Ragnar, On 3/28/2020 4:59 PM, Ragnar Sundblad wrote: > > >> On 29 Mar 2020, at 00:35, Harlan Stenn <st...@nwtime.org> wrote: >> >> Ragnar, >> >> On 3/28/2020 4:09 PM, Ragnar Sundblad wrote: >>> >>>> On 28 Mar 2020, at 23:58, Harlan Stenn <st...@nwtime.org> wrote: >>>> >>>>> Steven Sommars said: >>>>>> The secure time transfer of NTS was designed to avoid >>>>> amplification attacks. >>>> >>>> Uh, no. >>> >>> Yes, it was. >>> >>> As Steven said, “The secure time transfer of NTS was designed to >>> avoid amplification attacks”. I would even say - to make it >>> impossible to use for amplification attacks. >> >> Please tell me how. I've been part of this specific topic since the >> original NTS spec. For what y'all are saying to be true, there are some >> underlying assumptions that would need to be in place, and they are >> clearly not in place now and won't be until people update their >> software, and even better, tweak their configs. > > The NTS protected NTP request is always of the same size, or in some > cases larger, than the NTS protected NTP response. It is carefully > designed to work that way.
So what? The use of NTS is completely independent of whether or not a server will respond to a packet. And an unauthenticated NTP request that generates an unauthenticated response is *always* smaller than an authenticated request, regardless of whether or not the server responds. Claiming that amplification is a significant issue in the case where there's no amplification but the base packet size is bigger is ignoring a key piece of information, and is disingenuous in my book. > Hence, [what Steven said]. > >>>> If you understand what's going on from the perspective of both the >>>> client and the server and think about the various cases, I think you'll >>>> see what I mean. >>> >>> Hopefully, no-one exposes mode 6 or mode 7 on the internet anymore >>> at least not unauthenticated, and at least not the commands that are >>> not safe from amplification attacks. Those just can not be allowed >>> to be used anonymously. >> >> But mode 6/7 is completely independent of NTS. > > Exactly. No one needs to, or should, expose mode6/7 at all. They were > designed at a time when the internet was thought to be nice place were > people behaved, decades ago, today they are just huge pains in the > rear. Sadly allowing anonymous mode 6/7 was left in there far to long > (admittedly being wise in hindsight is so much easier than in advance). > And here we are, with UDP port 123 still being abused by the bad > guys, and still being filtered by the networks. Your statement about "exposing" is imprecise and bordering on incorrect, at least in some cases. But again, the use of mode 6/7 is completely independent of NTS. You are trying to tie them together. >> It's disingenuous for people to imply otherwise. > > I couldn’t say, I don’t even know of an example of someone who does. You've done it in two cases here, from everything I have seen. > Ragnar -- Harlan Stenn <st...@nwtime.org> http://networktimefoundation.org - be a member!