Re: [Ntp] [EXT] Pool and DNS
Neta R S <neta.r.schiff@gmail.com> Fri, 21 October 2022 21:07 UTC
Return-Path: <neta.r.schiff@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EE4EC14CE41 for <ntp@ietfa.amsl.com>; Fri, 21 Oct 2022 14:07:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z1rO4KszkfuJ for <ntp@ietfa.amsl.com>; Fri, 21 Oct 2022 14:07:49 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F2CCC14CE2B for <ntp@ietf.org>; Fri, 21 Oct 2022 14:07:49 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id v130-20020a1cac88000000b003bcde03bd44so5970151wme.5 for <ntp@ietf.org>; Fri, 21 Oct 2022 14:07:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2VCQ2DnvlrI/whYCVq0nwscJ/4VzO3+9vTbsoQc/SRY=; b=LShHEmDbsb9OgCCFdRyMQjGpgTI0HSg1zQLR4ORDXUzs6drtT0zFqgE3pRlN/nT8YH j7KfGaFbsQT0bJWRllldba2KFVdwPd36rxjs78+1QouGCVwwKyLZ3WwBYv6vkS/Gsma9 ZcvrB0rhAdxQy1iSGUU2OqLfd2soCmnueQU651889THHb8E8mcL+tQqi6ZI7pzCtl6vv EIVVm9FYn3Th4IGk/W+bqkvdapWkQYWN5udlkmPN9btHVi6Xzn5li+/TmxMvJt3OLHmM JTCEjcmLqYAU46nVaxQw8KmgbdBg6Mxkr7EAjN3jAr4txNxCBYKM3unmXsTcBer0YJLH wQLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2VCQ2DnvlrI/whYCVq0nwscJ/4VzO3+9vTbsoQc/SRY=; b=VzYUGxg2O1XmpJAxXaNgSTuLNqvpwlrnVC+gMhNMbgil1rC/DW8N4B1ltI51vXf2WF lcsL0Fs1qIpCxZ8Sa/O1fpBiiCgLVSgME2MMQTlvCs9Xl4Zgw/FPS/jk4bhh/SKUzgtz niSvHtpBZhkiZlf92HlVDCueaLFeD2Gc6cEnUs5fyhd3AIgIdqdTVtrDx8CJHW+uIR8m lmAlX4H0CJgq+SbzxmLdvk/d8OZC7xHZV1CvYQxkUnM74mkotynBNTn0OzwgQ8gpaFPt cSw15O3aKH4g3Ik+QWZnUXh5gBEmEOMWVvP93KQeFN8nrhdVi7WcqdNhgvklmypDHX9O fkYQ==
X-Gm-Message-State: ACrzQf0X3sR3koPuoQoMgUP2wcbHcecxRh2w3fSkdwJM41O46RRcKzAn XyfPzA9sKiLR81kZCg26VdczH05ezEkKCVk409s=
X-Google-Smtp-Source: AMsMyM5Y8bZoigE6NJ7u4hCOpzsb8U1d6zWxNRDnG6T+GPbddJBc75+8OnNSMh8lFxjAkzJVtW9wn8hAy9U/r3XoWFw=
X-Received: by 2002:a05:600c:3c8e:b0:3b4:d224:ae27 with SMTP id bg14-20020a05600c3c8e00b003b4d224ae27mr14762656wmb.187.1666386467548; Fri, 21 Oct 2022 14:07:47 -0700 (PDT)
MIME-Version: 1.0
References: <20221019044237.8DE2C28C1DB@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <634FCA5A020000A10004EB98@gwsmtp.uni-regensburg.de>
In-Reply-To: <634FCA5A020000A10004EB98@gwsmtp.uni-regensburg.de>
From: Neta R S <neta.r.schiff@gmail.com>
Date: Sat, 22 Oct 2022 00:07:36 +0300
Message-ID: <CAM-HxCP=eZoKC1OzSUDJv-3Gx9njwyemnOosGyY8mLiYFZF8pQ@mail.gmail.com>
To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Cc: halmurray@sonic.net, "ntp@ietf.org" <ntp@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000074f46805eb91d567"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/hpyM6HZ1Qykis5nwqfFWBlv7zI8>
Subject: Re: [Ntp] [EXT] Pool and DNS
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 21:07:53 -0000
Hi, Perhaps, in order to avoid the uncertainty regarding when NTPs needs to query the DNS, we can just say that assuming the calibration period is one month, 250 DNS queries means an average of about 10 DNS queries per day, which is usually several order of magnitude lower than the total daily number of DNS queries per machine. Regarding NTS, I will add a reference to it in the draft, where we say that “adding an authentication layer to Khronos will enhance its security guarantees and enable the detection of various spoofing and modification attacks.” Thanks, Neta On Wed, Oct 19, 2022 at 12:58 PM Ulrich Windl < Ulrich.Windl@rz.uni-regensburg.de> wrote: > >>> Hal Murray <halmurray@sonic.net> schrieb am 19.10.2022 um 06:42 in > Nachricht > <20221019044237.8DE2C28C1DB@107-137-68-211.lightspeed.sntcca.sbcglobal.net > >: > > >> Around 250 DNS queries are required by Khronos to obtain a pool of 1000 > NTP > >> servers, which is equal to the number of queries performed by NTPv4 in a > >> duration of 10 days (assuming a query per hour). > > > > Where did that "a query per hour" come from? > > Good question: maxpoll default is still 10, and on typical servers a higher > number like 12 makes little sense. > > > > > It's not wildly wrong and I don't have a better number. But I worry > that > > somebody will assume it is a solid data point and use it in some future > line > > > > > of reasoning. > > > > ‑‑‑‑‑‑‑‑ > > > > My reading is that pool traffic is bimodal. ntpd makes a few DNS > requests > > on > > startup then uses those servers for a long time. sntp makes a DNS > request > > every time it is run. > > > > You can see that by watching the traffic on a server in the pool when > you > > disable it by setting the traffic rate to monitor‑only. The traffic > drops > > By "disabling" you mean removing it from the DNS pool, but keep it running? > > > abruptly by X%, then slowly decays. "Slowly" is ballpark of 10% per > day. X > > > > > is ballpark of 60%. (I didn't get decent data because I only figured > out > > what > > was going on after I had already messed things up. Next time...) > > > > ‑‑‑‑‑‑‑‑‑‑ > > > > The main problem with DNS and the pool is that there is currently no > clean > > way to remove a server from the pool. If you remove it from the pool, > the > > sntp traffic will vanish since it will get removed from future DNS > answers. > > > But the ntpd traffic will continue to use existing servers as long as > ntpd > > keeps running and the servers keep responding. > > Not quite: If the server performs worse than the rest, ntpd wil request > another one, dropping the bad one. > We are runníng most servers using manycast here, but the mechanism should > be > similar. > > > > > > There is no way to ask if a server is still in the pool. If there was, > ntpd > > > should check every day or week or ... That would add more DNS traffic > from > > > the long running ntpd servers. Khronos would add much more. > > > > ‑‑‑‑‑‑‑‑‑‑ > > > > The more interesting question is NTS. The NTS‑KE step is fairly > heavyweight, > > much more work than a DNS lookup. > > > > The current parameters are 8 cookies with a lifetime of a day. A day is > > 86400 seconds. That means we need to poll each server every 10800 > seconds. > > > With 1000 servers and M=15 (from the draft) that will take a Khronos > poll > > every (10800/1000)*15 => 162 seconds. If Khronos runs at 10x the poll > time > of > > ntpd, that's not going to work. > > > > We could gain a factor of 2 or 3 by dropping cookies older than a day. > (and > > > asking for several more to fill up again when we do poll a server) > > > > Of course, NTS doesn't work with the pool and I don't see how to fix > that, > > so this is all a wild goose chase. > > > > > > Maybe we should be comparing Khronos with 1 or 2 trusted servers using > NTS. > > > > > > ‑‑ > > These are my opinions. I hate spam. > > > > > > > > _______________________________________________ > > ntp mailing list > > ntp@ietf.org > > https://www.ietf.org/mailman/listinfo/ntp > > > >
- [Ntp] Pool and DNS Hal Murray
- [Ntp] Antw: [EXT] Pool and DNS Ulrich Windl
- Re: [Ntp] Pool and DNS Marcus Dansarie
- Re: [Ntp] [EXT] Pool and DNS Neta R S
- Re: [Ntp] [EXT] Pool and DNS David Venhoek
- Re: [Ntp] [EXT] Pool and DNS Neta R S
- Re: [Ntp] Pool and DNS Hal Murray
- [Ntp] Antw: [EXT] Re: Pool and DNS Ulrich Windl
- Re: [Ntp] Pool and DNS Miroslav Lichvar
- Re: [Ntp] Pool and DNS Christer Weinigel
- Re: [Ntp] Pool and DNS Christer Weinigel
- Re: [Ntp] Pool and DNS Miroslav Lichvar
- Re: [Ntp] Pool and DNS Leif Johansson