UDP/123 policers & status

• Previous message (by thread): UDP/123 policers & status
• Next message (by thread): UDP/123 policers & status
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ragnar,

On 3/28/2020 4:59 PM, Ragnar Sundblad wrote:
> 
> 
>> On 29 Mar 2020, at 00:35, Harlan Stenn <stenn at nwtime.org> wrote:
>>
>> Ragnar,
>>
>> On 3/28/2020 4:09 PM, Ragnar Sundblad wrote:
>>>
>>>> On 28 Mar 2020, at 23:58, Harlan Stenn <stenn at nwtime.org> wrote:
>>>>
>>>>> Steven Sommars said:
>>>>>> The secure time transfer of NTS was designed to avoid
>>>>>   amplification attacks.
>>>>
>>>> Uh, no.
>>>
>>> Yes, it was.
>>>
>>> As Steven said, “The secure time transfer of NTS was designed to
>>> avoid amplification attacks”. I would even say - to make it
>>> impossible to use for amplification attacks.
>>
>> Please tell me how.  I've been part of this specific topic since the
>> original NTS spec.  For what y'all are saying to be true, there are some
>> underlying assumptions that would need to be in place, and they are
>> clearly not in place now and won't be until people update their
>> software, and even better, tweak their configs.
> 
> The NTS protected NTP request is always of the same size, or in some
> cases larger, than the NTS protected NTP response. It is carefully
> designed to work that way.

So what?

The use of NTS is completely independent of whether or not a server will
respond to a packet.

And an unauthenticated NTP request that generates an unauthenticated
response is *always* smaller than an authenticated request, regardless
of whether or not the server responds.

Claiming that amplification is a significant issue in the case where
there's no amplification but the base packet size is bigger is ignoring
a key piece of information, and is disingenuous in my book.

> Hence, [what Steven said].
> 
>>>> If you understand what's going on from the perspective of both the
>>>> client and the server and think about the various cases, I think you'll
>>>> see what I mean.
>>>
>>> Hopefully, no-one exposes mode 6 or mode 7 on the internet anymore
>>> at least not unauthenticated, and at least not the commands that are
>>> not safe from amplification attacks. Those just can not be allowed
>>> to be used anonymously.
>>
>> But mode 6/7 is completely independent of NTS.
> 
> Exactly. No one needs to, or should, expose mode6/7 at all. They were
> designed at a time when the internet was thought to be nice place were
> people behaved, decades ago, today they are just huge pains in the
> rear. Sadly allowing anonymous mode 6/7 was left in there far to long
> (admittedly being wise in hindsight is so much easier than in advance).
> And here we are, with UDP port 123 still being abused by the bad
> guys, and still being filtered by the networks.

Your statement about "exposing" is imprecise and bordering on incorrect,
at least in some cases.

But again, the use of mode 6/7 is completely independent of NTS.  You
are trying to tie them together.


>> It's disingenuous for people to imply otherwise.
> 
> I couldn’t say, I don’t even know of an example of someone who does.

You've done it in two cases here, from everything I have seen.

> Ragnar

-- 
Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!

• Previous message (by thread): UDP/123 policers & status
• Next message (by thread): UDP/123 policers & status
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]