Date:      Fri, 29 Apr 2016 16:43:16 -0700 (PDT)
From:      Roger Marquis <marquis@roble.com>
To:        "Matthew X. Economou" <xenophon@irtnog.org>
Cc:        freebsd-security@freebsd.org
Subject:   RE: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp
In-Reply-To: <BABF8C57A778F04791343E5601659908237051@cinip100ntsbs.irtnog.net>
References:  <20160429082953.DB31D1769@freefall.freebsd.org> <9e6342a420259fec7bd21d6222cc6e05@zahemszky.hu> <1461929003.67736.2.camel@yandex.com> <CINIP100NTSBSRqf69a0000002a@cinip100ntsbs.irtnog.net> <BABF8C57A778F04791343E5601659908237051@cinip100ntsbs.irtnog.net>

>> What are the reasons FreeBSD has not deprecated ntpd in favor of
>> openntpd?
>
> While I cannot speak for anyone other than myself, the two simply aren't
> equivalent.  As a conscious design choice, OpenNTPD trades off accuracy
> for code simplicity.

IIRC openntpd is accurate down to ~100ms.  Ntpd does have a lot of
code dedicated to additional accuracy but this is exactly the security
trade-off I want to avoid.  Who needs millisecond accuracy anyway?

> It lacks support for NTP authentication,

This is still the case, but considering the tiny fraction of ntpd sites
that use encryption and the fact that encryption is not enabled by
default, it is not really relevant to FreeBSD.

> access controls, reference clocks, multicast/broadcast operation,

Several reflection vulnerabilities over the past few years have been due
to holes in ntpd's access control, so it's hard to appreciate their value
or the value of these other little-used features.

> or any kind of monitoring/reporting.

This is no longer correct.  Openntpd's 'ntpctl' reports are sufficient
for the vast majority of sites.

> OpenNTPD is probably closer to rdate than ntpd in terms of their relative
> capabilities.

Rdate?  Really?  This is a little over the top, don't you think?

> I'd rather we keep ntpd in base as a consequence.

I'm sure the NSA would like it if we all did, considering the order of
magnitude difference in security vulnerabilities and the fact that the
daemon has to run as root.

> The only change I'd suggest would be to alter the default configuration
> such that all unauthorized access were blocked (i.e., set "restrict default
> ignore" and "restrict -6 default ignore").

This is a good idea, perhaps, for those sites that need to run ntpd for
one of the reasons listed above but again, that's a tiny fraction of the
installed base.  Most FreeBSD systems only need to query a timehost, not
to be a time server.

One of ntpd's biggest disadvantages is that its UDP socket cannot be
disabled, i.e., it cannot be configured as just a client (though you can
use ipfw or pf to that effect).  Considering the demand for this feature,
you have to ask why ntpd hasn't been able to implement it.

Roger
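The two configurations discussed in this exchange, put side by side as an added example (this is not configuration from either poster or from the FreeBSD project): the "restrict default ignore" default that Matthew proposes, with the extra lines it needs so that replies from configured upstream servers and local ntpq queries still get through, and the pf rules that give the client-only behaviour Roger says ntpd itself cannot provide. The server hostnames, the interface name em0 and the file layout are assumptions; the "restrict source" keyword is assumed to be available in the ntpd version in use (it is in ntp 4.2.7 and later, so check ntp.conf(5) for your release).

```conf
# --- /etc/ntp.conf (added example, assumed server names) ---
# Matthew's suggestion: deny every packet by default, for both address
# families. "ignore" is stricter than the usual "kod nomodify noquery ..."
# set: it drops queries, control traffic AND time replies unless a more
# specific restrict line re-admits them.
restrict    default ignore
restrict -6 default ignore

# Without this, replies from the servers below would also be ignored.
# "source" applies the listed flags to the address of every configured
# association (server/pool), so upstream replies are accepted but the
# servers cannot modify or query this daemon.
restrict    source nomodify notrap nopeer noquery

# Re-admit the loopback so local monitoring (ntpq -p) keeps working.
restrict    127.0.0.1
restrict -6 ::1

# Upstream time sources (assumed names, replace with your own).
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst

# --- /etc/pf.conf fragment (added example, assumed interface em0) ---
# Roger's point: ntpd always listens on udp/123, so the "client only"
# shape has to come from the packet filter. ntpd sends its own queries
# from source port 123 to port 123, so the replies arrive at local port
# 123 as well; the stateful "pass out" below creates the state entry that
# lets those replies in, because pf matches existing state before it
# evaluates the block rule. Everything else aimed at udp/123 is dropped.
set skip on lo0
pass  out quick on em0 proto udp from (em0) to any port 123 keep state
block in  quick on em0 proto udp from any to (em0) port 123
```

With both fragments in place, "ntpq -p" on the host should still show the configured servers reaching a sync state, while an external "ntpq -p <host>" or a mode 6/7 request is dropped at the filter before ntpd ever sees it, which is the property that removes the host from the reflection and amplification picture described earlier in the thread.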


