[ntp:hackers] NTP clients using source ports lower than 123

Danny Mayer mayer at ntp.org
Sun Dec 20 17:57:54 UTC 2009


Brian Utterback wrote:
> 
> Danny Mayer wrote:
>> Brian Utterback wrote:
>>> Danny Mayer wrote:
>>>
>>>> I think that is a policy decision in which case we would need to put
>>>> such a restriction into the configuration file for an admin to apply as
>>>> they see fit. In theory it should be either 123 or > 1023.
>>>>
>>>> Danny
>>>>
>>> Why in the world would you disallow the other ports below 1024?
>> That's why I consider it a policy decision. If you have an admin that
>> wants to restrict what queries it accepts then you should be able to
>> allow them to do so. I personally see no reason to allow queries from
>> privileged ports outside of ntp's 123 port, but I don't think I should
>> impose that opinion on others.
>>
>> Danny
>>
> 
> I agree that it should be a policy decision, but you stated above that
> the allowed port range should be either any port above 1023 or exactly
> 123. That is what I disagree with. Ports between 512 and 1023 are
> already treated as "ephemeral" priv ports. As an administrator, why
> should I be prevented from using an alternative priv port than 123?

You don't have to. I'm not trying to limit what you want to allow.
That's a policy decision. You are reading more into what I said than I
actually did say. You will set your own restrictions and I will set mine.

I would also point out that if I were a publicly available stratum 1
operator I would *only* allow requestors that are using port 123 so that
only other servers could use it since most client-only systems use
non-privileged ports. As a stratum 1 operator I would only want servers
that are willing to redistribute truechimes.

Danny
