Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standardsecurity

tom petch <daedulus@btconnect.com> Mon, 08 February 2021 12:37 UTC

To: last-call@ietf.org
Cc: ek.ietf@gmail.com, ntp-chairs@ietf.org, ntp@ietf.org, dsibold.ietf@gmail.com, draft-ietf-ntp-yang-data-model@ietf.org
From: tom petch <daedulus@btconnect.com>
Message-ID: <60212265.6020204@btconnect.com>
Date: Mon, 08 Feb 2021 11:37:09 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/4x7AhvJLknoWVIrK9MdPjlzgN-g>

This is my second response to this Last Call, about a possible security 
issue.

RFC8573 seems clear that MD5 must not be used to effect security for NTP 
but this I-D imports iana-crypt-hash which allows MD5 without any 
restriction, so is MD5 allowed or not?

There are features defined which allow the hash in iana-crypt-hash to be 
restricted but this I-D does not use them.

Probably iana-crypt-hash should be updated - I will raise that on the 
NETMOD WG list.

The I-D also uses MD5 in a way that would appear not to be security 
related, to hash an IPv6 address.

In passing, this I-D has three references to RFC7317.  This is wrong - 
the module is IANA-maintained and so the references should be to the 
IANA website.

The secdir reviewer might be interested in my thoughts.

Tom Petch

On 29/01/2021 22:39, The IESG wrote:
>
> The IESG has received a request from the Network Time Protocol WG (ntp) to
> consider the following document: - 'A YANG Data Model for NTP'
>    <draft-ietf-ntp-yang-data-model-10.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2021-02-12. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>
>     This document defines a YANG data model for Network Time Protocol
>     (NTP) implementations.  The data model includes configuration data
>     and state data.
>
>
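The feature gating Tom refers to, as an added illustration that is not part of the message, the draft, or RFC 7317's own module: iana-crypt-hash marks each crypt-hash form (`$1$` MD5, `$5$` SHA-256, `$6$` SHA-512) with a YANG feature, so a server that does not advertise `crypt-hash-md5` must reject `$1$` values, while a module that imports the type without restricting features accepts all three. The feature sets and sample key strings below are constructed for the example; the patterns follow the `crypt-hash` typedef in RFC 7317.

```python
import re

# Each crypt-hash form from RFC 7317's iana-crypt-hash typedef, keyed by its
# crypt(3) prefix, with the YANG feature that gates it. "$0$" (cleartext) is
# not gated. YANG patterns match the whole string, hence fullmatch() below.
CRYPT_HASH_FORMS = {
    "$0$": (None, re.compile(r"\$0\$.*")),
    "$1$": ("crypt-hash-md5",
            re.compile(r"\$1\$[a-zA-Z0-9./]{1,8}\$[a-zA-Z0-9./]{22}")),
    "$5$": ("crypt-hash-sha-256",
            re.compile(r"\$5\$(rounds=\d+\$)?[a-zA-Z0-9./]{1,16}\$[a-zA-Z0-9./]{43}")),
    "$6$": ("crypt-hash-sha-512",
            re.compile(r"\$6\$(rounds=\d+\$)?[a-zA-Z0-9./]{1,16}\$[a-zA-Z0-9./]{86}")),
}

# Constructed feature sets: an importer that restricts nothing (the situation
# the message describes) versus an NTP server that, per RFC 8573, does not
# advertise the MD5 feature at all.
UNRESTRICTED_FEATURES = {"crypt-hash-md5", "crypt-hash-sha-256", "crypt-hash-sha-512"}
NTP_FEATURES = {"crypt-hash-sha-256", "crypt-hash-sha-512"}

# Constructed sample values with the right shape for each form (not real keys).
MD5_KEY = "$1$saltsalt$" + "a" * 22
SHA256_KEY = "$5$rounds=5000$saltsalt$" + "b" * 43
SHA512_KEY = "$6$saltsalt$" + "c" * 86


def validate_crypt_hash(value, supported_features):
    """Validate one crypt-hash leaf value against the typedef pattern and the
    features the server advertises. Returns (accepted, reason)."""
    form = CRYPT_HASH_FORMS.get(value[:3])
    if form is None:
        return False, "unknown crypt-hash prefix"
    feature, pattern = form
    if not pattern.fullmatch(value):
        return False, "value does not match the crypt-hash pattern"
    if feature is not None and feature not in supported_features:
        return False, f"form requires feature {feature}, which is not advertised"
    return True, "ok"


def audit_keys(keys, supported_features):
    """Return {key_id: reason} for every configured key a server with the given
    features would have to reject; an empty dict means the config is clean."""
    rejected = {}
    for key_id, value in keys.items():
        accepted, reason = validate_crypt_hash(value, supported_features)
        if not accepted:
            rejected[key_id] = reason
    return rejected
```

Running `audit_keys({1: MD5_KEY, 2: SHA512_KEY}, NTP_FEATURES)` flags key 1 only, while the same call with `UNRESTRICTED_FEATURES` flags nothing, which is exactly the ambiguity the message raises.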