Re: [Ntp] Antw: Re: Antw: [EXT] Re: Benjamin Kaduk's Discuss on draft-ietf-ntp-mode-6-cmds-09: (with DISCUSS and COMMENT)

Miroslav Lichvar <mlichvar@redhat.com> Mon, 31 August 2020 12:24 UTC

Date: Mon, 31 Aug 2020 14:24:32 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Harlan Stenn <stenn@nwtime.org>
Cc: "ntp@ietf.org" <ntp@ietf.org>, Hal Murray <hmurray@megapathdsl.net>, Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Message-ID: <20200831122432.GA1592837@localhost>
References: <20200829084626.C0F2E40605C@ip-64-139-1-69.sjc.megapath.net> <b262735b-19fb-21ba-891f-5de33ab2a488@nwtime.org> <5F4CC110020000A10003B016@gwsmtp.uni-regensburg.de> <20200831102453.GR2752765@localhost> <12a4db4f-108c-dedd-9c1d-421dc83b9b6a@nwtime.org> <20200831113210.GB4155245@localhost> <e0a093c6-2ffb-1402-2974-d2fe100f3e13@nwtime.org>
MIME-Version: 1.0
In-Reply-To: <e0a093c6-2ffb-1402-2974-d2fe100f3e13@nwtime.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/kDijD_0nxJ0uo_HCgoRgJtBLbq0>

On Mon, Aug 31, 2020 at 04:52:36AM -0700, Harlan Stenn wrote:
> On 8/31/2020 4:32 AM, Miroslav Lichvar wrote:
> > Yes, I agree it's possible, but there doesn't seem to be a good reason
> > to do that.
> 
> Likely true.  But even so, a good reason could present itself and I don't
> see any compelling reason we should proactively limit this possibility.

A strong reason for not allowing responses authenticated with other
keys is avoiding insecure configurations. We have discussed this
before. I'd say most users that have enabled multiple symmetric keys
in ntpd don't know they need to be limited to IP addresses to prevent
the MITM attacks.

> > The additional configuration required to keep it secure is
> > impractical.
> 
> Really?  I can see how to do a straightforward implementation of this in
> the Reference Implementation.

Why is it not implemented?

-- 
Miroslav Lichvar
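The point made above about responses authenticated with a key other than the one used in the request, as an added illustration that is not part of the thread, the draft, or ntpd's code: a client holding several symmetric keys checks a response under three policies, "any key I trust", "the same key id the request carried", and "any trusted key, but only if that key is bound to the peer's address". The key ids, secrets, addresses, and packet bodies are constructed; the packet layout is a placeholder, but the MAC (32-bit key id followed by a digest over the key prepended to the packet) is the RFC 5905 symmetric-key format, with SHA-1 chosen as the digest.

```python
"""Model of symmetric-key MAC checking on an NTP response.

Constructed example: the client holds two keys, as one keys file might,
and sent its request authenticated with key 1.  Someone who legitimately
holds key 2 (the key configured for a different server) and sits on the
path forges a reply.  Each policy below decides whether to accept it.
"""
import hashlib
import hmac
import struct

# Constructed key table: key id -> (secret, address the key is bound to).
KEYS = {
    1: (b"alpha-secret-shared-with-server-a", "192.0.2.10"),
    2: (b"bravo-secret-shared-with-server-b", "192.0.2.20"),
}
DIGEST_LEN = 20           # SHA-1
MAC_LEN = 4 + DIGEST_LEN  # key id + digest


def append_mac(packet, key_id, secret):
    """Append an RFC 5905 style MAC: key id, then digest(secret || packet)."""
    digest = hashlib.sha1(secret + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def split_mac(msg):
    """Separate a message into (body, key id, digest)."""
    body, trailer = msg[:-MAC_LEN], msg[-MAC_LEN:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    return body, key_id, trailer[4:]


def digest_ok(body, key_id, digest, keys):
    """True if the digest verifies under the named key and the key is known."""
    if key_id not in keys:
        return False
    secret, _ = keys[key_id]
    expected = hashlib.sha1(secret + body).digest()
    return hmac.compare_digest(expected, digest)


def accept_any_trusted_key(msg, keys, request_key_id, src_addr):
    """Policy A: valid if the MAC verifies under any key the client holds."""
    body, key_id, digest = split_mac(msg)
    return digest_ok(body, key_id, digest, keys)


def accept_same_key_only(msg, keys, request_key_id, src_addr):
    """Policy B: the response must carry the key id the request was sent with."""
    body, key_id, digest = split_mac(msg)
    return key_id == request_key_id and digest_ok(body, key_id, digest, keys)


def accept_trusted_key_bound_to_address(msg, keys, request_key_id, src_addr):
    """Policy C: any trusted key, but only one bound to the responding address."""
    body, key_id, digest = split_mac(msg)
    if not digest_ok(body, key_id, digest, keys):
        return False
    _, bound_addr = keys[key_id]
    return bound_addr == src_addr


def scenario():
    """Run the constructed attack against each policy.

    Returns {policy name: (accepts genuine reply, accepts forged reply)}.
    The request went to server A with key 1; the forger holds key 2 and,
    being on path, also uses A's source address.
    """
    request_key = 1
    src_addr = KEYS[1][1]
    genuine = append_mac(b"reply from A: offset=0.000123", 1, KEYS[1][0])
    forged = append_mac(b"reply from A: offset=+3600.0", 2, KEYS[2][0])
    policies = {
        "any_trusted_key": accept_any_trusted_key,
        "same_key_only": accept_same_key_only,
        "key_bound_to_address": accept_trusted_key_bound_to_address,
    }
    return {
        name: (policy(genuine, KEYS, request_key, src_addr),
               policy(forged, KEYS, request_key, src_addr))
        for name, policy in policies.items()
    }


if __name__ == "__main__":
    for name, (ok_genuine, ok_forged) in scenario().items():
        print(f"{name:22s} genuine={ok_genuine} forged={ok_forged}")
```

Policy A is the configuration the message warns about: every key in the file becomes a valid signer for every server, so a holder of any one key can impersonate all of them. Policy B needs no extra configuration because the request already names the key; policy C is the per-address restriction that operators would have to add by hand to make policy A safe.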