[Ntp] Secdir telechat review of draft-ietf-ntp-interleaved-modes-07

Catherine Meadows via Datatracker <noreply@ietf.org> Thu, 01 August 2024 18:57 UTC

From: Catherine Meadows via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Date: Thu, 01 Aug 2024 11:57:46 -0700
CC: draft-ietf-ntp-interleaved-modes.all@ietf.org, last-call@ietf.org, ntp@ietf.org
Reply-To: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Subject: [Ntp] Secdir telechat review of draft-ietf-ntp-interleaved-modes-07
List-Id: Network Time Protocol <ntp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/VTdhQwP5hT_FRyUFLKbPPvadHGA>

Reviewer: Catherine Meadows
Review result: Not Ready

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Not Ready.

This ID presents a variant of NTP that provides more accurate time measurements
than basic NTP. In basic NTP, the origin timestamp of a message is placed in
the message itself, so the time taken in processing the send after the message
creation cannot be taken into account. In interleaved NTP, the timestamp is
placed in a later message, and a procedure is given for determining which
timestamps go with which messages. The procedure is relatively complex, and it
introduces security vulnerabilities. These, and appropriate countermeasures,
are described in the Security Considerations Section. This is well written and
sets out the issues clearly, and I don’t see any problems with it.

The ID also includes a new section, on protocol failures, which describes the
various ways in which incorrect implementations can cause the protocol to fail.
I have some problems with this section. First of all, it begins as follows:

An incorrect client implementation of the basic mode (RFC 5905) can
work reliably with servers that implement only the basic mode, but
the protocol can fail intermittently with servers that implement the
interleaved mode.

First of all, it’s not clear what “can work reliably” means here. Does “work
reliably” mean that the client and server get accurate time measurements?
Does the “can” mean it can work reliably sometimes but not all of the time?
Then the paragraph goes on to say “but the protocol can fail intermittently
with servers that implement the interleaved mode.” I assume we are not talking
about the protocol failing with a client with an incorrect basic mode and a
server that is implementing interleaved mode. Do we mean the client is
implementing interleaved mode incorrectly, and the server is implementing it
correctly? That seems to be the case given the examples that follow. But it
should be made clear in the first paragraph.

What follows is a laundry list of incorrect client implementations and the
problems they cause.  But I don’t have an idea of whether this is intended to
be complete or not.  I also don’t have much of a feel as to how interleaved
mode compares with basic mode in terms of reliability, which I think is the
point of this section.

In order to make this section useful the document should at the very least 1) make
it clear what the tolerance of basic mode is to incorrect protocol
implementations, 2) give an idea of how much less tolerant interleaved mode is
of incorrect implementations than basic mode, and 3) give the reader some
indication of how this information should be used. With respect to 3) my
impression is that the takeaway should be that interleaved mode should be used
with great care, preferably in closed environments in which the quality of the
implementations can be controlled, and only in cases in which the accuracy of
the time measures is paramount. Is that the case?

I also don’t think it is necessary to give a complete or even a very long list
of things that can go wrong, just enough to give justification to your
conclusions.
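The review above summarises the mechanism at a high level: in basic mode the server's transmit timestamp (T3) is stamped before the packet actually leaves, so send-side processing is folded into the measurement, while in interleaved mode the accurate transmit time (captured after the packet left) is delivered in a later message and the client has to pair it with the right earlier exchange. The following added simulation is not part of the review or of the draft and does not reproduce the draft's packet-field semantics; it is a constructed, simplified model (synthetic clock values, a symmetric link, and the earlier exchange's T2 used as the pairing key, all assumptions) that shows the accuracy difference using the RFC 5905 offset/delay formulas, and how a client can reject a mismatched late timestamp of the kind an incorrect implementation would produce.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed link and clock parameters (seconds); all values are synthetic.
ONE_WAY = 0.010          # symmetric one-way network delay
TRUE_OFFSET = 0.250      # server clock minus client clock
SERVER_PROC = 0.001      # server time between receiving a request and stamping T3
SEND_LATENCY = 0.002     # time between stamping T3 and the packet actually leaving


@dataclass(frozen=True)
class Exchange:
    t1: float  # client transmit time (client clock)
    t2: float  # server receive time (server clock)
    t3: float  # server transmit time as carried in the reply (server clock)
    t4: float  # client receive time (client clock)


def offset_delay(x: Exchange) -> Tuple[float, float]:
    """RFC 5905 clock offset and round-trip delay for one exchange."""
    offset = ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2
    delay = (x.t4 - x.t1) - (x.t3 - x.t2)
    return offset, delay


class Server:
    """Stamps T3 before sending (basic mode) and records the accurate transmit
    time measured after the packet left, to be handed over in a later message."""

    def __init__(self) -> None:
        self.accurate_t3: Dict[float, float] = {}  # keyed by T2 of that exchange (assumption)

    def respond(self, t1_client: float) -> Exchange:
        t2 = t1_client + TRUE_OFFSET + ONE_WAY
        t3_stamped = t2 + SERVER_PROC
        t3_accurate = t3_stamped + SEND_LATENCY
        self.accurate_t3[t2] = t3_accurate
        t4 = t3_accurate + ONE_WAY - TRUE_OFFSET
        return Exchange(t1_client, t2, t3_stamped, t4)

    def late_t3(self, t2_key: float) -> Optional[float]:
        """Accurate T3 of an earlier exchange, delivered 'in a later message'."""
        return self.accurate_t3.get(t2_key)


class Client:
    def __init__(self) -> None:
        self.pending: Dict[float, Exchange] = {}

    def basic_measure(self, x: Exchange) -> Tuple[float, float]:
        """Basic-mode result; the exchange is kept so a refined T3 can be paired later."""
        self.pending[x.t2] = x
        return offset_delay(x)

    def interleaved_measure(self, t2_key: float,
                            t3_accurate: Optional[float]) -> Optional[Tuple[float, float]]:
        """Re-evaluate a stored exchange with the accurate T3, or reject a bad pairing."""
        x = self.pending.pop(t2_key, None)
        if x is None or t3_accurate is None:
            return None
        refined = Exchange(x.t1, x.t2, t3_accurate, x.t4)
        offset, delay = offset_delay(refined)
        # Sanity checks: the accurate transmit time cannot precede the stamped one,
        # and a round-trip delay can never be negative. A stale or mismatched T3
        # (one that belongs to another exchange) fails one of these.
        if t3_accurate < x.t3 or delay < 0:
            return None
        return offset, delay


def run_demo():
    """Two polls; the second carries the accurate T3 of the first. Returns the
    basic result, the interleaved result, and the result of a deliberately wrong
    pairing (exchange 1's accurate T3 applied to exchange 2)."""
    server, client = Server(), Client()
    x1 = server.respond(100.0)
    basic = client.basic_measure(x1)
    x2 = server.respond(101.0)
    client.basic_measure(x2)
    interleaved = client.interleaved_measure(x1.t2, server.late_t3(x1.t2))
    mismatched = client.interleaved_measure(x2.t2, server.late_t3(x1.t2))
    return basic, interleaved, mismatched


if __name__ == "__main__":
    b, i, m = run_demo()
    print("basic       offset/delay:", b)
    print("interleaved offset/delay:", i)
    print("mismatched pairing:", m)
```

In this model the basic-mode offset is biased by half the send latency and the delay is inflated by all of it, the interleaved re-evaluation recovers the true offset and delay, and a timestamp paired with the wrong exchange is dropped rather than fed into the clock discipline. Whether the draft's own sanity checks catch every such implementation error is exactly the question the review raises about the protocol-failures section.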