IETF Logo Mail Archive

Re: [Ntp] [EXT] Re: Secdir last call review of draft-ietf-ntp-mode-6-cmds-08

Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> Sun, 14 June 2020 20:06 UTC

Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C0D3A11D9 for <ntp@ietfa.amsl.com>; Sun, 14 Jun 2020 13:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2YNpeX7D6l_l for <ntp@ietfa.amsl.com>; Sun, 14 Jun 2020 13:06:07 -0700 (PDT)
Received: from mx3.uni-regensburg.de (mx3.uni-regensburg.de [IPv6:2001:638:a05:137:165:0:4:4e79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D4953A11B7 for <ntp@ietf.org>; Sun, 14 Jun 2020 13:06:06 -0700 (PDT)
Received: from mx3.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 392D1600004F for <ntp@ietf.org>; Sun, 14 Jun 2020 22:06:04 +0200 (CEST)
Received: from smtp2.uni-regensburg.de (smtp2.uni-regensburg.de [194.94.157.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.uni-regensburg.de", Issuer "DFN-Verein Global Issuing CA" (not verified)) by mx3.uni-regensburg.de (Postfix) with ESMTPS id E28E1600004D for <ntp@ietf.org>; Sun, 14 Jun 2020 22:06:03 +0200 (CEST)
To: ntp@ietf.org
References: <159206148916.27533.2080482554461273224@ietfa.amsl.com> <4251f262-22f7-3b7d-41d4-e0c3ef1da1b8@innovationslab.net> <5927_1592094476_5EE56F0C_5927_359_1_ea8aff7c-35fa-6d64-3a75-21b31b45a9d9@nwtime.org>
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Message-ID: <ad9890f1-1326-ec9e-4f74-037ddd82036f@rz.uni-regensburg.de>
Date: Sun, 14 Jun 2020 22:04:57 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <5927_1592094476_5EE56F0C_5927_359_1_ea8aff7c-35fa-6d64-3a75-21b31b45a9d9@nwtime.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/CKaicgjs4_WQkBjJiuw_AmSG-XI>
Subject: Re: [Ntp] [EXT] Re: Secdir last call review of draft-ietf-ntp-mode-6-cmds-08
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2020 20:06:10 -0000

On 6/14/20 2:26 AM, Harlan Stenn wrote:
> On 6/13/2020 11:15 AM, Brian Haberman wrote:
>> Thanks for the review, Daniel. A quick follow-up below for those of you
>> playing along at home...
>>
>> On 6/13/20 11:18 AM, Daniel Franke via Datatracker wrote:
>>> Reviewer: Daniel Franke
>>> Review result: Ready
>>>
>>> I have reviewed this document as part of the security directorate's ongoing
>>> effort to review all IETF documents being processed by the IESG.  These
>>> comments were written with the intent of improving security requirements and
>>> considerations in IETF drafts.  Comments not addressed in last call may be
>>> included in AD reviews during the IESG review.  Document editors and WG chairs
>>> should treat these comments just like any other last call comments.
>>>
>>> This document describes a historic protocol whose design falls far short of
>>> modern IETF standards. Its myriad issues are well-described in the Security
>>> Considerations section.
>>>
>>> There has been some debate as to whether the appropriate status for this
>>> document is Historic or Informational. I believe the currently-intended
>>> Historic status is more appropriate. The argument I have heard repeatedly in
>>> favor of Informational status is that it is not appropriate to classify a
>>> protocol as Historic until a better alternative exists with a published
>>> specification. I believe that better alternative exists, which is to have no
>>> standard at all. It's perfectly fine for NTP monitoring and management
>>> protocols to be vendor-specific. In virtually all legitimate uses ("legitimate"
>>> so as to exclude RDoS attacks), both sides of the protocol run on systems
>>> managed by the same organization and the need for vendor-specific tools is not
>>> a practical issue. Lack of standardization is the already the status quo, since
>>> there are many widely-used NTP implementations out there but only the Network
>>> Time Foundation implementation and its derivatives (such as NTPsec) support
>>> this protocol. I know of nobody who has ever been inconvenienced by this;
>>> standardization is a solution in search of a problem.
>>>
>>>
>>
>> Interestingly enough, RFC 1305 actually says this...
>>
>> "Ordinarily, these functions can be implemented using a
>> network-management protocol such as SNMP and suitable extensions to the
>> MIB database. However, in those cases where such facilities are not
>> available, these functions can be implemented using special NTP control
>> messages described herein."
> 
> Why is RFC 1305 even being brought up in this situation?
> 
> NTPv3 was updated to NTPv4.
> 
> During that update, mode 6 and mode 7 were inadvertently not included.
> 
> RFC 5905 was developed, as was 5906 and 5907.  But mode 6 is still in
> active use and deserves a proper, updated specification.
> 
>> SNMP exists and the NTP WG published RFC 5907 to cover the MIB support
>> needed by NTP. I believe that also counts as a better alternative.
> 
> Unbelievable.
> 
> TTBOMK, the only implementation of 5907 is the one in the reference
> implementation, and in the 12 years it has been out there we have had NO
> reports of it being used.  Furthermore, it was implemented USING MODE 6
> PACKETS!
> 
> The only known SNMP interface to ntpd, ntpsnmpd has not seen significant
> updates since 2010.
> 
> The mode 6 interface to ntpd, ntpq, remains in continuous development
> and evolution.
> 
> Please identify any other implementations of 5907.  If you find any, how
> significant are they?  Are they proprietary 5907 implementations?  What
> implementations to they work on?
> 
> Please show how SNMP is a better way to monitor and control NTP than ntpq.

SNMP may be more standard _if_ there is a stable set of NTP operations 
established, but the latter obviously is not the case.

> 
> Please show me a working deployment of SNMP controlling NTP, and then
> please compare the number and quality of these deployments with those
> that do the same with ntpq.

With the instability of mode 6 commands this is not a fair comparison IMHO.

> 
>> Regards,
>> Brian
>>
>>
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
>>
>

v2.23.0 | Report a Bug | By Email