Re: [Ntp] [EXT] Re: NTPv5 KISS code support
Hal Murray <halmurray+ietf@sonic.net> Fri, 17 November 2023 20:20 UTC
Return-Path: <halmurray+ietf@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A8B8C151980 for <ntp@ietfa.amsl.com>; Fri, 17 Nov 2023 12:20:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mbynau-nYhy7 for <ntp@ietfa.amsl.com>; Fri, 17 Nov 2023 12:20:01 -0800 (PST)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C38DC151539 for <ntp@ietf.org>; Fri, 17 Nov 2023 12:20:01 -0800 (PST)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (104-182-38-69.lightspeed.sntcca.sbcglobal.net [104.182.38.69]) (authenticated bits=0) by d.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 3AHKJx5d018575 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Fri, 17 Nov 2023 12:19:59 -0800
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 2CAB428C20C; Fri, 17 Nov 2023 12:19:59 -0800 (PST)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8
To: David Venhoek <david@venhoek.nl>
cc: NTP WG <ntp@ietf.org>, Hal Murray <halmurray+ietf@sonic.net>
From: Hal Murray <halmurray+ietf@sonic.net>
In-Reply-To: Message from David Venhoek <david@venhoek.nl> of "Thu, 16 Nov 2023 13:29:05 +0100." <CAPz_-SWb4ZS+M_4Em4+aazT1yKDuFys0B+z8GU=HCV57X2zz+w@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 17 Nov 2023 12:19:59 -0800
Message-Id: <20231117201959.2CAB428C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVaqGkLNfzYNFv0oqRoG9AZObgpojVeyv827Voku/ilnD2sb9JsRPCDmy6FzY7/oP+R8f+jnu66dM38NGtDgPOhOKiwkMBG2/h4=
X-Sonic-ID: C;yiplroaF7hG1zJ0CP63e0g== M;zsl7roaF7hG1zJ0CP63e0g==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/LhWr9EPFJEF8S_s5toRLtL4rrLA>
Subject: Re: [Ntp] [EXT] Re: NTPv5 KISS code support
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2023 20:20:02 -0000
david@venhoek.nl said: > For ease of debugging, I want to be able to give at least some reply so the > client can see that it is at least talking to an NTP server in these > situations. Also, I feel that on cryptographically secured In the Cryptographic failure case, it might be reasonable to send back a non-authenticated message saying why the crypto didn't work. The catch is that the receiver would have to not take any action since it might be forged, but it could be logged for debugging. Is that layer of complexity worthwhile? How do people debug crypto troubles today? What fraction of "crypto" troubles are due to filtering UDP port 123? If the reply has a cookie, that can be used to filter out simple forged attacks. That doesn't cover the MitM case. Note that V4 with data-minimization repurposes the transmit timestamp field to be a cookie. ----- I like the idea of some way to say "not allowed". How many cases are there? 1) NTS: If the server stops responding, the client will run out of cookies and try NTS-KE again. That is a secure channel where we could say "no". 2) Pool: If the server just stops responding and the client does another DNS lookup, it will probably get a different IP Address. 3) Moved to new IP Address: 3a) If the client used the DNS name, trying again will get the new address. 3b) If the client used the IP Address... ?? 4) Server turning off (or reducing service area) 4a) Remove DNS entry 4b) ??? Can we steer people to use cases that are easy to implement? Does that boil down to use DNS rather than IP Addresses? -- These are my opinions. I hate spam.
- [Ntp] NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] KISS => NAT => Rate limiting Windl, Ulrich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Ira McDonald
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- [Ntp] KISS => NAT => Rate limiting Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- [Ntp] Rate limiting/reflection prevention (Was: N… David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Salz, Rich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Forrest Christian (List Account)