Why admin's do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)
Eric S. Raymond
esr at thyrsus.com
Tue May 29 21:02:47 UTC 2018
Gary E. Miller via devel <devel at ntpsec.org>:
> Yo Eric!
> On Tue, 29 May 2018 16:17:36 -0400
> "Eric S. Raymond" <esr at thyrsus.com> wrote:
> > Please either choose one drop/no-drop or explain why these cases
> > should be treated separately.
> If that is the choice, the choice should be no-drop.
Well, then, we're back to square one, and you now have an argument
with Mark over his decision to drop filtering by name.
> A ton of ntpd installations were setup a long time ago, and unlikely an
> admin ever looks a the config. Even new ones are setup from age-old
> howto's that use the built-in ntpd IP filtering.
> if a distro should update from NTP Classic to NTPsec, and the admin
> is asleep at the wheel (99% probability), then the security features
> configured into ntdp on day-one will be lost, but no compensating
> security features, like a firewall, are configured to compensate.
> Now the poor system is wide open to abuse. Bad outcome. NTPsec gets
> a blck eye as being 'insecure'.
But when I wrote this:
"We have removed packet filtering by interface name because we judge it's
a security-defect attractor. The place to do this is in kernel-level packet
filters and firewalls, which get much more scrutiny; good admin practice
in this century is to not trust usespace packet filtering at all."
you endorsed it. Does that change if "name" in the first sentence is
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the devel