Re: [Ntp] NTS pool support

"Patrik Fältström " <paf@frobbit.se> Mon, 22 July 2019 07:07 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4904B120106 for <ntp@ietfa.amsl.com>; Mon, 22 Jul 2019 00:07:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JQ1_VcCWraiQ for <ntp@ietfa.amsl.com>; Mon, 22 Jul 2019 00:07:50 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C8E81200E9 for <ntp@ietf.org>; Mon, 22 Jul 2019 00:07:49 -0700 (PDT)
Received: from [172.18.207.64] (w193-11-200-250.eduroam.sunet.se [193.11.200.250]) by mail.frobbit.se (Postfix) with ESMTPSA id 0753A27397; Mon, 22 Jul 2019 09:07:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1563779267; bh=owbO8yu4filau1zb2qxMFK3z7iAY/2HaLYDZj4l1hXQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rpk6TAp627znpvJ42edJq5eA35hbqy/Ix4F4OcPjViRp88xRkAf1WwljmoIPWGXLx mTH4v517HrFsiFeNBnJULfo0dsmjc4grzS32nvt8+Ml3sSigTGoYig+t2YhBu5QjMF KxMwVzdkSDZ7D+2ig45OZwx087kX+sohUK+lvy8Q=
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "Ask =?utf-8?q?Bj=C3=B8rn?= Hansen" <ask@develooper.com>
Cc: "Hal Murray" <hmurray@megapathdsl.net>, "Christer Weinigel" <christer@weinigel.se>, ntp@ietf.org
Date: Mon, 22 Jul 2019 09:07:46 +0200
X-Mailer: MailMate (1.12.5r5635)
Message-ID: <EE28DF78-8706-45EA-B5CD-955F7ED1F3E2@frobbit.se>
In-Reply-To: <C0905BA5-14F8-4F03-A1B7-499582E42C04@develooper.com>
References: <20190721221505.ECA5C40605C@ip-64-139-1-69.sjc.megapath.net> <C0905BA5-14F8-4F03-A1B7-499582E42C04@develooper.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_2CAD5C35-7F5B-494B-A44D-D6DED4F70B2F_="; micalg=pgp-sha1; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/OTF_PLr2T99wCty_-45WMGD57q0>
Subject: Re: [Ntp] NTS pool support
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 07:07:52 -0000

On 22 Jul 2019, at 8:25, Ask Bjørn Hansen wrote:

>> On Jul 21, 2019, at 3:15 PM, Hal Murray <hmurray@megapathdsl.net>; wrote:
>>
>>> Here's my naive suggestion on how to handle NTS pools.
>>
>> I think you have to be very careful about what you mean by "pool".  In most
>> NTP discussions, "the pool" usually means pool.ntp.org, a large collection of
>> NTP servers run by volunteers.  Trust and secure don't make sense with that
>> type of operation.  There is no point in using NTS.
>
> I don’t think that’s true. Implemented right a client could know for sure who it’s talking to.

I must think quite a bit on this proposal, and I completely trust you guys doing NTS right, BUT, my view is:

1. Keep the pool-mechanisms as separate from "NTS-server" mechanisms -- i.e. I am always nervous of feature creep in protocols.

2. We must trust the DNS anyways, and whether one sign and/or validate DNS is a question orthogonal to this discussion. The use of DNSSEC is today *strongly* encouraged, and if you choose to still not do it, you are to some degree toast. But that is a choice.

3. We can not design NTS to be robust if people have chosen other insecure things regarding their environment. There must be a known context within which we design the NTS (and NTS-pool) related issues. We can for example not solve routing problems, and we can not solve DNS security issues, or issues with fake SSIDs (evil hot spots), fake bootp or neighbor discovery messages, or other things.

4. What we *can* do is to make a robust protocol that to some degree for example withstand MITM attacks, but, to get complete protection one must do validation of DNSSEC signed responses, one must have RPKI "strict" for the IP addresses, one must... etc, and that list which is "basic" for todays Internet start to be quite long :-) NTS should fit in that echo system so that other people say "you should use NTS (+roughtime for bootstrap) or else..." i.e. I do not want DNS or HTTP or BGP people start to expand their protocols "just because people might only use NTP and not NTS because NTS is so hard". ;-)

Given that context, on a quick read, I sort of like the below, but think we can do slightly better IF we rely on DNS a bit more. I.e. we can do something that is easy for everyone, and get a good pool structure, and then we say "if the zone is signed, and validation takes place, THEN the whole thing is...".

But I must think a bit more.

   Patrik

> With short lived certificates, the client could know that the pool system had validated the monitoring data within X hours/days. It could be a solution to having a client know if the server had been removed from the pool system.
>
> One suggestion for this that’d work, I think, with Christer’s SRV suggestion would be (as I suggested a few days ago) to configure the client with a certificate authority that’s managed by the pool system and only trust this CA for servers returned by that specific pool DNS name.  (Basically Christer’s TLSA suggestion, but for clients not doing DNSSEC they could configure the CA in their configuration).
>
> The servers participating in the pool would (automatically) request/get an updated certificate every so many days.
>
> This would be an improvement over the current system in that the client will know for sure who it’s talking to and that the server it’s talking to is part of the pool.
>
> (DNSSEC would still be an improvement in that the client would know the particular DNS response was generated by the pool system and not “improvised”, but it wouldn’t be required for NTS to work).
>
> (Another version, as per what Ragner Sundblad suggested last year in https://tools.ietf.org/html/draft-dansarie-nts-00#section-8 <https://tools.ietf.org/html/draft-dansarie-nts-00#section-8> would be to require the pool system to run the NTSKE servers and have another key exchange method with the servers. I think that proposal underestimated the number of distinct clients using the big public pool-like systems (NTP Pool Project and NIST, as two of them).  Christer’s proposal would support “load balancing” the NTPKE work better).
>
>
>
> Ask
>
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp