Re: [Ntp] Ben Campbell's No Objection on draft-ietf-ntp-bcp-10: (with COMMENT)
Denis Reilly <denis.reilly@orolia.com> Thu, 17 January 2019 18:15 UTC
Return-Path: <denis.reilly@orolia.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06F9F130EEB; Thu, 17 Jan 2019 10:15:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=orolia.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dEAOiwnxdwKe; Thu, 17 Jan 2019 10:14:58 -0800 (PST)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-he1eur02on061c.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe05::61c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57578130ECD; Thu, 17 Jan 2019 10:14:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orolia.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eGXqwCTYd0z1Zu1+7ou82ub1h6RKpy17GN2lLEwIOVY=; b=RSsmEHskNSksn3GULXfyo7eR4+lKypP8jXW8k9Z/YCRQLuzddEToBkoMuDukNv7CTOGrjhL4rLLK0cGo6mKw9B3sBdaOZsunfAovmF7o6td28HyAwDFAchJVZHE0SBDuk/l7Ewdmm211LXIxmtKBfU8pRu9waTEi2zQrae9+9sI=
Received: from AM0PR0602MB3730.eurprd06.prod.outlook.com (52.133.40.31) by AM0PR0602MB3825.eurprd06.prod.outlook.com (52.133.35.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.19; Thu, 17 Jan 2019 18:14:53 +0000
Received: from AM0PR0602MB3730.eurprd06.prod.outlook.com ([fe80::d29:a937:724f:81b2]) by AM0PR0602MB3730.eurprd06.prod.outlook.com ([fe80::d29:a937:724f:81b2%2]) with mapi id 15.20.1516.019; Thu, 17 Jan 2019 18:14:53 +0000
From: Denis Reilly <denis.reilly@orolia.com>
To: Ben Campbell <ben@nostrum.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-ntp-bcp@ietf.org" <draft-ietf-ntp-bcp@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>, "ntp-chairs@ietf.org" <ntp-chairs@ietf.org>, "odonoghue@isoc.org" <odonoghue@isoc.org>, "ntp@ietf.org" <ntp@ietf.org>
Thread-Topic: Ben Campbell's No Objection on draft-ietf-ntp-bcp-10: (with COMMENT)
Thread-Index: AQHUl/QPY3YsHzK09kqwreOelRE0JKWzyylw
Date: Thu, 17 Jan 2019 18:14:53 +0000
Message-ID: <AM0PR0602MB37304AA2408B902A77ABE451FF830@AM0PR0602MB3730.eurprd06.prod.outlook.com>
References: <154526275269.1860.6857870320043081494.idtracker@ietfa.amsl.com>
In-Reply-To: <154526275269.1860.6857870320043081494.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=denis.reilly@orolia.com;
x-originating-ip: [66.193.84.98]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM0PR0602MB3825; 6:r8U74ixzCNa+8zCCpfKJJXCLxHCOAH5Wtp+sS6WS/8EC8DMIoYDmL2vAuP2SoobqYy+dhdzse8Ww81nAe0Bp19xl8kYqY6xy7rqVCGlTUZh7gVeuN0//jxnE0TIsGjrfstVHK7CQexWhEHd04zOYKrzQD1gKrXPgzk9BROPmqDAu+ErJLMTyhtijOkQ0RhQEUmGMUQpSGzMWQcfxubzzSHva5SUHzCd4XsV+D3KRhK2rWbnxhwAWO7XGlkAEecN3ZIv52pQMnLFPqe/BhpPKY1f0F3rrNOBcONS4rSIPOcat7fgAddZaKDHUF/0dggqiMWB2qHuW4cLyqq53auFeOytnjlfOPp3vllkjSAwEtW9QOb0QC+S7JdV7+VlCFZCHQjY3r5hy3f4yOJ6YkBxNRoNkPXh847U4ZgvoiQmFpnX4jRt86ipoVRaIhutouFjLHl/O+fS2AvibC+zNOZwN9A==; 5:jBOIdVqmqQvcFZMSmdj/5VOC/1cRCRVRJmXW0cf/EziD+mnUPYnaGILtuKjhuULpobLNFAT6Niw8/kacA4ZiYhYMRJr8CN58lmVNYHfewIMhIBFE2d3B99VnsHi+P0MOjagPU0dqBpviGXWhLw3WvOCOfCELfqokyX7tC3jGd+ERQUlyM6clY2Emqvm627aMzEo9Q8bLvK8QcecrjQhZAw==; 7:z3M0b3SH47f33HDV65yZNrDxaaIvgmmjbR/vIQCbnlNJOWpu7YfHL+GUhvyT6rXTXjJMAczZKJfp5rFUm/re4A1e1D1wIHO/NE3FQgVPxP2BcjekqQH28qMQ/Fm1wJaQciS6pEBciea/knN50ekRHA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: f3a282e2-ffff-4e2b-cc26-08d67ca7adc8
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600109)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:AM0PR0602MB3825;
x-ms-traffictypediagnostic: AM0PR0602MB3825:
x-microsoft-antispam-prvs: <AM0PR0602MB3825847C7BDA71A2683838FEFF830@AM0PR0602MB3825.eurprd06.prod.outlook.com>
x-forefront-prvs: 0920602B08
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39850400004)(346002)(366004)(396003)(376002)(13464003)(189003)(199004)(51914003)(105586002)(86362001)(5024004)(229853002)(53546011)(106356001)(6506007)(8676002)(316002)(102836004)(68736007)(8936002)(71190400001)(71200400001)(81156014)(81166006)(4326008)(7696005)(74316002)(25786009)(97736004)(14454004)(478600001)(14444005)(256004)(66066001)(55016002)(3846002)(446003)(7736002)(6246003)(54906003)(305945005)(2906002)(9686003)(6306002)(33656002)(53936002)(110136005)(476003)(6116002)(44832011)(5660300001)(11346002)(186003)(486006)(26005)(76176011)(99286004)(6436002)(966005); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR0602MB3825; H:AM0PR0602MB3730.eurprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: orolia.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: EM820EZzM816epoxeOL73+3vlpPFtTUQ8OiDTJWYd7Mt5ZfR2PCeeKgzHW1I8wqnLlM0WB813ubKSom6Dme6LbHnsltJI0yikDyvIXFOXL0UPj51zcT0h+c0i+tYY2H/Ftvaxg7MWvy3ZDxj9ytX7ja6LcVrQf7jyC/9+97JiS6E+B7+z8vx7KkGOIxxYyW/+vY6fW5S8azqE0Uny25YL1aGFAPHeybWvH69ZagI23v1aVQCbhFtlRKHB/tblrrhyUUbtK5WT1N1/9VyTzqtNxvS8na6JIh6qcdVvtYhu+ddree4YAlVNTUP/UfMZNQzGd/AVXC62dAhj2A+movvp0/IZS0d+AdSzJvlpvn9awwEpy9RU77Bc2/rDTp6R6Zxq0pc9emQkEyk0jPs8xWr9KmLhgTN8HvptgeClHdEKUo=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: orolia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f3a282e2-ffff-4e2b-cc26-08d67ca7adc8
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jan 2019 18:14:53.5254 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a263030c-9c1b-421f-9471-1dec0b29c664
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR0602MB3825
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/1aZjqYkpK-UPdHrUvHUgk_DYdSg>
Subject: Re: [Ntp] Ben Campbell's No Objection on draft-ietf-ntp-bcp-10: (with COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 18:15:01 -0000
Hello, Ben! Thanks for the review. I've posted a new version of the draft which incorporate the feedback from the review. Please see responses in-line: -- Denis Reilly | Technical Lead | denis.reilly@orolia.com (585)321-5837 -----Original Message----- From: Ben Campbell <ben@nostrum.com> Sent: Wednesday, December 19, 2018 6:39 PM To: The IESG <iesg@ietf.org> Cc: draft-ietf-ntp-bcp@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>; ntp-chairs@ietf.org; odonoghue@isoc.org; ntp@ietf.org Subject: Ben Campbell's No Objection on draft-ietf-ntp-bcp-10: (with COMMENT) Ben Campbell has entered the following ballot position for draft-ietf-ntp-bcp-10: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ntp-bcp/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Hi, thanks for this work. I'm balloting "no objection", but have a few comments/questions: *** Substantive Comments *** General observation: I was surprised to find that that a lot of the recommendations here don't seem especially specific to NTP. (E.g. keeping implementations up to date.) But I don't suppose that's really an problem, so I don't expect action here. -- §2.1, last paragraph: "It is RECOMMENDED that large corporate networks (and ISP’s of any size) implement ingress and egress filtering." Is that a new normative requirement, or an existing requirement from BCP38? If the latter, please consider using description language rather than normative keywords. Response: BCP38 / RFC 2827 doesn't use any normative language, so it's a new normative recommendation from this BCP. -- §3.3: This section recommends that operators choose time servers with different implementations/technology. Are time sources expected to publicize that sort of information? Response: We're calling attention to the fact that having a diversity of timing sources is not as simple as having two boxes from the same vendor. If you are using time sources that are not under your direct control, it can be hard to obtain this information, but perhaps operators would have better luck with servers within their own organizations. -- §3.4: Am I correct to assume that "control messages" and "mode 6 messages" are the same thing? Please use consistent terminology. Response: We'll choose "NTP Control Messages". -- §3.6: - First Paragraph: "Users who want to synchronize their computers SHOULD only synchronize to servers that they have permission to use." Why not MUST? Response: We originally made this SHOULD because we felt that many users don't really have control over which servers they use, and so we couldn't realistically make the guidance that strong. But in response to another comment, we changed this text to "Network operators and advanced users", so with that narrower focus now MUST is more appropriate. We also changed the similar guidance in the section on embedded devices to MUST. -- - 2nd paragraph: Is the NTP Pool stabile enough for a plug like this in an RFC? Remember, RFCs live "forever". (see also §6.2.1) Response: It's been around for quite a while and the members of the working group think it's stable enough to include. -- §3.7: "Note well that NTPv4’s longest polling interval exceeds one day and thus a leap second announcement may be missed." Is that okay? Is there any action recommended due to this? Response: Changed to read: When implementing this recommendation, operators should ensure that clients are not configured to use polling intervals greater than 24 hours, so the leap second notification is not missed -- §3.7.1, last paragraph: How does a client know if the server does leap second smearing? Response: There is no standard way to detect this at this time. Someone has to ask the server administrator. -- §4.1: - "Therefore, for each association, keys SHOULD be exchanged securely by external means, and they SHOULD be protected from disclosure." Why not MUST (both times)? Response: Several others have brought this up, we're changing these to MUSTs. -- - "Implementations will soon be available based on AES-128-CMAC [I-D.ietf-ntp-mac], and users are encouraged to use that when it is available." Is that worth a normative requirement? Response: Yes, especially since it seems that draft will emerge first. -- - "Some implementations store the key in clear text" Wouldn't the better practice to be not to do that? Response: Yes, but we need to address the current state of things. -- §5.1: - 3rd paragrap: "A host that is not supposed to act as an NTP server that provides timing information to other hosts MAY additionally log and drop incoming mode 3 timing queries from unexpected sources." i don't understand the point. Also, is the upper-case "MAY''intended as permission to do that? Response: we changed this to non-normative in the latest draft. This section is about minimizing information leakage. One way to do this is simply to not respond to packets that it doesn't have to. -- - last paragraph: "Note well that proper monitoring of an NTP server instance includes checking the time of that NTP server instance." Should there be normative guidance here? (Also, the sentence seems out of place.) Response: The normative guidance is at the end now. We are pointing out here that while you might want to drop all Mode 3 packets, they do have some use for monitoring within your organization. -- §6.1: "Vendors of embedded devices MUST pay attention" Can you recommend something more concrete (and verifiable) than "pay attention"? Response: We've made this non-normative in response to another comment. -- *** Editorial Comments *** §2.1: "more susceptible to spoofing attacks then other connection-oriented protocols": s/then/than Also, it seems like "other" is not descriptive here, since UDP is not a connection-oriented protocol. Response: We removed the "other" in the latest draft. -- §3.4: - first paragraph: The last sentence will not hold up well to the passage of time. Please consider adding something to the effect of "At the time of this writing..." - Last paragraph: The last sentence seems redundant to the section on BCP38. Response: Agree on both points. The last paragraph now directly references the BCP38 section instead of repeating the recommendation. -- §5.1, 3rd paragraph: It is recommended that operators SHOULD filter mode 3 queries at the edge "recommended that...SHOULD" is redundant. Please consider just saying "Operators SHOULD..." Response: We Agree. -- §5.4: Is a KoD packet and a RATE packet the same thing? (Please use consistent terminology) Response: We discuss both the broader KoD packets here, and the RATE packets which are a primary use of the KoD mechanism. We've made some changes to the text to clarify the distinction between the two. §11.2: Is there a reason [BCP38INFO] is here and not in the URL references? Response (From Denis): Actually, this was an attempt to fix how that URL is rendered on the HTML view of the document. (See https://tools.ietf.org/html/draft-ietf-ntp-bcp-10 ) I guess since this URL has the text "BCP" in it, it doesn't render properly. I will revert it back to a URL reference, but then I will need to get some professional help on this, perhaps from the RFC Editor? ATTENTION: This email came from an external source. Do not open attachments or click on links from unknown senders or unexpected emails.
- [Ntp] Ben Campbell's No Objection on draft-ietf-n… Ben Campbell
- Re: [Ntp] Ben Campbell's No Objection on draft-ie… Denis Reilly