Re: [Ntp] WGLC on draft-ietf-alternative-port-01

Miroslav Lichvar <> Mon, 26 July 2021 09:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6F2C23A21E0 for <>; Mon, 26 Jul 2021 02:05:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id m-qtzKRDJQXi for <>; Mon, 26 Jul 2021 02:05:39 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6B5713A21DC for <>; Mon, 26 Jul 2021 02:05:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mimecast20190719; t=1627290337; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Vu5QZo24Q6nwEgmA3TAXr1hVk1lLcdEgzNCJ5W5MksU=; b=T4HM8Hb++IGkV/ACfo6Z6wbkFXQF8/OMq9K4cLnIZeRf3dzgHav+idnLln57p21PhUJOFz sw/q+1mK9RlYHvfK9F20NPmmd7ce6DdIUuvSR6XuNKV70CnzeIP5VrFJNdtDtIPW/nYwfD wsvK/W7k+MF+5bwQK3Nqlt2PYZtB1U4=
Received: from ( []) (Using TLS) by with ESMTP id us-mta-46-4txY5PEkPlm_HvPi-Pd55A-1; Mon, 26 Jul 2021 05:05:33 -0400
X-MC-Unique: 4txY5PEkPlm_HvPi-Pd55A-1
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E0BF0800493; Mon, 26 Jul 2021 09:05:32 +0000 (UTC)
Received: from localhost ( []) by (Postfix) with ESMTPS id ECDC073DA1; Mon, 26 Jul 2021 09:05:30 +0000 (UTC)
Date: Mon, 26 Jul 2021 11:05:29 +0200
From: Miroslav Lichvar <>
To: Danny Mayer <>
Cc: Dieter Sibold <>, Watson Ladd <>, NTP WG <>
Message-ID: <YP562akF+CL/9R5s@localhost>
References: <> <YNMbMd+3dDjAnIDP@localhost> <> <> <> <>
MIME-Version: 1.0
In-Reply-To: <>
X-Scanned-By: MIMEDefang 2.79 on
Authentication-Results:; auth=pass smtp.auth=CUSA124A263
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <>
Subject: Re: [Ntp] WGLC on draft-ietf-alternative-port-01
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Jul 2021 09:05:45 -0000

On Sun, Jul 25, 2021 at 07:46:28PM -0400, Danny Mayer wrote:
> I have now come to the conclusion that this should NOT be accepted. Based on
> a conversation I had recently something like 70% of all traffic is still NTP
> V3 so this would not have any effect on them. Millions of firewalls would
> need to be changed. While the idea is generally good, it's not practical.

The draft is not specific to NTPv4. NTPv3 clients can be updated to
use the alternative port too. On the public servers I'm running, with
one exception (India), the observed NTPv3 share is below 10% anyway.

> An easier and more practical proposal would be to remove mode 6 and 7
> packets from the existing protocol and require that those types of packets
> and information be done on a separate port or even use TCP.

I don't see how would that be better. If you write a new document that
forbids mode 6/7 on port 123, how will that fix the existing devices
that still respond to it?

It's now over 7 years since the large-scale DDoS attacks started. If
everyone fixed configuration of their devices to not respond to the
modes, ISPs wouldn't be using the NTP rate-limiting middleboxes and we
wouldn't have this discussion.

Port 123 seems to be doomed, at least for the near future. The
alternative port gives us a way forward. Yes, the adoption on the
global scale will probably take a long time, but at least people who
are most impacted will be able to do something to fix it (update their
NTP servers and clients).

Miroslav Lichvar