Re: [ntpwg] Antw: Re: Antw: Re: call for adoption (draft-dfranke-ntp-data-minimization)
Daniel Franke <dfoxfranke@gmail.com> Tue, 28 March 2017 14:20 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B98B2129522 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Tue, 28 Mar 2017 07:20:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.093
X-Spam-Level:
X-Spam-Status: No, score=-1.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_SIGNED=0.1, FREEMAIL_FORGED_FROMDOMAIN=0.197, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (body has been altered)" header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGsZNUtScnr9 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Tue, 28 Mar 2017 07:20:22 -0700 (PDT)
Received: from lists.ntp.org (psp3.ntp.org [185.140.48.241]) by ietfa.amsl.com (Postfix) with ESMTP id 3147D1294B8 for <ntp-archives-ahFae6za@lists.ietf.org>; Tue, 28 Mar 2017 07:20:21 -0700 (PDT)
Received: from psp3.ntp.org (localhost.ntp.org [127.0.0.1]) by lists.ntp.org (Postfix) with ESMTP id E2BC186DC01 for <ntp-archives-ahFae6za@lists.ietf.org>; Tue, 28 Mar 2017 14:20:20 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (fortinet.ntp.org [10.224.90.254]) by lists.ntp.org (Postfix) with ESMTP id 9088786DAE6 for <ntpwg@lists.ntp.org>; Tue, 28 Mar 2017 14:20:17 +0000 (UTC)
Received: from mail-qt0-f173.google.com ([209.85.216.173]) by mail1.ntp.org with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <dfoxfranke@gmail.com>) id 1csryg-000IQ4-S0 for ntpwg@lists.ntp.org; Tue, 28 Mar 2017 14:20:17 +0000
Received: by mail-qt0-f173.google.com with SMTP id n21so65121126qta.1 for <ntpwg@lists.ntp.org>; Tue, 28 Mar 2017 07:20:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=G5pALf6uAkEyHiWg1ER5FwoqnvW9KmwVSvVXyrsypbU=; b=rOV1vHGmQobCaEBkit+WFrUUB1ML/ZCtqof7VhLGVtlTYnPskAnGHyPj1bj8scvLZA tF1hitvDTA9nOfH+Xcl8u0ERjH8+pf3dMMHcWit2JFlXF3KkFPf5nHWgQOZ4tbNkbY/M VPAv28DU6sYW08QAE5+kLtxhr+aHPbeV4a3HgRck29iTu1CMeZCVOMRbdz+1N9tQgFQI kp2TRvWq8ME+us8wv2P82U73XuB6u5hYhfwqztXBLNcyaCd11WpPESJ2hYsc0DPdUI9O dQ3F22rPtSMkHh4fAAlXfrtxtgM0GIkKCMr5TvV828EK8WI/ZxPs5WaCVnc4TjalqPsM ODsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=G5pALf6uAkEyHiWg1ER5FwoqnvW9KmwVSvVXyrsypbU=; b=TQsW5oaXRrzoq5LeCPMghHDwXQ+ybzylYQD8+VqTrNT08EBcOU9If+7sfYP8r51nUF ngHb9yxwwsd1ZwHSJZ5A4bUBlANYKrowST8KR/RkWOrGAT+g++ZlTbHFtTRkfM85mCTu d8CZdn/ngCQdSt6tF+zg7701lu8sWtkny6ZuuIhrAtuHhzaoIOF+jNqaeNB2SUj1MT0r mFPnm4EmILklNaQmiJ1wlBJf3MeSAAMuAkj7NxrdYZ/Y/yVxE0VQjHJHWkNX1PCUVjxK 7nyojA0KpLDQuUUWmGvJTC5IGEYX2JbUqfOP9r7HkoY3eIbQgvCcW1DxWQgx1213Rynp KLug==
X-Gm-Message-State: AFeK/H2pWeUf87n5lzwJi4f9bn9869xsPUcgTJ1wEScLd27HpnziAoeedNDyoPno9KARMusDO6o3bZrE7oeIFQ==
X-Received: by 10.200.51.177 with SMTP id c46mr28716732qtb.55.1490710806027; Tue, 28 Mar 2017 07:20:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.136.119 with HTTP; Tue, 28 Mar 2017 07:20:05 -0700 (PDT)
In-Reply-To: <86fab54e-c328-a8ea-582a-fa5d7763ff1d@nwtime.org>
References: <CA564C5C-6CED-4810-BA2F-5433F2525249@isoc.org> <20170327133842.GK8192@localhost> <58D9FD22020000A1000255AD@gwsmtp1.uni-regensburg.de> <4cff4cd7-1eec-0e72-b235-1a8d65fc7fc4@nwtime.org> <58DA0F83020000A1000255CF@gwsmtp1.uni-regensburg.de> <86fab54e-c328-a8ea-582a-fa5d7763ff1d@nwtime.org>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Tue, 28 Mar 2017 10:20:05 -0400
Message-ID: <CAJm83bBHAD3vKaiCscbp+4h8Sn1Ewqcwoo3zU1KURA5y9ZPR8w@mail.gmail.com>
To: Harlan Stenn <stenn@nwtime.org>
X-SA-Exim-Connect-IP: 209.85.216.173
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: dfoxfranke@gmail.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: Re: [ntpwg] Antw: Re: Antw: Re: call for adoption (draft-dfranke-ntp-data-minimization)
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: ntpwg@lists.ntp.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
On 3/28/17, Harlan Stenn <stenn@nwtime.org> wrote: > The NTP Project's software will alert whenever an unexpected origin > timestamp arrives. So if you start seeing thousands of these arrive you > have knowledge that a bad guy is spoofing you to your server. By "alert" you mean "increment a counter whose value can be queried using ntpq". Few users know this counter exists and almost none outside this very small community check it routinely. It's absurd to demand of users that they be keeping constant vigil over the state of their ntp daemon, and any security model which assumes that they will do so is useless. Even if you *do* immediately notice the attack, what are you expected to do about it? You can either do nothing and let your clock get manipulated, or disassociate with the peer being spoofed, and if they're all being spoofed then you're left with letting your clock free-run. But with proper origin timestamp randomization, you can just ignore the attack because it will have a negligible chance of success. > Also, for client responses, the "gate" for using this is pretty short - > it's the window between sending the initial request to the server, and > the time the response comes back. That assumes the legitimate server is alive. The correct "gate" on which to base success-probability calculations is the MAXDIST parameter. _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] call for adoption (draft-dfranke-ntp-data… Karen O'Donoghue
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Paul Gear
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Miroslav Lichvar
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Miroslav Lichvar
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Salz, Rich via ntpwg
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Sharon Goldberg
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Daniel Franke
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Miroslav Lichvar
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Aanchal Malhotra
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Daniel Franke
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Daniel Franke
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Miroslav Lichvar
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Daniel Franke
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Daniel Franke
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Harlan Stenn
- [ntpwg] Antw: Re: call for adoption (draft-dfrank… Ulrich Windl
- Re: [ntpwg] Antw: Re: call for adoption (draft-df… Harlan Stenn
- [ntpwg] Antw: Re: call for adoption (draft-dfrank… Ulrich Windl
- [ntpwg] Antw: Re: call for adoption (draft-dfrank… Ulrich Windl
- Re: [ntpwg] Antw: Re: call for adoption (draft-df… Hal Murray
- [ntpwg] Antw: Re: Antw: Re: call for adoption (dr… Ulrich Windl
- Re: [ntpwg] Antw: Re: Antw: Re: call for adoption… Harlan Stenn
- Re: [ntpwg] Antw: Re: Antw: Re: call for adoption… Daniel Franke
- Re: [ntpwg] Antw: Re: Antw: Re: call for adoption… Daniel Franke
- [ntpwg] Antw: Re: Antw: Re: Antw: Re: call for ad… Ulrich Windl
- Re: [ntpwg] Antw: Re: Antw: Re: call for adoption… Daniel Franke
- Re: [ntpwg] Antw: Re: Antw: Re: call for adoption… Salz, Rich via ntpwg
- Re: [ntpwg] Antw: Re: Antw: Re: call for adoption… Harlan Stenn
- Re: [ntpwg] Antw: Re: Antw: Re: call for adoption… Daniel Franke
- [ntpwg] Antw: Re: Antw: Re: Antw: Re: call for ad… Ulrich Windl
- [ntpwg] Antw: Re: Antw: Re: Antw: Re: call for ad… Ulrich Windl
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Miroslav Lichvar
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Daniel Franke
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Greg Dowd
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… Daniel Franke
- Re: [ntpwg] call for adoption (draft-dfranke-ntp-… dieter.sibold
- [ntpwg] Antw: Re: call for adoption (draft-dfrank… Ulrich Windl
- [ntpwg] Antw: Re: call for adoption (draft-dfrank… Ulrich Windl
- Re: [ntpwg] Antw: Re: call for adoption (draft-df… Miroslav Lichvar