IETF Logo Mail Archive

Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standardsecurity

Hal Murray <hmurray@megapathdsl.net> Wed, 17 February 2021 02:50 UTC

Return-Path: <hmurray@megapathdsl.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ADF33A11FF; Tue, 16 Feb 2021 18:50:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.045
X-Spam-Level: *
X-Spam-Status: No, score=1.045 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_DYNAMIC_IPADDR=1.951, PDS_RDNS_DYNAMIC_FP=0.01, RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mqnQApXQQySC; Tue, 16 Feb 2021 18:50:48 -0800 (PST)
Received: from ip-64-139-1-69.sjc.megapath.net (ip-64-139-1-69.sjc.megapath.net [64.139.1.69]) by ietfa.amsl.com (Postfix) with ESMTP id 48C5C3A11BB; Tue, 16 Feb 2021 18:50:45 -0800 (PST)
Received: from shuksan (localhost [127.0.0.1]) by ip-64-139-1-69.sjc.megapath.net (Postfix) with ESMTP id C239240605C; Tue, 16 Feb 2021 18:50:40 -0800 (PST)
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.3
To: tom petch <daedulus@btconnect.com>
cc: NTP WG <ntp@ietf.org>, last-call@ietf.org, draft-ietf-ntp-yang-data-model@ietf.org, ek.ietf@gmail.com, ntp-chairs@ietf.org, hmurray@megapathdsl.net
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from tom petch <daedulus@btconnect.com> of "Mon, 15 Feb 2021 17:36:46 GMT." <602AB12E.9040701@btconnect.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 16 Feb 2021 18:50:40 -0800
Message-Id: <20210217025040.C239240605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/h0h2cfbI1Mc6wbtH5vbkpg79I98>
Subject: Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standardsecurity
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2021 02:50:50 -0000

daedulus@btconnect.com said:
> The -10 that I reviewed had
> - MD5 is used to turn an IPv6 address into a 32-bit identifier
> - MD5 can be used for authentication without constraint
> - AES-CMAC cannot be used for authentication.

SHA-1 is also in use.

> I do not have a view on the first but see the second and third as 
> contradicting RFC8573 and so in need of change.  Allowing AES-CMAC I see 
> as not controversial but do not have a view as to what to do with MD5 
> used for authentication e.g.
> - allow without constraint
> - allow, but deprecated, in the YANG
> - allow with a note in Security COnsiderations
> - do not allow in the YANG

I would suggest adding a short note at the point of use indicating that it has 
been deprecated with a pointer to the Security Considerations section and a 
paragraph there summarizing RFC 8573.


-- 
These are my opinions.  I hate spam.

v2.23.0 | Report a Bug | By Email