Re: [mif] New Charter Items - NTP in RA for DNSSEC

Markus Stenberg <markus.stenberg@iki.fi> Sun, 13 March 2016 09:26 UTC

Return-Path: <markus.stenberg@iki.fi>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6F7C12D535 for <mif@ietfa.amsl.com>; Sun, 13 Mar 2016 01:26:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.821
X-Spam-Level:
X-Spam-Status: No, score=-1.821 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uwe0vN7rQQpF for <mif@ietfa.amsl.com>; Sun, 13 Mar 2016 01:26:30 -0800 (PST)
Received: from johanna2.inet.fi (mta-out1.inet.fi [62.71.2.195]) by ietfa.amsl.com (Postfix) with ESMTP id 27A1312D541 for <mif@ietf.org>; Sun, 13 Mar 2016 01:26:30 -0800 (PST)
RazorGate-KAS: Status: not_detected
RazorGate-KAS: Rate: 0
RazorGate-KAS: Envelope from:
RazorGate-KAS: Version: 5.5.3
RazorGate-KAS: LuaCore: 80 2014-11-10_18-01-23 260f8afb9361da3c7edfd3a8e3a4ca908191ad29
RazorGate-KAS: Lua profiles 69136 [Nov 12 2014]
RazorGate-KAS: Method: none
Received: from poro.lan (80.220.86.47) by johanna2.inet.fi (9.0.002.03-2-gbe5d057) (authenticated as stenma-47) id 56E18B5B0035B64D; Sun, 13 Mar 2016 11:26:28 +0200
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Markus Stenberg <markus.stenberg@iki.fi>
In-Reply-To: <9B436C85-C05B-430A-915E-C332604DAA7E@gmail.com>
Date: Sun, 13 Mar 2016 11:26:27 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <CAC398DB-EB00-4A3B-912D-84B3F7CD9ADC@iki.fi>
References: <39E5345B-04C4-4149-A1A6-F0F5F4988C16@gmail.com> <56DECBC9.7060800@gmail.com> <9B436C85-C05B-430A-915E-C332604DAA7E@gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/mif/aIjsD87sCBFiBsJ4jpH0ucuiFz0>
Cc: mif@ietf.org
Subject: Re: [mif] New Charter Items - NTP in RA for DNSSEC
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mif/>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2016 09:26:33 -0000

On 13.3.2016, at 2.06, Margaret Cullen <mrcullen42@gmail.com>; wrote:
> On Mar 8, 2016, at 7:55 AM, Alexandre Petrescu <alexandre.petrescu@gmail.com>; wrote:
>>> - An NTP server option for RAs, so that DNSSEC can be used for the lookup.
>> 
>> Sounds like a good idea.
>> 
>> I guess DNSSEC operation needs the querier to have the right time otherwise it's insecure?  Hence the need for NTP?
> 
> As I understand it, DNSSEC needs the right time, otherwise it doesn’t work.

Yes. Although given sane RTCs it can most of the time work even without _accurate_ time.

>> I could find 2 earlier drafts on this, maybe there are others.
>> draft-chen-ntps-ra-opt-00
>> draft-bcd-6man-ntp-server-ra-opt-00
>> 
>> If extending RA then it's good to use the RA "flags option" RFC5075.
> 
> I don't think we'd probably do an NTP RA option in the MIF WG.  I suspect it would make more sense to do it in 6man — we'd have to discuss it with them and see if they agree.

NTP RA option would not really fix the solution securely anyway, as secure RA does not really happen. And secure NTP is also something that does not really happen. So there is chicken and egg problem there that is relatively far out of MIF scope I think.

IETF being IETF, we cannot specify insecure things these days officially but all base things are insecure and/or undeployed.

Cheers,

-Markus