Internet Engineering Task Force M. Lichvar
Internet-Draft Red Hat
Updates: 5905 (if approved) Feb 15, 2021
Intended status: Standards Track
Expires: August 19, 2021
Alternative NTP port
draft-ietf-ntp-alternative-port-01
Abstract
This document updates RFC 5905 to specify an alternative port for the
Network Time Protocol (NTP) which is restricted to NTP messages that
do not allow traffic amplification.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 19, 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Lichvar Expires August 19, 2021 [Page 1]
Internet-Draft Alternative NTP port Feb 2021
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Alternative port - update to RFC 5905 . . . . . . . . . . . . 3
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.1. Normative References . . . . . . . . . . . . . . . . . . 5
6.2. Informative References . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
There are several modes specified for NTP. NTP packets in versions
2, 3, and 4 have a 3-bit field for the mode. Modes 1 (active), 2
(passive), 3 (client), 4 (server), and 5 (broadcast) are used for
synchronization of clocks. They are specified in RFC 5905 [RFC5905].
Modes 6 and 7 are used for other purposes, like monitoring and remote
management of NTP servers and clients. Mode 6 is specified in
Control Messages Protocol for Use with Network Time Protocol Version
4 [I-D.ietf-ntp-mode-6-cmds].
The first group of modes typically does not allow any traffic
amplification, i.e. the response is not larger than the request. An
exception is Autokey [RFC5906], which allows an NTP response to be
longer than the request, e.g. packets containing the Certificate
Message or Cookie Message extension field. Autokey is rarely used.
If it is enabled on a publicly accessible server, the access needs to
be tightly controlled to limit denial-of-service (DoS) attacks
exploiting the amplification.
Modes 6 and 7 of NTP allow significant traffic amplification,
which has been exploited in large-scale DoS attacks on the Internet.
Publicly accessible servers that support these modes need to be
configured to not respond to requests using these modes, as recommended
in BCP 233 [RFC8633], but the number of servers that still respond to
them is significant enough to require specific mitigations.
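The following is an added example, not code from the draft or from any NTP
implementation: it decodes the 3-bit mode field from the first octet of an
NTP packet and measures the response/request size ratio of an exchange, the
way an operator auditing their own server or reviewing a capture would.  The
sample packets are constructed for illustration; their payload bytes are
placeholders.

```python
from typing import Dict

# Modes 1-5 are used for clock synchronization; 6 and 7 are used for
# monitoring and management and are the ones that allow amplification.
SYNC_MODES = {1: "active", 2: "passive", 3: "client", 4: "server", 5: "broadcast"}
OTHER_MODES = {6: "control", 7: "private"}


def parse_first_octet(packet: bytes) -> Dict[str, int]:
    """Split the first octet into leap indicator (2 bits), version (3) and mode (3)."""
    if not packet:
        raise ValueError("empty NTP packet")
    octet = packet[0]
    return {"li": octet >> 6, "version": (octet >> 3) & 0x7, "mode": octet & 0x7}


def assess_pair(request: bytes, response: bytes) -> Dict[str, object]:
    """Report request/response modes and the size ratio for one exchange."""
    req = parse_first_octet(request)
    resp = parse_first_octet(response)
    ratio = len(response) / len(request)
    if req["mode"] in OTHER_MODES:
        verdict = "amplifying mode (6/7); should not be answered publicly"
    elif ratio > 1.0:
        verdict = "sync mode but response longer than request (e.g. Autokey extension fields)"
    else:
        verdict = "no amplification"
    return {"request_mode": req["mode"], "response_mode": resp["mode"],
            "version": req["version"], "ratio": round(ratio, 2), "verdict": verdict}


def first_octet(version: int, mode: int, li: int = 0) -> int:
    """Build the LI/VN/Mode octet; used here only to construct sample packets."""
    return (li << 6) | (version << 3) | mode


# Constructed samples: a normal 48-octet v4 client/server exchange, and a
# mode 6 exchange whose 12-octet request gets a 468-octet reply, modelling
# an amplifying monitoring response.
CLIENT_REQ = bytes([first_octet(4, 3)]) + bytes(47)
SERVER_RESP = bytes([first_octet(4, 4)]) + bytes(47)
CONTROL_REQ = bytes([first_octet(2, 6)]) + bytes(11)
CONTROL_RESP = bytes([first_octet(2, 6)]) + bytes(467)

if __name__ == "__main__":
    print("sync:   ", assess_pair(CLIENT_REQ, SERVER_RESP))
    print("control:", assess_pair(CONTROL_REQ, CONTROL_RESP))
```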
Network operators have implemented different mitigations. They are
not documented and may change over time. Some of the mitigations
that have been observed are:
1. Blocked UDP packets with destination or source port 123
2. Blocked UDP packets with destination or source port 123 and
specific length (e.g. longer than 48 octets)
3. Blocked UDP packets with destination or source port 123 and NTP
mode 6 or 7
4. Limited rate of UDP packets with destination or source port 123