Alternatives to port 123

Hal Murray halmurray at sonic.net
Thu May 2 20:48:23 UTC 2024


I've pushed the code for alternatives to port 123.  It's working for me, but 
could use more testing.  You might hit a case I didn't consider.

There are 2 new options for the config file:
  nts port nnnn
  extra port nnnn
They do the same thing.  Pick one.

There are two parts.

If a server uses either, the NTS-KE step will tell the client to use the alternate port.  (Be sure your firewall lets that port in.)
If a client uses either, it will send requests from the alternate port.

Note that if both client and server use this feature, neither end will use port 123 so typical filtering is very unlikely to be a problem.  That does require action on both ends.

-----------

UDP port 123 filtering is still a black art, at least to me.

If you had asked me a few weeks ago, I would have said that AT&T blocks traffic going in to UDP port 123 and traffic going out from UDP port 123.

When I tested the first try at this code, it didn't work.  I was testing with port 8123.  Plain NTP (48 bytes) and NTP+AES (68 bytes) from a client using UDP port 123 to a server on AT&T using 8123 worked as expected.  But NTP+NTS (232 bytes) from port 123 didn't make it in to my server.  Sending from other than port 123 worked.  So I added a trivial change to send from the alternate port and now it works.  But note that requires changes on both ends.

(I don't know where that new filtering is happening.  It might be some ISP between my test client on DigitalOcean and AT&T.)

If anybody gets data on NTP blocking/filtering, please send me details.

Note that for AT&T, the normal case of an NTP client goes through NAT so NTP isn't using port 123 and doesn't get blocked.

------

We should teach the server config stuff to allow:
  server name:port
The complication is that IPv6 literals contain colons.  So we need [] around the address literal.  There is code in libntp/decodenetnum.c that does much of the work, but it also does the DNS lookup so we would have to split that.  (There is some ugly code someplace in NTS that could get cleaned up after we get that working.)

-- 
These are my opinions.  I hate spam.
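The `server name:port` splitting proposed above, as an added C example that is not NTPsec's code and does not touch libntp/decodenetnum.c: it only separates the host part from the port, so the DNS lookup stays with the caller. `split_host_port` and `spec_port_for` are names of my own choosing; bracketed IPv6 literals carry a port, bare ones are taken as host-only.

```c
#include <stdlib.h>
#include <string.h>

/* Split "name:port" or "[v6-literal]:port" into host and port.  A bare
 * IPv6 literal (two or more colons, no brackets) is taken as host-only.
 * *port is 0 when no port is given (caller defaults to 123).  Returns
 * 0 on success, -1 on a malformed spec. */
int split_host_port(const char *spec, char *host, size_t hostlen, int *port)
{
    const char *hstart = spec, *hend, *pstr = NULL;
    *port = 0;
    if (*spec == '[') {                        /* bracketed IPv6 literal */
        hstart = spec + 1;
        hend = strchr(hstart, ']');
        if (hend == NULL)
            return -1;                         /* missing closing ']' */
        if (hend[1] == ':')
            pstr = hend + 2;
        else if (hend[1] != '\0')
            return -1;                         /* junk after ']' */
    } else {
        const char *first = strchr(spec, ':');
        if (first != NULL && strchr(first + 1, ':') == NULL) {
            hend = first;                      /* name:port */
            pstr = first + 1;
        } else
            hend = spec + strlen(spec);        /* name, or bare v6 literal */
    }
    if (hend == hstart || (size_t)(hend - hstart) >= hostlen)
        return -1;                             /* empty host or too long */
    memcpy(host, hstart, hend - hstart);
    host[hend - hstart] = '\0';
    if (pstr != NULL) {
        char *end;
        long p = strtol(pstr, &end, 10);
        if (*pstr == '\0' || *end != '\0' || p < 1 || p > 65535)
            return -1;                         /* not a valid port number */
        *port = (int)p;
    }
    return 0;
}

/* Check helper: port named by spec (0 = default) if host matches, else -1. */
int spec_port_for(const char *spec, const char *want_host)
{
    char host[256]; int port;
    if (split_host_port(spec, host, sizeof host, &port) != 0)
        return -1;
    return strcmp(host, want_host) == 0 ? port : -1;
}
```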