Re: [Ntp] NTP Security (was NTPv5: big picture)

FUSTE Emmanuel <emmanuel.fuste@thalesgroup.com> Wed, 20 January 2021 09:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/V9vQpoLYEZBoGD06oqOmaA0M7k4>

Le 20/01/2021 à 10:07, Miroslav Lichvar a écrit :
> On Tue, Jan 19, 2021 at 06:48:45PM +0100, Kurt Roeckx wrote:
>> I agree that you can't combine two things that are not validated
>> and end up with something that's validated. But everything really
>> is about probabilities and amount of work needed to break it. The
>> more keys that need to be compromised before you accept something
>> wrong, the more unlikely it is. I think it's really up to the
>> users to decide what is an acceptable risk.
> Ok, as long as it is clear that the proposed mechanism for
> bootstrapping time is not supposed to be secure (in threat models
> commonly assumed with DNSSEC and TLS), just more difficult to be
> exploited, I have no problem with that.
>
> There are other recommendations that could be made if you cannot
> perform the certificate time check using a trusted time source, which
> might be easier to implement, e.g. require multiple independent NTS
> sources.
>
Which has always been part of the proposed mechanism too.
DNSSEC should be put into the equation because it is a necessity to 
have/use in the long term.
So you have to do exactly the same: disable DNSSEC validation, acquire 
the time using multiple independent NTS sources, re-enable DNSSEC 
validation and re-validate the server's direct/reverse records, and be done.
If we do not make this scenario explicit, some will object that they do not / 
will not implement DNSSEC validation because it is incompatible with NTP 
bootstrap/startup.
Using a locally configured CA or the proposed DANE refinement for the NTS 
certificate validation is just another possibility/trade-off. You could 
put the cursor where you want/need.

Emmanuel.
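The bootstrap sequence discussed in this message (disable DNSSEC validation, take time from multiple independent NTS sources, re-enable validation and re-validate the records) as an added illustrative example. This is not code from chrony, ntpd or any NTS implementation, and it does not speak NTS; it models only the decision logic: one vote per operator so that several servers run by the same party do not count as independent, a strict-majority agreement cluster, and refusal to set the clock when the quorum is not met. The server names, operator labels and offsets are constructed.

```python
"""Bootstrap-time quorum for an NTS client whose own clock is not yet trusted.

Added illustrative example, not code from chrony, ntpd or any NTS library.
Server names, operator labels and offsets below are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sample:
    server: str     # hypothetical NTS server name
    operator: str   # hypothetical operator label, used to judge independence
    offset: float   # measured offset in seconds (server time minus local time)


def _largest_cluster(values: List[float], tolerance: float) -> List[float]:
    """Largest subset of values whose spread is at most `tolerance` (sorted sliding window)."""
    values = sorted(values)
    best: List[float] = []
    lo = 0
    for hi in range(len(values)):
        while values[hi] - values[lo] > tolerance:
            lo += 1
        if hi - lo + 1 > len(best):
            best = values[lo:hi + 1]
    return best


def quorum_offset(samples: List[Sample], max_bad: int, tolerance: float) -> Optional[float]:
    """Return an offset only if a strict majority of *independent* operators agree.

    max_bad is the number of operators assumed compromised or wrong. With
    at least 2*max_bad+1 operators the honest ones form a strict majority,
    so a cluster that is a strict majority must contain honest sources, and
    any wrong source inside it is within `tolerance` of an honest one.
    """
    # One vote per operator: several servers run by the same party are not independent.
    per_operator: Dict[str, List[float]] = {}
    for s in samples:
        per_operator.setdefault(s.operator, []).append(s.offset)
    votes = [median(offs) for offs in per_operator.values()]
    n = len(votes)
    if n < 2 * max_bad + 1:
        return None                      # too few independent sources to outvote max_bad
    cluster = _largest_cluster(votes, tolerance)
    if 2 * len(cluster) <= n:
        return None                      # no strict majority agrees; refuse to set the clock
    return median(cluster)


class Bootstrap:
    """Client state across the sequence: DNSSEC validation off, quorum, validation on."""

    def __init__(self) -> None:
        self.dnssec_validation = True    # normal operating state
        self.clock_trusted = False
        self.offset: Optional[float] = None

    def run(self, samples: List[Sample], max_bad: int = 1, tolerance: float = 0.128) -> Optional[float]:
        # Step 1: resolve and reach the NTS servers without DNSSEC validation, because
        # signature validity windows cannot be checked against an untrusted clock
        # (the certificate notBefore/notAfter check in NTS-KE has the same problem).
        self.dnssec_validation = False
        try:
            # Step 2: accept a time only if independent sources agree.
            off = quorum_offset(samples, max_bad, tolerance)
            if off is not None:
                self.offset = off
                self.clock_trusted = True
        finally:
            # Step 3: re-enable DNSSEC validation whatever the outcome; the caller then
            # re-resolves the servers' direct/reverse records with validation on.
            self.dnssec_validation = True
        return self.offset


# Constructed samples: three independent operators near zero offset, two
# operators (D, E) replying with a clock about 30 minutes ahead.
SAMPLES = [
    Sample("a1.example", "opA", 0.010),
    Sample("a2.example", "opA", 0.010),
    Sample("b.example", "opB", 0.010),
    Sample("c.example", "opC", 0.012),
    Sample("d.example", "opD", 1800.0),
    Sample("e.example", "opE", 1800.3),
]

# Constructed samples: one operator fielding three servers that all lie.
COLLUDING = [
    Sample("x1.example", "opX", 1800.0),
    Sample("x2.example", "opX", 1800.0),
    Sample("x3.example", "opX", 1800.0),
    Sample("b.example", "opB", 0.010),
    Sample("c.example", "opC", 0.012),
]

if __name__ == "__main__":
    client = Bootstrap()
    print("quorum offset:", client.run(SAMPLES, max_bad=2, tolerance=0.1))
    print("DNSSEC validation back on:", client.dnssec_validation)
```

With COLLUDING, counting per server would let the three lying servers outvote the two honest ones; counting per operator leaves them a single vote and the honest pair forms the majority. When no majority cluster exists the client stays in bootstrap rather than stepping to a guessed time, and DNSSEC validation is re-enabled in every case.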