Re: [Ntp] NTP Security (was NTPv5: big picture)

Watson Ladd <watsonbladd@gmail.com> Fri, 22 January 2021 02:46 UTC

References: <20210118113806.33BBE40605C@ip-64-139-1-69.sjc.megapath.net> <c6fda979-0b3e-99fc-2dc5-25b7cde4c42b@rubidium.se> <20210118162517.GA2410317@localhost> <acdd42d0-9b58-4b26-0798-55a42bc0b6de@rubidium.se> <YAX6gJiREb2RE6Gs@roeckx.be> <c5378682-e03f-9e46-24d5-025eb4a57c05@rubidium.se> <20210119094217.GB2430794@localhost> <68c0d807-2290-3c44-d760-35306af20434@rubidium.se> <20210119130408.GD2430794@localhost> <ed1de364-ab7c-86f4-2390-8d96ca708321@thalesgroup.com> <20210119135115.GF2430794@localhost> <F2EE68D7-F9BC-4F2E-BF67-3868DD8F834C@meinberg-usa.com>
In-Reply-To: <F2EE68D7-F9BC-4F2E-BF67-3868DD8F834C@meinberg-usa.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 21 Jan 2021 18:46:04 -0800
Message-ID: <CACsn0cknL942x_1PrriGWB0WC5yPcGbjtxxUnKV+a0qEb018Dw@mail.gmail.com>
To: Doug Arnold <doug.arnold@meinberg-usa.com>
Cc: Miroslav Lichvar <mlichvar@redhat.com>, FUSTE Emmanuel <emmanuel.fuste@thalesgroup.com>, "ntp@ietf.org" <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/H0dCUkmY8gpcnoOKCRGVP9cjxy0>
Subject: Re: [Ntp] NTP Security (was NTPv5: big picture)

On Tue, Jan 19, 2021, 8:36 AM Doug Arnold <doug.arnold@meinberg-usa.com> wrote:
>
> Isn't this the problem that roughtime is trying to solve?

Yes! But solving it requires more implementations, more text on
impeachment, more monitors, and, yes, more code by me. Our deployment
isn't implementing the latest draft yet.

Send comments! Run servers! Run monitors! Roughtime, like CT, is an
ecosystem. It's beyond my resources to do it myself, but I hope to
have good news to share at IETF about deployments of the draft
version.
> Maybe ntpv5 should have some simple semi-secure options for start up:
> RTCs,
> setting the time from your watch,
> getting time from multiple insecure servers.
>
> After one of these, move to ntp + nts.
>
> If the device is in a less secure network or is mission critical, then start with roughtime before moving to ntp + nts.
>
> Doug
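
As an added example (not code from this thread or from any Roughtime or NTP implementation), the Python below models the start-up policy Doug sketches: pick Roughtime first on a less secure network or a mission-critical device, otherwise take a rough time from the RTC or from several unauthenticated servers, requiring a quorum of them to agree so that a single bad reply cannot set the clock, before moving on to NTP+NTS. The tolerance, quorum, and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple

class Source(Enum):
    RTC = "rtc"
    MANUAL = "operator-set"          # "setting the time from your watch"
    INSECURE_NTP = "multiple-insecure-servers"
    ROUGHTIME = "roughtime"

@dataclass
class Policy:
    untrusted_network: bool
    mission_critical: bool

def first_source(policy: Policy) -> Source:
    """Roughtime first on a less secure network or a mission-critical host;
    otherwise a simple semi-secure option is acceptable for start-up."""
    if policy.untrusted_network or policy.mission_critical:
        return Source.ROUGHTIME
    return Source.INSECURE_NTP

def agreed_time(samples: Sequence[float], tolerance: float, quorum: int) -> Optional[float]:
    """Largest cluster of replies (Unix seconds) that lie within `tolerance`
    of each other; returns its median, or None if no cluster reaches `quorum`.
    One wildly wrong server cannot drag the estimate unless it joins a cluster."""
    xs = sorted(samples)
    best: Optional[list] = None
    for i, lo in enumerate(xs):
        cluster = [x for x in xs[i:] if x - lo <= tolerance]
        if len(cluster) >= quorum and (best is None or len(cluster) > len(best)):
            best = cluster
    if best is None:
        return None
    mid = len(best) // 2
    return best[mid] if len(best) % 2 else (best[mid - 1] + best[mid]) / 2

def bootstrap_estimate(rtc: Optional[float], samples: Sequence[float],
                       tolerance: float = 5.0, quorum: int = 3) -> Tuple[Source, Optional[float]]:
    """Rough time to start with before switching to NTP+NTS: server agreement
    if available, else the RTC, else the operator must set the clock by hand."""
    t = agreed_time(samples, tolerance, quorum)
    if t is not None:
        return Source.INSECURE_NTP, t
    if rtc is not None:
        return Source.RTC, rtc
    return Source.MANUAL, None

if __name__ == "__main__":
    # Constructed replies: three agree, one is far off (a lying or broken server).
    replies = [1611283576.0, 1611283577.5, 1611283575.2, 1700000000.0]
    print(first_source(Policy(untrusted_network=True, mission_critical=False)))
    print(bootstrap_estimate(rtc=1611283000.0, samples=replies))
```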