Re: [Ntp] NTPv5 draft

Miroslav Lichvar <mlichvar@redhat.com> Tue, 01 December 2020 09:37 UTC

Date: Tue, 01 Dec 2020 10:37:26 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: James <james.ietf@gmail.com>
Cc: Dieter Sibold <dsibold.ietf@gmail.com>, ntp@ietf.org
Message-ID: <20201201093726.GI1900232@localhost>
References: <20201111161947.GG1559650@localhost> <AA848C67-CFB7-43FC-B190-FD3911360373@gmail.com> <20201201081203.GB1900232@localhost> <246642c8-18eb-d062-81bb-f6e6fa6f73e7@gmail.com>
MIME-Version: 1.0
In-Reply-To: <246642c8-18eb-d062-81bb-f6e6fa6f73e7@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/QTY3jxtgA9HkUSnqUefTHZdtr5w>

On Tue, Dec 01, 2020 at 10:20:48AM +0100, James wrote:
> Given that the largest number of deployments of NTPv4 operate on the public
> internet, if our intention is to have a protocol to supersede NTPv4 and
> solve the issues of those existing use cases, the protocol must provide
> mitigation to the existing threats of both server malfeasance and middlebox
> tampering and prevent downgrading that would enable either.

Which security-related issues of existing use cases do you expect
NTPv5 to solve?

> NTS is not the
> only option and roughtime has shown it is possible to provide authentication
> primitives as a core part of the protocol without the larger overheads that
> a bolt-on requires.

Symmetric keys are not practical on the public internet. If roughtime has
some significant advantages over NTS that would be useful in NTP,
there is nothing stopping us from specifying a roughtime extension for
NTP. I'm not sure why it would need to be included in the core protocol.

-- 
Miroslav Lichvar
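The "symmetric keys" Miroslav refers to are the NTPv4 MAC of RFC 5905 section 7.3: a 32-bit key ID and a digest appended to the 48-byte header, computed from a secret both sides must already share (an ntp.keys entry). The following is an added example, not code from the thread or from any NTP implementation; it builds a client request, authenticates it with a constructed key, and shows that a verifier holding the same key rejects an on-path rewrite of the transmit timestamp. The key value, key ID and timestamp are assumptions, and the digest is computed as MD5 over key || header, the form ntpd and chrony use for MD5 keys.

```python
"""
NTPv4 symmetric-key authentication (RFC 5905 section 7.3), added example.
Packet = 48-byte header [+ extension fields] + 32-bit key ID + digest.
The digest here is MD5(key || header), the classic ntpd/chrony form.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

# Constructed pre-shared key (assumed value), as a line in ntp.keys would
# define it: key ID 1, type MD5. Every client/server pair needs such a
# secret in advance, which is the distribution problem on the public internet.
KEYS = {1: b"constructed-shared-secret"}


def to_ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def build_client_header(transmit_ts: int) -> bytes:
    """Minimal NTPv4 client request: LI=0, VN=4, Mode=3, other fields zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(
        "!BBBbIIIQQQQ",
        li_vn_mode, 0, 0, 0,   # stratum, poll, precision (signed)
        0, 0, 0,               # root delay, root dispersion, reference ID
        0, 0, 0,               # reference, origin, receive timestamps
        transmit_ts,           # bytes 40..47
    )


def mac_md5(key: bytes, header: bytes) -> bytes:
    # Plain digest over key || message, not HMAC: this is what the NTPv4
    # MD5 key type means in practice.
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int) -> bytes:
    """Append key ID and digest; the digest covers everything before the MAC."""
    return header + struct.pack("!I", key_id) + mac_md5(KEYS[key_id], header)


def verify(packet: bytes) -> bool:
    """Accept only a packet whose key ID is known and whose digest matches."""
    if len(packet) != 48 + 4 + 16:      # header + key ID + MD5 digest
        return False
    header, key_id_raw, digest = packet[:48], packet[48:52], packet[52:]
    key = KEYS.get(struct.unpack("!I", key_id_raw)[0])
    if key is None:                      # unknown key ID: unauthenticated
        return False
    return hmac.compare_digest(mac_md5(key, header), digest)


def middlebox_rewrite_transmit(packet: bytes, new_ts: int) -> bytes:
    """Simulate an on-path device rewriting the transmit timestamp in place."""
    return packet[:40] + struct.pack("!Q", new_ts) + packet[48:]


if __name__ == "__main__":
    ts = to_ntp_timestamp(1606815446.5)          # assumed client clock
    pkt = authenticate(build_client_header(ts), 1)
    print("genuine packet verifies:", verify(pkt))
    tampered = middlebox_rewrite_transmit(pkt, to_ntp_timestamp(1606815450.0))
    print("tampered packet verifies:", verify(tampered))
```

The verifier catches modification of any byte under the digest, but only for peers that already share the key; an unauthenticated 48-byte packet is simply a different packet, so whether a client accepts it is a policy decision in the client, not something the MAC format itself enforces.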