From owner-freebsd-security@freebsd.org Fri Apr 29 23:43:17 2016
Date: Fri, 29 Apr 2016 16:43:16 -0700 (PDT)
From: Roger Marquis
To: "Matthew X. Economou"
cc: freebsd-security@freebsd.org
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp
In-Reply-To:
References: <20160429082953.DB31D1769@freefall.freebsd.org> <9e6342a420259fec7bd21d6222cc6e05@zahemszky.hu> <1461929003.67736.2.camel@yandex.com>
List-Id: "Security issues [members-only posting]"

>> What are the reasons FreeBSD has not deprecated ntpd in favor of
>> openntpd?
>
> While I cannot speak for anyone other than myself, the two simply aren't
> equivalent. As a conscious design choice, OpenNTPD trades off accuracy
> for code simplicity.

IIRC openntpd is accurate down to ~100ms. Ntpd does have a lot of code
dedicated to additional accuracy, but this is exactly the security
trade-off I want to avoid. Who needs millisecond accuracy anyway?

> It lacks support for NTP authentication,

This is still the case, but considering the tiny fraction of ntpd sites
that use encryption and the fact that encryption is not enabled by
default, it is not really relevant to FreeBSD.

> access controls, reference clocks, multicast/broadcast operation,

Several reflection vulnerabilities over the past few years have been due
to holes in ntpd's access control, so it's hard to appreciate their value
or the value of these other little-used features.

> or any kind of monitoring/reporting.

This is no longer correct. Openntpd's 'ntpctl' reports are sufficient for
the vast majority of sites.

> OpenNTPD is probably closer to rdate than ntpd in terms of their relative
> capabilities.

Rdate? Really? This is a little over the top, don't you think?

> I'd rather we keep ntpd in base as a consequence.

I'm sure the NSA would like it if we all did, considering the order of
magnitude difference in security vulnerabilities and the fact that the
daemon has to run as root.

> The only change I'd suggest would be to alter the default configuration
> such that all unauthorized access were blocked (i.e., set "restrict default
> ignore" and "restrict -6 default ignore").

This is a good idea, perhaps, for those sites that need to run ntpd for
one of the reasons listed above, but again, that's a tiny fraction of the
installed base. Most FreeBSD systems only need to query a timehost, not
to be a time server. One of ntpd's biggest disadvantages is that its UDP
socket cannot be disabled, i.e., it cannot be configured as just a client
(though you can use ipfw or pf to that effect). Considering the demand
for this feature, you have to ask why ntpd hasn't been able to implement
it.

Roger
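The following is an added example from the editor, not code from the thread, from FreeBSD, or from the ntp project. It audits an ntp.conf for the "restrict default ignore" / "restrict -6 default ignore" defaults proposed in the quoted message, and flags the follow-on mistake that proposal invites: once the default is ignore, a configured server with no restrict entry of its own has its replies dropped as well. Both configuration files are constructed samples written to a temporary directory; the file names, the hardened file's contents, and the treatment of "restrict source" as covering every configured association are assumptions of this example, not statements about the stock FreeBSD configuration.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or from ntpd/FreeBSD).
# Audits ntp.conf files for the "restrict default ignore" hardening and for
# servers that would be locked out by it.

WORK=$(mktemp -d) || exit 1

# (a) constructed permissive sample: anyone who can reach UDP/123 may query.
cat > "$WORK/ntp.open.conf" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
restrict default limited kod nomodify notrap
restrict 127.0.0.1
restrict -6 ::1
EOF

# (b) constructed hardened sample: drop everything by default, then allow
#     localhost and (via the "restrict source" template, assumed here to be
#     applied to each configured association) replies from our own servers.
cat > "$WORK/ntp.hardened.conf" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
restrict default ignore        # IPv4 default: ignore
restrict -6 default ignore     # IPv6 default: ignore
restrict 127.0.0.1
restrict -6 ::1
restrict source nomodify notrap noquery nopeer
EOF

# Strip comments so a commented-out "restrict default ignore" is not counted.
ntp_uncommented() {
  sed 's/#.*//' "$1"
}

# Return 0 when BOTH default-ignore lines are present, 1 otherwise.
# Leading whitespace and multiple spaces between tokens are tolerated.
ntp_default_ignore() {
  ntp_uncommented "$1" | grep -Eq '^[[:space:]]*restrict[[:space:]]+default[[:space:]]+ignore([[:space:]]|$)' &&
  ntp_uncommented "$1" | grep -Eq '^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default[[:space:]]+ignore([[:space:]]|$)'
}

# Print each server/peer/pool host that has neither its own restrict entry nor
# a "restrict source" template to fall back on. Prints nothing when all are
# covered.
ntp_servers_missing_restrict() {
  f="$1"
  if ntp_uncommented "$f" | grep -Eq '^[[:space:]]*restrict[[:space:]]+source([[:space:]]|$)'; then
    return 0
  fi
  ntp_uncommented "$f" | awk '$1=="server"||$1=="peer"||$1=="pool"{print $2}' |
  while read -r host; do
    ntp_uncommented "$f" | grep -Eq "^[[:space:]]*restrict[[:space:]]+$host([[:space:]]|$)" || echo "$host"
  done
}

ntp_example_cleanup() {
  rm -rf "$WORK"
}

# Stand-alone run: report on both constructed samples.
for c in "$WORK/ntp.open.conf" "$WORK/ntp.hardened.conf"; do
  if ntp_default_ignore "$c"; then
    echo "$c: default restriction is ignore"
  else
    echo "$c: default restriction is NOT ignore; unauthenticated queries answered"
  fi
  ntp_servers_missing_restrict "$c" | sed "s|^|$c: no restrict entry covering server |"
done
```

Run it as-is to see the two reports; point `ntp_default_ignore` and `ntp_servers_missing_restrict` at a real `/etc/ntp.conf` to audit a host. The second check matters because "restrict default ignore" on a pure client still has to let the configured servers' replies in; as the message notes, ntpd will keep its UDP socket open regardless, so a host firewall (ipfw or pf) remains the way to stop inbound queries from ever reaching the daemon.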