Re: [ntp:questions] kod and limited
On Fri, Nov 20, 2015 at 04:40:24PM +0100, Marco Marongiu wrote:
> Now I have two options:
> 1. remove "kod" altogether
> 2. add "limited"
>
> The defaults for discard seem sensible[3] and adding "limited" shouldn't
> result in problems. On the other hand, I am worried that (for example)
> local clients using burst/iburst or running ntpdate -q repeatedly for
> debugging purposes may be denied the service. Am I just worrying too much?
>
> What option would you recommend?

I think the recommendation is to not use the limited option at all. Some people reported that it may actually increase the amount of traffic; apparently there are broken clients that send a new request soon after missing a reply.

Also, there is a security issue that an attacker can prevent a client from getting replies by sending spoofed packets to the server. See the archive of the ntp-hackers list for more information.

-- 
Miroslav Lichvar

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
Re: [ntp:questions] kod and limited
On 24/11/15 10:44, Miroslav Lichvar wrote:
>> What option would you recommend?
>
> I think the recommendation is to not use the limited option at all.
> Some people reported that it may actually increase the amount of
> traffic, apparently there are broken clients that send a new request
> soon after missing a reply.
>
> Also, there is a security issue that an attacker can prevent a client
> from getting replies by sending spoofed packets to the server. See the
> archive of the ntp-hackers list for more information.

Thanks Miroslav, very informative as always! I'll kill "kod" altogether.

Ciao
-- 
bronto
[ntp:questions] kod and limited
Hi all

In the document "ntpd access restrictions" it is recommended to use the restriction "kod"[1]. However, when used as it is there it makes ntpd complain:

> Nov 20 11:54:00 testnode ntpd[40098]: restrict ::: KOD does nothing without LIMITED.

The documentation agrees[2]. Now I have two options:

1. remove "kod" altogether
2. add "limited"

The defaults for discard seem sensible[3] and adding "limited" shouldn't result in problems. On the other hand, I am worried that (for example) local clients using burst/iburst or running ntpdate -q repeatedly for debugging purposes may be denied the service. Am I just worrying too much?

What option would you recommend?

Thanks in advance

Ciao
-- 
bronto

[1] http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.3.
[2] http://doc.ntp.org/4.2.6p5/accopt.html#restrict
[3] http://doc.ntp.org/4.2.6p5/accopt.html#discard
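The two options from the question written out as ntp.conf restrict lines, as an added example that is not part of the thread and not taken from the ntp project's documentation. The prefix 192.0.2.0/24 is an assumption standing in for whichever local clients (the ntpdate -q and burst/iburst cases above) should never be rate-limited; ntpd applies the most specific matching restrict entry, so a LAN entry without "limited" exempts those hosts whatever the default line says.

```conf
# Added example (not from the thread): two ways to get rid of
# "restrict ... KOD does nothing without LIMITED".

# Option 1: drop "kod" and keep the other restrictions. With no "limited"
# there is no rate limiting at all, so no client can be denied service
# and no kiss-o'-death packet is ever sent.
restrict default nomodify notrap nopeer noquery

# Option 2: keep "kod" and add "limited". A client that violates the
# discard thresholds then gets a KoD packet; with "limited" but no "kod"
# its packets are dropped silently. Use this line INSTEAD of the one
# above if you choose option 2.
# restrict default kod limited nomodify notrap nopeer noquery

# "limited" enforces the thresholds from the discard command; leaving the
# discard line out keeps the documented defaults (see [3] above). The
# values below are illustrative only, not the defaults.
# discard average 4 minimum 2

# Local debugging clients that must never be rate-limited: a restrict
# entry with no flags grants full access to the matching addresses, and
# the LAN entry below carries no "limited" flag, so these hosts are not
# subject to the default line's rate limit even under option 2.
# 192.0.2.0/24 is a placeholder (assumption) for your own LAN.
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
```

Whichever option is chosen, check the ntpd log after a restart: the "KOD does nothing without LIMITED" line should no longer appear, and a client on the exempt LAN can run ntpdate -q in a tight loop without being denied.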