Re: [Ntp] NTP Security (was NTPv5: big picture)

James Browning <jamesb.fe80@gmail.com> Sat, 16 January 2021 22:49 UTC

References: <rsalz@akamai.com> <993FEEB5-F498-472E-813E-E684E273612F@akamai.com> <20210102050501.7D0DE40605C@ip-64-139-1-69.sjc.megapath.net> <26A97601-BEB4-4914-B570-6C8BD9C72FAD@akamai.com> <CACsn0cm=d3z+ceTDMaw2LDHg_AeNoxbs411iEFNpGpnWcyvZvw@mail.gmail.com>
In-Reply-To: <CACsn0cm=d3z+ceTDMaw2LDHg_AeNoxbs411iEFNpGpnWcyvZvw@mail.gmail.com>
Message-ID: <CAFTY+dAMNZF_qPbzo2Fsj1LtF5+s-cze5s52rxBZSk6ofzG9gQ@mail.gmail.com>
To: NTP WG <ntp@ietf.org>
Cc: James Browning <jamesb.fe80@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/NUmLeS2R4VlBRWOaws_lMrR7DZ4>

On Sat, Jan 16, 2021, at 11:02 AM Watson Ladd <watsonbladd@gmail.com> wrote:

> I'd like to see some input from people who operate the pool on what
> solutions would work for them. Right now we're sort of flying blind.
> Perhaps we can discuss at IETF 110?
>

Only a user of the pool, but I basically see three ways to manage that.
1) Have the pool serve up SRV records and rewrite the pool code, the spec,
and clients to compensate.
2) Have the pool run a common NTS-KE server for all NTS servers in the pool.
3) Convince TLS certificate vendors to sell IP based certificates.
I am not particularly fond of any. Someone should find a fourth way.

----
Removing all doubt.
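Option 2 in the message above (one NTS-KE server fronting every NTS-capable pool member) rests on a record RFC 8915 already defines: the NTPv4 Server Negotiation record, which lets the key-establishment server tell the client to do its time exchange with a different host. The following is an added example written for this page; it is not code from the pool project, from any NTS implementation, or from the author of this message. It builds the plaintext NTS-KE record stream such a pool-wide server could return and parses it on the client side. The host names nts-ke.example.net and ntp1.example.net, the cookie bytes and the port are constructed, and the TLS 1.3 session that would carry these records (ALPN "ntske/1") is left out.

```python
import struct

# RFC 8915 section 4.1 record types
END_OF_MESSAGE = 0
NEXT_PROTOCOL = 1
ERROR = 2
WARNING = 3
AEAD_ALGORITHM = 4
NEW_COOKIE = 5
SERVER_NEGOTIATION = 6
PORT_NEGOTIATION = 7

CRITICAL_BIT = 0x8000
PROTO_NTPV4 = 0             # Next Protocol ID for NTPv4
AEAD_AES_SIV_CMAC_256 = 15  # mandatory-to-implement AEAD algorithm number
ERR_UNRECOGNIZED_CRITICAL = 0
ERR_BAD_REQUEST = 1


def encode_record(rtype, body=b"", critical=False):
    """One record: uint16 (critical bit | type), uint16 body length, body."""
    if rtype > 0x7FFF or len(body) > 0xFFFF:
        raise ValueError("record type or body out of range")
    flag = CRITICAL_BIT if critical else 0
    return struct.pack("!HH", rtype | flag, len(body)) + body


def decode_records(data):
    """Return [(type, critical, body)] up to and including End of Message.

    Truncated input or a missing End of Message raises, so a malformed
    peer cannot make the parser read past the buffer or loop forever.
    """
    records, off = [], 0
    while off + 4 <= len(data):
        tc, length = struct.unpack_from("!HH", data, off)
        off += 4
        body = data[off:off + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        off += length
        rtype, critical = tc & 0x7FFF, bool(tc & CRITICAL_BIT)
        if rtype == END_OF_MESSAGE and length:
            raise ValueError("End of Message must carry no body")
        records.append((rtype, critical, body))
        if rtype == END_OF_MESSAGE:
            return records
    raise ValueError("no End of Message record")


def uint16_list(body):
    if len(body) % 2:
        raise ValueError("odd-length uint16 list")
    return struct.unpack("!%dH" % (len(body) // 2), body)


def single_uint16(body):
    vals = uint16_list(body)
    if len(vals) != 1:
        raise ValueError("expected exactly one uint16")
    return vals[0]


def build_client_request():
    """Client-to-server stream: NTPv4 over AEAD_AES_SIV_CMAC_256."""
    return (encode_record(NEXT_PROTOCOL, struct.pack("!H", PROTO_NTPV4), critical=True)
            + encode_record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256))
            + encode_record(END_OF_MESSAGE, critical=True))


def error_response(code):
    return (encode_record(ERROR, struct.pack("!H", code), critical=True)
            + encode_record(END_OF_MESSAGE, critical=True))


def build_pool_response(request, ntp_server, ntp_port, cookies):
    """Hypothetical pool-wide NTS-KE server: answer `request` and point the
    client at `ntp_server`, a pool member that runs no NTS-KE of its own.
    The cookies are opaque to the client but `ntp_server` must unseal them,
    so it and the KE server have to share cookie key material."""
    protos, aeads = (), ()
    for rtype, critical, body in decode_records(request):
        if rtype == NEXT_PROTOCOL:
            protos = uint16_list(body)
        elif rtype == AEAD_ALGORITHM:
            aeads = uint16_list(body)
        elif rtype != END_OF_MESSAGE and critical:
            return error_response(ERR_UNRECOGNIZED_CRITICAL)
    if PROTO_NTPV4 not in protos or AEAD_AES_SIV_CMAC_256 not in aeads:
        return error_response(ERR_BAD_REQUEST)
    out = encode_record(NEXT_PROTOCOL, struct.pack("!H", PROTO_NTPV4), critical=True)
    out += encode_record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256))
    out += encode_record(SERVER_NEGOTIATION, ntp_server.encode("ascii"))
    out += encode_record(PORT_NEGOTIATION, struct.pack("!H", ntp_port))
    for cookie in cookies:
        out += encode_record(NEW_COOKIE, cookie)
    return out + encode_record(END_OF_MESSAGE, critical=True)


def parse_server_response(response, ke_host):
    """Client side. Absent a Server Negotiation record the client talks NTP
    to the NTS-KE host itself; that record is what overrides the default."""
    r = {"server": ke_host, "port": 123, "cookies": [], "aead": None, "proto": None}
    for rtype, critical, body in decode_records(response):
        if rtype == ERROR:
            raise RuntimeError("NTS-KE error code %d" % single_uint16(body))
        elif rtype == NEXT_PROTOCOL:
            r["proto"] = uint16_list(body)
        elif rtype == AEAD_ALGORITHM:
            r["aead"] = single_uint16(body)
        elif rtype == SERVER_NEGOTIATION:
            r["server"] = body.decode("ascii")
        elif rtype == PORT_NEGOTIATION:
            r["port"] = single_uint16(body)
        elif rtype == NEW_COOKIE:
            r["cookies"].append(bytes(body))
        elif rtype in (WARNING, END_OF_MESSAGE):
            pass
        elif critical:
            raise ValueError("unrecognized critical record type %d" % rtype)
    if r["proto"] != (PROTO_NTPV4,) or r["aead"] is None or not r["cookies"]:
        raise ValueError("incomplete NTS-KE response")
    return r
```

The record format solves the addressing half of option 2 only: a client that connected to nts-ke.example.net will happily send NTS-protected NTP to ntp1.example.net, but the cookies it carries have to be unsealed by ntp1.example.net, so every pool member the shared KE server hands out must hold the same cookie key material as that server. Distributing and rotating that key across independently operated pool servers is the operational cost that the message's dislike of option 2 points at.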