Re: [Ntp] NTPv5 draft

Philip Prindeville <philipp@redfish-solutions.com> Mon, 07 December 2020 22:25 UTC

From: Philip Prindeville <philipp@redfish-solutions.com>
In-Reply-To: <4719090B-86D5-4BB5-BCBE-E0DF739D6816@meinberg-usa.com>
Date: Mon, 07 Dec 2020 15:25:50 -0700
Cc: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Miroslav Lichvar <mlichvar@redhat.com>, "ntp@ietf.org" <ntp@ietf.org>, Dieter Sibold <dsibold.ietf@gmail.com>
Message-Id: <E67C9778-5EAF-42F8-805A-F64BEA8FF44A@redfish-solutions.com>
References: <20201111161947.GG1559650@localhost> <AA848C67-CFB7-43FC-B190-FD3911360373@gmail.com> <20201201081203.GB1900232@localhost> <2B8C7410-DFA7-4A87-A33E-F50FFA96D0F9@gmail.com> <20201201100305.GK1900232@localhost> <F62C1325-8409-474C-9650-FA96405D0F4B@gmail.com> <20201207104541.GE2352378@localhost> <E0159612-5D83-4A0E-BBD1-1D75C0B49226@akamai.com> <20201207153444.GO2352378@localhost> <1204B871-7728-45DA-B628-8F79BD074A96@akamai.com> <4719090B-86D5-4BB5-BCBE-E0DF739D6816@meinberg-usa.com>
To: Doug Arnold <doug.arnold@meinberg-usa.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/aMkk1ljaaSfG-1TEtgEMawkiNMo>

If you’re saying “we all agree […] it could be optional” then I dissent.

I think that “private networks” and the notion of “the Intranet as implicitly secure” and the term “inside the perimeter” will fall by the wayside before 2030.

One of my previous employers (Gigamon) built an entire business model on the assumption that you need to monitor internal traffic for malware, insider attacks, etc. and hence marketed “network visibility appliances” (i.e. switches and taps that could intercept traffic and clone it to an IDS for real-time analysis).  The market apparently agrees.

Those that don’t think they need security inside their perimeter are simply those that haven’t had an insider attack, or someone bring in a contaminated laptop onto the campus network, etc… or haven’t yet realized that they have.

> On Dec 7, 2020, at 3:10 PM, Doug Arnold <doug.arnold@meinberg-usa.com> wrote:
> 
> I think that we all agree that ntpv5 has to have a security mechanism,  but it could be optional and/or described in a separate document.  Time over the open internet is a popular use case, and it must be covered.  But there is a lot of ntp in private networks.  Many network operators in these networks will want to turn on security, but probably not all.
> 
> Doug
> 
> On 12/7/20, 11:38 AM, "ntp on behalf of Salz, Rich" <ntp-bounces@ietf.org on behalf of rsalz=40akamai.com@dmarc.ietf.org> wrote:
> 
>    My view is that it is no longer acceptable to design a protocol for deployment on the open Internet that has no authentication or message integrity and that people who disagree are out of consensus.
> 
>    Does someone want to ask the current IESG for their view?
> 
> 
>    _______________________________________________
>    ntp mailing list
>    ntp@ietf.org
>    https://www.ietf.org/mailman/listinfo/ntp
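The thread above argues over whether NTPv5's security mechanism may be optional, and Rich Salz's point is specifically about authentication and message integrity. The following is an added example, not code from the thread or from any NTP implementation: it models the pre-NTS symmetric-key MAC that NTPv4 deployments use (RFC 5905 Appendix A: a 4-byte key ID and a 16-byte MD5 digest computed over the shared key followed by the 48-byte header, appended to the packet) and shows what an on-path host on a "trusted" LAN can do to a client that treats the MAC as optional. The shared secret, key ID, reference ID and timestamp are constructed sample values; `client_accepts` is a hypothetical policy switch standing in for the "mandatory vs. optional" choice, not any real implementation's behaviour. MD5 is used only because that is what RFC 5905 specifies; NTS (RFC 8915) replaced this scheme for NTPv4, and the point here is the difference between checking integrity and not checking it.

```python
"""Added example (not from the mailing-list thread): NTPv4 symmetric-key MAC
(RFC 5905 Appendix A style) and the effect of treating it as optional.
All key material, timestamps and identifiers are constructed sample values."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MAC_LEN = 4 + 16               # key ID + MD5 digest

# Constructed shared secret; in ntp.keys terms this would be key ID 42.
KEYS = {42: b"constructed-shared-secret"}


def build_header(tx_unix_seconds, stratum=2):
    """Build a 48-byte NTPv4 server reply (mode 4) whose timestamps are derived
    from tx_unix_seconds. Fractional seconds are zero to keep the sample small."""
    tx_secs = tx_unix_seconds + NTP_EPOCH_OFFSET
    return struct.pack(
        "!BBbbIIIIIIIIIII",
        (4 << 3) | 4,           # LI=0, VN=4, mode=4 (server)
        stratum,
        6,                      # poll exponent
        -20,                    # precision exponent
        0,                      # root delay
        0,                      # root dispersion
        int.from_bytes(b"GPS\0", "big"),  # constructed reference ID
        tx_secs, 0,             # reference timestamp
        tx_secs - 1, 0,         # origin timestamp (client's transmit time)
        tx_secs, 0,             # receive timestamp
        tx_secs, 0,             # transmit timestamp (bytes 40..47)
    )


def mac_sign(header, key_id):
    """Append keyid || MD5(key || header), as RFC 5905 Appendix A describes."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def mac_verify(packet):
    """True only if the packet carries a MAC that verifies under a known key."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    key = KEYS.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison so the check itself does not leak the digest.
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])


def transmit_time(packet):
    """Integer Unix time carried in the transmit timestamp field."""
    secs = struct.unpack("!I", packet[40:44])[0]
    return secs - NTP_EPOCH_OFFSET


def attacker_shift_clock(packet, shift_seconds):
    """On-path tampering (e.g. a compromised host or switch on the intranet):
    rewrite only the transmit timestamp, leaving the stale MAC in place."""
    secs = struct.unpack("!I", packet[40:44])[0] + shift_seconds
    return packet[:40] + struct.pack("!I", secs) + packet[44:]


def client_accepts(packet, require_mac):
    """Hypothetical client policy: with require_mac=False any well-formed reply
    is used (security 'optional and off'); with require_mac=True only a reply
    whose MAC verifies is used."""
    if len(packet) < NTP_HEADER_LEN:
        return False
    if not require_mac:
        return True
    return mac_verify(packet)


if __name__ == "__main__":
    genuine = mac_sign(build_header(1607380800), 42)  # constructed timestamp
    forged = attacker_shift_clock(genuine, 3600)       # push the client an hour ahead
    print("genuine tx:", transmit_time(genuine), "forged tx:", transmit_time(forged))
    print("MAC optional, forged reply accepted:", client_accepts(forged, require_mac=False))
    print("MAC required, forged reply accepted:", client_accepts(forged, require_mac=True))
```

The tampered reply is byte-for-byte a valid NTP packet, so a client that does not require the MAC steps its clock by an hour; the same client with the check mandatory rejects it because the digest no longer matches the header. That is the whole difference the "optional" wording makes on a network where an attacker already has a foothold.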