[Ntp] Benjamin Kaduk's Yes on draft-ietf-ntp-port-randomization-06: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 02 June 2021 00:24 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: ntp@ietf.org
Delivered-To: ntp@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D687A3A2D13; Tue, 1 Jun 2021 17:24:50 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ntp-port-randomization@ietf.org, ntp-chairs@ietf.org, ntp@ietf.org, odonoghue@isoc.org, odonoghue@isoc.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.30.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <162259349040.28011.12868490801222617531@ietfa.amsl.com>
Date: Tue, 01 Jun 2021 17:24:50 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/-EVLa0HBQsAYuAv991uEcP5yzhM>
Subject: [Ntp] Benjamin Kaduk's Yes on draft-ietf-ntp-port-randomization-06: (with COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jun 2021 00:24:51 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-ntp-port-randomization-06: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ntp-port-randomization/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- There's a few places where we say things like "the choice of whether to randomize the ephemeral port number on a per-request or a per-association basis is left to the implementation, and should consider the possible effects on path selection along with its possible impact on time measurement." But the main specific consideration that we mention is that in ECMP and similar situations, randomizing per-request can cause problems; in particular, I don't remember seeing anything that would be an argument in favor of randomizing on a per-request basis. So the current guidance (entirely up to the implementation) doesn't seem to match up very well with what we say about the two choices. I think I'm missing (in the text, that is) some aspect about how randomizing the port on a per-request basis provides more robust defence against off-path attacks than only randomizing per-association. Section 3.3 inspecting the source and destination port numbers. Implementation of port randomization for non-symmetrical modes allows for simple differentiation of NTP requests and responses, and for the enforcement of security policies that may be valuable for the mitigation of DDoS attacks, when all NTP clients in a given network employ port randomization. I guess the details of what those security policies might look like are properly out of scope for this document ... but the potential consequences of such policies on clients that don't employ port randomization might be in scope for us. Section 4 Just an observation (no need to change anything), but we seem to be going from three lines of content in the original to 30 lines of content in the new version. If it was actually applied and viewed in context in the manner of inline errata, the new text might feel a bit out of place. NITS Abstract number. However, in the case of NTP modes where the use of a well- known port is not required, employing such well-known port unnecessarily increases the ability of attackers to perform blind/ off-path attacks. This document formally updates RFC5905, "increases" has some implicit baseline, which is typically "the current state prior to this document" (which is not the right baseline for this case). I'd suggest just "unnecessarily enables blind/off-path attacks", or maybe a variant with "facilitates" rather than "enables". (Similarly for the Introduction, twice.) Section 7 known for a long time now. However, the NTP specification has traditionally followed a pattern of employing common settings and code even when not strictly necessary, which at times has resulted in negative security and privacy implications (see e.g. It seems unusual for the NTP *specification* to employ common *code*. This issue has been tracked by US-CERT with VU#597821, and has been assigned CVE-2019-11331. I failed to find anything under us-cert.gov that referenced "VU#597821" or even just "597821".
- [Ntp] Benjamin Kaduk's Yes on draft-ietf-ntp-port… Benjamin Kaduk via Datatracker
- Re: [Ntp] Benjamin Kaduk's Yes on draft-ietf-ntp-… Fernando Gont
- Re: [Ntp] Benjamin Kaduk's Yes on draft-ietf-ntp-… Benjamin Kaduk