Re: [Ntp] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standardsecurity

tom petch <daedulus@btconnect.com> Tue, 09 February 2021 12:08 UTC

To: Hal Murray <hmurray@megapathdsl.net>
References: <20210209093446.E11F8406061@ip-64-139-1-69.sjc.megapath.net>
Cc: last-call@ietf.org, ek.ietf@gmail.com, ntp-chairs@ietf.org, ntp@ietf.org, dsibold.ietf@gmail.com, draft-ietf-ntp-yang-data-model@ietf.org
From: tom petch <daedulus@btconnect.com>
Message-ID: <60226D05.6010508@btconnect.com>
Date: Tue, 09 Feb 2021 11:07:49 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/iJH0mC7dKoJOmEecjfA8Yrp_mRA>

On 09/02/2021 09:34, Hal Murray wrote:
>
> daedulus@btconnect.com said:
>> RFC8573 seems clear that MD5 must not be used to effect security for NTP but
>> this I-D imports iana-crypt-hash which allows MD5 without any restriction,
>> so is MD5 allowed or not?
>
> "Allowed" is the key word.  Just because somebody published an RFC doesn't
> mean that all the gear out in the field will get updated.  As Harlan pointed
> out, there is a very very long tail on NTP deployments.
>
> I think it makes sense for iana-crypt-hash to include slots for historic
> items.  If nothing else, it is a good place to say "historic" or "deprecated"
> and give references to the details.
>
> If you think a Yang model should discourage using MD5, then I suggest adding
> words to say that.  Better would be to phrase things so that it also includes
> other algorithms that get kicked out of the club after the RFC is published.
> I don't know of any place that publishes an up-to-date list of crypto-hashing
> algorithms and their status.

IANA TLS HashAlgorithm

It lacks a Recommended column which other TLS registries often have.

This is the sort of service that the Security Area could provide for the 
rest of the IETF, but then, this is the IETF:-)

iana-crypt-hash belongs to the NETMOD WG which is why I said that I 
would raise the issue there.  That WG IMHO lacks the expertise to 
specify a status so that would have to come from SAAG, a Security AD or 
some such.

That module is IANA-maintained and is Expert Review so I think that the 
consensus of the NETMOD WG to make MD5 status deprecated would be 
feasible.  (It would not be possible, or sensible, to remove MD5 - that 
would be a new module and an RFC).

Tom Petch
>
> ----------
>
> I'm looking at iana-crypt-hash@2014-08-06.yang
>
> It says:
>           id | hash function | feature
>           ---+---------------+-------------------
>            1 | MD5           | crypt-hash-md5
>            5 | SHA-256       | crypt-hash-sha-256
>            6 | SHA-512       | crypt-hash-sha-512
>
> If NTP is the only use, then I'd suggest adding a deprecated note.  But I
> assume that is used by other than NTP so that may not be appropriate.  But
> maybe if MD5 is deprecated for NTP it should be deprecated for other uses too.
>   ???
>
> What happened to slots 2, 3, and 4?
>
> Existing NTP code also supports SHA-1
>
> RFC 8573 that deprecated using MD5 with NTP suggests using AES-CMAC.  Note
> that is CMAC rather than HMAC and that NTP uses its own scheme rather than
> HMAC as described in RFC 6151.
>
> The NTPsec code supports any hash (or CMAC) algorithm that the underlying
> library from OpenSSL supports.
>