[ntp:questions] Thoughts on KOD

Magnus Danielson magnus at rubidium.dyndns.org
Sat Jul 5 22:42:41 UTC 2014


On 07/05/2014 11:40 PM, Harlan Stenn wrote:
> Folks,
> I was chatting with PHK about:
>   http://support.ntp.org/bin/view/Dev/NtpProtocolResponseMatrix
>   http://bugs.ntp.org/show_bug.cgi?id=2367
> and how we probably want to extend KOD coverage to more than just the
> "limited" case.
> I was assuming folks would want finer-grained control over this
> behavior, and thought about being able to choose any of kod-limited,
> kod-noserve, and kod-query.
> PHK suggested that we consider going the other way - KOD would mean
> "Send KODs whenever appropriate".
> I wonder what the costs/benefits will be when weighing the extra
> complexity of "multiple choices" against "when the defaults change and
> we get new behavior that we can't tune, that costs us in X and Y."
> This gets a bit more complicated when taking into consideration:
> - we'll get more traffic from a NAT gateway
> - - do we need to be able to configure a threshhold for this case?
> - we should pay attention to how a client, whom we find to be abusive,
>    reacts to:
> - - getting no response
> - - getting a KOD response
>    and adapt accordingly.
> Discussion appreciated.

There is also the aspect when KOD does not "bite". We have seen that.
Like other forms of defenses, inserting drop rules into firewall rules 
for the offending node is an alternative to consider. KOD only bites for 
nodes which follows the protocol, but somehow is offending in their 
configuration. More offensive configuration or packet generation will 
render KOD relatively useless.

Thus, there might be a limit on how much effort should be going into 
perfecting KOD-generation when maybe raising the bar even further is needed.

Then, we should also consider how KOD and drop-rule triggering can be 
used to trigger denial of service, and how to potentially protect 
against them.

Sorry for muddling your water even more.


More information about the questions mailing list