
Unbind NTP while it's not requested...
Closed, Resolved / Public / BUG

Description

show system ntp

 allow-clients {
     address 192.168.100.0/24
 }
 server 10.255.0.1 {
     prefer
 }


netstat -vaun | grep 123
udp        0      0 127.0.0.1:123           0.0.0.0:*                          
udp6       0      0 ::1:123                 :::*

And in config file there is:

#Do not listen on any interface address by default
interface ignore wildcard

I think that it's a mistake: "interface ignore wildcard" should come into the config only when "set system ntp listen-address" is configured...

While "interface ignore wildcard" configured, we got:

ntpq -c lpeer
 remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.255.0.1      .INIT.          16 u    -   64    0    0.000    0.000   0.000

What do you think?
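The `ntpq -c lpeer` output above is the symptom to watch for: a server that stays at stratum 16 with refid `.INIT.` and a reach register of 0 has never been reached. The following is an added example, not part of the task or of VyOS, that parses that table and flags such servers so the condition can be caught by a monitoring check instead of by hand. The parser's field layout follows the column header shown in the task; the second, healthy sample line is constructed for the test.

```python
from dataclasses import dataclass

# Copied from the task description (first line) plus one constructed healthy line
# so the check has both a failing and a passing case to look at.
LPEER_BROKEN = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.255.0.1      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

LPEER_HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.255.0.1      192.0.2.1        2 u   32   64  377    0.412    0.033   0.012
"""

TALLY_CODES = "*+-x.#o "  # first column: ntpq's selection tally character


@dataclass
class Peer:
    remote: str
    refid: str
    stratum: int
    reach: int  # ntpq prints this octal shift register of the last 8 polls


def parse_lpeer(text: str) -> list[Peer]:
    """Parse the table printed by `ntpq -c lpeer` (or `ntpq -p`) into Peer records."""
    peers: list[Peer] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue  # skip header and separator
        # The tally code occupies column 1; a plain space means "not selected".
        rest = line[1:] if line[:1] in TALLY_CODES else line
        fields = rest.split()
        if len(fields) < 10:
            continue  # not a peer row (e.g. a truncated line)
        remote, refid, st, _t, _when, _poll, reach = fields[:7]
        peers.append(Peer(remote, refid, int(st), int(reach, 8)))
    return peers


def never_reached(peers: list[Peer]) -> list[str]:
    """Remote addresses ntpd has never successfully polled: stratum 16 and reach 0.

    This is the state the task reports for 10.255.0.1 while
    `interface ignore wildcard` is in ntp.conf.
    """
    return [p.remote for p in peers if p.stratum == 16 and p.reach == 0]


if __name__ == "__main__":
    print("broken:", never_reached(parse_lpeer(LPEER_BROKEN)))
    print("healthy:", never_reached(parse_lpeer(LPEER_HEALTHY)))
```

Reading `reach` as octal matters: a value of `377` is 255 (all of the last eight polls answered), while `0` means none did, which is what distinguishes "never reached" from "briefly lost".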

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

hexes created this task. Nov 13 2019, 4:40 PM
rps changed the task status from Open to Confirmed. Mar 3 2020, 12:47 AM
rps triaged this task as Unbreak Now! priority.
rps added a subscriber: rps.

Confirmed NTP is broken in 1.2.4 due to the interface ignore wildcard statement in ntp.conf. When present, NTP will never sync with time servers, showing them perpetually in INIT.

Commenting out the configuration statement and manually restarting NTP resolves the issue. Alternatively, each IPv4 and IPv6 address potentially used to source NTP queries to configured servers must be explicitly configured as a listen-address.

This change was made in T1694 without considering that it would break established configurations.

Requiring a listen address for each address possibly used for reaching configured servers complicates configuration needlessly. In a dynamic environment this becomes very tedious to maintain.

As mentioned unless a listen-address value is explicitly configured, the default should be to allow all interfaces, similar to the SSH listen-address directive. In most cases NTP is managed through firewall policy.

The default configuration already mitigates the majority of NTP behavior used for DDoS amplification attacks through restrict default noquery nopeer notrap nomodify.

Further review might look into better handling the listen-interface directive to configure what queries are permitted, but for now we should unbreak the behavior by reverting the change made in T1694.
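To make the proposed behaviour concrete, here is an added example (not VyOS's own configuration script or template) that renders the relevant ntp.conf fragment from a VyOS-style `system ntp` configuration. `interface ignore wildcard` and the matching `interface listen` lines are emitted only when at least one listen-address is configured; otherwise ntpd keeps its default of binding every interface, and access is governed by the `restrict default noquery nopeer notrap nomodify` policy mentioned above. The dictionary layout, the allow-clients restrict flags and the addresses in the second sample are assumptions made for this example.

```python
import ipaddress

# Constructed inputs: the first mirrors the task's `show system ntp` output,
# the second adds listen addresses. The dict layout is an assumption for this
# example, not VyOS's internal data model.
CFG_NO_LISTEN = {
    "servers": [{"address": "10.255.0.1", "prefer": True}],
    "allow_clients": ["192.168.100.0/24"],
    "listen_addresses": [],
}
CFG_WITH_LISTEN = dict(CFG_NO_LISTEN, listen_addresses=["10.255.0.2", "2001:db8::1"])


def restrict_line(network: str) -> str:
    """Translate an allow-clients prefix into an ntpd restrict statement.

    Assumed policy: clients in the prefix may request time but, like the
    default, may not modify, trap, peer with or query the daemon's state.
    """
    net = ipaddress.ip_network(network, strict=False)
    family = "-6 " if net.version == 6 else ""
    return (f"restrict {family}{net.network_address} mask {net.netmask} "
            "nomodify notrap nopeer noquery")


def render_ntp_conf(cfg: dict) -> str:
    """Render the ntp.conf fragment; wildcard binding is disabled only on request."""
    lines = [
        "# Default policy: no status queries, peering, traps or runtime changes",
        "restrict default noquery nopeer notrap nomodify",
        "restrict 127.0.0.1",
        "restrict -6 ::1",
    ]
    lines.extend(restrict_line(net) for net in cfg.get("allow_clients", []))
    for srv in cfg.get("servers", []):
        flags = " prefer" if srv.get("prefer") else ""
        lines.append(f"server {srv['address']}{flags}")

    listen = cfg.get("listen_addresses", [])
    if listen:
        # Operator asked for specific addresses: stop ntpd binding the wildcard
        # socket and bind each requested address explicitly, so outbound
        # queries to the configured servers still have a usable source address.
        lines.append("# Do not listen on any interface address by default")
        lines.append("interface ignore wildcard")
        lines.extend(f"interface listen {addr}" for addr in listen)
    else:
        # No listen-address: keep ntpd's default of binding all interfaces,
        # which is what the T1694 change broke for existing configurations.
        lines.append("# No listen-address configured: ntpd binds all interfaces")
    return "\n".join(lines) + "\n"


def ignores_wildcard(conf: str) -> bool:
    """True when the rendered config carries the directive that broke sync in 1.2.4."""
    return any(line.strip() == "interface ignore wildcard" for line in conf.splitlines())


if __name__ == "__main__":
    print(render_ntp_conf(CFG_NO_LISTEN))
    print(render_ntp_conf(CFG_WITH_LISTEN))
```

Checking the rendered text for `interface ignore wildcard` rather than trusting the input is the useful regression test here: it fails exactly when a template change reintroduces the directive for a configuration that never asked for listen addresses.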

syncer assigned this task to jestabro. Mar 15 2020, 10:28 PM
syncer changed the subtype of this task from "Feature Request" to "Bug".
syncer added a project: VyOS 1.3 Equuleus.
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.5) board.
syncer moved this task from Need Triage to Backlog on the VyOS 1.3 Equuleus board.
jestabro closed this task as Resolved. Mar 16 2020, 1:40 AM
jestabro moved this task from Backlog to Finished on the VyOS 1.2 Crux (VyOS 1.2.5) board.
jestabro moved this task from Backlog to Finished on the VyOS 1.3 Equuleus board.