Re: [Ntp] NTP Security (was NTPv5: big picture)

FUSTE Emmanuel <emmanuel.fuste@thalesgroup.com> Mon, 18 January 2021 09:29 UTC

From: FUSTE Emmanuel <emmanuel.fuste@thalesgroup.com>
To: "ntp@ietf.org" <ntp@ietf.org>
Thread-Topic: [Ntp] NTP Security (was NTPv5: big picture)
Thread-Index: AQHW4Q/PCWcm9A+sZEOhE3CV1WddQKoqoWYAgAA/bYCAAkUyAA==
Date: Mon, 18 Jan 2021 09:29:46 +0000
Message-ID: <0d7143fc-3e37-04f5-d0b1-385eac80d219@thalesgroup.com>
References: <rsalz@akamai.com> <993FEEB5-F498-472E-813E-E684E273612F@akamai.com> <20210102050501.7D0DE40605C@ip-64-139-1-69.sjc.megapath.net> <26A97601-BEB4-4914-B570-6C8BD9C72FAD@akamai.com> <CACsn0cm=d3z+ceTDMaw2LDHg_AeNoxbs411iEFNpGpnWcyvZvw@mail.gmail.com> <CAFTY+dAMNZF_qPbzo2Fsj1LtF5+s-cze5s52rxBZSk6ofzG9gQ@mail.gmail.com>
In-Reply-To: <CAFTY+dAMNZF_qPbzo2Fsj1LtF5+s-cze5s52rxBZSk6ofzG9gQ@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/5q5iXDxRYbEnNEE91yPKVJqStBw>
Subject: Re: [Ntp] NTP Security (was NTPv5: big picture)

On 16/01/2021 at 23:49, James Browning wrote:
> On Sat, Jan 16, 2021, at 11:02 AM Watson Ladd <watsonbladd@gmail.com> wrote:
>
>     I'd like to see some input from people who operate the pool on what
>     solutions would work for them. Right now we're sort of flying blind.
>     Perhaps we can discuss at IETF 110?
>
>
> Only a user of the pool, but I basically see three ways to manage that.
> 1) Have the pool serve up SRV records and rewrite the pool code, the 
> spec, and clients to compensate.
> 2) Have the pool run a common NTS-KE server for all NTS servers in the 
> pool.
> 3) Convince TLS certificate vendors to sell IP based certificates.
>
Or start to discuss a DANE usage for NTS.
Basically use DANE-EE or TA certificate usage.
Or the pool could use its own specialized PKI for the pool participants 
with DANE-TA.

I think the simplest and most flexible would be the EE in the pool 
hierarchy. The validity of the certificate is only tied to the validity 
of the DNSSEC signature of the TLSA record.
And all bootstrapping problems could be solved with CD / DO flag 
controls and validation back-checking with the first returned time of day.

Even outside the pool context, a specified DANE usage for NTS would be very 
valuable.

Emmanuel.
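As an added example (not code from this thread, from NTS implementations or from the pool project), the two checks the message sketches for a client: matching an NTS-KE server's certificate against a DANE-EE (usage 3) or DANE-TA (usage 2) TLSA record per RFC 6698, and re-checking the RRSIG validity window once the first NTP exchange has produced a trusted time. It assumes the client has already fetched the TLSA RRset for `_4460._tcp.<ntske-host>` (4460 being the NTS-KE port from RFC 8915) with the DO bit set, and that a TLS library has handed it the DER bytes of the presented certificate and of its SubjectPublicKeyInfo; certificate parsing is left to that library, and all sample bytes and timestamps below are constructed.

```python
"""TLSA (DANE) matching for an NTS-KE certificate plus the RRSIG clock-window
re-check.  Added example for this thread, not code from any NTS or pool project;
assumes cert/SPKI DER bytes come from a TLS library and uses constructed samples."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 6698 field values; only usages 2 and 3 avoid the public CA, which is the point above
USAGE_DANE_TA = 2      # record names a trust anchor somewhere in the presented chain
USAGE_DANE_EE = 3      # record names the end-entity certificate itself
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSA":
        # RDATA: three one-octet fields followed by the association data
        if len(rdata) < 4:
            raise ValueError("TLSA RDATA too short")
        usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
        return cls(usage, selector, mtype, rdata[3:])

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        # Zone-file form, e.g. "3 1 1 8a9f..."; the hex may be split by whitespace
        parts = text.split()
        if len(parts) < 4:
            raise ValueError("need usage, selector, matching type and data")
        usage, selector, mtype = (int(p) for p in parts[:3])
        return cls(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))

    def to_wire(self) -> bytes:
        return struct.pack("!BBB", self.usage, self.selector, self.matching_type) + self.data


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute what a TLSA record with this selector/matching type must carry."""
    if selector == SELECTOR_FULL_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == MATCH_EXACT:
        return subject
    if mtype == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE: pass the server's own certificate.  DANE-TA: call once per issuer
    certificate in the chain; a hit names the anchor the chain must validate up to."""
    if record.usage not in (USAGE_DANE_TA, USAGE_DANE_EE):
        return False   # usages 0/1 (PKIX-TA/PKIX-EE) still need normal CA validation
    expected = association_data(cert_der, spki_der, record.selector, record.matching_type)
    return hmac.compare_digest(expected, record.data)


def rrsig_window_ok(inception: int, expiration: int, now: int) -> bool:
    """The bootstrap back-check: a client with no trusted clock queries with CD
    set, accepts the TLSA RRSIG provisionally, then re-checks its window against
    the time from the first NTP exchange.  Times are POSIX seconds as in RRSIG;
    real validators use RFC 4034 serial-number arithmetic for the 2106 wrap."""
    return inception <= now < expiration


def demo() -> dict:
    """Constructed run: publish a '3 1 1' record for a sample key, then check a
    good key, a swapped key, wire round-trip and the clock window."""
    cert_der = b"constructed DER certificate bytes"
    spki_der = b"constructed DER SubjectPublicKeyInfo bytes"
    digest = association_data(cert_der, spki_der, SELECTOR_SPKI, MATCH_SHA256)
    zone_line = f"3 1 1 {digest.hex()}"
    record = TLSA.from_presentation(zone_line)
    return {
        "zone_line": zone_line,
        "good_key": tlsa_matches(record, cert_der, spki_der),
        "swapped_key": tlsa_matches(record, cert_der, b"some other SPKI"),
        "roundtrip": TLSA.from_wire(record.to_wire()) == record,
        # constructed RRSIG inception/expiration around a sample NTP-derived time
        "window_ok": rrsig_window_ok(1_610_000_000, 1_611_000_000, 1_610_962_186),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With usage 3 the record alone authenticates the server, so the certificate's own notBefore/notAfter and issuer become irrelevant and only the DNSSEC signature window matters, which is exactly why the clock back-check has to happen after the first time exchange rather than before.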