UDP/123 policers & status

Harlan Stenn stenn at nwtime.org
Thu Mar 19 02:04:58 UTC 2020



On 3/18/2020 4:46 PM, Damian Menscher via NANOG wrote:
> On Wed, Mar 18, 2020 at 8:45 AM Steven Sommars
> <stevesommarsntp at gmail.com> wrote:
> 
>     The various NTP filters (rate limits, packet size limits) are
>     negatively affecting the NTP Pool, the new secure NTP protocol
>     (Network Time Security) and other clients.  NTP filters were
>     deployed several years ago to solve serious DDoS issues, I'm not
>     second guessing those decisions.  Changing the filters to instead
>     block NTP mode 7, which cover monlist and other diagnostics, would
>     improve NTP usability.
> 
>     http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf
> 
> 
> I've advocated a throttle (not a hard block) on udp/123 packets with 468
> Bytes/packet (the size of a full monlist response).  In your paper you
> mention NTS extensions can be 200+ bytes.  How large do those packets
> typically get, in practice?  And how significant is packet loss for them
> (if there's high packet loss during the occasional attack, does that
> pose a problem)?

I expect to see NTP UDP packets that would approach the MTU limit, in
some cases.

If a packet is "too big" for some pathway, then are we talking about a
fractional packet loss or are we talking about 100% packet loss (dropped
mid-way due to size)?

> Damian

-- 
Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!
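Added example, not part of the thread or of any NTP implementation: a small Python model of the two policies under discussion, a per-packet size throttle at the 468-byte threshold from Damian's message versus a block on NTP mode 7. It assumes the RFC 8915 NTS extension field type codes (0x0104 Unique Identifier, 0x0204 Cookie, 0x0304 Cookie Placeholder, 0x0404 Authenticator); all packets are constructed here, with zeroed timestamps and cookie bytes, to show that an NTS mode 3 client request trips the size policy while a mode-based policy leaves it alone.

```python
import struct

NTP_HEADER_LEN = 48
SIZE_THROTTLE_BYTES = 468  # per-packet threshold proposed in the thread (assumption: strict >)


def ntp_version(pkt: bytes) -> int:
    """Version from the first header byte, laid out as LI:2 VN:3 Mode:3."""
    return (pkt[0] >> 3) & 0x07


def ntp_mode(pkt: bytes) -> int:
    """3-bit association mode; 3 = client, 4 = server, 7 = private/diagnostic."""
    return pkt[0] & 0x07


def make_client_packet(ext_fields):
    """Constructed v4 mode 3 request: 48-byte header (fields zeroed) plus extension
    fields encoded as 2-byte type, 2-byte total length, value padded to 4 bytes."""
    hdr = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)  # 0x23 = LI 0, VN 4, Mode 3
    body = b""
    for ef_type, value in ext_fields:
        padded = value + bytes((-len(value)) % 4)
        body += struct.pack("!HH", ef_type, 4 + len(padded)) + padded
    return hdr + body


def classify(pkt: bytes) -> dict:
    """Report what each policy would do with this packet."""
    mode = ntp_mode(pkt)
    return {
        "mode": mode,
        "size_throttle_hits": len(pkt) > SIZE_THROTTLE_BYTES,  # size-based policer
        "mode7_block_hits": mode == 7,                          # mode-based block
    }


# Constructed samples (not captures).
PLAIN_CLIENT = make_client_packet([])           # ordinary 48-byte client request
MODE7_REQ = bytes([0x17]) + bytes(7)            # 0x17 = LI 0, VN 2, Mode 7; payload zeroed
NTS_CLIENT = make_client_packet(
    [(0x0104, bytes(32))]                        # Unique Identifier (32-byte nonce)
    + [(0x0204, bytes(100))]                     # one ~100-byte NTS cookie
    + [(0x0304, bytes(100))] * 3                 # three cookie placeholders of equal size
    + [(0x0404, bytes(36))]                      # authenticator: nonce + ciphertext
)
```

Run `classify()` over the three samples: only NTS_CLIENT (540 bytes) exceeds the size threshold, and only MODE7_REQ is caught by the mode 7 rule.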