Wildcard-socket simplification hits a wall

Mark Atwood fallenpegasus at gmail.com
Fri Mar 31 20:06:32 UTC 2017


I'm inclined to say drop the feature.

Yes defense in depth is good, but I think it doesn't really count in this
case.  If a network admin is defending their NTP in depth, they will do it
(in order) in the local kernel table, the local switch, the ingress
switch, on the ISP side on the other side of the link to the ingress
switch, and in their ISP's connection to their transit providers.

The feature also feels very "brittle" to me, from an admin POV.  How many
netadmins are going to remember to update the setting when they change
anything about the local interface topology, or in the local hypervisor or
container topology?

And yes, can someone Not Me ask on the NTP list?

..m

On Fri, Mar 31, 2017 at 12:31 PM Gary E. Miller <gem at rellim.com> wrote:

> Yo Mark!
>
> On Fri, 31 Mar 2017 19:19:04 +0000
> Mark Atwood <fallenpegasus at gmail.com> wrote:
>
> > I would like some discussion about this, however, my inclination is
> > to drop it.
>
> Drop the discussion, drop the old feature, or drop the work to drop the old
> feature?
>
> > It is my belief that when a sysadmin is going to do sophisticated
> > filtering based on MAC or by interface id, they will do it in their
> > switch or they will do locally with the ipfw or iptables feature, and
> > would not trust the daemon process they are trying to protect to get
> > it right.    Every Linux-like and modern POSIX-like OS has a kernel
> > level table filter feature like iptables or ipfw, and doing such
> > filtering there is the Right Place to do it.
>
> Or the newest toy: nftables.  My personal belief is every sysadmin
> should be managing his entire system from the one tool, but defense
> in depth is also good.
>
> > I specifically would like GEM and Hal to chime on this.  Am I correct?
>
> My main concern is if anyone actually uses this option.  If so, they
> are the more advanced users, and I'd rather not annoy them when we want
> them to switch to NTPsec.
>
> OTOH, if no one is actually using the option, then we can remove the
> option.  My totally unsubstantiated gut feel is that this is a newish
> feature that is not used by many sysadmins, if any.
>
> So, sadly, my answer is a non-answer.  When I kill off esr's suffixes
> I'd be happy to dig into this.  I have now looked at more than a
> hundred current and popular ways to do .d directories.  Esr's take
> is very much an outlier.  But more on that later, in a different
> thread.
>
> Maybe someone could ask on the NTP list if anyone uses the feature?
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>         gem at rellim.com  Tel:+1 541 382 8588
>
>             Veritas liberabit vos. -- Quid est veritas?
>     "If you can’t measure it, you can’t improve it." - Lord Kelvin
> _______________________________________________
> devel mailing list
> devel at ntpsec.org
> http://lists.ntpsec.org/mailman/listinfo/devel

-- 
Mark Atwood
http://about.me/markatwood
+1-206-604-2198 SMS & Signal
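The kernel-table filtering the thread prefers over a daemon-side interface option, as an added example that is not from the thread or from NTPsec: a POSIX shell function that emits an nftables ruleset accepting NTP (UDP/123) only on one named interface, with an optional IPv4 source prefix. The interface name and prefix are assumed sample values.

```shell
#!/bin/sh
# Added example, not NTPsec code: print an nftables ruleset that lets NTP
# (UDP port 123) reach the host only on the interface given as $1, and
# optionally only from the IPv4 prefix given as $2. Every other NTP packet
# is dropped in the kernel, so a wildcard-bound ntpd socket never sees it.
# Sample values (eth0, 192.0.2.0/24) are assumptions; adjust for your host.
ntp_nft_ruleset() {
    iface=$1
    match=""
    # A source prefix is optional; when absent, any source on $iface is allowed.
    # Note: "ip saddr" matches IPv4 only; add an "ip6 saddr" rule for IPv6 peers.
    [ -n "$2" ] && match="ip saddr $2 "
    cat <<EOF
table inet ntp_guard {
    chain input {
        type filter hook input priority filter; policy accept;
        # NTP arriving on the permitted interface (and prefix, if given).
        iifname "$iface" ${match}udp dport 123 accept
        # NTP arriving anywhere else: dropped before the daemon sees it.
        udp dport 123 drop
    }
}
EOF
}

# Count the NTP rules in a generated ruleset (two: one accept, one drop).
ntp_nft_rule_count() {
    ntp_nft_ruleset "$1" "$2" | grep -c 'udp dport 123'
}

# To load it on a host with nftables:  ntp_nft_ruleset eth0 192.0.2.0/24 | nft -f -
```

Loading requires root and the nft tool; the functions themselves only generate text, so they can be reviewed before anything is applied.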