[pkg-ntp-maintainers] Bug#813132: Bug#813132: ntp: provide configuration/system integration to use dedicated/firewalled IPv6 addresses for NTP clients

Kurt Roeckx kurt at roeckx.be
Fri Jan 29 18:06:01 UTC 2016


On Fri, Jan 29, 2016 at 12:14:27PM -0500, Daniel Kahn Gillmor wrote:
> Package: ntp
> Severity: wishlist
> X-Debbugs-Cc: hazel at meddlingmojo.com
> Control: subscribe -1
> 
> Hi Debian NTP maintainers--
> 
> Over on oss-security, it's been announced that some operators of IPv6
> servers in the NTP pool are using their position in the pool to
> probe active IPv6 addresses.
> 
> One participant in the discussion proposed a mitigation technique where
> NTP IPv6 clients could just allocate a dedicated IPv6 address that would
> be otherwise firewalled and used only for NTP.
> 
> I think the mitigation proposal (included in full below) is actually
> quite a nice idea, and something ideally suited for O/S distributions.
> Is this something we could integrate into one of the Debian packages
> somehow?
> 
> You can see the message in context at:
> 
>   http://openwall.com/lists/oss-security/2016/01/29/4

I have no idea how to start on this.

First, how do I know it's acting as a server?  As a server I might
want to have a fixed IP address.  If I'm only acting as a client
it shouldn't be a problem to enable the privacy extension.

Does having a socket that's open for a long time work properly
with the privacy extensions?  Will just enabling it, even when
it's disabled by default, do the right thing?

But then how is ntpd supposed to change the firewall rules?  Do I
even want ntpd to modify the rules, and give it access to the
firewall in the first place?


Kurt


