Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key authentication interesting?
Kurt Roeckx <kurt@roeckx.be> Wed, 27 May 2020 10:02 UTC
Return-Path: <kurt@roeckx.be>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 674D13A0C6F for <ntp@ietfa.amsl.com>; Wed, 27 May 2020 03:02:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tle_KAfTDvgB for <ntp@ietfa.amsl.com>; Wed, 27 May 2020 03:02:37 -0700 (PDT)
Received: from excelsior.roeckx.be (excelsior.roeckx.be [IPv6:2a05:7300:0:100::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F2F53A0C6D for <ntp@ietf.org>; Wed, 27 May 2020 03:02:37 -0700 (PDT)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by excelsior.roeckx.be (Postfix) with ESMTP id E9358A8A010D; Wed, 27 May 2020 10:02:35 +0000 (UTC)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 8C5F41FE0D1D; Wed, 27 May 2020 12:02:32 +0200 (CEST)
Date: Wed, 27 May 2020 12:02:32 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Cc: mlichvar@redhat.com, Hal Murray <hmurray@megapathdsl.net>, "ntp@ietf.org" <ntp@ietf.org>
Message-ID: <20200527100232.GS2915@roeckx.be>
References: <68248D4C020000916A6A8CFC@gwsmtp.uni-regensburg.de> <54A83DA70200003B43047E14@gwsmtp.uni-regensburg.de> <5ECE33E0020000A10003934B@gwsmtp.uni-regensburg.de> <20200527095536.GR2915@roeckx.be>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20200527095536.GR2915@roeckx.be>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/U-_MygK6V8NsqRS8kIE7bmGE_ec>
Subject: Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key authentication interesting?
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 10:02:39 -0000
On Wed, May 27, 2020 at 11:55:36AM +0200, Kurt Roeckx wrote: > On Wed, May 27, 2020 at 11:33:20AM +0200, Ulrich Windl wrote: > > >>> Hal Murray <hmurray@megapathdsl.net> schrieb am 26.05.2020 um 20:37 in > > Nachricht > > <15818_1590518253_5ECD61ED_15818_1499_1_20200526183714.6514740605C@ip-64-139-1-6 > > .sjc.megapath.net>: > > > > [...] > > > > > > Are crypto NACs interesting? Is the added complexity worth the benefit? > > > > > > If all you get is "NAC", what do you do next when trying to debug things? > > > What's different from what you would do if you didn't get any reaponse? > > > > Just assume on any error that can happen for a https connection you don't get > > a response... > > I fyou are in control of client AND server, you may not need crypto NACs. If > > you are in control of the server, you also may not need crypto nacs, but if you > > only have access to the client and the responses, crypto nacs seem valuable > > IMHO. > > > > > > > > Should we have a separate extension type for Crypto NAC, possibly with a > > > text > > > payload. How many sub‑types are there? Will that leak information? ... > > > > I think it will not leak more information than before. An optional textual > > description seems like a good idea. Maybe the server could be restricted to > > provide such, or not. A model like SMTP's extended status codes sounds like a > > good idea to me (codes for computers, messages for humans (and maybe computers, > > too). > > I'm not sure I fully understand what you're talking about, but > sending an error message that something with the crypto was bad > it a bad idea. You should pretend that everything was ok. An > attacker should not be able to see the difference between an ok > and a not ok message. Look for instance at the TLS RFCs what they > write about a Bleichenbacher attack. Since we're talking about a shared (symatric) key, it's probably not that important. Kurt
- [Ntp] Antw: [EXT] Re: Post NTS, Is shared key aut… Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Kurt Roeckx
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Kurt Roeckx
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Miroslav Lichvar
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Harlan Stenn
- [Ntp] Antw: Re: Antw: [EXT] Re: Post NTS, Is shar… Ulrich Windl
- [Ntp] Antw: Re: Antw: [EXT] Re: Post NTS, Is shar… Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Salz, Rich
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Harlan Stenn
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Salz, Rich
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Daniel Franke
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Harlan Stenn
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Daniel Franke