Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requirements-01.txt

Miroslav Lichvar <mlichvar@redhat.com> Tue, 24 January 2023 13:40 UTC

On Wed, Jan 18, 2023 at 10:04:52AM -0800, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Network Time Protocols WG of the IETF.
> 
>         Title           : NTPv5 use cases and requirements
>         Author          : James Gruessing
>         Filename        : draft-ietf-ntp-ntpv5-requirements-01.txt

The new version added the following paragraph:

   An additional identifier mechanism MAY be considered for the
   purposes of client allow/deny lists, logging and monitoring. Such a
   mechanism, when included, SHOULD be independent of any loop
   avoidance mechanism, and authenticity requirements SHOULD be
   considered.

It's not very clear to me what feature of the protocol this is
supposed to allow or prevent. Any examples?

In 5.1. there is:
   The risk that an on-path attacker can delay packets between a
   client and server exists in all time protocols operating on
   insecure networks and its mitigations within the protocol are
   limited for a clock which is not yet synchronised.

I think I suggested this before. It would be good to add a requirement
here that the protocol MUST be able to prevent attackers from
injecting unlimited offsets into the measurements, i.e. not allow the
broadcast mode in NTPv5. We should support only the most secure mode
(client-server).

-- 
Miroslav Lichvar
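As an added illustration of the delay-attack point above (example code written for this page, not part of the message or the draft): the four-timestamp client-server exchange lets the client see the extra delay an on-path attacker introduces, so the offset error it can inject is bounded by half the measured round-trip delay and a maximum-delay check can reject the sample, whereas a one-way broadcast packet gives the client no such measurement. All timestamps are constructed sample values in seconds; the hold times model an attacker delaying packets.

```python
# Added example: why client-server mode bounds an on-path delay attack
# while one-way (broadcast) time does not. Timestamps follow the usual
# exchange: t1 client send, t2 server receive, t3 server send, t4 client
# receive. Sample values are constructed; the server clock runs ahead of
# the client clock by true_offset.

def offset_and_delay(t1, t2, t3, t4):
    """Classic NTP estimate of clock offset and round-trip delay."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def client_server_sample(true_offset, one_way, hold_request=0.0, hold_response=0.0):
    """Simulate one request/response; the attacker may hold either packet."""
    t1 = 100.0                                           # client clock
    t2 = t1 + one_way + hold_request + true_offset       # server clock
    t3 = t2 + 0.001                                      # server processing
    t4 = t3 - true_offset + one_way + hold_response      # client clock
    return offset_and_delay(t1, t2, t3, t4)


def broadcast_sample(true_offset, one_way, hold=0.0):
    """Simulate one broadcast packet. The client only knows the server's
    send time t3 and its own receive time, so it must assume a fixed path
    delay; every second the attacker holds the packet shifts the estimate
    by a full second and nothing in the packet reveals it."""
    assumed_one_way = one_way                            # client's assumption
    t3 = 200.0                                           # server clock
    t4 = t3 - true_offset + one_way + hold               # client clock
    return t3 + assumed_one_way - t4                     # estimated offset


def accept_sample(offset, delay, max_delay):
    """Defender's check for client-server mode: the attacker's contribution
    to the offset is at most delay / 2, so capping the accepted round-trip
    delay caps the error an on-path adversary can inject."""
    return delay <= max_delay
```

With a 2 s hold on the response, the client-server estimate is off by 1 s but the measured delay jumps from 0.02 s to 2.02 s and the sample is rejected; the broadcast estimate is off by the full 2 s with no indication that anything happened.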