[ntp:questions] Behaved ... Limited ... KODed

Doug Calvert dfc-list at douglasfcalvert.net
Sat Jun 8 00:25:58 UTC 2013


I thought I understood how a client's rate control indicator goes from being
well behaved (.) to limited (L) to KoD (K) but after trying to explain this to
someone today it is obvious that I do not. A server running the most recent dev
release (or post whatever version changed minimum to seconds instead of 2**n)
ntp.conf has:

restrict default KoD limited notrap nomodify nopeer

With no discard statement, the defaults apply: average=8 (secs) and minimum=2 (secs)

accopt.html says:

"If the limited flag is present in the ACL, packets that violate these limits
are discarded. If, in addition, the KoD flag is present, a kiss-o'-death packet
is returned."

Given the above restrict line, accopt seems to indicate that my mrulist will
display either "K" or "." in the rate control field. At first rate.html seems to
agree with this description:

"Packets sent by other implementations that violate this constraint will be
dropped and a KoD packet returned, if enabled."

However, further down in rate.html it seems to indicate that there are degrees of
punishment for misbehaving clients:

"Ordinarily, packets denied service are simply dropped with no further action
except incrementing statistics counters. Sometimes a more proactive response is
needed to cause the client to slow down. A special packet has been created for
this purpose called the kiss-o'-death (KoD) packet."

A glance at my mrulist also indicates that the latter description in rate.html is
more accurate because there are "."s, "L"s and "K"s.

What does a client do to get an L? What is done differently to get a K? Can you
go from a K to an L?

On a somewhat related note:

Do I really have to send out a KoD every 2 seconds (guard time)? It seems
that the clients that are the most misbehaved are not the ones that are going
to honor the KoD packet. It is even worse if you set the guard time to allow
ntpdate through: you will be sending out KoD packets every second. Twenty
seconds and ten KoD packets later, is it realistic to expect that the next KoD
packet is going to be the one that finally makes the client stop? The ptti04a
paper introducing KoDs mentions a university firewall with 2,000 misbehaving
clients behind it. On a lot of campuses today that fw is going to be NATing
those 2,000 clients. What's the point of sending a packet every 2 seconds to the
lucky lottery winner behind the firewall?

Instead of guard time why not send KoD packets similar to the poll exponent:

After the initial KoD is sent, ignore clients for 2, 4, 8, 16, 32...X seconds
and then send another KoD packet.

Thank you for your time. I apologize if I am being ignorant about something.

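The following is an added simulation, not code from the post above or from ntpd, that models the two KoD scheduling schemes the post contrasts: a fixed guard time and the proposed poll-exponent-style backoff (2, 4, 8, 16, 32 ... seconds of silence after each KoD). ntpd's actual average/minimum rate limiter is not reproduced; as a stand-in, a packet arriving less than MINIMUM_INTERVAL seconds after the previous one from the same client is treated as a violation. The trace of a client polling once a second for twenty seconds is constructed for the example, and the rule that a client which slows back down is forgiven (backoff reset) is an assumption of this example, not documented ntpd behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumptions for this example; ntpd's real limiter is not reproduced.
MINIMUM_INTERVAL = 2.0   # seconds; a packet arriving sooner than this after the
                         # previous one from the same client counts as a violation
GUARD_TIME = 2.0         # fixed scheme: at most one KoD per guard interval
INITIAL_BACKOFF = 2.0    # backoff scheme: first silent window after a KoD
MAX_BACKOFF = 1024.0     # backoff scheme: cap on the silent window


@dataclass
class FixedGuard:
    """Answer every violating packet with a KoD unless one went out within GUARD_TIME."""
    guard: float = GUARD_TIME
    last_kod: Optional[float] = None

    def violating(self, t: float) -> str:
        if self.last_kod is None or t - self.last_kod >= self.guard:
            self.last_kod = t
            return "kod"
        return "drop"

    def conforming(self, t: float) -> None:
        pass  # the fixed scheme keeps no per-client state beyond the last KoD time


@dataclass
class ExponentialBackoff:
    """After each KoD stay silent for a window that doubles each time (capped)."""
    window: float = INITIAL_BACKOFF
    next_allowed: float = 0.0

    def violating(self, t: float) -> str:
        if t >= self.next_allowed:
            self.next_allowed = t + self.window
            self.window = min(self.window * 2, MAX_BACKOFF)
            return "kod"
        return "drop"

    def conforming(self, t: float) -> None:
        # Assumption of this example: a client that slows down to the permitted
        # rate is forgiven and starts again from the initial window.
        self.window = INITIAL_BACKOFF
        self.next_allowed = 0.0


def simulate(arrivals: List[float], policy) -> List[Tuple[float, str]]:
    """Classify each packet as 'ok', 'drop' (silently discarded) or 'kod'."""
    decisions = []
    prev = None
    for t in arrivals:
        if prev is not None and t - prev < MINIMUM_INTERVAL:
            decisions.append((t, policy.violating(t)))
        else:
            policy.conforming(t)
            decisions.append((t, "ok"))
        prev = t
    return decisions


def kod_times(decisions: List[Tuple[float, str]]) -> List[float]:
    """Timestamps at which a KoD packet would have been sent."""
    return [t for t, d in decisions if d == "kod"]


# Constructed trace: one client polling every second for twenty seconds.
HAMMERING_CLIENT = [float(s) for s in range(20)]

if __name__ == "__main__":
    for name, policy in (("fixed guard", FixedGuard()),
                         ("backoff", ExponentialBackoff())):
        print(name, kod_times(simulate(HAMMERING_CLIENT, policy)))
```

With the constructed trace the fixed 2-second guard time sends ten KoDs in twenty seconds (t = 1, 3, 5, ..., 19), the figure the post quotes, while the backoff schedule sends four (t = 1, 3, 7, 15) and then stays silent until t = 31. Both schemes drop the same violating packets; they differ only in how many KoDs are returned to a client that is ignoring them.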