IETF Logo Mail Archive

Re: [Ntp] NTP Security (was NTPv5: big picture)

Miroslav Lichvar <mlichvar@redhat.com> Tue, 19 January 2021 13:04 UTC

Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47C663A14D2 for <ntp@ietfa.amsl.com>; Tue, 19 Jan 2021 05:04:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.37
X-Spam-Level:
X-Spam-Status: No, score=-2.37 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3whbx6idZipK for <ntp@ietfa.amsl.com>; Tue, 19 Jan 2021 05:04:53 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 828E93A14D0 for <ntp@ietf.org>; Tue, 19 Jan 2021 05:04:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1611061492; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=J5g0OZuAsW7aIbnycwi1P90n/gH4KglKQHzPq69zYOE=; b=GJAK+cW2kyuCvEXk+g/QzgpGTp980VtWszEYl3egqFzEONtJ/hcYFYle/dYqAmSMWKJ2K1 P3E63s8f4GXyKDDK9+IdMwaXY5PXwAPPyB5+/M/eo75g3AtpWx31lVzgUl+YY6AXlD11sQ zrIGM9A8SLoM7o2OI4ww5Lg+P8jIHAw=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-509-sGJmN01aN2-szy9_JFzJCw-1; Tue, 19 Jan 2021 08:04:12 -0500
X-MC-Unique: sGJmN01aN2-szy9_JFzJCw-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6559910054FF; Tue, 19 Jan 2021 13:04:11 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8EC4910013BD; Tue, 19 Jan 2021 13:04:09 +0000 (UTC)
Date: Tue, 19 Jan 2021 14:04:08 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Magnus Danielson <magnus@rubidium.se>
Cc: Kurt Roeckx <kurt@roeckx.be>, ntp@ietf.org
Message-ID: <20210119130408.GD2430794@localhost>
References: <20210118113806.33BBE40605C@ip-64-139-1-69.sjc.megapath.net> <c6fda979-0b3e-99fc-2dc5-25b7cde4c42b@rubidium.se> <20210118162517.GA2410317@localhost> <acdd42d0-9b58-4b26-0798-55a42bc0b6de@rubidium.se> <YAX6gJiREb2RE6Gs@roeckx.be> <c5378682-e03f-9e46-24d5-025eb4a57c05@rubidium.se> <20210119094217.GB2430794@localhost> <68c0d807-2290-3c44-d760-35306af20434@rubidium.se>
MIME-Version: 1.0
In-Reply-To: <68c0d807-2290-3c44-d760-35306af20434@rubidium.se>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/kKydccOW8EXH3isCalY8B6ZUA7U>
Subject: Re: [Ntp] NTP Security (was NTPv5: big picture)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2021 13:04:56 -0000

On Tue, Jan 19, 2021 at 01:24:37PM +0100, Magnus Danielson wrote:
> RTC is not a trusted time source. I can be just as much a false-ticker
> as any source you see. Do not trust the RTC to be near true time, it's
> failed before and it will fail again. It's just another source of time,
> it can be helpful to bootstrap things, but until validated you do not
> trust it. This is really about doing a trust analysis.

Yes, RTC can fail, but it's the only source of time you usually have
for time validation of certificates, DNSSEC records, etc. The idea is
that you check or set it manually once, and then allow it to be
synchronized to secure time sources only, so it can be always be
trusted to be close to the true time.

If you cannot trust the RTC and you don't have a different trusted
time source, it's game over. You cannot perform a full validation. You
can accept the security implications and disable the time checks, but
that's not generally acceptable.

> In this process we only assumed that the original timestamp was valid
> durign the data-validation phase, and we already stated that we trust
> the data validation part, and later test that assumption.

In this process you have only verified consistency of the time and
other data you have received. It was valid some time ago, but it may
not be valid now. If the attacker captured all that data, it can be
reused later in a MITM attack. You need to know the current date to
avoid that. That's why certificates and DNSSEC records have a validity
period.

You have a loop in your trust analysis.

-- 
Miroslav Lichvar

v2.23.0 | Report a Bug | By Email