IETF Logo Mail Archive

Re: [Ntp] NTP Security (was NTPv5: big picture)

Kurt Roeckx <kurt@roeckx.be> Sat, 16 January 2021 23:35 UTC

Return-Path: <kurt@roeckx.be>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D134D3A13B3 for <ntp@ietfa.amsl.com>; Sat, 16 Jan 2021 15:35:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQrf3c1hQI8H for <ntp@ietfa.amsl.com>; Sat, 16 Jan 2021 15:35:31 -0800 (PST)
Received: from excelsior.roeckx.be (excelsior.roeckx.be [IPv6:2a05:7300:0:100::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF2553A12E7 for <ntp@ietf.org>; Sat, 16 Jan 2021 15:35:30 -0800 (PST)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by excelsior.roeckx.be (Postfix) with ESMTP id 99B8CA8A0BA8; Sat, 16 Jan 2021 23:35:26 +0000 (UTC)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 29E031FE0DDD; Sun, 17 Jan 2021 00:35:26 +0100 (CET)
Date: Sun, 17 Jan 2021 00:35:25 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: James Browning <jamesb.fe80@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <YAN4PSgwEOVYkAJF@roeckx.be>
References: <rsalz@akamai.com> <993FEEB5-F498-472E-813E-E684E273612F@akamai.com> <20210102050501.7D0DE40605C@ip-64-139-1-69.sjc.megapath.net> <26A97601-BEB4-4914-B570-6C8BD9C72FAD@akamai.com> <CACsn0cm=d3z+ceTDMaw2LDHg_AeNoxbs411iEFNpGpnWcyvZvw@mail.gmail.com> <CAFTY+dAMNZF_qPbzo2Fsj1LtF5+s-cze5s52rxBZSk6ofzG9gQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAFTY+dAMNZF_qPbzo2Fsj1LtF5+s-cze5s52rxBZSk6ofzG9gQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/7jb7v-eCWfkHe-yWjR-fUI064v0>
Subject: Re: [Ntp] NTP Security (was NTPv5: big picture)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jan 2021 23:35:33 -0000

On Sat, Jan 16, 2021 at 02:49:33PM -0800, James Browning wrote:
> On Sat, Jan 16, 2021, at 11:02 AM Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> > I'd like to see some input from people who operate the pool on what
> > solutions would work for them. Right now we're sort of flying blind.
> > Perhaps we can discuss at IETF 110?
> >
> 
> Only a user of the pool, but I basically see three ways to manage that.
> 1) Have the pool serve up SRV records and rewrite the pool code, the spec,
> and clients to compensate.

I think if we want to do it with DNS, it would require DNSSEC, and
that the client validates DNSSEC.

> 2) Have the pool run a common NTS-KE server for all NTS servers in the pool.

As far as I understand things, that would not be a good idea.

> 3) Convince TLS certificate vendors to sell IP based certificates.

There are CAs that sell this.

> I am not particularly fond of any. Someone should find a fourth way.

Open a TLS connection to ask for servers, get a list of hostnames.


Kurt

v2.23.0 | Report a Bug | By Email