Re: [Ntp] Antw: [EXT] Re: WGLC on draft‑ietf‑alternative‑port‑01

Danny Mayer <mayer@pdmconsulting.net> Sat, 31 July 2021 22:33 UTC

Return-Path: <mayer@pdmconsulting.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BFCA3A1E4D for <ntp@ietfa.amsl.com>; Sat, 31 Jul 2021 15:33:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ffBsY0Cg7xqb for <ntp@ietfa.amsl.com>; Sat, 31 Jul 2021 15:33:18 -0700 (PDT)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 009463A1E4C for <ntp@ietf.org>; Sat, 31 Jul 2021 15:33:17 -0700 (PDT)
Received: from newusers-MBP.fios-router.home (pool-108-26-179-179.bstnma.fios.verizon.net [108.26.179.179]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4GcfDV4zVNzMNW6; Sat, 31 Jul 2021 22:33:14 +0000 (UTC)
To: Watson Ladd <watsonbladd@gmail.com>
Cc: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, Miroslav Lichvar <mlichvar@redhat.com>, Dieter Sibold <dsibold.ietf@gmail.com>, NTP WG <ntp@ietf.org>
References: <PH0PR06MB7061EF8C35B67CDE520E60F2C2349@PH0PR06MB7061.namprd06.prod.outlook.com> <YNMbMd+3dDjAnIDP@localhost> <CACsn0cnMR=E13wd06+=Jdr++s5hqvSt7VitE8euUzc2dF_SjtQ@mail.gmail.com> <a39454b6-31b2-a8f5-1070-3d1b3c155297@pdmconsulting.net> <492BFE65-30FD-42AC-8891-B9A7D007BC03@gmail.com> <ac4aa859-7d26-17ba-a33b-dec781258b52@pdmconsulting.net> <YP562akF+CL/9R5s@localhost> <CACsn0ckn+-MTrnd7KLVQCjyGnDPAPhPYYZm6W-w92vtd0PEAgQ@mail.gmail.com> <610253DA020000A100042C8B@gwsmtp.uni-regensburg.de> <61025C79020000A100042C9B@gwsmtp.uni-regensburg.de> <CACsn0c=2iV01P+gNLXU-NcmsCyUcsO1QAgKfyQcUg8Ci4R+3Dg@mail.gmail.com> <315bacee-255f-b517-a149-dc37ae9e0999@pdmconsulting.net> <CACsn0c=aD3UsuMczgwzEvC5WPtrynG6LfnPxf30Muzt4vjDp8A@mail.gmail.com>
From: Danny Mayer <mayer@pdmconsulting.net>
Message-ID: <cdc952a5-16b5-2ee6-f3a8-4c304cbe0432@pdmconsulting.net>
Date: Sat, 31 Jul 2021 18:33:13 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <CACsn0c=aD3UsuMczgwzEvC5WPtrynG6LfnPxf30Muzt4vjDp8A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/hoeNTcBIhN6iFCyor8yX0zXdb3g>
Subject: Re: [Ntp] Antw: [EXT] Re: WGLC on draft‑ietf‑alternative‑port‑01
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Jul 2021 22:33:23 -0000

On 7/31/21 12:59 PM, Watson Ladd wrote:
> On Thu, Jul 29, 2021, 12:12 PM Danny Mayer <mayer@pdmconsulting.net> wrote:
>>
>> On 7/29/21 11:01 AM, Watson Ladd wrote:
>>> On Thu, Jul 29, 2021, 12:45 AM Ulrich Windl
>>> <Ulrich.Windl@rz.uni-regensburg.de> wrote:
>>> <snip>
>>>>>> We see issues at Cloudflare with packet delivery on port 123. ISP
>>>>>> middleboxes are going to police by length, and an alternative port is
>>>>>> the way forward. There is much less policing on the alternative ports.
>>>>> Actually I'd think teching cloudflare would be better than changing the
>>>> I had meant to write "teaching"...
>>> It's not our devices: it's middleboxes in ISP networks. We only find
>>> out from customer pcaps where one in four NTS packets makes it
>>> through. The policing is by length because that is what these boxes
>>> support.
>>>
>> So how would using an alternative port make a difference?
> The other port is not policed now. We use it, and take care to not
> massively deploy amplifiers on it, so it does not get policed.  This
> issue is not about opening firewalls that are under people's control.
> This is about firewalls on ISP networks to protect the ability of the
> network to function, that break and do things like take NIST offline
> in the Western US for a month.
>
> Sincerely,
> Watson

If you are not policing privileged ports then you have a problem with 
your firewall.

Danny