[ntp:questions] Restrict statements and the "pool" directive

Rob nomail at example.com
Mon Dec 22 09:14:02 UTC 2014


David Woolley <david at ex.djwhome.demon.invalid> wrote:
> On 21/12/14 20:10, Rob wrote:
>> What I got from the documentation is that without "nopeer" a server
>> could set up a "peer" association.  I don't like that.
>
> No. Without nopeer, a *client* can't set up a peer session.  If you are 
> using a system as a server, it cannot cause you more disruption than if 
> it peered itself with you.
>
> The problem here is that the exact significance of being a peer isn't 
> well documented.

Exactly.  The description in the documentation is unreadable.  There
is no plain language paragraph after the initial definition that must
be in terminology explained elsewhere, but has no pointer to there.

Until it is, it appears to be better to not use the functionality.
After 3 days of finding out how to install updates and where to get
updated source, Harlan finally stated on the Pool list:

 If you have been following BCP and only allow 'query' from trusted hosts
 you are protected from these attacks.

Was it really that hard to write that in the initial publication???
After all, it turned out to be completely unnecessary to update.
And with that, everyone would have avoided running into an issue like
this and the matter could have been studied beforehand.


