people.freebsd.org/~phk/dlink/
Monday Update: It seems that the revelation that D-Link abuses a half-hundred stratum-1 servers is not going over so well with the administrators of these servers. How can people trust their network security to a company that cannot comprehend simple statements like:

Access Policy: Open access to stratum 1, stratum 2 within Brazilian Research Network (RNP).
a list of abused servers, along with the restriction which D-Link couldn't understand.

For the last five months I have wasted a lot of time trying to reach some kind of agreement with the Californian lawyer whom D-Link put on the case. I can't quite make up my mind if D-Link's lawyer negotiates in bad faith or is merely uninformed; I tend to suspect the latter, but either way, as of this morning I decided to cut my losses. Since no one else at D-Link has reacted to my numerous emails, I have no means of getting in touch with D-Link other than an open letter. I realize that it will be inconvenient and embarrassing for D-Link to have this matter exposed in public this way, but I seem to have no other choice. I will now lay out the case below in such detail that any moderately knowledgeable person should be able to understand it, and hopefully somebody, somewhere in D-Link will contact me so we can get this matter resolved.
NTP is the Network Time Protocol, a protocol that allows computers to transfer timestamps across the internet so that they can set their clocks to the correct time. A number of NTP servers on the internet are connected to radio timecode receivers, GPS receivers or, in some cases, directly to the primary atomic frequency standards of national time laboratories.

How not to implement NTP in a product

A number of D-Link products (so far I have identified at least DI-604, DI-614+, DI-624, DI-754, DI-764, DI-774, DI-784, VDI604 and VDI624) contain a list of NTP servers in their firmware and, using some sort of algorithm, they pick one and send packets to it. This is about as wrong a way to do things as one can imagine: there is no way D-Link can change the list once the product is shipped, unless D-Link can persuade the customer to upgrade the firmware.

com" and populate this DNS entry with the list of NTP servers to be queried. That would allow D-Link to add or remove servers from the list by changing the records on their own DNS servers, and all deployed devices would automatically see the update the next time they looked the name up. If D-Link had implemented the NTP feature this way, my complaint could have been handled to my full satisfaction with an emailed apology and a few minutes of D-Link's DNS administrators' time.

dk" in the list of NTP servers to query, and they did so without asking for permission. I have no idea how many devices D-Link has sold, but between 75% and 90% of the packets which arrive at my server come from D-Link products via this mechanism.
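The NTP exchange described above, together with the DNS indirection the letter argues D-Link should have used, as an added example that is not part of the original page and is not D-Link's firmware or anyone's production code. It runs offline: it builds a 48-byte NTP client request and a server reply with constructed timestamps, checks the reply the way a careful client should (mode 4, echoed originate timestamp, stratum-0 kiss-o'-death refusal as defined for NTPv4), computes clock offset and round-trip delay per RFC 4330, and takes its server list from a vendor-controlled DNS name through a pluggable resolver instead of a list baked into the firmware. The name ntp.example-vendor.invalid, the resolver table, the addresses and all timestamps are constructed assumptions.

```python
"""SNTP client-side logic, offline (added example; not D-Link firmware, not the ntp.org code).

Packet layout follows RFC 4330/5905: 48 bytes, four 64-bit timestamps at the end.
All names, addresses and timestamps below are constructed for the demonstration.
"""
import struct
from typing import Callable, Dict, List

NTP_EPOCH_OFFSET = 2_208_988_800           # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
PACKET_FMT = "!BBBbIIIQQQQ"                # li/vn/mode, stratum, poll, precision, root delay,
                                           # root dispersion, reference id, then reference,
                                           # originate, receive and transmit timestamps
PACKET_LEN = struct.calcsize(PACKET_FMT)   # 48

# Assumption: a DNS name the vendor controls. The firmware ships only the name and the
# vendor changes the records later, which is the fix this page asks for. ".invalid" is a
# reserved TLD, so this resolves nowhere outside the constructed table below.
VENDOR_NTP_NAME = "ntp.example-vendor.invalid"
CONSTRUCTED_DNS = {VENDOR_NTP_NAME: ["192.0.2.10", "192.0.2.11"]}   # documentation addresses


def to_ntp(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(t1_unix: float, version: int = 4) -> bytes:
    """Client packet: LI=0, VN=version, mode=3; only the transmit timestamp is filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))


def build_server_reply(request: bytes, t2_unix: float, t3_unix: float,
                       stratum: int = 1, refid: bytes = b"GPS ") -> bytes:
    """Server packet (mode 4): echoes the client's transmit stamp in the originate field and
    records receive (t2) and transmit (t3) on the server's clock. stratum=0 is the NTPv4
    kiss-o'-death form, built here only to show how the client must react to it."""
    req = struct.unpack(PACKET_FMT, request)
    version = (req[0] >> 3) & 7
    li_vn_mode = (0 << 6) | (version << 3) | 4
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 0, 0, 0, 0,
                       int.from_bytes(refid, "big"),
                       to_ntp(t2_unix),   # reference timestamp (last sync; constructed)
                       req[10],           # originate = client's transmit timestamp (t1)
                       to_ntp(t2_unix),   # receive timestamp (t2)
                       to_ntp(t3_unix))   # transmit timestamp (t3)


def parse_reply(request: bytes, reply: bytes, t4_unix: float) -> Dict[str, float]:
    """Check a reply against the request it answers, then compute offset and delay
    (RFC 4330 section 5). Rejects what a careless client would accept."""
    if len(reply) != PACKET_LEN:
        raise ValueError("wrong packet length")
    req = struct.unpack(PACKET_FMT, request)
    rep = struct.unpack(PACKET_FMT, reply)
    if rep[0] & 7 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if rep[8] != req[10]:
        raise ValueError("originate stamp does not match our request: stale or spoofed reply")
    if rep[1] == 0:
        raise ValueError("stratum 0 kiss-o'-death: server says stop polling, back off")
    t1, t2, t3, t4 = from_ntp(req[10]), from_ntp(rep[9]), from_ntp(rep[10]), t4_unix
    return {"offset": ((t2 - t1) + (t3 - t4)) / 2,   # how far our clock is behind the server
            "delay": (t4 - t1) - (t3 - t2),          # round trip minus server processing time
            "stratum": rep[1]}


def reply_accepted(request: bytes, reply: bytes, t4_unix: float) -> bool:
    try:
        parse_reply(request, reply, t4_unix)
        return True
    except ValueError:
        return False


def pick_servers(resolve: Callable[[str], List[str]], name: str = VENDOR_NTP_NAME) -> List[str]:
    """The indirection the page argues for: ask DNS for the vendor's own name and use
    whatever it returns today. If it does not resolve, retry later; never fall back to
    a list of other people's servers compiled into the firmware."""
    addrs = resolve(name)
    if not addrs:
        raise RuntimeError(f"{name} did not resolve; retry with backoff")
    return addrs


def demo() -> Dict[str, float]:
    # Constructed timestamps (Unix seconds): the client clock runs about 2.4 s behind.
    t1, t2, t3, t4 = 1000.0, 1002.5, 1002.6, 1000.3
    req = build_client_request(t1)
    return parse_reply(req, build_server_reply(req, t2, t3), t4)


if __name__ == "__main__":
    print("servers:", pick_servers(lambda n: CONSTRUCTED_DNS.get(n, [])))
    print("sync:", demo())
```

The resolver is passed in as a function so the logic runs without a network; a real device would pass the platform's resolver. The point of `pick_servers` is that the only hostname in the binary belongs to the vendor, so the vendor alone carries the consequences of its own choices, and the stratum-0 and originate checks in `parse_reply` are the minimum a client needs before trusting a reply or continuing to poll.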
You will notice two restrictions here: one is the "Service Area" and the other is the "Access Policy". D-Link makes no effort to comply with either of these two restrictions.

dk is advertised and where D-Link got the name from in the first place. Since D-Link does not comply with these restrictions, D-Link has no legitimate access to the server, and it follows trivially that D-Link should have asked for my permission before including it in the list embedded in their products' firmware.
DIX, the neutral Danish Internet eXchange where ISPs exchange their traffic. Access to the DIX is only for BGP routers; you can not get your web-server hosted there. You might wonder why it is not a national time laboratory which offers time service in Denmark, and the short answer is that we have no such thing. In the absence of this vital piece of public infrastructure, I have run this service pro bono publico because I am a time-geek. Obviously, this special arrangement is contingent on several restrictions, the main one being the "Service Area" restriction set out above: the service is intended for Danish networks only.

dk would not help; the D-Link products would find the new IP number and the traffic would resume. Unfortunately, there is no way I can recognize these particular DNS queries, and therefore it is not possible to deflect the subsequent NTP queries or prevent them from arriving at the server from all over the world.

dk server, and most of these have correctly configured their NTP software using the DNS name, so changing the name would be a very time-consuming effort both for me and for the hundreds of system administrators it would affect. Filtering the D-Link packets requires inspection of fields which is not simple to implement in Cisco routers; in particular, such filtering seems to send all packets on the interface through the CPU instead of being fast-switched, so filtering the packets at the ingress of AS1835 is totally out of the question.

So the long and the short of it is that there is nothing I can do to avoid the packets arriving at my server until all D-Link customers have updated to a fixed firmware or thrown out the D-Link device in 3-5 years' time. I owe $5000 to an external consultant who helped me track down where these packets came from. All of this is entirely due to D-Link's incompetent product design and I have no way to mitigate it.
I have asked D-Link to issue a prominent product notice to induce the affected customers to upgrade the firmware of their products as soon as possible.

What D-Link has done

Following my contact to D-Link in November, D-Link have released new firmware for some of the affected products where the list of NTP servers has been revised. One such revision can be seen in the table on the right.

dk" in them, so obviously D-Link either has a very poor software development process or hasn't allocated enough resources to the task.

I can not publicly disclose the specific offers D-Link's lawyer has made, but these documents are obviously available to D-Link management through internal channels. I can however summarize them: I have been accused of extortion. I have been told that I have no claim, and been told that I exaggerate the claim. I have been told to submit myself to California law but would have to sign away all my rights under it. I have also been offered a specific amount of "hush-money" if I would just shut up and go away, but the amount offered would not even cover my most direct expenses. In return D-Link would admit to nothing, promise nothing and do nothing to induce their customers to upgrade their firmware. And nowhere in five months of correspondence have I seen the word "sorry" or "apology" forwarded to me.

I'm publishing this open letter in a last-ditch attempt to get a responsible person at D-Link to shoulder their responsibility. Hopefully one or more of them have sufficient integrity to escalate the case. It seems that they have managed to arrange their corporate affairs so that there is no way I can sue them here in Denmark, but will have to do it either in Taiwan or the USA.

dk server will cease to offer a public service to the Danish part of the internet. That is why this open letter is titled "NTP vandalism". So if you, dear reader, know somebody who works at D-Link, please point them at this open letter.
If you don't, feel free to spread news of it through other channels, my only hope is that eventually somebody in D-Link management becomes embarrased enough to do the honourable thing. Yes, D-Link is not the first vendor to make a hash of the NTP protocol.
Latest NTP standard but D-Link's devices do not respect that option.

Updates 2006-04-08

My plight seems to have made the rounds on the usual suspects' favourite web-sites and portals, and many people have emailed me with comments, suggestions and sympathy. Many have asked if I wanted to take donations to fight D-Link. That is, however, not the same as saying I won't want to in the future. I'm still hoping that D-Link will act like a responsible company so we can settle this matter without making any lawyers rich, but if D-Link does not come to the table in good faith, I have plenty of arrows for my bow yet to be shot. Overall your reactions seem to come in three sorts (four if we count people who plainly don't know what they're talking about). A lot of p...