[Ntp] Benjamin Kaduk's Abstain on draft-ietf-ntp-interleaved-modes-06: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 14 July 2021 19:28 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: ntp@ietf.org
Delivered-To: ntp@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C9513A15E7; Wed, 14 Jul 2021 12:28:40 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ntp-interleaved-modes@ietf.org, ntp-chairs@ietf.org, ntp@ietf.org, odonoghue@isoc.org, odonoghue@isoc.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.34.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <162629091975.14007.6055328883450643576@ietfa.amsl.com>
Date: Wed, 14 Jul 2021 12:28:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/TuS8fEQwbx2q9_66GIge6lvfDc4>
Subject: [Ntp] Benjamin Kaduk's Abstain on draft-ietf-ntp-interleaved-modes-06: (with COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2021 19:28:41 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-ntp-interleaved-modes-06: Abstain When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- While this is an interesting approach, and a very clever technique to add new functionality in the face of perceived constraints, it's not clear to me that the perceived constraints are indeed constraints in reality -- this possible mismatch between perceived constraints and actual constraints seems to be at the core of Warren and Rob's discuss points, so I will not belabor it further here. Furthermore, the overall quality of the document in terms of describing the protocol does not seem to be at the level that I have come to expect from proposed standards. In particular, if I tried to implement this protocol, I think I would find myself needing to make guesses or choose among multiple possible interpretations of the text in many places. Accordingly, I can't support publishing this document as a proposed standard in its current form, so I'm balloting Abstain. It would certainly be possible to improve the document into a form that I can support, but since I don't have a specific list of actionable changes that would be needed to do so, I have to ballot Abstain rather than Discuss. The discussion of "user space"/"kernel", "system call", and the like seems to implicitly assume a certain architecture and may not be applicable to fully all devices speaking NTP. But these are certainly common architectures and abstractions, and I don't expect that using this framing for the discussion will hamper readability. There seem to be some scenarios where packets can be sent in both basic mode and interleaved mode within the same association, and it cannot always be predicted whether a response or "next message" will be in interleaved mode or not. It seems like this could present significant implementation complexity in terms of deciding whether or not to process a packet "now" as a basic-mode packet or wait for a follow-up that includes the more-accurate interleaved-mode timestamp, or some more complicated combination of the two. Is there any implementation guidance that we can give about how to process packets when there may or may not be a later follow-up with a correction to it? Section 1 Requests and responses cannot always be formed in interleaved mode. Servers, clients, and peers are required to support both interleaved and basic modes. I'm not sure I understand the intended statement of requirement here. Are we proposing (by virtue of Updates: 5905) that all NTP implementations are required to support interleaved mode? Or just that, in order to use interleaved mode, all parties are required to have support for it? Section 2 Breaking this up into subsections might help readability. A client request in the basic mode has an origin timestamp equal to the transmit timestamp from the previous server response, or is zero. A server response in the basic mode has an origin timestamp equal to the transmit timestamp from the client's request. The transmit timestamps correspond to the packets in which they are included. Since we use the receive timestamp from the client's request in some of our later discussion, I would strongly suggest including the receive timestamp in the description of basic mode here (and interleaved mode in the subsequent paragraph). A client request in the interleaved mode has an origin timestamp equal to the receive timestamp from the previous server response. A server response in the interleaved mode has an origin timestamp equal to the receive timestamp from the client's request. The transmit timestamps correspond to the previous packets that were sent to the server or client. Please provide a lot more precision about what "transmit timestamps correspond to the previous packets" means -- I might guess that it's just (client, server) using the same transmit timestamp used by the (client, server) to generate the initial exchange that preceded interleaved mode, but I also might guess a lot of other things. The transmit and receive timestamps in server responses need to be unique to prevent two different clients from sending requests with the same origin timestamp and the server responding in the interleaved mode with an incorrect transmit timestamp. If the IIUC (having read the rest of the document), the requirement here is that if we take the union of all transmit timestamps and all receive timestamps generated by the server, there must be no duplicates. This text as written did not lead me to that conclusion; I had initially assumed that it only meant "for each response packet generated, do not generate x.rec == x.xmt", which is a much weaker condition (and very hard to achieve accidentally!). I strongly suggest rewording to improve clarity. timestamps are not guaranteed to be monotonically increasing, the server SHOULD check that the transmit and receive timestamp is not already saved as a receive timestamp of a previous request (from the same IP address if the server separates timestamps by addresses), and generate a new timestamp if necessary. It would be nice to have a little more exposition on whether it's only monotonicity of transmit timestamps that's important for being able to skip this check, since "the timestamps" as written could also refer to the receive timestamp given the previous discussion. Additionally, the mention of "transmit and receive timestamp is not already saved" implies that this check is only needed when the two timestamps have the same value, and I'm not entirely sure whether that's the case. A response in the interleaved mode MUST contain the transmit timestamp of the response which contained the receive timestamp matching the origin timestamp from the request. [...] "contain" doesn't say much about containing *where*; I suggest being very clear that it contains in the transmit timestamp field the same transmit timestamp used in the previous response. The first request from a client is always in the basic mode and so is the server response. It has a zero origin timestamp and zero receive timestamp. Only when the client receives a valid response from the server, it will be able to send a request in the interleaved mode. While this is true of the first request ever, it's not quite true for the first request of a given exchange, since RFC 5905 allows the client to send the transmit timestamp from a previous server response as the origin timestamp. We do mention at the end of the section that draft-ietf-ntp-data-minimization recommends sending zero as the origin timestamp, but that's of course not something that can be strongly relied upon. I'd actually suggest just noting here that the first request has to be detected to be in basic mode, and forward-reference a dedicated subsection at the end of the section that talks about how to identify such requests. When the client receives a response from the server, it performs the tests described in RFC 5905. Two of the tests are modified for the interleaved mode: Indicating more precisely exactly which tests are modified (e.g., that these are the numbered tests from figure 22 of RFC 5905) could be useful. 1. The check for duplicate packets SHOULD compare both receive and transmit timestamps in order to not drop a valid response in the interleaved mode if it follows a response in the basic mode and they contain the same transmit timestamp. 2. The check for bogus packets SHOULD compare the origin timestamp with both transmit and receive timestamps from the request. If the origin timestamp is equal to the transmit timestamp, the response is in the basic mode. If the origin timestamp is equal to the receive timestamp, the response is in the interleaved mode. If I understand correctly, ignoring either of these SHOULDs would result in completely failing to use interleaved mode. Does that mean that they're MUSTs? A check for a non-zero origin timestamp works with clients that implement NTP data minimization [I-D.ietf-ntp-data-minimization]. To detect requests in the basic mode from clients that do not implement the data minimization, the server can encode in low-order bits of the receive and transmit timestamps below precision of the clock a bit indicating whether the timestamp is a receive timestamp. If the server receives a request with a non-zero origin timestamp which does not indicate it is a receive timestamp of the server, the request is in the basic mode and it is not necessary to save the new receive and transmit timestamp. In the vein of my earlier comment, I'd suggest rewording this significantly and making it a dedicated subsection on detecting if a request is in basic or interleaved mode. That might look something like this: % As part of request processing, the server must determine whether a % given request is in basic or interleaved mode (and thus whether or not % to respond in basic or interleaved mode). A request with a zero % origin timestamp is unambiguously in basic mode, but RFC 5905 allows a % client to send a request with a non-zero origin timestamp copied from % the transmit timestamp of a previous response from that server. While % [I-D.ietf-ntp-data-minimization] recommends always using zero for the % request's origin timestamp, that is not a behavior that the server can % rely upon, and so an additional mechanism is needed in order to detect % whether a request with non-zero origin timestamp is in basic mode. % While having the server store all the transmit timestamps it has % previously used (potentially scoped to just this client), combined % with a requirement to maintain uniqueness across all of the transmit % and receive timestamps the server generates, would perform this % function, it would require an unfeasible amount of resources and % degrade the quality of time synchronization. An alternate approach is % to use a low-order bit in the timestamp field, below the precision of % the server's clock, to indicate whether a timestamp is sent as a % transmit timestamp or a receive timestamp. When processing requests % with non-zero origin timestamps, that bit can then be used to % determine whether the request was in basic mode (transmit timestamp) % or interleaved mode (receive timestamp). Section 3 The interleaved symmetric mode uses the same principles as the interleaved client/server mode. A packet in the interleaved symmetric mode has a transmit timestamp which corresponds to the previous packet sent to the peer [...] Please apply the same change regarding "corresponds to" that was made in §2. In order to prevent the peer from matching the transmit timestamp with an incorrect packet when the peers' transmissions do not alternate (e.g. they use different polling intervals) and a previous packet was lost, the use of the interleaved mode in symmetric associations requires additional restrictions. Though the specific "restrictions" are enumerated as specific conditions below (scare quotes since they are only "SHOULD"-level requirements), the subsequent discussion suggests that in practice there are also implications on the relationship between the polling intervals of the two peers. Should we say something here about how the polling intervals should be within a factor of (1.5? 2?) of each other in order for interleaved mode to be feasible? A peer A SHOULD send a peer B a packet in the interleaved mode only when all of the following conditions are met: What happens if I violate this SHOULD? third packet sent by the peer A is in the interleaved mode. The second packet sent by the peer B is in the interleaved mode, but the following packets sent by the peer are in the basic mode, because multiple responses are sent per request. Please clarify whether the final "the peer" is peer A or peer B (or is meant to be "the peers" plural). The peers SHOULD compute the offset and delay using one of the two sets of timestamps specified in the client/server section. They MAY switch between them to minimize the interval between T1 and T4 in order to reduce the error in the measured delay. One of the sets of timestamps doesn't use T1, so I'm not sure what is supposed to be minimized here. Section 4 If the difference is larger than a specified maximum (e.g. 1 second), the packet SHOULD NOT be used for synchronization. Not used at all, or used only in basic mode? Section 7 Clients using the interleaved mode SHOULD randomize all bits of both receive and transmit timestamps, as recommended for the transmit timestamp in the NTP client data minimization [I-D.ietf-ntp-data-minimization], to make it more difficult for off- path attackers to guess the origin timestamp. [...] I would suggest going into a little more detail on the scope of consequences if an off-path attacker does successfully guess the origin timestamp. Protecting symmetric associations in the interleaved mode against replay attacks is even more difficult than in the basic mode. The NTP state needs to be protected not only between the reception and transmission in order to send the peer a packet with a valid origin timestamp, but all the time to not lose the timestamps which will be needed to complete a measurement when the following packet in the interleaved mode is received. Is there some existing guidance on how to protect symmetric associations that we can refer to (and would be effective under these constraints)? NITS Section 1 This document describes an interleaved client/server, interleaved symmetric, and interleaved broadcast mode. In these modes, the server sends a single packet, which contains a transmit timestamp corresponding to the previous packet that was sent to the client or peer. [...] The "sends a single packet" phrasing is a little weird, since we have a four-packet architecture and the comparison we're making is that any given request gets only a single response, not that there is only one packet needed overall. Section 2 The client SHOULD NOT update its NTP state when an invalid response is received to not lose the timestamps which will be needed to complete a measurement when the subsequent response in the interleaved mode is received. I suggest a comma after "invalid response is received".
- [Ntp] Benjamin Kaduk's Abstain on draft-ietf-ntp-… Benjamin Kaduk via Datatracker
- Re: [Ntp] Benjamin Kaduk's Abstain on draft-ietf-… Miroslav Lichvar