[ntp:hackers] Cool new stuff
Frank Kardel
kardel at ntp.org
Mon Jul 24 16:14:38 UTC 2006
David L. Mills wrote:
> Frank,
>
> I see your point, but I really don't want to see a refclock address or
> loopback address for that matter change,
Dave,
if you mean refclock address being from 127.127.0.0/16 - it definitely
won't and can't. This is hardcoded in the daemon and artificial - we
both know that.
The peer->srcadr is completely unchanged - for all peers (refclocks and
true peers).
The interface structure denoting loopback address is referenced in
peer->dstadr. It is configured only for true refclock
(127.127.0.0/16) peers. These never send or receive via the loopback
link (also an old story) not change here either.
> since lots and lots of bad things would happen if they did.
There is nothing to worry about - old semantics have not been changed.
If the interface setup is static so will
the interface bindings be. The scan code is build around the concept of
tracking only changes.
Dave, you may have seen a message like: set_peerdstadr(127.127.x.y):
change interface from <null> to 127.0.0.1
This message is generated very early in the newpeer configuration
process and just documents that the
refclock picked up the correct localhost address. As long as
nobody(root) messes with the localhost
interface configuration in a non standard way the binding will stay
fixed. This could have been the line
worrying you. Now you will see those initialization messages at debug
level 4.
Differences wrt/ localhost come in when administrators start to
massively fiddle with the system. But even these
effects would hit old ntpd if it was restarted on such an insanely
configured system (like loopback being 128.0.0.1).
Why? Because the dynamic interface code enforces the invariant that it
sets up the interfaces like it would
set them up when started - with the same interface scan algorithm that
was used before. So
an ntpd with dynamic interface code behaves interface wise at any time
just like a *freshly* started non-dynamic
ntpd. So all assumptions/rules that were valid before dynamic interfaces
are still valid after but without losing
all other state that a re-start would lose when the interface
configuration changes.
> Is it the intended result of the scan to bring up a new address when
> the ISP changes it? Doing so by default is a serious security
> vunerability. The capability should not be provided by default and the
> user should understand and accept the risk.
discussing client via dial-in mechanism (dynamic IP address assignment
for the client):
1) no ISP can remotely change your IP address after set up (or you would
have a security hole right there already)
2) an ISP could disconnect you forcing you to re-connect (and that might
give you a new IP address -
this is the famous "Zwangstrennung").
After re-connect the system may or may not get a different IP address.
If it stays the same:
The old daemon is likely to function (subject to OS strategies
wrt/ socket and interfaces being up/down).
If the IP address has changed:
The non dynamic ntpd has its peers still connected to a socket
bearing the old (now invalid, possibly re-assigned) address.
At best the OS would not send these pakets from ntpd:transmit() at
all because they are not matching a local interface address,
BUT usually these pakets are sent with the old invalid local
address provoking a server reply to the old (now invalid and
possibly assigned to another host) address. Some OS would even
terminate the socket with an error - old ntpd has no
provision for such a case but to ignore it.
This looks more like a DOS scenario against the old daemon and if
these pakets are sent out it looks like forged IP source addresses
to others outside. Sending these pakets from an old socket might
be considered an OS bug - different story. These pakets may therefore
be blocked at some other point in the IP infrastructure (ingress
filtering).
In any case the non-dynamic daemon will not get any replys (maybe
errors on sendto if it is lucky). This situation is unlikely to
heal by itself unless the previous address is set again. Is this
security by paket-filter/forged-IP-source address ?
When the non-dynamic daemon is restarted after re-connecting the
initialization code will pick up the correct local addresses
during startup. This is at the expense of losing all other state (except
for the drift value), but connectivity is re-stored because
the correct local addresses are picked up. So the failure modes are:
old daemon: lose connectivity and possibly pollute the net with
'forged' src ip address pakets (if the OS/network allows that)
new daemon: implicitly re-bind *local* address associations - keeps
connectivity, sends correctly generated pakets and
hopefully restarts the autokey dance. This host is a new
citizen on the block after all.
Given that - I wonder why an (automatic) restart would be safer security
wise ?
Secondly the old (and new) daemon tries very hard to get hold of all
interfaces so only one daemon can fiddle with the
clock and the port 123. Not re-scanning would defeat this purpose and
leave new interfaces ignored.
So if changing the IP address and tracking that by default would be
risky security wise, why is letting ntpd sit there in the dark
and possibly sending wrong pakets out to the network not (counting DOS,
pollution as security risk)?
What is the security risk you refer to exactly and why would a restart
of the old daemon not have that problem?
> It would seem the scan interval, apparently fixed at a few minutes,
> could be refined.
-U <seconds> switch.
> It doesn't make sense to scan every few minutes if the poll interval
> is 1024 seconds or even 36 hours.
On systems where interface change notification exists (*BSD, Windows,
Solaris AFAIK) this can be made
completely on demand (currently timeout based scans run as a
fallback). On other systems the re-scan costs
some cpu cycles but does not change anything if it is not needed. The
re-scan time could be derived from
the lowest next poll time stamp - 1 of all peers if cycles are
completely at premium - I doubt that that is the case.
> How about a per-association configuration bit that operates only when
> the server becomes unreacnable and does a scan initiated by the poll
> process?
Why would a peer be unreachable? Network partition? Server down?
Interface change?
Unreachable can have many causes. The interface scan code is in the
perfect position to
find solid reasons for a network disconnect from the ntpd point of view
and is able to rectify that if allowed to, even proactively.
Also several peers bind to a single interface. Would we process peer
re-binding one by one - would some peers be stuck
on the old address if they are not allowed to pick up new local
addresses? That looks pretty strange to me.
perr grouping on interfaces is a function of the routing table and thus
dependent on network topology.
What differentiates peers bound to the same local interface to be
allowed to pick up new addresses and to be
forbidden to. What would the configuration rules be?
To me if an interface (= local address) is gone - it's gone - it doesn't
belong to the host any more using the old
address does not achieve anything. After losing a local address the
pakets need to find a new way to their destination
- this is usually via another interface (=local address) thus a
re-binding of the peer to the correct interface is needed.
>
> As for the debug display, I am only concerned about the -d level.
> Informally, I have used the -d -d level for things that happen once or
> at relatively long intervals. The stuff at the -d -d -d level and
> above are there only for emergencies and until the stuff is eventually
> removed.
>
The debug topic should be a story from the past unless I get a new
message from you. I seem to have picked the right level to
get those messages out of your way.
Frank
More information about the hackers
mailing list