IETF Logo Mail Archive

Re: [Ntp] NTS IANA request

Heiko Gerstung <heiko.gerstung@meinberg.de> Fri, 07 June 2019 07:40 UTC

Return-Path: <heiko.gerstung@meinberg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80E9412008D for <ntp@ietfa.amsl.com>; Fri, 7 Jun 2019 00:40:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.289
X-Spam-Level:
X-Spam-Status: No, score=-4.289 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=meinberg.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l84zO4kMVdi8 for <ntp@ietfa.amsl.com>; Fri, 7 Jun 2019 00:40:41 -0700 (PDT)
Received: from server1a.meinberg.de (server1a.meinberg.de [176.9.44.212]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5C6A12013D for <ntp@ietf.org>; Fri, 7 Jun 2019 00:40:39 -0700 (PDT)
Received: from srv-kerioconnect.py.meinberg.de (unknown [193.158.22.2]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by server1a.meinberg.de (Postfix) with ESMTPSA id 6BB7C71C0993; Fri, 7 Jun 2019 09:40:35 +0200 (CEST)
X-DKIM: Sendmail DKIM Filter v2.8.2 server1a.meinberg.de 6BB7C71C0993
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=meinberg.de; s=mail201101; t=1559893237; bh=SV5Lda/IUgCLvuy0EeOKJfjnrFnLmc3uGuR675d55Aw=; h=Date:Subject:Message-ID:References:In-Reply-To:Mime-version:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=tT1UD0EhCgSjKooW+vRuZFR+6W7nXZZ1D/rYBie9W1IXqPbfbTfDMLDdG2c0KDdyG tGJqa7yBJrjQ/6E2IljPhTfT0DFDF+kl1Dw0DjntEXQeaijbCk1/Vy28pEw4suOPhE 72eUCdEyq93PXdPjFlgJ3Uz5pIGbOm5cjcQrG6bo=
X-Kerio-Anti-Spam: Build: [Engines: 2.15.9.1244, Stamp: 3], Multi: [Enabled, t: (0.000005,0.006912)], BW: [Enabled, t: (0.000006)], RTDA: [Enabled, t: (0.038033), Hit: No, Details: v2.7.39; Id: 15.1i616g6.1dcoe3kus.1gghv], total: 0(700)
X-Footer: bWVpbmJlcmcuZGU=
User-Agent: Microsoft-MacOutlook/10.19.0.190512
Date: Fri, 07 Jun 2019 09:40:32 +0200
Message-ID: <487FBFAD-D082-4CA8-AC14-C2CC8B007DBB@meinberg.de>
Thread-Topic: [Ntp] NTS IANA request
References: <CAN2QdAH9Uh_wYSEizgYTjd4Q6VFQT+tvH8dnbPgKKc59+vEfng@mail.gmail.com> <a123d81b-4994-9e35-58eb-6845cf439f91@nwtime.org> <20190605164753.6e71fcaa@rellim.com> <03055E77-EB42-494E-A231-039C4603E256@akamai.com> <CAJm83bDYZ+vcwkhFEf2YCAVwKcSm7rEgbuB0Wwsvm5XVVAMjuQ@mail.gmail.com> <C8E4189E-E3A1-4926-AF0F-93BE9C7255C8@akamai.com> <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com>
In-Reply-To: <CAJm83bBkU91st1CFAsx+JCLpxXyWOQnSTY9sXeuA96R8pqXdCA@mail.gmail.com>
Mime-version: 1.0
Importance: Normal
X-Priority: 3
Thread-Index: AZ2x3tU+MGYyMDc0YTk1Y2Q5ZTQ4ZQ==
From: Heiko Gerstung <heiko.gerstung@meinberg.de>
To: Daniel Franke <dfoxfranke@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
Cc: "ntp@ietf.org" <ntp@ietf.org>, "Gary E. Miller" <gem@rellim.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: clamav-milter 0.100.3 at server1a
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/tTa_LAC-iHDoFDStwiz7wVvkoIA>
Subject: Re: [Ntp] NTS IANA request
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2019 07:40:45 -0000

I initially wanted to have an IANA assigned port for NTP-over-NTS to make it easier for users to manage their firewall settings. As we know, quite a number of ISPs and corporate firewall admins created these size-limiting rules in the wake of the amplification attacks carried out via the monlist feature a while ago. Now, I do not see the problem that an IANA assigned well known port will be hit by the same firewall rules, as for the ISPs it requires most probably to create a new firewall rule (and do not put stringent packet size limits in it), if they set up a rule at all.

In order to simplify firewall handling for corporate users/non-ISPs, I would recommend the well known port but obviously the NTS-KE mechanism to advertise a different port is still a good option in case some people prefer that.

My suggestions: register a port (it does not really have to be a system port IMHO), use that as a default for the NTS-KE port advertising and allow users to change it. This way, someone can even use 123/udp again if they see fit.

Regards,
   Heiko



-- 
Heiko Gerstung 
Managing Director

MEINBERG® Funkuhren GmbH & Co. KG
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Phone:    +49 (0)5281 9309-404
Fax:        +49 (0)5281 9309-9404

Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung

Email:
 heiko.gerstung@meinberg.de 
Web:
 Deutsch   https://www.meinberg.de
 English    https://www.meinbergglobal.com

Do not miss our Time Synchronization Blog:
 https://blog.meinbergglobal.com 

Connect via LinkedIn: 
https://www.linkedin.com/in/heikogerstung
 
 

On 06.06.19, 20:29 "ntp im Auftrag von Daniel Franke" <ntp-bounces@ietf.org im Auftrag von dfoxfranke@gmail.com> wrote:

    As a slight tangent, we never concluded the discussion as to what
    we're going to do about the fact that so many ISPs are dropping
    123/udp traffic with payloads larger than 48 bytes. I think we got as
    far as concluding:
    
    1. We're never going to persuade enough ISPs to change their policy,
    making 123/udp basically doomed.
    2. NTS-KE's port negotiation record gives us all the mechanism we need
    in order to run NTP-with-NTS over an alternate port.
    
    But that left an unresolved question: do we allocate a fixed alternate
    UDP port, or should servers ask the OS for a dynamic port and then use
    NTS-KE to advertise whatever the OS assigns to them? Both choices have
    firewall-related drawbacks. If we use a fixed port, we risk landing
    ourselves right back in the same situation we're in today with 123. At
    minimum, to protect ourselves from this, the NTF would have to commit
    to adding some code to ntpd such that it will refuse to ever send mode
    6 or 7 responses over the new port no matter what configuration the
    user gives it. (Yes, mode 6 too, because mode 6 still amplifies, just
    not as severely as mode 7 does). If we use a dynamic port, then it
    becomes much harder for ISPs to block us, but it also becomes harder
    for corporate firewalls with a default-deny-all policy to let us
    through.
    
    On Thu, Jun 6, 2019 at 1:06 PM Salz, Rich <rsalz@akamai.com> wrote:
    >
    > >    I'm strongly opposed to modifying NTS-KE to involve sending a STARTTLS
    >     as a first step of the handshake. I don't want to make a breaking
    >     change to a protocol that's passed WGLC and has four interoperating
    >     implementations in order to accommodate a protocol that has never been
    >     implemented and whose specification consists of three vague sentences
    >     in an unadopted and expired I-D.
    >
    > I wasn't strongly advocating either mechanism, just trying to explain how things could share a port if that's what we wanted to do.
    >
    > For the record, since I see no definition of NTP/TLS, I am in favor of assigning 123/TCP to NTS.
    >
    >
    
    _______________________________________________
    ntp mailing list
    ntp@ietf.org
    https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email