IETF Logo Mail Archive

Re: [Ntp] [EXT] Consensus call: NTPv5 and supported modes

David Venhoek <david@venhoek.nl> Mon, 03 July 2023 14:14 UTC

Return-Path: <david@venhoek.nl>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63D5AC151538 for <ntp@ietfa.amsl.com>; Mon, 3 Jul 2023 07:14:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=venhoek-nl.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jDooEvw0y2vr for <ntp@ietfa.amsl.com>; Mon, 3 Jul 2023 07:14:32 -0700 (PDT)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CAC6C151080 for <ntp@ietf.org>; Mon, 3 Jul 2023 07:14:31 -0700 (PDT)
Received: by mail-pl1-x62a.google.com with SMTP id d9443c01a7336-1b89bc52cd1so3212895ad.1 for <ntp@ietf.org>; Mon, 03 Jul 2023 07:14:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=venhoek-nl.20221208.gappssmtp.com; s=20221208; t=1688393670; x=1690985670; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=PC9owFfwmmExsgAdhqxa/V1Re3bBhuheqfBdCWCI4oA=; b=AE6B3WwNzASfmH09S6/IVWcJAErnshlxInigiAh3qjC6Tqqrkc5Gk0lVWNWu/hPKNn vllwQW25nzkfIyxxOxd6RVNdRxDq68CcXjIx/l9O7WHuClN3FiA1VHcMFrd6+Y9c3Nnz rj4itbRxiZD9QfyKxP+GtguEnVbMFSdxbNW5KMtDDA8HJnkJRLRHhugOaWGcoAmnLJxi r9Vc0qrYxlG5lUN7syXn3mJXU0cU/sq0VLDakOaIWCfhfquEnv1Bi2ShjFhPehX88YqI q6VN6LOoj7j5ABmtq9kBztqWZFWEwX7/5CqmC8hREughdeQqxCK/EM9YV9tvmxq4QX0D 4Gow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688393670; x=1690985670; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PC9owFfwmmExsgAdhqxa/V1Re3bBhuheqfBdCWCI4oA=; b=LvWsfs2eaLlvTNIVplBJ6ZMeZnfKypRw4I//Bu+pJfXWZ/64Q8iKL8Wla4vX0xbmr1 4o0HcYFbyBKsxpJF8NHi9YqtMB8Pat40svXeX5rVnxr3uJ+lnraJvwh+HvaQ+z349qRy P1q3o2k82C6N6gC2LQKgJ64zLoQIG6uhoYOLdFfPfMGvlss+xKUqylDBk/60qMiUydcB yiaZcvKV7xqxDivG0DvpYFb5xGpuVPFn4xqpIQc6hqJSBqLr/kcl4gl+hmlgz0Iv0EBj LYcxQbq6jgoGnGJT4Bjd6MwweZJq9cEbhMLhow6+Nbe3Qa8WdvGUx6fxnIlP0M1wd7My 2n6Q==
X-Gm-Message-State: ABy/qLZzgH0H4Qi7HwmZL7DFydoH3YiQCeKpaO0hkTlThJWKr8dyrgZR SwHYCvsWVfi9svQr95w7nMUC2H7Uows1HW4AkVGKDQ==
X-Google-Smtp-Source: APBJJlE58ZgYcOLs9d+JsiU12xIRnm4Tajmydhc2Bp3LIO0ti3rWyr666btWAar4bWZvCFEcuixB/mfgsvwBDj1lOoA=
X-Received: by 2002:a17:902:7781:b0:1b1:9272:55f3 with SMTP id o1-20020a170902778100b001b1927255f3mr8053518pll.66.1688393670501; Mon, 03 Jul 2023 07:14:30 -0700 (PDT)
MIME-Version: 1.0
References: <72794CC8-DC52-4F1D-B5A9-8A9FBFB0750D@gmail.com> <c2a6a80754d54cadbb1046a80d76d3c7@ukr.de> <CAPz_-SWv-Ba9O8-B7qKzp5gJB6fcY8FxFuHTJtNKBGLirQDhpw@mail.gmail.com> <5434c9a1-388b-f281-5434-dddbf8747592@pdmconsulting.net>
In-Reply-To: <5434c9a1-388b-f281-5434-dddbf8747592@pdmconsulting.net>
From: David Venhoek <david@venhoek.nl>
Date: Mon, 03 Jul 2023 16:14:57 +0200
Message-ID: <CAPz_-SWU3Z6=b76srPWXtXGv_E4ObUji2_56pRQ0nRFyR8VPLQ@mail.gmail.com>
To: Dieter Sibold <dsibold.ietf@gmail.com>
Cc: ntp@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/hlX3PSyy9aTODm4LueWYGawxONM>
Subject: Re: [Ntp] [EXT] Consensus call: NTPv5 and supported modes
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2023 14:14:36 -0000

As a further clarification on my earlier arguments, below my analysis
as to why I think the current status of both the broadcast modes and
peer modes could still be security risks. Please note that these do
not constitute fully realizable active attacks, but are merely
observations as to why I see these modes as significantly more risky
than the client-server mode.

For broadcast mode, when using no authentication, anyone with the
capabality of sending network packets to the clients can get them to
set arbitrary time quite trivially. However, even with some form of
authentication, there is the difficulty that there is no way for a
client to send any sort of challenge to the server. As such, it
becomes hard to impossible for a client to put any bound on how far in
the past the particular packet it received was generated, leaving it
vulnerable to replay attacks. As far as I am aware, outside of using a
shared notion of time (which we can't rely on as providers of that
shared notion) there is no good solution for protection against replay
attacks in broadcast-style protocols.

For peer modes, having a system accept ephemeral associations is
trivial to exploit if authentication is not present. However, even
with authentication, and even with both peers being in active mode,
the interdependence between the packets going from A to B and those
going from B to A makes it tricky as to when an association between
two peers should be reset, when it should be demobilize and other
decisions regarding state changes and packet acceptance. Getting this
wrong has caused multiple security issues in the reference
implementation (see for example CVE-2016-1547, CVE-2016-1549,
CVE-2018-7170), and to be honest I am not convinced that there is
currently an implementation that is fully immune from issues in this
area.

I might be missing something though, and perhaps there has been more
complete modelling done of how either of these modes can be done
securely, in which case I would love to see those models and proofs.

As for your response Danny, I was wondering what you mean by
Anderson's work needing broadcast mode? As far as I can tell, his
research stems rather from the opposite, namely that any securing  a
broadcast type signal (in his research specifically, gnss based
signals) through the TESLA scheme requires preexisting rough agreement
on the current time. However, I didn't really dive all that deeply
into his work so if you could explain what I am missing that would be
very welcome.

Kind regards,
David Venhoek

On Sun, Jul 2, 2023 at 5:43 PM Danny Mayer <mayer@pdmconsulting.net> wrote:
>
>
> On 6/30/23 5:05 AM, David Venhoek wrote:
> > I am of the opinion that we should not include the modes 1, 2 and 5,
> > based on the following arguments (in order of importance):
> There are a lot of assumptions made here which are probably not valid.
> >   - They are known to be vulnerable (about 50% of all ntp reference
> > implementation vulnerabilities over the past years came from these
> > modes alone, and I for one am not convinced that they are in any way
> > securely usable today).
>
> What evidence to you have of this and which modes do you think that they
> apply to? Certainly modes 1 and 2 are able to use the same security as
> modes 3 and 4.
>
> There are ways of dealing with mode 5 (broadcast and multicast) and I
> seem to remember that autokey works for that. Yes, I know that autokey
> is vunerable but it means that there are ways to deal with it.
>
> >   - There seems to be limited interest in working towards fixes for
> > their vulnerability, and I have not seen concrete ideas as to how.
> I don't know what that means. See above.
> >   - The use cases for these modes have reasonable alternatives
> > available today: dhcp can distribute the address of an ntp server as
> > replacement for mode 5, and mutual client-server connections can be
> > used in the same situations as modes 1/2 (if needed with configuration
> > settings in the implementation for special algorithmic treatment).
> That not a substitute for multicast and cannot handle changes in servers
> sending multicast packets. Furthermore many servers have fixed IP
> addresses and do not use dhcp.
> >   - Removing them would significantly simplify both the NTPv5 standard
> > and the process of creating it.
> Simplication of a standard is not a goal merely because it's easier.
> >   - They are already not supported in 2 of the 4 major implementations
> > (ntpsec, ntpd-rs), and only partially in a 3rd (chrony).
> That's irrelevant since it ignores the many systems that use it today.
> >
> > I would prefer we mark them as obsolete/deprecated or something like
> > that, as I don't see a realistic path to getting them to the point
> > where the security concerns are going to be allayed, but am willing to
> > leave them open as potential future extensions to NTPv5.
> No. The NTP reference implementation will continue to support them and
> it is straightforward to implement NTS for modes 1 and 2. Mode 5 will
> probably need additional work. I need to remind everyone of Jason
> Anderson's work on needing Broadcast mode (though I would change this to
> Multicast since Broadcast is not available in IPv6).
> > On the idea that this might inhibit adoption, I am not convinced of
> > that. Based on contacts I have had through the ntpd-rs project with
> > users, these modes are not among the missing features people seem
> > interested in. I know there have been claims that this is absolutely
> > critical for some users, but we have not seen anything concrete as to
> > for whom and why, and I am therefore not inclined to take those claims
> > seriously.
> >
> > Kind regards,
> > David Venhoek
> >
> > On Thu, Jun 29, 2023 at 3:13 PM Windl, Ulrich <u.windl@ukr.de> wrote:
> >> Hi!
> >>
> >> On " Should NTPv5 additionally support also the modes 1, 2 and 5 known from NTPv4?": If not, what should the document say about those? Obsolete? An extension?
> >> IMHO being too restrictive may delay adoption or acceptance of NTPv5 after it is available.
> >>
> >> Kind regards,
> >> Ulrich Windl
> >>
> >>
> >> -----Original Message-----
> >> From: ntp <ntp-bounces@ietf.org> On Behalf Of Dieter Sibold
> >> Sent: Wednesday, June 28, 2023 9:53 PM
> >> To: NTP WG <ntp@ietf.org>
> >> Subject: [EXT] [Ntp] Consensus call: NTPv5 and supported modes
> >>
> >> Dear all,
> >>
> >> at IETF 116 we decided to have two consensus calls regarding the content of the NTPv5 requirement draft. These are consensus calls that we would like to conduct to help progress the NTPv5 requirements document (https://datatracker.ietf.org/doc/draft-ietf-ntp-ntpv5-requirements/). Both consensus calls will run until July 21st 2023 and will be discussed at the next NTP wg meeting at IETF 117 in San Francisco.
> >>
> >> The first consensus call (the second comes in a follow up mail):
> >>
> >> Regarding supported modes:
> >>
> >> Currently, the NTPv5 requirement draft considers a client-server communication mode only. Should NTPv5 additionally support also the modes 1, 2 and 5 known from NTPv4?
> >>
> >>
> >> Greetings
> >> Karen and Dieter
> >>
> >>
> >> _______________________________________________
> >> ntp mailing list
> >> ntp@ietf.org
> >> https://www.ietf.org/mailman/listinfo/ntp
> > _______________________________________________
> > ntp mailing list
> > ntp@ietf.org
> > https://www.ietf.org/mailman/listinfo/ntp
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email