Re: [Ntp] NTPv5 draft

James <james.ietf@gmail.com> Tue, 01 December 2020 09:20 UTC

To: Miroslav Lichvar <mlichvar@redhat.com>, Dieter Sibold <dsibold.ietf@gmail.com>
Cc: ntp@ietf.org
References: <20201111161947.GG1559650@localhost> <AA848C67-CFB7-43FC-B190-FD3911360373@gmail.com> <20201201081203.GB1900232@localhost>
From: James <james.ietf@gmail.com>
Message-ID: <246642c8-18eb-d062-81bb-f6e6fa6f73e7@gmail.com>
Date: Tue, 01 Dec 2020 10:20:48 +0100
In-Reply-To: <20201201081203.GB1900232@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/PMO9mlaamF48IJL3x-kCV70Bia0>
Subject: Re: [Ntp] NTPv5 draft

On 01-12-2020 08:12, Miroslav Lichvar wrote:
>> I very much agree with James's proposed draft that a new
>> version of NTP must provide these mechanisms by default.  Sure, you can add
>> NTS to protect the NTPv5 packets. But in this case protection is always an
>> optional add-on whereas it needs to be an inherent part of the basic
>> protocol. To achieve this the NTS approach certainly can be transferred to
>> the basic v5 protocol and packet format.
> You mean to require all NTP packets to be authenticated? I don't like
> that idea. The improvements in NTPv5 are orthogonal to authentication.
> NTPv5 is not supposed to be more secure. An NTP client that doesn't
> want to implement the complexity of NTS shouldn't be restricted to
> NTPv4.

Given that the largest number of deployments of NTPv4 operate on the public 
internet, if our intention is to have a protocol to supersede NTPv4 and 
solve the issues of those existing use cases, the protocol must provide 
mitigation to the existing threats of both server malfeasance and 
middlebox tampering and prevent downgrading that would enable either. 
NTS is not the only option, and Roughtime has shown it is possible to 
provide authentication primitives as a core part of the protocol without 
the larger overheads that a bolt-on requires.

- J