Why admin's do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)

Gary E. Miller gem at rellim.com
Tue May 29 20:50:28 UTC 2018


Yo Eric!

On Tue, 29 May 2018 16:17:36 -0400
"Eric S. Raymond" <esr at thyrsus.com> wrote:

> Please either choose one drop/no-drop or explain why these cases
> should be treated separately.

If that is the choice, the choice should be no-drop.

A ton of ntpd installations were setup a long time ago, and unlikely an
admin ever looks a the config.  Even new ones are setup from age-old
howto's that use the built-in ntpd IP filtering.

if a distro should update from NTP Classic to NTPsec, and the admin
is asleep at the wheel (99% probability), then the security features
configured into ntdp on day-one will be lost, but no compensating
security features, like a firewall, are configured to compensate.

Now the poor system is wide open to abuse.  Bad outcome.  NTPsec gets
a blck eye as being 'insecure'.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20180529/c900a6a7/attachment.bin>


More information about the devel mailing list