Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standard

Christian Huitema <> Fri, 19 February 2021 17:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5D2033A126C for <>; Fri, 19 Feb 2021 09:06:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2lBeY4YnZBlT for <>; Fri, 19 Feb 2021 09:06:05 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B1D0E3A124E for <>; Fri, 19 Feb 2021 09:06:03 -0800 (PST)
Received: from ([] by with esmtp (Exim 4.92) (envelope-from <>) id 1lD9Dn-001177-QB for; Fri, 19 Feb 2021 18:05:56 +0100
Received: from (unknown []) by (Postfix) with ESMTPS id 4DhyNq72VSz1HZ6 for <>; Fri, 19 Feb 2021 08:54:51 -0800 (PST)
Received: from [] ( by with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <>) id 1lD93L-0000dj-S6 for; Fri, 19 Feb 2021 08:54:51 -0800
Received: (qmail 7381 invoked from network); 19 Feb 2021 16:54:50 -0000
Received: from unknown (HELO []) ([]) (envelope-sender <>) by (qmail-ldap-1.03) with ESMTPA for <>; 19 Feb 2021 16:54:50 -0000
To: tom petch <>, "Salz, Rich" <>, Danny Mayer <>, Dhruv Dhody <>
Cc: "" <>, "" <>, NTP WG <>, "" <>
References: <> <> <> <> <> <> <> <> <> <>
From: Christian Huitema <>
Message-ID: <>
Date: Fri, 19 Feb 2021 08:54:50 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Authentication-Results:; auth=pass smtp.auth=
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.02)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT+c/cqNpqoXhAxqZOEcOyVwPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5y6DvR+bKrMDN8+ZZn6qct6j3CSdYahsEhiizd3WfZtEbrS pFt6FhDAmVioTm2BOtrlYLLlWSy3OGfGBNeqx2anHyJxjDLo4/ugN15VVJm4KWrxEaaKeSxe0Wrx 6M4G5/Wm4Zd53xWOh54QqC5fJ2uRXuVlZN3itw4heFqCetmmdVxh7hoyMoWHMkqYfQEaAmuTN39V SAGznwTrlYf+WLCVpbt3W3gfNnuKkqGP09ZKLJk5mH/X3pSH/ENJb2CQDcs6JlxDUR6KY7+yX92p PGhFfWqyN3veeFIMJz/vumcqAwMU9kjfE7EFo+kP5riIEUmSGpuJN1OVhw4edWBUa0IbcFe+ssGU oJVGON09uNDgeVbMyi0mGLrHItOnwZ8MT6vdNDdc1bvmRwzQjtHTEndCPd0rEuGjFyZoidhtHm+W oYBE/7drH0Ji1exykwyaAEUrXvaL8Tmw6BtoK0GJIjHVWChLcyQhJLJ1LoQDspKgdub6J8+zbIhd VpLuPUKkPixswL8rqSXNtEyPOtcf9IN9aIfVaCHpEB6cFH6WJxE4ZobEKFHo967ILVtyxTwo6rrr qSx/TJa5lp9se4GMY3zlNbnHVzzQptO/QfyJmT0QsdsAtxpLrx2sBi3aTxN1Q/y4v7kO1bsUyhpJ w318KIzzxMwwlmJT37b8CHOVqIzTPPdjzQ6YC7Heg3Xf7O1TOd6TRrggEwRxTIFYcGzgBmIlj5hw pdRULXVcTXoJDAlma4oCYUjVWFj2FzTc73EcX6m+KlJKb3iWnEak/5Df73iNbwN0BCkzBb1FgeZJ e7aTio6ikPOtGcPsEb15fUoej/dic0YV1E3cK088GNIeQjFlPE48k6wYOikXD7qYhWAa7+c6+0Xs DVtCAGQDUwTZWAv0dxCqGRQPPGR7vmqZQrQOZJ0Q4x+0GOxZvoENDONKwTepoEV8JoWhfuVs2p92 abOQTjYr4mblZJIFx02/rieoYQ012X/617XXv8LOWWL/2TEvuGslKTrRIXcXpFg5ivY=
Archived-At: <>
Subject: Re: [Ntp] [Last-Call] Last Call: <draft-ietf-ntp-yang-data-model-10.txt> (A YANG Data Model for NTP) to Proposed Standard
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Feb 2021 17:06:12 -0000

On 2/19/2021 8:34 AM, tom petch wrote:
> On 19/02/2021 15:05, Salz, Rich wrote:
>> I thought a Yang model was supposed to be an on-the-wire 
>> representation of what the server did. Am I wrong? If I'm right, then 
>> the issue around MD5 is with the server, not this doc.
> Rich
> There are two issues with MD5 and NTP.
> One is security, where a crypto-hash is used to authenticate NTPv4 
> packets, and the hash specified in the NTPv4 base spec was MD5 but 
> this was updated by RFC8573 so that MD5 is now deprecated.  I picked 
> up on this in my first review, that the YANG model used MD5 and made 
> no mention of its deprecation.  I knew that RFC8573 should be included 
> but was unclear whether or not it would be acceptable to still include 
> MD5.  Ben, Security AD, said yes, we should, and that is what we now 
> have (along with a number of other hash).  My recent comment was that 
> the Netconf WG label SHA1 as obsolete so should we include it? and 
> what about such as SHA3? The more options the greater a risk of 
> mismatch but that is not an issue I am equipped to resolve, likely one 
> for the IESG (much as I hate generating work for them).
> The other MD5 usage is generating a 32-bit identifier with a good 
> probability of being unique, for entities with IPv6 address, and that 
> I see no problem with, as Ben confirmed.  That means that the I-D will 
> reference the MD5 RFC, which is Informational and so potentially a 
> downref.  Again, one for the AD to resolve (which is why I put it 
> first on my previous post).

There is another problem. Because MD5 is deprecated, some software 
development organizations have checks that prevent use of MD5. The test 
suites will include such checks, and the software will normally not ship 
if the checks detect presence of MD5 in the product. Of course there are 
ways around, but they are not quite as simple as replacing MD5 by 
SHA256, even for those "non crypto" cases.

-- Christian Huitema