IETF Logo Mail Archive

Re: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption

Daniel Franke <dfoxfranke@gmail.com> Wed, 26 May 2021 13:28 UTC

Return-Path: <dfoxfranke@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 560933A2E4B for <ntp@ietfa.amsl.com>; Wed, 26 May 2021 06:28:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x5EkQsGpHasT for <ntp@ietfa.amsl.com>; Wed, 26 May 2021 06:28:10 -0700 (PDT)
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2974C3A2E74 for <ntp@ietf.org>; Wed, 26 May 2021 06:28:10 -0700 (PDT)
Received: by mail-pg1-x529.google.com with SMTP id 6so948250pgk.5 for <ntp@ietf.org>; Wed, 26 May 2021 06:28:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=n08Q39J4LrJmm/kf85PQ6SK4Xs8zk65hv0i/SzUkaqQ=; b=IzuOOGYcChNiScAWIEomWyPQnD9F903TjQu1FPWfPr81mGiFp9zwhD/BGQv7+wscqu +4MrxaCK4nHzXjuzZcWJDRjf2eEa3uU+kuBirs1z/lRzsFWlYI3ZTxgc1ZVPxWfAkd60 hxLbfsxz6y+zcEbuvqKPSvFX51omIl7gSjFrBPbe3uL3DOeOwXoAZ70L6hD3wteNqAb6 F3eKZWBmbcPH73659lZ7ibjAJi0G0oWGmMSJPwNg5jLhfaZyM6tBYe+Afga/7okKVY/u 7ZBLIbWLZiZpurhKX8TjVSU82TQDlmQ0W57NAreefaMQqk/UtZZSlnnXcraaowkuehsU ogXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=n08Q39J4LrJmm/kf85PQ6SK4Xs8zk65hv0i/SzUkaqQ=; b=qw/Mjm5DWaB1Rgyi8iHkjtKwDGeOBcuV7ByeLMDzusbMdACIEKtaBiM/BoGkTY58Ab wT5SKq2b+aF5f8rkFZpF/52J8l9RMOkz3Ir4Oo+FpaghDJGiY9Cusw+WtETnbXTIn9VC oy94uh3lVtqZ3AQfxpHUydc+unjBJ6J5xIJ4rq0foCs8nr/7EtJslymKmVVU6IwFbtMl DD+BvcESlswB6ksp22SeoVl+d/RcIdk70UqDndq/l2gaPZ04f5cwU8VCP8WGm8SYMiUL oidmymA7adUNaFmBOji7MCrqLvcyez0+3oVhK84BB8bCUlqmTG2JpvZ1ZRXDIxY79hjq HMUA==
X-Gm-Message-State: AOAM5311lunyY+pqpZoTTq9rAXZLat0XqhAI5RcvqMTlIF2eE+MtKzFU LOgdjoWBJxCAqP/SsDPJ3BKLtbbY21DhySB3KYg=
X-Google-Smtp-Source: ABdhPJzmUfs+Ex0of4ThLq6hh69HHa8B93kFjG26OUUfBLZOwhxXrdXTfE2zu9PiChnUbZk6UZbdHd9lxx2J/LvIc0g=
X-Received: by 2002:a63:4609:: with SMTP id t9mr24730590pga.13.1622035688306; Wed, 26 May 2021 06:28:08 -0700 (PDT)
MIME-Version: 1.0
References: <7F9B8D13-BC90-4E15-9BDF-81714DF0F0C6@meinberg.de> <CAJm83bD1yGjtCkSkCQbXKznyPDZC6-bXigsm_BFiprNXkEY49Q@mail.gmail.com>
In-Reply-To: <CAJm83bD1yGjtCkSkCQbXKznyPDZC6-bXigsm_BFiprNXkEY49Q@mail.gmail.com>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Wed, 26 May 2021 09:27:57 -0400
Message-ID: <CAJm83bAXZmJX-7tUFefCMWPsn2QHpxsqe_n=HbjwW4YQSvT23A@mail.gmail.com>
To: Heiko Gerstung <heiko.gerstung=40meinberg.de@dmarc.ietf.org>, NTP WG <ntp@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000003ba4905c33b9d72"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/4adVBqyCsPAD-QD7V6ztTyo_xwU>
Subject: Re: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2021 13:28:17 -0000

(Resending to reply to the list)

I finally gave this draft a close read this morning. I have to oppose
adoption, on the grounds that it doesn't appear to achieve any of
NTS's goals.

It clearly doesn't attempt to achieve server statelessness. It doesn't
achieve client unlinkability either, since only one cookie is provided
and there's no mechanism for refreshing it without a new NTS-KE. The
case possibly could be made (but hasn't been) that these goals aren't
as important for PTP as they are for NTP, but after this I would still
object that calling a protocol "NTS" when it doesn't provide these
things is bad marketing for NTS4NTP.

The killer, though, is that the protocol fails to provide time
authentication to within any reasonable error bounds. The only secure
time exchange is the one that happens in phase 2 during the
DELAY_REQ/DELAY_RESP exchange. Transmissions during phase 3 are
vulnerable to delay attacks. Checking sequence numbers is not
sufficient mitigation against these. A MitM could forward packet N
when (and only when) the server sends packet 2N. All sequence number
checks would pass, but absent any other sanity checks the client's
clock would be slowed by a factor of two.

The NTS TLV is missing any field that corresponds to the Unique
Identifier EF from NTS4NTP. Without this, an attacker can drop or
reorder the server's messages and confuse the client as to what
request a response corresponds to. This is easy to fix, but absent a
fix, clients would have to mitigate this by making sure they only ever
have one request in flight at a time. Failure to promptly obtain a
response to any time-sensitive request such as DELAY_REQ would require
rerunning NTS-KE. Non-time-sensitive requests could simply be
retransmitted.

To salvage the security of this protocol, you could first fix the
Unique Identifier issue and then have the client send DELAY_REQ
messages at NTP-like intervals, rather than just once per handshake,
in order to regularly reëstablish tight error bounds that can be used
to sanity-check the phase 3 packets. This would achieve time security
about equal to what you get from the NTP/PTP hybrid I proposed last
month, but without privacy, without server statelessness, and with an
added requirement for support from the server rather than being able
to unilaterally implement it on the client side.

On Wed, May 26, 2021 at 4:31 AM Heiko Gerstung <heiko.gerstung=
> 40meinberg.de@dmarc.ietf.org> wrote:
>
>> Dear fellow NTP working group members,
>>
>>
>>
>> I just submitted the latest revision of our NTS for Unicast PTP draft
>> (-02) which you can find here:
>>
>> https://datatracker.ietf.org/doc/draft-gerstung-nts4uptp/
>>
>>
>>
>>
>>
>> Based on our experience of more than 20 years (NTP) and 15 years of PTP
>> based network time synchronization for quite a large number of different
>> applications and industries, we believe that the proposed draft will
>> increase the number of potential use cases for unicast PTP by adding
>> serious and sound security mechanisms to this protocol. It will enable
>> users in a large variety of areas to transport highly accurate and reliable
>> time over wide area networks and hard to protect large-scale private
>> networks.
>>
>>
>>
>> Unicast PTP is a protocol that has been designed to be used in protected
>> network environments and requires additional protection to allow using it
>> in other types networks, i.e. the Internet or wide-area-networks where it
>> is impossible to ensure that no malicious actor with access to the network
>> can carry out various attacks. The proposed draft offers protection against
>> most of the possible attacks.
>>
>>
>>
>> The authors acknowledge that other variants of PTP, namely the multicast
>> and hybrid (i.e. unicast and multicast) forms, need to be protected as
>> well. However, those forms are rarely used over wide area networks and are
>> much more common in local area networks and protected network environments.
>> Securing multicast and hybrid PTP requires a more complex solution and our
>> expectation is that the proposed standard for securing unicast PTP will be
>> completed faster due to the fact that we built it on the work that already
>> went into RFC8915. The similarities in the key exchange phase of the
>> protocol also offer an efficient way to implement combined NTS4NTP and
>> NTS4UPTP key exchange service daemons and therefore helps to simplify
>> deploying secure time synchronization solutions that support NTP, PTP or
>> both in parallel.
>>
>>
>>
>> I therefore would like to formally request adoption of this draft by this
>> working group and kindly ask you to review the draft, and send your
>> questions, comments and general feedback to the WG and/or one of the
>> authors of this draft.
>>
>>
>>
>> Thank you and best regards,
>>
>>   Heiko
>>
>>
>>
>>
>>
>>
>> --
>>
>> Heiko Gerstung
>>
>> Managing Director
>>
>>
>>
>> MEINBERG® Funkuhren GmbH & Co. KG
>>
>> Lange Wand 9
>>
>> D-31812 Bad Pyrmont, Germany
>>
>> Phone: +49 (0)5281 9309-404
>>
>> Fax: +49 (0)5281 9309-9404
>>
>>
>>
>> Amtsgericht Hannover 17HRA 100322
>>
>> Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre
>> Hartmann, Heiko Gerstung
>>
>>
>>
>> Email:
>>
>> heiko.gerstung@meinberg.de
>>
>> Web:
>>
>> Deutsch https://www.meinberg.de
>>
>> English https://www.meinbergglobal.com
>>
>>
>>
>> Do not miss our Time Synchronization Blog:
>>
>> https://blog.meinbergglobal.com
>>
>>
>>
>> Connect via LinkedIn:
>>
>> https://www.linkedin.com/in/heikogerstung
>>
>>
>>
>>
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
>>
>

v2.23.0 | Report a Bug | By Email