Re: UDP/123 policers & status

[Harlan Stenn <stenn () nwtime org>]

Ragnar,

On 3/28/2020 4:59 PM, Ragnar Sundblad wrote:
> > On 29 Mar 2020, at 00:35, Harlan Stenn <stenn () nwtime org> wrote:
> >
> > Ragnar,
> >
> > On 3/28/2020 4:09 PM, Ragnar Sundblad wrote:
> > > > On 28 Mar 2020, at 23:58, Harlan Stenn <stenn () nwtime org> wrote:
> > > >
> > > > > Steven Sommars said:
> > > > > > The secure time transfer of NTS was designed to avoid
> > > > >   amplification attacks.
> > > >
> > > > Uh, no.
> > >
> > > Yes, it was.
> > >
> > > As Steven said, “The secure time transfer of NTS was designed to
> > > avoid amplification attacks”. I would even say - to make it
> > > impossible to use for amplification attacks.
> >
> > Please tell me how.  I've been part of this specific topic since the
> > original NTS spec.  For what y'all are saying to be true, there are some
> > underlying assumptions that would need to be in place, and they are
> > clearly not in place now and won't be until people update their
> > software, and even better, tweak their configs.
>
> The NTS protected NTP request is always of the same size, or in some
> cases larger, than the NTS protected NTP response. It is carefully
> designed to work that way.

So what?

The use of NTS is completely independent of whether or not a server will
respond to a packet.

And an unauthenticated NTP request that generates an unauthenticated
response is *always* smaller than an authenticated request, regardless
of whether or not the server responds.

Claiming that amplification is a significant issue in the case where
there's no amplification but the base packet size is bigger is ignoring
a key piece of information, and is disingenuous in my book.

> Hence, [what Steven said].
>
> > > > If you understand what's going on from the perspective of both the
> > > > client and the server and think about the various cases, I think you'll
> > > > see what I mean.
> > >
> > > Hopefully, no-one exposes mode 6 or mode 7 on the internet anymore
> > > at least not unauthenticated, and at least not the commands that are
> > > not safe from amplification attacks. Those just can not be allowed
> > > to be used anonymously.
> >
> > But mode 6/7 is completely independent of NTS.
>
> Exactly. No one needs to, or should, expose mode6/7 at all. They were
> designed at a time when the internet was thought to be nice place were
> people behaved, decades ago, today they are just huge pains in the
> rear. Sadly allowing anonymous mode 6/7 was left in there far to long
> (admittedly being wise in hindsight is so much easier than in advance).
> And here we are, with UDP port 123 still being abused by the bad
> guys, and still being filtered by the networks.

Your statement about "exposing" is imprecise and bordering on incorrect,
at least in some cases.

But again, the use of mode 6/7 is completely independent of NTS.  You
are trying to tie them together.


> > It's disingenuous for people to imply otherwise.
>
> I couldn’t say, I don’t even know of an example of someone who does.

You've done it in two cases here, from everything I have seen.

> Ragnar

-- 
Harlan Stenn <stenn () nwtime org>
http://networktimefoundation.org - be a member!