IETF Logo Mail Archive

Re: [Ntp] [EXT] Consensus call: NTPv5 and supported modes

Danny Mayer <mayer@pdmconsulting.net> Sun, 02 July 2023 15:42 UTC

Return-Path: <mayer@pdmconsulting.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC707C1516F3 for <ntp@ietfa.amsl.com>; Sun, 2 Jul 2023 08:42:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PwdTPRbP3lV4 for <ntp@ietfa.amsl.com>; Sun, 2 Jul 2023 08:42:56 -0700 (PDT)
Received: from chessie.everett.org (chessie.fmt1.pfcs.com [66.220.13.234]) by ietfa.amsl.com (Postfix) with ESMTP id 20D89C151078 for <ntp@ietf.org>; Sun, 2 Jul 2023 08:42:51 -0700 (PDT)
Received: from [IPV6:2600:4040:57a0:5000:d0a:583d:9db1:1cf9] (unknown [IPv6:2600:4040:57a0:5000:d0a:583d:9db1:1cf9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4QvCxQ4dw2zMQkl for <ntp@ietf.org>; Sun, 2 Jul 2023 15:42:50 +0000 (UTC)
Message-ID: <5434c9a1-388b-f281-5434-dddbf8747592@pdmconsulting.net>
Date: Sun, 02 Jul 2023 11:42:49 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.12.0
Content-Language: en-US
To: ntp@ietf.org
References: <72794CC8-DC52-4F1D-B5A9-8A9FBFB0750D@gmail.com> <c2a6a80754d54cadbb1046a80d76d3c7@ukr.de> <CAPz_-SWv-Ba9O8-B7qKzp5gJB6fcY8FxFuHTJtNKBGLirQDhpw@mail.gmail.com>
From: Danny Mayer <mayer@pdmconsulting.net>
In-Reply-To: <CAPz_-SWv-Ba9O8-B7qKzp5gJB6fcY8FxFuHTJtNKBGLirQDhpw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/53AL4fyk6JB7y9auKxGKLJU7lwc>
Subject: Re: [Ntp] [EXT] Consensus call: NTPv5 and supported modes
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Jul 2023 15:42:59 -0000

On 6/30/23 5:05 AM, David Venhoek wrote:
> I am of the opinion that we should not include the modes 1, 2 and 5,
> based on the following arguments (in order of importance):
There are a lot of assumptions made here which are probably not valid.
>   - They are known to be vulnerable (about 50% of all ntp reference
> implementation vulnerabilities over the past years came from these
> modes alone, and I for one am not convinced that they are in any way
> securely usable today).

What evidence to you have of this and which modes do you think that they 
apply to? Certainly modes 1 and 2 are able to use the same security as 
modes 3 and 4.

There are ways of dealing with mode 5 (broadcast and multicast) and I 
seem to remember that autokey works for that. Yes, I know that autokey 
is vunerable but it means that there are ways to deal with it.

>   - There seems to be limited interest in working towards fixes for
> their vulnerability, and I have not seen concrete ideas as to how.
I don't know what that means. See above.
>   - The use cases for these modes have reasonable alternatives
> available today: dhcp can distribute the address of an ntp server as
> replacement for mode 5, and mutual client-server connections can be
> used in the same situations as modes 1/2 (if needed with configuration
> settings in the implementation for special algorithmic treatment).
That not a substitute for multicast and cannot handle changes in servers 
sending multicast packets. Furthermore many servers have fixed IP 
addresses and do not use dhcp.
>   - Removing them would significantly simplify both the NTPv5 standard
> and the process of creating it.
Simplication of a standard is not a goal merely because it's easier.
>   - They are already not supported in 2 of the 4 major implementations
> (ntpsec, ntpd-rs), and only partially in a 3rd (chrony).
That's irrelevant since it ignores the many systems that use it today.
>
> I would prefer we mark them as obsolete/deprecated or something like
> that, as I don't see a realistic path to getting them to the point
> where the security concerns are going to be allayed, but am willing to
> leave them open as potential future extensions to NTPv5.
No. The NTP reference implementation will continue to support them and 
it is straightforward to implement NTS for modes 1 and 2. Mode 5 will 
probably need additional work. I need to remind everyone of Jason 
Anderson's work on needing Broadcast mode (though I would change this to 
Multicast since Broadcast is not available in IPv6).
> On the idea that this might inhibit adoption, I am not convinced of
> that. Based on contacts I have had through the ntpd-rs project with
> users, these modes are not among the missing features people seem
> interested in. I know there have been claims that this is absolutely
> critical for some users, but we have not seen anything concrete as to
> for whom and why, and I am therefore not inclined to take those claims
> seriously.
>
> Kind regards,
> David Venhoek
>
> On Thu, Jun 29, 2023 at 3:13 PM Windl, Ulrich <u.windl@ukr.de> wrote:
>> Hi!
>>
>> On " Should NTPv5 additionally support also the modes 1, 2 and 5 known from NTPv4?": If not, what should the document say about those? Obsolete? An extension?
>> IMHO being too restrictive may delay adoption or acceptance of NTPv5 after it is available.
>>
>> Kind regards,
>> Ulrich Windl
>>
>>
>> -----Original Message-----
>> From: ntp <ntp-bounces@ietf.org> On Behalf Of Dieter Sibold
>> Sent: Wednesday, June 28, 2023 9:53 PM
>> To: NTP WG <ntp@ietf.org>
>> Subject: [EXT] [Ntp] Consensus call: NTPv5 and supported modes
>>
>> Dear all,
>>
>> at IETF 116 we decided to have two consensus calls regarding the content of the NTPv5 requirement draft. These are consensus calls that we would like to conduct to help progress the NTPv5 requirements document (https://datatracker.ietf.org/doc/draft-ietf-ntp-ntpv5-requirements/). Both consensus calls will run until July 21st 2023 and will be discussed at the next NTP wg meeting at IETF 117 in San Francisco.
>>
>> The first consensus call (the second comes in a follow up mail):
>>
>> Regarding supported modes:
>>
>> Currently, the NTPv5 requirement draft considers a client-server communication mode only. Should NTPv5 additionally support also the modes 1, 2 and 5 known from NTPv4?
>>
>>
>> Greetings
>> Karen and Dieter
>>
>>
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email