IETF Logo Mail Archive

Re: [Ntp] Eric Rescorla's No Objection on draft-ietf-ntp-mac-05: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Mon, 07 January 2019 15:45 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A711126CC7 for <ntp@ietfa.amsl.com>; Mon, 7 Jan 2019 07:45:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XvQS4KD3Gg0p for <ntp@ietfa.amsl.com>; Mon, 7 Jan 2019 07:45:07 -0800 (PST)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8080130EDE for <ntp@ietf.org>; Mon, 7 Jan 2019 07:45:01 -0800 (PST)
Received: by mail-lf1-x131.google.com with SMTP id a16so626838lfg.3 for <ntp@ietf.org>; Mon, 07 Jan 2019 07:45:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HH7Kw7/Z/LxF4tAw1eZuUXcvLtQtrSjJyaWr4Ve0wtM=; b=N/xcEpDq+kexz3tmUxJh4rXrF2xFbRwdpKQCkw0uJQeNap4maLTCQGsEdi/mb3Q/BZ CbUnvAsuOCbQyP9gqv5aLlIbY7SYZjQO/RcD3YIG3ZAPjBmShIfN0vyDw6dPphJT3E/Q N0KOD1lZfrDte5NeAila70kYNchwSxi0WuNG46UI9HwySP+Z7LwyddiFvuCymX7j1ygZ UEsPz3bc+uMQRY2uc8uhAUiwgf30pzFaMg5idckVw2EKIP8MBWH9x2Xr8aVgGucsEUYa jN0Im2XzNQP1v1j4kyKwI+sM0rvqa2orJQJcg/9nN5MGBLpfTeVl+AsQpl7EtX2sUk3T UOIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HH7Kw7/Z/LxF4tAw1eZuUXcvLtQtrSjJyaWr4Ve0wtM=; b=WTDHYnD3LU9+jBhWjg8YtVGvn7QFBjvHVhASffH7BJRov4C9WuxM1BxaH6DEqtLpC/ ZqfflKY0j99TM1EweQ6xOsGGTjCnAR/8lhPJSjAeqZ0vyckD+9uyB51wX/UiIAWQhhxk zsvs6FHPgUFXEifFrPur7QKmk7xnN/p6NBrT7G1lxbZvIu8r886NulxogUBP4zCQCQDv 5DQO2/6+RXIczK3iGLvPY2YvWQ6ZNdJZz57yLkbnCmvHzC99bWdvJxZO1Cr7E6G0Ttlh zSxOHXHd0jifo+SROYsbgjpopHOwLy/gJV443FotbQihzi1gsyoaJJ+swNugocDxWiQm X0Gw==
X-Gm-Message-State: AJcUukdvPJcDYBVt5VwxwIfaRk6Tv0MH70xkgVKQbX8Mi96StmF8kgLu P0C119od7b+vMJVG+3rJ8hj6aj2oBJ0Gg8cPh3WkwYg47iw=
X-Google-Smtp-Source: ALg8bN7PPWwqUAPC0QkbIOj71tRTjYCiZ9JQ3e1wRUKSrvHg79nhwF63d6PNO04HvoDuF4P5Z3bybodD8/6zHjl1Qpc=
X-Received: by 2002:a19:910d:: with SMTP id t13mr1141054lfd.98.1546875899226; Mon, 07 Jan 2019 07:44:59 -0800 (PST)
MIME-Version: 1.0
References: <154249556260.15903.907105541022924420.idtracker@ietfa.amsl.com> <CAMbs7ktx_s+-Mg7xt+h+J5DuC=w6LoEAFYCbctHmMds2WSD4GA@mail.gmail.com> <CABcZeBMzzaxtYxLG1-rDFv6vC3_utd2d-i2cd2OSRvBnnf+Fug@mail.gmail.com> <CAMbs7ku=ydF6VSTG7mhDTbTGfPGztm=t43v33+xLFzYurt6FQA@mail.gmail.com> <CABcZeBOXfvzs3=A6BYP8sxg3=FeYST0eFBFyK8t3aEf5emACGQ@mail.gmail.com> <CAMbs7kuebqAxXw9-714f9LvhF+4SGJQqnLXps1AukUFwBfNs+w@mail.gmail.com>
In-Reply-To: <CAMbs7kuebqAxXw9-714f9LvhF+4SGJQqnLXps1AukUFwBfNs+w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 07 Jan 2019 07:44:21 -0800
Message-ID: <CABcZeBP2=7_z=1Z9pAyM1XwGMjcPJ_P6_sTYgYxpHON=t+mTmg@mail.gmail.com>
To: Aanchal Malhotra <aanchal4@bu.edu>
Cc: ntp-chairs@ietf.org, ntp@ietf.org, draft-ietf-ntp-mac@ietf.org, The IESG <iesg@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>
Content-Type: multipart/alternative; boundary="0000000000007c437a057ee01ce2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/btU8Mt8_a1nzUwHunstssnYgxc4>
Subject: Re: [Ntp] Eric Rescorla's No Objection on draft-ietf-ntp-mac-05: (with COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 15:45:09 -0000

On Mon, Jan 7, 2019 at 6:47 AM Aanchal Malhotra <aanchal4@bu.edu> wrote:

>
>
> On Fri, Jan 4, 2019 at 12:53 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Fri, Jan 4, 2019 at 9:49 AM Aanchal Malhotra <aanchal4@bu.edu> wrote:
>>
>>> HI Eric,
>>>
>>>
>>>
>>> On Fri, Jan 4, 2019 at 12:25 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>>
>>>>
>>>> On Fri, Jan 4, 2019 at 8:24 AM Aanchal Malhotra <aanchal4@bu.edu>
>>>> wrote:
>>>>
>>>>> Hi Eric,
>>>>>
>>>>> Thanks for the comments.
>>>>>
>>>>> On Sat, Nov 17, 2018 at 5:59 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>
>>>>>> Eric Rescorla has entered the following ballot position for
>>>>>> draft-ietf-ntp-mac-05: No Objection
>>>>>>
>>>>>> When responding, please keep the subject line intact and reply to all
>>>>>> email addresses included in the To and CC lines. (Feel free to cut
>>>>>> this
>>>>>> introductory paragraph, however.)
>>>>>>
>>>>>>
>>>>>> Please refer to
>>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>>
>>>>>>
>>>>>> The document, along with other ballot positions, can be found here:
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>> COMMENT:
>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>> Rich version of this review at:
>>>>>> https://mozphab-ietf.devsvcdev.mozaws.net/D3591
>>>>>>
>>>>>>
>>>>>>
>>>>>> COMMENTS
>>>>>> S 3.
>>>>>> >      If authentication is implemented, then AES-CMAC as specified
>>>>>> in RFC
>>>>>> >      4493 [RFC4493] SHOULD be computed over all fields in the NTP
>>>>>> header,
>>>>>> >      and any extension fields that are present in the NTP packet as
>>>>>> >      described in RFC 5905 [RFC5905].  The MAC key for NTP MUST be
>>>>>> at
>>>>>> >      least 128 bits long AES-128 key and the resulting MAC tag MUST
>>>>>> be at
>>>>>> >      least 128 bits long as stated in section 2.4 of RFC 4493
>>>>>> [RFC4493].
>>>>>>
>>>>>> Is there a way for either of these values to be > 128 bits? If not,
>>>>>> maube just say "must be 128 buts:
>>>>>>
>>>>>
>>>>> How about the following?
>>>>> "The MAC key for NTP MUST be 128 bits long AES-128 key and the
>>>>> resulting MAC tag MUST be at least 128 bits long as stated in section 2.4
>>>>> of RFC 4493 [RFC4493]."
>>>>>
>>>>> This is to make sure that the MAC tag is not truncated to < 128 bits.
>>>>>
>>>>
>>>> As I understand it, this text is specifying just AES-CMAC (otherwise
>>>> the text about it being an AES key doesn't make sense) and AES-CMAC has a
>>>> 128 bit output. And thus the "at least 128 bits" text  doesn't do anything
>>>> and just says "MUST be 128 bits".
>>>>
>>>
>>> I see what you are saying but here is what I am worried about. Section
>>> 2.4 of RFC 4493 says the following:
>>>
>>> "It is possible to truncate the MAC. According to [NIST-CMAC
>>> <https://tools.ietf.org/html/rfc4493#ref-NIST-CMAC>], at least a 64-bit
>>> MAC should be used as protection against guessing attacks. "
>>>
>>> And I do not want to NTP MAC tag to be truncated to < 128 bits. So here
>>> is a possible rephrasing:
>>>
>>
>> Well, I'm not quite sure why you think truncating is bad in this case,
>> but ignoring that.
>>
>> "The MAC key for NTP MUST be 128 bits long AES-128 key and the resulting
>>> MAC tag MUST be 128 bits long as stated in section 2.4 of RFC 4493
>>> [RFC4493]. Truncation as permitted in Section 2.4 of RFC 4493 MUST not be
>>> used. "
>>>
>>> What do you think?
>>>
>>
>> This just seems redundant. You can't use truncation and have the MAC be
>> != 128 bits, and your first sentence says it's 128 bits long.
>>
>
> I want to make the point clear but also agree that redundancy is bad. So
> how about the following:
>
> "The MAC key for NTP MUST be 128 bits long AES-128 key.  Truncation as
> permitted in Section 2.4 of RFC 4493 [RFC4493] MUST not be used and
> therefore the resulting MAC tag MUST be 128 bits long."
>

I think you're overindexing on this and the point is clear. Lots of MACs
have truncation features, and we regularly specify the length without any
extra emphasis on not truncating. In which protocol have you seen (a) the
MAC length explicitly specified and (b) people truncating anyway?

-Ekr


>> -Ekr
>>
>>
>>>> -Ekr
>>>>
>>>> _______________________________________________
>>>> ntp mailing list
>>>> ntp@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ntp
>>>>
>>>

v2.23.0 | Report a Bug | By Email