draft-ietf-ntp-mode-6-cmds-04.txt   draft-ietf-ntp-mode-6-cmds-05.txt

Network Working Group                                          D. Mills
Internet-Draft                                  University of Delaware
Intended status: Informational                         B. Haberman, Ed.
Expires: September 27, 2018                                         JHU
                                                         March 26, 2018

  Control Messages Protocol for Use with Network Time Protocol Version 4
                       draft-ietf-ntp-mode-6-cmds-05

Abstract

This document describes the structure of the control messages used
with the Network Time Protocol.  These control messages can be used
to monitor and control the Network Time Protocol application running
on any IP network attached computer.  The information in this
document was originally described in Appendix B of RFC 1305.  The
goal of this document is to provide a historic description of the
control messages as described in RFC 1305 and any additional commands

skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 27, 2018.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents

skipping to change at page 5, line 29
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
/               Authenticator (optional, 96 bits)               /
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 1: NTP Control Message Header
Leap Indicator (LI): This is a two-bit integer that is set to b00 for
control message requests and responses.  The Leap Indicator value
used at this position in most NTP modes is in the System Status Word
provided in some control message responses.

Version Number (VN): This is a three-bit integer indicating a minimum
NTP version number.  NTP servers do not respond to control messages
with an unrecognized version number.  Requests may intentionally use
a lower version number to enable interoperability with earlier
versions of NTP.  Responses carry the same version as the
corresponding request.
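As an added illustration (not part of the draft), the following Python packs and unpacks octet 0 of a control message as the LI, VN and Mode fields are laid out (two, three and three bits) and applies the version rule just stated: a request with an unrecognized version gets no response, and a response echoes the request's version with LI set to b00. The set of recognized versions is an assumption of the example.

```python
from typing import Optional, Tuple

# Octet 0 of every NTP packet, control messages included:
#   bits 7-6: Leap Indicator (LI)  bits 5-3: Version Number (VN)  bits 2-0: Mode
MODE_CONTROL = 6                 # Mode value carried by control messages
KNOWN_VERSIONS = {2, 3, 4}       # assumption: versions this server recognizes


def pack_first_octet(li: int, vn: int, mode: int) -> int:
    """Assemble octet 0 from LI, VN and Mode, checking each fits its width."""
    if not (0 <= li < 4 and 0 <= vn < 8 and 0 <= mode < 8):
        raise ValueError("LI, VN or Mode out of range")
    return (li << 6) | (vn << 3) | mode


def unpack_first_octet(octet: int) -> Tuple[int, int, int]:
    """Split octet 0 into (LI, VN, Mode)."""
    return (octet >> 6) & 0x3, (octet >> 3) & 0x7, octet & 0x7


def response_first_octet(request_octet: int) -> Optional[int]:
    """Decide how a server answers a control request, from its octet 0 alone.

    Returns the octet 0 a conforming response carries, or None when the
    request gets no reply: the draft says servers do not respond to control
    messages with an unrecognized version number.  The response echoes the
    request's version (so a deliberately lowered version still works) and
    sets LI to b00, as control messages always do.
    """
    _li, vn, mode = unpack_first_octet(request_octet)
    if mode != MODE_CONTROL:
        return None                  # not a control message; out of scope here
    if vn not in KNOWN_VERSIONS:
        return None                  # unrecognized version: silently dropped
    return pack_first_octet(0, vn, MODE_CONTROL)
```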
Mode: This is a three-bit integer indicating the mode.  The value 6

skipping to change at page 17, line 5
o  NTP as a Distributed Denial-of-Service (DDoS) vector.  NTP timing
   query and response packets (modes 1-2, 3-4, 5) are usually short
   in size.  However, some NTP control queries generate a very long
   packet in response to a short query.  As such, there is a history
   of use of NTP's control queries, which exhibit such behavior, to
   perform DDoS attacks.  These off-path attacks exploit the large
   size of the responses to NTP control queries to cause UDP-based
   amplification attacks (e.g., the mode 7 monlist command generates
   a very long packet in response to a small query (CVE-2013-5211)).
   These attacks only use NTP as a vector for DoS attacks on other
   protocols, but do not affect the time service on the NTP host
   itself.  To limit the sources of these malicious commands, NTP
   server operators are recommended to deploy ingress filtering
   [RFC2827].
o  Time-shifting attacks through information leakage/overwriting.
   NTP hosts save important system and peer state variables.  An off-
   path attacker who can read these variables remotely can leverage
   the information leaked by these control queries to perform time-
   shifting and DoS attacks on NTP clients.  These attacks do affect
   time synchronization on the NTP hosts.  For instance,

   *  In the client/server mode, the client stores its local time
      when it sends the query to the server in its xmt peer variable.
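As an added example (not from the draft), the following Python applies a server-side detection check for the amplification pattern described in the first Security Considerations item above: it sums request and response bytes per client for mode 6 and mode 7 traffic and flags clients whose responses exceed a threshold ratio, so that repeated small queries answered by long packets are not hidden. The packet records, addresses, sizes and the threshold are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple


def mode_of(first_octet: int) -> int:
    """Low three bits of octet 0 are the NTP Mode."""
    return first_octet & 0x7


# Constructed sample traffic as seen at the NTP server:
#   (direction, client address, octet 0 of the NTP payload, UDP payload bytes)
# A normal mode 3/4 exchange, a short mode 6 query answered by a long
# response (sent twice), and a mode 7 query with a much larger reply.
RECORDS = [
    ("req", "198.51.100.7", 0x23, 48), ("resp", "198.51.100.7", 0x24, 48),
    ("req", "203.0.113.9",  0x26, 12), ("resp", "203.0.113.9",  0x26, 468),
    ("req", "203.0.113.9",  0x26, 12), ("resp", "203.0.113.9",  0x26, 468),
    ("req", "192.0.2.55",   0x17,  8), ("resp", "192.0.2.55",   0x17, 5184),
]


def amplification_by_client(records: Iterable[Tuple[str, str, int, int]],
                            threshold: float = 10.0) -> Dict[str, Tuple[int, float]]:
    """Return {client: (mode, ratio)} for mode 6/7 clients whose total
    response bytes are at least `threshold` times their total request bytes.

    In a reflection attack the "client" address is the spoofed victim, so
    this is the address whose traffic the server should rate-limit or
    whose queries ingress filtering upstream should have dropped.
    """
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    mode_seen = {}
    for direction, client, octet0, length in records:
        mode = mode_of(octet0)
        if mode not in (6, 7):
            continue                 # timing modes are short; not of interest here
        mode_seen[client] = mode
        (req_bytes if direction == "req" else resp_bytes)[client] += length

    flagged = {}
    for client, mode in mode_seen.items():
        if req_bytes[client] == 0:
            continue                 # responses with no request: handle elsewhere
        ratio = resp_bytes[client] / req_bytes[client]
        if ratio >= threshold:
            flagged[client] = (mode, ratio)
    return flagged
```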
skipping to change at page 18, line 36
deserve credit for portions of this document due to their earlier
efforts to document these commands.
8.  Normative References

[RFC1305]  Mills, D., "Network Time Protocol (Version 3)
           Specification, Implementation and Analysis", RFC 1305,
           DOI 10.17487/RFC1305, March 1992,
           <https://www.rfc-editor.org/info/rfc1305>.

[RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
           Defeating Denial of Service Attacks which employ IP Source
           Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
           May 2000, <https://www.rfc-editor.org/info/rfc2827>.

[RFC5905]  Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
           "Network Time Protocol Version 4: Protocol and Algorithms
           Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
           <https://www.rfc-editor.org/info/rfc5905>.
Appendix A.  NTP Remote Facility Message Format

The format of the NTP Remote Facility Message header, which
immediately follows the UDP header, is shown in Figure 3.  Following
is a description of its fields.  Bit positions marked as zero are
End of changes.  6 change blocks.  6 lines changed or deleted, 13 lines changed or added.

This html diff was produced by rfcdiff 1.46.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/