Re: [Ntp] Roughtime and Delay Attacks

Stewart Bryant <stewart.bryant@gmail.com> Thu, 04 April 2019 09:00 UTC

To: ntp@ietf.org
References: <20190403072255.EA16E40605C@ip-64-139-1-69.sjc.megapath.net> <OF1EB096AA.8F10FC47-ONC12583D1.002B338D-C12583D1.002C46D5@ptb.de>
From: Stewart Bryant <stewart.bryant@gmail.com>
Message-ID: <47b2705b-e29b-320b-c832-3d6c4e7feeb9@gmail.com>
Date: Thu, 04 Apr 2019 10:00:05 +0100
In-Reply-To: <OF1EB096AA.8F10FC47-ONC12583D1.002B338D-C12583D1.002C46D5@ptb.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/SMNkhWV-Yfv9uEAQTYD3QkppqiY>
Subject: Re: [Ntp] Roughtime and Delay Attacks

Sorry, I am struggling to understand how the protection works.

If C (who has just woken) sends a request to S, then all C knows is that 
T ~ Ts - 1/2 RTT. C can know that it was S that replied, but C cannot 
possibly know if S was lying or if an on-path router delayed the packet.

C can keep asking S, and within the limits of the server delay and the 
variation in the routing path and queuing delays the RTT stays sort of 
constant, so C can be suspicious if it changes after it has been running 
or if Ts - 1/2 RTT changes by more than the known drift in its local 
clock. However, routing paths do change and there are traffic congestion 
delays in networks.

C can ask S', S'' etc. and build up a picture of various servers' time, 
but it has to be careful that the paths are disjoint and that S, S' and 
S'' have truly independent and authoritative master clocks.

On the other hand, if the routers are compromised, then there are much 
worse things that they can do, so we normally assume that they are truthful.

So how does this design do better than "T ~ Ts - 1/2 RTT assuming S did 
not lie and also was not simply wrong"?

- Stewart
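Added example, not part of Stewart's mail or of any Roughtime implementation: a small model of the single-exchange estimate and the RTT/drift plausibility check the mail describes. It shows that a truthful server whose reply was delayed on one leg and a lying server reached over a symmetric path produce byte-for-byte the same observation at the client, so only the RTT baseline and the local drift budget are left to flag the anomaly. All numbers (delays, drift rate, slack) are constructed; the estimate uses the usual midpoint convention (true server time at receipt lies in [Ts, Ts + RTT] if S is honest).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exchange:
    t1: float   # client send time (client clock)
    ts: float   # server timestamp carried in the reply (server clock)
    t4: float   # client receive time (client clock)

def rtt(e: Exchange) -> float:
    return e.t4 - e.t1

def bounds(e: Exchange) -> tuple[float, float]:
    """Interval the true server time at t4 must lie in if S was honest."""
    return (e.ts, e.ts + rtt(e))

def offset_estimate(e: Exchange) -> float:
    """Midpoint estimate of (server clock - client clock); uncertainty is +/- RTT/2."""
    return e.ts + rtt(e) / 2.0 - e.t4

def simulate(true_offset: float, out_delay: float, back_delay: float,
             server_lie: float = 0.0, t1: float = 1000.0) -> Exchange:
    """Constructed exchange: one-way delays per leg, optional lie added to Ts."""
    ts = t1 + out_delay + true_offset + server_lie
    t4 = t1 + out_delay + back_delay
    return Exchange(t1, ts, t4)

def check_plausibility(e: Exchange, baseline_rtt: float, prev_offset: float,
                       elapsed_s: float, drift_ppm: float, rtt_slack: float) -> dict:
    """The heuristic from the mail: flag an RTT jump, or an offset move that
    exceeds the local drift budget plus the measurement uncertainty."""
    max_drift = elapsed_s * drift_ppm * 1e-6
    allowed_offset_move = max_drift + (baseline_rtt + rtt(e)) / 2.0
    return {
        "rtt_jump": rtt(e) > baseline_rtt + rtt_slack,
        "offset_jump": abs(offset_estimate(e) - prev_offset) > allowed_offset_move,
    }

# Honest server, 200 ms extra delay injected on the return leg only.
delayed = simulate(true_offset=0.0, out_delay=0.05, back_delay=0.25)
# Lying server, symmetric 150 ms path, Ts shifted back by 100 ms.
lying = simulate(true_offset=0.0, out_delay=0.15, back_delay=0.15, server_lie=-0.10)

if __name__ == "__main__":
    print("identical observation:", delayed == lying)       # same t1, ts, t4
    print("offset estimate (s):", offset_estimate(delayed))  # -0.1 in both cases
    print(check_plausibility(delayed, baseline_rtt=0.10, prev_offset=0.0,
                             elapsed_s=3600, drift_ppm=50, rtt_slack=0.05))
```

The check can only say "something changed", not which of the two explanations holds; that is exactly the gap the mail asks about.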