Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
"touch@strayalpha.com" <touch@strayalpha.com> Sun, 05 December 2021 02:08 UTC
Return-Path: <touch@strayalpha.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 339A53A0D68; Sat, 4 Dec 2021 18:08:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.318
X-Spam-Level:
X-Spam-Status: No, score=-1.318 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fU0eiOSz9Cq1; Sat, 4 Dec 2021 18:08:22 -0800 (PST)
Received: from server217-1.web-hosting.com (server217-1.web-hosting.com [198.54.114.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B1933A0D69; Sat, 4 Dec 2021 18:08:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=6ul91U+hFo6EzWBpDbnjtNx5/sq4Y7r/gp+uJ663TIE=; b=k5mplpklGAhaBKgE4g+8FAViE2 Pa329WSdMrR5LE2My60tLP2CCkvf/jMgA9FBIkx1uQBnvSwl7AOprCa42B/UId63Q3zdvF4X7t1dd 7ryJ8RnY35r4Hmi++aD9MMPrwrN3Fmbwg1JGgcM9u07ShURUqr6XwEdAQbSxCODPDvPruygq0L9UM /1Se4LBpf0auTP/lBqxAHoiNA+QrkETlnkKGVaDOyKRPtawGDPbRlxfdihZ2N2iCjFtoUwiN+QHrO NoFgtOBOPSCq9wX8qtDrpewbjjF5xsaH6aRFZ5ccvC1TXvWLeVVKKlfJD9sJBfNaX/Bvq5WvBVO7f wKPGitdA==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:56014 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <touch@strayalpha.com>) id 1mtgwr-00AQYN-5w; Sat, 04 Dec 2021 21:08:21 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_ADF7E190-A7DD-45C5-94D8-A53CDF719FD9"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.20.0.1.32\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Date: Sat, 04 Dec 2021 18:08:13 -0800
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>, ntp@ietf.org, TSVWG <tsvwg@ietf.org>, iana-port-experts@icann.org
Message-Id: <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com>
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
To: Hal Murray <halmurray@sonic.net>
X-Mailer: Apple Mail (2.3693.20.0.1.32)
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/n16h5-UDqYUJVEJ0NWn2obngN5U>
Subject: Re: [Ntp] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Dec 2021 02:08:27 -0000
HI, Hal, Again, with ports team review hat on: Everything that happened below is equivalent to finding a zero-day or other kind of protocol error in any service. The fact that the current ’solution’ is to block that port isn’t new either. We don’t have resources to continually assign ‘fresh’ ports for services and I see no reason this one warrants an exception. There are other solutions here; if your own recommendations caused packets smaller than 48 to be dropped, then find a way to fragment and reassemble authenticated packets until you find out that larger ones get through. This is a protocol design problem, not a port assignment problem. Joe — Joe Touch, temporal epistemologist www.strayalpha.com > On Dec 4, 2021, at 3:12 PM, Hal Murray <halmurray@sonic.net> wrote: > > > touch@strayalpha.com said: >> FWIW, I don't see this assignment as appropriate. > > Without a new port, it will be close to impossible to widely deploy NTP > security. > > > Years ago (2013), NTP was used in a giant DDoS attack. That was due to a > bug/oversight that had been around since the early NTP work. (I've tracked it > back to 1989.) > https://www.spamhaus.org/news/article/695/answers-about-recent-ddos > https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification > The Wikipedia chart could use another column -- the number of sites available. > Almost all Linux or *BSD sites were running ntpd. > > The fix was trivial, but there are many essentially unattended sites running > old versions of ntpd that will never get fixed. > > Many many many sites have quietly installed filters in their routers. Set and > forget. > > A typical filter drops UDP traffic to port 123 with a length other than 48. > That lets old unauthenticated NTP through but authenticated packets are longer > and get dropped. > > To use authentication on the existing port would require removing those > filters. Even if you could track down the right people, they would probably > drag their feet until most of the sites running old unattended ntpd were fixed. > > An alternative would be to implement BCP 38. How long has that been in > progress? > > -- > These are my opinions. I hate spam. > > >
- [Ntp] Tsvart early review of draft-ietf-ntp-alter… Magnus Westerlund via Datatracker
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Steven Sommars
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] Tsvart early review of draft-ietf-ntp-a… Erik Kline
- [Ntp] Antw: [EXT] Re: [Tsv‑art] Tsvart early revi… Ulrich Windl
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Hal Murray
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Danny Mayer
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… touch@strayalpha.com
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… touch@strayalpha.com
- [Ntp] Antw: Re: [tsvwg] Antw: [EXT] Re: [Tsv‑art]… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Martin Burnicki
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Joe Touch
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Hal Murray
- Re: [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvar… Watson Ladd