Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requirements-02.txt
James <james.ietf@gmail.com> Mon, 14 August 2023 11:48 UTC
From: James <james.ietf@gmail.com>
In-Reply-To: <ZNnoW2ncJvkGSFmr@localhost>
Date: Mon, 14 Aug 2023 13:47:43 +0200
Cc: NTP WG <ntp@ietf.org>
Message-Id: <32D1615C-A880-49FA-848C-1CCCE73F931D@gmail.com>
References: <169064555203.48214.10785823343496948104@ietfa.amsl.com> <ZNnoW2ncJvkGSFmr@localhost>
To: Miroslav Lichvar <mlichvar@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/_1N3Fd17qg25oKI3C5pU-DGkI-o>
Thanks for the feedback. Comments in-line.

- J

> On 14 Aug 2023, at 10:39, Miroslav Lichvar <mlichvar@redhat.com> wrote:
>
> On Sat, Jul 29, 2023 at 08:45:52AM -0700, internet-drafts@ietf.org wrote:
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This Internet-Draft is a work item of the Network Time Protocols
>> (NTP) WG of the IETF.
>>
>> Title : NTPv5 use cases and requirements
>> Author : James Gruessing
>> Filename : draft-ietf-ntp-ntpv5-requirements-02.txt
>
> Thanks for updating the draft.
>
> From 3.1:
> NTPv4 has previously suffered from DDoS amplification attacks using a
> combination of IP address spoofing and private mode commands used in
> many NTP implementations,
>
> I suggest replacing "many" with "some". AFAIK only the ntp.org ntpd
> and its fork ntpsec have this issue.

I intend to update that section also based on feedback from Ulrich. I've added your suggestion to the issue https://github.com/fiestajetsam/draft-gruessing-ntp-ntpv5-requirements/issues/24 so I don't lose track.

>
> From 4.1:
> Client and server protocol modes MUST be supported, and other modes
> such as symmetric and broadcast MAY be supported and SHOULD NOT be
> required by implementors to implement. Considerations should be
> made in these modes to avoid implementations and deployments from
> vulnerabilities and attacks.
>
> So we are postponing the decision on which modes to support to the
> protocol specification? I was hoping the requirements draft would
> provide more guidance than "MAY".
>
> I think I suggested this before. Instead of naming modes, why not
> simply say: "NTPv5 MUST be resilient to off-path and replay attacks"?
> I think that is a reasonable requirement for any internet protocol
> that nobody should have any objections to it.
>
> The people who think symmetric and/or broadcast need to be
> supported will be forced to find a fix, or if they cannot do that at
> least understand it well enough to realize why they shouldn't be
> supported.

The text that I ended up ultimately putting in was based in part on the discussion at IETF 117. I don't immediately disagree with your proposal; however, given that this point went through a consensus call, such a change may cause even further discussion to be required. https://github.com/fiestajetsam/draft-gruessing-ntp-ntpv5-requirements/issues/41

> --
> Miroslav Lichvar
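The "resilient to off-path and replay attacks" requirement discussed above is, in the existing client/server mode of NTPv4, met by the origin-timestamp check: a client puts an unpredictable transmit timestamp in its request and accepts only a server reply that echoes that exact value in its origin field, once. The following is an added illustration of that check, written for this page and not code from the draft, from chrony, ntpd or any other project; it assumes the 48-byte NTPv4 header layout of RFC 5905, models only the fields the check needs, and constructs its own sample packets in place of real network traffic.

```python
import os
import struct
import time

# 48-byte NTPv4 header (RFC 5905): LI/VN/Mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then four 64-bit timestamps
# (reference, origin, receive, transmit). Extension fields are not modelled.
NTP_HEADER = struct.Struct("!BBBbII4sQQQQ")
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch

MODE_CLIENT = 3
MODE_SERVER = 4


def fresh_transmit_timestamp(now=None):
    """Transmit timestamp for a request: real seconds, random fraction.

    The fraction is filled from os.urandom so the 64-bit value acts as a
    nonce: a valid reply must echo it in its origin field, and a sender that
    never saw the request has nothing to copy. (Assumption for this example:
    the whole fraction field is used as the nonce.)
    """
    seconds = int(now if now is not None else time.time()) + NTP_EPOCH_OFFSET
    return (seconds << 32) | int.from_bytes(os.urandom(4), "big")


def build_packet(mode, orig_ts=0, recv_ts=0, xmit_ts=0, stratum=0, version=4):
    """Pack a minimal header; fields not relevant to the check stay zero."""
    li_vn_mode = (version << 3) | mode
    return NTP_HEADER.pack(li_vn_mode, stratum, 0, 0, 0, 0, b"\0" * 4,
                           0, orig_ts, recv_ts, xmit_ts)


def parse_packet(data):
    """Unpack the header fields needed to validate a reply."""
    if len(data) < NTP_HEADER.size:
        raise ValueError("packet shorter than NTP header")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, _ref_id,
     _ref_ts, orig_ts, recv_ts, xmit_ts) = NTP_HEADER.unpack(data[:NTP_HEADER.size])
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "orig": orig_ts,
        "recv": recv_ts,
        "xmit": xmit_ts,
    }


class NtpClientState:
    """Per-association state for one client/server exchange."""

    def __init__(self):
        self.pending = None    # transmit timestamp of the outstanding request
        self.accepted = set()  # origin timestamps already consumed (replay guard)

    def make_request(self, now=None):
        self.pending = fresh_transmit_timestamp(now)
        return build_packet(MODE_CLIENT, xmit_ts=self.pending)

    def accept(self, data):
        """Return (ok, reason); only the reply to the outstanding request passes, once."""
        try:
            pkt = parse_packet(data)
        except ValueError as exc:
            return False, str(exc)
        if pkt["mode"] != MODE_SERVER:
            return False, "not a server-mode reply"
        if pkt["orig"] in self.accepted:
            return False, "replayed reply"
        if self.pending is None:
            return False, "unsolicited reply: no request outstanding"
        if pkt["orig"] != self.pending:
            # Rejects both an off-path guess and a stale reply to an older request
            return False, "origin timestamp does not match outstanding request"
        if not 1 <= pkt["stratum"] <= 15:
            return False, "kiss-o'-death or invalid stratum"
        if pkt["xmit"] == 0:
            return False, "zero transmit timestamp"
        self.accepted.add(pkt["orig"])
        self.pending = None
        return True, "accepted"


if __name__ == "__main__":
    # Constructed exchange: an honest server copies the request's transmit
    # timestamp into the origin field; sending that same reply twice is a replay.
    client = NtpClientState()
    request = parse_packet(client.make_request())
    reply = build_packet(MODE_SERVER, orig_ts=request["xmit"],
                         recv_ts=request["xmit"] + 5, xmit_ts=request["xmit"] + 6, stratum=2)
    print(client.accept(reply))  # first delivery
    print(client.accept(reply))  # same bytes again
```

The check is only as strong as the unpredictability of the transmit timestamp: a client that fills the fraction field from its clock rather than from a random source leaves an off-path sender a much smaller space to guess, which is why implementations randomise it.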