IETF Logo Mail Archive

Re: [Ntp] Antw: Re: Antw: [EXT] Re: Quick review of WGLC for status change for draft‑ietf‑ntp‑update‑registries

Harlan Stenn <stenn@nwtime.org> Thu, 11 August 2022 12:06 UTC

Return-Path: <stenn@nwtime.org>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617DFC14F74B for <ntp@ietfa.amsl.com>; Thu, 11 Aug 2022 05:06:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LwjlWRkza_ue for <ntp@ietfa.amsl.com>; Thu, 11 Aug 2022 05:06:47 -0700 (PDT)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84993C14F739 for <ntp@ietf.org>; Thu, 11 Aug 2022 05:06:45 -0700 (PDT)
Received: from [10.208.75.149] (071-084-168-128.res.spectrum.com [71.84.168.128]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4M3QX26LYyzMP49; Thu, 11 Aug 2022 12:06:42 +0000 (UTC)
Message-ID: <2b368565-8cb1-fa6e-8c56-1dae27c66528@nwtime.org>
Date: Thu, 11 Aug 2022 05:06:42 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0
Content-Language: en-US
To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, "ntp@ietf.org" <ntp@ietf.org>
References: <PH0PR06MB706126984E4442EF32F8242AC2999@PH0PR06MB7061.namprd06.prod.outlook.com> <da155c84-2c70-2e3b-59eb-03e380806cf2@nwtime.org> <PH0PR06MB70611F2331D8255F7E2B6604C2999@PH0PR06MB7061.namprd06.prod.outlook.com> <0b4c7efa-3977-b588-0974-33b6a9437e52@nwtime.org> <62F0E9D3020000A10004C2EC@gwsmtp.uni-regensburg.de> <2d66fa3e-f750-e3d2-511e-594fa40d993d@nwtime.org> <62F0F4C7020000A10004C310@gwsmtp.uni-regensburg.de> <8faf7c64-8896-97ca-fa2e-2d762c7da1d8@nwtime.org> <YvEIf3g+Jjm27pUz@localhost> <f6b2b8ce-c4f8-72d9-8004-2bb13e1176e4@nwtime.org> <YvIUeUAkpXR7/lDS@localhost> <c109d057-bcce-862a-e264-69523f232fed@nwtime.org> <1835216B0200005A6A6A8CFC@gwsmtp.uni-regensburg.de> <B8BB1800020000C0822C0D04@gwsmtp.uni-regensburg.de> <62F2382C020000A10004C389@gwsmtp.uni-regensburg.de> <d72a0d3b-1441-e70d-56b1-ef3f02d12785@nwtime.org> <62F4E20E020000A10004C47A@gwsmtp.uni-regensburg.de>
From: Harlan Stenn <stenn@nwtime.org>
In-Reply-To: <62F4E20E020000A10004C47A@gwsmtp.uni-regensburg.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/BL_PTgTWw79Iy0MybAm3f8aelDo>
Subject: Re: [Ntp] Antw: Re: Antw: [EXT] Re: Quick review of WGLC for status change for draft‑ietf‑ntp‑update‑registries
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2022 12:06:51 -0000

Hi Ulrich,

On 8/11/2022 4:03 AM, Ulrich Windl wrote:
> Hi Harlan,
> 
> if you have ntpd with a key configuration file all is fine:
> Known keys are processed, and unknown keys are dropped.
> BUT: If you want to analyze packets on the wire (tcpdump, wireshark) without
> having the key definitions, it's hard to impossible.
> 
> That was my point of criticism: I think the packet structure should be
> parsable without knowing the keys behind the key ID.

OK.

I'm OK with what we've implemented.  If tcpdump/wireshark has difficulty 
with certain packets because it doesn't have enough context, I'm OK with 
that too.  If whoever is debugging things does not have all the 
information they need to do that sort of deep packet inspection, that's 
a valid policy choice, and the consequences of that policy choices are 
part of the package.

If different choices need to be made in this regard, people are free to 
make different choices.

H
--
> Regards,
> Ulrich
> 
>>>> Harlan Stenn <stenn@nwtime.org> schrieb am 11.08.2022 um 11:50 in
> Nachricht
> <d72a0d3b-1441-e70d-56b1-ef3f02d12785@nwtime.org>:
>> On 8/9/2022 3:34 AM, Ulrich Windl wrote:
>>>>>> Harlan Stenn <stenn@nwtime.org> schrieb am 09.08.2022 um 11:11 in
>>> Nachricht
>>> <c109d057-bcce-862a-e264-69523f232fed@nwtime.org>:
>>>> On 8/9/2022 1:02 AM, Miroslav Lichvar wrote:
>>>>> On Mon, Aug 08, 2022 at 06:48:28PM ‑0700, Harlan Stenn wrote:
>>>>>> On 8/8/2022 5:58 AM, Miroslav Lichvar wrote:
>>>>>>> If you allow short extension fields, you will not be able to detect
>>>>>>> whether a request contains an unknown extension field or an Autokey
>>>>>>> MAC using an old cookie. The protocol may be able recover, but that's
>>>>>>> not how things should be done.
>>>>>>>
>>>>>>> Here is an example:
>>>>>>>
>>>>>>> 04 1b 00 14 cc e2 c8 47 71 95 79 64 c4 71 e8 72 7e bf fb cd
>>>>>>>
>>>>>>> Which of the two is it?
>>>>>>>
>>>>>>
>>>>>> More context, please.
>>>>>>
>>>>>> What is that set of bytes?
>>>>>
>>>>> It's the UDP data following the NTP header.
>>>>
>>>> I don't do this stuff in my head as well as I used to.
>>>>
>>>> Is there a symmetric key for keyID 1051?  If so, what hash algorithm was
>>>> used?
>>>
>>> Should the parsing of the packet really depend on knowing what hash
>> algorithm
>>> a specific key ID uses?
>>
>> In general, no.
>>
>> More below.
>>
>>> It's quite likely that a server receives packets with a key it does not
>> know.
>>
>> If a packet is authenticated with a keyID the receiving system does not
>> understand, then the receiving system CANNOT authenticate the packet.
>> In this case, it's expected that the receiving system will drop the packet.
>>
>> Do you disagree?
>>
>> I asked about the algorithm that was used because it is possible for
>> MACs to have different payload lengths.
>>
>> The receiving system can see if the keyID is known, and if it is, the
>> expected algorithm will dictate the length of the MAC payload.
>>
>> If that payload length does not match, then the field in question cannot
>> be a legacy MAC.
>> -- 
>> Harlan Stenn <stenn@nwtime.org>
>> http://networktimefoundation.org - be a member!
> 
> 
> 
> 

-- 
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!

v2.23.0 | Report a Bug | By Email