Re: [Ntp] [EXT] Re: NTPv5 KISS code support

Hal Murray <halmurray+ietf@sonic.net> Fri, 17 November 2023 20:20 UTC

Return-Path: <halmurray+ietf@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A8B8C151980 for <ntp@ietfa.amsl.com>; Fri, 17 Nov 2023 12:20:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mbynau-nYhy7 for <ntp@ietfa.amsl.com>; Fri, 17 Nov 2023 12:20:01 -0800 (PST)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C38DC151539 for <ntp@ietf.org>; Fri, 17 Nov 2023 12:20:01 -0800 (PST)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (104-182-38-69.lightspeed.sntcca.sbcglobal.net [104.182.38.69]) (authenticated bits=0) by d.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 3AHKJx5d018575 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Fri, 17 Nov 2023 12:19:59 -0800
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 2CAB428C20C; Fri, 17 Nov 2023 12:19:59 -0800 (PST)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8
To: David Venhoek <david@venhoek.nl>
cc: NTP WG <ntp@ietf.org>, Hal Murray <halmurray+ietf@sonic.net>
From: Hal Murray <halmurray+ietf@sonic.net>
In-Reply-To: Message from David Venhoek <david@venhoek.nl> of "Thu, 16 Nov 2023 13:29:05 +0100." <CAPz_-SWb4ZS+M_4Em4+aazT1yKDuFys0B+z8GU=HCV57X2zz+w@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 17 Nov 2023 12:19:59 -0800
Message-Id: <20231117201959.2CAB428C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVaqGkLNfzYNFv0oqRoG9AZObgpojVeyv827Voku/ilnD2sb9JsRPCDmy6FzY7/oP+R8f+jnu66dM38NGtDgPOhOKiwkMBG2/h4=
X-Sonic-ID: C;yiplroaF7hG1zJ0CP63e0g== M;zsl7roaF7hG1zJ0CP63e0g==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/LhWr9EPFJEF8S_s5toRLtL4rrLA>
Subject: Re: [Ntp] [EXT] Re: NTPv5 KISS code support
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2023 20:20:02 -0000

david@venhoek.nl said:
> For ease of debugging, I want to be able to give at least some reply so the
> client can see that it is at least talking to an NTP server in these
> situations. Also, I feel that on cryptographically secured 

In the Cryptographic failure case, it might be reasonable to send back a 
non-authenticated message saying why the crypto didn't work.  The catch is 
that the receiver would have to not take any action since it might be forged, 
but it could be logged for debugging.

Is that layer of complexity worthwhile?  How do people debug crypto troubles 
today?

What fraction of "crypto" troubles are due to filtering UDP port 123?


If the reply has a cookie, that can be used to filter out simple forged 
attacks.  That doesn't cover the MitM case.  Note that V4 with 
data-minimization repurposes the transmit timestamp field to be a cookie.


-----

I like the idea of some way to say "not allowed".  How many cases are there?

1) NTS: If the server stops responding, the client will run out of cookies and 
try NTS-KE again.  That is a secure channel where we could say "no".

2) Pool:  If the server just stops responding and the client does another DNS 
lookup, it will probably get a different IP Address.

3) Moved to new IP Address: 
3a) If the client used the DNS name, trying again will get the new address.
3b) If the client used the IP Address...  ??

4) Server turning off (or reducing service area)
4a) Remove DNS entry
4b) ???

Can we steer people to use cases that are easy to implement?
Does that boil down to use DNS rather than IP Addresses?



-- 
These are my opinions.  I hate spam.