Re: [Ntp] Fwd: New Version Notification for draft-ietf-ntp-port-randomization-02.txt
Steven Sommars <stevesommarsntp@gmail.com> Tue, 21 April 2020 15:48 UTC
Return-Path: <stevesommarsntp@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 214763A0D69; Tue, 21 Apr 2020 08:48:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JNDhwvNjSh9p; Tue, 21 Apr 2020 08:48:41 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 561CD3A0E8A; Tue, 21 Apr 2020 08:44:18 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id y185so8707938vsy.8; Tue, 21 Apr 2020 08:44:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qX2LgDNBKzjpD7MOreD7uY6+1MvqcvtUEsuO5x+B8PU=; b=qskiudrDXHfbSaGGxz+PWAA1sL0YmNskTIbmpuL7TTWiSRcFbqJ2yEmwoeV+vXmenf JhezAjMYlbG4WQINIUVFFolKuBaMWeCUwd5QOQJJFw1ZhbUkDhZ2C1hhxXV6Q/qd+dNi wjpHwUhj5ZK34GGGyCIU+iyVhEbg8esALbxNeJm4VcGTYCWblqxkBtMS1+D0yBdl1KPy Ct8l1zirNikMgHeWnnyPm8yn97bp1KyNXhh5ybdC8bCtBBWICALtFTMKKygOx2wV6Mef 5miuXBA0ex6c1axsXLC+Sq5f2R/YCpWajt2rQstVdgbi5sugJU7nmZ1jNq0tmWYY1LDS pdDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qX2LgDNBKzjpD7MOreD7uY6+1MvqcvtUEsuO5x+B8PU=; b=G2ZEpTnq/+/0j+giveR3FxxkkS+6av4LW6lBPLjudavMiteQRrTjnkeFOSkHNzeJjk ZAlv9NbteVHyVdYS3VCP8RPMgqbDiQTz4Om6EGgvraV4gbefxtkpZKtIPQnlvbLLrCWX ifBrfC71KX3/VvO1YYU38/atzdSyJH2HHl/Bmls4u15J0K9ur3mYvPh67HRTXQPz/a/F MlOXRRkxMnTvgAodkNdcxWn4xPKX9SJAfQ5MmdshWXDrWtUL6ua4qMLfgo07uocG+OTm SMzAnbCGp0N0FDwcnbR0NQKh+X98kWrYl5O81oTVZXJyubE4xIVN3nrAaqj22S3xr3nc caBA==
X-Gm-Message-State: AGi0PuY8SwQ8r5V8kUUVufHjcNQITnZsd3LIHlihZTJlOgOsjq3+OChS mejpCb7mVo5SCIvdtkExXYfNI5bOUkYAl7u2eck=
X-Google-Smtp-Source: APiQypLgLpT+M2mlBqP1Qofr6+CtTecrOx+ZkNBGxJtp+n9LQf6rs1byL0vxzQdEmPX9oNSr8B82OQcFEdGNci53JTI=
X-Received: by 2002:a05:6102:382:: with SMTP id m2mr11315965vsq.141.1587483853125; Tue, 21 Apr 2020 08:44:13 -0700 (PDT)
MIME-Version: 1.0
References: <158706113942.27424.5328137517371748525@ietfa.amsl.com> <bb5a098c-e842-da1a-01d2-65d6d064f5cd@si6networks.com> <CAD4huA4FRGW4csX21K7Dst00rOuRubMHrXLieFd9JPyAUV4rxQ@mail.gmail.com> <20200421093759.GB4396@localhost>
In-Reply-To: <20200421093759.GB4396@localhost>
From: Steven Sommars <stevesommarsntp@gmail.com>
Date: Tue, 21 Apr 2020 10:44:02 -0500
Message-ID: <CAD4huA7FKbNpYn4O+h4Wq=59r_Z1Q=wVrnSeSc0GMnWb9LGjuA@mail.gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: Fernando Gont <fgont@si6networks.com>, "ntp-chairs@ietf.org" <ntp-chairs@ietf.org>, "ntp@ietf.org" <ntp@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000026fc7405a3cee388"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/rLJ6txxeUKfhuGX_ipOFu0I2Rug>
Subject: Re: [Ntp] Fwd: New Version Notification for draft-ietf-ntp-port-randomization-02.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2020 15:48:44 -0000
On Tue, Apr 21, 2020 at 4:38 AM Miroslav Lichvar <mlichvar@redhat.com> wrote: > On Thu, Apr 16, 2020 at 07:06:33PM -0500, Steven Sommars wrote: > > Question: The draft doesn't enumerate the NTP modes of concern. Is Mode > 3 > > specifically covered? > > In the section "4. Update to RFC5905" the updated text says in which > modes randomization shouldn't be applied (modes 1, 2, 5) and that it > should be applied in the other cases (i.e. modes 3, 4). Do you > think the "other" modes need to be listed? > Since modes 3&4 are by far the most common they should be listed. [Mode 3 can be randomized, Mode 4 cannot.] > > Off-path attacks for Mode 3/Mode 4 exchanges are already difficult since > > the Mode 3 (request) transmit time stamp must > > be returned in the Mode 4 (response) message. > > That depends on the implementation. For instance, a vulnerability was > recently published for the "reference" implementation that it has > highly predictable transmit timestamps, which makes an off-path attack > taking control over the client's clock practical, even when the client > is using multiple servers. If it randomized the port, the attack > wouldn't be practical. > > > If predictable transmit time > > stamps are a concern then a random transmit time stamp > > (a la Chrony) can be used. > > Yes, that would prevent the attack, but as the draft explains port > randomization is a mitigation at a different layer than the > application protocol and is recommended by BCP 156. > OK. > > Comment: Some older NTP server implementation tracked per-client usage > > based on > > client IP + source port. > > Which server implementation did that? > I see some per-port tracking in old scans, e.g., ntpd 4.1.2@1.892 [Build date was December 2003] Such old implementations don't warrant further consideration. > > Port randomization will increase the apparent > > number of clients tracked. > > I don't know if this is a server performance issue, just wanted to > mention > > it. > > As NAT is widely used and the typical timeout for UDP connection > tracking seems shorter than typical polling interval, I don't think > the port randomization will make it significantly worse. > > OK > > 3.2. Effects on Path Selection > > > > "If the clients changed their source port with each request, packets in > > different exchanges would take different paths." > > > > s/would/could/ > > Ok, makes sense. > > > "The measured delay and offset would be less stable..." > > > > The measured delay is the RTT; sum of request delay and response > > delay. Occasionally the request and response delays > > on different client UDP ports differ by +delay and -delta > respectively. > > There is no "best" sample to choose since the RTT is > > nearly constant. > > I'm not sure I follow here. If for example between the server and > client there were four paths A, B, C, D with delays 10, 20, 30, 40 ms > respectively, it's possible that the request and response would go > only over A+D or B+C? > > This can happen Client Request Response RTT Request-Response port path path delta 30000 A D 50 -30 40000 D A 50 +30 50000 B C 50 -10 as could other combinations. Here the port 5000 path is most symmetric, but the filter algorithm won't know that. We shouldn't imply that port randomization helps time & frequency transfer. > > 3.3 Filtering of NTP traffic > > > > "Implementation of port randomization for non-symmetrical modes allows > for > > simple differentiation of NTP requests and responses" > > > > Such differentiation is only possible if the the use of port > > randomization is universal. > > Right, but some ISPs didn't care and blocked all incoming packets with > destination port 123. It was a common issue reported by users, e.g. > one client in local network oddly not working (the one that doesn't > have port remapped in NAT to a different port) or ntpdate working only > with the -q option (which enables on port randomization). > > NAT bugs can also cause the "one client doesn't work" symptom. > -- > Miroslav Lichvar > > Steve Sommars
- [Ntp] Fwd: New Version Notification for draft-iet… Fernando Gont
- Re: [Ntp] Fwd: New Version Notification for draft… Steven Sommars
- Re: [Ntp] Fwd: New Version Notification for draft… Miroslav Lichvar
- Re: [Ntp] Fwd: New Version Notification for draft… Steven Sommars
- Re: [Ntp] Fwd: New Version Notification for draft… Miroslav Lichvar