Re: [Ntp] [EXT] Re: Secdir last call review of draft-ietf-ntp-mode-6-cmds-08
Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> Sun, 14 June 2020 20:06 UTC
To: ntp@ietf.org
References: <159206148916.27533.2080482554461273224@ietfa.amsl.com> <4251f262-22f7-3b7d-41d4-e0c3ef1da1b8@innovationslab.net> <5927_1592094476_5EE56F0C_5927_359_1_ea8aff7c-35fa-6d64-3a75-21b31b45a9d9@nwtime.org>
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Message-ID: <ad9890f1-1326-ec9e-4f74-037ddd82036f@rz.uni-regensburg.de>
Date: Sun, 14 Jun 2020 22:04:57 +0200
In-Reply-To: <5927_1592094476_5EE56F0C_5927_359_1_ea8aff7c-35fa-6d64-3a75-21b31b45a9d9@nwtime.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/CKaicgjs4_WQkBjJiuw_AmSG-XI>
On 6/14/20 2:26 AM, Harlan Stenn wrote:
> On 6/13/2020 11:15 AM, Brian Haberman wrote:
>> Thanks for the review, Daniel. A quick follow-up below for those of you
>> playing along at home...
>>
>> On 6/13/20 11:18 AM, Daniel Franke via Datatracker wrote:
>>> Reviewer: Daniel Franke
>>> Review result: Ready
>>>
>>> I have reviewed this document as part of the security directorate's ongoing
>>> effort to review all IETF documents being processed by the IESG. These
>>> comments were written with the intent of improving security requirements and
>>> considerations in IETF drafts. Comments not addressed in last call may be
>>> included in AD reviews during the IESG review. Document editors and WG chairs
>>> should treat these comments just like any other last call comments.
>>>
>>> This document describes a historic protocol whose design falls far short of
>>> modern IETF standards. Its myriad issues are well-described in the Security
>>> Considerations section.
>>>
>>> There has been some debate as to whether the appropriate status for this
>>> document is Historic or Informational. I believe the currently-intended
>>> Historic status is more appropriate. The argument I have heard repeatedly in
>>> favor of Informational status is that it is not appropriate to classify a
>>> protocol as Historic until a better alternative exists with a published
>>> specification. I believe that better alternative exists, which is to have no
>>> standard at all. It's perfectly fine for NTP monitoring and management
>>> protocols to be vendor-specific. In virtually all legitimate uses ("legitimate"
>>> so as to exclude RDoS attacks), both sides of the protocol run on systems
>>> managed by the same organization and the need for vendor-specific tools is not
>>> a practical issue. Lack of standardization is already the status quo, since
>>> there are many widely-used NTP implementations out there but only the Network
>>> Time Foundation implementation and its derivatives (such as NTPsec) support
>>> this protocol. I know of nobody who has ever been inconvenienced by this;
>>> standardization is a solution in search of a problem.
>>>
>>
>> Interestingly enough, RFC 1305 actually says this...
>>
>> "Ordinarily, these functions can be implemented using a
>> network-management protocol such as SNMP and suitable extensions to the
>> MIB database. However, in those cases where such facilities are not
>> available, these functions can be implemented using special NTP control
>> messages described herein."
>
> Why is RFC 1305 even being brought up in this situation?
>
> NTPv3 was updated to NTPv4.
>
> During that update, mode 6 and mode 7 were inadvertently not included.
>
> RFC 5905 was developed, as was 5906 and 5907. But mode 6 is still in
> active use and deserves a proper, updated specification.
>
>> SNMP exists and the NTP WG published RFC 5907 to cover the MIB support
>> needed by NTP. I believe that also counts as a better alternative.
>
> Unbelievable.
>
> TTBOMK, the only implementation of 5907 is the one in the reference
> implementation, and in the 12 years it has been out there we have had NO
> reports of it being used. Furthermore, it was implemented USING MODE 6
> PACKETS!
>
> The only known SNMP interface to ntpd, ntpsnmpd, has not seen significant
> updates since 2010.
>
> The mode 6 interface to ntpd, ntpq, remains in continuous development
> and evolution.
>
> Please identify any other implementations of 5907. If you find any, how
> significant are they? Are they proprietary 5907 implementations? What
> implementations do they work on?
>
> Please show how SNMP is a better way to monitor and control NTP than ntpq.

SNMP may be more standard _if_ there is a stable set of NTP operations
established, but the latter obviously is not the case.

>
> Please show me a working deployment of SNMP controlling NTP, and then
> please compare the number and quality of these deployments with those
> that do the same with ntpq.

With the instability of mode 6 commands this is not a fair comparison IMHO.

>
>> Regards,
>> Brian