IETF Logo Mail Archive

Re: [Ntp] Antwort: Re: Symmetric mode

Miroslav Lichvar <mlichvar@redhat.com> Mon, 26 September 2022 10:54 UTC

Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21A18C14F725 for <ntp@ietfa.amsl.com>; Mon, 26 Sep 2022 03:54:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level:
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nbdqfb7XMI7N for <ntp@ietfa.amsl.com>; Mon, 26 Sep 2022 03:54:29 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53F0BC14CE3C for <ntp@ietf.org>; Mon, 26 Sep 2022 03:53:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1664189617; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=RJxDww1J9wCQ20CEdkJdvhxXxup212UBwZkveXWH/ps=; b=YpNk+nmB1myNl4a+P4C33pdtZNFFSLphHnYj/EeSHrH2JNIPoZ3cq4bOD8GdMaPznKOf+Z llFuPuDE4hZ8CUgHGVpB9OcypXp4nfe3U5ixaXDFKyS93BtsduwRoxz+9Yh2WF3M00Ctwa DNlkY1qOZG/LpRxqeAZ36mzRGR5Ka44=
Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-454-OEJf7tZlORutczlRRiSCyg-1; Mon, 26 Sep 2022 06:53:34 -0400
X-MC-Unique: OEJf7tZlORutczlRRiSCyg-1
Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E30353C01DE7; Mon, 26 Sep 2022 10:53:33 +0000 (UTC)
Received: from localhost (unknown [10.43.135.229]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 555A94750A5; Mon, 26 Sep 2022 10:53:33 +0000 (UTC)
Date: Mon, 26 Sep 2022 12:53:32 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Danny Mayer <mayer@pdmconsulting.net>
Cc: kristof.teichel=40ptb.de@dmarc.ietf.org, ntp@ietf.org
Message-ID: <YzGErHj7nkt+Ehd8@localhost>
References: <880b8ec4-e112-e2e2-f48c-c940064bc749@pdmconsulting.net> <mayer@pdmconsulting.net> <796c33e6-02dc-0665-c8a2-a143f9100bdd@pdmconsulting.net> <20220919024614.4AB8328C1E2@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <YygwAeTMeSHXXk6t@localhost> <OF42F0D0F6.E94FA935-ONC12588C3.005225C3-C12588C3.0054DC8B@ptb.de> <d13df0b6-7c47-820e-5dbd-21dd7e2d4801@pdmconsulting.net> <YywRhCmTD4mt8KTy@localhost> <9eac8a08-80d7-0d23-940a-d00c4bb2382f@pdmconsulting.net>
MIME-Version: 1.0
In-Reply-To: <9eac8a08-80d7-0d23-940a-d00c4bb2382f@pdmconsulting.net>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/1eTvwbdyPcOhWioBX66YGWaSWuY>
Subject: Re: [Ntp] Antwort: Re: Symmetric mode
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2022 10:54:35 -0000

On Sat, Sep 24, 2022 at 07:20:36PM -0400, Danny Mayer wrote:
> On 9/22/22 3:40 AM, Miroslav Lichvar wrote:
> > The peer doesn't know if a received message is a new one or it was
> > already sent before by one of the peers. It doesn't have an infinite
> > storage and there can be messages lost in the network.
> When a peer is acting as the client it knows if it already has received the
> message. If the peer is acting as the server then it acts as if that's a new
> request from a client and responds appropriately.

The trouble is that the peer is doing both the client and server part
of the protocol at the same time. The server responds only once per
polling interval and it doesn't know which request is the genuine
request from the other peer, so replays can cause a denial of service
due to the response having an origin timestamp from the attacker's
replay instead of the peer's request.

> > The IP addresses and ports are not included in the data authenticated
> > by the NTP MAC. You can replay an authenticated NTP messages from any
> > address and any port.
> First of all you know what IP addresses you are peering with, so that
> wouldn't work anyway. I assume that you are talking about the peer acting as
> a client so if it's a replay attack it wouldn't work as the peer acting as a
> client has already received the packet so it would discard the replay
> packet.

No, this is about the server part. If the server allows ephemeral
associations, the attacker can create an unlimited number of them and
prevent a real peer from 

> >   And if you
> > specify the other peer on both ends, you can just as well use the
> > client/server mode. It will double the NTP traffic, but it will be
> > more secure.
> 
> No, that's not true. Symmetric peer mode uses the same number of packets as
> client/server

Here is a packet capture comparing two systems polling each other like
this:

A: server B minpoll 3 maxpoll 3
B: server A minpoll 3 maxpoll 3

vs this:

A: peer B minpoll 3 maxpoll 3
B: peer A minpoll 3 maxpoll 3

10:30:25.051989 IP 192.168.50.2.ntp > 192.168.50.1.ntp: NTPv4, Client, length 48
10:30:25.052171 IP 192.168.50.1.ntp > 192.168.50.2.ntp: NTPv4, Server, length 48
10:30:25.476877 IP 192.168.50.1.ntp > 192.168.50.2.ntp: NTPv4, Client, length 48
10:30:25.476911 IP 192.168.50.2.ntp > 192.168.50.1.ntp: NTPv4, Server, length 48
10:30:33.051990 IP 192.168.50.2.ntp > 192.168.50.1.ntp: NTPv4, Client, length 48
10:30:33.052176 IP 192.168.50.1.ntp > 192.168.50.2.ntp: NTPv4, Server, length 48
10:30:33.476129 IP 192.168.50.1.ntp > 192.168.50.2.ntp: NTPv4, Client, length 48
10:30:33.476175 IP 192.168.50.2.ntp > 192.168.50.1.ntp: NTPv4, Server, length 48
10:30:57.719140 IP 192.168.50.1.ntp > 192.168.50.2.ntp: NTPv4, symmetric active, length 48
10:30:59.393583 IP 192.168.50.2.ntp > 192.168.50.1.ntp: NTPv4, symmetric active, length 48
10:31:05.718401 IP 192.168.50.1.ntp > 192.168.50.2.ntp: NTPv4, symmetric active, length 48
10:31:07.393583 IP 192.168.50.2.ntp > 192.168.50.1.ntp: NTPv4, symmetric active, length 48

As you can see, there are 4 client/server mode packets per poll, but
only 2 symmetric mode packets per poll.

> and as I said above it's no more vulnerable than
> client/server.

No, there are at least three security issues specific to the symmetric
mode. You don't seem to be following what others have been saying here
for years.

As an example, I can show you how the replay attack breaks a symmetric
association configured as in the previous test.

Before the attack starts ntpq -pn on the peer B prints:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.50.1    10.2.32.37       3 s    3    8  377    0.124   +4.482   2.969

After capturing a single packet from B to A with tcpdump and replaying
it with tcpreplay once per second for 8 polling intervals the
reachability reported by ntpq drops to zero, i.e. no valid response
was received and synchronization is broken:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.50.1    10.2.32.37       3 s    8    8    0    0.011   +4.770   1.927

Here is the complete packet capture if you want to check how the peer
A is sending messages with wrong origin timestamp:

https://fedorapeople.org/~mlichvar/tmp/ntp-replay.pcap

Repeating the replay once per second is not necessary, but this was
easier than trying to time it between the request and response.

-- 
Miroslav Lichvar

v2.23.0 | Report a Bug | By Email