[Ntp] Antw: [EXT] Re: Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standardsecurity

Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> Tue, 09 February 2021 07:39 UTC

Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A128A3A11E2; Mon, 8 Feb 2021 23:39:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id gv564TOh2eS2; Mon, 8 Feb 2021 23:39:24 -0800 (PST)
Received: from mx3.uni-regensburg.de (mx3.uni-regensburg.de []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 517873A11DF; Mon, 8 Feb 2021 23:39:22 -0800 (PST)
Received: from mx3.uni-regensburg.de (localhost []) by localhost (Postfix) with SMTP id 76BF3600004D; Tue, 9 Feb 2021 08:39:19 +0100 (CET)
Received: from gwsmtp.uni-regensburg.de (gwsmtp1.uni-regensburg.de []) by mx3.uni-regensburg.de (Postfix) with ESMTP id 5369D6000048; Tue, 9 Feb 2021 08:39:16 +0100 (CET)
Received: from uni-regensburg-smtp1-MTA by gwsmtp.uni-regensburg.de with Novell_GroupWise; Tue, 09 Feb 2021 08:39:17 +0100
Message-Id: <60223C23020000A10003ED11@gwsmtp.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.3.0
Date: Tue, 09 Feb 2021 08:39:15 +0100
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: daedulus@btconnect.com, dhruv.ietf@gmail.com
Cc: Dieter Sibold <dsibold.ietf@gmail.com>, ek.ietf@gmail.com, draft-ietf-ntp-yang-data-model@ietf.org, last-call@ietf.org, "ntp@ietf.org" <ntp@ietf.org>, "ntp-chairs@ietf.org" <ntp-chairs@ietf.org>
References: <161195994417.2651.6499166797756243533@ietfa.amsl.com> <60212265.6020204@btconnect.com> <CAB75xn7tXa1BCHd=KFR9DC=+bA01R1A+X2M4oUbrF-YLx8ExJA@mail.gmail.com>
In-Reply-To: <CAB75xn7tXa1BCHd=KFR9DC=+bA01R1A+X2M4oUbrF-YLx8ExJA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/1RkKwLM5JNbb9oHJ0sHeLKmRwcM>
Subject: [Ntp] Antw: [EXT] Re: Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standardsecurity
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2021 07:39:27 -0000

>>> Dhruv Dhody <dhruv.ietf@gmail.com> schrieb am 08.02.2021 um 18:05 in
> Hi Tom,
> Thanks for your detailed review. Lets discuss the security first ‑
> On Mon, Feb 8, 2021 at 6:07 PM tom petch <daedulus@btconnect.com> wrote:
>> This is my second response to this Last Call, about a possible security
>> issue.
>> RFC8573 seems clear that MD5 must not be used to effect security for NTP
>> but this I‑D imports iana‑crypt‑hash which allows MD5 without any
>> restriction, so is MD5 allowed or not?
> Good question. While it is easy to restrict the use of MD5 by adding a
> must statement, I want to check if it is a good idea. The YANG model
> is written in such a way that it supports older versions of NTP as
> well. Would barring MD5 configuration be an issue if there are older
> implementations in the network still? I think perhaps adding a warning
> in the description is a good idea. I did a quick search and dont see
> other YANG models doing a check either. Would be good to get some
> guidance on this.

I just checked the docs of a recent ntpd: The docs say DES was replaced with
MD5, but they do in no way say that MD5 is obsolete.
For example the docs (man ntp.conf) say:
       /etc/ntp.conf  the default name of the configuration file
       ntp.keys       private MD5 keys


>> There are features defined which allow the hash in iana‑crypt‑hash to be
>> restricted but this I‑D does not use them.
> I didn't see any reason to use them in the NTP Yang. Can you?
>> Probably iana‑crypt‑hash should be updated ‑ I will raise that on the
>> NETMOD WG list.
>> The I‑D also uses MD5 in a way that would appear not to be security
>> related, to hash an IPv6 address.
> This is as per RFC 5905 ‑
>    If using the IPv4 address family, the identifier is the four‑
>    octet IPv4 address.  If using the IPv6 address family, it is the
>    first four octets of the MD5 hash of the IPv6 address.
>> In passing, this I‑D has three references to RFC7317.  This is wrong ‑
>> the module is IANA‑maintained and so the references should be to the
>> IANA website.
> But even the iana‑crypt‑hash YANG model put RFC 7317 as a reference ‑
>      revision 2014‑08‑06 {
>        description
>          "Initial revision.";
>        reference
>          "RFC 7317: A YANG Data Model for System Management";
>      }
> I will start working on your other comments and prepare a new version.
> Thanks!
> Dhruv
>> The secdir reviewer might be interested in my thoughts.
>> Tom Petch
>> On 29/01/2021 22:39, The IESG wrote:
>> >
>> > The IESG has received a request from the Network Time Protocol WG (ntp)
>> > consider the following document: ‑ 'A YANG Data Model for NTP'
>> >    <draft‑ietf‑ntp‑yang‑data‑model‑10.txt> as Proposed Standard
>> >
>> > The IESG plans to make a decision in the next few weeks, and solicits
>> > comments on this action. Please send substantive comments to the
>> > last‑call@ietf.org mailing lists by 2021‑02‑12. Exceptionally, comments
>> > be sent to iesg@ietf.org instead. In either case, please retain the 
> beginning
>> > of the Subject line to allow automated sorting.
>> >
>> > Abstract
>> >
>> >
>> >     This document defines a YANG data model for Network Time Protocol
>> >     (NTP) implementations.  The data model includes configuration data
>> >     and state data.
>> >
>> >
> _______________________________________________
> ntp mailing list
> ntp@ietf.org 
> https://www.ietf.org/mailman/listinfo/ntp