IETF Logo Mail Archive

Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp

"Dieter Sibold" <dsibold.ietf@gmail.com> Sat, 15 December 2018 17:32 UTC

Return-Path: <dsibold.ietf@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FD5E130DE8 for <ntp@ietfa.amsl.com>; Sat, 15 Dec 2018 09:32:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9JaJ5UcTffZW for <ntp@ietfa.amsl.com>; Sat, 15 Dec 2018 09:32:33 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49E97126F72 for <ntp@ietf.org>; Sat, 15 Dec 2018 09:32:33 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id a62so8522962wmh.4 for <ntp@ietf.org>; Sat, 15 Dec 2018 09:32:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=qDbquDZn/Ck3bpj1decelJy4tP81uJHpW1Wa5IJ60vI=; b=ps8QRR+ErDQFjCScU+oLOfJl8Di3WFmu8LazXmIKotAfhuscM2EuPosKv+mqeg3Qiy jur3ouhqagmoHAlzzixNRHOzkBiLuNqJVzr9KnqALqeR4AOGXTVMzatnaZ+twci7AsW7 Lzcjk/f7plHcn0xJfSnMlYZ0XsWecSLXqgtJj1XiBmEzIyXmuE49FkL7K+jBwRzOv729 wE93s23MUP/UvwllvJ1i0sYri27bTW7xXjdC9TQybwWAZ4EhMXpmXzeqSJMvHg2qznKf 5Req3CEooq/T7BHGSwwDdZTPa1s1NyuJfa81iUALQPd+m2cwy6YWptDAjyRMX5AgpQs2 rIQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=qDbquDZn/Ck3bpj1decelJy4tP81uJHpW1Wa5IJ60vI=; b=Cd11RUugl5kkIjjdWbOzTIHbjXJUQqi4exwqcG6heUVIpnh8Rk0w27jJflF5oKg7b7 ZiP+XPdqbSTadOEMy/Dox3WPFleJ8CvYtAgFjagmQS8iYibK0Q6UoCo4O1H6Eka+cyHj g1Ngbbwl/foNq8XFqzG7jlYYvOsrYpLLfnInONK00mAesvNEyg6swwml/hlon9aNnbkp 0xENbgHorGcsp2/kbx4Qw5pHX/7vXEuCf/RXqB9TWmJ4mW0+C0Usja4ADnERvTb7V2RA akFxFnYYqHmcTpoSnrAN0Rj3Kpiu6TkOs6T0IvX+5CEb+JYVqtHNM5lUwOVp3fyGZ4jc LTHw==
X-Gm-Message-State: AA+aEWaUVSS7WcInvFlC8CtDb1yBp34SEeWG/dDbAGNyugRjJsQyEQTl 6lXeqwCpOvh+59pu3vJHnC8=
X-Google-Smtp-Source: AFSGD/Uk8ByFHLJt5gcuuQSs9CCeNxfc3KTqEEhudJF9QnpcfwvwitDYFFglzuuv1hv7wiPY34WEUg==
X-Received: by 2002:a1c:44d6:: with SMTP id r205mr7053361wma.50.1544895151697; Sat, 15 Dec 2018 09:32:31 -0800 (PST)
Received: from [192.168.178.23] (p200300D17F118400ED1A9D5942A0503F.dip0.t-ipconnect.de. [2003:d1:7f11:8400:ed1a:9d59:42a0:503f]) by smtp.gmail.com with ESMTPSA id q9sm7037359wrv.26.2018.12.15.09.32.30 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 15 Dec 2018 09:32:31 -0800 (PST)
From: Dieter Sibold <dsibold.ietf@gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: ntp@ietf.org
Date: Sat, 15 Dec 2018 18:32:29 +0100
X-Mailer: MailMate Trial (1.12.3r5579)
Message-ID: <A3054870-621C-49CD-89EF-87DBC8A6B9A9@gmail.com>
In-Reply-To: <20181206121656.GI28938@localhost>
References: <FF5E07A6-6F59-4D45-A186-7FC7C9B4A41C@isoc.org> <20181206121656.GI28938@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Z3P9_mWILKEi7LkfbcFgyFuvCs0>
Subject: Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Dec 2018 17:32:37 -0000

Dear Miroslav,
sorry for the late reply. See my comments inline.

Dieter Sibold
dsibold.ietf@gmail.com

On 6 Dec 2018, at 13:16, Miroslav Lichvar wrote:

> On Tue, Nov 06, 2018 at 08:46:12PM +0000, Karen O'Donoghue wrote:
>> Folks,
>>
>> This message initiates a three plus week working group last call for:
>>
>> Network Time Security for the Network Time Protocol
>> https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/
>
> I support advancing this document. It's well written and it secures
> the most important mode of NTP - client-server.
>
> From an implementor's point of view, I'd prefer if TLS 1.3 was
> required, but I don't know much about TLS or crypto in general.

Martin also expressed preferences of TLS 1.3. See my reply to his email.

>
> I still think it would be good to specify the maximum length of the
> cookie. This would simplify the client implementation. From a previous
> discussion, it looks like 256 octets should be enough.

The cookie contained in the Cookie EF is implementation specific.
Therefore in my opinion the size should not be specified, although
it might simplify implementation.

>
> In 5.2 there is "Possibly, some additional extension fields which are
> neither encrypted nor authenticated.  These are discarded by the
> receiver." I'd suggest to change the last sentence to "These are
> normally discarded by the receiver". This is explained later in the
> document for both client and server sides.

I see. I would like to phrase it „In general, these are discarded by
the receiver.“ in order to emphasize the normal behavior.

>
> In 5.6 there are two instances "zero-padded to a word (four octets)
> boundary" and two instances of "bytes". The size of a word and byte is
> specific to the architecture, so just use "to a four-octet boundary"
> and "octets".

Thanks. I replaced the bytes by octets.
>
> In 5.7 there are typos in "but MUST be encrypted from sent from
> server to client." and "comply with RFC 5095, Section 7.4".

Thanks.
>
> In 5.7 there is "In that case, it MUST be able to detect and stop
> looping between the NTS-KE and NTP servers.". This could be explained
> in a more detail. The detection here means that the client should
> check if there were no good NTP packets received between NTS-KE
> exchanges?
>
> -- 
> Miroslav Lichvar
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email