nanog mailing list archives
Re: UDP/123 policers & status
From: Harlan Stenn <stenn () nwtime org>
Date: Wed, 18 Mar 2020 19:04:58 -0700
On 3/18/2020 4:46 PM, Damian Menscher via NANOG wrote:
> On Wed, Mar 18, 2020 at 8:45 AM Steven Sommars <stevesommarsntp () gmail com> wrote:
>
>> The various NTP filters (rate limits, packet size limits) are negatively affecting the NTP Pool, the new secure NTP protocol (Network Time Security) and other clients. NTP filters were deployed several years ago to solve serious DDoS issues, I'm not second guessing those decisions. Changing the filters to instead block NTP mode 7, which covers monlist and other diagnostics, would improve NTP usability.
>>
>> http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf
>
> I've advocated a throttle (not a hard block) on udp/123 packets with 468 Bytes/packet (the size of a full monlist response). In your paper you mention NTS extensions can be 200+ bytes. How large do those packets typically get, in practice? And how significant is packet loss for them (if there's high packet loss during the occasional attack, does that pose a problem)?

I expect to see NTP UDP packets that would approach the MTU limit, in some cases. If a packet is "too big" for some pathway, then are we talking about a fractional packet loss or are we talking about 100% packet loss (dropped mid-way due to size)?

> Damian
-- 
Harlan Stenn <stenn () nwtime org>
http://networktimefoundation.org - be a member!
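
The two filter styles discussed in this thread, a size match on 468-byte udp/123 packets and a match on NTP mode 7, compared on constructed payloads. This is an added example, not code from any poster; it assumes 468 is the IPv4 packet length (20-byte IP header plus 8-byte UDP header), and the payloads are zero-filled stand-ins rather than captured traffic.

```python
IP_UDP_OVERHEAD = 20 + 8   # assumption: IPv4 header without options + UDP header
FULL_MONLIST_SIZE = 468    # bytes/packet figure quoted in the thread


def ntp_mode(payload: bytes):
    """Return the NTP mode (low 3 bits of the first byte), or None if empty."""
    if not payload:
        return None
    return payload[0] & 0x07


def size_policy(payload: bytes, size: int = FULL_MONLIST_SIZE) -> str:
    """Size-based filter: throttle any udp/123 packet of exactly `size` bytes."""
    return "throttle" if len(payload) + IP_UDP_OVERHEAD == size else "pass"


def mode_policy(payload: bytes) -> str:
    """Mode-based filter: drop mode 7 (and empty payloads), pass the rest."""
    mode = ntp_mode(payload)
    return "drop" if mode is None or mode == 7 else "pass"


# Constructed samples; only the first byte (LI/VN/mode) is meaningful.
SAMPLES = {
    # Plain 48-byte client request: version 4, mode 3.
    "client48": bytes([0x23]) + bytes(47),
    # Mode 3 request padded to 440 bytes, standing in for a client packet
    # that carries extension fields (not a valid NTS message).
    "ext440": bytes([0x23]) + bytes(47) + bytes(392),
    # Mode 7 response padded to the full 440-byte payload.
    "mode7_full": bytes([0x97]) + bytes(439),
    # Shorter mode 7 response, e.g. a partially filled reply.
    "mode7_small": bytes([0x97]) + bytes(79),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (size_policy verdict, mode_policy verdict)."""
    return {name: (size_policy(p), mode_policy(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:12s} size={verdicts[0]:8s} mode={verdicts[1]}")
```

The size match catches the large mode 3 packet and misses the short mode 7 one; the mode match does the reverse.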