Re: [Ntp] Symmetric mode

Miroslav Lichvar <mlichvar@redhat.com> Mon, 19 September 2022 09:02 UTC

Date: Mon, 19 Sep 2022 11:01:53 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Hal Murray <halmurray@sonic.net>
Cc: Danny Mayer <mayer@pdmconsulting.net>, "ntp@ietf.org" <ntp@ietf.org>
Message-ID: <YygwAeTMeSHXXk6t@localhost>
References: <mayer@pdmconsulting.net> <796c33e6-02dc-0665-c8a2-a143f9100bdd@pdmconsulting.net> <20220919024614.4AB8328C1E2@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
MIME-Version: 1.0
In-Reply-To: <20220919024614.4AB8328C1E2@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/5FJbC9g6BIaGfP4nDa7u2E13wo8>
Subject: Re: [Ntp] Symmetric mode

On Sun, Sep 18, 2022 at 07:46:14PM -0700, Hal Murray wrote:
> Is symmetric mode interesting enough that we should try to fix that?  If so, 
> would you please say a few words about why it is interesting?

It's not very useful. I think the most interesting thing about it is
that sources using the symmetric mode are marked differently in tools
like ntpq, so it's more obvious to the admin that synchronization can
work in both directions.

At the protocol level it's just trouble. It's difficult to implement
if you want to handle all the corner cases and difficult to secure.
The main problem is that there is no response for each request, so the
peers have to select to which request they respond, i.e. guess which
one was genuine. Authentication with a symmetric key doesn't prevent
a replay attack.

There are ephemeral associations, where only one peer is configured
with the address of the other peer. This enables attackers to replay an
authenticated message to create an unlimited number of associations on
the peer. In the ntp.org implementation there is a possibility to
limit keys to IP addresses to prevent that, but in that case it's
easier to just specify the address directly as a peer in the
configuration file and you don't have to worry about associations
created on different ports of the address.

-- 
Miroslav Lichvar
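The association-growth problem described in the message above, as an added worked model (not code from the mail or from any NTP implementation): a toy peer keeps an association table keyed by source (IP, port), accepts a packet only if its MAC verifies under a shared key, and can be run in three configurations that mirror the mail: ephemeral associations open to anyone holding a valid message, a key limited to one IP address (the ntp.org option mentioned), and the peer address given directly in the configuration with ephemeral associations disabled. The packet layout, key, addresses and the Peer/replay_model/demo names are all constructed for the example; real NTP packets and key files look different.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed demo key (not from any real deployment); key id 1.
KEYS = {1: b"constructed-demo-key"}
MODE_SYMMETRIC_ACTIVE = 1


def mac(key: bytes, body: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the packet body (simplified, not NTP's exact MAC)."""
    return hmac.new(key, body, hashlib.sha256).digest()[:20]


def build_packet(mode: int, xmt: int, key_id: int) -> bytes:
    """Toy packet: mode byte, 64-bit transmit timestamp, key id, then the MAC."""
    body = struct.pack("!BQ", mode, xmt)
    return body + struct.pack("!I", key_id) + mac(KEYS[key_id], body)


def parse_packet(pkt: bytes):
    body = pkt[:9]
    mode, xmt = struct.unpack("!BQ", body)
    (key_id,) = struct.unpack("!I", pkt[9:13])
    return mode, xmt, key_id, body, pkt[13:]


@dataclass
class Peer:
    configured: set = field(default_factory=set)   # (ip, port) peers from the config file
    allow_ephemeral: bool = True                    # accept associations from unconfigured sources
    key_to_ip: dict = field(default_factory=dict)   # key_id -> the one IP the key is limited to
    assocs: dict = field(default_factory=dict)      # (ip, port) -> last transmit timestamp seen

    def receive(self, src, pkt: bytes) -> str:
        ip, _port = src
        mode, xmt, key_id, body, tag = parse_packet(pkt)
        key = KEYS.get(key_id)
        if key is None or not hmac.compare_digest(mac(key, body), tag):
            return "bad_auth"
        # A valid MAC says nothing about who sent the bytes; the key/IP limit is the
        # only thing here that ties the message to an address.
        if key_id in self.key_to_ip and self.key_to_ip[key_id] != ip:
            return "key_not_valid_for_address"
        if src in self.assocs:
            self.assocs[src] = xmt
            return "existing"
        if src in self.configured:
            self.assocs[src] = xmt
            return "configured"
        if mode != MODE_SYMMETRIC_ACTIVE or not self.allow_ephemeral:
            return "ignored"
        self.assocs[src] = xmt
        return "new_ephemeral"


def replay_model(peer: Peer, genuine_src, other_sources) -> int:
    """Deliver one genuine authenticated packet, then the identical bytes from each other
    source (the replay the mail describes); return how many associations the peer now holds."""
    pkt = build_packet(MODE_SYMMETRIC_ACTIVE, 0x1234_5678_9ABC_DEF0, 1)
    peer.receive(genuine_src, pkt)
    for src in other_sources:
        peer.receive(src, pkt)
    return len(peer.assocs)


# Constructed addresses from documentation ranges.
GENUINE = ("192.0.2.10", 123)
SAME_IP_OTHER_PORTS = [("192.0.2.10", p) for p in range(40000, 40050)]
OTHER_IPS = [(f"198.51.100.{i}", 123) for i in range(1, 51)]


def demo() -> dict:
    sources = OTHER_IPS + SAME_IP_OTHER_PORTS
    results = {}
    # 1) key not limited, ephemeral allowed: every replay source gets its own association
    results["open"] = replay_model(Peer(configured={GENUINE}), GENUINE, sources)
    # 2) key limited to the peer's IP: other IPs rejected, other ports of that IP still accepted
    results["key_bound_to_ip"] = replay_model(
        Peer(configured={GENUINE}, key_to_ip={1: "192.0.2.10"}), GENUINE, sources)
    # 3) address configured as a peer and ephemeral associations disabled: table stays at one
    results["configured_peer_only"] = replay_model(
        Peer(configured={GENUINE}, allow_ephemeral=False), GENUINE, sources)
    return results


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} association(s)")
```

Running demo() gives 101 associations in the open configuration, 51 when the key is limited to one IP (the 50 replays from other ports of that IP still get through, which is the point the mail makes about ports), and 1 when the peer is configured explicitly and ephemeral associations are off. The limit that matters for the table size is not the MAC but the policy on which sources may create state.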