[ntp:questions] symmetric active while configuration uses server mode, RFC compliant or not?

Joe the Shmoe news at edrusb.is-a-geek.org
Mon May 20 19:24:50 UTC 2013


On 20/05/2013 14:42, Brian Utterback wrote:
> Okay, that looks really weird. Just the rate of the packets seems very
> off, only 10s of milliseconds between packets.
> 
> The system whose IP address ends in b900::1:1 doesn't like it.

The host ...:1:1 is my server. It is configured to ask time from
...:1b13 as a client (using ntpd 4.2.6p2). So the first packet is OK.

> The
> second packet it sends is a KOD packet that is complaining about the
> high rate of packets, and then it shuts down and refuses to respond
> anymore.
> 

Yes, you're right! I missed it. I was wondering why my server was
initiating a symmetric active exchange toward that host; it is only a
KOD. It still remains that the mode used for that KOD is not identical to
the initial client request (mode 1 instead of mode 3)...

And I also see that subsequent symmetric active packets sent by my host
are no longer KOD but rather what seem to be plain normal symmetric
active packets, while the ntpd configuration makes use of the "server"
directive, not of the "peer" one (!)

> Packets 2 and 3 of the trace are the same packet, but with the hop count
> decremented from 56 to 51.
> 
> Actually, on closer inspection, of the 24 packets in the trace
> transmitted by 823d:1b13, they are all duplicates of only two packets.
> The same two packets are looping around your network, with the hop count
> going down by 5 each time, until they hit zero and are dropped.

Excellent! You are absolutely right, there seems to be a loop in the
network somewhere probably near the ...:1b13 host, because I have normal
exchanges from ...:1:1 host toward other destinations in IPv6 too.

> 
> Now, I grant that which ones are sending client, server, and symmetric
> active and symmetric passive is odd, but until you fix the looping,
> there is no telling what is causing that. It might be an artifact of the
> looping.
> 

Unfortunately I cannot fix the loop. I have a single physical link to
the Internet in IPv4/IPv6, and I can't see how I could make a loop here,
as moreover my host is configured not to forward IPv6 packets; after this
it is my ISP's domain...

What I retain is that I'd better change my configuration to not ask
time from the ...:1b13 server, due to the network loop involved somewhere
outside of my perimeter.

So two weird points remain, but don't waste your time with that:
- the KOD is not using the same mode as the request (mode 3), maybe a
detail?
- subsequent packets sent are no longer KOD packets ...

I just hope that this might not be exploitable to have an ntpd server
synchronizing to an arbitrary faking stratum 1 server, for example... I
have configured the "floor" to the stratum value of the servers I get time
from to reduce this risk, but I should also update the software
to a more recent version.

Thank you very much for your pertinent explanations! :)

Regards,
Joe.
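
Added example, not part of the original message or of ntpd: a small Python check for the two things discussed in this thread, classifying each NTP packet by mode and Kiss-o'-Death code, and spotting the same payload captured repeatedly with a falling hop limit. The host labels, packet contents and trace below are constructed for illustration.

```python
import struct
from collections import defaultdict

MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast"}

def make_packet(mode, stratum=0, refid=bytes(4), xmt=0, version=4):
    """Build a constructed 48-byte NTP header for the sample trace."""
    head = struct.pack("!BBbb", (version << 3) | mode, stratum, 6, -20)
    return head + bytes(8) + refid + bytes(24) + struct.pack("!Q", xmt)

def parse_ntp(payload):
    """Decode mode, stratum and kiss code from an NTP packet."""
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes")
    mode, stratum, refid = payload[0] & 7, payload[1], payload[12:16]
    # Kiss-o'-Death: stratum 0 with a four-character ASCII code as reference ID.
    kiss = refid.decode("ascii") if stratum == 0 and refid.isalpha() else None
    return {"mode": MODES.get(mode, str(mode)), "stratum": stratum, "kiss": kiss}

def looped_packets(trace):
    """Group identical payloads per source; several hop limits for one
    payload mean the same packet was captured more than once."""
    seen = defaultdict(list)
    for src, hop_limit, payload in trace:
        seen[(src, payload)].append(hop_limit)
    return {key: hops for key, hops in seen.items() if len(hops) > 1}

# Constructed trace: (source label, IPv6 hop limit, NTP payload).
REQUEST = make_packet(3, xmt=1)                       # client request
REPLY = make_packet(4, stratum=2, refid=b"\x0a\x00\x00\x01", xmt=2)
KOD = make_packet(1, refid=b"RATE", xmt=3)            # KoD sent in mode 1
TRACE = [("host-a", 64, REQUEST), ("host-b", 56, REPLY),
         ("host-b", 51, REPLY), ("host-b", 46, REPLY), ("host-a", 64, KOD)]

if __name__ == "__main__":
    for src, hop_limit, payload in TRACE:
        print(src, hop_limit, parse_ntp(payload))
    for (src, _), hops in looped_packets(TRACE).items():
        print(f"{src}: same payload seen with hop limits {hops}")
```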
