Re: [Ntp] NTPv5 draft

James <james.ietf@gmail.com> Mon, 07 December 2020 16:57 UTC

To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: "ntp@ietf.org" <ntp@ietf.org>, Dieter Sibold <dsibold.ietf@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
References: <20201111161947.GG1559650@localhost> <AA848C67-CFB7-43FC-B190-FD3911360373@gmail.com> <20201201081203.GB1900232@localhost> <2B8C7410-DFA7-4A87-A33E-F50FFA96D0F9@gmail.com> <20201201100305.GK1900232@localhost> <F62C1325-8409-474C-9650-FA96405D0F4B@gmail.com> <20201207104541.GE2352378@localhost> <E0159612-5D83-4A0E-BBD1-1D75C0B49226@akamai.com> <20201207153444.GO2352378@localhost>
From: James <james.ietf@gmail.com>
Message-ID: <27e7bc98-07c7-8130-d0a4-b2d3b5617ad8@gmail.com>
Date: Mon, 07 Dec 2020 17:57:28 +0100
In-Reply-To: <20201207153444.GO2352378@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/l0P0p-Cl0WMDo6COZItFuwEkR1E>

I'm also interested in NTPv5. Based on my current use cases, the 
protocol having downgrade-resistant authentication as a core function of 
the protocol would simplify my deployments and improve their overall 
security, and that deploying extensions, IPSec or other measures 
increases risk and complexity. Other use cases I have outlined[1] may 
also benefit. As an example, consider that several issues[2] (#5 
and #8) focus around the use of IP addresses in refid - if the 
identifier for a server was replaced with an identifier tied to a 
certificate or signature that was used as part of negotiating the 
primitives to provide authentication, this could theoretically address both.

As for your comment earlier around browsers defaulting to HTTP not 
HTTPS, consider that many browsers only support HTTP/2 with TLS and not 
"h2c", and that HTTP/3 requires QUIC (thus requiring TLS exclusively) - 
if implementations and deployments wish not to use TLS with HTTP, their 
only choice is to use older versions of the protocol.

- J

1: https://tools.ietf.org/html/draft-gruessing-ntp-ntpv5-requirements-00#section-2

2: https://trac.ietf.org/trac/ntp/wiki/NtpVersionFourIssues

On 07-12-2020 15:34, Miroslav Lichvar wrote:
> On Mon, Dec 07, 2020 at 03:09:15PM +0000, Salz, Rich wrote:
>>> NTS just became a thing. Forcing people to NTS by removing
>>> unauthenticated NTP from NTPv5 won't work.
>>
>> We're not forcing anyone.  Folks who want unauthenticated NTP can stay on NTPv4.
> None of the issues that have been proposed for fixing in NTPv5 are
> related to authentication. Why should folks interested in NTPv5 be
> forced to use/implement authentication if they are perfectly ok with
> unsecured NTP?
>
> If you feel NTP needs a new name for "secure NTP", specify NTPS in a
> separate document. You can apply it to NTPv5, NTPv4 and even NTPv3 if
> you allow authentication with a symmetric key. This has nothing to do
> with NTPv5 specifically.
>
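An added illustration of the refid point made above (this is example code written for this page, not from the mail, the draft or any NTP implementation): NTPv4's address-derived reference identifier as RFC 5905 defines it, beside a hypothetical identity-bound refid derived from the server's public key; the addresses and key bytes are constructed samples.

```python
import hashlib
import ipaddress


def refid_from_address(addr: str) -> bytes:
    """NTPv4 (RFC 5905) refid for a server address: IPv4 uses the four
    address octets, IPv6 uses the first four octets of MD5(address)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip.packed
    return hashlib.md5(ip.packed).digest()[:4]


def refid_from_identity(public_key_der: bytes) -> bytes:
    """Hypothetical identity-bound refid (not in any published NTP spec):
    first four octets of SHA-256 over the server's public key, i.e. the
    key presented when authentication was negotiated, so the identifier
    no longer depends on which address the server answers from."""
    return hashlib.sha256(public_key_der).digest()[:4]


def would_loop(own_refid: bytes, peer_refid: bytes) -> bool:
    """Loop check as NTPv4 performs it: a client must not select a source
    whose refid equals the client's own identifier."""
    return own_refid == peer_refid


# Constructed sample: one server, reachable over IPv4 and IPv6, one key.
SERVER_V4 = "192.0.2.10"
SERVER_V6 = "2001:db8::10"
SERVER_KEY = b"CONSTRUCTED-SAMPLE-PUBLIC-KEY-NOT-A-REAL-KEY"


def compare_refids() -> dict:
    """Show why address-based refids are a weak identity: the same server
    gets two unrelated refids on v4 and v6, so the loop check between
    them fails, while the identity-bound refid is the same on both paths."""
    v4, v6 = refid_from_address(SERVER_V4), refid_from_address(SERVER_V6)
    ident = refid_from_identity(SERVER_KEY)
    return {
        "address_refids_match": v4 == v6,
        "identity_refids_match": ident == refid_from_identity(SERVER_KEY),
        "loop_detected_by_address": would_loop(v4, v6),
        "loop_detected_by_identity": would_loop(ident, ident),
    }


if __name__ == "__main__":
    print(compare_refids())
```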