Re: [Ntp] [internet-drafts@ietf.org: New Version Notification for draft-gruessing-ntp-ntpv5-requirements-02.txt]

Danny Mayer <mayer@pdmconsulting.net> Tue, 15 June 2021 17:19 UTC

Return-Path: <mayer@pdmconsulting.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1DA73A3712 for <ntp@ietfa.amsl.com>; Tue, 15 Jun 2021 10:19:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K0TPfpujs0C6 for <ntp@ietfa.amsl.com>; Tue, 15 Jun 2021 10:19:18 -0700 (PDT)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B5903A3710 for <ntp@ietf.org>; Tue, 15 Jun 2021 10:19:16 -0700 (PDT)
Received: from newusers-MBP.fios-router.home (pool-108-26-179-179.bstnma.fios.verizon.net [108.26.179.179]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4G4FRQ5hm6zMNVB; Tue, 15 Jun 2021 17:19:14 +0000 (UTC)
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: ntp@ietf.org, James <james.ietf@gmail.com>
References: <20210522183113.7ovb2crqg7h5q6fs@de970ef05f79> <YMc3qU1UHSvQT/Gu@localhost> <20be95b2-5d71-7c5f-eda0-2a4de57c6da4@pdmconsulting.net> <YMij41T+OEVXdVky@localhost>
From: Danny Mayer <mayer@pdmconsulting.net>
Message-ID: <c4b8c962-84f1-d4ab-eefa-8001471ea450@pdmconsulting.net>
Date: Tue, 15 Jun 2021 13:19:13 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <YMij41T+OEVXdVky@localhost>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/WLEv761KkG6Pnk4h5Ta1pY40d54>
Subject: Re: [Ntp] [internet-drafts@ietf.org: New Version Notification for draft-gruessing-ntp-ntpv5-requirements-02.txt]
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 17:19:22 -0000

On 6/15/21 8:58 AM, Miroslav Lichvar wrote:
> On Mon, Jun 14, 2021 at 02:25:21PM -0400, Danny Mayer wrote:
>>> - "Encryption and authentication MUST be provided by the protocol
>>>      specification as a default"
>>>
>>>     It's not clear to me what the default means here. That it is enabled
>>>     by default in all implementations that support it?
>> We should certainly NOT be doing encryption on an NTP packet? What are you
>> trying to hide? Timestamps are obsolete almost before you use them and there
>> is nothing confidential about them. Authentication IS important and should
>> be secured by protocols like NTS or MAC's or (let me say it anyway!)
>> Autokey.
> Encryption is needed for privacy. It's an NTS feature. It encrypts
> cookies in server responses to prevent a passive observer from
> matching client requests using the cookies.

On the cookie, it's okay as long as it's not the whole packet.

Danny