[Ntp] Roughtime update
Marcus Dansarie <marcus@dansarie.se> Wed, 06 November 2024 20:55 UTC
Return-Path: <marcus@dansarie.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03038C169425 for <ntp@ietfa.amsl.com>; Wed, 6 Nov 2024 12:55:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dansarie.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JoZjdRRtnfAN for <ntp@ietfa.amsl.com>; Wed, 6 Nov 2024 12:55:48 -0800 (PST)
Received: from mail.dansarie.se (mail.dansarie.se [185.82.126.120]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B84AC180B57 for <ntp@ietf.org>; Wed, 6 Nov 2024 12:55:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dansarie.se; s=mail; t=1730926543; bh=imdW85RYc/JX7qbFjTV+Adjv2S/Psyi0VUKG6y8DcPA=; h=Date:From:Subject:To:From; b=qKGNilEkuSeX6EFSZaWdZrh9xFGYrYat7AE386M4hHkR7cVurUgCHT7HI9O1Ok78u s0n7fsqeqEZDg/i6Pi/48MBiSiF9/UmC0xutqu9dyq6HT77SovGCEZGG9PS/ixfpNd eJeEr0LL63cmRjjmsa2FH0lCToARqa//vk1/qqdCIjHnOnIL4U4NbjuGfRK0fXqLky MAOFYDj/qzLn2Ov9301HIRc+zK42uLVm3quLEnUw2r5RYeX4DB+Ws8+09OothxVAGi AvTL9MoRrZYCOU2zYbSgnbDnWbV6DRP+THrhWhxVDZmQVizHic02BlCrXQjJXpBqBp Hor5KskDsqNfg==
Message-ID: <cb842889-ed9a-46e3-addb-0d509986b352@dansarie.se>
Date: Wed, 06 Nov 2024 21:55:41 +0100
MIME-Version: 1.0
Content-Language: sv-SE, en-US
From: Marcus Dansarie <marcus@dansarie.se>
To: "ntp@ietf.org" <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: HEFLBNNDVWA6SBCKIYWEGEYKGWEXONQ7
X-Message-ID-Hash: HEFLBNNDVWA6SBCKIYWEGEYKGWEXONQ7
X-MailFrom: marcus@dansarie.se
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ntp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Ntp] Roughtime update
List-Id: Network Time Protocol <ntp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/X10V7mpU9the2m2dDcjoVyOExDY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Owner: <mailto:ntp-owner@ietf.org>
List-Post: <mailto:ntp@ietf.org>
List-Subscribe: <mailto:ntp-join@ietf.org>
List-Unsubscribe: <mailto:ntp-leave@ietf.org>
All, Here comes a quick summary of Roughtime developments during the Hackathon and NTP WG meeting at IETF 121 in Dublin. # Hackathon results We participated with Roughtime in the Hackathon this weekend. Overall, I think our participation was very successful, considering that we uncovered important issues with both the draft and several implementations. Me and Sarah Grant worked on Plummet, an interoperability testing framework for Roughtime. Plummet creates a Docker container for each Roughtime implementation and uses the containers for testing each client against each server, logging outputs and packets. Results are available as individual log and pcap files as well as in condensed json and html formats. The result.html file produced by Plummet also contains a handy interoperability matrix and parsed Roughtime packets. Plummet can be found at https://github.com/ietf-wg-ntp/Roughtime-interop-code. The following implementations are currently tested by Plummet: * Cloudflare Roughtime (https://github.com/cloudflare/roughtime) * Craggy (https://github.com/nahojkap/craggy) * Node-Roughtime (https://github.com/bnoordhuis/node-roughtime) * Pyroughtime (https://github.com/dansarie/pyroughtime) * Roughtimed (https://github.com/dansarie/roughtimed) * Roughenough (https://github.com/int08h/roughenough) * Vroughtime (https://github.com/oreparaz/vroughtime) Only Cloudflare Roughtime, Pyroughtime, Roughenough, and Roughtimed currently support draft-11. Pyroughtime and Roughtimed were updated to support draft-11 by me during the Hackathon. We also found bugs in other implementations which were reported to the respective authors. After the bug fixes, the four draft-11 implementations appear to interoperate. There are however issues with some clients and the Roughenough server, which is not due to a problem with the wire protocol, but with how keys are defined. This is described below. Additionally, Ruben Nijveld started work on a Roughtime server implementation in Rust. # RFC 8032 and Roughtime keys During testing with Plummet, there was problems getting interoperability between the Roughenough server and the Cloudflare and Pyroughtime clients. The reason for this was identified as being due to Roughenough treating key seeds/private keys different than other implementations. RFC 8032 specifies EdDSA and specifies how private keys should be generated from a random seed. In particular, certain bits of the private key have to be cleared and one has to be set in order to prevent small-subgroup attacks and timing side-channel leaks. Depending on which Ed25519 libraries the different implementations use and how those libraries are called, this requirement may not be met or treated in the same way by all implementations. I will do some investigation and report when I know more. In any case, the draft needs to be updated with language that requires private keys to be generated in accordance with RFC 8032. The draft should also clearly specify how the expressions "public key" and "private key" in the draft relate to the definitions in RFC 8032. # Version downgrade attacks During discussions at the Hackathon between myself, David, and Ruben, we realized that man-in-the middle attacks are possible on the versions sent in the VER tag by both servers and clients. The suggested fix to this is to include a hash of the entire request packet in the Merkle tree, instead a hash of just the NONC value. This will make possible for the client to detect changes to any and all bits of the request. Additionally, the VER tag in the server's response should be moved into the SREP tag. (We should also add a recommendation in the security considerations that any new or implementation-specific tags SHOULD be added to SREP, so that tampering can be detected.) A new tag, containing a list of the server's supported versions should also be added to the SREP tag. # Lack of client checks During the Hackathon, we noticed that many clients do not do proper checking of received responses. This highlights the need for greasing by servers. # Possible regression between draft-07 and draft-08 In draft-07, the context string "RoughTime v1 delegation signature--" was changed to "RoughTime v1 delegation signature", for consistency with the other context string used in Roughtime. However, this was reverted in draft-08. I do not recall if this was deliberate or if it appeared accidentally when other changes were reverted. Does anyone else remember? For consistency, I think we should remove the dashes again, at the same time as we make other breaking changes. # Max Merkle tree height Ruben pointed out that the maximum Merkle tree height is not explicitly specified in the document. It is implicitly specified, since response messages are limited in length. To help implementation developers, perhaps we should specify the maximum height explicitly? # Multiple version numbers allowed in requests Ruben also pointed out that the multiple version numbers in requests are tricky to implement. On the other hand, there are currently client implementations that make use of this feature for interoperability between different draft versions and it seems to be working well. Are there any opinions or experiences on this? # Editorial issues Dieter and I discussed a number of editorial issues with the draft during the Hackathon. In particular, Dieter pointed out that the language about what Roughtime guarantees is unclear and has changed between draft versions. # The way forward I was hoping to release a new version of the draft this weekend, without any breaking changes to the on-wire protocol. However, since we are going to need to make changes, at least when it comes to VER tag handling, I decided to wait with publishing a new version until those fixes have been included. Hopefully, implementations can be quickly updated to support that draft and interoperate, which would enable us to move towards WG last call. The full list of current issues with the draft is available on Github: https://github.com/ietf-wg-ntp/draft-roughtime/issues. Any input or suggestions on the above - or anything else Roughtime-related - is greatly appreciated. Kind regards, Marcus
- [Ntp] Roughtime update Marcus Dansarie
- [Ntp] Re: Roughtime update Marcus Dansarie
- [Ntp] Re: Roughtime update Erik Kline
- [Ntp] Re: Roughtime update Marcus Dansarie
- [Ntp] Re: Roughtime update Erik Kline