Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-port-01.txt
Hal Murray <hmurray@megapathdsl.net> Wed, 17 February 2021 12:01 UTC
Return-Path: <hmurray@megapathdsl.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B9FB3A196C for <ntp@ietfa.amsl.com>; Wed, 17 Feb 2021 04:01:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.045
X-Spam-Level: *
X-Spam-Status: No, score=1.045 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_DYNAMIC_IPADDR=1.951, PDS_RDNS_DYNAMIC_FP=0.01, RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hlqb5UMJx5lG for <ntp@ietfa.amsl.com>; Wed, 17 Feb 2021 04:01:29 -0800 (PST)
Received: from ip-64-139-1-69.sjc.megapath.net (ip-64-139-1-69.sjc.megapath.net [64.139.1.69]) by ietfa.amsl.com (Postfix) with ESMTP id 8629D3A1967 for <ntp@ietf.org>; Wed, 17 Feb 2021 04:01:28 -0800 (PST)
Received: from shuksan (localhost [127.0.0.1]) by ip-64-139-1-69.sjc.megapath.net (Postfix) with ESMTP id 9606940605C; Wed, 17 Feb 2021 04:01:24 -0800 (PST)
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.3
To: ntp@ietf.org
cc: hmurray@megapathdsl.net
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from internet-drafts@ietf.org of "Mon, 15 Feb 2021 07:05:13 PST." <161340151392.27073.10527818098176839039@ietfa.amsl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 17 Feb 2021 04:01:24 -0800
Message-Id: <20210217120124.9606940605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/nYJdEVLGHf7X1QtozMk62fnxxpA>
Subject: Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-port-01.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2021 12:01:30 -0000
Looks good. Do we need to include rate limiting? Without rate limiting, an NTP server can be used as a reflector. I'm not plugged into the crowd that does the anti-DoS work. How much of a problem is a non-amplifying reflector? Assuming we do add rate limiting, what is a sensible limit? Is there one? I see two tangles: The first is NAT. I have a couple of servers in the pool. I set their rate limiting to 1 packet per second averaged over 20 seconds. (you can send a 20 packet burst) That limit kicks in frequently with bursts of traffic that I think are coming from NAT boxes. I did confirm one case. The second is IPv6. Rate limiting is typically done by IP Address. With IPv6, a host can have many IP Addresses. This is really just the tip of an iceberg. Even with IPv4, I can DoS a site by sending to neighboring IP Addresses. -- These are my opinions. I hate spam.
- [Ntp] I-D Action: draft-ietf-ntp-alternative-port… internet-drafts
- Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-… Hal Murray
- Re: [Ntp] I-D Action: draft-ietf-ntp-alternative-… Miroslav Lichvar