[ntp:hackers] i think it's time to review ntp's default acl's

Danny Mayer mayer at ntp.isc.org
Fri Mar 24 04:11:08 UTC 2006

Can people please include Dave's email address on these messages? He's
not on the hackers list and this is important.



Paul Vixie wrote:
> # DNS and NTP are just the tip of the iceberg, and I think it's a huge one.
> yes.
> # Could somebody give me a lesson in the big picture?  (URL would be great.)
> <http://www.ietf.org/rfc/rfc2827.txt> or the PHB summary of same, writ by me:
> <http://www.icann.org/committees/security/sac004.txt>.
> # Are we going to have to give up on UDP because it's easily abused by bad
> # guys?
> that depends on who you mean by "we" and what you mean by "bad".  there will
> always be udp, and people using udp.  their service will suffer, and their
> suffering will create market pressure in unexpected places/kinds/directions.
> the "bad" guys in this case are ISP's who choose not to deploy BCP38 based on
> the lack of economic incentive, thus creating unexpected and less desireable
> outcomes like my plan to create a BGP blackhole list for open recursive DNS
> servers.
> it's possible that T/TCP or SCTP should be used instead of UDP for transaction
> based services like DNS.  but the timing characteristics of either are so much
> sloppier than UDP, that i don't imagine either being usable by NTP.  so, no.
> # Is it possible to get routers to drop packets with forged source addresses?  
> yes.  every modern router has this functionality.
> # I assume there are both technical and social/political issues.  I don't know 
> # if it's reasonable to solve either.
> it costs money to train staff for, write policies for, debug, and handle
> customer complaints about, BCP38.  the ISP who does this will save no money
> (since the pain caused by not doing it is felt by others, not by them), and
> will make no money (since customers will not pay extra for a change like this
> that adds no performance or features to their service.)  so, it's economics,
> not social/political issues, that leaves us where we now are (which to say,
> "a deer in the headlights".)
> # For NTP, it seems possible to allow access only by previous arrangements.  
> # The administrative overhead would probably eliminate public servers as they 
> # are currently used.  That would encourage/require ISPs to setup NTP servers 
> # for their customers.
> the way you say that doesn't make it sound bad.  is it actually bad and you're
> just really good at the kind of spin control that i find attractive, or is it
> really as good as you imply?
> _______________________________________________
> hackers mailing list
> hackers at support.ntp.org
> https://support.ntp.org/mailman/listinfo/hackers

More information about the hackers mailing list