[ntp:hackers] i think it's time to review ntp's default acl's
Danny Mayer
mayer at ntp.isc.org
Fri Mar 24 04:11:08 UTC 2006
Can people please include Dave's email address on these messages? He's
not on the hackers list and this is important.
Thanks,
Danny
Paul Vixie wrote:
> # DNS and NTP are just the tip of the iceberg, and I think it's a huge one.
>
> yes.
>
> # Could somebody give me a lesson in the big picture? (URL would be great.)
>
> <http://www.ietf.org/rfc/rfc2827.txt> or the PHB summary of same, writ by me:
> <http://www.icann.org/committees/security/sac004.txt>.
>
> # Are we going to have to give up on UDP because it's easily abused by bad
> # guys?
>
> that depends on who you mean by "we" and what you mean by "bad". there will
> always be udp, and people using udp. their service will suffer, and their
> suffering will create market pressure in unexpected places/kinds/directions.
>
> the "bad" guys in this case are ISPs who choose not to deploy BCP38 based on
> the lack of economic incentive, thus creating unexpected and less desirable
> outcomes like my plan to create a BGP blackhole list for open recursive DNS
> servers.
>
> it's possible that T/TCP or SCTP should be used instead of UDP for transaction
> based services like DNS. but the timing characteristics of either are so much
> sloppier than UDP, that i don't imagine either being usable by NTP. so, no.
>
> # Is it possible to get routers to drop packets with forged source addresses?
>
> yes. every modern router has this functionality.
>
> # I assume there are both technical and social/political issues. I don't know
> # if it's reasonable to solve either.
>
> it costs money to train staff for, write policies for, debug, and handle
> customer complaints about, BCP38. the ISP who does this will save no money
> (since the pain caused by not doing it is felt by others, not by them), and
> will make no money (since customers will not pay extra for a change like this
> that adds no performance or features to their service.) so, it's economics,
> not social/political issues, that leaves us where we now are (which is to say,
> "a deer in the headlights".)
>
> # For NTP, it seems possible to allow access only by previous arrangements.
> # The administrative overhead would probably eliminate public servers as they
> # are currently used. That would encourage/require ISPs to set up NTP servers
> # for their customers.
>
> the way you say that doesn't make it sound bad. is it actually bad and you're
> just really good at the kind of spin control that i find attractive, or is it
> really as good as you imply?
> _______________________________________________
> hackers mailing list
> hackers at support.ntp.org
> https://support.ntp.org/mailman/listinfo/hackers
>
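The quoted exchange turns on one mechanism: an edge router dropping packets whose source address does not belong to the interface they arrived on (BCP38 / RFC 2827 ingress filtering), which is what stops a spoofed UDP query from turning an NTP or DNS server into a reflector. The following is an added example, not code from the original message, from ntp, or from any router vendor: a small Python simulation of that check over constructed packets. The interface-to-prefix table, the interface names and every address in it are made up for illustration (they use documentation prefixes, not real customer assignments).

```python
"""BCP38-style ingress filtering, simulated over constructed packets.

Everything below is an illustration: the interface names, the prefix table
and the sample packets are invented for this example.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical edge router. Each customer-facing interface is mapped to the
# prefixes that customer legitimately holds; a packet entering on that
# interface must carry a source inside one of them (the BCP38 rule).
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:100::/48")],
}


@dataclass(frozen=True)
class Packet:
    ifname: str   # ingress interface
    src: str      # source address as written in the packet
    dst: str
    proto: str
    dport: int


def ingress_allowed(ifname, src):
    """Return True if src lies inside a prefix assigned to ifname.

    A False here means the source is not one the sender is entitled to use,
    so the reply (e.g. an NTP response) would go to a third party. Unknown
    interfaces and unparsable addresses fail closed.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    prefixes = INGRESS_PREFIXES.get(ifname)
    if prefixes is None:
        return False
    # 'in' returns False when address and network families differ, so an
    # IPv4 source is never matched against an IPv6 prefix by accident.
    return any(addr in p for p in prefixes)


def filter_packets(packets):
    """Apply the ingress check; return (forwarded, dropped) lists in order."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_allowed(pkt.ifname, pkt.src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic. The second packet is the classic reflection
# setup: a customer on ge-0/0/1 sends an NTP query with the victim's
# address (203.0.113.7) as source, so the server's reply hits the victim.
SAMPLE = [
    Packet("ge-0/0/1", "192.0.2.10", "198.51.100.200", "udp", 123),     # legitimate
    Packet("ge-0/0/1", "203.0.113.7", "198.51.100.200", "udp", 123),    # spoofed source
    Packet("ge-0/0/2", "198.51.100.130", "192.0.2.53", "udp", 53),      # outside the /25
    Packet("ge-0/0/2", "2001:db8:100::1", "2001:db8::53", "udp", 53),   # legitimate IPv6
    Packet("ge-0/0/9", "192.0.2.10", "192.0.2.1", "udp", 123),          # unknown interface
]


if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    for p in fwd:
        print("forward", p.ifname, p.src, "->", p.dst, f"{p.proto}/{p.dport}")
    for p in drop:
        print("drop   ", p.ifname, p.src, "->", p.dst, f"{p.proto}/{p.dport}")
```

The point the simulation makes is the one Vixie makes in prose: the check is cheap and purely local to the ISP's edge, and the packet it drops would have caused harm somewhere else, which is why nothing in the filtering ISP's own traffic graphs rewards deploying it.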