Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
Miroslav Lichvar <mlichvar@redhat.com> Tue, 07 December 2021 08:29 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1ED33A1434 for <ntp@ietfa.amsl.com>; Tue, 7 Dec 2021 00:29:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7gVaekEioe4V for <ntp@ietfa.amsl.com>; Tue, 7 Dec 2021 00:29:52 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 047533A1419 for <ntp@ietf.org>; Tue, 7 Dec 2021 00:29:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1638865790; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ZtNMrPZec7NDEj4jQjQNhZScVJ9DX/tXzIc3OeFik4Q=; b=V5uJ/gzsJ6bvfuJeVWcuYMZk+IG5mqDu09iRblEGuhlq5aI5RkNWW8tyZsN7paTJIvSQ7b qhThCs+hUQfKPN3r2XBfJemcZPYEkNDKeXLMVNXvYrZzxKg2YBbe8mxoFAtAZ75XnJQVC1 v3uTWLmARYLcP2GCU9eY1yBGFiGGIfE=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-427-OXjHwcRtM5Sy04IxcIqSkg-1; Tue, 07 Dec 2021 03:29:46 -0500
X-MC-Unique: OXjHwcRtM5Sy04IxcIqSkg-1
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 59516801AAB; Tue, 7 Dec 2021 08:29:43 +0000 (UTC)
Received: from localhost (unknown [10.43.135.229]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 14BB67095E; Tue, 7 Dec 2021 08:29:39 +0000 (UTC)
Date: Tue, 07 Dec 2021 09:29:38 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Danny Mayer <mayer@pdmconsulting.net>
Cc: "C. M. Heard" <heard@pobox.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>, NTP WG <ntp@ietf.org>, Joe Touch <touch@strayalpha.com>, TSVWG <tsvwg@ietf.org>, Steven Sommars <stevesommarsntp@gmail.com>, iana-port-experts@icann.org, draft-ietf-ntp-alternative-port.all@ietf.org, tsv-art <tsv-art@ietf.org>, Hal Murray <halmurray@sonic.net>, Harlan Stenn <stenn@nwtime.org>
Message-ID: <Ya8bcmEO04g1TCzB@localhost>
References: <20211204231206.A534228C17A@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <A803AF18-2BBD-4A54-9802-3EF693066E6C@strayalpha.com> <CAD4huA7RhF3xZJkdghz4yx3qk8uBjkfJv7Y_hDCvX1a=wATBkg@mail.gmail.com> <CACL_3VENkyebRf25W6EpW0yZY6ELYS41A4D_i+RnQE1M21P2hg@mail.gmail.com> <Ya3fLJCHUsm1wE28@localhost> <90723c26-0352-a4d1-f765-eb26b1522954@pdmconsulting.net>
MIME-Version: 1.0
In-Reply-To: <90723c26-0352-a4d1-f765-eb26b1522954@pdmconsulting.net>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/rrO231AYFSHzpEvt2XEPLeBN0UI>
X-Mailman-Approved-At: Tue, 07 Dec 2021 04:39:21 -0800
Subject: Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2021 08:30:04 -0000
On Mon, Dec 06, 2021 at 05:25:52PM -0500, Danny Mayer wrote: > That's untrue. It's been working for over 25 years and probably longer. The > real issue here is that there are firewalls and routers blocking packets > longer than 48 bytes, yet I've watch autokey do its dance with packet > lengths much longer. What you are trying to do is circumvent these firewall > and router rules to get NTP to work with larger packets but on a new port > and you will still have to set the rules to allow it. The problematic middleboxes don't block other ports. They specifically block or rate limit packets on the port 123 as a mitigation for the amplification attacks. If a non-amplifying subset of NTP moves to another port, they will have no reason to block it. Autokey allows amplification, so it must not be used on the alternative port. BTW, the length-specific blocking starts around 200 bytes, not 48. Autokey wouldn't be as impacted as NTS. See this great post from Steven Sommars (who spent a lot of time debugging these issues): https://weberblog.net/ntp-filtering-delay-blockage-in-the-internet/ > Like EDNS0 adjusting > the existing rules on port 123 is a much better solution. Removing or > restricting support for mode 6 and 7 packets is trivial and requires no > additional complexity. If it is so easy, why it didn't happen in those 8 years since the attacks become widespread? > > With NTS, which uses longer NTP messages it's quite common to see a > > client that doesn't get a response to most of its requests. > Fix the firewall rules. Some of them are in hardware. They cannot be fixed. They would need to be replaced with something that blocks all mode 6 and 7 packets, and packets in modes 1, 2, 3, 4 that contain an Autokey extension field. Even in a software firewall that would be difficult to do. > No, instead you should be fixing the servers to not reply to mode 6/7 > packets instead. How do you find them, how do you convince the owners to fix/replace them, and make sure it doesn't happen again? > In the NTP Reference implementation it's trivial to update > the configuration. Maybe it is, but how likely do you think it is that everyone will do that? > In other implementations that's a SMOP if it's not > already there. AFAIK, no other widely used implementation supports mode 6 or 7, or Autokey. It's just one implementation that still amplifies traffic in its default configuration. -- Miroslav Lichvar
- [Ntp] Tsvart early review of draft-ietf-ntp-alter… Magnus Westerlund via Datatracker
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Steven Sommars
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Danny Mayer
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… C. M. Heard
- Re: [Ntp] Tsvart early review of draft-ietf-ntp-a… Erik Kline
- [Ntp] Antw: [EXT] Re: [Tsv‑art] Tsvart early revi… Ulrich Windl
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Miroslav Lichvar
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Salz, Rich
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Hal Murray
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Danny Mayer
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… touch@strayalpha.com
- Re: [Ntp] [tsvwg] Antw: [EXT] Re: [Tsv‑art] Tsvar… touch@strayalpha.com
- [Ntp] Antw: Re: [tsvwg] Antw: [EXT] Re: [Tsv‑art]… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Martin Burnicki
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Joe Touch
- Re: [Ntp] [IANA-Port-Experts] Tsvart early review… Salz, Rich
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [Tsv-art] Tsvart early review of draft-… Hal Murray
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… touch@strayalpha.com
- [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvart ea… Ulrich Windl
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Eliot Lear
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Miroslav Lichvar
- Re: [Ntp] [tsvwg] [Tsv-art] Tsvart early review o… Hal Murray
- Re: [Ntp] Antw: [EXT] Re: [tsvwg] [Tsv‑art] Tsvar… Watson Ladd