[169306] in North American Network Operators' Group
Filter NTP traffic by packet size?
daemon@ATHENA.MIT.EDU (Edward Roels)
Thu Feb 20 15:42:25 2014
Date: Thu, 20 Feb 2014 15:41:27 -0500
From: Edward Roels <edwardroels@gmail.com>
To: NANOG list <nanog@nanog.org>

Curious if anyone else thinks filtering out NTP packets above a certain
packet size is a good or terrible idea.

From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6 are
typical for a client to successfully synchronize to an NTP server.

If I query a server for its list of peers (ntpq -np <ip>) I've seen
packets as large as 522 bytes in a single packet in response to a 54 byte
query. I'll admit I'm not 100% clear on what is happening
protocol-wise when I perform this query. I see there are multiple packets
back and forth between me and the server depending on the number of peers it
has?

Would I be breaking something important if I started to filter NTP
packets > 200 bytes into my network?
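
An added example, not part of the original post: a small decoder that maps the frame sizes quoted above to NTP modes and checks each packet against a 200-byte limit. It assumes the quoted sizes are Ethernet frame lengths (14-byte header, no FCS); the payloads and the names `frame_len`, `classify` and `passes` are constructed for illustration.

```python
import struct

# Assumption: the post's sizes are Ethernet frames (14-byte header, no FCS).
ETH, UDP, IP_HDR = 14, 8, {4: 20, 6: 40}
MODES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client", 4: "server",
         5: "broadcast", 6: "control (ntpq)", 7: "private (ntpdc)"}

def frame_len(payload, ipver=4):
    """On-wire frame size of a UDP payload under the assumed framing."""
    return ETH + IP_HDR[ipver] + UDP + len(payload)

def classify(payload):
    """Decode version and mode, plus the 12-byte control header for mode 6."""
    if not payload:
        raise ValueError("empty NTP payload")
    mode = payload[0] & 0x7
    info = {"version": (payload[0] >> 3) & 0x7, "mode": MODES.get(mode, "reserved")}
    if mode == 6 and len(payload) >= 12:
        rem_op, seq, _status, _assoc, offset, count = struct.unpack(
            "!BHHHHH", payload[1:12])
        info.update(response=bool(rem_op & 0x80), more=bool(rem_op & 0x20),
                    opcode=rem_op & 0x1F, sequence=seq, offset=offset, count=count)
    return info

def passes(payload, limit=200, ipver=4):
    """True if a 'drop NTP frames larger than limit bytes' filter lets it through."""
    return frame_len(payload, ipver) <= limit

# Constructed payloads (not captured traffic).
CLIENT = bytes([0x23]) + bytes(47)        # version 4, mode 3: 48-byte time request
CLIENT_MAC = CLIENT + bytes(20)           # plus 4-byte key id and 16-byte digest
CTL_QUERY = struct.pack("!BBHHHHH", 0x16, 0x01, 1, 0, 0, 0, 0)  # mode 6, opcode 1
# Mode 6 response, "more" bit set, 468 data bytes so the frame is 522 bytes.
CTL_REPLY = struct.pack("!BBHHHHH", 0x16, 0xA1, 1, 0, 0, 0, 468) + bytes(468)

if __name__ == "__main__":
    for name in ("CLIENT", "CLIENT_MAC", "CTL_QUERY", "CTL_REPLY"):
        pkt = globals()[name]
        print(name, frame_len(pkt), classify(pkt)["mode"],
              "pass" if passes(pkt) else "drop")
```

With these constructed packets, the 48-byte time exchange (with or without an authentication trailer) and the 12-byte control query stay under the 200-byte limit, and only the large mode 6 response is dropped.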