Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standard security

tom petch <daedulus@btconnect.com> Tue, 09 February 2021 11:24 UTC

To: Dhruv Dhody <dhruv.ietf@gmail.com>
Cc: last-call@ietf.org, ek.ietf@gmail.com, ntp-chairs@ietf.org, NTP WG <ntp@ietf.org>, Dieter Sibold <dsibold.ietf@gmail.com>, draft-ietf-ntp-yang-data-model@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/c2gwIU6uZY7NcEVyDCyf68ax3mI>

On 08/02/2021 17:05, Dhruv Dhody wrote:
> Hi Tom,
>
> Thanks for your detailed review. Let's discuss the security first -
>
> On Mon, Feb 8, 2021 at 6:07 PM tom petch <daedulus@btconnect.com> wrote:
>>
>> This is my second response to this Last Call, about a possible security
>> issue.
>>
>> RFC8573 seems clear that MD5 must not be used to effect security for NTP
>> but this I-D imports iana-crypt-hash which allows MD5 without any
>> restriction, so is MD5 allowed or not?
>
> Good question. While it is easy to restrict the use of MD5 by adding a
> must statement, I want to check if it is a good idea. The YANG model
> is written in such a way that it supports older versions of NTP as
> well. Would barring MD5 configuration be an issue if there are older
> implementations in the network still? I think perhaps adding a warning
> in the description is a good idea. I did a quick search and don't see
> other YANG models doing a check either. Would be good to get some
> guidance on this.

Dhruv

After many years, Security (AD, secdir, advisor) still have the power to 
surprise me but I would still be surprised if Security were happy with 
an I-D which places no constraint on MD5 when the IETF has published an 
RFC deprecating its use and NTP has RFC8573 which specifically deprecates it.

Yet Security may not realise this from reading this I-D since the 
unrestricted use of MD5 is not immediately apparent so my post was aimed 
at bringing this to the attention of Security.  As to whether this needs 
a note in Security Considerations or enforcing by YANG or both I am less 
clear on - that is up to Security.  If the YANG is to deprecate it, then 
the features in ianach make that possible.

Whether or not MD5 is widely used in the field is irrelevant.  The IETF 
consensus is to deprecate its use and I am sure that the IESG will want 
this I-D to do just that.

Tom Petch


>
>> There are features defined which allow the hash in iana-crypt-hash to be
>> restricted but this I-D does not use them.
>>
>
> I didn't see any reason to use them in the NTP Yang. Can you?
>
>> Probably iana-crypt-hash should be updated - I will raise that on the
>> NETMOD WG list.
>>
>> The I-D also uses MD5 in a way that would appear not to be security
>> related, to hash an IPv6 address.
>>
>
> This is as per RFC 5905 -
>
>     If using the IPv4 address family, the identifier is the four-
>     octet IPv4 address.  If using the IPv6 address family, it is the
>     first four octets of the MD5 hash of the IPv6 address.
>
>
>> In passing, this I-D has three references to RFC7317.  This is wrong -
>> the module is IANA-maintained and so the references should be to the
>> IANA website.
>>
>
> But even the iana-crypt-hash YANG model put RFC 7317 as a reference -
>
>       revision 2014-08-06 {
>         description
>           "Initial revision.";
>         reference
>           "RFC 7317: A YANG Data Model for System Management";
>       }
>
> I will start working on your other comments and prepare a new version.
>
> Thanks!
> Dhruv
>
>> The secdir reviewer might be interested in my thoughts.
>>
>> Tom Petch
>>
>> On 29/01/2021 22:39, The IESG wrote:
>>>
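The two points argued above (restricting MD5-crypt key values typed as iana-crypt-hash, and the non-security use of MD5 for the IPv6 reference ID in RFC 5905) as an added worked example; this is illustrative code written for this page, not code from the draft or from either author. It assumes the crypt-hash value patterns of RFC 7317's iana-crypt-hash ($0$ cleartext, $1$ MD5-crypt, $5$ SHA-256-crypt, $6$ SHA-512-crypt) and uses constructed sample values.

```python
import hashlib
import ipaddress
import re

# Value patterns of the iana-crypt-hash typedef (RFC 7317). A YANG 'must'
# statement in the NTP module could express the same restriction as
# check_key_value() below; here it is done in Python so it can be run.
CRYPT_HASH_RE = re.compile(
    r"^(\$0\$.*"
    r"|\$1\$[a-zA-Z0-9./]{1,8}\$[a-zA-Z0-9./]{22}"
    r"|\$5\$(rounds=\d+\$)?[a-zA-Z0-9./]{1,16}\$[a-zA-Z0-9./]{43}"
    r"|\$6\$(rounds=\d+\$)?[a-zA-Z0-9./]{1,16}\$[a-zA-Z0-9./]{86})$"
)

# Policy assumed for this example: $1$ (MD5-crypt) is not acceptable for
# NTP keys once RFC 8573's deprecation of MD5 is applied.
MD5_CRYPT_PREFIX = "$1$"


def check_key_value(value):
    """Return (ok, reason) for one NTP key value typed as crypt-hash."""
    if not CRYPT_HASH_RE.match(value):
        return False, "not a valid iana-crypt-hash value"
    if value.startswith(MD5_CRYPT_PREFIX):
        return False, "MD5-crypt key rejected: RFC 8573 deprecates MD5 for NTP"
    return True, "ok"


def check_key_list(values):
    """Report every key value that would fail the restriction."""
    return [(v, r) for v in values for ok, r in [check_key_value(v)] if not ok]


def ntp_refid(address):
    """Reference ID per RFC 5905: the four IPv4 octets, or the first four
    octets of MD5 over the 16-byte IPv6 address. This is not a security use
    of MD5; the result is only a 32-bit identifier used for loop detection."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ip.packed
    return hashlib.md5(ip.packed).digest()[:4]


if __name__ == "__main__":
    # Constructed sample key values, not real credentials.
    sample_keys = ["$6$salt$" + "b" * 86, "$1$salt$" + "a" * 22, "plain"]
    for value, reason in check_key_list(sample_keys):
        print(f"{value[:12]}...: {reason}")
    print(ntp_refid("2001:db8::1").hex())
```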