Re: [ntpwg] The next step of draft-ietf-ntp-checksum-trailer
Harlan Stenn <stenn@ntp.org> Mon, 07 March 2016 23:28 UTC
From: Harlan Stenn <stenn@ntp.org>
To: dieter.sibold@ptb.de
Cc: Karen ODonoghue <odonoghue@isoc.org>, ntpwg@lists.ntp.org, Suresh Krishnan <suresh.krishnan@ericsson.com>
Date: Mon, 07 Mar 2016 22:54:40 +0000
In-reply-to: <OFD1361D67.E13510CC-ONC1257F6F.005BF6CC-C1257F6F.005E2416@ptb.de>
Message-Id: <E1ad42y-000EfP-Da@stenn.ntp.org>
Hi Dieter,

dieter.sibold@ptb.de writes:
> "ntpwg" <ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org> wrote on
> 07.03.2016 14:16:25:
>
> > From: Miroslav Lichvar <mlichvar@redhat.com>
> > To: Harlan Stenn <stenn@ntp.org>
> > Cc: "'ntpwg@lists.ntp.org'" <ntpwg@lists.ntp.org>, "Karen
> > ODonoghue \(odonoghue@isoc.org\)" <odonoghue@isoc.org>, Suresh
> > Krishnan <suresh.krishnan@ericsson.com>
> > Date: 07.03.2016 14:40
> > Subject: Re: [ntpwg] The next step of draft-ietf-ntp-checksum-trailer
> > Sent by: "ntpwg" <ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org>
> >
> > On Mon, Mar 07, 2016 at 12:35:56PM +0000, Harlan Stenn wrote:
> > > Originally, if there was an extension field there MUST be a MAC.
> >
> > Right. That requirement was not necessary and it was later removed.

The above claim has not yet been proven.

> > > Tal wrote Errata 3627 (or whatever) and removed that requirement.
> >
> > Yes, but why is that a problem?

The above is under discussion.

> > > MAC protection is good. NTS uses a 'single' Field Type, but the first
> > > few packets have no MAC protection. Therefore, the first few packets of
> > > an NTS exchange arguably MUST have MAC protection outside the NTS
> > > packet
> >
> > With what key would that MAC be generated? Unless I misunderstood how
> > NTS is supposed to work, the first few packets are simply not
> > authenticated and can't be used for anything except initialization of
> > the NTS association.

Answered in a separate email - a symmetric key is AVAILABLE for this.

Doing this is a MAY/SHOULD. Not a MUST.

> Harlan, I do not agree that you need to protect the association and key
> exchange of NTS. The goal of the first exchanged messages of NTS is to
> securely authenticate the server and exchange the cookie. And yes, though
> these messages are piggybacked on NTP messages, they do not protect NTP's
> time stamps. However, the NTS messages in themselves, and especially the
> cookie exchange message, are cryptographically protected. A client has the
> choice to trust or not to trust the time stamps exchanged during the
> association and cookie exchange. After the cookie is exchanged, all
> following time requests and responses are of course protected by a MAC.
> So, a client always has the option only to trust the authenticated time
> stamps. I don't see that anyone wants to distribute symmetric keys
> manually only for the purpose of protecting the first three message
> exchanges of NTS. And if you are in a situation in which you can exchange
> symmetric keys with your customers, you don't need to apply NTS. But in
> most cases, distribution of symmetric keys is realistically not an option.

Correct. I am not saying MUST.

Are you saying that each of these 6 initial packets MUST NOT be protected
by any sort of MAC?

H
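The two rules argued over above (the original "an extension field implies a MAC" requirement versus the relaxed rule, and whether a pre-shared symmetric key could cover the unauthenticated initial packets) are easier to reason about against concrete packet bytes. The following is an added example written for this page; it is not code from the thread, from ntpd, or from any NTS implementation. It frames NTPv4 extension fields as 16-bit type, 16-bit length (including the 4-octet field header and padding) and a value padded to a 4-octet boundary, and recognises the RFC 5905 symmetric-key MAC trailer as a 32-bit key ID followed by an MD5 (16-octet) or SHA-1 (20-octet) digest computed over the key concatenated with everything before the MAC. The field type 0xF000, the shared key, the packet contents and the 28-octet minimum extension-field length used to keep the MAC/extension-field split unambiguous are all constructed for illustration, not registered or normative values.

```python
"""
Added example (not from the ntpwg thread or any NTP/NTS implementation).
Parse NTPv4 packets into header, extension fields and an optional
symmetric-key MAC, verify that MAC, and apply the two policies discussed
on the list: "extension field => MAC required" versus "MAC optional".
All packet contents, the field type 0xF000 and the key are constructed.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48
# RFC 5905 symmetric-key MAC: 4-octet key ID + MD5 (16) or SHA-1 (20) digest.
MAC_LENGTHS = {20: "md5", 24: "sha1"}
# Constructed convention for this example: every extension field is padded
# to at least 28 octets so a trailing 20/24-octet run can only be a MAC.
MIN_EF_LEN = 28


def _digest(algo, key, data):
    # RFC 5905 Appendix A style digest: hash over key || packet-before-MAC.
    # This is a keyed-prefix hash, not HMAC; kept as the RFC defines it.
    return hashlib.new(algo, key + data).digest()


def build_packet(ext_fields, key=None, key_id=1, algo="md5"):
    """Build an NTPv4 client packet: header, extension fields, optional MAC."""
    # LI=0, VN=4, Mode=3 (client); the other header words are zero here.
    body = bytes([0x23]) + bytes(HEADER_LEN - 1)
    for field_type, value in ext_fields:
        padded = value + b"\x00" * (-len(value) % 4)
        if 4 + len(padded) < MIN_EF_LEN:
            padded += b"\x00" * (MIN_EF_LEN - 4 - len(padded))
        # Length counts the 4-octet type/length header plus the padded value.
        body += struct.pack("!HH", field_type, 4 + len(padded)) + padded
    if key is None:
        return body
    return body + struct.pack("!I", key_id) + _digest(algo, key, body)


def parse_packet(data):
    """Return (header, [(type, padded_value), ...], mac_or_None)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short NTP packet")
    header, rest = data[:HEADER_LEN], data[HEADER_LEN:]
    fields, mac = [], None
    while rest:
        if len(rest) in MAC_LENGTHS:      # exactly one MAC-sized tail left
            mac = rest
            break
        if len(rest) < MIN_EF_LEN:
            raise ValueError("trailing bytes are neither an EF nor a MAC")
        field_type, length = struct.unpack("!HH", rest[:4])
        if length < MIN_EF_LEN or length % 4 or length > len(rest):
            raise ValueError("bad extension field length %d" % length)
        fields.append((field_type, rest[4:length]))
        rest = rest[length:]
    return header, fields, mac


def verify_mac(data, keys):
    """True iff the packet ends in a MAC that verifies under keys[key_id]."""
    _, _, mac = parse_packet(data)
    if mac is None:
        return False
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = _digest(MAC_LENGTHS[len(mac)], key, data[:-len(mac)])
    return hmac.compare_digest(expected, mac[4:])


def check_policy(data, require_mac_with_ef):
    """Original rule (EF present => MAC required) vs the relaxed rule."""
    _, fields, mac = parse_packet(data)
    if require_mac_with_ef and fields and mac is None:
        return "reject: extension field without MAC"
    return "accept"


def example_packets():
    """Constructed packets: plain, EF only, EF + MD5 MAC, EF + SHA-1 MAC."""
    keys = {1: b"constructed-shared-key"}
    efs = [(0xF000, b"nts-cookie-placeholder")]   # constructed type/value
    return {
        "keys": keys,
        "plain": build_packet([]),
        "ef": build_packet(efs),
        "ef_mac": build_packet(efs, key=keys[1], key_id=1),
        "ef_mac_sha1": build_packet(efs, key=keys[1], key_id=1, algo="sha1"),
    }


if __name__ == "__main__":
    p = example_packets()
    for name in ("plain", "ef", "ef_mac", "ef_mac_sha1"):
        print(name, check_policy(p[name], True), verify_mac(p[name], p["keys"]))
```

Note what the strict policy does and does not buy: it only forces the initial, extension-field-carrying packets to be covered by a MAC under whatever symmetric key both sides already share; it says nothing about the extension field's own cryptographic protection, which is the point Dieter makes above. Under the relaxed policy the same packets are accepted unauthenticated, and a one-byte change to the extension field goes unnoticed unless a MAC is present and verified.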