From owner-freebsd-security@FreeBSD.ORG  Tue Mar 18 07:41:21 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 6FD4BBA4
 for <freebsd-security@freebsd.org>; Tue, 18 Mar 2014 07:41:21 +0000 (UTC)
Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk
 [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 030547A9
 for <freebsd-security@freebsd.org>; Tue, 18 Mar 2014 07:41:20 +0000 (UTC)
Received: from seedling.black-earth.co.uk (seedling.black-earth.co.uk
 [81.2.117.99]) (authenticated bits=0)
 by smtp.infracaninophile.co.uk (8.14.8/8.14.8) with ESMTP id s2I7fG8h023648
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO)
 for <freebsd-security@freebsd.org>; Tue, 18 Mar 2014 07:41:16 GMT
 (envelope-from matthew@FreeBSD.org)
DKIM-Filter: OpenDKIM Filter v2.8.3 smtp.infracaninophile.co.uk s2I7fG8h023648
Authentication-Results: smtp.infracaninophile.co.uk/s2I7fG8h023648;
 dkim=none reason="no signature"; dkim-adsp=none
Message-ID: <5327F89C.60606@FreeBSD.org>
Date: Tue, 18 Mar 2014 07:41:16 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6;
 rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
References: <29310.1395114987@server1.tristatelogic.com>
In-Reply-To: <29310.1395114987@server1.tristatelogic.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="nJbI9T20nskbMJvo0DOFr0iOjOFM1ED0r"
X-Virus-Scanned: clamav-milter 0.98.1 at lucid-nonsense.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, score=-3.0 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00
 autolearn=ham version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
 lucid-nonsense.infracaninophile.co.uk
X-Mailman-Approved-At: Tue, 18 Mar 2014 11:34:52 +0000
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 07:41:21 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--nJbI9T20nskbMJvo0DOFr0iOjOFM1ED0r
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 18/03/2014 03:56, Ronald F. Guilmette wrote:
> (It was explained to me at the time that NTP operates a bit like DNS...=

> with which I am more familiar... i.e. that all outbound requests origin=
ate
> on high numbered ports, well and truly away from all low numbered ports=
,
> including, in particular, 123.  I am just re-verifying that my understa=
nding
> in this regard is correct, and that my current blanket firewall rule is=

> fine as it stands.)

It's not uncommon for NTP to have both source and destination ports set
to 123.  This was the standard some years back, but such things as NAT
always meant that couldn't be relied on.  I don't know if this is still
seen as a normal practice, but all the NTP related entries sockstat
shows me are bound to port 123 on the local side.

Unlike DNS, I don't think there are any particular security penalties to
not using a wide range of UDP source ports for NTP.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey



--nJbI9T20nskbMJvo0DOFr0iOjOFM1ED0r
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJ8BAEBCgBmBQJTJ/icXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC
QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkATqTUP/jpOcovOIrK+52MZgjZiBw93
6doxctuJa8pcBR6Hj7x76uO0tOYfzOS95RP3SWnEGpmsYJ7HDV6inMQSKc/RmmQA
4Gxs0/HRfE3bZ1DLfWUH7fZQZAVDgl/a7rn5cgr+kXfM27Qdekn5VFiAkT3ALthU
mjIcMSVEN2z0SPjIu9gp50lTcGiIlHfneyc74Fia2xUvOYjwv8inqiYm6V6h8AKu
dyquDrQdAAsg9bmjhuMZyMhwaZaSlIe7LpVFN17eCT9wbb46QEnR1IKbbxG4LWqH
H6NYFiHzy8EK7DTAbYFbynVfK+nPT15gLwDlJEq0TkjwYmjhqFsy7FW5oMBhq9f0
jLKOuU3NAw/tRgZAUuPohJr98WQcvA1DdI0i3GgYYCr64QvJqg/dgChb+B/7eEiQ
YkhciLBmgwNP/hI5RtTTmo78XIG28lXgDrHKu+5qdhdJt/v8zoR6c3ML4selfz5A
kR4Z8xEEtnSSVQSdXwFBuKbC8skdWk9Il0+jeImduxuOzR8PiaAGbPWVmHygabQt
MmlMSHwYiDZ6Wh+7Ua8kgwmpWuabMLaoLN3sUPHku8L9JD1qbLAsiWLUFyAgGHXF
nprLPPPCZSmRf+CuMZE8lewM16rtvMeTTzT8yzNeguzoWy8m5uN9LwcXdg2JaFuq
ejgaH41VwCvd9HpQzQt9
=VNFS
-----END PGP SIGNATURE-----

--nJbI9T20nskbMJvo0DOFr0iOjOFM1ED0r--