Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02

"" <> Sun, 05 December 2021 02:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 339A53A0D68; Sat, 4 Dec 2021 18:08:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.318
X-Spam-Status: No, score=-1.318 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fU0eiOSz9Cq1; Sat, 4 Dec 2021 18:08:22 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4B1933A0D69; Sat, 4 Dec 2021 18:08:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=6ul91U+hFo6EzWBpDbnjtNx5/sq4Y7r/gp+uJ663TIE=; b=k5mplpklGAhaBKgE4g+8FAViE2 Pa329WSdMrR5LE2My60tLP2CCkvf/jMgA9FBIkx1uQBnvSwl7AOprCa42B/UId63Q3zdvF4X7t1dd 7ryJ8RnY35r4Hmi++aD9MMPrwrN3Fmbwg1JGgcM9u07ShURUqr6XwEdAQbSxCODPDvPruygq0L9UM /1Se4LBpf0auTP/lBqxAHoiNA+QrkETlnkKGVaDOyKRPtawGDPbRlxfdihZ2N2iCjFtoUwiN+QHrO NoFgtOBOPSCq9wX8qtDrpewbjjF5xsaH6aRFZ5ccvC1TXvWLeVVKKlfJD9sJBfNaX/Bvq5WvBVO7f wKPGitdA==;
Received: from ([]:56014 by with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <>) id 1mtgwr-00AQYN-5w; Sat, 04 Dec 2021 21:08:21 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_ADF7E190-A7DD-45C5-94D8-A53CDF719FD9"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.\))
From: "" <>
In-Reply-To: <>
Date: Sat, 04 Dec 2021 18:08:13 -0800
Cc: Magnus Westerlund <>,, tsv-art <>,, TSVWG <>,
Message-Id: <>
References: <>
To: Hal Murray <>
X-Mailer: Apple Mail (2.3693.
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 05 Dec 2021 02:08:27 -0000

HI, Hal,

Again, with ports team review hat on:

Everything that happened below is equivalent to finding a zero-day or other kind of protocol error in any service.

The fact that the current ’solution’ is to block that port isn’t new either.

We don’t have resources to continually assign ‘fresh’ ports for services and I see no reason this one warrants an exception.

There are other solutions here; if your own recommendations caused packets smaller than 48 to be dropped, then find a way to fragment and reassemble authenticated packets until you find out that larger ones get through.

This is a protocol design problem, not a port assignment problem.


Joe Touch, temporal epistemologist

> On Dec 4, 2021, at 3:12 PM, Hal Murray <> wrote:
> said:
>> FWIW, I don't see this assignment as appropriate. 
> Without a new port, it will be close to impossible to widely deploy NTP 
> security.
> Years ago (2013), NTP was used in a giant DDoS attack.  That was due to a 
> bug/oversight that had been around since the early NTP work.  (I've tracked it 
> back to 1989.)
> The Wikipedia chart could use another column -- the number of sites available. 
> Almost all Linux or *BSD sites were running ntpd.
> The fix was trivial, but there are many essentially unattended sites running 
> old versions of ntpd that will never get fixed.
> Many many many sites have quietly installed filters in their routers.  Set and 
> forget.
> A typical filter drops UDP traffic to port 123 with a length other than 48.  
> That lets old unauthenticated NTP through but authenticated packets are longer 
> and get dropped.
> To use authentication on the existing port would require removing those 
> filters.  Even if you could track down the right people, they would probably 
> drag their feet until most of the sites running old unattended ntpd were fixed.
> An alternative would be to implement BCP 38.  How long has that been in 
> progress?
> -- 
> These are my opinions.  I hate spam.