<div dir="ltr">I'm inclined to say drop the feature.<div><br></div><div>Yes defense in depth is good, but I think it doesn't really count in this case. If a network admin is defending their NTP in depth, they will do it in (in order), the local kernel table, the local switch, the ingress switch, on the ISP side on the other side of the link to the ingress switch, and in their ISP's connection to their transit providers.</div><div><br></div><div>The feature also feels very "brittle" to me, from an admin POV. How many netadmins are going to remember to update the setting when they change anything about the local interface topology, or in the local hypervisor or container topology.<br><div><br></div><div>And yes, can someone Not Me ask on the NTP list?</div><div><br></div><div>..m</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Mar 31, 2017 at 12:31 PM Gary E. Miller <<a href="mailto:gem@rellim.com">gem@rellim.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yo Mark!<br class="gmail_msg">
<br class="gmail_msg">
On Fri, 31 Mar 2017 19:19:04 +0000<br class="gmail_msg">
Mark Atwood <<a href="mailto:fallenpegasus@gmail.com" class="gmail_msg" target="_blank">fallenpegasus@gmail.com</a>> wrote:<br class="gmail_msg">
<br class="gmail_msg">
> I would like some discussion about this, however, my inclination is<br class="gmail_msg">
> to drop it.<br class="gmail_msg">
<br class="gmail_msg">
Drop the discussion, drop the old feature, or drop the work to drop the old<br class="gmail_msg">
feature?<br class="gmail_msg">
<br class="gmail_msg">
> It is my belief that when a sysadmin is going to do sophisticated<br class="gmail_msg">
> filtering based on MAC or by interface id, they will do it in their<br class="gmail_msg">
> switch or they will do locally with the ipfw or iptables feature, and<br class="gmail_msg">
> would not trust the daemon process they are trying to protect to get<br class="gmail_msg">
> it right. Every Linux-like and modern POSIX-like OS has a kernel<br class="gmail_msg">
> level table filter feature like iptables or ipfw, and doing such<br class="gmail_msg">
> filtering there is the Right Place to do it.<br class="gmail_msg">
<br class="gmail_msg">
Or the newest toy: nftables. My personal beliefe is every sysadmin<br class="gmail_msg">
should be managing his entire system from the one tool, but defense<br class="gmail_msg">
in depth is also good.<br class="gmail_msg">
<br class="gmail_msg">
> I specifically would like GEM and Hal to chime on this. Am I correct?<br class="gmail_msg">
<br class="gmail_msg">
My main concern is if anyone actually uses this option. If so, they<br class="gmail_msg">
are the more advanced users, and I'd rather not annoy them when we want<br class="gmail_msg">
them to switch to NTPsec.<br class="gmail_msg">
<br class="gmail_msg">
OTOH, if no one is actually using the option, then we can remove the<br class="gmail_msg">
option. My totally unsubstantiated gut feel is that this is a newish<br class="gmail_msg">
feature that is not used by many sysadmins, if any.<br class="gmail_msg">
<br class="gmail_msg">
So, sadly, my answer is a non-answer. When I kill off esr's suffix's<br class="gmail_msg">
I'd be happy to dig into this. I have now looked at more than a<br class="gmail_msg">
hundred current and popular ways to dor .d directories. Esr's take<br class="gmail_msg">
is very much an outlier. But more on that later, in a different<br class="gmail_msg">
thread.<br class="gmail_msg">
<br class="gmail_msg">
Maybe someone could ask on the NTP list is anyone uses the feature?<br class="gmail_msg">
<br class="gmail_msg">
RGDS<br class="gmail_msg">
GARY<br class="gmail_msg">
---------------------------------------------------------------------------<br class="gmail_msg">
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703<br class="gmail_msg">
<a href="mailto:gem@rellim.com" class="gmail_msg" target="_blank">gem@rellim.com</a> Tel:<a href="tel:(541)%20382-8588" value="+15413828588" class="gmail_msg" target="_blank">+1 541 382 8588</a><br class="gmail_msg">
<br class="gmail_msg">
Veritas liberabit vos. -- Quid est veritas?<br class="gmail_msg">
"If you can’t measure it, you can’t improve it." - Lord Kelvin<br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
devel mailing list<br class="gmail_msg">
<a href="mailto:devel@ntpsec.org" class="gmail_msg" target="_blank">devel@ntpsec.org</a><br class="gmail_msg">
<a href="http://lists.ntpsec.org/mailman/listinfo/devel" rel="noreferrer" class="gmail_msg" target="_blank">http://lists.ntpsec.org/mailman/listinfo/devel</a></blockquote></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">Mark Atwood<div><a href="http://about.me/markatwood">http://about.me/markatwood</a><div>+1-206-604-2198 SMS & Signal</div></div></div></div>