Shippable ntp.conf files for the HOWTO

Gary E. Miller gem at rellim.com
Fri Jun 10 19:15:02 UTC 2016


Yo Hal!

On Fri, 10 Jun 2016 00:55:09 -0700
Hal Murray <hmurray at megapathdsl.net> wrote:

> gem at rellim.com said:
> >> The pool command hasn't been in the middle of this sort of sharp-
> >> eyed scrutiny.  I won't be surprised if there are bugs or
> >> quirks.  
> > Well, if we can't prove it is better I would not be in a hurry to
> > use it.   
> 
> Please give it a try.  We can't possibly prove anything if nobody
> tries it.

I'll wait until bug #79 is closed.  One way or another.  That is a
blocker.

And how it is closed will make a big difference.  Likely only git
versions after the fix will work, so I'll wait for the fix.

Worse yet, I'd hate to publish a how-to that fails on 99.999999% of
the installed base.  So it would have to be an experimental-only
feature of any how-to.

> gem at rellim.com said:
> > Do we need the 'restrict nopeer'?  From a quick google pretty much
> > every one says to use it.  If we need nopeer, we can't use 'pool'
> > until that bug is fixed.  
> 
> > From what I can see the nopeer is to prevent DoS.  We certainly do
> > not want to have a configuration that is known to allow DoS.  
> 
> > That pretty much makes up my mind.  Until issue #79 is closed we
> > can not use 'pool'.   
> 
> I don't know of any DoS mechanism that nopeer would fix.

There was a big media storm last year about it.  All the usual talking
heads saying to make the change.  True or not, we can't appear to ignore
the 'common wisdom'.

From my cursory reading I see the potential of memory exhaustion.  Looks
like without nopeer each client makes ntpd allocate some RAM.  If
someone sprays your server with spoofed from-addresses they will exhaust
your RAM.

Maybe not practical, but certainly theoretical.  NTPsec can't appear
to not take it seriously.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588
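As an added example (my own code, not NTPsec's and not from this thread), a small Python audit that parses an ntp.conf fragment and reports the two conditions discussed above: a default restrict line that lacks nopeer, and nopeer combined with the pool directive. The sample configs and hostnames are constructed.

```python
import shlex

def parse_ntp_conf(text):
    """Return (default_restricts, has_pool) for an ntp.conf text.

    default_restricts maps 'default', '-4 default' or '-6 default'
    to the set of flag words on that restrict line.
    Comments (#) and blank lines are ignored.
    """
    restricts = {}
    has_pool = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "pool":
            has_pool = True
        elif words[0] == "restrict":
            args = words[1:]
            fam = ""
            if args and args[0] in ("-4", "-6"):
                fam, args = args[0], args[1:]
            if args and args[0] == "default":
                restricts[f"{fam} default".strip()] = set(args[1:])
    return restricts, has_pool

def audit(text):
    """Return a list of findings for the given ntp.conf text."""
    restricts, has_pool = parse_ntp_conf(text)
    findings = []
    if not restricts:
        findings.append("no 'restrict default' line: every client gets full access")
    for key, flags in restricts.items():
        if "nopeer" not in flags:
            findings.append(f"'restrict {key}' lacks nopeer (spoofed-source association risk)")
        elif has_pool:
            findings.append(f"'restrict {key}' has nopeer but 'pool' is used (conflict noted in thread)")
    return findings

# Constructed sample configs, not taken from the thread.
WEAK_CONF = """
server ntp.example.org iburst
restrict default kod nomodify notrap noquery   # nopeer missing
restrict 127.0.0.1
"""
POOL_CONF = """
pool pool.example.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""
```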