IETF Logo Mail Archive

[Ntp] NTP Security (was NTPv5: big picture)

Hal Murray <hmurray@megapathdsl.net> Sat, 02 January 2021 05:05 UTC

Return-Path: <hmurray@megapathdsl.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9ECE3A0CC4 for <ntp@ietfa.amsl.com>; Fri, 1 Jan 2021 21:05:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.036
X-Spam-Level: *
X-Spam-Status: No, score=1.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_DYNAMIC_IPADDR=1.951, PDS_RDNS_DYNAMIC_FP=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id caBqtB9luy1A for <ntp@ietfa.amsl.com>; Fri, 1 Jan 2021 21:05:07 -0800 (PST)
Received: from ip-64-139-1-69.sjc.megapath.net (ip-64-139-1-69.sjc.megapath.net [64.139.1.69]) by ietfa.amsl.com (Postfix) with ESMTP id 2BC323A0CC3 for <ntp@ietf.org>; Fri, 1 Jan 2021 21:05:05 -0800 (PST)
Received: from shuksan (localhost [127.0.0.1]) by ip-64-139-1-69.sjc.megapath.net (Postfix) with ESMTP id 7D0DE40605C; Fri, 1 Jan 2021 21:05:01 -0800 (PST)
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.3
To: "Salz, Rich" <rsalz@akamai.com>
cc: Hal Murray <hmurray@megapathdsl.net>, NTP WG <ntp@ietf.org>
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from "Salz, Rich" <rsalz@akamai.com> of "Fri, 01 Jan 2021 17:08:01 GMT." <993FEEB5-F498-472E-813E-E684E273612F@akamai.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 01 Jan 2021 21:05:01 -0800
Message-Id: <20210102050501.7D0DE40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/fR7VeO3_gmCj2n9sbRO5Y4VoTQM>
Subject: [Ntp] NTP Security (was NTPv5: big picture)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Jan 2021 05:05:08 -0000

> I would like to see security on that list.

What do you want that isn't already covered by NTS and/or shared keys?

(I think we need to move the MAC for shared keys into an extension.  That's 
not a "big picture" item.)

-------

As far as I can tell, the problem with NTP security is deployment of NTS.  The 
pool has captured a large portion of the market and it is fundamentally 
insecure.

HTTPs works because lots of sites want your money.  Nobody is paying for NTP.

I see two ways to get a wide deployment.  One is to get ISPs to run secure NTP servers for their clients.  The other is to deploy something similar to the DNS root and top level servers.  I don't know how that works, in particular, who pays for it.


-- 
These are my opinions.  I hate spam.

v2.23.0 | Report a Bug | By Email