TWC (AS11351) blocking all NTP?

> It seems that a hosts sending large amounts of NTP traffic over the
> public Internet can be safely filtered if you don't already know that
> it's one of the handful that's in the ntp.org pools or another well
> known NTP master.

Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy to be described as a "handful," something my mother used to say, but I do feel obligated to point out that it's a pretty big handful, especially if you want to be fiddling ACLs on an hourly basis, which is pretty much what it takes.

And, of course, if you're one of that handful, then you've pretty much got to allow that NTP traffic in, although you're also probably, hopefully, clue-full enough not to let random hosts make you a DDoS accelerator.

(the other) jms

> It seems that a hosts sending large amounts of NTP traffic over the
> public Internet can be safely filtered if you don't already know that
> it's one of the handful that's in the ntp.org pools or another well
> known NTP master.
>
> Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy to be described as a "handful," something my mother used to say, but I do feel obligated to point out that it's a pretty big handful, especially if you want to be fiddling ACLs on an hourly basis, which is pretty much what it takes.

I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

www.pool.ntp.org allows any NTP operator to opt in to receive NTP traffic should their clock be available and accurate.

- Jared

> I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic.
>
> www.pool.ntp.org allows any NTP operator to opt in to receive NTP traffic should their clock be available and accurate.

I believe you, but I don't believe that the set of ntp.org servers changes so rapidly that it is beyond the ability of network operators to handle the ones on their own networks as a special case.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

>> I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic.
>
> www.pool.ntp.org allows any NTP operator to opt in to receive NTP traffic should their clock be available and accurate.

> I believe you, but I don't believe that the set of ntp.org servers changes
> so rapidly that it is beyond the ability of network operators to handle
> the ones on their own networks as a special case.

There's a bootstrap issue here. I'm guessing that you may be picturing
a scenario where a network operator simply queries to obtain the list of
ntp.org servers and special-cases their own. However, I believe that
the system won't add NTP servers that appear to be nonresponsive to the
list (bootstrap paradox), and in any case the list of returned servers
is quite large and a response basically picks a few random servers, so
it is quite difficult to know what servers are on your network in an
automated fashion.

... JG
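JG's point that a pool DNS answer only hands back a few random members, illustrated with a constructed simulation added here (not code from any poster): the pool size is the 3841 figure quoted upthread; the 192.0.2.0/24 prefix, five local members, and four addresses per answer are assumptions.

```python
import random
import ipaddress

# Constructed scenario (not from the thread): the pool size is the 3841 figure
# quoted upthread; the /24 and the four addresses per DNS answer are assumptions.
POOL_SIZE = 3841
ADDRS_PER_ANSWER = 4
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # documentation prefix
LOCAL_SERVER_COUNT = 5                              # pool members inside our prefix

def build_pool(seed=1):
    """Return a sorted list of pool member addresses as strings."""
    rng = random.Random(seed)
    pool = {str(OUR_PREFIX[10 + i]) for i in range(LOCAL_SERVER_COUNT)}
    while len(pool) < POOL_SIZE:
        addr = ipaddress.ip_address(rng.getrandbits(32))
        if addr not in OUR_PREFIX:          # keep the local count exact
            pool.add(str(addr))
    return sorted(pool)

def pool_dns_answer(pool, rng):
    """Model one pool.ntp.org lookup: a few randomly chosen members.
    A server the pool's monitoring has not yet scored as good is not in
    `pool` at all, so it can never be discovered this way (the bootstrap issue)."""
    return rng.sample(pool, ADDRS_PER_ANSWER)

def local_servers_seen(pool, queries, seed=2):
    """Which of our own pool members show up after `queries` lookups."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(queries):
        for addr in pool_dns_answer(pool, rng):
            if ipaddress.ip_address(addr) in OUR_PREFIX:
                seen.add(addr)
    return seen

def queries_for_full_coverage(pool, seed=3):
    """Lookups needed before every local member has been seen at least once."""
    rng = random.Random(seed)
    local = {a for a in pool if ipaddress.ip_address(a) in OUR_PREFIX}
    seen, n = set(), 0
    while seen < local:
        n += 1
        seen.update(a for a in pool_dns_answer(pool, rng) if a in local)
    return n
```

With these numbers each local member appears in a given answer with probability 4/3841, so `queries_for_full_coverage(build_pool())` typically runs to a couple of thousand lookups, and `local_servers_seen(build_pool(), 100)` usually misses most of them.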

And even harder to identify stuff that's downstream at one of your
customer's sites.

The list is large enough, and changes often enough, that filtering on it isn't likely to be successful. Also, the list of what are "your" servers can change without warning.

Doug

I think you'd be surprised.

  I have to say I've been shocked at how little most network
operators appear to understand about how NTP actually works, and
how little thought is going into the consequences of suggested
filtering techniques.

  Has anyone considered the implications of a world where
your customers cannot correlate timestamps on abuse reports because
you decided you knew better than they did how, and which sources of
time they would be allowed to use?

  NTP works best with a diverse set of peers. You know, outside
your little bubble, or walled garden, or whatever people in this thread
appear to be trying to build. I'm not sure what to call it, but it's
definitely not the Internet.

  --msa

"The Internet" is increasingly becoming something we want someone else to implement so that we can exploit it.

Doug

On the contrary, I encourage all competitors to block protocols
indiscriminately, especially ipv4 UDP. Nothing bad could ever come of that!

-Blake