IETF Logo Mail Archive

Re: [Ntp] Draft extension NTS for pools

David Venhoek <david@venhoek.nl> Fri, 12 January 2024 08:11 UTC

Return-Path: <david@venhoek.nl>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36110C14F690 for <ntp@ietfa.amsl.com>; Fri, 12 Jan 2024 00:11:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=venhoek-nl.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1wnaA0oVHwHG for <ntp@ietfa.amsl.com>; Fri, 12 Jan 2024 00:11:47 -0800 (PST)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FD2CC14F68C for <ntp@ietf.org>; Fri, 12 Jan 2024 00:11:45 -0800 (PST)
Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-a28f66dc7ffso1311293166b.0 for <ntp@ietf.org>; Fri, 12 Jan 2024 00:11:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=venhoek-nl.20230601.gappssmtp.com; s=20230601; t=1705047104; x=1705651904; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=sV//2W+hybeDtRFCtkKIJkXJKzhGzHcQ9TYnb7Lj/KI=; b=qX/4Pc4uOmnWephjnrTEigwaoMWIGhmwfKnrJiIqwvjdpQw9J9iYwBKItO1TKe2K5c jPLvSbRE3l0zkGlqYs/2BWDcYIsF9/8gSbB9QRd0Ure2stusiEvAANNkVfKT6iG6I57S SXLlXLb1NAKyhBrJCgKO+JsoCClx6bi8zNCaeCe/xxg7PZaOsL9ZEA1ahnj40CZfONYi adBfrp31VKoS4vY7z0PWmIRi1re2eAk6s4aKiMvXh+5pczP31HawNU5W2s3F5fBcj9lF fyEZfznJ2DXY4n38c28gUTLJoHtQTqdKCa7ghsLROEytiXOWMV70gDAAMhK0zgcHdzL+ 47gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705047104; x=1705651904; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sV//2W+hybeDtRFCtkKIJkXJKzhGzHcQ9TYnb7Lj/KI=; b=ej7OanXRN53NKJQHrtHDZ5BQabIqWyoTbn4GfbF+C0oSKc41jk3dat2PBCthcEQIt2 ukuAe9ImHqaphp5BoHapJfhQ83Fd37K6tPUKHWeFUXVsgeViI4FjsOoip5z0TSUWFld+ R91JUVs5sXfxvRCis9B0jkSDQ8gNNmrEhLImQQ+1X9/eo94hebOzOsgAT9sE1bgdmuna /rxJ/lweRm3yg3vwNBk8oOAeUh0/w43726rcIfb7W2bo30ZRmYHDD8h4ZLnTfOKuYc7c LBFh2SunVBstw9n7SrzKA297lb8KDSiSqFC3I9xL+F2ovMQvaaQjXMHjn5t56oOBNANC iG1w==
X-Gm-Message-State: AOJu0YyOe0xO4UYpIj2Gfiw44hBmFP61utjTS5GRb3Rr3c5u/Z7pXr41 sMPnAM+eKWw2J7IxaA4QBQ+VGGr4BLDjitn+s5yuk7IU4jn9Cw==
X-Google-Smtp-Source: AGHT+IHzFyU0DogiF2EvswrOkZGgLk2jARngpq/Z4YXfvnLnZdRlBXWaLsLtVi41yDZ77F+HfWZz9S03nkLQKrvUm6M=
X-Received: by 2002:a17:907:3181:b0:a26:8c4d:b0b6 with SMTP id xe1-20020a170907318100b00a268c4db0b6mr2266480ejb.9.1705047103625; Fri, 12 Jan 2024 00:11:43 -0800 (PST)
MIME-Version: 1.0
References: <CAPz_-SWidPW1bACgt_dN7saGfjPYbXtZLbqFpTGhPj5OOK4xYg@mail.gmail.com> <ZZUIG_6jxqtb0e5T@localhost> <CAPz_-SVpt_oz2GxO7Tn=0=tXxYdMnFWvtmFyAG4HgFipvku29g@mail.gmail.com> <ZZ_Xgzq2TqjpVbNS@localhost>
In-Reply-To: <ZZ_Xgzq2TqjpVbNS@localhost>
From: David Venhoek <david@venhoek.nl>
Date: Fri, 12 Jan 2024 09:11:32 +0100
Message-ID: <CAPz_-SVdoovN+A2Q97uVOmG7-hWYDt7BWKRt230iKTKH8PBrOQ@mail.gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: NTP WG <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/a9pQT0x3CyDL13HzhYij0vCl4Ag>
Subject: Re: [Ntp] Draft extension NTS for pools
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2024 08:11:49 -0000

We chose not to go that route for two reasons:

1) it wouldn't actually be enough to just exchange server keys and
standardize that. This would mean standardizing the format and
cryptographic algorithms used in encoding the cookies for the ntp
client as well. That is significantly more involved both in actually
implementing the changes, as well as standardizing it. This would
involve significantly more opinionated choices than the current
proposal. In particular, it would remove a lot, if not all, of the
cryptographic agility the suggestion we made has. Furthermore, given
the fact that hardware implementations already exist for the cookie
parsing and that these tend to be much harder to change on this point,
this would effectively lock out those implementations.

2) Although subtle, and in some cases of debatable value, there is a
minor gain in security with the current setup, in that the pool cannot
decode any of the cookies used by the individual pool servers. This
has a primary benefit when a server is both in the pool and offered
separately, as there is no need to keep two sets of keys in that
situation, giving significant extra security for direct users of that
server essentially by default. But even for pool servers it becomes
somewhat harder for the pool to attack traffic from individual pool
users as it cannot use the cookie to determine the key to use once it
has missed the first 8 polls.

On Thu, Jan 11, 2024 at 12:56 PM Miroslav Lichvar <mlichvar@redhat.com> wrote:
>
> On Wed, Jan 10, 2024 at 12:26:18PM +0100, David Venhoek wrote:
> > We have thought about similar approaches (in particular the suggestion
> > from Christer Weinigel at the hackaton in London to do this with dns
> > SRV records), but we in particular decided very early on to focus on
> > an approach which doesn't require any modifications to the client.
> >
> > We made this decision because we feel that this drop-in compatibility
> > is one of the key factors also behind the success of the original ntp
> > pool. Requiring modifications to clients would slow adoption and will
> > likely result in clients (at least in the short and medium term) that,
> > although they do support nts, will not work together with such a pool.
>
> I don't see advantages of this approach over what is already possible.
>
> If you are willing to modify the servers (but not clients), why do all
> this complicated proxying when the server accessible under the pool
> name could be running full NTS-KE itself and generating keys (e.g.
> once per week) for the other servers running only NTS-NTP?
>
> The TLS load of the NTS-KE server would be halved as it doesn't
> have to connect to other servers as a client. The keys don't have to
> be shared among the NTS-NTP servers (potentially running by different
> people). The NTS-KE server can select the keys according to the NTP
> server negotiation record.
>
> If the goal is to interoperate between different NTS-NTP/NTS-KE
> implementations, we can specify a protocol or file format for
> exchanging the server keys and their validity period.
>
> --
> Miroslav Lichvar
>

v2.23.0 | Report a Bug | By Email