Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requirements-01.txt
David Venhoek <david@venhoek.nl> Tue, 21 February 2023 13:20 UTC
Return-Path: <david@venhoek.nl>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E720C1524A3 for <ntp@ietfa.amsl.com>; Tue, 21 Feb 2023 05:20:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=venhoek-nl.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XnQbGzaS_gqg for <ntp@ietfa.amsl.com>; Tue, 21 Feb 2023 05:20:51 -0800 (PST)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD520C1522C2 for <ntp@ietf.org>; Tue, 21 Feb 2023 05:20:50 -0800 (PST)
Received: by mail-pg1-x530.google.com with SMTP id 132so2205556pgh.13 for <ntp@ietf.org>; Tue, 21 Feb 2023 05:20:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=venhoek-nl.20210112.gappssmtp.com; s=20210112; t=1676985650; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3raBu81UCxWAt9dULC4wtZktkyHIspdIb2qNzKw5Pw0=; b=XGCFRcihq+1edcWK8ju/oRSBiswNN1xZJQeGMRbc94qpjvLYSgC5FvkU3+5FpLQzaX mIPawT582JRqc9LRPa10L7uhd63Ji2wbE4QY1ua3/FqbKy7RlD6/5uHCpFgauR9MwCoY wgLMJU4Sf8Vk1sMqka6TOHt6U2QRVs5knznQ6OyWeT0q0X5/dyxR6enSX8hrFjLkjk3h CHi5AmhpcGSqB6StOrO8fVR018JKbV0G4VBq6OUQNfm7dL54Kv6LgjZpWgMPmf7zCqJR 2g7RlONQ4boIi8RMKXh7PH6cYVX2zrq+TO7R4NAeCVJaT0NfxKgMbZ2wtrcJu5bXbxxz 6f9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1676985650; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3raBu81UCxWAt9dULC4wtZktkyHIspdIb2qNzKw5Pw0=; b=tPjBV4cf8xhxiuBPxDxFnQERmONJwXH7UWfL+Od69JqIX4SB6UWp8gXSFIkwgWe3fN 2eG/g8pZdGXxZ2xUliLSBcEq6FBY95VeZe6jSCsMEt1G3B7yrjhp6PectN7gwGtbfsoD KxGw/9YNSMdzTtsnoVioFqDr0FJzuWiLICTgOmLgD/aESaU4o80iKKftUIwV7ufTzZfB l9XVDq4At9MJzq33+wTvb8IRDUcxhgEFgmZEzSzsJ7/ClhGqtBEVOaVRTfOafIeHF2BG L9hvlanHxqvAcjPNFuGgOZDZyShPBhEBr+29flnRomIpeK0000P6d6j2cl/1TVwO3NBK s59Q==
X-Gm-Message-State: AO0yUKVE5dmJIgjERB5TooXjfdh9epdDN5UelvqEkgUiQI2n+SdSTVMe poSPAuUpGdQ56TAoH1knaGmbbIo5+uIRorCj+Nv1Uj3kYcVrNw==
X-Google-Smtp-Source: AK7set/mWqkpQIX/ZJQBhhvCGmUC83FtpnKuthi34SZGIvapFm5ip22TJSnokqZbepB1CDxmuYEf7ykFzIojVKSNfHU=
X-Received: by 2002:a05:6a00:2129:b0:5a8:adc8:6de7 with SMTP id n9-20020a056a00212900b005a8adc86de7mr651326pfj.38.1676985649938; Tue, 21 Feb 2023 05:20:49 -0800 (PST)
MIME-Version: 1.0
References: <167406509279.8060.1009165838491116090@ietfa.amsl.com> <Y8/frEvjBTeFwG1k@localhost> <D07EFED9-DF04-4F7A-8FE7-DF1F8ACADCC3@gmail.com>
In-Reply-To: <D07EFED9-DF04-4F7A-8FE7-DF1F8ACADCC3@gmail.com>
From: David Venhoek <david@venhoek.nl>
Date: Tue, 21 Feb 2023 14:21:29 +0100
Message-ID: <CAPz_-SW3gWPWNnauwwtgfHhZZNXryjRzj4xR-S=uqWaxODfERA@mail.gmail.com>
To: James <james.ietf@gmail.com>
Cc: ntp@ietf.org, Miroslav Lichvar <mlichvar@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Kp8Y7M0OpONRmCYtHTrvn59BiZA>
Subject: Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requirements-01.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2023 13:20:55 -0000
Apologies for the (very) late reaction. James, your comments on the purpose of that paragraph are completely accurate with how I remember it. As some additional background, this came out of someone (can't remember who) suggesting on the mailing list they were (or at least could possibly) using the current reference id for some form of access filtering. On Tue, Feb 7, 2023 at 1:39 PM James <james.ietf@gmail.com> wrote: > > Miroslav, > > Thanks for reviewing the document, and apologies for my delay in response. > > See inline. > > - J > > > On 24 Jan 2023, at 14:39, Miroslav Lichvar <mlichvar@redhat.com> wrote: > > > > On Wed, Jan 18, 2023 at 10:04:52AM -0800, internet-drafts@ietf.org wrote: > >> > >> A New Internet-Draft is available from the on-line Internet-Drafts directories. > >> This draft is a work item of the Network Time Protocols WG of the IETF. > >> > >> Title : NTPv5 use cases and requirements > >> Author : James Gruessing > >> Filename : draft-ietf-ntp-ntpv5-requirements-01.txt > > > > The new version added the following paragraph: > > > > An additional identifier mechanism MAY be considered for the > > purposes of client allow/deny lists, logging and monitoring. Such a > > mechanism, when included, SHOULD be independent of any loop > > avoidance mechanism, and authenticity requirements SHOULD be > > considered. > > > > It's not very clear to me what feature of the protocol is this > > supposed to allow or prevent. Any examples? > > J: My interpretation of the text David provided (also based on our discussions) is to ensure a decoupling of access control (allow/deny list) from loop detection functionality as the two are orthogonal concepts and should have no dependency. The choice of MAY is that it's entirely optional for this capability to be provided in the protocol specification, recognising it's additional (optional) bytes on the wire, and potential complexity. > > David: Is this right? Or do you have a differing view? > > > > > In 5.1. there is: > > The risk that an on-path attacker can delay packets between a > > client and server exists in all time protocols operating on > > insecure networks and its mitigations within the protocol are > > limited for a clock which is not yet synchronised. > > > > I think I suggested this before. It would be good to add a requirement > > here for the protocol to MUST be able to prevent attackers from > > injecting unlimited offsets to the measurements, i.e. not allow the > > broadcast mode in NTPv5. We should support only the most secure mode > > (client-server). > > J: Whilst I agree with this, at the last interim we had an unresolved discussion about which modes should/shouldn't be in scope. I've raised https://github.com/fiestajetsam/draft-gruessing-ntp-ntpv5-requirements/issues/14 but haven't had feedback yet. > > > -- > > Miroslav Lichvar > > > > _______________________________________________ > > ntp mailing list > > ntp@ietf.org > > https://www.ietf.org/mailman/listinfo/ntp >
- [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requiremen… internet-drafts
- Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requir… Miroslav Lichvar
- [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-ntp-… Ulrich Windl
- Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requir… James
- Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requir… David Venhoek