On Tue, Jan 08, 2019 at 09:43:01AM +0100, Lennart Poettering wrote:
> Moreover, afair we install and enable NTP clients by default on all
> our installations, no? Just like pretty much any other OS these days
> does... counting by NTP mostly just means switching from NTP pool
> servers to Fedora's own servers.

I think it would be difficult/expensive to provide the same quality of
service as the pool with thousands of servers distributed around the

Switching completely would probably be a bad idea. A better approach
would be to configure the clients to use a mix of the pool servers and
our servers. I think that's what Ubuntu does.

> > 3. Logging NTP does not cover the problem the UUID is trying to
> > solve.. there are two places where we undercount and overcount
> > a. systems behind nat firewalls all show up as 1 ip address. ntp or
> > yum or gnome-hotspot ask multiple times during a day.. but not a set
> > number. Just looking at my 3 home systems I see around 1 to 80
> > connections depending on what I have done that day.
>
> The amount of traffic within a time window is linear to the number of
> hosts behind that IP address. It's relatively easy to estimate that
> there are 5 clients behind an IP address if you get 5 NTP request
> datagrams within one protocol iteration instead of just one...

That would work if the "tracking" NTP server was configured with a
fixed polling interval and disabled bursts, and the systems were always
running. In our default configuration we use a variable polling
interval and bursts. Tracking individual clients behind one IP address
is possible if their number is not very large, but it's a bit more
complicated (it depends also on the client's implementation), and it
can count only systems that are running at the same time.

> > 4. NTP is a high security problem when you concentrate it to a
> > servers. These become servers that everyone wants to hack even more
> > than build systems. These problems range from DDOS to active hacks.
>
> Uh, well, the major NTP servers tend to be pretty well tested and
> fuzzed these days, and they can be sandboxed efficiently, since they
> involve no big stack but only trivial SOCK_DGRAM traffic. I see no
> reason whatsoever for them to be less secure than a hand-written HTTP
> service that only Fedora runs and doesn't get all the validation love
> the NTP servers get...

The problem is DoS attacks. If the number of servers was small, it'd
be easy (cheap) to take them all out. The pool has thousands of
servers. The weak point is rather in their monitoring.
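
The per-address estimate discussed in this exchange, as an added example that is not part of the original message: it divides the requests seen from one source address by the number a single host would send at a fixed polling interval, then shows how variable polling and bursts skew the result. The function names, the 64 s interval, the 1024 s window, the burst shape and the 192.0.2.x addresses are assumptions constructed for illustration.

```python
from collections import Counter

WINDOW = 1024   # observation window in seconds (assumed)
POLL = 64       # polling interval the estimator assumes every client uses


def estimate_clients(requests, window=WINDOW, poll=POLL):
    """Estimate hosts behind each source IP from (timestamp, ip) request logs.

    Valid only if every client polls at `poll` seconds, sends one datagram
    per poll and is running for the whole window.
    """
    per_host = window / poll                      # requests one host would send
    counts = Counter(ip for ts, ip in requests if 0 <= ts < window)
    return {ip: round(n / per_host) for ip, n in counts.items()}


def simulate(ip, hosts, window=WINDOW, burst=1, burst_gap=2):
    """Constructed traffic. `hosts` is a list of (start_offset, poll_interval);
    each poll sends `burst` datagrams spaced `burst_gap` seconds apart."""
    out = []
    for start, poll in hosts:
        t = start
        while t < window:
            out += [(t + b * burst_gap, ip) for b in range(burst)
                    if t + b * burst_gap < window]
            t += poll
    return sorted(out)


def scenarios():
    offsets = [0, 7, 13, 29, 41]
    # Five always-on hosts behind one NAT address, all polling every 64 s.
    fixed = simulate("192.0.2.10", [(o, 64) for o in offsets])
    # The same five hosts, each settled on a different polling interval.
    variable = simulate("192.0.2.20",
                        list(zip(offsets, [64, 128, 256, 512, 1024])))
    # One host that sends a 4-datagram burst on every poll.
    bursty = simulate("192.0.2.30", [(0, 64)], burst=4)
    return estimate_clients(fixed + variable + bursty)


if __name__ == "__main__":
    for ip, n in sorted(scenarios().items()):
        print(f"{ip}: estimated {n} host(s)")
```

Only the first address, where the fixed-interval and no-burst conditions hold, yields the true count of five hosts.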