From: Charles Swiger
To: Roger Marquis
Cc: freebsd-security
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp
Date: Fri, 29 Apr 2016 17:09:13 -0700
On Apr 29, 2016, at 4:43 PM, Roger Marquis wrote:
>>> What are the reasons FreeBSD has not deprecated ntpd in favor of
>>> openntpd?
>>
>> While I cannot speak for anyone other than myself, the two simply aren't
>> equivalent. As a conscious design choice, OpenNTPD trades off accuracy
>> for code simplicity.
>
> IIRC openntpd is accurate down to ~100ms.

Hopefully better, since that is terrible clock accuracy.

> Ntpd does have a lot of code dedicated to additional accuracy but this is
> exactly the security trade-off I want to avoid.

Most of the ntpd security bugs relate to authentication, in part because
almost nobody ever used it. The timing code is more robust.

> Who needs millisecond accuracy anyway?

Cell phones, cell phone towers, computers handling financial transactions, etc.

>> It lacks support for NTP authentication,
>
> This is still the case but considering the tiny fraction of ntpd sites
> that use encryption and the fact that encryption is not enabled by
> default it is not really relevant to FreeBSD.

I'll give you this-- ntp auth is unlikely to be missed by most people.

>> access controls, reference clocks, multicast/broadcast operation,
>
> Several reflection vulnerabilities over the past few years have been due
> to holes in ntpd's access control so it's hard to appreciate their value
> or the value of these other little-used features.

Any listening network service can be used for reflection attacks.

>> or any kind of monitoring/reporting.
>
> This is no longer correct. Openntpd's 'ntpctl' reports are sufficient
> for the vast majority of sites.

Surely individual sites can make up their own minds about that, right?

>> OpenNTPD is probably closer to rdate than ntpd in terms of their relative
>> capabilities.
>
> Rdate? Really? This is a little over the top, don't you think?

Not really. Lack of reference clocks is a big deal, and so is SNTP vs NTP.

>> I'd rather we keep ntpd in base as a consequence.
>
> I'm sure the NSA would like it if we all did, considering the order of
> magnitude difference in security vulnerabilities and the fact that the
> daemon has to run as root.

Most time daemons need root in order to execute adjtime() / adjtimex() / ntp_adjtime().
Systems with a capability model might use something like CAP_SYS_TIME instead;
if present, ntpd can be run without root-- see NetBSD, Solaris, and some Linux flavors.

>> The only change I'd suggest would be to alter the default configuration
>> such that all unauthorized access were blocked (i.e., set "restrict default
>> ignore" and "restrict -6 default ignore").
>
> This is a good idea, perhaps, for those sites that need to run ntpd for
> one of the reasons listed above but again, that's a tiny fraction of the
> installed base. Most FreeBSD systems only need to query a timehost, not
> to be a time server.

Your data for that?

> One of ntpd's biggest disadvantages is that its udp socket cannot be
> disabled, i.e., it cannot be configured as just a client (though you can
> use ipfw or pf to that effect). Considering the demand for this feature
> you have to ask why ntpd hasn't been able to implement it?

It's not possible to perform NTP timestamp exchange properly without both
sides listening, because you want to determine both the round-trip delay and the
clock offset.

openntpd implements SNTPv4 and not the NTPv4 protocol. The extra sanity
checking in the latter helps detect and mitigate against falsetickers, which is
why folks continue to use NTP and ntpd rather than rdate or SNTP implementations
like openntpd.

Regards,
-- 
-Chuck
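An ntp.conf in the spirit of the "restrict default ignore" suggestion above, added here as an example rather than taken from the thread or from FreeBSD's shipped configuration. It assumes ntpd 4.2.8-era syntax (the `pool` directive and `restrict source`); the pool hostname is an assumed choice.

```conf
# Added example; not the thread's text and not FreeBSD's shipped ntp.conf.
# Permissive: any host may ask this machine for time and for mode 6/7 status.
#restrict default nomodify notrap
#
# Hardened, as suggested above: drop every packet from every source by default
# ("ignore" covers time, control and monitoring queries alike) ...
restrict default ignore
restrict -6 default ignore
# ... then re-open only what a client needs: status queries from the local host
restrict 127.0.0.1
restrict ::1
# and replies from the servers we polled. "restrict source" is applied to each
# address the pool name resolves to, so the dynamic addresses need not be
# listed; the servers still may not reconfigure, peer with, or query this host.
restrict source nomodify notrap nopeer noquery
pool 0.freebsd.pool.ntp.org iburst   # assumed server choice; substitute your own
```

Without the `restrict source` line the default `ignore` would also discard the servers' replies and the client would never synchronise. ntpd still binds UDP port 123 with this configuration; what changes is that packets from unlisted sources are dropped, which is the substance of the client-only disagreement above.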
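The timestamp arithmetic and the falseticker check referred to above, as an added example that is not code from the thread, from ntpd or from OpenNTPD: the four-timestamp offset/delay computation (which is why the client must receive as well as send) and a simplified form of the NTPv4 intersection step, run over constructed samples in which one server is deliberately 5 s off. The dispersion fudge `disp` and all sample values are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Sample:              # one NTP client/server exchange (constructed)
    name: str
    t1: float  # client transmit time (client clock)
    t2: float  # server receive time (server clock)
    t3: float  # server transmit time (server clock)
    t4: float  # client receive time (client clock)

def offset_and_delay(s):
    """RFC 5905 on-wire arithmetic: both values need t4, so the client must
    listen for the reply; a send-only client cannot compute either one."""
    delay = (s.t4 - s.t1) - (s.t3 - s.t2)
    offset = ((s.t2 - s.t1) + (s.t3 - s.t4)) / 2
    return offset, delay

def _first_edge(edges, need, sign):
    """First endpoint at which `need` intervals are open (lows -1, highs +1)."""
    count = 0
    for x, kind in edges:
        count += sign * kind
        if count >= need:
            return x
    return None

def select_truechimers(samples, disp=0.001):
    """Simplified NTPv4 clock select (Marzullo intersection): server i claims
    the true offset lies in offset_i +/- (delay_i/2 + disp). Use the fewest
    falsetickers f for which n - f intervals (a majority) still overlap."""
    n = len(samples)
    iv = {}
    for s in samples:
        off, dly = offset_and_delay(s)
        half = abs(dly) / 2 + disp
        iv[s.name] = (off - half, off + half)
    edges = sorted([(lo, -1) for lo, _ in iv.values()] +
                   [(hi, +1) for _, hi in iv.values()])
    for f in range((n - 1) // 2 + 1):                # n - f is a strict majority
        low = _first_edge(edges, n - f, -1)          # sweep upward
        high = _first_edge(reversed(edges), n - f, +1)  # sweep downward
        if low is not None and high is not None and low <= high:
            good = sorted(k for k, (lo, hi) in iv.items() if lo <= high and hi >= low)
            return good, sorted(set(iv) - set(good))  # (truechimers, falsetickers)
    return [], sorted(iv)                            # no majority: trust no one

# Constructed: client clock 0.100 s fast; A and B honest, C's clock 5 s slow.
SAMPLES = [Sample("A", 1000.000, 999.910, 999.912, 1000.022),
           Sample("B", 2000.000, 1999.930, 1999.931, 2000.061),
           Sample("C", 3000.000, 2994.910, 2994.912, 3000.022)]
```

With only two servers that disagree (say B and C) no majority exists and the function trusts neither, which is the reason NTP deployments want more than one or two sources.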