[ntpwg] Fwd: secdir review of draft-ietf-ntp-extension-field
Karen ODonoghue <kodonog@pobox.com> Fri, 28 August 2015 14:41 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ACD51B3003 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Fri, 28 Aug 2015 07:41:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.799
X-Spam-Level:
X-Spam-Status: No, score=-1.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q4lGnHF3QeOI for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Fri, 28 Aug 2015 07:41:45 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [IPv6:2001:4f8:fff7:1::7]) by ietfa.amsl.com (Postfix) with ESMTP id D54A81B2FF7 for <ntp-archives-ahFae6za@lists.ietf.org>; Fri, 28 Aug 2015 07:41:45 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id C636A86DB5F for <ntp-archives-ahFae6za@lists.ietf.org>; Fri, 28 Aug 2015 14:41:45 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id 5084986D77B for <ntpwg@lists.ntp.org>; Fri, 28 Aug 2015 14:39:21 +0000 (UTC)
Received: from mail-qk0-x235.google.com ([2607:f8b0:400d:c09::235]) by mail1.ntp.org with esmtps (TLSv1:RC4-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <kodonog@gmail.com>) id 1ZVKoE-0006Ou-Ah for ntpwg@lists.ntp.org; Fri, 28 Aug 2015 14:39:21 +0000
Received: by qkfh127 with SMTP id h127so29367051qkf.1 for <ntpwg@lists.ntp.org>; Fri, 28 Aug 2015 07:39:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:reply-to:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=A1Zk5oZ3Fecte+OioSXBJVtWmWdwt/+LYWoxGOLtvtc=; b=t0sFFbRqZKT7Utn88+BvTKvFzh40j1lxUqFiMR/WC4IjpaBGmd5njos3PttqaWbqpN AKQJ/MOpp0i9Zn/0V5acThmI5xrWiBgJxH9acxpy5eQwD35K4WsHnAnOX6xI3gjhfr3u g2wjrtRi1EXK5uRGJvOyYpp0xtI2pSk9rrrI7Ju+vkudhibHmQ7DMQPPnW2v0PerIJBe J4EreOYzxsIkqpGlABW1Ak2aDZoLKgJFQdstKUrAAeKfBTdpjUuh2kLniKwPs/+4005O rC/vydT6AApAmYjd5fT53nz3CfbG+sgOcVfr6PxoqHicjFpUOcZ3rvtGUBzL7Xj20Jta brtg==
X-Received: by 10.55.201.83 with SMTP id q80mr15966157qki.58.1440772753343; Fri, 28 Aug 2015 07:39:13 -0700 (PDT)
Received: from ISOC-REM-MBA2187.local ([173.226.66.172]) by smtp.googlemail.com with ESMTPSA id z128sm3499006qhd.43.2015.08.28.07.39.10 for <ntpwg@lists.ntp.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 28 Aug 2015 07:39:11 -0700 (PDT)
Message-ID: <55E0728E.5090104@pobox.com>
Date: Fri, 28 Aug 2015 10:39:10 -0400
From: Karen ODonoghue <kodonog@pobox.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: ntpwg@lists.ntp.org
References: <C8043253-10DE-4877-ADC5-E4A67E4DD812@ieca.com>
In-Reply-To: <C8043253-10DE-4877-ADC5-E4A67E4DD812@ieca.com>
X-Forwarded-Message-Id: <C8043253-10DE-4877-ADC5-E4A67E4DD812@ieca.com>
X-SA-Exim-Connect-IP: 2607:f8b0:400d:c09::235
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: kodonog@gmail.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: [ntpwg] Fwd: secdir review of draft-ietf-ntp-extension-field
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Reply-To: kodonog@pobox.com
Content-Type: multipart/mixed; boundary="===============5300598528699576888=="
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
-------- Forwarded Message -------- Subject: secdir review of draft-ietf-ntp-extension-field Resent-Date: Thu, 27 Aug 2015 06:09:28 -0700 (PDT) Resent-From: turners@ieca.com Resent-To: draft-ietf-ntp-extension-field.all@ietf.org Date: Thu, 27 Aug 2015 09:08:54 -0400 From: Sean Turner <turners@ieca.com> To: draft-ietf-ntp-extension-field.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org Fear not as this is just the secdir review! I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. draft summary: This draft updates NTPv4 Protocol and Algorithm Specification (aka RFC 5905) s7.5, which is the section that describes extension fields, and to paraphrase the: clarify the relationship between extension fields and MACs and define the behavior of a host that receives an unknown extension field. Note that when comparing the “OLD” section to RFC 5905, you’ll should note that the “OLD” text incorporates a verified errata (http://www.rfc-editor.org/errata_search.php?eid=3627). The “NEW" text requires things like when defining an extension the definition must specify whether it must be MACed or not, the MTI MAC, the length of the MAC, etc. secdir status summary: I need to clarify something in my mind, which I hope fall into the “you missed that in this spec over here” or the “these are *NOT* the droids you’re looking for” bucket, before I can say "ready with nits": 0) 7.5.1.1 says an extension can support multiple MACs, that the extension’s document defines the MTI algorithm & MAC length, and that if more than one algorithm is allowed the extension includes an indication of which one was actually used; all great. But, I’m trying to figure out how that fits with RFC 5905: - In s7.3, I see "dgst (128)” in f8 - In s9.2, I see "There is no specific requirement for authentication; however, if authentication is implemented, then the MD5-keyed hash algorithm described in [RFC1321] must be supported” Doesn’t s7.3 limit the MAC to HMAC-MD5 and the length to 128? I mean if you’re going to allow an extension to override s9.2 that seems like something worth noting in say the abstract/intro. Thinking there’s got to be a reason for this I went off and looked at the other NTP WG drafts … after finding the NTS & CMS-based specs, are the changes proposed in this draft to to allow an NTP packet blob that doesn’t use the MAC mechanism described in RFC 5905 but instead use the NTS/CMS “scheme”, i.e., an NTP extension that is a CMS object, with no MAC in the 5905 sense - the CMS object instead of the NTP MAC field gives you the authentication? 1) s7.5.1.2 seems to be saying if extension A specifies alg X, and extension B specifies alg X and Y, and extension C specifies alg Y then extension A and B can appear together as can extension B and C, but A and C can’t appear together? Sounds great, but what if A and C do appear together what happens? 2) Still on 7.5.12: "If there are multiple extension fields that require a MAC they MUST all require use of the same algorithm and MAC length.” So if I specify extension A with X as the MUST, and extension B with X as the SHOULD and Y as the MUST, then I can’t include both extension A and B? Extension A requires X, but extension B requires Y. 3) s7.5.1.3: What’s the 24-octet limitation based on? Minor: 0) The new s7.5 says: The Field Type field is specific to the defined function and is not elaborated here. If a …. 0.a) I think what you’re trying to say is that the Field Type field is defined in an IANA registry and it’s length and value are defined by the document referred to by the registry? 0.b) Neither RFC5905 nor this document specify how the padding is done. Is padding determined by the document referred to by the field type? I.e., can I do padding with all 1s and somebody else do it with all zeros? Maybe: The Field Type field defines the extension’s semantics as well as the extension’s syntax, i.e., length, value, and padding. This document defines no extensions. If a … Nits: 0) process wise: RFC 5905 has a lot of other errata; some marked verified some marked HFDU. Since this document updates RFC 5905, did the WG consider including the other verified errata and resolving whether the errata marked HFDU were worth including? I’ll also readily admit that this could have been found in the WG archives, but I didn’t search them. 1) s3: Might be worth noting that the “OLD” text includes the errata text. I can’t remember whether you can normatively or informatively point to errata (sorry). 2) The new s7.5 includes: If a host receives an extension field with an unknown Field Type value … I was like hmm there’s a Field Type value, which is # that goes in Field Type and there’s the Value field for the Field Type. Maybe dropping “value” from the quoted sentence makes it clearer that you’re really talking about the # that goes in Field Type and not the Value? 2) s5: Might be worth a reference to the NTP Extension Field Type IANA registry. Though obviously folks reading the base spec and extensions are going to find it though. spt PS - RFC 5905 KoD packets are my favorite packets now.
_______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Fwd: secdir review of draft-ietf-ntp-exte… Karen ODonoghue