Re: [Ntp] Secdir last call review of draft-ietf-ntp-mode-6-cmds-08
Karen O'Donoghue <kodonog@gmail.com> Sun, 14 June 2020 04:10 UTC
Return-Path: <kodonog@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1C463A0A12; Sat, 13 Jun 2020 21:10:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XchjckqD7PU1; Sat, 13 Jun 2020 21:10:33 -0700 (PDT)
Received: from mail-qk1-x742.google.com (mail-qk1-x742.google.com [IPv6:2607:f8b0:4864:20::742]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7519D3A0A07; Sat, 13 Jun 2020 21:10:33 -0700 (PDT)
Received: by mail-qk1-x742.google.com with SMTP id b27so12745965qka.4; Sat, 13 Jun 2020 21:10:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=content-transfer-encoding:mime-version:subject:from:in-reply-to :date:cc:message-id:references:to; bh=ImSCK+XmR6blbevtYu+d7XAdpWuw2iXIlF2norLnF3k=; b=aA3CwgYobvr3rzQe4jfNhEpHZ3Wz9qWCav4fpblVbXtQJdF4xr4SQAAqn41cwJSM8p AzYp9dQfpLIicKgt8DCrxjTg1Gy6pxbp50ThiDrNNgBpRvaEYtYkKICEiqgbKg3pobn/ WMegyl+RtI46qywwLyTbmjjYyz3SAevS9uj4jAgeC8LNX3u/ro/12YK5v/D1f3I5oN5B BLhWeOYIJtC119VEJRE/bMFDd6+aFy7dQ0fsor8oRaDsj7KTkzaIziU6ca7PLLC3lSyx l153Z4NPkxbxEtsljoZfJttMOxRQ4AwKtIaL3t51C6XbZyDuNslUe+vSu9iK5bo9Ptyh FUng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:mime-version:subject :from:in-reply-to:date:cc:message-id:references:to; bh=ImSCK+XmR6blbevtYu+d7XAdpWuw2iXIlF2norLnF3k=; b=QKeMbrIGXQ7ZPSY3S0qwM4qqrzVmOnHBvixWjYKWt9oFjSHBY84EFolMZB9R4bDvfy /yXFDSScupm9MQpmlsfJQOnjjr7fBz2Bg00OuKmKy6ItfvRRjY4xIvKvMLcLgNE7Ofme eYBWn3nCNsQQsjPmkPDx/LBEoXSdexnhJF6LgAupFXQilHVXOabzSIIndFIuOvxA7MDG dIjhtxaHxl3jMBQ3qKJOU36m1K52ow1KXENWlHfQN0GS/mTKEoDKfgSsX1Gath1+w2DH S2vrjopheTQM9EyfX9iruVyOd3iTZ8sBf4R3j1e6AgLWC5auxDn3i2KK9RqBPC7ZhimA Chtg==
X-Gm-Message-State: AOAM533z284Ai5oGjMD0Y+BIHaRo5cQ3BtGYrBGY611TbRzsdG6nQ8Xk M402r/OmNUjhtYb0nvBVE6xBJw==
X-Google-Smtp-Source: ABdhPJzxjRRMONGzEDDRY6YcIR1+8dyLbZaLyfjUPXWXlIpPO+8dDwmb1Uxv/llO6lbpWJU8RjPPCg==
X-Received: by 2002:a37:9f89:: with SMTP id i131mr9501231qke.243.1592107829826; Sat, 13 Jun 2020 21:10:29 -0700 (PDT)
Received: from [192.168.1.150] (d-173-44-72-18.va.cpe.atlanticbb.net. [173.44.72.18]) by smtp.gmail.com with ESMTPSA id u16sm8430175qkm.107.2020.06.13.21.10.28 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Jun 2020 21:10:28 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Karen O'Donoghue <kodonog@gmail.com>
In-Reply-To: <ea8aff7c-35fa-6d64-3a75-21b31b45a9d9@nwtime.org>
Date: Sun, 14 Jun 2020 00:10:27 -0400
Cc: Brian Haberman <brian@innovationslab.net>, Daniel Franke <dafranke@akamai.com>, secdir@ietf.org, draft-ietf-ntp-mode-6-cmds.all@ietf.org, last-call@ietf.org, ntp@ietf.org
Message-Id: <13D6D5C7-090A-4C68-8F0B-EA6DE18FB1E9@gmail.com>
References: <ea8aff7c-35fa-6d64-3a75-21b31b45a9d9@nwtime.org>
To: Harlan Stenn <stenn@nwtime.org>
X-Mailer: iPad Mail (17E262)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/7EaKGG3PLUuiohGlapVVXuLJIpg>
Subject: Re: [Ntp] Secdir last call review of draft-ietf-ntp-mode-6-cmds-08
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2020 04:10:35 -0000
Folks, All of this was discussed during the development of this document. There was strong working group consensus to not publish as Standards Track. As described, there were concerns about the solution. The working group has gone back and forth between historic and informational. Regards, Karen > On Jun 13, 2020, at 8:27 PM, Harlan Stenn <stenn@nwtime.org> wrote: > > On 6/13/2020 11:15 AM, Brian Haberman wrote: >> Thanks for the review, Daniel. A quick follow-up below for those of you >> playing along at home... >> >>> On 6/13/20 11:18 AM, Daniel Franke via Datatracker wrote: >>> Reviewer: Daniel Franke >>> Review result: Ready >>> >>> I have reviewed this document as part of the security directorate's ongoing >>> effort to review all IETF documents being processed by the IESG. These >>> comments were written with the intent of improving security requirements and >>> considerations in IETF drafts. Comments not addressed in last call may be >>> included in AD reviews during the IESG review. Document editors and WG chairs >>> should treat these comments just like any other last call comments. >>> >>> This document describes a historic protocol whose design falls far short of >>> modern IETF standards. Its myriad issues are well-described in the Security >>> Considerations section. >>> >>> There has been some debate as to whether the appropriate status for this >>> document is Historic or Informational. I believe the currently-intended >>> Historic status is more appropriate. The argument I have heard repeatedly in >>> favor of Informational status is that it is not appropriate to classify a >>> protocol as Historic until a better alternative exists with a published >>> specification. I believe that better alternative exists, which is to have no >>> standard at all. It's perfectly fine for NTP monitoring and management >>> protocols to be vendor-specific. In virtually all legitimate uses ("legitimate" >>> so as to exclude RDoS attacks), both sides of the protocol run on systems >>> managed by the same organization and the need for vendor-specific tools is not >>> a practical issue. Lack of standardization is the already the status quo, since >>> there are many widely-used NTP implementations out there but only the Network >>> Time Foundation implementation and its derivatives (such as NTPsec) support >>> this protocol. I know of nobody who has ever been inconvenienced by this; >>> standardization is a solution in search of a problem. >>> >>> >> >> Interestingly enough, RFC 1305 actually says this... >> >> "Ordinarily, these functions can be implemented using a >> network-management protocol such as SNMP and suitable extensions to the >> MIB database. However, in those cases where such facilities are not >> available, these functions can be implemented using special NTP control >> messages described herein." > > Why is RFC 1305 even being brought up in this situation? > > NTPv3 was updated to NTPv4. > > During that update, mode 6 and mode 7 were inadvertently not included. > > RFC 5905 was developed, as was 5906 and 5907. But mode 6 is still in > active use and deserves a proper, updated specification. > >> SNMP exists and the NTP WG published RFC 5907 to cover the MIB support >> needed by NTP. I believe that also counts as a better alternative. > > Unbelievable. > > TTBOMK, the only implementation of 5907 is the one in the reference > implementation, and in the 12 years it has been out there we have had NO > reports of it being used. Furthermore, it was implemented USING MODE 6 > PACKETS! > > The only known SNMP interface to ntpd, ntpsnmpd has not seen significant > updates since 2010. > > The mode 6 interface to ntpd, ntpq, remains in continuous development > and evolution. > > Please identify any other implementations of 5907. If you find any, how > significant are they? Are they proprietary 5907 implementations? What > implementations to they work on? > > Please show how SNMP is a better way to monitor and control NTP than ntpq. > > Please show me a working deployment of SNMP controlling NTP, and then > please compare the number and quality of these deployments with those > that do the same with ntpq. > >> Regards, >> Brian >> >> >> _______________________________________________ >> ntp mailing list >> ntp@ietf.org >> https://www.ietf.org/mailman/listinfo/ntp >> > > -- > Harlan Stenn <stenn@nwtime.org> > http://networktimefoundation.org - be a member! > > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] Secdir last call review of draft-ietf-ntp-m… Daniel Franke via Datatracker
- Re: [Ntp] Secdir last call review of draft-ietf-n… Brian Haberman
- Re: [Ntp] Secdir last call review of draft-ietf-n… Harlan Stenn
- Re: [Ntp] Secdir last call review of draft-ietf-n… Karen O'Donoghue
- Re: [Ntp] Secdir last call review of draft-ietf-n… Harlan Stenn
- Re: [Ntp] Secdir last call review of draft-ietf-n… Brian Haberman
- Re: [Ntp] [EXT] Re: Secdir last call review of dr… Ulrich Windl
- Re: [Ntp] Secdir last call review of draft-ietf-n… Harlan Stenn
- Re: [Ntp] [EXT] Re: Secdir last call review of dr… Ulrich Windl
- Re: [Ntp] [EXT] Re: Secdir last call review of dr… Harlan Stenn
- [Ntp] Antw: Re: [EXT] Re: Secdir last call review… Ulrich Windl
- Re: [Ntp] Secdir last call review of draft-ietf-n… Brian Haberman
- Re: [Ntp] Antw: Re: [EXT] Re: Secdir last call re… Harlan Stenn
- Re: [Ntp] Secdir last call review of draft-ietf-n… Harlan Stenn
- Re: [Ntp] [EXT] Re: Secdir last call review of dr… Harlan Stenn