Re: [Ntp] NTP Security (was NTPv5: big picture)

Watson Ladd <watsonbladd@gmail.com> Sun, 17 January 2021 00:43 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 16 Jan 2021 16:43:21 -0800
To: Kurt Roeckx <kurt@roeckx.be>
Cc: James Browning <jamesb.fe80@gmail.com>, NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/5AmgOAxoAkhEdTvrikyx_pGdZpE>

On Sat, Jan 16, 2021 at 3:35 PM Kurt Roeckx <kurt@roeckx.be> wrote:
>
> On Sat, Jan 16, 2021 at 02:49:33PM -0800, James Browning wrote:
> > On Sat, Jan 16, 2021, at 11:02 AM Watson Ladd <watsonbladd@gmail.com> wrote:
> >
> > > I'd like to see some input from people who operate the pool on what
> > > solutions would work for them. Right now we're sort of flying blind.
> > > Perhaps we can discuss at IETF 110?
> > >
> >
> > Only a user of the pool, but I basically see three ways to manage that.
> > 1) Have the pool serve up SRV records and rewrite the pool code, the spec,
> > and clients to compensate.
>
> I think if we want to do it with DNS, it would require DNSSEC, and
> that the client validates DNSSEC.

I neglected to mention my now expired
https://datatracker.ietf.org/doc/draft-ladd-nts-for-ntp-pool/ as an
example of this approach.
>
> > 2) Have the pool run a common NTS-KE server for all NTS servers in the pool.
>
> As far as I understand things, that would not be a good idea.

Agreed. The key management and synchronization in such a system is a pain.

>
> > 3) Convince TLS certificate vendors to sell IP based certificates.

I have some issues with this rather not fleshed out proposal. Please
feel free to tell me I am completely misunderstanding it.

My first concern is that there is no easy analogue of DCV to perform
in the IP based certificate setting. SNI based shared hosting is the
most problematic case, and dooms the obvious techniques. This makes
for a big barrier to adoption. The second issue is that this does
little to secure the delegation from the pool to the server: an
attacker who legitimately controls an IP address can forge the DNS
response. This can be solved through DNSSEC and dynamically signing
the response, but then option 1 is equally easy.  Plus the pool can
generate names for the IPs for ACME to use.

>
> There are CAs that sell this.
>
> > I am not particularly fond of any. Someone should find a fourth way.
>
> Open a TLS connection to ask for servers, get a list of hostnames.

This has some interesting advantages.

>
>
> Kurt

--
Astra mortemque praestare gradatim
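To make the fourth option in this thread concrete (Kurt's "open a TLS connection to ask for servers, get a list of hostnames"), here is an added example that is not part of the thread and not the pool project's code. It assumes a design detail the thread leaves open: the pool operator exposes an HTTPS endpoint `/servers` that returns a JSON array of hostnames. The directory server runs in-process with a self-signed certificate from `httptest`, and the hostnames are constructed sample values, not real NTS servers. The point it shows is where the trust sits: the delegation from pool to server is authenticated by the TLS handshake with the directory, so a client whose trust store does not contain the directory's certificate learns nothing, whereas a plain DNS answer (option 1 without DNSSEC) or an IP-based certificate (option 3) does not bind the server list to the pool operator.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed sample: hostnames the hypothetical pool operator delegates to.
// These are placeholders, not real NTS servers.
var samplePoolHosts = []string{
	"nts1.example.net",
	"nts2.example.net",
	"nts3.example.org",
}

// StartPoolDirectory starts an in-process HTTPS server standing in for the
// pool operator's discovery endpoint (an assumed design, see lead-in). It
// answers GET /servers with a JSON array of hostnames. httptest generates a
// self-signed certificate; the returned server's Client() trusts it, and a
// client with other trust roots does not.
func StartPoolDirectory(hosts []string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/servers", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(hosts)
	})
	return httptest.NewTLSServer(mux)
}

// FetchServerList asks the directory, over TLS, which hostnames it delegates
// to. The certificate verification performed by the client's transport is
// what authenticates the delegation: a forged DNS answer for the directory
// name cannot yield a certificate the client trusts, so the handshake fails
// before any hostname list is accepted.
func FetchServerList(client *http.Client, directoryURL string) ([]string, error) {
	resp, err := client.Get(directoryURL + "/servers")
	if err != nil {
		return nil, fmt.Errorf("directory fetch failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("directory returned status %d", resp.StatusCode)
	}
	var hosts []string
	if err := json.NewDecoder(resp.Body).Decode(&hosts); err != nil {
		return nil, fmt.Errorf("bad server list: %w", err)
	}
	if len(hosts) == 0 {
		return nil, errors.New("directory returned no servers")
	}
	return hosts, nil
}

// UntrustingClient models a client whose trust store does not contain the
// directory's certificate (an empty root pool); its handshake must fail.
func UntrustingClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: x509.NewCertPool()},
		},
	}
}

func main() {
	dir := StartPoolDirectory(samplePoolHosts)
	defer dir.Close()

	hosts, err := FetchServerList(dir.Client(), dir.URL)
	fmt.Println("trusted client:", hosts, err)

	_, err = FetchServerList(UntrustingClient(), dir.URL)
	fmt.Println("untrusting client:", err)
}
```

The step that follows, an NTS-KE exchange with each returned hostname, is not shown; what the example isolates is that once the client holds hostnames rather than bare IP addresses, each server can present an ordinary name-based certificate, and the pool's choice of servers is covered by the pool's own TLS identity rather than by DNS.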