IETF Logo Mail Archive

[Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kaduk's Discuss on draft-ietf-ntp-mode-6-cmds-09: (with DISCUSS and COMMENT)

Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> Mon, 31 August 2020 08:58 UTC

Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 400053A1126; Mon, 31 Aug 2020 01:58:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvZyfL5xzB4T; Mon, 31 Aug 2020 01:58:54 -0700 (PDT)
Received: from mx1.uni-regensburg.de (mx1.uni-regensburg.de [194.94.157.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F4833A1127; Mon, 31 Aug 2020 01:58:53 -0700 (PDT)
Received: from mx1.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 5FFB16000050; Mon, 31 Aug 2020 10:58:51 +0200 (CEST)
Received: from gwsmtp.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by mx1.uni-regensburg.de (Postfix) with ESMTP id 43DC1600004D; Mon, 31 Aug 2020 10:58:51 +0200 (CEST)
Received: from uni-regensburg-smtp1-MTA by gwsmtp.uni-regensburg.de with Novell_GroupWise; Mon, 31 Aug 2020 10:58:51 +0200
Message-Id: <5F4CBBC9020000A10003B009@gwsmtp.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.2.1
Date: Mon, 31 Aug 2020 10:58:49 +0200
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: draft-ietf-ntp-mode-6-cmds@ietf.org, The IESG <iesg@ietf.org>, "ntp@ietf.org" <ntp@ietf.org>, "ntp-chairs@ietf.org" <ntp-chairs@ietf.org>, odonoghue@isoc.org, kaduk@mit.edu
References: <2BFF872A0200004AAB822621@gwsmtp.uni-regensburg.de> <F491F1910200008C43047E14@gwsmtp.uni-regensburg.de> <D034AC67020000DF84283561@gwsmtp.uni-regensburg.de> <5F48A499020000A10003AF47@gwsmtp.uni-regensburg.de> <20B5016D0200004143047E14@gwsmtp.uni-regensburg.de>
In-Reply-To: <20B5016D0200004143047E14@gwsmtp.uni-regensburg.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Nhxhu6YBn8RKE9OMbd0J1UEs098>
Subject: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kaduk's Discuss on draft-ietf-ntp-mode-6-cmds-09: (with DISCUSS and COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2020 08:58:59 -0000

>>> Hal Murray <hmurray@megapathdsl.net> schrieb am 29.08.2020 um 10:46 in
Nachricht <20200829084626.C0F2E40605C@ip-64-139-1-69.sjc.megapath.net>:

> Ulrich.Windl@rz.uni‑regensburg.de said:
>> While many decisions in the past were made to keep up backwards
>> compatibility, the encryption type is set up indirectly vie the ntp.keys
>> file. However (AFAIR) the file is not part of the NTP specification, so
for
>> the on‑wire protocol there's no change to get the encryption type. One
might
>> guess, however.
> 
>> Probably this was an omission after the only encryption type (DES) had
been
>> extended to allow MD5 also (in NTPv3 AFAIR). The later on it was still
>> forgotten. 
> 
> No, it's not an omission.  There is no need for the encryption type to be on

> 
> the wire.  The admins for the client and server agree on the type while they

> 
> are agreeing on the key and keyid.

Well, if there's only one algorithm, you don't need to specify it, but if
there are multiple, it would be quite helpful. It's not needed, maynbe, but the
code tried to guess from the packet sizes what type of algorithm it might be.
DES vs. MD5 vs. SHA-a may be easy, but the more algorithms are allowed, the
trickier it becomes...

Original comment from NTP source:
        /*
         * Parse the extension field if present. We figure out whether
         * an extension field is present by measuring the MAC size. If
         * the number of words following the packet header is 0, no MAC
         * is present and the packet is not authenticated. If 1, the
         * packet is a crypto-NAK; if 3, the packet is authenticated
         * with DES; if 5, the packet is authenticated with MD5; if 6,
         * the packet is authenticated with SHA. If 2 or * 4, the packet
         * is a runt and discarded forthwith. If greater than 6, an
         * extension field is present, so we subtract the length of the
         * field and go around again.
         */

> 
> The backwards compatibility was just good luck.
> 
> 
>> Actually I don't understand the part: "The client and server or peer can
use
>> different values, but they must map to the same key." 
> 
> I think it's a bug.
> 
> 
> ‑‑ 
> These are my opinions.  I hate spam.

v2.23.0 | Report a Bug | By Email