Why admins do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)

Eric S. Raymond esr at thyrsus.com
Tue May 29 21:02:47 UTC 2018


Gary E. Miller via devel <devel at ntpsec.org>:
> Yo Eric!
> 
> On Tue, 29 May 2018 16:17:36 -0400
> "Eric S. Raymond" <esr at thyrsus.com> wrote:
> 
> > Please either choose one drop/no-drop or explain why these cases
> > should be treated separately.
> 
> If that is the choice, the choice should be no-drop.

Well, then, we're back to square one, and you now have an argument
with Mark over his decision to drop filtering by name.

> A ton of ntpd installations were set up a long time ago, and it is unlikely
> an admin ever looks at the config.  Even new ones are set up from age-old
> howtos that use the built-in ntpd IP filtering.
> 
> If a distro should update from NTP Classic to NTPsec, and the admin
> is asleep at the wheel (99% probability), then the security features
> configured into ntpd on day one will be lost, but no compensating
> security features, like a firewall, are configured to compensate.
> 
> Now the poor system is wide open to abuse.  Bad outcome.  NTPsec gets
> a black eye as being 'insecure'.

But when I wrote this:

"We have removed packet filtering by interface name because we judge it's
a security-defect attractor.  The place to do this is in kernel-level packet
filters and firewalls, which get much more scrutiny; good admin practice
in this century is to not trust userspace packet filtering at all."

you endorsed it.  Does that change if "name" in the first sentence is
deleted?
-- 
		Eric S. Raymond <http://www.catb.org/~esr/>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
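The kind of kernel-level rule set the message points admins to, as a stand-in for ntpd's built-in interface and IP filtering. This is an added illustration, not configuration from the thread or from the NTPsec project; "eth0", 192.0.2.0/24 and 2001:db8::/32 are placeholders for the LAN-facing interface and the trusted client networks.

```nftables
# Constructed nftables example: serve NTP only to trusted clients on the LAN
# interface, and let the kernel (not the daemon) drop everything else.
table inet ntp_guard {
    chain input {
        type filter hook input priority 0; policy accept;

        # Local tools such as ntpq talk to the daemon over loopback.
        iifname "lo" accept

        # ntpd traditionally sends its own upstream queries from source
        # port 123, so the replies also arrive on udp dport 123.  Accepting
        # established conntrack flows first keeps upstream sync working;
        # without this line the rules below would silently break it.
        ct state established,related accept

        # Trusted clients on the LAN interface only (placeholders).
        udp dport 123 iifname "eth0" ip saddr 192.0.2.0/24 accept
        udp dport 123 iifname "eth0" ip6 saddr 2001:db8::/32 accept

        # Everything else aimed at the NTP port is logged and dropped,
        # whichever interface it arrived on.
        udp dport 123 log prefix "ntp-drop: " drop
    }
}
```

Loading it with `nft -f` and checking the counter on the final drop rule shows whether anything was still relying on the daemon's old filtering.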

