Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp
Miroslav Lichvar <mlichvar@redhat.com> Thu, 06 December 2018 12:17 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49F32130DEF for <ntp@ietfa.amsl.com>; Thu, 6 Dec 2018 04:17:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id imKhrMEB12nv for <ntp@ietfa.amsl.com>; Thu, 6 Dec 2018 04:17:12 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DC43130DD7 for <ntp@ietf.org>; Thu, 6 Dec 2018 04:17:12 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9AB69C04BD35 for <ntp@ietf.org>; Thu, 6 Dec 2018 12:17:11 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1B7BA5D6A6 for <ntp@ietf.org>; Thu, 6 Dec 2018 12:17:10 +0000 (UTC)
Date: Thu, 06 Dec 2018 13:16:56 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: ntp@ietf.org
Message-ID: <20181206121656.GI28938@localhost>
References: <FF5E07A6-6F59-4D45-A186-7FC7C9B4A41C@isoc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <FF5E07A6-6F59-4D45-A186-7FC7C9B4A41C@isoc.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Thu, 06 Dec 2018 12:17:11 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/0ctnyPcgvumwyGhLz5p-K6Pv_Pk>
Subject: Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 12:17:14 -0000
On Tue, Nov 06, 2018 at 08:46:12PM +0000, Karen O'Donoghue wrote: > Folks, > > This message initiates a three plus week working group last call for: > > Network Time Security for the Network Time Protocol > https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/ I support advancing this document. It's well written and it secures the most important mode of NTP - client-server. >From an implementor's point of view, I'd prefer if TLS 1.3 was required, but I don't know much about TLS or crypto in general. I still think it would be good to specify the maximum length of the cookie. This would simplify the client implementation. From a previous discussion, it looks like 256 octets should be enough. In 5.2 there is "Possibly, some additional extension fields which are neither encrypted nor authenticated. These are discarded by the receiver." I'd suggest to change the last sentence to "These are normally discarded by the receiver". This is explained later in the document for both client and server sides. In 5.6 there are two instances "zero-padded to a word (four octets) boundary" and two instances of "bytes". The size of a word and byte is specific to the architecture, so just use "to a four-octet boundary" and "octets". In 5.7 there are typos in "but MUST be encrypted from sent from server to client." and "comply with RFC 5095, Section 7.4". In 5.7 there is "In that case, it MUST be able to detect and stop looping between the NTS-KE and NTP servers.". This could be explained in a more detail. The detection here means that the client should check if there were no good NTP packets received between NTS-KE exchanges? -- Miroslav Lichvar
- [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Karen O'Donoghue
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Loganaden Velvindron
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Martin Langer
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Martin Langer
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Karen O'Donoghue
- [Ntp] Fwd: WGLC: draft-ietf-ntp-using-nts-for-ntp Karen O'Donoghue
- [Ntp] Dave Mills: Re: WGLC: draft-ietf-ntp-using-… Harlan Stenn
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Miroslav Lichvar
- Re: [Ntp] Fwd: WGLC: draft-ietf-ntp-using-nts-for… kristof.teichel
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Denis Reilly
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Marcus Dansarie
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Harlan Stenn
- [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using-nts… kristof.teichel
- Re: [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using… Harlan Stenn
- [Ntp] Antwort: Re: Antwort: Re: WGLC: draft-ietf-… kristof.teichel
- Re: [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using… Salz, Rich
- Re: [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using… Harlan Stenn
- Re: [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using… Harlan Stenn
- Re: [Ntp] Antwort: Re: Antwort: Re: WGLC: draft-i… Harlan Stenn
- Re: [Ntp] Antwort: Re: Antwort: Re: WGLC: draft-i… kristof.teichel
- Re: [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using… Salz, Rich
- Re: [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using… kristof.teichel
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Dieter Sibold
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Brian Haberman
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Karen O'Donoghue
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Marcus Dansarie
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Dieter Sibold
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Salz, Rich
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Dieter Sibold
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Dieter Sibold
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Salz, Rich
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Dieter Sibold
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Martin Langer
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Dieter Sibold
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Ragnar Sundblad
- Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp Miroslav Lichvar