IETF Logo Mail Archive

Re: [Ntp] An NTPv5 design sketch

Daniel Franke <dfoxfranke@gmail.com> Wed, 15 April 2020 15:57 UTC

Return-Path: <dfoxfranke@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3E7E3A0B53 for <ntp@ietfa.amsl.com>; Wed, 15 Apr 2020 08:57:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0z0neaYUdEH for <ntp@ietfa.amsl.com>; Wed, 15 Apr 2020 08:57:58 -0700 (PDT)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58B813A0B2B for <ntp@ietf.org>; Wed, 15 Apr 2020 08:57:58 -0700 (PDT)
Received: by mail-il1-x12c.google.com with SMTP id i75so3752443ild.13 for <ntp@ietf.org>; Wed, 15 Apr 2020 08:57:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=il57opLKc6do0kBZjKdgvQPL4tS5sj4u8l5OAF6is8U=; b=CXnz6jNQ0LTB25saCswWIJ9Y8j83J5AUwTWbC6PwW3nBKaushF/q+xTPi+W7NnuMNe Z5NWceHi10mTp0AwhhHBTeCfW1l8aPOYH5Glp1DqUGa4wfMNxVuF+qdMOlmlfgSyXrp/ hXa+mknucpSeHUr/Nypuj1KxVnfo+02/Rd5dHi7PdHaqBZVjzuPHw4sPqybjBzY+m6Ei 1vLwVat/LzgSRawblSWM8GWC6rZA9T5MSkL2VXWf9PzwyhsHfdNaA7mY1nSQo+V3v4Gp /aAjZA9NZM5XdadRyP/3l9+xaqMiebV2V21Dqv+yDSDELxfSmnXQovpnerPjiArgu9Yf RXpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=il57opLKc6do0kBZjKdgvQPL4tS5sj4u8l5OAF6is8U=; b=uAFpbpmBrJIPGwUKR0v+nLQPYztEFj0ARLtkIqW/q9LCSBft4pJyFXfULn3izf8Lg5 MGmuDgzDxcM29lmXozQregFP3cMZZ94X9vjC8jl3iD79sC1k8ei0JiKxYBCopoHhVwcY rpU0wqHDXwXSstNXevqH5rL/9Mf1D1eDrAfEfcYv+x5bxm0gkElVkUdWWv2IcGIMqLTE m1wG9iiqCBqpSOHyKV6z0Gf4tvglp1VOctAVYRS+fLZ/WVtjKYm0M5SUy8ejx14ryF+I 5a9ilqmgGA/0K0JXPz8GV/iHGo9aMrSJw/ObNCDsnjbKO4+OBulkgB7KAI2Zu2RNKZRd etTQ==
X-Gm-Message-State: AGi0PuanjrydmpTmpU1Q7K6NvNO9r2Peign4MoX7auM8oWccLgmAU3w4 2mzBIlpL1WvkJCeo3rNjS1gPvOCW8O1QG6ShjhY=
X-Google-Smtp-Source: APiQypKgo/Z7ZVgM2Z2vh6rhJUyeXLPGl3EbLQzr+bGGP68vX91l9LIC3Mb/3jgtPhT6b0XyfBQVLfdxR1FxILnLrco=
X-Received: by 2002:a92:d447:: with SMTP id r7mr6175851ilm.76.1586966277263; Wed, 15 Apr 2020 08:57:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAJm83bBV+Pox3r6KU49ShwMOvr=R+U_vDKJtSZhfT6XX4qWmbA@mail.gmail.com> <20200414112541.GD1945@localhost> <CAJm83bCxuS_X68-pvpOWCPSmjAjTeYNJVuuOEhV-i82R7B28Mg@mail.gmail.com> <20200414155241.GF1945@localhost> <CAJm83bC1EhwQQ=+B7XPbEkvhOWvxU8zjCd290Fj5N43aMJQTkg@mail.gmail.com> <20200415072023.GG1945@localhost>
In-Reply-To: <20200415072023.GG1945@localhost>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Wed, 15 Apr 2020 11:57:45 -0400
Message-ID: <CAJm83bAEDuLk6vSa82D3smXO4x7iDywoy+FpC=gdm=m3SLrVLg@mail.gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: NTP WG <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/NXD66oznwQ3Iz75UrKtBMXH_v2g>
Subject: Re: [Ntp] An NTPv5 design sketch
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2020 15:58:00 -0000

On Wed, Apr 15, 2020 at 3:20 AM Miroslav Lichvar <mlichvar@redhat.com> wrote:
>
> That code will likely need to be updated to fix security issues.

So will the NTP code itself, not to mention the OS kernel and whatever
else your device is running. Different NTP implementations have had
serious security issues with widely varying frequency; so have
different TLS implementations. I'm not going to engage in arguments
about the precise quantity, severity, or inevitability of these
vulnerabilities; I'm just asserting the lack of a qualitative
difference in the historical need for patching.

> Crypto is hard. NTS
> requires other things that were not needed with plain NTP. It needs a
> full TCP stack and AES-SIV-CMAC. It needs certificates, NTS-KE servers
> and some naming for the servers (e.g. DNS). It needs a much more
> powerful CPU to be able to perform a TLS handshake in reasonable time
> and processing of NTP packets is orders of magnitude slower even with
> a hardware AES support. There is also the requirement on having a
> rough idea of current time in order to validate the certificates.
>
> For people who need to synchronize computers in an isolated network it
> is a lot of extra work. SNTP or NTPv4 may not be good enough for
> accuracy (unless they support correction fields).
>
> There are other authentication mechanisms with different tradeoffs
> that people might want to use.

You're mixing concerns about constrained devices with concerns about
isolated networks and system administration, which are two very
different spaces with different considerations, so I'll address those
separately.

Constrained devices: microcontrollers from the mid-range upward are
plenty capable of TLS and most of them explicitly advertise as much.
The ones smaller than that aren't designed for networked applications
at all; they're designed for like, tying a few pins from an LED or a
motion sensor together with a with a few pins on an I2C bus. The gap
in capabilities between being able to handle all of the network stack
except TLS and being able to handle TLS is tiny, and I assert that in
practice it's non-existent — because TLS is already so ubiquitous that
there's no market for a networked µC that can't handle it.

Isolated networks: TLS doesn't require certificates or DNS! X.509
supports IP-based SANs, and TLS supports PSKs, bypassing X.509
altogether. If today's software support for such options is lacking or
its UX is poor, remember that none of this is getting deployed
tomorrow; if we get this done in three years I'll consider it to have
gone smoothly. When we first decided on AES-SIV for NTS, there was
barely any support for that either. That situation changed because of
the interest that this WG generated.

> I don't see a single reason why NTS should be a requirement of NTPv5.
> It would help if you could explain why do you think it should.

NTPv5 (as I've sketched it) depends on NTS for more than just
cryptographic security; it's also version negotiation (NTS Next
Protocol), server discovery (Server and Port Negotation), and
anti-amplification (address-bound cookies). Making NTS optional would
require alternative approaches to all these issues. It would also
complicate the packet format and add landmines for implementers
(granted, already present in v4 NTS) around correct handling of
unprotected responses.

v2.23.0 | Report a Bug | By Email