Re: [Ntp] NTP Security (was NTPv5: big picture)

"Salz, Rich" <rsalz@akamai.com> Sat, 02 January 2021 14:01 UTC

>    What do you want that isn't already covered by NTS and/or shared keys?

Perhaps nothing.  But not seeing security on the NTPv5 list as a first-class requirement does not engender good thoughts.

>    As far as I can tell, the problem with NTP security is deployment of NTS.  The
>    pool has captured a large portion of the market and it is fundamentally
>    insecure.

Then we should consider making NTPv5 require security.

>    HTTPs works because lots of sites want your money.  Nobody is paying for NTP.

Nobody pays for much of the Internet, including DNS, BGP, etc. But those protocols are moving toward secure-by-default.