Re: [Ntp] Post NTS, Is shared key authentication interesting?

Hal Murray <hmurray@megapathdsl.net> Tue, 26 May 2020 16:47 UTC

To: Miroslav Lichvar <mlichvar@redhat.com>
cc: NTP WG <ntp@ietf.org>, hmurray@megapathdsl.net
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Tue, 26 May 2020 17:23:28 +0200." <20200526152328.GE18070@localhost>
Date: Tue, 26 May 2020 09:47:06 -0700
Message-Id: <20200526164706.48F3D40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/9ZqPw3CdeI1nkIRg6kFFCZ5gsPc>
Subject: Re: [Ntp] Post NTS, Is shared key authentication interesting?

mlichvar@redhat.com said:
> A different point of view would be to avoid exposing the NTS+TLS stack to
> attackers if not necessary. The complexity of the NTP MAC is minimal when
> compared to that. 

Indeed.  The external dependencies are reduced to an AES package and test 
vectors are available for that.

In addition to the complexity and exposure of the code, there is also the 
documentation.

RFC 8573, MAC for NTP (AES), is 5 pages, mostly boilerplate.
NTS for NTP (draft 26) is 44 pages.


-- 
These are my opinions.  I hate spam.