Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization
Fernando Gont <fgont@si6networks.com> Tue, 02 July 2019 12:31 UTC
To: "Gary E. Miller" <gem@rellim.com>, ntp@ietf.org
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <73f861c1-72e0-5e01-87e1-18658cd11859@si6networks.com>
Date: Tue, 02 Jul 2019 13:31:18 +0100
In-Reply-To: <20190614112522.2e5676f3@rellim.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/k-MlMs5GIH_ckW3ZANOCH3LFSr0>
Hello, Gary,

On 14/6/19 19:25, Gary E. Miller wrote:
> Yo Fernando!
>
> On Fri, 14 Jun 2019 14:07:29 +0300
> Fernando Gont <fgont@si6networks.com> wrote:
>
>>> PROVEN to degrade. With a few known mechanisms for that understood.
>>> Many more suspected but as yet undocumented.
>>
>> What I'm saying is: the port number may affect the path in scenarios
>> where forwarding is somewhat based on the port number.
>
> Yes. That is one of a great many scenarios where randomizing the port
> per connection degrades the time quality of the connection.

Just for the record: all of the revs we have published so far advised to
randomize the port on a per-association basis, not on a "per transaction"
basis.

>
>> Unless you
>> assume that every router forwards packets with a hash-based algorithm
>> that includes the port, then randomization *may* affect the path.
>
> So you propose one, of many, ways the random port per connection is
> bad. Then sweep all the others under the rug because they are not that
> one? Sloppy thinking.

No. I noted that the I-D has so far proposed to randomize the port on a
per-association basis, something that does not degrade the time quality.
That's what I've said.

We can add a discussion of "randomizing per-association vs. per-transaction
basis". In which case we should note the effect of randomization on time
quality. So far that's not what the document has proposed. Hence I asked
(and still ask) what are the alleged negative effects of the type of
randomization the I-D is actually proposing.

>> That said, at least in the IPv4 world, you have to learn to live
>> with this, since the pervasiveness of NATs means that it may be
>> impossible to enforce src=PORT (whatever port is), unless e.g. you
>> send requests every t<30 secs which is a usual NAT timeout for a
>> UDP "flow".
>
> Yup. The point of this discussion is finding the best of all the
> imperfect options.

When you randomize on a per-association basis (as opposed to a
per-transaction basis), I still fail to see what problems it brings.

>
>>> But your summary did not mention it.
>>
>> Indeed the last rev didn't mention it. In all fairness, I think it was
>> you that raised this (and we already started working on this on our
>> working copy) -- those who objected to port randomization didn't raise
>> this, and even less considered per-association vs per-request
>> randomization in the objections they voiced.
>
> I read the room differently.

I'm all ears to hear/read your view.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
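As an added illustration (not part of this thread, and not code from the I-D or from any NTP implementation): a small Python model of the two policies contrasted in the message above, per-association versus per-transaction source-port randomization, plus the NAT idle-timeout point raised in the quoted text. The client, the 4-path 5-tuple ECMP hash and the NAT with a 30-second UDP idle timeout are all constructed assumptions (the 30 s figure is the one quoted in the mail); the addresses come from the RFC 5737 documentation ranges. It shows that a per-association port keeps the 5-tuple, and hence the hash-selected path, stable across polls, that a per-transaction port can move successive polls onto different paths, and that a client behind a NAT keeps the same external port only while its poll interval stays below the NAT's UDP idle timeout.

```python
import hashlib
import random


# IANA dynamic/private ("ephemeral") port range.
EPHEMERAL_RANGE = (49152, 65535)


class NtpClient:
    """Toy model of an NTP client's source-port policy (constructed example).

    Only port selection is modelled; no packets are built or sent.  A seeded
    PRNG is used so the example is reproducible; a real client would bind to
    port 0 and let the OS pick an unpredictable port, or use a CSPRNG.
    """

    def __init__(self, mode, seed=0):
        if mode not in ("per-association", "per-transaction"):
            raise ValueError("mode must be 'per-association' or 'per-transaction'")
        self.mode = mode
        self.rng = random.Random(seed)
        self.assoc_ports = {}  # server -> source port chosen once per association

    def source_port(self, server):
        """Return the source port to use for the next request to `server`."""
        if self.mode == "per-transaction":
            # Fresh random port for every request: the 5-tuple changes each poll.
            return self.rng.randint(*EPHEMERAL_RANGE)
        # Per-association: choose once, then reuse for the life of the association.
        if server not in self.assoc_ports:
            self.assoc_ports[server] = self.rng.randint(*EPHEMERAL_RANGE)
        return self.assoc_ports[server]


def ecmp_path(src_ip, src_port, dst_ip, dst_port, n_paths=4, proto=17):
    """Assumed model of a router's 5-tuple hash-based ECMP choice.

    Any deterministic hash over the 5-tuple has the property that matters here:
    the same tuple always maps to the same path, a different tuple may not.
    """
    key = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths


def paths_taken(client, client_ip, server_ip, n_polls):
    """Set of ECMP paths that `n_polls` requests from `client` to one server traverse."""
    return {
        ecmp_path(client_ip, client.source_port(server_ip), server_ip, 123)
        for _ in range(n_polls)
    }


class UdpNat:
    """Minimal NAT: one external port per internal (ip, port), dropped after an idle timeout."""

    def __init__(self, idle_timeout_s=30):
        self.idle_timeout_s = idle_timeout_s
        self.table = {}  # (int_ip, int_port) -> [ext_port, last_seen_s]
        self.next_ext_port = 40000

    def translate(self, int_ip, int_port, now_s):
        """External port used for a packet from (int_ip, int_port) at time now_s."""
        key = (int_ip, int_port)
        entry = self.table.get(key)
        if entry is None or now_s - entry[1] >= self.idle_timeout_s:
            # Mapping expired (or never existed): allocate a new external port.
            entry = [self.next_ext_port, now_s]
            self.next_ext_port += 1
            self.table[key] = entry
        entry[1] = now_s  # any packet refreshes the mapping
        return entry[0]


def external_ports_seen(poll_interval_s, n_polls, nat_idle_timeout_s=30):
    """External ports the server sees from a per-association client behind the NAT."""
    nat = UdpNat(nat_idle_timeout_s)
    client = NtpClient("per-association", seed=1)
    client_ip, server_ip = "192.0.2.10", "203.0.113.1"  # constructed, RFC 5737 ranges
    src_port = client.source_port(server_ip)
    return {nat.translate(client_ip, src_port, i * poll_interval_s) for i in range(n_polls)}


if __name__ == "__main__":
    stable = NtpClient("per-association", seed=7)
    churn = NtpClient("per-transaction", seed=7)
    print("per-association paths:", paths_taken(stable, "192.0.2.10", "203.0.113.1", 64))
    print("per-transaction paths:", paths_taken(churn, "192.0.2.10", "203.0.113.1", 64))
    print("NAT ext ports, poll every 16 s:", external_ports_seen(16, 10))
    print("NAT ext ports, poll every 64 s:", external_ports_seen(64, 10))
```

The per-association client yields a single path for every poll to a given server, so the path-dependent component of the measured delay is the same one a fixed port would see; only the per-transaction client spreads its polls over several paths. The NAT model makes the second point concrete: at a 16 s poll interval the mapping is refreshed before the 30 s timeout and the server keeps seeing one external port, while at 64 s every poll arrives after the mapping has expired and is assigned a new one, so no source-port policy on the client can hold the externally visible port fixed.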