Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standardsecurity
tom petch <daedulus@btconnect.com> Mon, 15 February 2021 12:15 UTC
On 15/02/2021 03:23, Hal Murray wrote:
>
>> That said, I think recent practice has been to not take a strict hard line
>> that MD5 cannot be used ever, and that non-cryptographic uses for legacy
>> compatibility can be retained, when accompanied by a disclaimer that the use
>> of MD5 is not for cryptographic purposes and that MD5 is not a secure
>> cryptographic hash function.
>
> I'm missing the big picture. What is Yang supposed to do?
>
> I'd expect it would be describing existing practices. I don't expect it to be
> trying to add MUSTs to other RFCs.
>
> I'd be happy with notes that a use case has been deprecated, especially if
> there is an RFC to point to.
>
> But unless I'm missing something, Yang is not the place to be trying to
> enforce good crypto practices. Most people working on NTP won't pay any
> attention to Yang if they even know it exists.
>
>
> NTP uses MD5 in two places. One is hashing IPv6 addresses to make something
> that fits into a slot that only has room for IPv4 addresses. I don't think
> there are any crypto/security considerations.
>
> The other is for authenticating packets. RFC 8573 deprecates that usage. A
> note in a Yang document saying "using MD5 for authenticating NTP has been
> deprecated by RFC 8573" seems like a good idea. I think anything stronger
> will be inappropriate. But maybe I don't understand what Yang is all about.

Hal

YANG provides configuration and management for IETF (and other) protocols.

I am not sure which MUST you have in mind, but RFC5905 is updated by RFC8573
and I see nothing in this I-D as it stands that goes beyond those RFCs.

It is not the job of YANG to enforce good practice, but it is the job of an
author to produce something that gets through the IESG and, in some areas,
the IESG is ahead of common practice, the use of IPv6 and Security being two
where I regularly see the IESG wanting more than I see in the world at large.

(Thus the IETF has just produced an I-D updating 100 or so RFCs to deprecate
the use of older versions of TLS; this does not surprise me, but I do not see
it increasing the security of the Internet, perhaps the opposite, but then
this is security!)

So MD5 may be in widespread use for security in lots of protocols, but that
does not mean that an I-D (implicitly) recommending its use will pass the
IESG! I do not know the answer to that, which is why I posted a separate
e-mail on the topic intending to catch the eye of a Security I-D:-). The I-D
has passed a secdir review, but that may not have realised the implication
buried in the YANG. Perhaps a note in the Security Considerations deprecating
MD5 is enough, but that is not my call.

Tom Petch
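The two MD5 uses Hal lists differ in kind. As an added example (not code from this thread, the I-D, or any NTP implementation), here is the non-cryptographic one, the RFC 5905 reference-ID derivation, in stdlib Python: an IPv4 server address goes into the 32-bit refid field unchanged, an IPv6 address goes in as the first four octets of its MD5 hash, so the field is a loop-detection identifier rather than anything an attacker could be stopped by. The sample addresses and the `describe_refid` decoder are constructed for illustration.

```python
import hashlib
import ipaddress


def ntp_refid(address: str) -> bytes:
    """Return the 4-octet reference ID that RFC 5905 derives for a server address."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        # IPv4 fits the 32-bit field as-is.
        return addr.packed
    # RFC 5905, section 3: for IPv6 the refid is the first four octets of the
    # MD5 hash of the 16-octet address. Truncated and unkeyed, so it only
    # identifies the upstream server; it authenticates nothing.
    return hashlib.md5(addr.packed).digest()[:4]


def refid_matches(refid: bytes, address: str) -> bool:
    """True if a refid seen in a packet could have come from this address."""
    return ntp_refid(address) == refid


def describe_refid(refid: bytes, stratum: int) -> str:
    """Decode a refid for display (constructed helper, not from RFC 5905).

    At stratum 0/1 the field carries a 4-character ASCII kiss code or clock
    identifier; at stratum 2 and above it is either a raw IPv4 address or an
    MD5 prefix of an IPv6 address, and the field alone cannot say which.
    """
    if len(refid) != 4:
        raise ValueError("refid must be exactly 4 octets")
    if stratum <= 1:
        return "clock/kiss: " + refid.decode("ascii", errors="replace").rstrip("\0 ")
    return f"ipv4 {ipaddress.IPv4Address(refid)} or md5-prefix(ipv6) {refid.hex()}"


if __name__ == "__main__":
    # Constructed sample inputs: a documentation-range IPv4 and IPv6 server.
    for server in ("192.0.2.10", "2001:db8::10"):
        rid = ntp_refid(server)
        print(server, "->", rid.hex(), "|", describe_refid(rid, 2))
    print(describe_refid(b"GPS\0", 1))
```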