[pkg-ntp-maintainers] Bug#813132: Bug#813132: ntp: provide configuration/system integration to use dedicated/firewalled IPv6 addresses for NTP clients

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jan 29 22:56:26 UTC 2016


On Fri 2016-01-29 13:06:01 -0500, Kurt Roeckx wrote:
> I have no idea how to start on this.
>
> First, how do I know it's acting as a server?  As server I might
> want to have a fixed IP address.  If I'm only acting as a client
> it shouldn't be a problem to enable the privacy extension.

right, the server-side access would be stable, but the client-side
queries would use dedicated IPv6 addresses.

> Does having a socket that's open for a long time work properly
> with the privacy extensions?

privacy extension addresses can be assigned for as long as the user
wants:

    https://tools.ietf.org/html/rfc4941#section-5

> Will just enabling it, even when it's disabled by default, do the
> right thing?

I'm not sure what this question means.

> But then how is ntpd supposed to change the firewall rules?  Do I
> even want ntpd to modify the rules, and give it access to the
> firewall in the first place?

I'm not suggesting that ntpd itself is necessarily the right place to
set up these changes -- maybe some .service file that ships disabled by
default with the ntp package could do the work, though?

And I understand the integration concerns -- we don't necessarily want
to interfere with existing firewalls, and it's tricky.

My point in filing this wishlist bug is because operating system
integrators like Debian are the right place to do this kind of
integration work.  ntp can't (and probably shouldn't) do it on its own,
I think.

            --dkg


