Wildcard-socket simplification hits a wall
Mark Atwood
fallenpegasus at gmail.com
Fri Mar 31 20:48:10 UTC 2017
> running a single instance in a VM for the pool.
This feature would be a misfeature in a VM, as MACs and interface IDs are
particularly fluid in VMs. And if someone is running ntpd in a VM and wants
to protect it in depth, they will use the hypervisor's network access
control table.
..m
On Fri, Mar 31, 2017 at 1:42 PM Gary E. Miller <gem at rellim.com> wrote:
> Yo Mark!
>
> On Fri, 31 Mar 2017 20:06:32 +0000
> Mark Atwood <fallenpegasus at gmail.com> wrote:
>
> > I'm inclined to say drop the feature.
>
> Me too, but only as a me too. Don't blame me!
>
> > Yes defense in depth is good, but I think it doesn't really count in
> > this case. If a network admin is defending their NTP in depth, they
> > will do it in (in order), the local kernel table, the local switch,
> > the ingress switch, on the ISP side on the other side of the link to
> > the ingress switch, and in their ISP's connection to their transit
> > providers.
>
> Now you are thinking big boy toys, a lot of small guys run ntpd. Think
> of Hal running a single instance in a VM for the pool.
>
> But then, Hal would not be using this feature...
>
> > The feature also feels very "brittle" to me, from an admin POV. How
> > many netadmins are going to remember to update the setting when they
> > change anything about the local interface topology, or in the local
> > hypervisor or container topology.
>
> Yeah, I've been bitten by that. Especially when Gentoo changed ethernet
> interface names a while back.
>
> > And yes, can someone Not Me ask on the NTP list?
>
> I just asked on questions at ntp.org. Did not seem like a hackers at ntp.org
> thing.
>
>
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> gem at rellim.com Tel:+1 541 382 8588
>
> Veritas liberabit vos. -- Quid est veritas?
> "If you can’t measure it, you can’t improve it." - Lord Kelvin
> _______________________________________________
> devel mailing list
> devel at ntpsec.org
> http://lists.ntpsec.org/mailman/listinfo/devel
--
Mark Atwood
http://about.me/markatwood
+1-206-604-2198 SMS & Signal