Mark Atwood:
> It is possible to write an iptables kernel loadable module that can do
> application level filtering, and the ntp packet format even lends itself to
> it.
>
> However, we will not go down that route. It would be Linux-only, it would
> be outside of our remit and outside of our cur
It is possible to write an iptables kernel loadable module that can do
application level filtering, and the ntp packet format even lends itself to
it.
However, we will not go down that route. It would be Linux-only, it would
be outside of our remit and outside of our current hot skill-set, it wou
Yo Achim!
On Tue, 14 Jun 2016 20:39:35 +0200
Achim Gratz wrote:
> Daniel Franke writes:
> >> Are there other good ACL languages that we can steal the spec or
> >> implementation from
> >
> > Most of the features we want to match on (basically everything
> > except IP/port) are NTP-specific, so
On 6/14/16, Achim Gratz wrote:
> Sorry for the sidetracking, but while you mention iptables: if we can
> presume the existence of a packet filter in the OS, would it perhaps
> make sense to not implement that part of the filtering in ntpd and leave
> it to that filter?
No, because most of the tim
Daniel Franke writes:
>> Are there other good ACL languages that we can steal the spec or
>> implementation from
>
> Most of the features we want to match on (basically everything except
> IP/port) are NTP-specific, so not directly. But a lot of my design was
> inspired by iptables.
Sorry for the
> I'm significantly concerned about part 3. In any transition like
> this, there is a *lot* of potential for subtle bugs due to ontological
> mismatches between the new and old ways of doing things. It's going
> to be a defect attractor, potentially a very nasty one with security
> impact (as in,
Daniel Franke:
> On 6/13/16, Mark Atwood wrote:
>
> > Are there other good ACL languages that we can steal the spec or
> > implementation from
>
> Most of the features we want to match on (basically everything except
> IP/port) are NTP-specific, so not directly. But a lot of my design was
> ins
On 6/13/16, Mark Atwood wrote:
> Are there other good ACL languages that we can steal the spec or
> implementation from
Most of the features we want to match on (basically everything except
IP/port) are NTP-specific, so not directly. But a lot of my design was
inspired by iptables.
> How hard w
I like the idea of a better defined ACL language
Are there other good ACL languages that we can steal the spec or
implementation from
How hard will it be to implement this and make sure that implementation is
not itself an attack surface
It is important that the language be readable and writable b
Remove the following existing configuration commands:
* discard
* restrict
* controlkey
* requestkey
* trustedkey
And replace them with a directive named 'rule', with the following
EBNF syntax:
rule = 'rule', {predicate}, disposition, [key]
predicate = ['not'], atom
atom = 'source', CIDR-BLOCK