[Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
Magnus Westerlund via Datatracker <noreply@ietf.org> Fri, 03 December 2021 10:55 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: tsv-art@ietf.org
Delivered-To: tsv-art@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AB8A3A073D; Fri, 3 Dec 2021 02:55:08 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Magnus Westerlund via Datatracker <noreply@ietf.org>
To: tsv-art@ietf.org
Cc: draft-ietf-ntp-alternative-port.all@ietf.org, ntp@ietf.org, tsvwg@ietf.org, iana-port-experts@icann.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.40.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163852890830.991.35615173535953832@ietfa.amsl.com>
Reply-To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Date: Fri, 03 Dec 2021 02:55:08 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/Sjb8z1qcR3vjOElr5im-cp624Ms>
Subject: [Tsv-art] Tsvart early review of draft-ietf-ntp-alternative-port-02
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Dec 2021 10:55:08 -0000
Reviewer: Magnus Westerlund Review result: Ready with Issues As TSVART reviewer I have included two additional mailing lists for this review response, sorry for the cross posting but I think it is relevant to get more opinions on this. The port experts, although they are not responsible for system port assignments per RFC 6335. TSVWG is included as it is the WG that have been responsible for developing the documents in BCP 165 and these rules. The main question here is if this particular case warrants an exception in regards to the principals documented by RFC 6335 and RFC 7605 (Together BCP 165)? So this document wants an alternative port that is to be used with a subset of NTPv4 that is deemed to be more operational safe and which has an packet response amplification factor below 1, i.e. for each request, one and only one response is generated and that packet is not larger than the request. For more details see (it is a very short document): https://datatracker.ietf.org/doc/draft-ietf-ntp-alternative-port/ So in regards to the basic principals this should be rejected as it is simply an alternative. However, I think this one might be a case where the exception is motivated. The service here is not identical and it has improved security properties, especially in regards to how network intermediaries may interpret the traffic. Where one might want to filter and/or block port 123 due to its potential for DDoS with a reduced risk the alternative port would imply I think this gets into the case which Section 7.1 of RFC 7605 discusses: o Separate assigned port numbers are not intended for insecure versions of existing (or new) secure services. A service that already requires security would be made more vulnerable by having the same capability accessible without security. Note that the converse is different, i.e., it can be useful to create a new, secure service that replicates an existing insecure service on a new port number assignment. This can be necessary when the existing service is not backward-compatible with security enhancements, such as the use of TLS [RFC5246] or DTLS [RFC6347]. The important difference here is that although this is not an endpoint incompatibility issue, it is an interpretation difference by the network itself. So personally I would argue for this exception to the basic principles. However, this is in the end going to be an IETF consensus decision if we allow it or not. Thus, I think discussing any views now, and allow a bit more time for discussion and also addressing any issue prior to IETF last call would be good. I also would like to ask the NTP experts if they really need a system port? >From my perspective an NTP server should not need to run with increased privileges on the host. The main purpose of NTP is after all to server the requester an answer based on its access to a clock that is believed to provide accurate time. So, could you please improve the motivation why "ntp-alt" actually needs a system port. Even if NTP as a service when originally was given port 123 a system ports it might have been considered a system services I do wonder if that assessment still stands. I would note that this motivation is required for any application for assigning a systems port. Cheers Magnus Westerlund
- [Tsv-art] Tsvart early review of draft-ietf-ntp-a… Magnus Westerlund via Datatracker
- Re: [Tsv-art] Tsvart early review of draft-ietf-n… touch@strayalpha.com
- Re: [Tsv-art] [Ntp] Tsvart early review of draft-… Danny Mayer
- Re: [Tsv-art] [tsvwg] [Ntp] Tsvart early review o… C. M. Heard
- Re: [Tsv-art] [Ntp] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Tsv-art] [Ntp] Tsvart early review of draft-… Steven Sommars
- Re: [Tsv-art] [Ntp] Tsvart early review of draft-… touch@strayalpha.com
- Re: [Tsv-art] [Ntp] Tsvart early review of draft-… Danny Mayer
- Re: [Tsv-art] [tsvwg] [Ntp] Tsvart early review o… C. M. Heard
- Re: [Tsv-art] Tsvart early review of draft-ietf-n… Erik Kline
- Re: [Tsv-art] [IANA-Port-Experts] Tsvart early re… touch@strayalpha.com
- Re: [Tsv-art] [Ntp] [IANA-Port-Experts] Tsvart ea… Salz, Rich
- Re: [Tsv-art] [Ntp] [IANA-Port-Experts] Tsvart ea… Joe Touch
- Re: [Tsv-art] [Ntp] [IANA-Port-Experts] Tsvart ea… Salz, Rich
- Re: [Tsv-art] [tsvwg] [Ntp] Tsvart early review o… Eliot Lear
- Re: [Tsv-art] [Ntp] [tsvwg] Tsvart early review o… Miroslav Lichvar