IETF Logo Mail Archive

Re: [Ntp] comments on draft-ietf-ntp-using-nts-for-ntp-23

Ragnar Sundblad <ragge@netnod.se> Thu, 12 March 2020 01:20 UTC

Return-Path: <ragge@netnod.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FEA63A108F for <ntp@ietfa.amsl.com>; Wed, 11 Mar 2020 18:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netnod-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DamriuLNWBF5 for <ntp@ietfa.amsl.com>; Wed, 11 Mar 2020 18:20:17 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74FD13A1087 for <ntp@ietf.org>; Wed, 11 Mar 2020 18:20:17 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id f10so4487291ljn.6 for <ntp@ietf.org>; Wed, 11 Mar 2020 18:20:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netnod-se.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7Jck9XKt8oSQ+6oDrorgLVeq9zyNDWzxepNT8GsXlMU=; b=BBDuCAzZaWKVQcP+0QBDPXg1GdROeI7qVb04oOtU0XP2Cro6EeMy8E9cO4WL+Uwohl cbbKtBKoaoa7eaMxEwzgkGA8ncKmsziL1yzsre+o2XeAxwSCgWKvnSuRnfGZZ/6LBWMe zM0nIn/4o76cQHQ5MEix3sOTEVA8qB1eOB+wLEaHglmEw0zElNA9FbYbWKiXfF92DDfs ZEvkgDeCoZ09WfElvkGnM8B+1SO7vM3qu+vD+3Px/xS1tFiAMsxTZiqW/5LDdmv8d3Cw 9u9Z3OZaouUvRf+7wzmysygiF+ApajQcVND11tGD5zIRzORzouDTKxokBT0Jmp8VJUAC CGUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7Jck9XKt8oSQ+6oDrorgLVeq9zyNDWzxepNT8GsXlMU=; b=bvEypJNILNph7IOkKIv1HHkjSOq6IXlHyz2iUnOqDqZVvLbJViex28aI0xeA5TDNAF DG6uw8BcQN2X1YGIKj2C/um0me2wpGlVi3yMYJOk1YPJ/+QncY1hl1RCwZaW+GGHlbHj hHhHanyk5nLI8WzyBWQZk9U32g6TtYIAZRpWOJfgoRz2QHWzDlBflKSuKbO+1jKBV8pT v658ipdVgkD8kSMCG/82bTOxPQunO/cwXtNMZA5vPMwHY6l3eeKjLStGWZIfn4ygw/Nn PGrcg4D08n5Ffslv6RVD0+XraVKLAYVG+0/A36A5a3s4g/NEp9wB0Y3S2xdL1UQ03lOo FLiQ==
X-Gm-Message-State: ANhLgQ3eoF2uUpH+RJ12mITpaunvYC2pMEmOV2yRnNGAjqaKJbsJnL3K QfNvTDWKjs1QuNYk/2a0/68rCod/vlUAAw==
X-Google-Smtp-Source: ADFU+vu6wUeHagqWoLG7me1SUpcn3jOj++XsuZvgWcFRhQ2v93CHNgit3qH8dkLem0ALwIZvdOhLdg==
X-Received: by 2002:a2e:8090:: with SMTP id i16mr3595383ljg.4.1583976015406; Wed, 11 Mar 2020 18:20:15 -0700 (PDT)
Received: from [10.0.1.14] (h-122-211.A530.priv.bahnhof.se. [213.80.122.211]) by smtp.gmail.com with ESMTPSA id f26sm9666821lfl.43.2020.03.11.18.20.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Mar 2020 18:20:14 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Ragnar Sundblad <ragge@netnod.se>
In-Reply-To: <43842926-38F3-4274-904B-AEBE8248E9A2@tislabs.com>
Date: Thu, 12 Mar 2020 02:20:13 +0100
Cc: ntp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B709E376-8C7C-4C36-A5D4-687147C77CCB@netnod.se>
References: <F5D62F1F-6705-4DEE-8A24-C7DAEAC02AB0@tislabs.com> <43842926-38F3-4274-904B-AEBE8248E9A2@tislabs.com>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/X8NR3CAYF4UdIPYo8HlVo9ZLI7I>
Subject: Re: [Ntp] comments on draft-ietf-ntp-using-nts-for-ntp-23
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 01:20:27 -0000

Hello Sandy,

Thank you very much for your thorough review and all your insightful comments!

As Daniel mentioned in another thread, we are working on a new revision of the draft, were we intend to addresses these issues.

Since there were so many detailed comments, to be able to keep track of them and any discussions around them, I have now made “issues” of them, here: <https://github.com/dfoxfranke/nts/issues>
I have also started to insert comments from previous discussions, and pull requests to fix them.
Feel free to comment them there too.

Best regards,

Ragnar

> On 5 Mar 2020, at 15:57, Sandra Murphy <sandy@tislabs.com> wrote:
> 
> I realize that I did not include one concern about the security considerations.  Section 9.7 NTS Stripping talks about the client being deceived into reverting to plain NTP.  There’s no discussion of the server being deceived into responding with plain NTP.  An adversary who stripped the NTS extensions from the a NTP request would lead the server to reply without the expected NTS extensions in the response.  What should/would the client do if it receives a non-NTS enhanced response to a NTS enhanced request?
> 
> [Steve Bellovin would frequently suggest that there should be a way for a recipient to know to expect security protections to prevent such downgrade attacks.  I don’t think there is a way in this case.]
> 
> —Sandy
> 
>> On Mar 4, 2020, at 7:06 PM, Sandra Murphy <sandy@tislabs.com> wrote:
>> 
>> I am not an NTP participant but curious about vulnerabilities of NTP so I looked at NTS on last Fri, 28 Feb.
>> 
>> Unfortunately, that was the last day of the IETF last call, so I have comments and they are arriving after the last call.
>> 
>> So give these comments the consideration they deserve - they come late from someone who lacks context.
>> 
>> Detailed comments attached.  Overall comments here:
>> 
>> Section 1 makes it clear that there is an intentional separation between the NTS-KE server and the NTP server, although it is allowed that both services could be resident on the same host.  Figure 1 also makes it appear that the NTS-KE server may be associated with a large number of NTP servers, with unspecified means of communicating between them.  Reading through, I was struck by how much the NTS-KE server must know about the NTP server - in Section 4.1.5 what algorithms it would support, in Section 6 the keying material it would accept.  I was puzzled at how this could work in the post.ntp.org set of volunteer NTP servers.  Then in Section 6, I saw a reference to “load-balanced cluster”, which would easily account for the NTS-KE server’s knowledge of the NTP servers’ configurations.  More explanations of the supportable (current and potential) architectures would be very helpful.  
>> 
>> I believe it would be helpful for the implementers to have an explicit list of what the NTS-KE server must know about the NTP servers (address, algorithms supported, shared keys in use, cookie construction, protocol IDs accepted, anything else?) and what the communication between the NTS-KE server and the NTP server must provide (what Figure 1 calls “Shared cookie encryption parameters”).
>> 
>> Some of the text concerns the interactions with the NTS-KE server, some concerns the interactions with the NTP server.  The word “server” is used throughout.  There are cases where it is not clear which type of server is meant from context.
>> 
>> I found several cases where I was not sure what the error conditions should be handled, when requirements are not met, when an exchange fails, when an error condition is received, etc.  In some sections, the receiver’s action upon receiving one message is explained but for other messages is not.  
>> 
>> Normative language: There are places where the text says “should” not “SHOULD” and it was not clear the RFC2119 language was intended.  In particular, Section 6 uses “should” many times.  Perhaps that was intentional since this section is not normative.  I’m not sure what should (sic) be the usage in that case.  “In general” appears many times, which begs the question of when it is or is not the case.  On page 21, the text says “In general, however, the server MUST”.  I’m not sure what that means to an implementer.  The following language talks about exceptions, so perhaps the “In general” means “where there is no exception”.
>> 
>> The document sets up an IANA registry for the Protocol ID.  Is it necessary to stipulate what a specification of a new Protocol ID must include?  Must it include a cookie format, for example?
>> 
>> On page 21, the caption for Figure 5 should be “NTS-protected NTP Time Synchronization Messages”.  It is an NTP exchange, not an NTS exchange.
>> 
>> Section 9.4 page 36 - Is there a reference for “NTP_PHASE_MAX?”  A web search found only references to this draft and to a “kernel constant” in various *nx man pages.
>> 
>> In Section 6, the identifier “I” is used as a salt.  RFC5869 says the salt is random.  Should the text about choosing the “non-secret, unique” identifier mention random / unpredictable as well?
>> 
>> —Sandy
>> <draft-ietf-ntp-using-nts-for-ntp.detailedcomments.txt>
>> 
>> 
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
> 
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email