IETF Logo Mail Archive

Re: [ntpwg] Parsing NTP packets regarding MACs and EXTs.

Daniel Franke <dfoxfranke@gmail.com> Wed, 22 June 2016 14:46 UTC

Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CEA812D98E for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Wed, 22 Jun 2016 07:46:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.015
X-Spam-Level:
X-Spam-Status: No, score=-8.015 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_SIGNED=0.1, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DD8sh44n9BTs for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Wed, 22 Jun 2016 07:46:03 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [IPv6:2001:4f8:fff7:1::7]) by ietfa.amsl.com (Postfix) with ESMTP id 1B56C12D858 for <ntp-archives-ahFae6za@lists.ietf.org>; Wed, 22 Jun 2016 07:40:54 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id BDEDA86DB1D for <ntp-archives-ahFae6za@lists.ietf.org>; Wed, 22 Jun 2016 14:40:54 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id B64C086D55E for <ntpwg@lists.ntp.org>; Tue, 21 Jun 2016 14:51:35 +0000 (UTC)
Received: from mail-io0-x22c.google.com ([2607:f8b0:4001:c06::22c]) by mail1.ntp.org with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <dfoxfranke@gmail.com>) id 1bFN1a-000HxM-5j for ntpwg@lists.ntp.org; Tue, 21 Jun 2016 14:51:35 +0000
Received: by mail-io0-x22c.google.com with SMTP id g13so11646788ioj.1 for <ntpwg@lists.ntp.org>; Tue, 21 Jun 2016 07:51:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YQLrP5T4qTY9tqrOXj/h1Qb6cgVLWHzYrGkwTpdciR8=; b=y6atoE3KXGKhh9pvKieBAHLEc1g10Oe8Z+nkhntbF7RYpeweXXNDHrurUv9VpyVthB p2+soenjP/qjpLFd8Sao/iHvts5e35sShs77kPMyB8O+ceRMf+e7d78blnUObhx54DPs VPRyOIIi9TdMxoJPW15tVJB64poSCcIdwHBFV0QIh7DhjHm1ggE0ACWZxJAzhGq8W4/u Vb5/RXsG3k+E+SuyEDF+UcTsNPhG1GlsDVOa9hgLjre+5Pe10q200qPWcNWepBMCjy20 HO6I0KukzcEDtebMz2bWjn9VcxysmafsVNwv1Jziyyk1hYekJO3jPKwmMVffM/QlageI rYYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YQLrP5T4qTY9tqrOXj/h1Qb6cgVLWHzYrGkwTpdciR8=; b=CoXCFvDTD4bZLhNJhZ2BQU2e8EOSKSQap0etk4a2pn8/27qG6voREPqBheeaEcyq7Y yCQZ1PZrDKh5sVFClIgwcMn4ZcH3ZmJC2Y4zL1jKj7gG4vOt4GoJDUr0qVBCVavAySTo tFU3ZWTQY2ctAR2nq8pc3a132yjhqeBmQKMAgP6CydrOJt8I7/D3dB6yC1T6/IlciBPZ dl1XPV1LruvRyG22e2yBeb1FUPxPiBCpgBKtY8oEIC8eAf7aGXTD46OvnXETSZhVjycN uU9J8BOq5T14FHvCDPAB9gD1mfGpt8QrvY1gyNNoRjOjQtpo4PIHE4Wt4LpXz0BHSnlZ Po0Q==
X-Gm-Message-State: ALyK8tKHJ9Z7OuCiodRA3mAKW4QtukpMsXohHYlMKH1wxgnyBa1/IUauLVkvCEKCMjB2o5pxhn7lL1Tuu8Ntsw==
X-Received: by 10.157.37.242 with SMTP id q105mr14861671ota.29.1466520692963; Tue, 21 Jun 2016 07:51:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.224.234 with HTTP; Tue, 21 Jun 2016 07:51:32 -0700 (PDT)
In-Reply-To: <d5934cd7-5808-3e2b-3ed6-b5e1b3f9e2df@ntp.org>
References: <stenn@ntp.org> <E1bFCJh-000G0C-Bf@stenn.ntp.org> <20160621093932.BD9A7406057@ip-64-139-1-69.sjc.megapath.net> <f4f6f8f969ac49ff819ccae06ec2e3db@usma1ex-dag1mb1.msg.corp.akamai.com> <d5934cd7-5808-3e2b-3ed6-b5e1b3f9e2df@ntp.org>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Tue, 21 Jun 2016 10:51:32 -0400
Message-ID: <CAJm83bAHcSQtOHRjUHVk7o27KmbSqH_dad+dLMAhQ6Vh3hnsWw@mail.gmail.com>
To: mayer@ntp.org
X-SA-Exim-Connect-IP: 2607:f8b0:4001:c06::22c
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: dfoxfranke@gmail.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
X-Mailman-Approved-At: Wed, 22 Jun 2016 14:40:42 +0000
Subject: Re: [ntpwg] Parsing NTP packets regarding MACs and EXTs.
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: "ntpwg@lists.ntp.org" <ntpwg@lists.ntp.org>, Hal Murray <hmurray@megapathdsl.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>

On 6/21/16, Danny Mayer <mayer@ntp.org> wrote:
> Yes. The reference code supports the creation of better hashes than MD5
> and SHA-1, since OpenSSL supports it, but the parsing code does not and
> that's what needs to get fixed. This is not a NTP WG issue, it's a
> problem with the reference implementation that needs to get fixed. I do
> note that RFC5905 only references MD5 and that IS a WG problem.

A bigger problem than MD5 is the fact that NTP's  "HMAC" isn't HMAC;
it's the H(K||V) construction vulnerable to length-extension attacks.

However, supporting better hash functions shouldn't require any
changes to parsing. The length of a MAC tag doesn't have to be the
same as the digest size of the hash function you're using. It's
perfectly safe, e.g., to truncate HMAC-SHA256 to 128 bits.

I oppose putting the legacy MAC field to any new uses or allowing it
take on anything other than its current size. Any new crypto should be
done in extension fields. The parsing rules should be as follows:

If the packet is 48 bytes, it has no extensions and no MAC.
If the packet is between 49 and 67 bytes inclusive, it's malformed; discard it.
If the packet is 68 bytes, it has a legacy MAC and no extensions.
If the packet is more than 68 bytes, the last 20 bytes are the keyid
and MAC, the first 48 bytes are the standard fields, and everything in
between is extension fields. If the keyid field is 0, then the MAC
field is ignored, and these last 20 bytes are basically just filler to
make the packet parse correctly.

At such time as we publish a standard for NTPv5, we can get rid of the
legacy MAC fields and move their functionality into extension fields,
so that the 20 bytes of wasted filler is no longer necessary.
_______________________________________________
ntpwg mailing list
ntpwg@lists.ntp.org
http://lists.ntp.org/listinfo/ntpwg

v2.23.0 | Report a Bug | By Email