Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP
"TS Glassey" <tglassey@earthlink.net> Thu, 29 November 2007 16:02 UTC
Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IxlqR-0006pe-9a; Thu, 29 Nov 2007 11:02:31 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IxlqP-0006pH-Ki for dhcwg@ietf.org; Thu, 29 Nov 2007 11:02:29 -0500
Received: from elasmtp-dupuy.atl.sa.earthlink.net ([209.86.89.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IxlqN-0006Gc-IW for dhcwg@ietf.org; Thu, 29 Nov 2007 11:02:29 -0500
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=R38GWGZOS5nuE/Z0sxc+XzRsD6FqwG3blEqXH25/Zscpa/8fv35AUfjhf3uIuWB1; h=Received:Message-ID:From:To:Cc:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
Received: from [24.23.176.93] (helo=tsg1) by elasmtp-dupuy.atl.sa.earthlink.net with asmtp (Exim 4.34) id 1IxlqI-000237-CB; Thu, 29 Nov 2007 11:02:22 -0500
Message-ID: <002a01c832a1$39e9b480$6501a8c0@tsg1>
From: TS Glassey <tglassey@earthlink.net>
To: Danny Mayer <mayer@ntp.org>, shane_kerr@isc.org
References: <474CB98F.7050603@isc.org> <474CECCD.6090707@ntp.org>
Subject: Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP
Date: Thu, 29 Nov 2007 07:56:04 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-ELNK-Trace: 01b7a7e171bdf5911aa676d7e74259b7b3291a7d08dfec79a05707572786dd486d936b2bb8d982d3350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 24.23.176.93
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 14582b0692e7f70ce7111d04db3781c8
Cc: ntpwg@lists.ntp.org, dhcwg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org
Shane/Danny As another possible solution here, let me ask, would it make sense to also setup a default Multicast type configuration for use in sites that support pre-host registration*** through DHCP... It seems like as setting the DHCP server itself could be peered with the NTP Server they represent, and as such it itself could serve a dual role, not per se setting open-client requests through NTP but through the DHCP listener. If the intent is to provide an unsecured time source for calibrating the operating clocks of un-plumbed hosts, then perhaps a multicast type deployment would work through DHCP for this. Also DHCP could easily be setup to do a two layer process, wherein it presets the client to a 'rudimentary' state where it could communicate with an authentication server to qualify and permit its entrance into a network. FWIW - I have an updated I-D for DHCP which adds this two layer process, and the security model it produces is pretty strong. If anyone is interested drop me a note offlist and I will send it to you. Todd Glassey ----- Original Message ----- From: "Danny Mayer" <mayer@ntp.org> To: <shane_kerr@isc.org> Cc: <ntpwg@lists.ntp.org>; <dhcwg@ietf.org> Sent: Tuesday, November 27, 2007 8:21 PM Subject: Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP > Shane Kerr wrote: >> All, >> >> I was reading the long, long, long thread(s) about putting NTP >> information into >> DHCP, and the focus on whether DHCP servers should provide names or IP >> addresses >> for NTP servers. >> >> It occurs to me that DNSSEC requires accurate time. So, we have a bit of >> a >> bootstrapping issue if we ever decide to secure DNS zones that contain >> NTP >> servers in them and expect clients to use the server names to find them. >> >> It seems like we have to provide IP addresses for NTP servers for this >> reason. >> > > I'm not sure which hat to wear on this one. The first question is > 1) how accurate? Within 5 minutes like TSIG? > 2) I assume that this is both ends relative to each other? > > We always had a bootstrapping issue. It's only now becoming obvious. I > had mentioned this in a previous message. One way of avoiding the > accurate time issue is to use a refclock on the system and have NTP get > its time from there. > > There are actually three different parts of this: > 1) DNS Servers using DNSSEC for the zone in which they are authorative > These will have static IP addresses and DHCP would presumably not be > involved (though no doubt can provide other data). I would expect that > it would be set up manually to have ntpd to use servers specified by the > sysadmin. > > 2) Caching DNSSEC-aware servers > These are presumably the servers responsible for supplying the answers > to the ultimate clients. These would also presumably have static IP > addresses and not use DHCP. They too could be manually configured to use > NTP from their own resources but could conceivably get information from > DHCP servers. > > 3) The clients themselves using a DNSSEC-enabled resolver. These are > likely to be provisioned with IP addresses, DNS server addresses, etc. > and presumably get their information from DHCP. These clients are the > most vunerable since presumably the NTP server would be provisioned by > DHCP which would need to make sure that they receive authenticated data. > That's the chicken and egg problem since they presumably need an > accurate time before communicating with the DHCP server to get > information about the NTP server addresses to use. If you are concerned > enough to use DNSSEC you presumably are concerned enough to use only > authenticatable NTP servers and that means using autokey protocol (now > in IETF draft). That requires a key and it needs to be distributed OOB. > The key could potentially be distributed by DHCP but you also need to > protect the key from modification in flight which presumably needs DHCP > authenticationc and encryption if that's the distribution method. The > trick here is to figure out which piece to set up first. > > Ideas? > > Danny > _______________________________________________ > ntpwg mailing list > ntpwg@lists.ntp.org > https://lists.ntp.org/mailman/listinfo/ntpwg _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] DNSSEC in names vs. numbers for NTP serve… Shane Kerr
- [dhcwg] Re: [ntpwg] DNSSEC in names vs. numbers f… Harlan Stenn
- Re: [dhcwg] DNSSEC in names vs. numbers for NTP s… Masataka Ohta
- Re: [dhcwg] DNSSEC in names vs. numbers for NTP s… Danny Mayer
- Re: [dhcwg] DNSSEC in names vs. numbers for NTP s… David W. Hankins
- [dhcwg] Re: [ntpwg] DNSSEC in names vs. numbers f… David L. Mills
- Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers f… TS Glassey
- Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers f… TS Glassey