[ntp:hackers] What does "interface listen wildcard" do?
mayer at ntp.org
Fri Jul 12 13:20:25 UTC 2013
On 7/10/2013 3:01 PM, Brian Utterback wrote:
> On 7/10/2013 2:54 PM, Brian Utterback wrote:
>> On 7/9/2013 11:30 PM, Danny Mayer wrote:
>>> The short answer is "DON'T". The longer answer is that such packets
>>> are not allowed to be forwarded by a router so you should use a
>>> specific subnet specific address, e.g. 10.10.10.255 when using
>>> broadcast mode. I think that we allowed the wildcard address for such
>>> packets but it's not good news and interferes with configuring
>>> specific addresses.
>>> Danny
>> I find that position completely untenable.
That was not meant as a political comment, but as a reminder that
routers should not be forwarding such packets on and if they do so you
start to get broadcast storms which the don't route mandate was supposed
The other comment here is that broadcast has been superseded by
multicast which has much better semantics and allows a much higher
degree of control. Broadcast is also going away and is not available in
IPv6 space and you MUST use multicast for IPv6 to accomplish a similar task.
Having said that, on to the purely technical side of things:
>> 1. This used to work.
Yes it did. I'm not sure when or why it broke.
>> 2. Users expect it to work.
Right. As I recall (and I'm basing these remarks purely from memory)
there are a lot of very tricky issues with supporting this type of
broadcast packet and it may very well be that you need a wildcard socket
to do that. However there are lots of issues with having a wildcard
socket listening for packets and it makes reconfiguration very tough.
There were plenty of bugs making a wildcard socket work just for
wildcard broadcast and caused me to spend a lot of time trying to get
these fixed. What is worse is if you have multiple interfaces I think
you need to bind the listener on each interface and then which interface
did it arrive on since you need to handle separately the packet
information for each interface and address.
>> 3. I know of no network "best practice" or other document that even
>> hints that one should use directed broadcasts in preference to
>> undirected broadcasts. They each have specific uses and cannot replace
>> one another.
There are very few protocols that should be using broadcast today.
Stevens has a list of protocols that use it in his book. DHCP is one of
them and it made sense at the time but they can't use it for IPv6. NTP
was an early protocol and took advantage of its availability.
>> 4. I know of at least one major router vendor whose NTP implementation
>> does not allow the admin to set the broadcast address used by router
>> for broadcast packets.
We cannot legislate away bad design but we shouldn't try and support it
>> 5. I know of at least one major router vendor whose routers
>> automatically convert directed broadcasts passing through the router
>> into undirected broadcasts when the specified sub-net is reached.
We cannot legislate bad design. Rewriting of packets will also cause NTP
to drop such packets as the MAC would then be wrong if it is present.
>> 6. The creation of subnetting was specifically designed so that the
>> applications do not need to know the subnet masks of the adjacent
>> sub-nets. Using directed broadcasts violates this principle and will
>> probably break many configurations of virtual networking, certainly
>> those using routers I mentioned in point 5.
Using multicast avoids the problem.
> 7. In the most common case, wanting NTP broadcast packets to be sent
> out of all interfaces, the admin needs to know the sub-nets and
> interface addresses for all interfaces on the system when editing the
ntp.conf file. If directed broadcasts are used, then I would argue that
> "broadcast" without an address should be taken to mean that ntpd should
> calculate the directed broadcast address for each interface and use
> that. Customers hate having unnecessary customizations.
Instead of trying to do that as an enhancement, look at multicast for
that purpose since that will work for IPv6. I don't think we want to use
broadcast for that since it is being retired.
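Added example, not part of the mailing-list thread or of ntpd: point 7 above proposes that ntpd derive the directed broadcast address for each interface instead of the admin typing it, and the reply recommends multicast. The snippet below, which uses only Python's standard ipaddress module, shows what that derivation is (network broadcast address from interface address plus prefix length), emits the resulting ntp.conf `broadcast` lines, and classifies a destination as limited broadcast (the 255.255.255.255 wildcard a router must not forward), directed broadcast, multicast, or unicast. The interface table is constructed sample data; the interface names are assumptions.

```python
import ipaddress

# Limited ("wildcard") broadcast: delivered on-link only, routers must not forward it.
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
# IANA-assigned NTP multicast group (RFC 5905).
NTP_MULTICAST_V4 = ipaddress.IPv4Address("224.0.1.1")

# Constructed sample: interface addresses with prefix lengths, as a host would report them.
SAMPLE_INTERFACES = {
    "eth0": "10.10.10.5/24",
    "eth1": "192.168.7.130/25",
}


def directed_broadcast(addr_with_prefix: str) -> ipaddress.IPv4Address:
    """Directed (subnet) broadcast address for the subnet an interface address sits in."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return iface.network.broadcast_address


def broadcast_targets(interfaces: dict) -> dict:
    """Map interface name -> directed broadcast address string."""
    return {name: str(directed_broadcast(cidr)) for name, cidr in interfaces.items()}


def ntp_conf_lines(interfaces: dict, use_multicast: bool = False) -> list:
    """ntp.conf server-side lines: one 'broadcast <subnet-broadcast>' per interface,
    or a single 'broadcast <group>' when multicast is chosen (IPv6-capable alternative)."""
    if use_multicast:
        return [f"broadcast {NTP_MULTICAST_V4}"]
    return [f"broadcast {bcast}" for bcast in broadcast_targets(interfaces).values()]


def classify_destination(dst: str, interfaces: dict) -> str:
    """Explain what kind of destination an NTP packet address is on this host."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if addr == net.broadcast_address:
            return f"directed-broadcast:{name}"
        if addr in net:
            return f"unicast-on-link:{name}"
    return "unicast-off-link"


if __name__ == "__main__":
    for line in ntp_conf_lines(SAMPLE_INTERFACES):
        print(line)
    for dst in ("255.255.255.255", "10.10.10.255", "224.0.1.1", "192.168.7.127"):
        print(dst, "->", classify_destination(dst, SAMPLE_INTERFACES))
```

Note that the second interface is a /25, so its directed broadcast (192.168.7.255) is not what a naive "last octet 255 on a /24" guess from the interface address would give for every prefix; computing it from the actual netmask is the point of the derivation. The multicast variant needs no per-interface knowledge at all, which is the property the reply is arguing for.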