<div dir="ltr">> <span style="color:rgb(33,33,33)">running a single instance in a VM for the pool.</span><div><span style="color:rgb(33,33,33)"><br></span></div><div><font color="#212121">This feature would be a misfeature in a VM, as MACs and interface IDs are particularly fluid in VMs. And if someone is running ntpd in a VM and wants to protect it in depth, they will use the hypervisor's network access control table.</font></div><div><font color="#212121"><br></font></div><div><font color="#212121">..m</font></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Mar 31, 2017 at 1:42 PM Gary E. Miller <<a href="mailto:gem@rellim.com">gem@rellim.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yo Mark!<br class="gmail_msg">
<br class="gmail_msg">
On Fri, 31 Mar 2017 20:06:32 +0000<br class="gmail_msg">
Mark Atwood <<a href="mailto:fallenpegasus@gmail.com" class="gmail_msg" target="_blank">fallenpegasus@gmail.com</a>> wrote:<br class="gmail_msg">
<br class="gmail_msg">
> I'm inclined to say drop the feature.<br class="gmail_msg">
<br class="gmail_msg">
Me too, but only as a me too. Don't blame me!<br class="gmail_msg">
<br class="gmail_msg">
> Yes defense in depth is good, but I think it doesn't really count in<br class="gmail_msg">
> this case. If a network admin is defending their NTP in depth, they<br class="gmail_msg">
> will do it in (in order), the local kernel table, the local switch,<br class="gmail_msg">
> the ingress switch, on the ISP side on the other side of the link to<br class="gmail_msg">
> the ingress switch, and in their ISP's connection to their transit<br class="gmail_msg">
> providers.<br class="gmail_msg">
<br class="gmail_msg">
Now you are thinking big boy toys, a lot of small guys run ntpd. Think<br class="gmail_msg">
of Hal running a single instance in a VM for the pool.<br class="gmail_msg">
<br class="gmail_msg">
But then, Hal would not be using this feature...<br class="gmail_msg">
<br class="gmail_msg">
> The feature also feels very "brittle" to me, from an admin POV. How<br class="gmail_msg">
> many netadmins are going to remember to update the setting when they<br class="gmail_msg">
> change anything about the local interface topology, or in the local<br class="gmail_msg">
> hypervisor or container topology.<br class="gmail_msg">
<br class="gmail_msg">
Yeah, I've been bitten by that. Especially when Gentoo changed ethernet<br class="gmail_msg">
interface names a while back.<br class="gmail_msg">
<br class="gmail_msg">
> And yes, can someone Not Me ask on the NTP list?<br class="gmail_msg">
<br class="gmail_msg">
I just asked on <a href="mailto:questions@ntp.org" class="gmail_msg" target="_blank">questions@ntp.org</a>. Did not seem like a <a href="mailto:hackers@ntp.org" class="gmail_msg" target="_blank">hackers@ntp.org</a><br class="gmail_msg">
thing.<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
RGDS<br class="gmail_msg">
GARY<br class="gmail_msg">
---------------------------------------------------------------------------<br class="gmail_msg">
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703<br class="gmail_msg">
<a href="mailto:gem@rellim.com" class="gmail_msg" target="_blank">gem@rellim.com</a> Tel:<a href="tel:(541)%20382-8588" value="+15413828588" class="gmail_msg" target="_blank">+1 541 382 8588</a><br class="gmail_msg">
<br class="gmail_msg">
Veritas liberabit vos. -- Quid est veritas?<br class="gmail_msg">
"If you can’t measure it, you can’t improve it." - Lord Kelvin<br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
devel mailing list<br class="gmail_msg">
<a href="mailto:devel@ntpsec.org" class="gmail_msg" target="_blank">devel@ntpsec.org</a><br class="gmail_msg">
<a href="http://lists.ntpsec.org/mailman/listinfo/devel" rel="noreferrer" class="gmail_msg" target="_blank">http://lists.ntpsec.org/mailman/listinfo/devel</a></blockquote></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">Mark Atwood<div><a href="http://about.me/markatwood">http://about.me/markatwood</a><div>+1-206-604-2198 SMS & Signal</div></div></div></div>