Re: [Ntp] Antw: [EXT] Re: Quick review of WGLC for status change for draft‑ietf‑ntp‑update‑registries

Martin Burnicki <martin.burnicki@meinberg.de> Tue, 09 August 2022 10:39 UTC

Return-Path: <martin.burnicki@meinberg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17E4FC13CCDF for <ntp@ietfa.amsl.com>; Tue, 9 Aug 2022 03:39:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meinberg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyOtpMgtBOcq for <ntp@ietfa.amsl.com>; Tue, 9 Aug 2022 03:39:09 -0700 (PDT)
Received: from server1a.meinberg.de (server1a.meinberg.de [176.9.44.212]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47673C13CCDC for <ntp@ietf.org>; Tue, 9 Aug 2022 03:39:08 -0700 (PDT)
Received: from seppmail.py.meinberg.de (unknown [193.158.22.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server1a.meinberg.de (Postfix) with ESMTPSA id 1441871C0065; Tue, 9 Aug 2022 12:39:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meinberg.de; s=d2021; t=1660041546; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=5WjsQ27eGMzGWl1ak74+yAl+0uou6BqihlXUxPq8jZs=; b=BAzh4nyW4xvXVaqtkz9hddtt6v0OMcjhUpemY5XL23WUADi5syAjVawf5nUYFf9+Yje/M+ lb10uRnC1lhNQwCvS23TKVJcnz//fA2Ikvf9t4005tIUHBRqN6Zruzu3NLS403awZXDJwb 0EKldssGb8eOLfDczGWLWSjjRxzb6Zd+G/3IAjBhj8LhnlmL6JSBzebXfgNpg4Kai4wSIJ cKCe+m9dfP5MDqMn7FIu+wSXO9eo6Ofskc2UTTfapUWXZCPO6JHbnzZkh4ELGlF1m4xBBJ mxhpbbPaAUBiwc1IFHyjAS27cM9Typ/EuVMHZBBc8BYGZAePpP+KwGqN9wFKKg==
Received: from srv-kerioconnect.py.meinberg.de (srv-kerioconnect.py.meinberg.de [172.16.3.65]) (using TLSv1.3 with cipher AEAD-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by seppmail.py.meinberg.de (Postfix) with ESMTPS; Tue, 9 Aug 2022 12:39:05 +0200 (CEST)
X-Footer: bWVpbmJlcmcuZGU=
Received: from localhost ([127.0.0.1]) by srv-kerioconnect.py.meinberg.de with ESMTPSA (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)); Tue, 9 Aug 2022 12:39:03 +0200
Message-ID: <01a9d920-3009-fdc0-07c1-68f5563bf130@meinberg.de>
Date: Tue, 9 Aug 2022 12:39:02 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: Hal Murray <halmurray@sonic.net>, "ntp@ietf.org" <ntp@ietf.org>, Harlan Stenn <stenn@nwtime.org>
References: <20220809030711.F00DC28C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <8122203e-ac66-e4d7-5a52-5d053d8fa06a@nwtime.org> <YvIXDS2EkxzI0nTh@localhost> <9d304a6f-5570-0dad-d64d-b8ade71871e3@nwtime.org> <YvIthoUI7HtKpD9E@localhost>
From: Martin Burnicki <martin.burnicki@meinberg.de>
Organization: Meinberg Funkuhren GmbH & Co. KG, Bad Pyrmont, Germany
In-Reply-To: <YvIthoUI7HtKpD9E@localhost>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------2Y5Lpv2xRRCgd0CzZlfdv76h"
X-SM-outgoing: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Zec1QAlrvXdNu3KQa-Wz67p7WN0>
Subject: Re: [Ntp] =?utf-8?q?Antw=3A_=5BEXT=5D_Re=3A_Quick_review_of_WGLC_for?= =?utf-8?b?IHN0YXR1cyBjaGFuZ2UgZm9yIGRyYWZ04oCRaWV0ZuKAkW50cOKAkXVwZGF0?= =?utf-8?q?e=E2=80=91registries?=
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 10:39:14 -0000

Miroslav Lichvar wrote:
> On Tue, Aug 09, 2022 at 02:22:32AM -0700, Harlan Stenn wrote:
>> On 8/9/2022 1:13 AM, Miroslav Lichvar wrote:
>>> On Mon, Aug 08, 2022 at 10:33:12PM -0700, Harlan Stenn wrote:
>>>>> NIST servers respond to NTPV4 requests with NTPv3.
>>>>
>>>> which works perfectly with V4 clients, and it works because of the way the
>>>> protocol was designed and has worked for ntp V1-V4.
>>>
>>> It works only with clients that support NTPv3. Not all clients do
>>> that. And v1 is not compatible with v2-v4. There is no mode field yet.
>>
>> I don't understand "clients that support NTPv3".  I know that ntpd (which
>> has been v4 for nearly 25 years' time) talks with NIST just fine.
> 
> Because ntpd kept the NTPv3 support when it added NTPv4. The NTPv3
> support is broken in some ways, e.g. it accepts Autokey extension
> fields which is not possible in NTPv3.

Hm, your statement is basically correct. However, given the explanation 
from the email I wrote just a minute ago, there are 2 possible reasons 
why a client may receive a v3 response from a server in practice:

1.) The client is v3, in which case it doesn't support autokey at all, 
and won't send requests with autokey extensions to the server.

2.) The server is v3, in which case it supports symmetric keys, but not 
autokey. So it is unable to send a response with autokey extensions.

Of course you can have a real v4 client use autokey but send a faked v3 
version, in which case it might get a v3 response with autokey extensions.

I've never heard that this caused any problem. On the contrary, the high 
level of compatibility between v3 and v4 made the slow changeover from 
v3 to v4 very user-friendly.

> Some client implementations support NTPv4 only and don't accept an
> NTPv3 response.

Unless there is some faking around, the server runs a v3 implementation 
in this case. If the client doesn't accept this, the admin has to 
configure the client to use a different server that supports v4.

The same thing will happen if v5 is not compatible with v4, and a 
v5-only client is configured to use a v4-only server.

>>> NTPv5 needs to be designed in such a way that if it is misinterpreted
>>> as NTPv3 or NTPv4, it will produce an invalid response that will be
>>> ignored by the client. The current proposal has that property.
>>
>> I submit better behavior would be for a v3 or v4 client to be able to *use*
>> a v5 response.
> 
> That is not possible if we want to make incompatible changes in NTPv5.

Yes, that's why I believe the acceptance of v5 will grow very much 
slower than the acceptance of v4.

>>>> It sure looks to me like the NTPv5 work will be breaking this.
>>>
>>> Well, if NTPv5 is expected to have incompatible changes like shorter
>>> extension fields, it cannot be compabile with NTPv4. If it was
>>> compatible with NTPv4, it wouldn't have to change to NTPv5.
>>
>> Where is it written that a v4 EF must be compatible with a v5 packet?
> 
> It's not written anywhere. It will save us a lot of work if we can
> reuse the existing EFs (e.g. NTS) as they are specified for NTPv4.
> 
>> And if one requires 7822 header lengths for compatibility, great.
>>
>> The reference implementation supports both, but we do not require 7822
>> minimum lengths because they are demonstrably not needed.
> 
> As I understand it, ntpd doesn't support 7822 yet. It is still
> responding to unknown extension fields with a crypto NAK.

I still don't see why it should not be possible at the server to first 
try to decode the new EF (chain), and if that fails, try the old format, 
as I explained in my previous email.

Of course the server implementation has to support the new EFs, too. 
Otherwise it can only send a crypto NAK when it receives an extension 
field that it doesn't understand.


Martin
-- 
Martin Burnicki

Senior Software Engineer

MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki@meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg, 
Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de  https://www.meinbergglobal.com