Re: [Ntp] Antw: [EXT] Re: Quick review of WGLC for status change for draft‑ietf‑ntp‑update‑registries

Martin Burnicki <martin.burnicki@meinberg.de> Tue, 09 August 2022 11:01 UTC

Return-Path: <martin.burnicki@meinberg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B410EC15A737 for <ntp@ietfa.amsl.com>; Tue, 9 Aug 2022 04:01:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meinberg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9x-r8PG2-hYI for <ntp@ietfa.amsl.com>; Tue, 9 Aug 2022 04:01:26 -0700 (PDT)
Received: from server1a.meinberg.de (server1a.meinberg.de [176.9.44.212]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EC16C16ECF1 for <ntp@ietf.org>; Tue, 9 Aug 2022 04:01:25 -0700 (PDT)
Received: from seppmail.py.meinberg.de (unknown [193.158.22.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server1a.meinberg.de (Postfix) with ESMTPSA id AB80671C0065; Tue, 9 Aug 2022 13:01:23 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meinberg.de; s=d2021; t=1660042883; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=R0htf6HgL+EeAimrIdDZ6YcRpAyUFjtc7lnHGxaC1ow=; b=nRboAhqivOv0sNf0AtKMSb/dH5y5rKLKZAJ6XKgi6kNrXNZLt3zSpH1SySoOWhJtDkTLBL WN6d3ji61QizBnGMCpKcPoGe3rKUkfVILO78/qQjBKJ149QkGBm76EOwm+8XwmJ5xx0z+I bBm5APxPEE7EGLGIg7b7XY6rVhOeCh8Et0ujdVKLvbA/j0AioVFY345AeR67a1mBtD3ZNu jbzj98jTWXGNnyY1MaxffKlOuEgXwrumrpElJfDn/O1pIgV5CMTK22p7uhYhcPDXs5a9U5 dztZaBi1O+WAkEQWrKC7u2ZbAoNL/TAEHL6Sl7VhjYS2H4rUs3mQP6bmP+sQlg==
Received: from srv-kerioconnect.py.meinberg.de (srv-kerioconnect.py.meinberg.de [172.16.3.65]) (using TLSv1.3 with cipher AEAD-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by seppmail.py.meinberg.de (Postfix) with ESMTPS; Tue, 9 Aug 2022 13:01:22 +0200 (CEST)
X-Footer: bWVpbmJlcmcuZGU=
Received: from localhost ([127.0.0.1]) by srv-kerioconnect.py.meinberg.de with ESMTPSA (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)); Tue, 9 Aug 2022 13:01:20 +0200
Message-ID: <ff74f4d3-7533-2165-10c9-f1bce2166688@meinberg.de>
Date: Tue, 09 Aug 2022 13:01:20 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: Hal Murray <halmurray@sonic.net>, "ntp@ietf.org" <ntp@ietf.org>, Harlan Stenn <stenn@nwtime.org>
References: <20220809030711.F00DC28C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <8122203e-ac66-e4d7-5a52-5d053d8fa06a@nwtime.org> <YvIXDS2EkxzI0nTh@localhost> <9d304a6f-5570-0dad-d64d-b8ade71871e3@nwtime.org> <YvIthoUI7HtKpD9E@localhost> <01a9d920-3009-fdc0-07c1-68f5563bf130@meinberg.de> <YvI8RYIUNJvPI96W@localhost>
From: Martin Burnicki <martin.burnicki@meinberg.de>
Organization: Meinberg Funkuhren GmbH & Co. KG, Bad Pyrmont, Germany
In-Reply-To: <YvI8RYIUNJvPI96W@localhost>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------J00rG4f8ruH0il5QgNJSLIPN"
X-SM-outgoing: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/_3kbk_J4r64T-Pr8PxBcsqmjExY>
Subject: Re: [Ntp] Antw: [EXT] Re: Quick review of WGLC for status change for draft‑ietf‑ntp‑update‑registries
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 11:01:30 -0000

Miroslav Lichvar wrote:
> On Tue, Aug 09, 2022 at 12:39:02PM +0200, Martin Burnicki wrote:
>> Of course you can have a real v4 client use autokey but send a faked v3
>> version, in which case it might get a v3 response with autokey extensions.
>>
>> I've never heard that this caused any problem. On the contrary, the high
>> level of compatibility between v3 and v4 made the slow changeover from v3 to
>> v4 very user-friendly.
> 
> It doesn't cause problems if you use a compatible client and server,
> but it's out of the specification. The client shouldn't send an
> NTPv3 request with extension fields and the server shouldn't accept it
> and respond.

That's basically what I meant, except that even v3 already supported 
symmetric keys, and a v4 server can handle that without problems.

> The Windows NTP client and server use 64-byte MACs. They use NTPv3 and
> I think that is ok. There are no extension fields yet which could be
> confused with the MAC. In NTPv4 that would be a problem.
> 
>>> That is not possible if we want to make incompatible changes in NTPv5.
>>
>> Yes, that's why I believe the acceptance of v5 will grow very much slower
>> than the acceptance of v4.
> 
> How long it took for NTPv4 to reach a majority of NTP traffic?
> 
>>> As I understand it, ntpd doesn't support 7822 yet. It is still
>>> responding to unknown extension fields with a crypto NAK.
>>
>> I still don't see why it should not be possible at the server to first try
>> to decode the new EF (chain), and if that fails, try the old format, as I
>> explained in my previous email.
> 
> It depends on the context and it's 100% reliable (e.g. due to expired
> or misconfigured keys). Messages in well-designed protocols should be
> parseable with no context.

Anyway, what I described was to first try to use the new EFs, and *only* 
if that fails try to fall back to try the old EFs, if it is 
supported/configured?

Isn't this the same with other protocols which try the new stuff first, 
and can fallback to older stuff, if the admin allows it?


Martin
-- 
Martin Burnicki

Senior Software Engineer

MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki@meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg, 
Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de  https://www.meinbergglobal.com