Diff: draft-ietf-ntp-port-randomization-04.txt vs. draft-ietf-ntp-port-randomization-05.txt

Network Time Protocol (ntp) Working Group                        F. Gont
Internet-Draft                                                   G. Gont
Updates: rfc5905 (if approved)                              SI6 Networks
Intended status: Standards Track                              M. Lichvar
Expires: December 12, 2020 (-04) / January 27, 2021 (-05)        Red Hat
                                 June 10, 2020 (-04) / July 26, 2020 (-05)

        Port Randomization in the Network Time Protocol Version 4
   draft-ietf-ntp-port-randomization-04 / draft-ietf-ntp-port-randomization-05

Abstract

   The Network Time Protocol can operate in several modes.  Some of
   these modes are based on the receipt of unsolicited packets, and
   therefore require the use of a service/well-known port as the local
   port number.  However, in the case of NTP modes where the use of a
   service/well-known port is not required, employing such well-known/
   service port unnecessarily increases the ability of attackers to
   perform blind/off-path attacks.  This document formally updates

   [skipping to change at page 1, line 40]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 12, 2020 (-04) /
   January 27, 2021 (-05).

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 6, line 4]

      server mode (5) and symmetric modes (1 and 2), it SHOULD contain
      the NTP port number PORT (123) assigned by the IANA.  In the
      client mode (3), it SHOULD contain a randomized port number, as
      specified in [RFC6056].  The value in this variable becomes the
      source port number of packets sent from this association.  The
      randomized port number SHOULD NOT be shared with other
      associations.

   Old text (-04):

      If a client implementation performs port randomization on a per-
      request basis, it SHOULD close the corresponding socket/port after
      each request/response exchange.  The client SHOULD wait for
      response packets from the server for at least 3 seconds before
      closing the UDP socket/port, even if a successful response is
      received.  This will prevent duplicate or delayed server packets
      from eliciting ICMP port unreachable error messages at the client.

   New text (-05):

      If a client implementation performs port randomization on a per-
      request basis, it SHOULD close the corresponding socket/port after
      each request/response exchange.  In order to prevent duplicate or
      delayed server packets from eliciting ICMP port unreachable error
      messages at the client, the client MAY wait for more responses
      from the server for a specific period of time (e.g. 3 seconds)
      before closing the UDP socket/port.

   NOTES:

      The choice of whether to randomize the port number on a per-
      request or a per-association basis is left to the
      implementation, and should consider, among others, the
      considerations discussed in Section 3.2.

      On most current operating systems, which implement ephemeral
      port randomization [RFC6056], an NTP client may normally rely
      on the operating system to perform port randomization.  For
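The following is an added illustration, not text or code from the draft or from any NTP implementation. It shows what the per-request variant described above looks like in practice: for every request the client opens a fresh UDP socket bound to port 0, so the operating system assigns a randomized ephemeral port [RFC6056] rather than the client choosing one itself (the second NOTE), sends one NTPv4 mode-3 packet, reads the reply, and then keeps the socket open for a grace period so that a duplicate or delayed reply is consumed instead of eliciting an ICMP port unreachable message, before closing the socket so the port is never reused. The "server" is a constructed loopback stub that deliberately sends each reply twice; the 0.3-second grace period, the stub, and all function names are assumptions made for the demo (the draft's example value is 3 seconds).

```python
"""Per-request source-port randomization for an NTP mode-3 client (added example)."""
import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and the Unix epoch


def build_client_request() -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, Mode=3, only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32))
    # header (4 bytes) + root delay/dispersion/ref id + ref/orig/recv timestamps (36 zero bytes)
    return struct.pack("!BBBb", li_vn_mode, 0, 0, 0) + b"\x00" * 36 + struct.pack("!II", secs, frac)


def parse_mode(packet: bytes) -> int:
    return packet[0] & 0x07


def parse_version(packet: bytes) -> int:
    return (packet[0] >> 3) & 0x07


def start_stub_server(duplicate_replies: int = 2):
    """Constructed loopback stub (assumption): answers each mode-3 request with a
    mode-4 reply, sent `duplicate_replies` times to mimic a duplicated packet."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # unprivileged stub, so not port 123
    port = srv.getsockname()[1]
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                req, peer = srv.recvfrom(512)
            except socket.timeout:
                continue
            if len(req) >= 48 and parse_mode(req) == 3:
                reply = bytes([(req[0] & 0xF8) | 4]) + req[1:]  # keep LI/VN, set mode 4
                for _ in range(duplicate_replies):
                    srv.sendto(reply, peer)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, stop, thread


def ntp_query_per_request(server_addr, linger_seconds: float = 0.3, timeout: float = 2.0):
    """One request/response exchange on a brand-new socket.
    Returns (local_port, reply, extra_replies_absorbed)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("127.0.0.1", 0))  # port 0: the OS picks a randomized ephemeral port
        local_port = sock.getsockname()[1]
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), server_addr)
        reply, _ = sock.recvfrom(512)
        # Grace period: keep the port open so duplicate/delayed replies are
        # consumed rather than answered with ICMP port unreachable.
        extra = 0
        deadline = time.monotonic() + linger_seconds
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                sock.recvfrom(512)
                extra += 1
            except socket.timeout:
                break
        return local_port, reply, extra
    finally:
        sock.close()  # the randomized port is released and not shared with the next request


def run_demo(requests: int = 3):
    """Run `requests` exchanges against the stub; each uses its own socket/port."""
    port, stop, thread = start_stub_server()
    try:
        return [ntp_query_per_request(("127.0.0.1", port)) for _ in range(requests)]
    finally:
        stop.set()
        thread.join()


if __name__ == "__main__":
    for local_port, reply, extra in run_demo():
        print(f"source port {local_port}: mode {parse_mode(reply)} reply, {extra} duplicate(s) absorbed")
```

Each line printed by the demo shows a different kernel-chosen source port, a mode-4 reply, and one duplicate absorbed during the grace period; closing the socket before that duplicate arrived would instead have produced an ICMP port unreachable message from the client.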
End of changes. 4 change blocks. 9 lines changed or deleted, 9 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/