IETF Logo Mail Archive

Re: [Ntp] Antw: I-D Action: draft-ietf-ntp-bcp-07.txt

Denis Reilly <denis.reilly@orolia.com> Wed, 31 October 2018 18:24 UTC

Return-Path: <denis.reilly@orolia.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0B51130E69 for <ntp@ietfa.amsl.com>; Wed, 31 Oct 2018 11:24:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=orolia.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JgvOJtErdQyj for <ntp@ietfa.amsl.com>; Wed, 31 Oct 2018 11:24:03 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60075.outbound.protection.outlook.com [40.107.6.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0965F12D4F2 for <ntp@ietf.org>; Wed, 31 Oct 2018 11:24:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orolia.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AQlW8kPmuj12XIZ67U8YY3lwyXV9YyTfxaK+ACn8kV4=; b=zEgUYymCl4o4dw8JuGLT/XY3kkZ2GqP9XhaJ5cz96ROITZ4WnZ0Tpci2Om6LWBkURhRZ0xYQzvAumDd/UjBIdI28uMeuIBacoLhzOCOrQ6XiPGt8JcahFIEitJXXFkybBo24nDCu8mDe/kI8jDjzk4zkscLvZ0MdhJW/wdAsf+w=
Received: from AM0PR0602MB3730.eurprd06.prod.outlook.com (52.133.40.31) by AM0PR0602MB3362.eurprd06.prod.outlook.com (52.133.48.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1273.21; Wed, 31 Oct 2018 18:23:59 +0000
Received: from AM0PR0602MB3730.eurprd06.prod.outlook.com ([fe80::64b9:97ca:1bf0:ac9f]) by AM0PR0602MB3730.eurprd06.prod.outlook.com ([fe80::64b9:97ca:1bf0:ac9f%2]) with mapi id 15.20.1273.027; Wed, 31 Oct 2018 18:23:59 +0000
From: Denis Reilly <denis.reilly@orolia.com>
To: 'Ulrich Windl' <Ulrich.Windl@rz.uni-regensburg.de>
CC: "ntp@ietf.org" <ntp@ietf.org>
Thread-Topic: Antw: [Ntp] I-D Action: draft-ietf-ntp-bcp-07.txt
Thread-Index: AQHUVWBELEsPn05JW0KyFucBL+7q8qU54HLg
Date: Wed, 31 Oct 2018 18:23:59 +0000
Message-ID: <AM0PR0602MB37300CBDDEA3D55223E699D0FFCD0@AM0PR0602MB3730.eurprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=denis.reilly@orolia.com;
x-originating-ip: [66.193.84.98]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM0PR0602MB3362; 6:29+z3AfDxY+g8jdCgPLlJ5kN7HeVp73ir4Ptiwb8nynhr275a8m//bB9ZGF2YrWXNBS9Ab9RW9hUjkXrPJ0BhTbRrxK45Fjt7lMMnny+Fb3yooBp/mUQRN/MAy+kI/9rQnS0GGKYssI5T7bWLPKfsO/WusNz+NDEkzSlUuHp0bOTWXjyWpridzePQqG+Im9mZRkMMwzAhHYcREvsGLRHw9UlglDo8NVUjPLEq47pv2oYr+8kDztMu9alrVJIA6sIqQesJQadiiE3sYgT/o/3ZZZLB7tAL+NlVSVMmJB4AEVw/5PImrPNiKxRHYWQQ3XH8S3L3j/S1hOvQej+NnkOi+683SthnkjAJPoFyj7a8CEcWBPgC/0iRwNtRMFw+3L1kK/nDqAkR1kq1F7lj3C0mGFYksysNP/znDzg0OpddJ0eyleoCARsKj9+3qC+/pI0P9+z/EMMjF2MJZlo7lvVYA==; 5:ZeuDNr4Z1AVkvtQW7UAkyo3dzloNS5goh3mGv9lRQyy/55Zg1XLZUwwSjSMpDr9JKrjzILPcgraaifFvDcy4x88IAZobimdqFEQ4Zj4mOFN6Ov+Af2+FO03I2uNYzbuXUybQchhvSo83gK9TyVCeEvfb9NDEx3jIv+gBMVnIRmo=; 7:4Pl3jzAsG33d4dpB8R34+i4HBYxIqoKaq4iPt65Pl30pg3SDHftRY5GUu1nBFw8bmH5Y3mwtFVfUe9zbsQNjDG+JxQqxHTWFA7nYcqdUeQdt3xOXjgwLgsKpR37ywsRGX8Toi9ze8/n7TO6kaudoAw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 3fa7e4b4-69f0-4387-b4b2-08d63f5e06ee
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:AM0PR0602MB3362;
x-ms-traffictypediagnostic: AM0PR0602MB3362:
x-microsoft-antispam-prvs: <AM0PR0602MB33625A1C218C68B58D6270DAFFCD0@AM0PR0602MB3362.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(788757137089)(192374486261705)(120809045254105);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231382)(944501410)(4982022)(52105095)(93006095)(93001095)(3002001)(10201501046)(148016)(149066)(150057)(6041310)(20161123560045)(20161123564045)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699051)(76991095); SRVR:AM0PR0602MB3362; BCL:0; PCL:0; RULEID:; SRVR:AM0PR0602MB3362;
x-forefront-prvs: 084285FC5C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39850400004)(346002)(396003)(136003)(376002)(366004)(13464003)(199004)(189003)(66066001)(186003)(478600001)(5250100002)(71200400001)(71190400001)(9686003)(6306002)(229853002)(4326008)(2900100001)(4744004)(25786009)(2906002)(486006)(86362001)(14444005)(256004)(476003)(44832011)(3846002)(55016002)(6436002)(316002)(6116002)(74316002)(8936002)(966005)(105586002)(106356001)(81156014)(53546011)(53936002)(26005)(8676002)(97736004)(33656002)(7696005)(6506007)(99286004)(5660300001)(68736007)(6916009)(102836004)(7736002)(6246003)(81166006)(305945005)(14454004); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR0602MB3362; H:AM0PR0602MB3730.eurprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: orolia.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: DLb9OSueOOPbdEZTCs53AdSh0LFpJBBpHwM33S8joTYIe9hwyfRhiYSS9IqiTttmnYzP7y2vIyROwsH1KRF7JI67brlyLQ44BcdPHktXOODNHe7fJEOOIU/WORNLqAkMK9N3RfuVRL/rvjcXSU7fu+GxEiHLdM15tNRsbD1mEala7TLqKkFaeE8dr08lz2H48SbqhTNcEpJQIILlGbrLsfruuFpDFweJjjYo9DYMPD7n1l5RfBkaNJBjMQ+6CluZCWM4Xr4ThYfK0e84IsJ7HCBlCancYNkxv1T3p16OaqRlafni3bWpeBC8dFwMpsqxvd23We8J1fVttv9s0K0b4NqTopfRwHQgxX3wa0doALg=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: orolia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3fa7e4b4-69f0-4387-b4b2-08d63f5e06ee
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Oct 2018 18:23:59.4349 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a263030c-9c1b-421f-9471-1dec0b29c664
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR0602MB3362
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/gaL8-AmO1ORfmhDiq6JzmUlnckM>
Subject: Re: [Ntp] Antw: I-D Action: draft-ietf-ntp-bcp-07.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 18:24:14 -0000

Hello, Ulrich! We did see this note of yours from August, but didn't address it at the time. I am in the process of answering all the NTP BCP feedback. Please see our answers inline below.

And for the rest of you on the list who submitted feedback, rest assured you will be receiving them soon!

Best Regards,


--
Denis Reilly  |  Technical Lead  |  denis.reilly@orolia.com  (585)321-5837

-----Original Message-----
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> 
Sent: Saturday, August 25, 2018 6:42 PM
To: i-d-announce@ietf.org
Cc: ntp@ietf.org
Subject: Antw: [Ntp] I-D Action: draft-ietf-ntp-bcp-07.txt

Hi!

Another remark on "The NTP Control Messages responses are much larger than the
   corresponding queries.  Thus, they can be abused in high-bandwidth
   DDoS attacks.  To provide protection for such abuse NTP server
   operators should deploy ingress filtering BCP 38 [RFC2827].": If I understood it correctly, the ingress filtering has to be done by the attacker's ISP (where the bad packet enters the net). At the destination you possibly cannot do ingress filtering unless you want to disallow any packets outside the current subnet or the company's nets. If I misunderstood the advice, others may do as well, so please elaborate what operators should actually do.

DR: we note that BCP38 advises that corporate network administrators should implement filtering to make sure that their network cannot be the source of spoofed packets. So while you are correct that it is most useful at the ISP, it does offer benefits for corporate networks. We can clarify that "all large corporate networks" can benefit from this to reduce the scope a bit.


On "If a system is a broadcast client and its syslog shows that it is
   receiving "early" time messages from its server, that is an
   indication that somebody may be forging packets from a broadcast
   server.":
Maybe elaborate on use of authentication for broadcast clients: Should use of (strong) authentication keys be recommended?

DR: This section recommends to use broadcast in trusted networks only, so we make no recommendation on encryption here.



On "If a system is using broadcast mode and is running ntp-4.2.8p6 or
   later, use the 4th field of the ntp.keys file to specify the IPs of
   machines that are allowed to serve time to the group.":
I think it's too specific: Why not state "If your NTP client (it's describing a client, right?) allows to filter valid time sources, please use it (for eaxmple ntp-4.2.8p6 allows to put valid IP... in the 4th field of ..."

DR: This text had previously been moved to the ntpd appendix, where the specificity is more appropriate, but I forgot to remove it here. That will be fixed in the next submission.



Maybe rename "Using Pool Servers" to "Selecting Servers to use", because it's more general than just pool servers.
I would prefix the paragraph starting with "The NTP pool project is a group ..." with a general explanation that some NTP software is able to process a DNS response for a server name containing multiple IP addresses of different servers to pick some of those servers as time sources. THEN proceed explaining the NTP pool server project. Maybe also emphasize that "ingress filtering should not block pool servers" if they are intended to be used.

DR: We would prefer to keep the original title, because we feel the pool project is an important service for the community to know about. The link to the pool project has a good explanation of the DNS activity that does not need to be duplicated here.




I would combine these two paragraphs: "If you are a vendor who wishes to provide time service to your
   customers or clients, consider joining the pool and providing a
   "vendor zone" through the pool project." and "If you would like to contribute a server with a static IP address and
   a permanent Internet connection to the pool, please consult the
   instructions at http://www.pool.ntp.org/en/join.html [3] .".

DR: We will eliminate the second paragraph -- you are not the only person to note they are redundant.



You could add "up to twice a year" at the end of: "UTC is kept in agreement with the astronomical time UT1 [4] to within
   +/- 0.9 seconds by the insertion (or possibly a deletion) of a leap
   second."

DR: We don't think that change is necessary. 



I would change "and the protocol has the capability to broadcast leap second information" to "and the protocol has the capability to broadcast and process leap second information".

DR: I personally think that the way to view this is that the protocol will broadcast the leap second information, and the clients receiving the protocol messages would process the information. So I don't think the change is necessary.


Change "Note well that NTPv4 allows a maximum poll interval of 17, or 131,072 seconds, which is longer than a day." to "Note well that NTPv4's longest polling interval exceeds one day and thus a leap second announcement may be missed."

DR: Agreed



Change "keys have to be exchanged securely by external
   means." to "keys have to be exchanged securely by external
   means, and they have to be protected from disclosure."

DR: Agreed



I would swap the two sentences "NTP does not provide a mechanism to automatically
   refresh the applied keys.  It is therefore recommended that the
   participants periodically agree on a fresh key.". (Its recommended to refresh keys periodically, but (unfortunately) NTP dies not assist you in doing so (excpet from "readkeys").

DR: Personally I like how that language flows a bit better, we changed to:
"It is recommended that participants agree to refresh keys periodically. 
However, NTP does not provide a mechanism to assist in doing so."


On "Some implementations store the key in clear text.": Which do not?
DR: I don't know of any, but we can't guarantee that future implementation won't. In any case, we don't think the text needs to change.


I would re-word "An NTP client establishes a protected association by appending the
   key to the server statement in its configuration file." as "Authentication is requested by the client by specifying a key and adding a valid MAC to the request. This happens when a key number is specified with the server configuration (value and type of the key are read from a secret key file)."

I'd replace "Autokey was designed in 2003 to provide a means for clients to
   authenticate servers." with "Autokey was designed in 2003 to provide automatic key selection and updates for clients to
   authenticate servers."

DR: Dieter recommends "Autokey was specified in 2010 to provide automated key management and authentication of NTP servers".



The sentence "As such, access control should be used to limit the exposure of this
   information to inappropriate third parties." is quite confusing, because when a server serves a client, it will provide such information. Despite from updating the software, the operator can do little about that.

DR: I see now, we will reword to match language that was changed for the "control messages" section:
"As such, mechanisms outside of the NTP protocol, such as Access Control Lists, should be used to limit the exposure of this information to allowed IP addresses, and keep it from remote attackers not on the list.

On "Prevent the NTP daemon from taking time steps that set the clock
      to a time earlier than the compile date of the NTP daemon.": This would be a recommendation to an implementer, right? The operator cannot do much about it, I guess.

DR: We will clarify this for implementors.



Before the paragraph on "Kiss-o'-Death (KoD)" the concept should be explained in one sentence. (Like "KoD is a mechanism for a server to tell a client to stop polling it (that fast).)
And: The heading "KISS Packets" should be "Kiss-of-Death Packets". Generally I would remove some of the details that describe the implementation and are not related to actual recommendations.

DR: We feel that the introductory sentence "The "Kiss-o'-Death" (KoD) packet is a rate limiting mechanism where a server can tell a misbehaving client to "back off" its query rate." is a clear enough explanation. But we agree that the heading can be changed.



In 6.6 explain that a passive peer receives time messages from a server that has not been configured at the client.

DR: Can you explain this further? We don't see how it fits here.



For 7. maybe note that embedded devices sometimes do not have a battery-buffered clock, so using NTP successfully to set the time may be critical for proper operation.

DR: Excellent point, thanks!




Maybe add: "Avoid devices that use a fixed built-in configuration for NTP" (meaning: YOu cannot configure its servers or security).

Maybe also differ between embedded clients and embedded servers...

DR: We feel this advice can be difficult for some of these new small IoT devices, we prefer to put the onus on vendors to be responsible.




For 8.: Maybe clarify the difference between "manycast", "anycast" and "multicast" (not to talk abut broadcast).

DR: We feel that Manycast and Multicast are already covered in RFC 5905.

Regards,
Ulrich


>>> <internet-drafts@ietf.org> 31.07.18 21.18 Uhr >>>

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Time Protocol WG of the IETF.

        Title           : Network Time Protocol Best Current Practices
        Authors         : Denis Reilly
                          Harlan Stenn
                          Dieter Sibold
    Filename        : draft-ietf-ntp-bcp-07.txt
    Pages           : 23
    Date            : 2018-07-31

Abstract:
   NTP Version 4 (NTPv4) has been widely used since its publication as
   RFC 5905 [RFC5905].  This documentation is a collection of Best
   Practices from across the NTP community.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ntp-bcp/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ntp-bcp-07
https://datatracker.ietf.org/doc/html/draft-ietf-ntp-bcp-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ntp-bcp-07


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
ntp mailing list
ntp@ietf.org
https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email