[Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-ntp-ntpv5-requirements-01.txt
Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> Tue, 24 January 2023 15:07 UTC
Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C219C14EB1A for <ntp@ietfa.amsl.com>; Tue, 24 Jan 2023 07:07:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c2gijpqhLcht for <ntp@ietfa.amsl.com>; Tue, 24 Jan 2023 07:07:40 -0800 (PST)
Received: from mx2.uni-regensburg.de (mx2.uni-regensburg.de [IPv6:2001:638:a05:137:165:0:3:bdf8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86777C14CE24 for <ntp@ietf.org>; Tue, 24 Jan 2023 07:07:38 -0800 (PST)
Received: from mx2.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id EACC46000051 for <ntp@ietf.org>; Tue, 24 Jan 2023 16:07:32 +0100 (CET)
Received: from gwsmtp.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by mx2.uni-regensburg.de (Postfix) with ESMTP id C8B23600004D for <ntp@ietf.org>; Tue, 24 Jan 2023 16:07:32 +0100 (CET)
Received: from uni-regensburg-smtp1-MTA by gwsmtp.uni-regensburg.de with Novell_GroupWise; Tue, 24 Jan 2023 16:07:33 +0100
Message-Id: <63CFF433020000A100051757@gwsmtp.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.4.2
Date: Tue, 24 Jan 2023 16:07:31 +0100
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: "ntp@ietf.org" <ntp@ietf.org>, mlichvar@redhat.com
References: <167406509279.8060.1009165838491116090@ietfa.amsl.com> <Y8/frEvjBTeFwG1k@localhost>
In-Reply-To: <Y8/frEvjBTeFwG1k@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/ldSY0-lscN0oP2gND-zhgt8bO4w>
Subject: [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-ntp-ntpv5-requirements-01.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2023 15:07:44 -0000
>>> Miroslav Lichvar <mlichvar@redhat.com> schrieb am 24.01.2023 um 14:39 in Nachricht <Y8/frEvjBTeFwG1k@localhost>: > On Wed, Jan 18, 2023 at 10:04:52AM -0800, internet-drafts@ietf.org wrote: >> >> A New Internet-Draft is available from the on-line Internet-Drafts > directories. >> This draft is a work item of the Network Time Protocols WG of the IETF. >> >> Title : NTPv5 use cases and requirements >> Author : James Gruessing >> Filename : draft-ietf-ntp-ntpv5-requirements-01.txt > > The new version added the following paragraph: > > An additional identifier mechanism MAY be considered for the > purposes of client allow/deny lists, logging and monitoring. Such a > mechanism, when included, SHOULD be independent of any loop > avoidance mechanism, and authenticity requirements SHOULD be > considered. > > It's not very clear to me what feature of the protocol is this > supposed to allow or prevent. Any examples? > > In 5.1. there is: > The risk that an on-path attacker can delay packets between a > client and server exists in all time protocols operating on > insecure networks and its mitigations within the protocol are > limited for a clock which is not yet synchronised. > > I think I suggested this before. It would be good to add a requirement > here for the protocol to MUST be able to prevent attackers from > injecting unlimited offsets to the measurements, i.e. not allow the > broadcast mode in NTPv5. We should support only the most secure mode > (client-server). It's an interesting concept to prevent attackers from injecting packets by means of the protocol í ½í¸ Maybe the protocol can discard or ignore such packets, but preventing injection is really hard... Regards, Ulrich > > -- > Miroslav Lichvar > > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requiremen… internet-drafts
- Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requir… Miroslav Lichvar
- [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-ntp-… Ulrich Windl
- Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requir… James
- Re: [Ntp] I-D Action: draft-ietf-ntp-ntpv5-requir… David Venhoek