Re: [Ntp] NTS IANA request
Heiko Gerstung <heiko.gerstung@meinberg.de> Fri, 07 June 2019 07:40 UTC
Return-Path: <heiko.gerstung@meinberg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80E9412008D for <ntp@ietfa.amsl.com>; Fri, 7 Jun 2019 00:40:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.289
X-Spam-Level:
X-Spam-Status: No, score=-4.289 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=meinberg.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l84zO4kMVdi8 for <ntp@ietfa.amsl.com>; Fri, 7 Jun 2019 00:40:41 -0700 (PDT)
Received: from server1a.meinberg.de (server1a.meinberg.de [176.9.44.212]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5C6A12013D for <ntp@ietf.org>; Fri, 7 Jun 2019 00:40:39 -0700 (PDT)
Received: from srv-kerioconnect.py.meinberg.de (unknown [193.158.22.2]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by server1a.meinberg.de (Postfix) with ESMTPSA id 6BB7C71C0993; Fri, 7 Jun 2019 09:40:35 +0200 (CEST)
X-DKIM: Sendmail DKIM Filter v2.8.2 server1a.meinberg.de 6BB7C71C0993
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=meinberg.de; s=mail201101; t=1559893237; bh=SV5Lda/IUgCLvuy0EeOKJfjnrFnLmc3uGuR675d55Aw=; h=Date:Subject:Message-ID:References:In-Reply-To:Mime-version:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=tT1UD0EhCgSjKooW+vRuZFR+6W7nXZZ1D/rYBie9W1IXqPbfbTfDMLDdG2c0KDdyG tGJqa7yBJrjQ/6E2IljPhTfT0DFDF+kl1Dw0DjntEXQeaijbCk1/Vy28pEw4suOPhE 72eUCdEyq93PXdPjFlgJ3Uz5pIGbOm5cjcQrG6bo=
X-Kerio-Anti-Spam: Build: [Engines: 2.15.9.1244, Stamp: 3], Multi: [Enabled, t: (0.000005,0.006912)], BW: [Enabled, t: (0.000006)], RTDA: [Enabled, t: (0.038033), Hit: No, Details: v2.7.39; Id: 15.1i616g6.1dcoe3kus.1gghv], total: 0(700)
X-Footer: bWVpbmJlcmcuZGU=
User-Agent: Microsoft-MacOutlook/10.19.0.190512
Date: Fri, 07 Jun 2019 09:40:32 +0200
Message-ID: <487FBFAD-D082-4CA8-AC14-C2CC8B007DBB@meinberg.de>
Thread-Topic: [Ntp] NTS IANA request
References: <CAN2QdAH9Uh_wYSEizgYTjd4Q6VFQT+tvH8dnbPgKKc59+vEfng@mail.gmail.com> <a123d81b-4994-9e35-58eb-6845cf439f91@nwtime.org> <20190605164753.6e71fcaa@rellim.com> <03055E77-EB42-494E-A231-039C4603E256@akamai.com> <CAJm83bDYZ+vcwkhFEf2YCAVwKcSm7rEgbuB0Wwsvm5XVVAMjuQ@mail.gmail.com> <C8E4189E-E3A1-4926-AF0F-93BE9C7255C8@akamai.com> <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com>
In-Reply-To: <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com>
Mime-version: 1.0
Importance: Normal
X-Priority: 3
Thread-Index: AZ2x3tU+MGYyMDc0YTk1Y2Q5ZTQ4ZQ==
From: Heiko Gerstung <heiko.gerstung@meinberg.de>
To: Daniel Franke <dfoxfranke@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
Cc: "ntp@ietf.org" <ntp@ietf.org>, "Gary E. Miller" <gem@rellim.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: clamav-milter 0.100.3 at server1a
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/tTa_LAC-iHDoFDStwiz7wVvkoIA>
Subject: Re: [Ntp] NTS IANA request
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2019 07:40:45 -0000
I initially wanted to have an IANA assigned port for NTP-over-NTS to make it easier for users to manage their firewall settings. As we know, quite a number of ISPs and corporate firewall admins created these size-limiting rules in the wake of the amplification attacks carried out via the monlist feature a while ago. Now, I do not see the problem that an IANA assigned well known port will be hit by the same firewall rules, as for the ISPs it requires most probably to create a new firewall rule (and do not put stringent packet size limits in it), if they set up a rule at all. In order to simplify firewall handling for corporate users/non-ISPs, I would recommend the well known port but obviously the NTS-KE mechanism to advertise a different port is still a good option in case some people prefer that. My suggestions: register a port (it does not really have to be a system port IMHO), use that as a default for the NTS-KE port advertising and allow users to change it. This way, someone can even use 123/udp again if they see fit. Regards, Heiko -- Heiko Gerstung Managing Director MEINBERG® Funkuhren GmbH & Co. KG Lange Wand 9 D-31812 Bad Pyrmont, Germany Phone: +49 (0)5281 9309-404 Fax: +49 (0)5281 9309-9404 Amtsgericht Hannover 17HRA 100322 Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung Email: heiko.gerstung@meinberg.de Web: Deutsch https://www.meinberg.de English https://www.meinbergglobal.com Do not miss our Time Synchronization Blog: https://blog.meinbergglobal.com Connect via LinkedIn: https://www.linkedin.com/in/heikogerstung On 06.06.19, 20:29 "ntp im Auftrag von Daniel Franke" <ntp-bounces@ietf.org im Auftrag von dfoxfranke@gmail.com> wrote: As a slight tangent, we never concluded the discussion as to what we're going to do about the fact that so many ISPs are dropping 123/udp traffic with payloads larger than 48 bytes. I think we got as far as concluding: 1. We're never going to persuade enough ISPs to change their policy, making 123/udp basically doomed. 2. NTS-KE's port negotiation record gives us all the mechanism we need in order to run NTP-with-NTS over an alternate port. But that left an unresolved question: do we allocate a fixed alternate UDP port, or should servers ask the OS for a dynamic port and then use NTS-KE to advertise whatever the OS assigns to them? Both choices have firewall-related drawbacks. If we use a fixed port, we risk landing ourselves right back in the same situation we're in today with 123. At minimum, to protect ourselves from this, the NTF would have to commit to adding some code to ntpd such that it will refuse to ever send mode 6 or 7 responses over the new port no matter what configuration the user gives it. (Yes, mode 6 too, because mode 6 still amplifies, just not as severely as mode 7 does). If we use a dynamic port, then it becomes much harder for ISPs to block us, but it also becomes harder for corporate firewalls with a default-deny-all policy to let us through. On Thu, Jun 6, 2019 at 1:06 PM Salz, Rich <rsalz@akamai.com> wrote: > > > I'm strongly opposed to modifying NTS-KE to involve sending a STARTTLS > as a first step of the handshake. I don't want to make a breaking > change to a protocol that's passed WGLC and has four interoperating > implementations in order to accommodate a protocol that has never been > implemented and whose specification consists of three vague sentences > in an unadopted and expired I-D. > > I wasn't strongly advocating either mechanism, just trying to explain how things could share a port if that's what we wanted to do. > > For the record, since I see no definition of NTP/TLS, I am in favor of assigning 123/TCP to NTS. > > _______________________________________________ ntp mailing list ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] NTS IANA request Watson Ladd
- Re: [Ntp] NTS IANA request Harlan Stenn
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Gary E. Miller
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Hal Murray
- Re: [Ntp] NTS IANA request Heiko Gerstung
- Re: [Ntp] NTS IANA request Miroslav Lichvar
- Re: [Ntp] NTS IANA request Salz, Rich
- Re: [Ntp] NTS IANA request Salz, Rich
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Salz, Rich
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Harlan Stenn
- Re: [Ntp] NTS IANA request Harlan Stenn
- Re: [Ntp] NTS IANA request kodonog@pobox.com
- Re: [Ntp] NTS IANA request kodonog@pobox.com
- Re: [Ntp] NTS IANA request Heiko Gerstung
- Re: [Ntp] NTS IANA request Hal Murray
- Re: [Ntp] NTS IANA request Danny Mayer
- Re: [Ntp] NTS IANA request Warner Losh
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Watson Ladd
- Re: [Ntp] NTS IANA request Majdi S. Abbas
- Re: [Ntp] NTS IANA request Daniel Franke
- Re: [Ntp] NTS IANA request Majdi S. Abbas
- Re: [Ntp] NTS IANA request Watson Ladd
- Re: [Ntp] NTS IANA request Harlan Stenn
- Re: [Ntp] NTS IANA request Watson Ladd
- Re: [Ntp] NTS IANA request tglassey@earthlink.net
- Re: [Ntp] NTS IANA request tglassey@earthlink.net
- Re: [Ntp] NTS IANA request tglassey@earthlink.net
- [Ntp] Antw: Re: NTS IANA request Ulrich Windl