idnits 2.17.1 draft-mlichvar-ntp-alternative-port-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. == The 'Updates: ' line in the draft header should list only the _numbers_ of the RFCs which will be updated by this document (if approved); it should not include the word 'RFC' in the list. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (Apr 06, 2020) is 1473 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-11) exists of draft-ietf-ntp-mode-6-cmds-07 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force M. Lichvar 3 Internet-Draft Red Hat 4 Updates: RFC5905 (if approved) Apr 06, 2020 5 Intended status: Standards Track 6 Expires: October 8, 2020 8 Alternative NTP port 9 draft-mlichvar-ntp-alternative-port-00 11 Abstract 13 This document specifies an alternative port for the Network Time 14 Protocol (NTP) which is restricted in modes in order to avoid 15 amplification attacks. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at https://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on October 8, 2020. 34 Copyright Notice 36 Copyright (c) 2020 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (https://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 1. Introduction 51 There are several modes specified for NTP. NTP packets have a 3-bit 52 field for the mode. Modes 1, 2, 3, 4, and 5 are used for 53 synchronization of clocks. They are specified in RFC 5905 [RFC5905]. 54 Modes 6 and 7 are used for other purposes, like monitoring and remote 55 management of NTP servers and clients. The mode 6 is specified in 56 Control Messages Protocol for Use with Network Time Protocol Version 57 4 [I-D.ietf-ntp-mode-6-cmds]. 59 The first group of modes does not allow traffic amplification. 60 (Explain why?) 62 However, the modes 6 and 7 allow significant traffic amplification, 63 which has been exploited in large-scale denial-of-service (DoS) 64 attacks over the Internet. 66 Over time, network operators have been observed to implement the 67 following mitigations: 69 1. Blocked UDP packets with destination or source port 123 71 2. Blocked UDP packets with destination or source port 123 and 72 specific length (e.g. longer than 48 octets) 74 3. Blocked UDP packets with destination or source port 123 and NTP 75 mode 6 or 7 77 4. Limited rate of UDP packets with destination or source port 123 79 From those, only the 3rd approach does not have an impact on 80 synchronization of clocks with NTP. 82 The number of public servers in the pool.ntp.org project has dropped 83 in large part due to the mitigations (citation?). 85 Longer NTP packets (using extension fields) are needed by NTS 86 [I-D.ietf-ntp-using-nts-for-ntp]. 88 This document specifies an alternative port for NTP which is 89 restricted to the safe modes in order to enable synchronization of 90 clocks in networks where the port 123 is blocked or rate limited. 92 1.1. Requirements Language 94 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 95 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 96 document are to be interpreted as described in RFC 2119 [RFC2119]. 98 2. Alternative port 100 The port TBD is an alternative port for NTP. The protocol and the 101 format of NTP packets sent from or to this port is unchanged. The 102 port MAY be used in modes 1 (active), 2 (passive), 3 (client), 4 103 (server), and 5 (broadcast). The port MUST NOT be used in modes 0 104 (unspecified), 6 (control), and 7 (private). 106 An NTP server SHOULD receive requests on both the original NTP port 107 (123) and the alternative port (TBD). It MUST respond from the same 108 port which received the request. If a request is received on the 109 alternative port in a mode which is not allowed on this port, the 110 request MUST be discarded with no response. 112 When an NTP client is started, it SHOULD send the first request to 113 the alternative port. The client SHOULD be switching between the two 114 ports until a valid response is received. The client MAY send a 115 limited number of requests to both ports at the same time in order to 116 speed up the discovery of the responding port. When both ports are 117 responding, the client SHOULD prefer the alternative port. 119 An NTP server which supports NTS SHOULD include the NTPv4 Port 120 Negotiation record in NTS-KE responses to specify the alternative 121 port as the port to which the client should send NTP requests. 123 3. IANA Considerations 125 IANA is requested to allocate a (system?) UDP/TCP port. 127 4. References 129 4.1. Normative References 131 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 132 Requirement Levels", BCP 14, RFC 2119, 133 DOI 10.17487/RFC2119, March 1997, 134 . 136 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 137 "Network Time Protocol Version 4: Protocol and Algorithms 138 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 139 . 141 4.2. Informative References 143 [I-D.ietf-ntp-mode-6-cmds] 144 Haberman, B., "Control Messages Protocol for Use with 145 Network Time Protocol Version 4", draft-ietf-ntp-mode- 146 6-cmds-07 (work in progress), November 2019. 148 [I-D.ietf-ntp-using-nts-for-ntp] 149 Franke, D., Sibold, D., Teichel, K., Dansarie, M., and R. 150 Sundblad, "Network Time Security for the Network Time 151 Protocol", draft-ietf-ntp-using-nts-for-ntp-28 (work in 152 progress), March 2020. 154 Author's Address 156 Miroslav Lichvar 157 Red Hat 158 Purkynova 115 159 Brno 612 00 160 Czech Republic 162 Email: mlichvar@redhat.com