Re: [Ntp] Last Call: <draft-ietf-ntp-using-nts-for-ntp-22.txt> (Network Time Security for the Network Time Protocol) to Proposed Standard

Watson Ladd <watsonbladd@gmail.com> Mon, 24 February 2020 16:16 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F5DC3A0EFD; Mon, 24 Feb 2020 08:16:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eGqO5kKhVBl1; Mon, 24 Feb 2020 08:16:03 -0800 (PST)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C4BB3A0EEE; Mon, 24 Feb 2020 08:16:02 -0800 (PST)
Received: by mail-lj1-x22d.google.com with SMTP id h23so10750714ljc.8; Mon, 24 Feb 2020 08:16:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eN3OsmWu7A7npFAgsnUX4CfBmQ7rCRakmkhc1LNlL6I=; b=SiPF59WnTJ2+oqiI7Vzbix7EY93vnKJxbJi+TyfSF+oTRb9E8zd0lqT12RmZ2oE582 tHpS2IKl3qtdxZdSVBaV4wJuofQbuOhtfGHJjj6hF7J2Uirf3rHfJtQBzx5hotYzzVlG O0w/ITZpKDJiQtvaFN6XBig3rL4iCe9eHZ8fAADWl9Bz2wwU3mwKDPOay/uChNBkOG85 hg9pIQTtJtxSzjXincHQ53ouRY6OfHKl3Ka7L5LwSAWDWyJE7GXCns3EJS5B72QdP698 sEyKUEUEKvbOo97Ofb0/r/dOy9tM5v+S0zUseULIaagc7Ad1EzzNIwhBGe7uG7uDLZx9 wrcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eN3OsmWu7A7npFAgsnUX4CfBmQ7rCRakmkhc1LNlL6I=; b=s/cP0vJ+mZi3pkRC/zOPHvRgVhV8aSaQXz4CZ4EmcdLfPSISCcEDbJD6GW36Fkz2Bu cUdFpMFYWpSJkSgNszR0oJC843Fm5OQdPfVSip3favhEM71wLEZb6m3KXGxoJek6xf9n 9a8QHdoficzHsrP7+dPZkdfFfhpjsEOrQSKturyF/mARseZkYFoiKZNNkm5mORaMnJiI NpVK+SfW/4ScE/gs8iDL9Tdh35zDhO/GGQGZvTHdxh0O+huNiEdeQ9q3eGxWhmxFtlCo CfbnafYc2p+DFp2liNH0rjJpQEF0JPKaLvq0njEWaMBGbnmojR1hSQGmTGioM7bGtObP qmmQ==
X-Gm-Message-State: APjAAAX2ItDMzESSXw/gL/rhZLuU+tR+Wn0cmUtKw6xtkc7zH/wF8eKy wqpbp6clkvmj3yr4XPDGN2SJ14E6bCs09K/GXuw=
X-Google-Smtp-Source: APXvYqy96tA9dKXndcXD0Xt1xwHav2Gwr1RQFuqCj8jrEMYJS/EylJTKqfdP03FQzMLzniobHdaoSZ0TuDFBtlQXaDk=
X-Received: by 2002:a2e:9b90:: with SMTP id z16mr31834199lji.254.1582560960669; Mon, 24 Feb 2020 08:16:00 -0800 (PST)
MIME-Version: 1.0
References: <158169157632.16127.5189378582509283109.idtracker@ietfa.amsl.com> <CAD4huA6nNtJB5=E+dxBvmsLrozkgZ3f-3P=NydCsm8=F2Tj_Fw@mail.gmail.com>
In-Reply-To: <CAD4huA6nNtJB5=E+dxBvmsLrozkgZ3f-3P=NydCsm8=F2Tj_Fw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 24 Feb 2020 08:14:58 -0800
Message-ID: <CACsn0c=kOdh3yxOLDNP6GNprOHxAWVv6wgynWj2eq9SOFwR5_A@mail.gmail.com>
To: Steven Sommars <stevesommarsntp@gmail.com>
Cc: last-call@ietf.org, NTP WG <ntp@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>, draft-ietf-ntp-using-nts-for-ntp@ietf.org, ntp-chairs@ietf.org, suresh@kaloom.com, IETF-Announce <ietf-announce@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e56a20059f54af55"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/hWhJda8qSYJUOkiYwuIoE5ElGRM>
Subject: Re: [Ntp] Last Call: <draft-ietf-ntp-using-nts-for-ntp-22.txt> (Network Time Security for the Network Time Protocol) to Proposed Standard
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 16:16:13 -0000

On Mon, Feb 24, 2020, 6:52 AM Steven Sommars <stevesommarsntp@gmail.com>
wrote:

> There is substantial size-based blocking of UDP port 123 IPv4 packets by
> ISPs/IXPs.  From one NTP monitoring point I saw about one third of the NTP
> destinations unreachable (dropped en route) for  212-460 byte port 123
> UDP.  Another monitoring point experienced blocking for all NTP
> destinations when the size was greater than 428 bytes.  Size-based NTP
> blocking is not a secret; it was discussed on the NANOG mailing list in
> 2014 (see for example
> https://mailman.nanog.org/pipermail/nanog/2014-February/064634.html ).
> NTP requests can be dropped, so  section 9.3 of draft 22 does not address
> the problem.   While NTS will not be a DDoS amplification source, it will
> be affected by existing DDoS countermeasures.
>
> How will NTS work in today's UDP-unfriendly Internet?
>

NTS-KE can advertise an alternate port for NTP.


> On Fri, Feb 14, 2020 at 8:47 AM The IESG <iesg-secretary@ietf.org> wrote:
>
>>
>> The IESG has received a request from the Network Time Protocol WG (ntp) to
>> consider the following document: - 'Network Time Security for the Network
>> Time Protocol'
>>   <draft-ietf-ntp-using-nts-for-ntp-22.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits
>> final
>> comments on this action. Please send substantive comments to the
>> last-call@ietf.org mailing lists by 2020-02-28. Exceptionally, comments
>> may
>> be sent to iesg@ietf.org instead. In either case, please retain the
>> beginning
>> of the Subject line to allow automated sorting.
>>
>> Abstract
>>
>>
>>    This memo specifies Network Time Security (NTS), a mechanism for
>>    using Transport Layer Security (TLS) and Authenticated Encryption
>>    with Associated Data (AEAD) to provide cryptographic security for the
>>    client-server mode of the Network Time Protocol (NTP).
>>
>>    NTS is structured as a suite of two loosely coupled sub-protocols.
>>    The first (NTS-KE) handles initial authentication and key
>>    establishment over TLS.  The second handles encryption and
>>    authentication during NTP time synchronization via extension fields
>>    in the NTP packets, and holds all required state only on the client
>>    via opaque cookies.
>>
>>
>>
>>
>> The file can be obtained via
>> https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/
>>
>> IESG discussion can be tracked via
>> https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/ballot/
>>
>>
>> No IPR declarations have been submitted directly on this I-D.
>>
>>
>> The document contains these normative downward references.
>> See RFC 3967 for additional information:
>>     rfc5297: Synthetic Initialization Vector (SIV) Authenticated
>> Encryption Using the Advanced Encryption Standard (AES) (Informational -
>> IETF stream)
>>
>>
>>
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
>>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
>