IETF Logo Mail Archive

Re: [Ntp] NTP Security (was NTPv5: big picture)

Philip Prindeville <philipp@redfish-solutions.com> Sun, 17 January 2021 02:13 UTC

Return-Path: <philipp@redfish-solutions.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98BA13A1B5B for <ntp@ietfa.amsl.com>; Sat, 16 Jan 2021 18:13:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbjJLytxvITT for <ntp@ietfa.amsl.com>; Sat, 16 Jan 2021 18:13:53 -0800 (PST)
Received: from mail.redfish-solutions.com (mail.redfish-solutions.com [45.33.216.244]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68A1A3A1B5A for <ntp@ietf.org>; Sat, 16 Jan 2021 18:13:53 -0800 (PST)
Received: from [192.168.3.4] ([192.168.3.4]) (authenticated bits=0) by mail.redfish-solutions.com (8.16.1/8.16.1) with ESMTPSA id 10H2Dppr439651 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 16 Jan 2021 19:13:52 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.40.0.2.32\))
From: Philip Prindeville <philipp@redfish-solutions.com>
In-Reply-To: <CAFTY+dAMNZF_qPbzo2Fsj1LtF5+s-cze5s52rxBZSk6ofzG9gQ@mail.gmail.com>
Date: Sat, 16 Jan 2021 19:13:51 -0700
Cc: NTP WG <ntp@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <82F5AB50-6A66-45B0-8FA7-3D64811DF7A5@redfish-solutions.com>
References: <rsalz@akamai.com> <993FEEB5-F498-472E-813E-E684E273612F@akamai.com> <20210102050501.7D0DE40605C@ip-64-139-1-69.sjc.megapath.net> <26A97601-BEB4-4914-B570-6C8BD9C72FAD@akamai.com> <CACsn0cm=d3z+ceTDMaw2LDHg_AeNoxbs411iEFNpGpnWcyvZvw@mail.gmail.com> <CAFTY+dAMNZF_qPbzo2Fsj1LtF5+s-cze5s52rxBZSk6ofzG9gQ@mail.gmail.com>
To: James Browning <jamesb.fe80@gmail.com>
X-Mailer: Apple Mail (2.3654.40.0.2.32)
X-Scanned-By: MIMEDefang 2.84 on 192.168.1.3
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/c-qNPtzqjZpjt6m43RK6hFuI52g>
Subject: Re: [Ntp] NTP Security (was NTPv5: big picture)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jan 2021 02:13:55 -0000


> On Jan 16, 2021, at 3:49 PM, James Browning <jamesb.fe80@gmail.com> wrote:
> 
> On Sat, Jan 16, 2021, at 11:02 AM Watson Ladd <watsonbladd@gmail.com> wrote:
> I'd like to see some input from people who operate the pool on what
> solutions would work for them. Right now we're sort of flying blind.
> Perhaps we can discuss at IETF 110?
> 
> Only a user of the pool, but I basically see three ways to manage that.
> 1) Have the pool serve up SRV records and rewrite the pool code, the spec, and clients to compensate.
> 2) Have the pool run a common NTS-KE server for all NTS servers in the pool.
> 3) Convince TLS certificate vendors to sell IP based certificates.
> I am not particularly fond of any. Someone should find a fourth way.
> 


(2) seems very insecure.

(3) SAN (Subject Alternate Name) can be a domain name OR an IP address.

v2.23.0 | Report a Bug | By Email