at the server's side.

And there are always exceptions to the rule. I admit that I mis-use NTP occasionally to evaluate the quality of the network, collecting long-term statistics, but also doing some rapid bursts of NTP packets (in our LAN).
In the past there were some valid surveys collecting data from many servers, while today such "surveys" might be considered to be DDoS attacks.

Finally wanting anonymous clients makes it hard to "respond" to a specific client. So I think "anonymous client" (call it "data minimization") should be an option, not necessarily the default.
I guess public servers don't want to be "anonymous clients".

Just a few thoughts...

Kind regards,
Ulrich WIndl

-----Original Message-----
From: ntp <ntp-bounces@ietf.org> On Behalf Of Hal Murray
Sent: Friday, November 3, 2023 4:09 AM
To: NTP WG <ntp@ietf.org>
Cc: Hal Murray <halmurray+ietf@sonic.net>
Subject: [EXT] [Ntp] KISS => NAT => Rate limiting


Yet another problem with KISS is that it doesn't work with NAT.  A server 
can't distinguish a slightly misbehaving client from a handful of clients 
behind a NAT box.

With modern gear, is there any reason to tell a well behaving client to slow 
down?  Should we pick a number, say 64 seconds, and say "Get permission from 
the operator if you want to send faster than that."?  How does that work with 
iburst or ntpdate that send several packets on short intervals and then become 
reasonable?


NAT gets involved with another tangle.  Do we need to think about rate 
limiting so NTP servers can't be used as reflectors to hide the true source of 
a DoS attack?  Is there an IETF group that thinks about UDP and rate limiting?


I've been using a limit of 1 packet per second on a couple of pool servers.  
That seems generous.  I've got a 20 second time constant on the filter so 
short bursts will work.  Even if they are all polling at 64 seconds, that will 
handle several boxes behind NAT.  (Handwave about getting started if they use 
iburst and all start at the same time like after a power failure and you are 
on the high side of several...)

If you look at the traffic, and ignore the known broken senders, there is 
another layer of busy boxes.  They are borderline abusive, more than 1 packet 
per second, less than 1000s that we get from the seriously broken boxes.  I 
think they are NAT.  I should probably try harder to contact the owners...



I can see 2 approaches to getting around rate limiting if we decide that is 
appropriate.

One is to get ISPs to run NTP servers and their customers to use them.

The other is to setup a registry for IP Addresses of NAT boxes and have the 
servers allow more traffic from them.

Any other ideas?


-- 
These are my opinions.  I hate spam.



_______________________________________________
ntp mailing list
ntp@ietf.org
https://www.ietf.org/mailman/listinfo/ntp