[ntpwg] [dhcwg] Re: Network Time Protocol (NTP) Options for DHCPv6

Hal Murray hmurray at megapathdsl.net
Tue Nov 27 08:58:49 GMT 2007


> I do wonder why some folks seem to think that using DNS names would
> somehow be "safer" than using v6 addresses. if someone shipped a
> server with a canned list of DNS names for NTP servers, there would
> be a problem until the owners of the NTP servers named moved them. I
> don't see how that'd be any better than the analogous mistake
> involving IP addresses.

I think that suggestion is coming from the NTP community rather than DHCP.  
Using names rather than addresses provides a layer of indirection which is a 
powerful tool for recovering from screwups.

If Joe-Idiot hard wires 123.123.123.123 into his dumb box and then ships a 
zillion units, the guy who owns 123.123.123.123 is screwed.  Updating the 
firmware on enough units to make a difference won't ever happen.

If ntp.example.com gets wired in, you at least have a chance to play DNS 
games to distribute the load.


> shipping a DHCP server with a canned configuration would not be good,
> so  let's hope it doesn't happen. Mark Andrews's email seems to me to
> summarize what happens: 'home' routers have a dhcp client face and a
> dhcp server face, and use the client to populate the server.

That's another form of indirection.

It seems like a sensible approach to me.  On the other hand, a lot of boxes 
were shipped that didn't work that way.  For those who haven't read it, 
Wikipedia has a good summary of the NTP mess:
  http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse


This problem has code in (at least) two places:  One is the DHCP server.  The 
other is the NTP client.  Either can screw it up.

The examples on the Wiki page didn't involve DHCP but a simple screwup in a 
DHCP server could generate similar results.  The obvious example is that if 
somebody has an NTP server address they are using for an internal NTP client 
and it is hard wired, they could easily use the same variable when they need 
something to stuff into a DHCP packet.


My vote would be to add some extra wording to emphasize this area.  Just 
saying "MUST" is too likely to get ignored.

I think the key idea is that you have to be very careful if the addresses (or 
names) you are giving out are not on your network.



As far as I can tell, all of this discussion holds for both IPv4 and IPv6.

I have no strong opinions on name vs address.  The extra level of indirection might be important.  On the other hand, it might be simpler to cleanly document and correctly implement a system that didn't have that extra layer of complexity.




-- 
These are my opinions, not necessarily my employer's.  I hate spam.
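One way to mechanise the check argued for above, as an added example that is not code from this thread: before a DHCP server hands out NTP server values, compare each one against the prefixes the operator actually owns, and against the upstream server the box's own NTP client uses, so the "same variable" mistake and off-network addresses are caught before a zillion units ship. The prefixes, addresses and the hostname below are constructed sample data.

```python
"""Sanity-check the NTP server values a DHCP server is about to advertise.

Two failure modes from the discussion are modelled: handing out an address
that is not on your own network, and reusing the upstream server of the
box's own NTP client as the value stuffed into the DHCP option.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, Iterable, List


def classify_ntp_value(value: str, owned: Iterable[str],
                       upstream: Iterable[str]) -> List[str]:
    """Return the problems found for one advertised NTP server value."""
    problems: List[str] = []
    if value in set(upstream):
        problems.append("same value as this box's own upstream NTP server")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # A DNS name: ownership cannot be verified offline, and the name is
        # itself the layer of indirection, so only the upstream check applies.
        return problems
    nets = [ipaddress.ip_network(p, strict=False) for p in owned]
    if not any(addr.version == n.version and addr in n for n in nets):
        problems.append("address is not within any locally owned prefix")
    return problems


def check_advertised(advertised: Iterable[str], owned: Iterable[str],
                     upstream: Iterable[str]) -> Dict[str, List[str]]:
    """Map each problematic advertised value to its list of problems."""
    return {v: p for v in advertised
            if (p := classify_ntp_value(v, owned, upstream))}


# Constructed sample configuration (documentation prefixes and example.com).
OWNED_PREFIXES = ["192.0.2.0/24", "2001:db8::/32"]
OWN_CLIENT_UPSTREAM = ["203.0.113.7"]        # what this box's NTP client uses
ADVERTISED = ["192.0.2.10", "2001:db8:1::123", "203.0.113.7",
              "ntp.example.com", "198.51.100.5"]

if __name__ == "__main__":
    for value, problems in check_advertised(ADVERTISED, OWNED_PREFIXES,
                                            OWN_CLIENT_UPSTREAM).items():
        print(value, "->", "; ".join(problems))
```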




