[ntpwg] Antw: Re: Antw: Re: Antw: Re: call for adoption (draft-dfranke-ntp-data-minimization)

"Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de> Wed, 29 March 2017 06:28 UTC

Message-Id: <58DB5405020000A100025639@gwsmtp1.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 14.2.2
Date: Wed, 29 Mar 2017 08:28:21 +0200
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: ntpwg@lists.ntp.org, stenn@nwtime.org
References: <CA564C5C-6CED-4810-BA2F-5433F2525249@isoc.org> <20170327133842.GK8192@localhost> <58D9FD22020000A1000255AD@gwsmtp1.uni-regensburg.de> <4cff4cd7-1eec-0e72-b235-1a8d65fc7fc4@nwtime.org> <58DA0F83020000A1000255CF@gwsmtp1.uni-regensburg.de> <CAJm83bCvuJTqoiP8SeYSwEceiJe90C+V8+3AfdgczJ-+L1sa9Q@mail.gmail.com> <33dc07d7-9c3b-a261-91f0-4c32b7f076a9@nwtime.org>
In-Reply-To: <33dc07d7-9c3b-a261-91f0-4c32b7f076a9@nwtime.org>

>>> Ulrich Windl wrote on 29.03.2017 at 08:26 in message <58DB53AC.69E : 161 : 60728>:
>>>> Harlan Stenn <stenn@nwtime.org> wrote on 29.03.2017 at 01:23 in message <33dc07d7-9c3b-a261-91f0-4c32b7f076a9@nwtime.org>:
> 
> > 
> > On 3/28/2017 7:08 AM, Daniel Franke wrote:
> >> On 3/28/17, Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
> >>> IMHO it would be consistent to set precision to 3 (the lowest possible
> >>> precision (0.125s) where NTP will start to work) and use 29 bits of
> >>> randomness then. Still a half billion attack packets might transit without
> >>> being detected, but I doubt that.
> > 
> > Ulrich, a precision of 3 is 8 seconds.
> 
> Harlan,
> 
> you are right, I missed the fact that a signed 24-bit number is used. I
> forgot about the fact that any real-life clock using NTP could have a
> precision > 0. Of course I meant -3.

Oops (still suffering from the DST switch): 8 bits, not 24, of course.

> 
> Regards,
> Ulrich
> 
> 
> > 
> >> 2**29 packets is about 541 gigabits including ethernet headers, so on
> >> a 1Gbps link is about a 0.18% chance of attacker success during the 1s
> >> MAXDIST window. On a 10Gbps link this becomes 1.8%. That's a big
> >> improvement over the status quo but still a non-negligible weakness.
> > 
> > Daniel, you're continuing to focus on and assume that:
> > 
> > - nobody will notice or care about these spoofs.  The reference
> > implementation from NTF/ntp.org reports these on both the client and the
> > server side.
> > 
> > - Once the client receives the response from the server, the origin
> > timestamp is zeroed in the client so no more responses from the server
> > will be accepted.
> > 
> > This has all been said before, several times, and you continue to ignore
> > these points.
> > 
> > Please take a breath of fresh air.
> > 
> >> What's the benefit of randomizing anything less than the full 64 bits?
> > 
> > For extranet communications, I'd likely choose 64 bits.  But I'd also
> > consider this to be *my* policy choice.  If somebody has good reason to
> > pick a different number, they should be able to.
> > 
> > I would generally not choose information hiding or extra randomizing on
> > internal NTP traffic.
> > 
> > -- 
> > Harlan Stenn <stenn@nwtime.org>
> > http://networktimefoundation.org - be a member!
> > 
> > _______________________________________________
> > ntpwg mailing list
> > ntpwg@lists.ntp.org 
> > http://lists.ntp.org/listinfo/ntpwg 

_______________________________________________
ntpwg mailing list
ntpwg@lists.ntp.org
http://lists.ntp.org/listinfo/ntpwg
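The numbers argued over in the quoted exchange (precision 3 vs. -3, 29 bits of randomness, 2**29 packets at 1 Gbps giving roughly a 0.18% chance within the 1 s MAXDIST window), carried through as an added example that is not code from the thread or from any NTP implementation. It assumes that "bits of randomness" means the fraction bits of the 64-bit NTP timestamp finer than the announced precision, and it takes the on-the-wire packet size from Daniel's 541 gigabit figure rather than from a real capture.

```python
"""Worked numbers for the NTP precision / timestamp-guessing discussion.

Added example; not code from the ntpwg thread or from ntpd.  Assumed model:
an off-path attacker must blindly guess the random low-order timestamp bits
and can only try as many packets as the link carries during the window.
"""
import math

NTP_FRACTION_BITS = 32  # the low 32 bits of an NTP timestamp are the fraction


def decode_precision(byte: int) -> int:
    """Decode the 8-bit precision field as a signed two's-complement exponent."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("precision field is a single byte")
    return byte - 256 if byte >= 128 else byte


def precision_seconds(p: int) -> float:
    """Precision is log2 of the clock resolution in seconds (3 -> 8 s, -3 -> 0.125 s)."""
    return 2.0 ** p


def unpredictable_fraction_bits(p: int) -> int:
    """Fraction bits finer than the clock resolution, i.e. bits an attacker cannot
    infer from the announced precision (p=-3 -> 29, p=-20 -> 12).  Seconds-field
    bits are ignored, so a precision >= 0 simply yields all 32 fraction bits."""
    if p >= 0:
        return NTP_FRACTION_BITS
    return max(0, NTP_FRACTION_BITS + p)


# Constructed: on-the-wire size that reproduces "2**29 packets ~ 541 gigabits"
BITS_PER_PACKET = 541e9 / 2 ** 29  # ~1008 bits incl. Ethernet framing


def guess_probability(random_bits: int, link_bps: float, window_s: float = 1.0,
                      bits_per_packet: float = BITS_PER_PACKET) -> float:
    """Probability that a blind flood saturating the link for window_s seconds
    hits the single correct value of random_bits random bits at least once."""
    if random_bits <= 0:
        return 1.0
    n_packets = link_bps * window_s / bits_per_packet
    # 1 - (1 - 2**-b)**n, evaluated stably for tiny 2**-b
    return -math.expm1(n_packets * math.log1p(-2.0 ** -random_bits))


if __name__ == "__main__":
    for byte in (3, 0xFD):  # 0xFD is -3 as a signed byte
        p = decode_precision(byte)
        print(f"precision {p:>3}: {precision_seconds(p)} s, "
              f"{unpredictable_fraction_bits(p)} unpredictable fraction bits")
    for rate in (1e9, 10e9):
        print(f"{rate / 1e9:g} Gbps, 29 random bits: {guess_probability(29, rate):.2%}")
```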