[chrony-users] RE: Can we deny non-NTS client?
- To: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
- Subject: [chrony-users] RE: Can we deny non-NTS client?
- From: "Akihiko.Izumi@xxxxxxxx" <Akihiko.Izumi@xxxxxxxx>
- Date: Tue, 20 Dec 2022 11:14:04 +0000
> The existing configuration parameters should not contain the field for rejecting clients that do not support the NTS function.
Thank you, I understand.
> To prevent attacks, you can limit the IP address or ntsratelimit.
I am considering public NTS servers which serve any NTP client.
I am afraid NTS servers are abused for DDoS amplification.
Regarding RFC8915, "8.4 Avoiding DDoS Amplification",
NTS is designed to avoid contributing any further to this problem ...
So, I think an NTS server should be able to reject non-NTS NTP requests to avoid DDoS amplification.
Best Regards,
A.Izumi
-----Original Message-----
From: chengyechun <chengyechun1@xxxxxxxxxx>
Sent: Monday, December 19, 2022 9:07 PM
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-users] Reply: Can we deny non-NTS client?
NTS is applicable to server identity authentication. The existing configuration parameters should not contain the field for rejecting clients that do not support the NTS function. To prevent attacks, you can limit the IP address or ntsratelimit.
-----Original Message-----
From: Akihiko.Izumi@xxxxxxxx [mailto:Akihiko.Izumi@xxxxxxxx]
Sent: December 19, 2022 20:00
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-users] Can we deny non-NTS client?
Hello,
When we run Chrony as a public NTP server, is it possible to deny NTP clients which do not support NTS?
If it is possible, I would like to know how to set it up.
A public NTP server which accepts both normal (non-NTS) NTP requests and NTS requests may suffer attacks both to normal NTP servers and to NTS-KE servers.
To reduce vulnerability, I would like to set up NTS servers which do not accept non-NTS NTP requests.
Best Regards,
A.Izumi