Re: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)

Ask Bjørn Hansen <ask@develooper.com> Thu, 30 May 2019 01:05 UTC

Return-Path: <ask@develooper.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C23912003F for <ntp@ietfa.amsl.com>; Wed, 29 May 2019 18:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tdzVkiVK5Zc3 for <ntp@ietfa.amsl.com>; Wed, 29 May 2019 18:05:03 -0700 (PDT)
Received: from mx-out1.ewr1.develooper.com (mx-out1.ewr1.develooper.com [139.178.64.59]) by ietfa.amsl.com (Postfix) with ESMTP id 527DE120026 for <ntp@ietf.org>; Wed, 29 May 2019 18:05:02 -0700 (PDT)
Received: from mbox1.develooper.com (unknown [147.75.38.211]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx-out1.ewr1.develooper.com (Postfix) with ESMTPS id 0C51B6E0DDD for <ntp@ietf.org>; Thu, 30 May 2019 01:05:02 +0000 (UTC)
Received: from mbox1.develooper.com (mbox1.develooper.com [127.0.0.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mbox1.develooper.com (Postfix) with ESMTPS id 5ADBD1760B4 for <ntp@ietf.org>; Wed, 29 May 2019 18:05:01 -0700 (PDT)
Received: (qmail 29728 invoked from network); 30 May 2019 01:05:00 -0000
Received: from unknown (HELO ?10.1.24.177?) (ask@mail.dev@203.125.67.130) by smtp.develooper.com with ESMTPA; 30 May 2019 01:05:00 -0000
From: =?utf-8?Q?Ask_Bj=C3=B8rn_Hansen?= <ask@develooper.com>
Message-Id: <22EEF05E-6705-43B8-87BD-2A171E632B7D@develooper.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DC449B58-7538-4D53-9FA8-493165DE3E35"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 30 May 2019 09:04:47 +0800
In-Reply-To: <69295233-497e-fa31-3270-691407fb6f30@nwtime.org>
Cc: Fernando Gont <fgont@si6networks.com>, ntp@ietf.org
To: Harlan Stenn <stenn@nwtime.org>
References: <155841904754.12856.3727925672753047210.idtracker@ietfa.amsl.com> <9d21f083-4cba-1dd1-f5bb-c95984d3127b@si6networks.com> <9d74c6e3-244e-fdd7-184a-0572f4f144cd@ntp.org> <25275d68-8c18-1616-f226-dffe7e21091e@si6networks.com> <20190528174208.11253a67@rellim.com> <1a133133-5d6a-ca96-6c15-73e6933baffc@si6networks.com> <2794A95B-B118-40BD-AD60-DCB50CC32717@latt.net> <2107d74d-02da-cbd7-7a12-2837cb2e47a2@si6networks.com> <ced4c6d4-c34d-3460-eccc-b5608fbd340e@nwtime.org> <b4faacdf-3d9b-5e47-2415-276ef3d7f3af@si6networks.com> <69295233-497e-fa31-3270-691407fb6f30@nwtime.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/rTU7WEJNSHVOhTnwhQpYv893oaw>
Subject: Re: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 01:05:05 -0000


> On May 29, 2019, at 5:18 PM, Harlan Stenn <stenn@nwtime.org> wrote:
> 
> The NAT case you mention is a red herring.  That case effectively
> randomizes the port already, at least outside the LAN.

I’ve seen “enterprise NAT” devices that deliberately didn’t port randomize source ports below 1024 (so rather than getting them randomized you’d limit the network to one NTP client per server IP per NAT timeout interval).

On IPv4 it basically doesn't work without port randomization (at scale, etc).

Ask