[ntpwg] [dhcwg] Re: Network Time Protocol (NTP) Options for DHCPv6

David W. Hankins David_Hankins at isc.org
Mon Nov 26 19:03:12 GMT 2007


On Sun, Nov 25, 2007 at 11:56:58PM -0500, Danny Mayer wrote:
> I refer you to the UWisc/Netgear incident paper that Dave Mills and Dave
> Plonka wrote:
> http://www.eecis.udel.edu/~mills/database/papers/ptti/ptti04a.pdf
> The brief slide version is here:
> http://www.eecis.udel.edu/~mills/database/brief/ptti/ptti04.pdf
> It also discusses the loads on a number of other servers including NIST
> and USNO
> 
> PHK's incident with D-Link is written up here:
> http://news.bbc.co.uk/2/hi/technology/4906138.stm

Yes, I thought this was a subtext of this discussion, and in my
opinion is more important than any of the security subdiscussions.

It is also good to have my facts straightened, I was going from memory
before.

> I await your suggestions on how to prevent the routers becoming
> amplifiers via DHCP to bombarding NTP servers.

I do not believe there is any reasonable way we can provide this
with complete assuredness.

It may appear that if you gave the DNS name via DHCP that the clock's
administrator can now do clever things with DNS replies to ease the
pain on the individual clocks.  So mitigation tools may exist.

However it also opens the doorway for a clock manufacturer to set
the static value to a domain name they control - and deliver A records
for other folks' clocks.

You're screwed either way...in this case, you have some control over
firmware that has not been upgraded.


So my current recommendation is still to use binary IP addresses,
and track Ralph Droms' existing draft (which covers both v4 and v6,
I also stand corrected), in carefully explaining how a DHCP server
supplying it is expected to come by the configuration values:
Either manually supplied by the operator, or reflecting options
gained upstream.  No default values.

It's my estimation that this is the best compromise between managing
the risk of DDOS and scaling the DHCP protocol.


But I believe that the NTP community is now very well versed in the
concerns and facts surrounding this case, and I look forward to
reading your draft - whatever it might say.

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?	 https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
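As an added illustration of the recommendation above (example code, not from this thread or from ISC's DHCP server): a small Python encoder that advertises NTP servers only from operator configuration or from addresses learned upstream, with no built-in default, and that accepts only literal IPv6 addresses rather than names. The option and sub-option codes used (56 and 1) are those later published in RFC 5908 and are an assumption here, not something this message states.

```python
import ipaddress
import struct

# Option and sub-option codes as later published in RFC 5908 (assumption:
# the draft discussed in this thread is taken to use this layout).
OPTION_NTP_SERVER = 56
NTP_SUBOPTION_SRV_ADDR = 1


class NoNtpServersConfigured(Exception):
    """Raised when neither the operator nor an upstream lease supplied servers."""


def select_ntp_servers(operator_configured, learned_upstream):
    """Pick the address list to advertise: operator config wins, then upstream.

    There is deliberately no built-in fallback list, so a server with no
    configuration advertises nothing rather than a vendor's default host.
    """
    if operator_configured:
        return list(operator_configured)
    if learned_upstream:
        return list(learned_upstream)
    raise NoNtpServersConfigured("no NTP servers configured; refusing to invent a default")


def encode_ntp_server_option(addresses):
    """Encode OPTION_NTP_SERVER carrying one NTP_SUBOPTION_SRV_ADDR per address.

    Only literal IPv6 addresses are accepted; a hostname (or an IPv4 literal)
    raises ValueError, so a domain name can never be handed out by this path.
    """
    body = b""
    for addr in addresses:
        ip = ipaddress.IPv6Address(addr)  # AddressValueError (a ValueError) for names
        body += struct.pack("!HH", NTP_SUBOPTION_SRV_ADDR, 16) + ip.packed
    # Outer DHCPv6 option header: 2-byte code, 2-byte length, then the sub-options.
    return struct.pack("!HH", OPTION_NTP_SERVER, len(body)) + body


def build_ntp_option(operator_configured=(), learned_upstream=()):
    """Full path: policy selection first, then wire encoding."""
    servers = select_ntp_servers(operator_configured, learned_upstream)
    return encode_ntp_server_option(servers)
```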