Re: [ntpwg] [dhcwg] Fwd: New Version Notification for draft-ogud-dhc-udp-time-option-01.txt

TSG - personal <tglassey@earthlink.net> Mon, 02 December 2013 17:02 UTC

On 12/01/2013 04:31 PM, Danny Mayer wrote:

Danny, many entities running DNSSEC don't have the option to continue 
operations until such time as they get better time data under the certs. 
This is a policy level thing so it's not something that they can 
technically ignore either.

Todd
> On 12/1/2013 5:29 PM, Ted Lemon wrote:
>> On Dec 1, 2013, at 5:05 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:
>>> The "threat" the document is trying to address, device wants to
>>> DNSSEC or CERT validation but clock is far off thus VALID credentials
>>> fail validation.
>> Ah, thanks for explaining. This is what I was missing—you're not
>> doing this to avoid a threat at all, but rather to simply make DNSSEC
>> work in a possibly non-secure mode until such time as you can
>> bootstrap better time information.
>> This would be worth mentioning in the introduction and/or the
>> security considerations section. You allude to it in the security
>> considerations, but it's pretty oblique.
>> It is worth pointing out that NTP doesn't actually need DNS to
>> work—DHCP can deliver NTP server addresses as IP addresses. That said,
>> this option seems to add value, since there is no guarantee that devices
>> that implement the existing DHCP NTP will not send FQDNs rather than IP
>> addresses.
>
> I had a long discussion with Bernie over the issue of delivering NTP IP
> addresses via DHCP. We understand the issues you raised concerning
> DNSSEC and have no disagreement about that. The problem is that for NTP
> DNS names are preferred over IP addresses because that allows a server
> maintainer to retire an NTP server. With an IP address there is no
> chance that your local instance will know about this and continue to
> bombard the old address. Moreover the newer pool option cannot be used
> to any advantage.
>
> When was the last time you looked at your NTP configuration and verified
> that all of the servers listed are still valid? How often will DHCP
> servers do this as a matter of course before providing such
> provisioning? We have systems that are being bombarded by requests even
> though no NTP server is responding to queries. We have plenty of
> evidence of this. Even worse we have seen home routers which have
> hard-coded IP addresses for NTP servers embedded. How long are those
> going to be in operation?
>
> I think we need to figure out how to get around the Catch-22 situation
> of DNSSEC requiring relatively good time and NTP wanting to be able to
> use DNS to find valid NTP servers.
>
> We need a joint agreement on how to deal with this between DHCP and NTP
> Working Groups assuming that is a viable option in the first place.
> RFC5908 was not a good indication of this.
>
> Danny

_______________________________________________
ntpwg mailing list
ntpwg@lists.ntp.org
http://lists.ntp.org/listinfo/ntpwg
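An added illustration of the Catch-22 discussed in this thread (not code from the draft or from any participant): the RFC 4034 RRSIG validity-window test, with constructed timestamps, showing why a perfectly valid signature fails on a device whose clock is far off, and how a validator that knows its clock is unsynchronized can report "bootstrap time first" instead of "bogus". The window values, the cold-boot clock and the verdict names are all assumptions made for this example.

```python
from datetime import datetime, timezone

# RFC 4034 section 3.1.5: RRSIG inception/expiration are 32-bit unsigned
# seconds since the epoch and are compared with serial number arithmetic
# (RFC 1982), so a plain integer comparison would misbehave at wrap-around.
MOD = 1 << 32
HALF = 1 << 31

def serial_le(a, b):
    """a <= b under RFC 1982 serial arithmetic on 32-bit values."""
    a, b = a % MOD, b % MOD
    return a == b or (b - a) % MOD < HALF

def rrsig_window(inception, expiration, now):
    """Classify an RRSIG's validity window relative to the local clock."""
    if not serial_le(inception, now):
        return "clock-behind"   # local clock is earlier than inception
    if not serial_le(now, expiration):
        return "clock-ahead"    # local clock is later than expiration
    return "valid"

def validate_time(inception, expiration, now, clock_synced):
    """Verdict for a validator: a correct signature seen through a wrong
    clock must not be reported as 'bogus' on a device that knows its clock
    is unsynchronized; that device needs to bootstrap time first."""
    state = rrsig_window(inception, expiration, now)
    if state == "valid":
        return "secure"
    if not clock_synced:
        return "bootstrap-time-first"
    return "bogus"

def ts(s):
    """Parse an RRSIG-style YYYYMMDDHHmmSS timestamp (UTC) to seconds."""
    return int(datetime.strptime(s, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())

# Constructed sample window (not from any real zone): signed for two weeks.
INCEPTION = ts("20131125000000")
EXPIRATION = ts("20131209000000")
NOW_OK = ts("20131202170000")   # roughly the date of this thread
NOW_COLD_BOOT = 0               # device without an RTC, clock at the epoch

if __name__ == "__main__":
    print(validate_time(INCEPTION, EXPIRATION, NOW_OK, True))
    print(validate_time(INCEPTION, EXPIRATION, NOW_COLD_BOOT, False))
    print(validate_time(INCEPTION, EXPIRATION, NOW_COLD_BOOT, True))
```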