Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kaduk's Discuss on draft-ietf-ntp-mode-6-cmds-09: (with DISCUSS and COMMENT)
Harlan Stenn <stenn@nwtime.org> Mon, 31 August 2020 09:44 UTC
Return-Path: <stenn@nwtime.org>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34CCD3A1191; Mon, 31 Aug 2020 02:44:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.848
X-Spam-Level:
X-Spam-Status: No, score=-2.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.948, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNO8SQaYmzHm; Mon, 31 Aug 2020 02:44:00 -0700 (PDT)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4BFB3A1195; Mon, 31 Aug 2020 02:44:00 -0700 (PDT)
Received: from [10.208.75.157] (075-139-194-196.res.spectrum.com [75.139.194.196]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4Bg4z10NYTzL7p; Mon, 31 Aug 2020 09:43:55 +0000 (UTC)
To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, Hal Murray <hmurray@megapathdsl.net>
Cc: "ntp@ietf.org" <ntp@ietf.org>, odonoghue@isoc.org, kaduk@mit.edu, "ntp-chairs@ietf.org" <ntp-chairs@ietf.org>, draft-ietf-ntp-mode-6-cmds@ietf.org, The IESG <iesg@ietf.org>
References: <20200829084626.C0F2E40605C@ip-64-139-1-69.sjc.megapath.net> <b262735b-19fb-21ba-891f-5de33ab2a488@nwtime.org> <5F4CC110020000A10003B016@gwsmtp.uni-regensburg.de>
From: Harlan Stenn <stenn@nwtime.org>
Autocrypt: addr=stenn@nwtime.org; keydata= mQGNBFI2xmQBDACrPayw18eU4pIwCvKh7k0iMkAV9cvzs49kBppM+xoH+KKj4QWmkKELD39H ngQnT3RkKsTLlwxyLqPdUmeQNAY2M5fsOK+OF6EvwLPK9hbmE3Wx2moX+sbEUxJ2VzFhKSKb OPZALXwk1XxL0qBedz0xHYcDwaSAZZkEFXURv2pDIdrmnoUnq2gdC8GpoFJiXoUaCLSYzzaY ac4Njw7Mue8IqfzRQb70aMjXl/qmsmfmEVAyGXywDdc/ler4XSgiuYOV7Kf69bj9PFZZSMdJ MWgEyZH6lJ0TU5ccR2zp5ZRmWzQQkxJMyH2th7q0Nmz3aX4A0K4yE0Ba9/5Dr7ctpF15BrMF aEo4s5lwI6tUnkgMWo265mMzCz4mAPV/ac0w0OXQg7r9E2r0+dRapnzUlG43D0JLDqDr9uRR L6IrRQqoCWUC75lfmPYQYSlaTJaK68r3lXd0z1cXJUgVtEL5H3/Z71R2B20twcQVAnw2iIH6 L5vdrsIjHrMmkqRVbs9nNyEAEQEAAbQ5SGFybGFuIFN0ZW5uIChOZXR3b3JrIFRpbWUgRm91 bmRhdGlvbikgPHN0ZW5uQG53dGltZS5vcmc+iQG5BBMBAgAjBQJSNsblAhsvBwsJCAcDAgEG FQgCCQoLBBYCAwECHgECF4AACgkQyIwAt1pH+kBlzgv/QOg70vdj8wU/z97UPdlbxtN4THAB gfSX4N0VPKT5fjX1tFhuXZQAOv7wedR3Trh7TGteyg33TBAFf9A42mXZKi1IxAiQG118Hd8I 51rXwnugURIYQaIyQI+vbchRbwVyz+mVLTI/h6FdbsVzT4UFmir+ZMkb/XeZPu0HItk4OZHE 6hk+TuTiCnlqlCPLq371fXV54VOb91WZYD8EQFtK02QHGHsQqWvapdphiDVpYehmsPyiTESq NMKLVtjtyPkQ6S7QF3slSg+2q3j8lyxEA78Yl0MSFNU8B/BtKgzWP2itBOfi+rtUKg+jOY1V /s2uVk2kq2QmHJ/s5k5ldy3qVvoTpxvwBe0+EoBocTHYt+xxp0mTM6YY1xLiQpLznzluqg9z qtejX1gZOF4mgLiBIrhXzed3zsAazhTp5rNb1kn0brZFh6JC5Wk941eilnA4LqX8AWo0lmwo eb+mpwZK/5lNdage/anpVqft9wJ/8EcvST9TLUO4fPrmT3d/0LpWuQGNBFI2xmQBDADXLsBk I7CSa5UXlrNVFJQHER1VxRBKqjWWCh/8Qv9v3p3NrIc2UnhoZ1uWQ2voBGty5Xfy9k4afV5k WwDyRDUIb7PX+Tj4HjVVr7qvnOVe/0KzZpNq0Azd0ggFbsM+8mydktHIwJykW0NUsGwPRYuD OA0Lro0ohb5IiCt3sSQi1X1hYjo7O1Vmn8Gy/XYOnhnMux+5zDPO2yTkCNX5PocYi9IJJy6p Mq1yQV4Y2Dl8KtQzvtq55vCUxx6n0MMzFViGwNW6F4ge9ItO4tDScsgowDrHa208ehwOpv/i wjf93lCClQ6vaKmOBX872K/tdY/hwhxPPjgl1bcrOwMRYVemOPPehwnXH5bwclk1hvDQdkJQ 5pJOkE4VCryTF/iDAt4g2QnHocUwt3b6/ChUUWmj2GZ22OR12rbnCtLedwp0DpViKPUCQHBO vpgXdzE/L9zWar9fqM0EREMgfWbsJc9028qluCcFLIN1gYsq4cC+YGAcOu7HOI5orBBV4m9j XfsAEQEAAYkDPgQYAQIACQUCUjbGZAIbLgGpCRDIjAC3Wkf6QMDdIAQZAQIABgUCUjbGZAAK CRDfCQ/G52/8P/uWDACe7OEM+VETDRqjQgAwzX+RjCVPvtgrqc1SExS0fV7i1mUUxr/B8io3 Y1cRHFoFKmedxf8prHZq316Md5u4egjFdTT6ZqEqkK0hvv+i0pRpCa5EX9VIStcJStomZp8F cY34grA+EOWITaLQ4qNZUP7rf2e7gq1ubQTj7uLr6HZZvMZ5em+IvrOWEuWDI6yOiI6px04w RDfkoR2h6kgdw4V0PT4NjK9WYYKrVCf1bjLlVImNBEcXfvlUTrIYO8y6ptvoUsBQky5pQRvP 99Pn42WfyLy50aII6+vyudD4T0yLjXAz4KteUttxtIte64m/F9/7GEIZAxTUcLyOq/7bP4le h39jBckwc62iYzeK/VkU/bMMh2D68Z3QylMnhhcW27BcgQHPKsHhmFa2SNytYcuQiSdf9+pj 4i32ETz1nJAvYAAqgTF/0PL+8ZNQoEpe/n9woMKrlZrqD4EgFmhQ3bNVhlaXz1nuTZDrwPt1 yMxBuUNbCF4jFnaruwrSiGTRoIfUZQwAjQglahrV4/mcjfnvbNoseHX0PKd9q+wjg7MIjWqr f2CI8Fa6MdanqwYphz43I2yXANKFZuMWsWqyQYlvGuPUlUUcAL3stp24RkzDB1Q+JS0IZJST T2JSu0aTfUdWVNqr2UI19eX+zxbOTckSi3Ng14ezG8ZX194ZH10b8JzntQOwmA20pd5JDhug zQfASER+CZDiPPcQ4mvC4y7rMrfV6XGQbDynC3ekDxo8SC5SvjaczXMwXg6SZ8iFtEWmEwW9 r7zPjjIPDrX8w5LXBgxArM5o/HbERpc2EdAvMh1D7LC0SvmoE7fBKxsicVBe4h6vXjEZ+LLr /wuZiBld9OnxAUIpwptbBspO6WKTQYvgFH2OeDG27hiE5P4Xs4WSp5j9ez8OVB1iZnA2nCQ+ tNTjO8c+C/P92vPLx5+bpGRXTXMNaLh34PS3ZsYoUDkKZNhczRZUWJ7nynSbeeyF+QW7SLwA qY7O7dyk9LFTsfJqRQJ7tWnIAjJPCwmSgQ8Kl0UJ
Message-ID: <9c3915b5-5911-f472-393c-7d7e85ff03d9@nwtime.org>
Date: Mon, 31 Aug 2020 02:43:52 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <5F4CC110020000A10003B016@gwsmtp.uni-regensburg.de>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/5OEvWdgMsIT0f5oV_QjjxA6TTFk>
Subject: Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kaduk's Discuss on draft-ietf-ntp-mode-6-cmds-09: (with DISCUSS and COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2020 09:44:05 -0000
On 8/31/2020 2:21 AM, Ulrich Windl wrote: >>>> Harlan Stenn <stenn@nwtime.org> schrieb am 29.08.2020 um 11:47 in Nachricht > <b262735b-19fb-21ba-891f-5de33ab2a488@nwtime.org>: >> On 8/29/2020 1:46 AM, Hal Murray wrote: >>> >>> Ulrich.Windl@rz.uni-regensburg.de said: >>>> While many decisions in the past were made to keep up backwards >>>> compatibility, the encryption type is set up indirectly vie the ntp.keys >>>> file. However (AFAIR) the file is not part of the NTP specification, so for >>>> the on-wire protocol there's no change to get the encryption type. One might >>>> guess, however. >>> >>>> Probably this was an omission after the only encryption type (DES) had been >>>> extended to allow MD5 also (in NTPv3 AFAIR). The later on it was still >>>> forgotten. >>> >>> No, it's not an omission. There is no need for the encryption type to be on >> >>> the wire. The admins for the client and server agree on the type while they >> >>> are agreeing on the key and keyid. >> >> It's not an omission, and that the encryption type is not part of the >> on-wire protocol is a clear feature. >> >>> The backwards compatibility was just good luck. >> >> I don't understand. Backward compatibility? Good luck? >> >> The NTP MAC is the stuff after the base packet and any EFs. >> >> It is comprised of a 32-bit (4 octet) keyid and a digest payload. >> >> This digest payload can be a number of different sizes. RFC5905 talks >> about the size needed for an MD5 digest. Other digests and other digest >> sizes are perfectly acceptable. >> >>>> Actually I don't understand the part: "The client and server or peer can use >>>> different values, but they must map to the same key." >>> >>> I think it's a bug. >> >> I don't know anybody who is using one keyid for authenticating from A to >> B, and a different keyid for authenticating from B to A. But there's no >> reason that should not be permitted. I don't even believe there should >> be a requirement that this case MUST map to the same key. > > However as not even the reference implementation supports it (AFAIK) (and I guess nobody else), so why make that statement. > Are you saying for "server server1 key 123" server1 is receiving queries authenticated with key 123, but is allowed to send replies using any different key, and that response is OK? That would mean if one key is disclosed, an attacker could send bogus responses using that key, right? I'm not saying anything about it, because that would be taking a stand on behavior outside the scope of an informational specification. You and I seem to be the minority of people who believe this document should be a full-on Standards document that tackles these issues, however. -- Harlan Stenn <stenn@nwtime.org> http://networktimefoundation.org - be a member!
- [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-… Benjamin Kaduk via Datatracker
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Hal Murray
- [Ntp] Antw: [EXT] Benjamin Kaduk's Discuss on dra… Ulrich Windl
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Ntp] Antw: [EXT] Benjamin Kaduk's Discuss on… Benjamin Kaduk
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Hal Murray
- [Ntp] Antw: [EXT] Re: Benjamin Kaduk's Discuss on… Ulrich Windl
- [Ntp] Antw: Antw: [EXT] Re: Benjamin Kaduk's Disc… Ulrich Windl
- [Ntp] Antw: Antw: [EXT] Re: Benjamin Kaduk's Disc… Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: Benjamin Kaduk's Discus… Hal Murray
- Re: [Ntp] Antw: [EXT] Re: Benjamin Kaduk's Discus… Harlan Stenn
- [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kaduk's … Ulrich Windl
- [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kaduk's … Ulrich Windl
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Harlan Stenn
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Harlan Stenn
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Miroslav Lichvar
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Harlan Stenn
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Miroslav Lichvar
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Harlan Stenn
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Miroslav Lichvar
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Hal Murray
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kadu… Harlan Stenn