RE: [chrony-users] RE: Can we deny non-NTS client?
- To: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
- Subject: RE: [chrony-users] RE: Can we deny non-NTS client?
- From: "Akihiko.Izumi@xxxxxxxx" <Akihiko.Izumi@xxxxxxxx>
- Date: Wed, 11 Jan 2023 02:31:11 +0000
- Accept-language: ja-JP, en-US
- Thread-topic: [chrony-users] RE: Can we deny non-NTS client?
Thank you for clarifying my question. I learned a lot.
> it would not be sent as there is an additional check made before transmission comparing the length of the request and response.
What comparison is done between the length of the request and response?
> If the NTP server didn't respond to unauthenticated NTP requests, it couldn't respond with NTS NAK to indicate the client it has expired cookies.
I understand.
I think sending NTS NAK is necessary for mis-authenticated NTP packets, but not necessary for plain NTP packets.
Is my understanding correct?
I have another question.
RFC8915 describes "8.7. NTS Stripping". Isn't it applicable to Chrony?
Best Regards,
-----Original Message-----
From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Sent: Monday, January 9, 2023 9:42 PM
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] RE: Can we deny non-NTS client?
On Mon, Jan 09, 2023 at 12:15:23PM +0000, Akihiko.Izumi@xxxxxxxx wrote:
> > chrony does not implement any modes that could amplify NTP traffic
>
> Thank you.
> But I'm afraid the NTP server is vulnerable to a spoofed source IP address of an NTP client; it may participate in DDoS attacks even though chrony does not amplify NTP traffic (the amplification factor is small).
A reflection (amplification factor of 1.0) does not seem to be useful.
If you can spoof the source address, why not send packets directly to the victim? At least, I have not heard of any DDoS attacks using a 1:1 reflection.
If that was an issue, many other protocols could be exploited, e.g. TCP, ICMP.
In any case, NTP authentication doesn't prevent reflection. It actually makes it easier as the packets are longer, so a single server would reflect more traffic (if it is limited by packet rate).
--
Miroslav Lichvar
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.
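As an added illustration (not code from this thread or from chrony), the following Python model shows the reflection arithmetic discussed above: it builds constructed plain and NTS-style NTP packets, computes the response/request size ratio, and applies a simplified version of the "response no longer than the request" transmit check that Miroslav mentions. The exact chrony check, the 100-byte cookie size and the zeroed AEAD bodies are assumptions made for the example.

```python
import struct

NTP_HEADER_LEN = 48             # fixed NTPv4 header (RFC 5905)
EF_UNIQUE_ID = 0x0104           # NTS Unique Identifier (RFC 8915)
EF_COOKIE = 0x0204              # NTS Cookie
EF_COOKIE_PLACEHOLDER = 0x0304  # NTS Cookie Placeholder
EF_AUTH = 0x0404                # NTS Authenticator and Encrypted Extension Fields

def extension_field(ef_type: int, body: bytes) -> bytes:
    """Encode one RFC 7822 extension field: type, total length, body padded to 4 octets."""
    pad = (-len(body)) % 4
    return struct.pack("!HH", ef_type, 4 + len(body) + pad) + body + b"\x00" * pad

def ntp_packet(mode: int, fields=()) -> bytes:
    """Constructed NTPv4 packet: LI=0, VN=4, given mode, zeroed header, then extension fields."""
    header = bytes([(4 << 3) | mode]) + b"\x00" * (NTP_HEADER_LEN - 1)
    return header + b"".join(fields)

def parse_extension_fields(packet: bytes):
    """Return (type, length) of each extension field following the 48-byte header."""
    out, off = [], NTP_HEADER_LEN
    while off + 4 <= len(packet):
        ef_type, ef_len = struct.unpack_from("!HH", packet, off)
        if ef_len < 16 or ef_len % 4 or off + ef_len > len(packet):
            raise ValueError("malformed extension field")  # RFC 7822 minimum size / alignment
        out.append((ef_type, ef_len))
        off += ef_len
    return out

def amplification_factor(request: bytes, response: bytes) -> float:
    return len(response) / len(request)

def should_transmit(request: bytes, response: bytes) -> bool:
    """Simplified model (assumption, not chrony's code): never reflect more bytes than received."""
    return len(response) <= len(request)

# Constructed plain NTP exchange: 48-byte client request, 48-byte server response.
PLAIN_REQ, PLAIN_RESP = ntp_packet(3), ntp_packet(4)

# Constructed NTS exchange with opaque bodies (no real AEAD): the client sends one cookie plus
# N placeholders of cookie size so that the N+1 fresh cookies in the response fit the request.
NONCE = b"\x11" * 32      # constructed unique identifier
COOKIE = b"\x22" * 100    # constructed opaque cookie; real cookie size is server-defined

def nts_request(placeholders: int) -> bytes:
    fields = [extension_field(EF_UNIQUE_ID, NONCE), extension_field(EF_COOKIE, COOKIE)]
    fields += [extension_field(EF_COOKIE_PLACEHOLDER, b"\x00" * len(COOKIE))] * placeholders
    return ntp_packet(3, fields + [extension_field(EF_AUTH, b"\x00" * 16)])

def nts_response(new_cookies: int) -> bytes:
    # In the real protocol the new cookies sit encrypted inside the AEAD field; modelled as plaintext.
    inner = b"".join(extension_field(EF_COOKIE, COOKIE) for _ in range(new_cookies))
    return ntp_packet(4, [extension_field(EF_UNIQUE_ID, NONCE),
                          extension_field(EF_AUTH, b"\x00" * 16 + inner)])
```

With seven placeholders the eight-cookie response is exactly as long as the request (factor 1.0); a request carrying no placeholders would make an eight-cookie response 4.5 times larger, which the transmit check refuses.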