[Ntp] Antw: Re: Adam Roach's No Objection on draft-ietf-ntp-mac-05: (with COMMENT)
"Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de> Thu, 22 November 2018 07:28 UTC
Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F257E130DC3; Wed, 21 Nov 2018 23:28:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1FIQOlnP1VCd; Wed, 21 Nov 2018 23:28:09 -0800 (PST)
Received: from rrzmta1.uni-regensburg.de (rrzmta1.uni-regensburg.de [194.94.155.51]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75932128C65; Wed, 21 Nov 2018 23:28:09 -0800 (PST)
Received: from rrzmta1.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 823C5647B8; Thu, 22 Nov 2018 08:28:05 +0100 (CET)
Received: from gwsmtp1.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by rrzmta1.uni-regensburg.de (Postfix) with ESMTP id A5B3D610AE; Thu, 22 Nov 2018 08:28:03 +0100 (CET)
Received: from uni-regensburg-smtp1-MTA by gwsmtp1.uni-regensburg.de with Novell_GroupWise; Thu, 22 Nov 2018 08:28:03 +0100
Message-Id: <5BF65A81020000A10002E335@gwsmtp1.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.1.0
Date: Thu, 22 Nov 2018 08:28:01 +0100
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: Kyle Rose <krose@krose.org>
Cc: "draft-ietf-ntp-mac@ietf.org" <draft-ietf-ntp-mac@ietf.org>, The IESG <iesg@ietf.org>, "ntp@ietf.org" <ntp@ietf.org>, "ntp-chairs@ietf.org" <ntp-chairs@ietf.org>
References: <adam@nostrum.com> <154269649579.26521.17016787490324740775.idtracker@ietfa.amsl.com> <20181120200757.1BDB240605C@ip-64-139-1-69.sjc.megapath.net> <CAJU8_nUV+m-7f+1gLD4Uu__sNnkT1MTpY62hO2CmRLT2=N1Lmw@mail.gmail.com>
In-Reply-To: <CAJU8_nUV+m-7f+1gLD4Uu__sNnkT1MTpY62hO2CmRLT2=N1Lmw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/eGh2pQumxa-e7imdkMmPld9OPUI>
Subject: [Ntp] Antw: Re: Adam Roach's No Objection on draft-ietf-ntp-mac-05: (with COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Nov 2018 07:28:13 -0000
>>> Kyle Rose <krose@krose.org> schrieb am 21.11.2018 um 19:01 in Nachricht <CAJU8_nUV+m-7f+1gLD4Uu__sNnkT1MTpY62hO2CmRLT2=N1Lmw@mail.gmail.com>: > I think the objection about backwards compatibility is more easily > addressed by noting that deployments currently using MD5 authentication > have a pre-existing relationship that presumes the existence of pre-shared > keys and an implied agreement on MD5. If a new version of the software > allows for selection of the MAC algorithm on a per keyid basis, then there > is a natural rollout path that does not require an atomic upgrade of all > servers in a cluster. (keyid here refers to section 7.3 of RFC 5905.) > > So, one potential rollout option is to upgrade all NTP servers in a mutual > trust network, keeping the existing keyid, key, and algorithm (MD5) but > adding an additional keyid, key, and algorithm (AES-CMAC). Once the > software upgrade is complete, alter the servers' configurations to use the > new keyid. This kind of two-phase commit is less flexible than online > negotiation of cipher suites, but it seems fine given the constraints of an > existing wire image and the need to be backwards-compatible. I have not > looked at either the code or the config to know if the necessary degree of > algorithmic agility is currently supported, but I can't imagine it would be > difficult to add. Hi! It's not related to the draft, but, there is no command to _easily_ change the key of a server/peer only, meaning one must drop the assoc and reestablish a new one. That means a temporary drop of quality from that assoc. Maybe the reference implementation could add some command like "usekey <keynumber> <assoc>..." that would also allow to add a key where no one existed before... Regards, Ulrich P.S. CC list trimmed somewhat. > > Other use cases should look to NTS. > > Kyle > > On Tue, Nov 20, 2018 at 3:08 PM Hal Murray <hmurray@megapathdsl.net> wrote: > >> >> > I agree with Mirja's concerns about the backwards compatibility aspects, >> > especially from an operational perspective -- in particular, is there >> some >> > way to roll this change out incrementally, or does it require a flag >> day? It >> > seems to me that this document really needs an "operational >> considerations" >> > section that either explains how this change might be deployed or cites >> some >> > already existing NTP document that does so. >> >> No flag day. The config files specify the crypto algorithm. Current code >> supports MD5 and SHA1. AES128CMAC gets added. >> >> If you are thinking about that area, I'd worry about the opposite. As far >> as >> I can tell, crypto isn't used much. News about a new RFC isn't likely to >> get >> to the admins who are actually in charge of the machines using it so they >> will >> continue to use whatever they are currently using. >> >> >> -- >> These are my opinions. I hate spam. >> >> >> >> _______________________________________________ >> ntp mailing list >> ntp@ietf.org >> https://www.ietf.org/mailman/listinfo/ntp >>
- Re: [Ntp] Adam Roach's No Objection on draft-ietf… Paul Gear
- [Ntp] Adam Roach's No Objection on draft-ietf-ntp… Adam Roach
- Re: [Ntp] Adam Roach's No Objection on draft-ietf… Hal Murray
- Re: [Ntp] Adam Roach's No Objection on draft-ietf… Kyle Rose
- Re: [Ntp] Adam Roach's No Objection on draft-ietf… Harlan Stenn
- [Ntp] Antw: Re: Adam Roach's No Objection on draf… Ulrich Windl
- [Ntp] Antw: Re: Adam Roach's No Objection on draf… Ulrich Windl
- Re: [Ntp] Antw: Re: Adam Roach's No Objection on … Miroslav Lichvar